Analysis

max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 13:42

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
Resource: win10v2004-20240226-en

General

Target: 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
Size: 180KB
MD5: 8b0d6362c5339021cf7bf8c3335b3656
SHA1: 5edcdcbc300c263a93bad82d0e3c9a58eaa1df6d
SHA256: bd35f6bc5112f724f198ce37c376e172a7d8854e88e2919c8c26bf4fd3e12bdb
SHA512: e9ae3dbcb28949cb6af1ec184d3b9b71086afa2ddc3762a8b9425fd8b0ba5eb44b7907304da312ac0600ef6ef4ade589fd21133d5f7d6d447e2b3b892a8e6177
SSDEEP: 3072:jEGh0oVlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGfl5eKcAEc
Malware Config
Signatures

Auto-generated rule (11 IoCs)

resource                                    | yara_rule
--------------------------------------------|------------------------------------------
behavioral1/files/0x000900000001225b-5.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000001227e-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000016ce9-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000016ced-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016d29-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016ced-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016d29-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000016ced-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d29-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

description     | ioc                                                                                                                                                                       | Process
----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}                                                 | {4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}\stubpath = "C:\\Windows\\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe" | {4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}\stubpath = "C:\\Windows\\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe" | {94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}                                                 | {6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64B3978-62CC-461e-8171-248679C9158C}\stubpath = "C:\\Windows\\{F64B3978-62CC-461e-8171-248679C9158C}.exe" | {920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}\stubpath = "C:\\Windows\\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe" | {DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}                                                 | {F64B3978-62CC-461e-8171-248679C9158C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}\stubpath = "C:\\Windows\\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe" | {F64B3978-62CC-461e-8171-248679C9158C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36797B73-560C-4bc4-A281-D987E6B05C23}\stubpath = "C:\\Windows\\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe" | {F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}                                                 | {94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}                                                 | 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}\stubpath = "C:\\Windows\\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe" | {C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F64B3978-62CC-461e-8171-248679C9158C}                                                 | {920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE65DE-29E0-4928-9620-3F29E0D6783E}                                                 | {36797B73-560C-4bc4-A281-D987E6B05C23}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94BE65DE-29E0-4928-9620-3F29E0D6783E}\stubpath = "C:\\Windows\\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe" | {36797B73-560C-4bc4-A281-D987E6B05C23}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920BF310-5F68-4812-ADA8-FDD57959FC2E}                                                 | {A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{920BF310-5F68-4812-ADA8-FDD57959FC2E}\stubpath = "C:\\Windows\\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe" | {A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}\stubpath = "C:\\Windows\\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe" | {6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}                                                 | {DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36797B73-560C-4bc4-A281-D987E6B05C23}                                                 | {F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}\stubpath = "C:\\Windows\\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe" | 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}                                                 | {C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
Deletes itself (1 IoC)

pid  | Process
-----|--------
3004 | cmd.exe
Executes dropped EXE (11 IoCs)

pid  | Process
-----|--------------------------------------------
2908 | {C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
2536 | {6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
2408 | {DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
2368 | {A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
1064 | {920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
2728 | {F64B3978-62CC-461e-8171-248679C9158C}.exe
1960 | {4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
2276 | {F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
1604 | {36797B73-560C-4bc4-A281-D987E6B05C23}.exe
1040 | {94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
3012 | {A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe
Drops file in Windows directory (11 IoCs)

description  | ioc                                                   | Process
-------------|-------------------------------------------------------|----------------------------------------------------------
File created | C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe | 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
File created | C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe | {C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
File created | C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe | {920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
File created | C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe | {F64B3978-62CC-461e-8171-248679C9158C}.exe
File created | C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe | {4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
File created | C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe | {6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
File created | C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe | {DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
File created | C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe | {A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
File created | C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe | {F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
File created | C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe | {36797B73-560C-4bc4-A281-D987E6B05C23}.exe
File created | C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe | {94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)

description                       | pid  | Process
----------------------------------|------|----------------------------------------------------------
Token: SeIncBasePriorityPrivilege | 1464 | 2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2908 | {C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
Token: SeIncBasePriorityPrivilege | 2536 | {6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
Token: SeIncBasePriorityPrivilege | 2408 | {DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
Token: SeIncBasePriorityPrivilege | 2368 | {A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
Token: SeIncBasePriorityPrivilege | 1064 | {920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
Token: SeIncBasePriorityPrivilege | 2728 | {F64B3978-62CC-461e-8171-248679C9158C}.exe
Token: SeIncBasePriorityPrivilege | 1960 | {4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
Token: SeIncBasePriorityPrivilege | 2276 | {F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
Token: SeIncBasePriorityPrivilege | 1604 | {36797B73-560C-4bc4-A281-D987E6B05C23}.exe
Token: SeIncBasePriorityPrivilege | 1040 | {94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe (PID 1464)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe (PID 2908)
      cmdline: C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe (PID 2536)
        cmdline: C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe (PID 2408)
          cmdline: C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe (PID 2368)
            cmdline: C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe (PID 1064)
              cmdline: C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe (PID 2728)
                cmdline: C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe (PID 1960)
                  cmdline: C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe (PID 2276)
                    cmdline: C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe (PID 1604)
                      cmdline: C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe (PID 1040)
                        cmdline: C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe (PID 3012)
                          cmdline: C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe
                          - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 2096)
                          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{94BE6~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2224)
                        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{36797~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 1528)
                      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F3963~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 980)
                    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE61~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 2016)
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F64B3~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2428)
                cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{920BF~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2376)
              cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D6B~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 380)
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{DF5CF~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2512)
          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA2E~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2672)
        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C782A~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 3004)
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads