Analysis

- max time kernel: 144s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 07:43

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
- Resource: win10v2004-20240426-en
General

- Target: 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
- Size: 216KB
- MD5: 02cee40891f0ec895fee7ec2e24c90e3
- SHA1: 7743bda3774f8af185c52a078fd12e46467ac500
- SHA256: ff12976a1169418732511afc0a1c16e08f5f3b51a008e8a752dba255770011d9
- SHA512: f479598a28cecbf455048d211dd1fac3d4e15180eba2d709f71f25f1e0c045ed5bd5e61d46a7989d2a956330bb0ae5273637aa1bca77bc3d5fd389a2124c0b26
- SSDEEP: 3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGylEeKcAEcGy
Malware Config
Signatures
Auto-generated rule (11 IoCs)

resource | yara_rule
- behavioral1/files/0x000c00000001443b-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x00340000000146fc-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000d00000001443b-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x003400000001471a-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000e00000001443b-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000f00000001443b-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x001000000001443b-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1AF5211-C094-4eb3-816D-BDB03698DE2A} | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA61A470-6B12-4f5f-9657-5C2E147557BF} | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA61A470-6B12-4f5f-9657-5C2E147557BF}\stubpath = "C:\\Windows\\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe" | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0} | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}\stubpath = "C:\\Windows\\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe" | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A350C63-BE94-4dcc-9C57-981B688BE607} | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A350C63-BE94-4dcc-9C57-981B688BE607}\stubpath = "C:\\Windows\\{0A350C63-BE94-4dcc-9C57-981B688BE607}.exe" | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}\stubpath = "C:\\Windows\\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe" | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA88231-C4DB-44b7-9967-7B01D577896B} | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74984FC1-F4AC-4b60-87E4-89E899C069D3} | {CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE} | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}\stubpath = "C:\\Windows\\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe" | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA88231-C4DB-44b7-9967-7B01D577896B}\stubpath = "C:\\Windows\\{FDA88231-C4DB-44b7-9967-7B01D577896B}.exe" | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3FAB376-66A3-40f3-A598-0B223E61B11D}\stubpath = "C:\\Windows\\{D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe" | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A140964C-65B3-416a-B9F8-58E2C3E27349}\stubpath = "C:\\Windows\\{A140964C-65B3-416a-B9F8-58E2C3E27349}.exe" | {74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}\stubpath = "C:\\Windows\\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe" | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190} | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3FAB376-66A3-40f3-A598-0B223E61B11D} | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009} | {0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}\stubpath = "C:\\Windows\\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe" | {0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74984FC1-F4AC-4b60-87E4-89E899C069D3}\stubpath = "C:\\Windows\\{74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe" | {CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A140964C-65B3-416a-B9F8-58E2C3E27349} | {74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
Executes dropped EXE (11 IoCs)

pid | Process
- 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
- 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
- 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
- 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
- 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
- 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
- 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
- 2220 | {0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
- 2332 | {CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
- 2808 | {74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
- 600 | {A140964C-65B3-416a-B9F8-58E2C3E27349}.exe
Drops file in Windows directory (11 IoCs)

description | ioc | Process
- File created | C:\Windows\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
- File created | C:\Windows\{FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
- File created | C:\Windows\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
- File created | C:\Windows\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe | {0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
- File created | C:\Windows\{A140964C-65B3-416a-B9F8-58E2C3E27349}.exe | {74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
- File created | C:\Windows\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
- File created | C:\Windows\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
- File created | C:\Windows\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
- File created | C:\Windows\{D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
- File created | C:\Windows\{0A350C63-BE94-4dcc-9C57-981B688BE607}.exe | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
- File created | C:\Windows\{74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe | {CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)

description | pid | Process
- Token: SeIncBasePriorityPrivilege | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
- Token: SeIncBasePriorityPrivilege | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
- Token: SeIncBasePriorityPrivilege | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
- Token: SeIncBasePriorityPrivilege | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
- Token: SeIncBasePriorityPrivilege | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
- Token: SeIncBasePriorityPrivilege | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
- Token: SeIncBasePriorityPrivilege | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
- Token: SeIncBasePriorityPrivilege | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
- Token: SeIncBasePriorityPrivilege | 2220 | {0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
- Token: SeIncBasePriorityPrivilege | 2332 | {CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
- Token: SeIncBasePriorityPrivilege | 2808 | {74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
- PID 2276 wrote to memory of 2060 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 28
- PID 2276 wrote to memory of 2060 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 28
- PID 2276 wrote to memory of 2060 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 28
- PID 2276 wrote to memory of 2060 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 28
- PID 2276 wrote to memory of 2532 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 29
- PID 2276 wrote to memory of 2532 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 29
- PID 2276 wrote to memory of 2532 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 29
- PID 2276 wrote to memory of 2532 | 2276 | 2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe | 29
- PID 2060 wrote to memory of 2640 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 30
- PID 2060 wrote to memory of 2640 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 30
- PID 2060 wrote to memory of 2640 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 30
- PID 2060 wrote to memory of 2640 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 30
- PID 2060 wrote to memory of 2788 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 31
- PID 2060 wrote to memory of 2788 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 31
- PID 2060 wrote to memory of 2788 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 31
- PID 2060 wrote to memory of 2788 | 2060 | {C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe | 31
- PID 2640 wrote to memory of 2468 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 32
- PID 2640 wrote to memory of 2468 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 32
- PID 2640 wrote to memory of 2468 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 32
- PID 2640 wrote to memory of 2468 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 32
- PID 2640 wrote to memory of 2632 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 33
- PID 2640 wrote to memory of 2632 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 33
- PID 2640 wrote to memory of 2632 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 33
- PID 2640 wrote to memory of 2632 | 2640 | {CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe | 33
- PID 2468 wrote to memory of 2112 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 36
- PID 2468 wrote to memory of 2112 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 36
- PID 2468 wrote to memory of 2112 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 36
- PID 2468 wrote to memory of 2112 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 36
- PID 2468 wrote to memory of 1700 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 37
- PID 2468 wrote to memory of 1700 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 37
- PID 2468 wrote to memory of 1700 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 37
- PID 2468 wrote to memory of 1700 | 2468 | {DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe | 37
- PID 2112 wrote to memory of 2728 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 38
- PID 2112 wrote to memory of 2728 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 38
- PID 2112 wrote to memory of 2728 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 38
- PID 2112 wrote to memory of 2728 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 38
- PID 2112 wrote to memory of 2768 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 39
- PID 2112 wrote to memory of 2768 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 39
- PID 2112 wrote to memory of 2768 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 39
- PID 2112 wrote to memory of 2768 | 2112 | {F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe | 39
- PID 2728 wrote to memory of 1704 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 40
- PID 2728 wrote to memory of 1704 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 40
- PID 2728 wrote to memory of 1704 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 40
- PID 2728 wrote to memory of 1704 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 40
- PID 2728 wrote to memory of 1032 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 41
- PID 2728 wrote to memory of 1032 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 41
- PID 2728 wrote to memory of 1032 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 41
- PID 2728 wrote to memory of 1032 | 2728 | {FDA88231-C4DB-44b7-9967-7B01D577896B}.exe | 41
- PID 1704 wrote to memory of 1936 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 42
- PID 1704 wrote to memory of 1936 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 42
- PID 1704 wrote to memory of 1936 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 42
- PID 1704 wrote to memory of 1936 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 42
- PID 1704 wrote to memory of 2248 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 43
- PID 1704 wrote to memory of 2248 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 43
- PID 1704 wrote to memory of 2248 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 43
- PID 1704 wrote to memory of 2248 | 1704 | {1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe | 43
- PID 1936 wrote to memory of 2220 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 44
- PID 1936 wrote to memory of 2220 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 44
- PID 1936 wrote to memory of 2220 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 44
- PID 1936 wrote to memory of 2220 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 44
- PID 1936 wrote to memory of 868 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 45
- PID 1936 wrote to memory of 868 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 45
- PID 1936 wrote to memory of 868 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 45
- PID 1936 wrote to memory of 868 | 1936 | {D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe | 45
Processes

Each entry gives the process image, its command line, the depth in the process tree, the signatures it triggered, and its PID; child processes are nested under their parent.

- C:\Users\Admin\AppData\Local\Temp\2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe (depth 1, PID 2276)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe (depth 2, PID 2060)
    Command line: C:\Windows\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe (depth 3, PID 2640)
      Command line: C:\Windows\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe (depth 4, PID 2468)
        Command line: C:\Windows\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe (depth 5, PID 2112)
          Command line: C:\Windows\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{FDA88231-C4DB-44b7-9967-7B01D577896B}.exe (depth 6, PID 2728)
            Command line: C:\Windows\{FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe (depth 7, PID 1704)
              Command line: C:\Windows\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe (depth 8, PID 1936)
                Command line: C:\Windows\{D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{0A350C63-BE94-4dcc-9C57-981B688BE607}.exe (depth 9, PID 2220)
                  Command line: C:\Windows\{0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe (depth 10, PID 2332)
                    Command line: C:\Windows\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe (depth 11, PID 2808)
                      Command line: C:\Windows\{74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{A140964C-65B3-416a-B9F8-58E2C3E27349}.exe (depth 12, PID 600)
                        Command line: C:\Windows\{A140964C-65B3-416a-B9F8-58E2C3E27349}.exe
                        Signatures: Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (depth 12, PID 348)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{74984~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (depth 11, PID 856)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CF8E0~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2420)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0A350~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 868)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D3FAB~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2248)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1D887~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 1032)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA88~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2768)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F282A~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 1700)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DA61A~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2632)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD15~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2788)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C1AF5~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2532)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads