Analysis
max time kernel: 144s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 17:36

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Resource: win10v2004-20240226-en

General
Target: 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Size: 216KB
MD5: 8ea0dd1a711c9c10168735d32e4aa174
SHA1: 25d038f82d14faf3c2911dd41ed978c86d838ae0
SHA256: dd45da4ac9e71a521959ca58a588567054e9cdcb884a15dfb0699bf81045c02e
SHA512: 25b011767726f66f55f5e1238de4535958536fdef94ece48267afae0bc1ff0e5ccf9963e073dd30ed47a765b5cdf23c3341d1e85d195c4daec3699cb2a33533d
SSDEEP: 3072:jEGh0o0l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x0009000000012248-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122e5-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c50-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122e5-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015c5b-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}\stubpath = "C:\\Windows\\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe" | {8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B262A6-8634-4111-B6C1-706529378260}\stubpath = "C:\\Windows\\{75B262A6-8634-4111-B6C1-706529378260}.exe" | {738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34944F5B-185C-4f6e-9C70-054FC4FFF07A} | {75B262A6-8634-4111-B6C1-706529378260}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B095A86-877A-41fe-9020-5B202D6BD5C2} | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC76868-8834-43c2-8005-D056C7D53FD0}\stubpath = "C:\\Windows\\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe" | {4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75B262A6-8634-4111-B6C1-706529378260} | {738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}\stubpath = "C:\\Windows\\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe" | {75B262A6-8634-4111-B6C1-706529378260}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17} | {DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554} | {8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B30212D-1F06-44a4-A49A-983A53730C27} | {02236274-6E38-4e40-B216-244B4A5A7C62}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02236274-6E38-4e40-B216-244B4A5A7C62}\stubpath = "C:\\Windows\\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe" | {46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}\stubpath = "C:\\Windows\\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe" | {DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}\stubpath = "C:\\Windows\\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe" | {2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC76868-8834-43c2-8005-D056C7D53FD0} | {4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02236274-6E38-4e40-B216-244B4A5A7C62} | {46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B30212D-1F06-44a4-A49A-983A53730C27}\stubpath = "C:\\Windows\\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe" | {02236274-6E38-4e40-B216-244B4A5A7C62}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{738898C5-E120-4eb7-A4F5-6CAB93E402FA} | {8B30212D-1F06-44a4-A49A-983A53730C27}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}\stubpath = "C:\\Windows\\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe" | {8B30212D-1F06-44a4-A49A-983A53730C27}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFF01D9-908D-4d74-929B-1ED6243A5585} | {34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFF01D9-908D-4d74-929B-1ED6243A5585}\stubpath = "C:\\Windows\\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe" | {34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B095A86-877A-41fe-9020-5B202D6BD5C2}\stubpath = "C:\\Windows\\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe" | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78} | {2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
Deletes itself 1 IoCs
pid | Process
2108 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
2584 | {2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
2560 | {4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
2416 | {8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
2384 | {46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
528 | {02236274-6E38-4e40-B216-244B4A5A7C62}.exe
1532 | {8B30212D-1F06-44a4-A49A-983A53730C27}.exe
308 | {738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
640 | {75B262A6-8634-4111-B6C1-706529378260}.exe
1328 | {34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
2240 | {DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
2992 | {4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe | {8B30212D-1F06-44a4-A49A-983A53730C27}.exe
File created | C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe | {738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
File created | C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
File created | C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe | {4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
File created | C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe | {02236274-6E38-4e40-B216-244B4A5A7C62}.exe
File created | C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe | {75B262A6-8634-4111-B6C1-706529378260}.exe
File created | C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe | {34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
File created | C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe | {DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
File created | C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe | {2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
File created | C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe | {8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
File created | C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe | {46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2144 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2584 | {2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
Token: SeIncBasePriorityPrivilege | 2560 | {4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
Token: SeIncBasePriorityPrivilege | 2416 | {8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
Token: SeIncBasePriorityPrivilege | 2384 | {46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
Token: SeIncBasePriorityPrivilege | 528 | {02236274-6E38-4e40-B216-244B4A5A7C62}.exe
Token: SeIncBasePriorityPrivilege | 1532 | {8B30212D-1F06-44a4-A49A-983A53730C27}.exe
Token: SeIncBasePriorityPrivilege | 308 | {738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
Token: SeIncBasePriorityPrivilege | 640 | {75B262A6-8634-4111-B6C1-706529378260}.exe
Token: SeIncBasePriorityPrivilege | 1328 | {34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
Token: SeIncBasePriorityPrivilege | 2240 | {DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe (PID 2144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe (PID 2584)
      Command line: C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe (PID 2560)
        Command line: C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe (PID 2416)
          Command line: C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe (PID 2384)
            Command line: C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe (PID 528)
              Command line: C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe (PID 1532)
                Command line: C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe (PID 308)
                  Command line: C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe (PID 640)
                    Command line: C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe (PID 1328)
                      Command line: C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe (PID 2240)
                        Command line: C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe (PID 2992)
                          Command line: C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe
                          - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 1936)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFF0~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2592)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34944~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 1228)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{75B26~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 1112)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{73889~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 2000)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8B302~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 616)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{02236~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2948)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{46A6E~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2204)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC76~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2476)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4567C~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2412)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2B095~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2108)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads