Analysis
max time kernel: 144s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 13:39

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Size: 180KB
MD5: 7797130fb4e98aab4021671402741353
SHA1: 4d73edec6762a49079032ecf3c4a1782aab754d8
SHA256: 8c74b39e1abe43c7e9774cdf80e1d441b320de635c37baa31c98f01586e57afc
SHA512: 8257b9fa76823847bdb0c7ac98ba5a9bcafd585a033d45982c4921df1b82e6e7f5cbe992e93de4fd1e7573e886d42989a66e971a6f9dd10e19187616cc8fb6ba
SSDEEP: 3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000b00000001413f-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002b0000000142ac-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001413f-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF64B707-0AE1-41c4-B072-C6D308180806} | {479ED959-8E57-4209-A82B-678A006E7D34}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}\stubpath = "C:\\Windows\\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe" | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD19470-5747-4942-880A-EA1AC2780B88}\stubpath = "C:\\Windows\\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe" | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701069A2-B2E9-4bd2-8190-740A89155C4A}\stubpath = "C:\\Windows\\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe" | {15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}\stubpath = "C:\\Windows\\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe" | {701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B67B273-5D11-480d-8A63-C998AAC84425}\stubpath = "C:\\Windows\\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe" | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF64B707-0AE1-41c4-B072-C6D308180806}\stubpath = "C:\\Windows\\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe" | {479ED959-8E57-4209-A82B-678A006E7D34}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D6E019-9C27-43f2-A8E0-637AC6A88366}\stubpath = "C:\\Windows\\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe" | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479ED959-8E57-4209-A82B-678A006E7D34} | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479ED959-8E57-4209-A82B-678A006E7D34}\stubpath = "C:\\Windows\\{479ED959-8E57-4209-A82B-678A006E7D34}.exe" | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDACB699-91B4-4a00-8E27-5CA6D3255798} | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDACB699-91B4-4a00-8E27-5CA6D3255798}\stubpath = "C:\\Windows\\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe" | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD19470-5747-4942-880A-EA1AC2780B88} | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65} | {17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B67B273-5D11-480d-8A63-C998AAC84425} | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1} | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A404D399-FAD0-4ab6-9AD6-633443E263B2} | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A404D399-FAD0-4ab6-9AD6-633443E263B2}\stubpath = "C:\\Windows\\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe" | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D6E019-9C27-43f2-A8E0-637AC6A88366} | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701069A2-B2E9-4bd2-8190-740A89155C4A} | {15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC} | {701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}\stubpath = "C:\\Windows\\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe" | {17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
Deletes itself (1 IoC)
pid | Process
2284 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe
2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe
2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe
2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe
852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
1180 | {15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
1764 | {701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
1108 | {17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
2080 | {8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe | {479ED959-8E57-4209-A82B-678A006E7D34}.exe
File created | C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
File created | C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
File created | C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe | {701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
File created | C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
File created | C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe
File created | C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe
File created | C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe
File created | C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
File created | C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe | {15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
File created | C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe | {17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe
Token: SeIncBasePriorityPrivilege | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe
Token: SeIncBasePriorityPrivilege | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe
Token: SeIncBasePriorityPrivilege | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
Token: SeIncBasePriorityPrivilege | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
Token: SeIncBasePriorityPrivilege | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe
Token: SeIncBasePriorityPrivilege | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
Token: SeIncBasePriorityPrivilege | 1180 | {15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
Token: SeIncBasePriorityPrivilege | 1764 | {701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
Token: SeIncBasePriorityPrivilege | 1108 | {17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1668 wrote to memory of 2524 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 28
PID 1668 wrote to memory of 2524 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 28
PID 1668 wrote to memory of 2524 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 28
PID 1668 wrote to memory of 2524 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 28
PID 1668 wrote to memory of 2284 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 29
PID 1668 wrote to memory of 2284 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 29
PID 1668 wrote to memory of 2284 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 29
PID 1668 wrote to memory of 2284 | 1668 | 2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe | 29
PID 2524 wrote to memory of 2668 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 30
PID 2524 wrote to memory of 2668 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 30
PID 2524 wrote to memory of 2668 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 30
PID 2524 wrote to memory of 2668 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 30
PID 2524 wrote to memory of 2440 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 31
PID 2524 wrote to memory of 2440 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 31
PID 2524 wrote to memory of 2440 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 31
PID 2524 wrote to memory of 2440 | 2524 | {4B67B273-5D11-480d-8A63-C998AAC84425}.exe | 31
PID 2668 wrote to memory of 2600 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 32
PID 2668 wrote to memory of 2600 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 32
PID 2668 wrote to memory of 2600 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 32
PID 2668 wrote to memory of 2600 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 32
PID 2668 wrote to memory of 2164 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 33
PID 2668 wrote to memory of 2164 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 33
PID 2668 wrote to memory of 2164 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 33
PID 2668 wrote to memory of 2164 | 2668 | {479ED959-8E57-4209-A82B-678A006E7D34}.exe | 33
PID 2600 wrote to memory of 2028 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 36
PID 2600 wrote to memory of 2028 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 36
PID 2600 wrote to memory of 2028 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 36
PID 2600 wrote to memory of 2028 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 36
PID 2600 wrote to memory of 2380 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 37
PID 2600 wrote to memory of 2380 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 37
PID 2600 wrote to memory of 2380 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 37
PID 2600 wrote to memory of 2380 | 2600 | {EF64B707-0AE1-41c4-B072-C6D308180806}.exe | 37
PID 2028 wrote to memory of 2776 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 38
PID 2028 wrote to memory of 2776 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 38
PID 2028 wrote to memory of 2776 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 38
PID 2028 wrote to memory of 2776 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 38
PID 2028 wrote to memory of 2904 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 39
PID 2028 wrote to memory of 2904 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 39
PID 2028 wrote to memory of 2904 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 39
PID 2028 wrote to memory of 2904 | 2028 | {19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe | 39
PID 2776 wrote to memory of 1636 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 40
PID 2776 wrote to memory of 1636 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 40
PID 2776 wrote to memory of 1636 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 40
PID 2776 wrote to memory of 1636 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 40
PID 2776 wrote to memory of 2172 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 41
PID 2776 wrote to memory of 2172 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 41
PID 2776 wrote to memory of 2172 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 41
PID 2776 wrote to memory of 2172 | 2776 | {DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe | 41
PID 1636 wrote to memory of 852 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 42
PID 1636 wrote to memory of 852 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 42
PID 1636 wrote to memory of 852 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 42
PID 1636 wrote to memory of 852 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 42
PID 1636 wrote to memory of 656 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 43
PID 1636 wrote to memory of 656 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 43
PID 1636 wrote to memory of 656 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 43
PID 1636 wrote to memory of 656 | 1636 | {8BD19470-5747-4942-880A-EA1AC2780B88}.exe | 43
PID 852 wrote to memory of 1180 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 44
PID 852 wrote to memory of 1180 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 44
PID 852 wrote to memory of 1180 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 44
PID 852 wrote to memory of 1180 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 44
PID 852 wrote to memory of 876 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 45
PID 852 wrote to memory of 876 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 45
PID 852 wrote to memory of 876 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 45
PID 852 wrote to memory of 876 | 852 | {A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe | 45
Processes
(indentation shows the process tree; each cmd.exe is a child of the process one level above it)

C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe  (depth 1, PID 1668)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe  (depth 2, PID 2524)
    command line: C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe  (depth 3, PID 2668)
      command line: C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe  (depth 4, PID 2600)
        command line: C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe  (depth 5, PID 2028)
          command line: C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe  (depth 6, PID 2776)
            command line: C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe  (depth 7, PID 1636)
              command line: C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe  (depth 8, PID 852)
                command line: C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe  (depth 9, PID 1180)
                  command line: C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe  (depth 10, PID 1764)
                    command line: C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe  (depth 11, PID 1108)
                      command line: C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe  (depth 12, PID 2080)
                        command line: C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe  (depth 12, PID 672)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{17AAB~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe  (depth 11, PID 2876)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{70106~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe  (depth 10, PID 2112)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{15D6E~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe  (depth 9, PID 876)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A404D~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe  (depth 8, PID 656)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD19~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe  (depth 7, PID 2172)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DDACB~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe  (depth 6, PID 2904)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{19C9C~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe  (depth 5, PID 2380)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF64B~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2164)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{479ED~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 2440)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4B67B~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 2284)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads