Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01/06/2024, 20:03
Static task: static1
Behavioral task: behavioral1
  Sample: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
  Resource: win10v2004-20240508-en
General
Target: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Size: 180KB
MD5: 78daf397d39aa60d56471f67bacf471e
SHA1: 321307f2afdc67b1a63ae9468c4c6e49b314b56c
SHA256: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983
SHA512: 6a2238e98ffeef3d3f8500f6279e876091f8d10bbe3fb83f5e340f043b3b7439472b422756c58464e840de5edce8bd1b43f2259b10dbb8ab19a4fb69182707e1
SSDEEP: 3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000c00000001313a-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015d07-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001313a-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001313a-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001313a-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001313a-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001313a-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE} | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C50E527-07FD-4c76-A471-A588FD4E4552} | {6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8652973A-9E9A-4337-B900-8AF2A0582249} | {9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{827E2511-E15D-43f9-BFD9-CD1888AAA72A} | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91481A97-0C26-4903-AA71-1C8A7C7A1552} | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}\stubpath = "C:\\Windows\\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe" | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583F0504-4668-4df7-862A-A3B7E32BB90E}\stubpath = "C:\\Windows\\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe" | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7} | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}\stubpath = "C:\\Windows\\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe" | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}\stubpath = "C:\\Windows\\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe" | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E} | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C50E527-07FD-4c76-A471-A588FD4E4552}\stubpath = "C:\\Windows\\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe" | {6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8652973A-9E9A-4337-B900-8AF2A0582249}\stubpath = "C:\\Windows\\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe" | {9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}\stubpath = "C:\\Windows\\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe" | {8652973A-9E9A-4337-B900-8AF2A0582249}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583F0504-4668-4df7-862A-A3B7E32BB90E} | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}\stubpath = "C:\\Windows\\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe" | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}\stubpath = "C:\\Windows\\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe" | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57352ABD-CF91-4347-9A4D-2DBA277A61B9} | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}\stubpath = "C:\\Windows\\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe" | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91481A97-0C26-4903-AA71-1C8A7C7A1552}\stubpath = "C:\\Windows\\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe" | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0} | {8652973A-9E9A-4337-B900-8AF2A0582249}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB} | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
Deletes itself (1 IoC)
pid | Process
3040 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
2524 | {6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
2272 | {9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
2016 | {8652973A-9E9A-4337-B900-8AF2A0582249}.exe
1332 | {FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
File created | C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
File created | C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe | {6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
File created | C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe | {9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
File created | C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
File created | C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
File created | C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe | {8652973A-9E9A-4337-B900-8AF2A0582249}.exe
File created | C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
File created | C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
File created | C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
File created | C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Token: SeIncBasePriorityPrivilege | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
Token: SeIncBasePriorityPrivilege | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
Token: SeIncBasePriorityPrivilege | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
Token: SeIncBasePriorityPrivilege | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
Token: SeIncBasePriorityPrivilege | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
Token: SeIncBasePriorityPrivilege | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
Token: SeIncBasePriorityPrivilege | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
Token: SeIncBasePriorityPrivilege | 2524 | {6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
Token: SeIncBasePriorityPrivilege | 2272 | {9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
Token: SeIncBasePriorityPrivilege | 2016 | {8652973A-9E9A-4337-B900-8AF2A0582249}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2188 wrote to memory of 2928 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 28
PID 2188 wrote to memory of 2928 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 28
PID 2188 wrote to memory of 2928 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 28
PID 2188 wrote to memory of 2928 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 28
PID 2188 wrote to memory of 3040 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 29
PID 2188 wrote to memory of 3040 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 29
PID 2188 wrote to memory of 3040 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 29
PID 2188 wrote to memory of 3040 | 2188 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 29
PID 2928 wrote to memory of 2584 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 30
PID 2928 wrote to memory of 2584 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 30
PID 2928 wrote to memory of 2584 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 30
PID 2928 wrote to memory of 2584 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 30
PID 2928 wrote to memory of 2432 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 31
PID 2928 wrote to memory of 2432 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 31
PID 2928 wrote to memory of 2432 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 31
PID 2928 wrote to memory of 2432 | 2928 | {583F0504-4668-4df7-862A-A3B7E32BB90E}.exe | 31
PID 2584 wrote to memory of 2752 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 32
PID 2584 wrote to memory of 2752 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 32
PID 2584 wrote to memory of 2752 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 32
PID 2584 wrote to memory of 2752 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 32
PID 2584 wrote to memory of 2724 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 33
PID 2584 wrote to memory of 2724 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 33
PID 2584 wrote to memory of 2724 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 33
PID 2584 wrote to memory of 2724 | 2584 | {570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe | 33
PID 2752 wrote to memory of 2988 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 36
PID 2752 wrote to memory of 2988 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 36
PID 2752 wrote to memory of 2988 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 36
PID 2752 wrote to memory of 2988 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 36
PID 2752 wrote to memory of 1528 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 37
PID 2752 wrote to memory of 1528 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 37
PID 2752 wrote to memory of 1528 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 37
PID 2752 wrote to memory of 1528 | 2752 | {B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe | 37
PID 2988 wrote to memory of 2980 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 38
PID 2988 wrote to memory of 2980 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 38
PID 2988 wrote to memory of 2980 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 38
PID 2988 wrote to memory of 2980 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 38
PID 2988 wrote to memory of 2960 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 39
PID 2988 wrote to memory of 2960 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 39
PID 2988 wrote to memory of 2960 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 39
PID 2988 wrote to memory of 2960 | 2988 | {827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe | 39
PID 2980 wrote to memory of 1712 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 40
PID 2980 wrote to memory of 1712 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 40
PID 2980 wrote to memory of 1712 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 40
PID 2980 wrote to memory of 1712 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 40
PID 2980 wrote to memory of 2320 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 41
PID 2980 wrote to memory of 2320 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 41
PID 2980 wrote to memory of 2320 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 41
PID 2980 wrote to memory of 2320 | 2980 | {57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe | 41
PID 1712 wrote to memory of 1496 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 42
PID 1712 wrote to memory of 1496 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 42
PID 1712 wrote to memory of 1496 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 42
PID 1712 wrote to memory of 1496 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 42
PID 1712 wrote to memory of 2680 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 43
PID 1712 wrote to memory of 2680 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 43
PID 1712 wrote to memory of 2680 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 43
PID 1712 wrote to memory of 2680 | 1712 | {BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe | 43
PID 1496 wrote to memory of 2524 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 44
PID 1496 wrote to memory of 2524 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 44
PID 1496 wrote to memory of 2524 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 44
PID 1496 wrote to memory of 2524 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 44
PID 1496 wrote to memory of 2776 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 45
PID 1496 wrote to memory of 2776 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 45
PID 1496 wrote to memory of 2776 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 45
PID 1496 wrote to memory of 2776 | 1496 | {91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe | 45
Processes
(process tree; [n] is the nesting depth, each entry lists its image path, command line, triggered signatures and PID)
[1] C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2188
  [2] C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
      command line: C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2928
    [3] C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
        command line: C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2584
      [4] C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
          command line: C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2752
        [5] C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
            command line: C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2988
          [6] C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
              command line: C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2980
            [7] C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
                command line: C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 1712
              [8] C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
                  command line: C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 1496
                [9] C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
                    command line: C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 2524
                  [10] C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
                      command line: C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 2272
                    [11] C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe
                        command line: C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 2016
                      [12] C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe
                          command line: C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe
                          - Executes dropped EXE
                          PID: 1332
                      [12] C:\Windows\SysWOW64\cmd.exe
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{86529~1.EXE > nul
                          PID: 1820
                    [11] C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9C50E~1.EXE > nul
                        PID: 1264
                  [10] C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF59~1.EXE > nul
                      PID: 1284
                [9] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{91481~1.EXE > nul
                    PID: 2776
              [8] C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BD6E6~1.EXE > nul
                  PID: 2680
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{57352~1.EXE > nul
                PID: 2320
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{827E2~1.EXE > nul
              PID: 2960
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B59C3~1.EXE > nul
            PID: 1528
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{570AB~1.EXE > nul
          PID: 2724
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{583F0~1.EXE > nul
        PID: 2432
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328FB4~1.EXE > nul
      - Deletes itself
      PID: 3040
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 180KB
MD5: 3afcf82d1b8edb5c9090abb7753e444b
SHA1: d9980e74c151c3af9edf1dd67f064aada2d160ce
SHA256: 7a8298e77d312fd5983d6fdc285b14ce2c2840e3a9c790fc01427c7dc9797d51
SHA512: 232f7823907950d8a26a772977b0c3cd6dc2ecae58b817b2d73291b957758d6d089587ec1be20fef5de5fd86900a5901f709daa5467e6e288b22d060591e3847

Filesize: 180KB
MD5: 977e5dd93f71f11f74d5d4ea816cf6f9
SHA1: e986745c4d9f188892cc95dd9d8e98f2217bd359
SHA256: 67f2a72a657e7f6073449a559de46f24ce925cb2ef436d5d3c01b2bc70ffb12a
SHA512: 399a53a3b0ded53b43e526bc9c56f8f583f1e9f955313c828e28a445eb998bf482ad2b687b28f6524afc0707636621f4d332fda85e14f6cc0bd2b3966634e199

Filesize: 180KB
MD5: 8ef79a307c0514f7934efa6ff26356fc
SHA1: e7f1f3384aa542cd1b8a3c962c187f516e26009d
SHA256: 07734619d188010d73517565655e9aff5a8e5cfb11d337ef2dfd046377ea4d25
SHA512: f90d1d94642c8d6ba17ded1c57a55c5aa24081b107acfe0f6f96d44e1877a7b6a4bd128ee9af28c228e194af75012f82031ac823bf56f24ed104327e94b36a03

Filesize: 180KB
MD5: 7e66924e521182f1eb8ae885ddae7938
SHA1: eef92e542ae9175da4961f84f8ac9ac72daaf70d
SHA256: 9ea41dbb280294aefd2b2ed4993534316fe54e44f7915695b7c3b7c26aec59d6
SHA512: 93aceaf953211ee8343197257b5913e9dc5f5813ae6f2c43812752f598996a0d7e056e4b5bd97fa15b8ad5601322c81c56f7701d9a8c5c0e63effd237f55b4e8

Filesize: 180KB
MD5: 31b404dd80336db87af8e143e4861a89
SHA1: 33ad0b796161075cee4a8eddec7c1552c20a7a5d
SHA256: c0255909237a8666a8001f37ae7d1384ebe4b949c2cf443defa93367f9fbf12d
SHA512: 8ff7027db772dad7751fed0f4089d862c6264d07f0933282966e9902f75230e719f2394252d9d114c9c69ce49fe500846c2ae88723eda59aedbae9537c6e63e9

Filesize: 180KB
MD5: 6943f16399b2a8d5e125e001809383d7
SHA1: 13f2efd26bee2a7f51eae69d3dbc88863f8f2ca4
SHA256: 657bd5f41c575ba61ab12d6b0c40fb50199feece7d9755caa994dcc35ecac670
SHA512: e68f4fd31458f53ea26e3ab33cc1c99a2763d620416adf396e5ce1b07fbc436674f539ce71254132aca940d19ab3611afe60635e79c3473090f644b25bdd3cac

Filesize: 180KB
MD5: 988418e4add61b65a248160e1a56a428
SHA1: 495dd4940359038d5b3e53aa74534163aad270ba
SHA256: 5add6355bfcc0bb0c879bb88356b929794ddf97bce632377da690c8f657b4377
SHA512: 926b59c7868108caa467fb6b9042e0850bff243a7eb4fa64dce2b7bec81da05c67c05815173ebaba417e4e3567096b7059ec26acac2facdc0acaeef8322bdee9

Filesize: 180KB
MD5: 51211d298ef322603045acbe6e77f5ac
SHA1: 44e76636581a54fe0a26c2884c29f01a2c2a05ee
SHA256: 04d001b7a94318308d066e0852008e5fcf28cb8682f99da7262032065a60c6de
SHA512: 7de8ffec4d2bd4f798d4f55424bd1675ee45b9ec4f7e0b85978f89d89d090558749fe37b99f9e5c3b161927ebff1f729ee91591abbea91490e4bb2359ed77b61

Filesize: 180KB
MD5: 4f49d3221b169d0f443a764c561282cb
SHA1: 3d07752cb308995a80cb876766ed74711d9b7ddb
SHA256: af591d9150a425cba862abc06f4ec24f6903a71cd324861d2532f3e8d31f3387
SHA512: b45d528f4439eaef642a4a2c8918217d2586b51bc8357ca4bee6d811dd35d9d8f0193a366b798a77ff22176038596faf2c850d44acf0c8d187a8b40174b73f8f

Filesize: 180KB
MD5: 72c09f7f23d748277502275714aeafa1
SHA1: 81803bbe706c107a69404fad679ea370338808f3
SHA256: 00ad61d000ac006e238111f34d0613dda329514a69f61b3cb07614ab3c5cb8c2
SHA512: 819c6a18538e5e25856917f45674926a1de94d53ed1ec1e313860e9f277c765a5e606dfc61728a38fd37ed1fbc99c14c7ca4d05e6e449c92ca93367a7f7f2584

Filesize: 180KB
MD5: abe565f508e135d0e5c6379e4a4fd601
SHA1: 9eda7b23016c4f44986c4eaa3fe4babdac400238
SHA256: 723ced98d1c460592ff954c38636466cc855cabad779689b890b3d986b9bccd9
SHA512: cd0e1c55d646f93755eb45c00f9fe602dfefe0fd9b893636db72ef5560157b1be23a0450e6af8d363445450f7a4ee9a8400fc30340a5c4fd8b67890f03bb0e29