Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 04:36
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
- Resource: win10v2004-20240508-en
General
Target: 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Size: 204KB
MD5: 9261f11bd165c8f1c19177f14d3d1f64
SHA1: 20d8d65589d8bc640fac5c60cf03667f68ed14fc
SHA256: 217ad59471ba98885cc8a3b4f0a8bf890d0082026ba6e92db4ee83db29dc3f06
SHA512: f0cfcb28883bfb32c5efeda1ff5f41b9213c3b09cb901fa0c2ce2a2f8d04ff5e5442952aa3e1199dfdaa796807a605673b8343910767a009fa20f2285cb8f9da
SSDEEP: 1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ocl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000b000000015d0f-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016176-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015d0f-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016287-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015d0f-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015d0f-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015d0f-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD} | {9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F} | {4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D} | {6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94291FE-B657-432c-8159-AAC33DDD501E} | {F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94291FE-B657-432c-8159-AAC33DDD501E}\stubpath = "C:\\Windows\\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe" | {F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE8E632-0485-406e-9849-E49210494B1E}\stubpath = "C:\\Windows\\{FAE8E632-0485-406e-9849-E49210494B1E}.exe" | {237ED862-B60B-46a2-A742-0FFE06B67861}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9} | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}\stubpath = "C:\\Windows\\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe" | {4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}\stubpath = "C:\\Windows\\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe" | {F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3} | {FAE8E632-0485-406e-9849-E49210494B1E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11B590A3-BB8F-4ede-8A4D-562822A67EE9} | {46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912} | {F94291FE-B657-432c-8159-AAC33DDD501E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}\stubpath = "C:\\Windows\\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe" | {F94291FE-B657-432c-8159-AAC33DDD501E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE8E632-0485-406e-9849-E49210494B1E} | {237ED862-B60B-46a2-A742-0FFE06B67861}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}\stubpath = "C:\\Windows\\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe" | {FAE8E632-0485-406e-9849-E49210494B1E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}\stubpath = "C:\\Windows\\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe" | {9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}\stubpath = "C:\\Windows\\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe" | {46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}\stubpath = "C:\\Windows\\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe" | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6338978F-BCAD-4d63-949C-8573ECCE4DA8} | {F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}\stubpath = "C:\\Windows\\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe" | {6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237ED862-B60B-46a2-A742-0FFE06B67861} | {E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{237ED862-B60B-46a2-A742-0FFE06B67861}\stubpath = "C:\\Windows\\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe" | {E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
Executes dropped EXE 11 IoCs
pid | Process
1692 | {4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
2572 | {F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
2576 | {6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
2520 | {F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
952 | {F94291FE-B657-432c-8159-AAC33DDD501E}.exe
320 | {E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
1536 | {237ED862-B60B-46a2-A742-0FFE06B67861}.exe
1452 | {FAE8E632-0485-406e-9849-E49210494B1E}.exe
2264 | {9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe
3056 | {46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe
580 | {11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe | {9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe
File created | C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
File created | C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe | {4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
File created | C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe | {FAE8E632-0485-406e-9849-E49210494B1E}.exe
File created | C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe | {F94291FE-B657-432c-8159-AAC33DDD501E}.exe
File created | C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe | {E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
File created | C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe | {237ED862-B60B-46a2-A742-0FFE06B67861}.exe
File created | C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe | {46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe
File created | C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe | {F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
File created | C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe | {6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
File created | C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe | {F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1072 | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1692 | {4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
Token: SeIncBasePriorityPrivilege | 2572 | {F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
Token: SeIncBasePriorityPrivilege | 2576 | {6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
Token: SeIncBasePriorityPrivilege | 2520 | {F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
Token: SeIncBasePriorityPrivilege | 952 | {F94291FE-B657-432c-8159-AAC33DDD501E}.exe
Token: SeIncBasePriorityPrivilege | 320 | {E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
Token: SeIncBasePriorityPrivilege | 1536 | {237ED862-B60B-46a2-A742-0FFE06B67861}.exe
Token: SeIncBasePriorityPrivilege | 1452 | {FAE8E632-0485-406e-9849-E49210494B1E}.exe
Token: SeIncBasePriorityPrivilege | 2264 | {9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe
Token: SeIncBasePriorityPrivilege | 3056 | {46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row is recorded 4 times in the report)
PID 1072 wrote to memory of 1692 | 1072 | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe | 28
PID 1072 wrote to memory of 1888 | 1072 | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe | 29
PID 1692 wrote to memory of 2572 | 1692 | {4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe | 30
PID 1692 wrote to memory of 2700 | 1692 | {4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe | 31
PID 2572 wrote to memory of 2576 | 2572 | {F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe | 32
PID 2572 wrote to memory of 2832 | 2572 | {F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe | 33
PID 2576 wrote to memory of 2520 | 2576 | {6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe | 36
PID 2576 wrote to memory of 2912 | 2576 | {6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe | 37
PID 2520 wrote to memory of 952 | 2520 | {F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe | 38
PID 2520 wrote to memory of 1532 | 2520 | {F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe | 39
PID 952 wrote to memory of 320 | 952 | {F94291FE-B657-432c-8159-AAC33DDD501E}.exe | 40
PID 952 wrote to memory of 1928 | 952 | {F94291FE-B657-432c-8159-AAC33DDD501E}.exe | 41
PID 320 wrote to memory of 1536 | 320 | {E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe | 42
PID 320 wrote to memory of 2680 | 320 | {E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe | 43
PID 1536 wrote to memory of 1452 | 1536 | {237ED862-B60B-46a2-A742-0FFE06B67861}.exe | 44
PID 1536 wrote to memory of 1480 | 1536 | {237ED862-B60B-46a2-A742-0FFE06B67861}.exe | 45
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe (PID 1072)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe (PID 1692)
Command line: C:\Windows\{4E75E4BE-05DA-4c85-9E6B-63D45E11EBD9}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe (PID 2572)
Command line: C:\Windows\{F0F2572D-603D-49b2-8CB5-E0079CB51B6F}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe (PID 2576)
Command line: C:\Windows\{6338978F-BCAD-4d63-949C-8573ECCE4DA8}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe (PID 2520)
Command line: C:\Windows\{F87BF0F4-5D68-4fcd-9CF5-F820EB60748D}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe (PID 952)
Command line: C:\Windows\{F94291FE-B657-432c-8159-AAC33DDD501E}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe (PID 320)
Command line: C:\Windows\{E0F47025-E6BA-4d36-9C7B-70FD95B9B912}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe (PID 1536)
Command line: C:\Windows\{237ED862-B60B-46a2-A742-0FFE06B67861}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe (PID 1452)
Command line: C:\Windows\{FAE8E632-0485-406e-9849-E49210494B1E}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
[depth 10] C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe (PID 2264)
Command line: C:\Windows\{9C36FDB4-416B-4c4f-8259-5E4CE953B7C3}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
[depth 11] C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe (PID 3056)
Command line: C:\Windows\{46BA0AB5-4991-4a7f-83AF-C128CF1392BD}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
[depth 12] C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe (PID 580)
Command line: C:\Windows\{11B590A3-BB8F-4ede-8A4D-562822A67EE9}.exe
- Executes dropped EXE
[depth 12] C:\Windows\SysWOW64\cmd.exe (PID 1476)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{46BA0~1.EXE > nul
[depth 11] C:\Windows\SysWOW64\cmd.exe (PID 596)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9C36F~1.EXE > nul
[depth 10] C:\Windows\SysWOW64\cmd.exe (PID 1716)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FAE8E~1.EXE > nul
[depth 9] C:\Windows\SysWOW64\cmd.exe (PID 1480)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{237ED~1.EXE > nul
[depth 8] C:\Windows\SysWOW64\cmd.exe (PID 2680)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F47~1.EXE > nul
[depth 7] C:\Windows\SysWOW64\cmd.exe (PID 1928)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F9429~1.EXE > nul
[depth 6] C:\Windows\SysWOW64\cmd.exe (PID 1532)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F87BF~1.EXE > nul
[depth 5] C:\Windows\SysWOW64\cmd.exe (PID 2912)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{63389~1.EXE > nul
[depth 4] C:\Windows\SysWOW64\cmd.exe (PID 2832)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F25~1.EXE > nul
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2700)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4E75E~1.EXE > nul
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 1888)
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads