Analysis
max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
04/04/2024, 17:49
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
Resource
win10v2004-20240226-en
General
Target
2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
Size
380KB
MD5
f036fbd260dca5a72a2b761714835ff7
SHA1
fe5480d67ab5bba2aafecee3959c00bef49081ed
SHA256
c5f7588ba2df97c916346dd82a407fa589dff4e935f3092eb6419f10527892da
SHA512
d6bdbbc62a92136599d9d31defb0dcd369f91902ff2a48cad8cea1ad9e8adf3b436f43df659a68a0570f895547e7d6558bcd6598f78456cc0e4a77bfc7579aba
SSDEEP
3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGhl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
- behavioral1/files/0x000b000000012241-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000c000000015a2d-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000e00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000b000000015c69-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000f00000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0007000000015cb9-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0007000000015d88-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0008000000015cb9-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0008000000015d88-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0009000000015cb9-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0007000000015db4-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73} | {7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}\stubpath = "C:\\Windows\\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe" | {6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CDC359-E355-4fa8-8DBA-CACE4A966B37} | {3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}\stubpath = "C:\\Windows\\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe" | {3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}\stubpath = "C:\\Windows\\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe" | {67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0246A2FB-6463-4b59-A604-E0385EECC415} | {21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B07FA29-B8A2-460b-ACCB-961C905FF71A} | {0246A2FB-6463-4b59-A604-E0385EECC415}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA} | {67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0246A2FB-6463-4b59-A604-E0385EECC415}\stubpath = "C:\\Windows\\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe" | {21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4020D6E-9BC1-4f6a-9283-202CF950C12A} | {40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D} | {6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}\stubpath = "C:\\Windows\\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe" | {AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D770EE-D16E-49d0-94E9-4687A2731F34} | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}\stubpath = "C:\\Windows\\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe" | {0246A2FB-6463-4b59-A604-E0385EECC415}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}\stubpath = "C:\\Windows\\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe" | {7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}\stubpath = "C:\\Windows\\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe" | {40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B4FE9-B387-494f-A943-D3C282BA57DC} | {A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}\stubpath = "C:\\Windows\\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe" | {A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B} | {25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}\stubpath = "C:\\Windows\\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe" | {25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67D770EE-D16E-49d0-94E9-4687A2731F34}\stubpath = "C:\\Windows\\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe" | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA228BF3-5263-4748-8ED5-FD16E842F2BB} | {AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
Deletes itself 1 IoCs
pid | Process
- 2968 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
- 2056 | {67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
- 2796 | {21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
- 2416 | {0246A2FB-6463-4b59-A604-E0385EECC415}.exe
- 2016 | {7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
- 1480 | {40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
- 2768 | {A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
- 748 | {6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
- 2468 | {3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
- 872 | {25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
- 2096 | {AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
- 2072 | {DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
- File created | C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe | {AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
- File created | C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
- File created | C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe | {21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
- File created | C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | {0246A2FB-6463-4b59-A604-E0385EECC415}.exe
- File created | C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | {A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
- File created | C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe | {3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
- File created | C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe | {25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
- File created | C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | {67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
- File created | C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | {7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
- File created | C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | {40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
- File created | C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe | {6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
- Token: SeIncBasePriorityPrivilege | 1784 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
- Token: SeIncBasePriorityPrivilege | 2056 | {67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
- Token: SeIncBasePriorityPrivilege | 2796 | {21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
- Token: SeIncBasePriorityPrivilege | 2416 | {0246A2FB-6463-4b59-A604-E0385EECC415}.exe
- Token: SeIncBasePriorityPrivilege | 2016 | {7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
- Token: SeIncBasePriorityPrivilege | 1480 | {40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
- Token: SeIncBasePriorityPrivilege | 2768 | {A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
- Token: SeIncBasePriorityPrivilege | 748 | {6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
- Token: SeIncBasePriorityPrivilege | 2468 | {3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
- Token: SeIncBasePriorityPrivilege | 872 | {25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
- Token: SeIncBasePriorityPrivilege | 2096 | {AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(16 distinct entries; the report records each of them 4 times, giving the 64 IoCs above)
- PID 1784 wrote to memory of 2056 | 1784 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 28 (4 events)
- PID 1784 wrote to memory of 2968 | 1784 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 29 (4 events)
- PID 2056 wrote to memory of 2796 | 2056 | {67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | 30 (4 events)
- PID 2056 wrote to memory of 2712 | 2056 | {67D770EE-D16E-49d0-94E9-4687A2731F34}.exe | 31 (4 events)
- PID 2796 wrote to memory of 2416 | 2796 | {21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | 34 (4 events)
- PID 2796 wrote to memory of 2476 | 2796 | {21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe | 35 (4 events)
- PID 2416 wrote to memory of 2016 | 2416 | {0246A2FB-6463-4b59-A604-E0385EECC415}.exe | 36 (4 events)
- PID 2416 wrote to memory of 580 | 2416 | {0246A2FB-6463-4b59-A604-E0385EECC415}.exe | 37 (4 events)
- PID 2016 wrote to memory of 1480 | 2016 | {7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | 38 (4 events)
- PID 2016 wrote to memory of 2660 | 2016 | {7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe | 39 (4 events)
- PID 1480 wrote to memory of 2768 | 1480 | {40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | 40 (4 events)
- PID 1480 wrote to memory of 528 | 1480 | {40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe | 41 (4 events)
- PID 2768 wrote to memory of 748 | 2768 | {A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | 42 (4 events)
- PID 2768 wrote to memory of 2040 | 2768 | {A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe | 43 (4 events)
- PID 748 wrote to memory of 2468 | 748 | {6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | 44 (4 events)
- PID 748 wrote to memory of 2684 | 748 | {6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe | 45 (4 events)
Processes
(depth = position in the process tree; each process below is a child of the process at the previous depth)
- C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe (depth 1, PID 1784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe (depth 2, PID 2056)
  Command line: C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe (depth 3, PID 2796)
  Command line: C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe (depth 4, PID 2416)
  Command line: C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe (depth 5, PID 2016)
  Command line: C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe (depth 6, PID 1480)
  Command line: C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe (depth 7, PID 2768)
  Command line: C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe (depth 8, PID 748)
  Command line: C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe (depth 9, PID 2468)
  Command line: C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe (depth 10, PID 872)
  Command line: C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe (depth 11, PID 2096)
  Command line: C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe (depth 12, PID 2072)
  Command line: C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\cmd.exe (depth 12, PID 1848)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AF97A~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 11, PID 2812)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{25CDC~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2496)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3A856~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2684)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6E7B4~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2040)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A4020~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 7, PID 528)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{40F7D~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2660)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7B07F~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 5, PID 580)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0246A~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2476)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{21D7F~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2712)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{67D77~1.EXE > nul
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2968)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
380KB
MD5
db7aa5b7695086d9774eee3006e63e8b
SHA1
ce387f701380657bd05dd3deec5b17f7df94d022
SHA256
e87fbfe6163185ab64b517e82db03e844a8fa94a67a49d9fdddabc632da4befc
SHA512
f4d4d650dd90f257b5ae3a73e424ea6f268a02e664c5ebbb8c633cdaf282d914270bf6baa63a6431f81e839389f8dcc2f3ba1d20af7250d6c67d2857601af27d

Filesize
380KB
MD5
cac5499d8d7f46de07a2698e4b1fca86
SHA1
19d9c4bd117e85ae37723d2a2afada8c31a1662b
SHA256
3e8305fd5178bbb5d310610a4eb810fc13056054b2fae005473a8899c4a1cfbe
SHA512
86cf60343b8a7876dae1390bea60043480a01a34238dd4309522f99edaca75bc6c4ad6812af5b16e9391c1ababff3d0a56742b0aa4d631ca87763700fa73d1e9

Filesize
380KB
MD5
51d6972bd13f374904d2425fa9260fd1
SHA1
5f8ec7f8a516dc33eca8c167d20241c21f14f38f
SHA256
446dcac08e7116c135c311ecd0ebc6f30b2790be5a3a4f653d424242f2632377
SHA512
4e837cf159a8f052bf5d8bfdddf191fd54522af62b15427c3be6417d3ef4cfb386e3c4a2bf80112effa0809bac5bbdae0353a89ed1a11b5d97fae41476d4a781

Filesize
380KB
MD5
7941e23059e3d610f8e728b148b38256
SHA1
f5dc5bb7715e702689f887d8026e9aeeac01e42f
SHA256
51af5bbaa8e72224b856bc1927b6aa68c2cbea4426b59768ede6b37290c8f49c
SHA512
87186d913cad726b250614283ef56a48981f5eda04b1b3b2691b3e9333ef5775c4f824f78cce862076d50ffd2cb0b7d9dbb7494b8d64d5bf9b247ab4139afd55

Filesize
380KB
MD5
cea25b498077a23ed2c17343e6074acc
SHA1
16f24ac8ac75238895e9af936aa5f4d67281647b
SHA256
6089aaee336f57def4afadb9492892de7314c9bfede0ce38807b864c76e17bf4
SHA512
778c6dbe8fb6b3fdf0cd884f16d2caa22b4d06fc6d39e3b70bead7093f8a7e9302e84678fbd338c686846700c6ecd1890418a570a64138e6a8e39bd4cb2844d4

Filesize
380KB
MD5
798b37a5ec6d1894c64137cd814ce2ec
SHA1
0d2f774073bf7f6cfe5394c154b0c558ba3d16fe
SHA256
7abefc5775f08409d124fd389511d52109fadbc58582b6fc99f173dd337d8c9d
SHA512
bacef93bc354bed6c545b136db76c8d97a4efbc92567488143028d7f45065e70a671373a379d7c7690c1790ffb9eb5617a2f9f44975d61642697110e9c48bfd8

Filesize
380KB
MD5
57f57a7eefcd2b10b298cb3901da8cfa
SHA1
6681442d56079990ead67be77ee8f41393c7e8c4
SHA256
792d25ec4b27b97e02a61059baf4dd82d2c988e03c97edfa8a57f6f8d95b3ca2
SHA512
dbb0ac5fac4b6352dcefe072e2f115b06c328f4696290234968d0a3f04ec246347a820478b8263f3fb81ce798264ec91003a71599a7c323c25732b3514a6534b

Filesize
380KB
MD5
d483b89cb4f6d4b8fd5a8335dcc7a0f3
SHA1
2075abe6509c5bcdd0aae7adbb1755df436edc49
SHA256
c3721e7798fc5ca40f1dfc7d83f4276433b08ad40926fd0f16230b983130bac4
SHA512
e5fb251d0a87628fbfd6ae27f9f0bf8535d441101795d9fa9d6e26c487a1a266a952ebc1562b8cce035a99f2e52a18c89ab54704f395bf6ded3815294e5845f0

Filesize
380KB
MD5
12bcccd9444bb6221de6441de11dad82
SHA1
20968c1cd024ba741aef164acb60d68314d400d6
SHA256
31e2dd275513bfe5ce39b43fe3e082710aaafa08a53c7178e538c0e85cf0ec01
SHA512
7d615609abeb3f298da6381004d9c6e421cc2419ff7265c282cbd91737d4b9438ec299ac8a83b36b4ef8418934ecd65fd921ea3c2538fe087b2b169d213c3aeb

Filesize
380KB
MD5
9a613d3c95f31a3e480d351f8d8645e5
SHA1
bbb9682bdecb70f4650c19c1b5890ba6467297d2
SHA256
15b55173db355edf7a58a1320c4aecd3e3e467b429b57efe82cd706ea8370d21
SHA512
1138bd7ab3fef6a77420ef1b3471bfd9f7eb33070796dabf9b0eeb73de6df5f8cd2f2898ea57a5b3febecfe8bd2b2a39a3972e06d26302d4cfe750bd9c19a009

Filesize
380KB
MD5
a95d460006ccf8acfade824368945f59
SHA1
327c70eda9699e50aa41bab1368aa20909ea1dd8
SHA256
760679e993412bba2781ded187b6e91aaf8403ab1b5d84d51770e1b6419558a3
SHA512
d22b0495550830a107cb1529bac2271a91e4a074fae9f2342af800559dd56ec874bfa5827f1e738a1c4389211037be737a9efe6893e478511770745261d2c154