Analysis

max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 17:48

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
Size: 197KB
MD5: e4d2a0c0c33dc92bb5245ec3f744cdbf
SHA1: 3efb34fc084ec2a81d56a8253fe55a2245e969a3
SHA256: 2489e2760ad547f24841cca1879a74d5d47ca8083c53eb86fa73977edcfefd5e
SHA512: ed6b4ebfc4e272740d4eb36f8ef6906bf29a6579a80fbad88414d9c3b4ac01839ee609a710d9df1a66708d0329c5df62fe74d9a930a1eb2017b4922618d75a17
SSDEEP: 3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca
Malware Config
Signatures
Auto-generated rule (11 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0009000000014909-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x002c000000014c67-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000f00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x002d000000014c67-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001000000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x002e000000014c67-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001100000000f680-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x002f000000014c67-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001200000000f680-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0030000000014c67-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001300000000f680-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188} | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44FE8BB-A758-4604-8038-D6BBB468095E} | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D44FE8BB-A758-4604-8038-D6BBB468095E}\stubpath = "C:\\Windows\\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe" | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5} | {8F86B980-6168-4005-A647-C532A5A89090}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A} | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}\stubpath = "C:\\Windows\\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe" | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065356A9-054A-438d-801D-7B8D233D20D9} | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C002CB-84F6-43c4-8669-828973402A04}\stubpath = "C:\\Windows\\{49C002CB-84F6-43c4-8669-828973402A04}.exe" | {065356A9-054A-438d-801D-7B8D233D20D9}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}\stubpath = "C:\\Windows\\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe" | {8F86B980-6168-4005-A647-C532A5A89090}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4} | {F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B8E691-3B63-47e8-8344-4A35FE4BE585} | {2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F86B980-6168-4005-A647-C532A5A89090} | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C002CB-84F6-43c4-8669-828973402A04} | {065356A9-054A-438d-801D-7B8D233D20D9}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}\stubpath = "C:\\Windows\\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe" | {49C002CB-84F6-43c4-8669-828973402A04}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}\stubpath = "C:\\Windows\\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe" | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D49ADD-D329-401d-94D9-C0437798EB4E}\stubpath = "C:\\Windows\\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe" | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12D49ADD-D329-401d-94D9-C0437798EB4E} | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}\stubpath = "C:\\Windows\\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe" | {2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{065356A9-054A-438d-801D-7B8D233D20D9}\stubpath = "C:\\Windows\\{065356A9-054A-438d-801D-7B8D233D20D9}.exe" | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D} | {49C002CB-84F6-43c4-8669-828973402A04}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F86B980-6168-4005-A647-C532A5A89090}\stubpath = "C:\\Windows\\{8F86B980-6168-4005-A647-C532A5A89090}.exe" | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}\stubpath = "C:\\Windows\\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe" | {F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe |
Deletes itself (1 IoC)

| pid | Process |
|---|---|
| 2700 | cmd.exe |
Executes dropped EXE (11 IoCs)

| pid | Process |
|---|---|
| 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe |
| 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe |
| 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe |
| 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe |
| 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe |
| 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe |
| 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe |
| 1588 | {8F86B980-6168-4005-A647-C532A5A89090}.exe |
| 1612 | {F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe |
| 2296 | {2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe |
| 2880 | {E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe | {065356A9-054A-438d-801D-7B8D233D20D9}.exe |
| File created | C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | {49C002CB-84F6-43c4-8669-828973402A04}.exe |
| File created | C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe |
| File created | C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe | {2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe |
| File created | C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe |
| File created | C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe | {8F86B980-6168-4005-A647-C532A5A89090}.exe |
| File created | C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe | {F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe |
| File created | C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe |
| File created | C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe |
| File created | C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe |
| File created | C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe |
Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe |
| Token: SeIncBasePriorityPrivilege | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe |
| Token: SeIncBasePriorityPrivilege | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe |
| Token: SeIncBasePriorityPrivilege | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe |
| Token: SeIncBasePriorityPrivilege | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe |
| Token: SeIncBasePriorityPrivilege | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe |
| Token: SeIncBasePriorityPrivilege | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe |
| Token: SeIncBasePriorityPrivilege | 1588 | {8F86B980-6168-4005-A647-C532A5A89090}.exe |
| Token: SeIncBasePriorityPrivilege | 1612 | {F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe |
| Token: SeIncBasePriorityPrivilege | 2296 | {2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1548 wrote to memory of 2528 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 28 |
| PID 1548 wrote to memory of 2528 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 28 |
| PID 1548 wrote to memory of 2528 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 28 |
| PID 1548 wrote to memory of 2528 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 28 |
| PID 1548 wrote to memory of 2700 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 29 |
| PID 1548 wrote to memory of 2700 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 29 |
| PID 1548 wrote to memory of 2700 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 29 |
| PID 1548 wrote to memory of 2700 | 1548 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 29 |
| PID 2528 wrote to memory of 2536 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 30 |
| PID 2528 wrote to memory of 2536 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 30 |
| PID 2528 wrote to memory of 2536 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 30 |
| PID 2528 wrote to memory of 2536 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 30 |
| PID 2528 wrote to memory of 2456 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 31 |
| PID 2528 wrote to memory of 2456 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 31 |
| PID 2528 wrote to memory of 2456 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 31 |
| PID 2528 wrote to memory of 2456 | 2528 | {57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe | 31 |
| PID 2536 wrote to memory of 2748 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 34 |
| PID 2536 wrote to memory of 2748 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 34 |
| PID 2536 wrote to memory of 2748 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 34 |
| PID 2536 wrote to memory of 2748 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 34 |
| PID 2536 wrote to memory of 2936 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 35 |
| PID 2536 wrote to memory of 2936 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 35 |
| PID 2536 wrote to memory of 2936 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 35 |
| PID 2536 wrote to memory of 2936 | 2536 | {065356A9-054A-438d-801D-7B8D233D20D9}.exe | 35 |
| PID 2748 wrote to memory of 944 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 36 |
| PID 2748 wrote to memory of 944 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 36 |
| PID 2748 wrote to memory of 944 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 36 |
| PID 2748 wrote to memory of 944 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 36 |
| PID 2748 wrote to memory of 1352 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 37 |
| PID 2748 wrote to memory of 1352 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 37 |
| PID 2748 wrote to memory of 1352 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 37 |
| PID 2748 wrote to memory of 1352 | 2748 | {49C002CB-84F6-43c4-8669-828973402A04}.exe | 37 |
| PID 944 wrote to memory of 1836 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 38 |
| PID 944 wrote to memory of 1836 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 38 |
| PID 944 wrote to memory of 1836 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 38 |
| PID 944 wrote to memory of 1836 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 38 |
| PID 944 wrote to memory of 2612 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 39 |
| PID 944 wrote to memory of 2612 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 39 |
| PID 944 wrote to memory of 2612 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 39 |
| PID 944 wrote to memory of 2612 | 944 | {46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe | 39 |
| PID 1836 wrote to memory of 2076 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 40 |
| PID 1836 wrote to memory of 2076 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 40 |
| PID 1836 wrote to memory of 2076 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 40 |
| PID 1836 wrote to memory of 2076 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 40 |
| PID 1836 wrote to memory of 2624 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 41 |
| PID 1836 wrote to memory of 2624 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 41 |
| PID 1836 wrote to memory of 2624 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 41 |
| PID 1836 wrote to memory of 2624 | 1836 | {FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe | 41 |
| PID 2076 wrote to memory of 876 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 42 |
| PID 2076 wrote to memory of 876 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 42 |
| PID 2076 wrote to memory of 876 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 42 |
| PID 2076 wrote to memory of 876 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 42 |
| PID 2076 wrote to memory of 2328 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 43 |
| PID 2076 wrote to memory of 2328 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 43 |
| PID 2076 wrote to memory of 2328 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 43 |
| PID 2076 wrote to memory of 2328 | 2076 | {D44FE8BB-A758-4604-8038-D6BBB468095E}.exe | 43 |
| PID 876 wrote to memory of 1588 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 44 |
| PID 876 wrote to memory of 1588 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 44 |
| PID 876 wrote to memory of 1588 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 44 |
| PID 876 wrote to memory of 1588 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 44 |
| PID 876 wrote to memory of 2668 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 45 |
| PID 876 wrote to memory of 2668 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 45 |
| PID 876 wrote to memory of 2668 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 45 |
| PID 876 wrote to memory of 2668 | 876 | {12D49ADD-D329-401d-94D9-C0437798EB4E}.exe | 45 |
Processes

Each entry gives the process's nesting depth in the process tree, its image path, its command line, its PID and the signatures that matched it.

Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"
PID: 1548
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe
Command line: C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe
PID: 2528
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe
Command line: C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe
PID: 2536
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe
Command line: C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe
PID: 2748
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe
Command line: C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe
PID: 944
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe
Command line: C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe
PID: 1836
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe
Command line: C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe
PID: 2076
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe
Command line: C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe
PID: 876
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe
Command line: C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe
PID: 1588
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Depth 10: C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe
Command line: C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe
PID: 1612
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Depth 11: C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe
Command line: C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe
PID: 2296
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Depth 12: C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe
Command line: C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe
PID: 2880
- Executes dropped EXE

Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2D944~1.EXE > nul
PID: 2292

Depth 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F17DA~1.EXE > nul
PID: 1112

Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8F86B~1.EXE > nul
PID: 1812

Depth 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{12D49~1.EXE > nul
PID: 2668

Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D44FE~1.EXE > nul
PID: 2328

Depth 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FC3A4~1.EXE > nul
PID: 2624

Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{46FE6~1.EXE > nul
PID: 2612

Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{49C00~1.EXE > nul
PID: 1352

Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{06535~1.EXE > nul
PID: 2936

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{57BD6~1.EXE > nul
PID: 2456

Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
PID: 2700
- Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads