Analysis
max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted
04/04/2024, 17:33
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Resource
win10v2004-20240226-en
General
Target
2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Size
408KB
MD5
7c79d857b718bf5a5838505d3dbb615d
SHA1
2ac8774151e05d71183cd09b9435ca32a3d543f7
SHA256
8bd06ed0f125f4b50da63906bfecb187873bd82cb3d6ed64c5190e17642a23a6
SHA512
f00d505f2d255864a4332affc6d8c9fb83aa5501625ed0f2473d96c52cc121d37bcdb7b826299376f993d410c63df93f96d752ef54efaee6ac02b8165dbed84d
SSDEEP
3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGvldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000a000000012252-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122bf-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014b10-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012252-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012252-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C} | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}\stubpath = "C:\\Windows\\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe" | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}\stubpath = "C:\\Windows\\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe" | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8E0A43C-986F-462e-B69A-CAA8537BA389} | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4} | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D} | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20} | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83D0614-1609-401c-A06E-0DA0917E7D45} | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}\stubpath = "C:\\Windows\\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe" | {0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758F56F4-711C-4465-B5FE-A8771FB66D9A}\stubpath = "C:\\Windows\\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe" | {FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3} | {758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8E0A43C-986F-462e-B69A-CAA8537BA389}\stubpath = "C:\\Windows\\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe" | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F7E2A90-4EB4-4893-990E-F02213A61194} | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}\stubpath = "C:\\Windows\\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe" | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0519F1B9-D84D-4363-8E04-A3E6DB66A217} | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}\stubpath = "C:\\Windows\\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe" | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758F56F4-711C-4465-B5FE-A8771FB66D9A} | {FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}\stubpath = "C:\\Windows\\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe" | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83D0614-1609-401c-A06E-0DA0917E7D45}\stubpath = "C:\\Windows\\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe" | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F7E2A90-4EB4-4893-990E-F02213A61194}\stubpath = "C:\\Windows\\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe" | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A} | {0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}\stubpath = "C:\\Windows\\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe" | {758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
Deletes itself 1 IoCs
pid | Process
2616 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
852 | {0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
2072 | {FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
596 | {758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
1812 | {6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
File created | C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
File created | C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
File created | C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
File created | C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
File created | C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
File created | C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
File created | C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
File created | C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe | {0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
File created | C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe | {FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
File created | C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe | {758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
Token: SeIncBasePriorityPrivilege | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
Token: SeIncBasePriorityPrivilege | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
Token: SeIncBasePriorityPrivilege | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
Token: SeIncBasePriorityPrivilege | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
Token: SeIncBasePriorityPrivilege | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
Token: SeIncBasePriorityPrivilege | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
Token: SeIncBasePriorityPrivilege | 852 | {0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
Token: SeIncBasePriorityPrivilege | 2072 | {FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
Token: SeIncBasePriorityPrivilege | 596 | {758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1920 wrote to memory of 2556 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 28
PID 1920 wrote to memory of 2556 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 28
PID 1920 wrote to memory of 2556 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 28
PID 1920 wrote to memory of 2556 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 28
PID 1920 wrote to memory of 2616 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 29
PID 1920 wrote to memory of 2616 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 29
PID 1920 wrote to memory of 2616 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 29
PID 1920 wrote to memory of 2616 | 1920 | 2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe | 29
PID 2556 wrote to memory of 2528 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 30
PID 2556 wrote to memory of 2528 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 30
PID 2556 wrote to memory of 2528 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 30
PID 2556 wrote to memory of 2528 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 30
PID 2556 wrote to memory of 2604 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 31
PID 2556 wrote to memory of 2604 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 31
PID 2556 wrote to memory of 2604 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 31
PID 2556 wrote to memory of 2604 | 2556 | {7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe | 31
PID 2528 wrote to memory of 1588 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 32
PID 2528 wrote to memory of 1588 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 32
PID 2528 wrote to memory of 1588 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 32
PID 2528 wrote to memory of 1588 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 32
PID 2528 wrote to memory of 2408 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 33
PID 2528 wrote to memory of 2408 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 33
PID 2528 wrote to memory of 2408 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 33
PID 2528 wrote to memory of 2408 | 2528 | {64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe | 33
PID 1588 wrote to memory of 1580 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 36
PID 1588 wrote to memory of 1580 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 36
PID 1588 wrote to memory of 1580 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 36
PID 1588 wrote to memory of 1580 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 36
PID 1588 wrote to memory of 1488 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 37
PID 1588 wrote to memory of 1488 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 37
PID 1588 wrote to memory of 1488 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 37
PID 1588 wrote to memory of 1488 | 1588 | {D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe | 37
PID 1580 wrote to memory of 1684 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 38
PID 1580 wrote to memory of 1684 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 38
PID 1580 wrote to memory of 1684 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 38
PID 1580 wrote to memory of 1684 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 38
PID 1580 wrote to memory of 2144 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 39
PID 1580 wrote to memory of 2144 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 39
PID 1580 wrote to memory of 2144 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 39
PID 1580 wrote to memory of 2144 | 1580 | {E83D0614-1609-401c-A06E-0DA0917E7D45}.exe | 39
PID 1684 wrote to memory of 1016 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 40
PID 1684 wrote to memory of 1016 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 40
PID 1684 wrote to memory of 1016 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 40
PID 1684 wrote to memory of 1016 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 40
PID 1684 wrote to memory of 1776 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 41
PID 1684 wrote to memory of 1776 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 41
PID 1684 wrote to memory of 1776 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 41
PID 1684 wrote to memory of 1776 | 1684 | {E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe | 41
PID 1016 wrote to memory of 2288 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 42
PID 1016 wrote to memory of 2288 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 42
PID 1016 wrote to memory of 2288 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 42
PID 1016 wrote to memory of 2288 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 42
PID 1016 wrote to memory of 2200 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 43
PID 1016 wrote to memory of 2200 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 43
PID 1016 wrote to memory of 2200 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 43
PID 1016 wrote to memory of 2200 | 1016 | {1F7E2A90-4EB4-4893-990E-F02213A61194}.exe | 43
PID 2288 wrote to memory of 852 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 44
PID 2288 wrote to memory of 852 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 44
PID 2288 wrote to memory of 852 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 44
PID 2288 wrote to memory of 852 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 44
PID 2288 wrote to memory of 1204 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 45
PID 2288 wrote to memory of 1204 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 45
PID 2288 wrote to memory of 1204 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 45
PID 2288 wrote to memory of 1204 | 2288 | {E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe | 45
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"
  depth 1, PID:1920
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
    command line: C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
    depth 2, PID:2556
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
      command line: C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
      depth 3, PID:2528
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
        command line: C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
        depth 4, PID:1588
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
          command line: C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
          depth 5, PID:1580
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
            command line: C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
            depth 6, PID:1684
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
              command line: C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
              depth 7, PID:1016
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
                command line: C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
                depth 8, PID:2288
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
                  command line: C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
                  depth 9, PID:852
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
                    command line: C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
                    depth 10, PID:2072
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
                      command line: C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
                      depth 11, PID:596
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe
                        command line: C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe
                        depth 12, PID:1812
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{758F5~1.EXE > nul
                        depth 12, PID:1772
                    C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FBEDD~1.EXE > nul
                      depth 11, PID:524
                  C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0519F~1.EXE > nul
                    depth 10, PID:1992
                C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E4854~1.EXE > nul
                  depth 9, PID:1204
              C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1F7E2~1.EXE > nul
                depth 8, PID:2200
            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E0A~1.EXE > nul
              depth 7, PID:1776
          C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E83D0~1.EXE > nul
            depth 6, PID:2144
        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CBC~1.EXE > nul
          depth 5, PID:1488
      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{64B80~1.EXE > nul
        depth 4, PID:2408
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7F6C4~1.EXE > nul
      depth 3, PID:2604
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    depth 2, PID:2616
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads