Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 17:41
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Size: 192KB
MD5: b74120f39986ebaf4507dd39d76c5a14
SHA1: f5ea0ec84e6830c1044d993559b1b8a5f1935a55
SHA256: 21a531c3306520a16e04aa7a4f24c5aab801c790525e46256fbaaf7665da9291
SHA512: 906e42a51642a1a0c3cb94383ecaa6e5bea2761a61f7d547a4e4e806c8e138124867d103fb06383fbbb3740b3ef18811d3f374ca4dbd74773550b88b3d5e1607
SSDEEP: 1536:1EGh0ool15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ool1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000014b70-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014ef8-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014b70-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015616-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014b70-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014b70-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014b70-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components.
description | ioc | Process
Set value (str) | {078E77AC-14C6-4977-AB96-835408A2F49B}\stubpath = "C:\\Windows\\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe" | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Key created | {A464C467-8DB9-4705-88A7-DD0F667D776E} | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
Set value (str) | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}\stubpath = "C:\\Windows\\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe" | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
Key created | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D} | {426B868C-88CF-4092-A3DF-94BE950B904C}.exe
Key created | {BA52E9F0-3EB2-4534-B398-8B14364E48F6} | {06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
Set value (str) | {BA52E9F0-3EB2-4534-B398-8B14364E48F6}\stubpath = "C:\\Windows\\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe" | {06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
Key created | {078E77AC-14C6-4977-AB96-835408A2F49B} | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Key created | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8} | {078E77AC-14C6-4977-AB96-835408A2F49B}.exe
Set value (str) | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}\stubpath = "C:\\Windows\\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe" | {078E77AC-14C6-4977-AB96-835408A2F49B}.exe
Key created | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8} | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
Set value (str) | {426B868C-88CF-4092-A3DF-94BE950B904C}\stubpath = "C:\\Windows\\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe" | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
Set value (str) | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}\stubpath = "C:\\Windows\\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe" | {426B868C-88CF-4092-A3DF-94BE950B904C}.exe
Set value (str) | {A464C467-8DB9-4705-88A7-DD0F667D776E}\stubpath = "C:\\Windows\\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe" | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
Key created | {461A4BCB-1FE3-4e37-8159-3E032AF404D3} | {A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
Set value (str) | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}\stubpath = "C:\\Windows\\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe" | {A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
Set value (str) | {27C34729-1D2F-4bdf-A242-3CC3E23B0618}\stubpath = "C:\\Windows\\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe" | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
Key created | {497601ED-FB01-40e0-AC8D-053166A61BD0} | {27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
Key created | {06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5} | {497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
Key created | {426B868C-88CF-4092-A3DF-94BE950B904C} | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
Key created | {27C34729-1D2F-4bdf-A242-3CC3E23B0618} | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
Set value (str) | {497601ED-FB01-40e0-AC8D-053166A61BD0}\stubpath = "C:\\Windows\\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe" | {27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
Set value (str) | {06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}\stubpath = "C:\\Windows\\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe" | {497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
Deletes itself (1 IoC)
pid | Process
2932 | cmd.exe

Executes dropped EXE (11 IoCs)
pid | Process
2616 | {078E77AC-14C6-4977-AB96-835408A2F49B}.exe
2528 | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
2860 | {A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
2488 | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
2964 | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
1664 | {426B868C-88CF-4092-A3DF-94BE950B904C}.exe
2812 | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
1656 | {27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
1700 | {497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
2228 | {06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
1508 | {BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe

Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe | {497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
File created | C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe | {06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
File created | C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
File created | C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe | {078E77AC-14C6-4977-AB96-835408A2F49B}.exe
File created | C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe | {A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
File created | C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe | {426B868C-88CF-4092-A3DF-94BE950B904C}.exe
File created | C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe | {27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
File created | C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
File created | C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
File created | C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
File created | C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2304 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2616 | {078E77AC-14C6-4977-AB96-835408A2F49B}.exe
Token: SeIncBasePriorityPrivilege | 2528 | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
Token: SeIncBasePriorityPrivilege | 2860 | {A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
Token: SeIncBasePriorityPrivilege | 2488 | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
Token: SeIncBasePriorityPrivilege | 2964 | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
Token: SeIncBasePriorityPrivilege | 1664 | {426B868C-88CF-4092-A3DF-94BE950B904C}.exe
Token: SeIncBasePriorityPrivilege | 2812 | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
Token: SeIncBasePriorityPrivilege | 1656 | {27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
Token: SeIncBasePriorityPrivilege | 1700 | {497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
Token: SeIncBasePriorityPrivilege | 2228 | {06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 2304 wrote to memory of 2616 | 2304 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 28 | 4
PID 2304 wrote to memory of 2932 | 2304 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 29 | 4
PID 2616 wrote to memory of 2528 | 2616 | {078E77AC-14C6-4977-AB96-835408A2F49B}.exe | 30 | 4
PID 2616 wrote to memory of 2564 | 2616 | {078E77AC-14C6-4977-AB96-835408A2F49B}.exe | 31 | 4
PID 2528 wrote to memory of 2860 | 2528 | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe | 32 | 4
PID 2528 wrote to memory of 2672 | 2528 | {4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe | 33 | 4
PID 2860 wrote to memory of 2488 | 2860 | {A464C467-8DB9-4705-88A7-DD0F667D776E}.exe | 36 | 4
PID 2860 wrote to memory of 1136 | 2860 | {A464C467-8DB9-4705-88A7-DD0F667D776E}.exe | 37 | 4
PID 2488 wrote to memory of 2964 | 2488 | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe | 38 | 4
PID 2488 wrote to memory of 2736 | 2488 | {461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe | 39 | 4
PID 2964 wrote to memory of 1664 | 2964 | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe | 40 | 4
PID 2964 wrote to memory of 1472 | 2964 | {556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe | 41 | 4
PID 1664 wrote to memory of 2812 | 1664 | {426B868C-88CF-4092-A3DF-94BE950B904C}.exe | 42 | 4
PID 1664 wrote to memory of 2800 | 1664 | {426B868C-88CF-4092-A3DF-94BE950B904C}.exe | 43 | 4
PID 2812 wrote to memory of 1656 | 2812 | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe | 44 | 4
PID 2812 wrote to memory of 1784 | 2812 | {2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe | 45 | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe (PID 2304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe (PID 2616)
    Command line: C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe (PID 2528)
      Command line: C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe (PID 2860)
        Command line: C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe (PID 2488)
          Command line: C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe (PID 2964)
            Command line: C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe (PID 1664)
              Command line: C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe (PID 2812)
                Command line: C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe (PID 1656)
                  Command line: C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe (PID 1700)
                    Command line: C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe (PID 2228)
                      Command line: C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe (PID 1508)
                        Command line: C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe
                        Signatures: Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (PID 1116)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{06D84~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (PID 540)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{49760~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (PID 2264)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{27C34~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (PID 1784)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2DCF1~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (PID 2800)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{426B8~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (PID 1472)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{556B1~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (PID 2736)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{461A4~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (PID 1136)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A464C~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (PID 2672)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4AAAD~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (PID 2564)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{078E7~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (PID 2932)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads