Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 10/06/2024, 04:41

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
  Resource: win10v2004-20240426-en
General
- Target: 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
- Size: 204KB
- MD5: 956e79eb73c9143bd4d4050b31e4b8fa
- SHA1: f793eccb9add50c4d1708dbfe061b12808c5c07e
- SHA256: dd304a280fa670f746cf662faa1075faba580015775820450a813f17a9e36735
- SHA512: 74ef24b0ef1bb0b79b5c1410ec2471e3723c152236c65849c0251adafa4245f022fa741112a5503458cc0325fe7108233a8598fffce9d72a2581cbaa00742e11
- SSDEEP: 1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000f00000001226b-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016c71-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016c7a-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000016c7a-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000016c7a-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000016c7a-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003a000000016c7a-74.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1} | {FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26CEFD38-CACB-4149-8932-4763B5CA0A32}\stubpath = "C:\\Windows\\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe" | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF} | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078} | {9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0} | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26CEFD38-CACB-4149-8932-4763B5CA0A32} | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}\stubpath = "C:\\Windows\\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe" | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}\stubpath = "C:\\Windows\\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe" | {FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}\stubpath = "C:\\Windows\\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe" | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}\stubpath = "C:\\Windows\\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe" | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}\stubpath = "C:\\Windows\\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe" | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}\stubpath = "C:\\Windows\\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe" | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F95182-EA2A-4579-B49E-EA318A32B022} | {0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0F95182-EA2A-4579-B49E-EA318A32B022}\stubpath = "C:\\Windows\\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe" | {0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F} | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA10BD5E-2492-487d-A96F-8BB505535B22} | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA10BD5E-2492-487d-A96F-8BB505535B22}\stubpath = "C:\\Windows\\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe" | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4F59A5-D42D-49d6-836B-C49A25129D58}\stubpath = "C:\\Windows\\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe" | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}\stubpath = "C:\\Windows\\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe" | {9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F73098D-B9F7-479f-9FA2-2562DBCEC950} | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD998FDE-4686-432b-A2F7-92D9F0CAD667} | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4F59A5-D42D-49d6-836B-C49A25129D58} | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
-
Deletes itself 1 IoCs
pid | Process
2608 | cmd.exe
-
Executes dropped EXE 11 IoCs
pid | Process
3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
636 | {9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
2844 | {FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
1936 | {0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
1412 | {A0F95182-EA2A-4579-B49E-EA318A32B022}.exe
-
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
File created | C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
File created | C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
File created | C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe | {9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
File created | C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe | {0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
File created | C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
File created | C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
File created | C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
File created | C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
File created | C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe | {FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
File created | C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
Token: SeIncBasePriorityPrivilege | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
Token: SeIncBasePriorityPrivilege | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
Token: SeIncBasePriorityPrivilege | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
Token: SeIncBasePriorityPrivilege | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
Token: SeIncBasePriorityPrivilege | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
Token: SeIncBasePriorityPrivilege | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
Token: SeIncBasePriorityPrivilege | 636 | {9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
Token: SeIncBasePriorityPrivilege | 2844 | {FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
Token: SeIncBasePriorityPrivilege | 1936 | {0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1992 wrote to memory of 3024 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 28
PID 1992 wrote to memory of 3024 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 28
PID 1992 wrote to memory of 3024 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 28
PID 1992 wrote to memory of 3024 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 28
PID 1992 wrote to memory of 2608 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 29
PID 1992 wrote to memory of 2608 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 29
PID 1992 wrote to memory of 2608 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 29
PID 1992 wrote to memory of 2608 | 1992 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 29
PID 3024 wrote to memory of 2624 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 30
PID 3024 wrote to memory of 2624 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 30
PID 3024 wrote to memory of 2624 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 30
PID 3024 wrote to memory of 2624 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 30
PID 3024 wrote to memory of 2508 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 31
PID 3024 wrote to memory of 2508 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 31
PID 3024 wrote to memory of 2508 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 31
PID 3024 wrote to memory of 2508 | 3024 | {2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe | 31
PID 2624 wrote to memory of 2832 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 32
PID 2624 wrote to memory of 2832 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 32
PID 2624 wrote to memory of 2832 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 32
PID 2624 wrote to memory of 2832 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 32
PID 2624 wrote to memory of 2136 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 33
PID 2624 wrote to memory of 2136 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 33
PID 2624 wrote to memory of 2136 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 33
PID 2624 wrote to memory of 2136 | 2624 | {6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe | 33
PID 2832 wrote to memory of 2212 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 36
PID 2832 wrote to memory of 2212 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 36
PID 2832 wrote to memory of 2212 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 36
PID 2832 wrote to memory of 2212 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 36
PID 2832 wrote to memory of 2188 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 37
PID 2832 wrote to memory of 2188 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 37
PID 2832 wrote to memory of 2188 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 37
PID 2832 wrote to memory of 2188 | 2832 | {DA10BD5E-2492-487d-A96F-8BB505535B22}.exe | 37
PID 2212 wrote to memory of 1440 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 38
PID 2212 wrote to memory of 1440 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 38
PID 2212 wrote to memory of 1440 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 38
PID 2212 wrote to memory of 1440 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 38
PID 2212 wrote to memory of 1848 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 39
PID 2212 wrote to memory of 1848 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 39
PID 2212 wrote to memory of 1848 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 39
PID 2212 wrote to memory of 1848 | 2212 | {DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe | 39
PID 1440 wrote to memory of 1496 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 40
PID 1440 wrote to memory of 1496 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 40
PID 1440 wrote to memory of 1496 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 40
PID 1440 wrote to memory of 1496 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 40
PID 1440 wrote to memory of 1660 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 41
PID 1440 wrote to memory of 1660 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 41
PID 1440 wrote to memory of 1660 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 41
PID 1440 wrote to memory of 1660 | 1440 | {AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe | 41
PID 1496 wrote to memory of 1608 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 42
PID 1496 wrote to memory of 1608 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 42
PID 1496 wrote to memory of 1608 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 42
PID 1496 wrote to memory of 1608 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 42
PID 1496 wrote to memory of 2028 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 43
PID 1496 wrote to memory of 2028 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 43
PID 1496 wrote to memory of 2028 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 43
PID 1496 wrote to memory of 2028 | 1496 | {26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe | 43
PID 1608 wrote to memory of 636 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 44
PID 1608 wrote to memory of 636 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 44
PID 1608 wrote to memory of 636 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 44
PID 1608 wrote to memory of 636 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 44
PID 1608 wrote to memory of 996 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 45
PID 1608 wrote to memory of 996 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 45
PID 1608 wrote to memory of 996 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 45
PID 1608 wrote to memory of 996 | 1608 | {FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe | 45
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
    command: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  [2] C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
      command: C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:3024
    [3] C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
        command: C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:2624
      [4] C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
          command: C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:2832
        [5] C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
            command: C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:2212
          [6] C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
              command: C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID:1440
            [7] C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
                command: C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID:1496
              [8] C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
                  command: C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID:1608
                [9] C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
                    command: C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    PID:636
                  [10] C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
                      command: C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      PID:2844
                    [11] C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
                        command: C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        PID:1936
                      [12] C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe
                          command: C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe
                          - Executes dropped EXE
                          PID:1412
                      [12] C:\Windows\SysWOW64\cmd.exe
                          command: C:\Windows\system32\cmd.exe /c del C:\Windows\{0F0BA~1.EXE > nul
                          PID:524
                    [11] C:\Windows\SysWOW64\cmd.exe
                        command: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE993~1.EXE > nul
                        PID:1964
                  [10] C:\Windows\SysWOW64\cmd.exe
                      command: C:\Windows\system32\cmd.exe /c del C:\Windows\{9A4F5~1.EXE > nul
                      PID:2824
                [9] C:\Windows\SysWOW64\cmd.exe
                    command: C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7CF~1.EXE > nul
                    PID:996
              [8] C:\Windows\SysWOW64\cmd.exe
                  command: C:\Windows\system32\cmd.exe /c del C:\Windows\{26CEF~1.EXE > nul
                  PID:2028
            [7] C:\Windows\SysWOW64\cmd.exe
                command: C:\Windows\system32\cmd.exe /c del C:\Windows\{AF19A~1.EXE > nul
                PID:1660
          [6] C:\Windows\SysWOW64\cmd.exe
              command: C:\Windows\system32\cmd.exe /c del C:\Windows\{DD998~1.EXE > nul
              PID:1848
        [5] C:\Windows\SysWOW64\cmd.exe
            command: C:\Windows\system32\cmd.exe /c del C:\Windows\{DA10B~1.EXE > nul
            PID:2188
      [4] C:\Windows\SysWOW64\cmd.exe
          command: C:\Windows\system32\cmd.exe /c del C:\Windows\{6A03E~1.EXE > nul
          PID:2136
    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c del C:\Windows\{2F730~1.EXE > nul
        PID:2508
  [2] C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      - Deletes itself
      PID:2608
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
204KB
MD5 864e9c667f122ccc22c8a4d7f37fe887
SHA1 04e0ff59eef2b6ffd5469de3b7560c0ef0072ae5
SHA256 662725ea473bf3a717b70afc2976aadc055058bde2d5f3c26fed0a3ef7bf5ac6
SHA512 0bdb2f107fdfb948517b8157c93303efcf05fa3d16351d263cfc76f5b9ba0b074318b90ec6ea5874a9697fd704f1727c0780b7212503cdd3df787503b8b63e34
-
Filesize
204KB
MD5 bba478116d06c7c0063c5ef82c445195
SHA1 0bb943aef7c182c9a00b104fabd6c98f70af50bf
SHA256 c00d54c6828718ff019b8806aaf8a07ba6135b88e134960bc99dcda08078ba43
SHA512 070e76043f56d9597104a2f6a6c2e7d4d3f03a612267bbf4492dfbd0019b2c3245b0ba5516a0cbb3fa6bb3333dd0acca8c7a1ce67366fcd8249928ad929e69fb
-
Filesize
204KB
MD5 86c173566b0caacc21e6abaaa327b089
SHA1 8919ed34a8b9e360f804ba2a352e7fc6c81f8b6f
SHA256 962febe74cf2477a3b3be1f5e57256b5569866e6088cf7f1be20e261562713be
SHA512 abf5aab0dd3a2a7013b718d25173fe3e80001466defa37413ad6351eccc60196542b3eb0aeb7a49b94e4e3d3313d32f9e50f523dffd2353b33e822a2f153c879
-
Filesize
204KB
MD5 67ebfca75694b65c350ec54f8e53d5dd
SHA1 ad3da2e0ee922e59cacb6dd91e885bd8a257393e
SHA256 42c829b93cb1294ba7d2a54e87ccd67486d8929344b64072f1a7daab2bab382a
SHA512 26125aa5f81ee27a54612f5e2cfc18dc6d02d6e1b47b7286ec926862f0547aba1fa12723d368f88cfc4e3cd54dacd87b582fa3dace2209bd974e79e2f4d6ad7e
-
Filesize
204KB
MD5 0bb26f79349e18b0be1fdaf977919e50
SHA1 1b0c8d96c56ab01b955bfd8ee2ed07967ab85508
SHA256 c0632b2cca657bc14d4d92a75b9e76ebb50ca04cc27ca71fb5624c948cc027a5
SHA512 eb8dad88797d02d04d26489e36bda20270ef7fbe644de8fedcac524b776d95f249708f9d28b96e210bf99be659c23fd3710f5aabea7e05973a931870cb917f1b
-
Filesize
204KB
MD5 96e3b55fd1c63d4730bed8986d48aec3
SHA1 3be4627493c9d34e59bc49db315ae572704120f1
SHA256 65b37a5196e732b1055f2d5332d5d19abc4648295ecb75503d54770aa3a5fce6
SHA512 e0844e092503c2a6f02ebad150e717a5def30b39c48aae69d67ae6388e963aa2c9f2bdbb71e197440800c706b35459dfdc88464fa0f12cf8c94cd9b6c1a645ae
-
Filesize
204KB
MD5 2f4d09ebffa6d2adeb8a72722eb2892b
SHA1 71d43b3ac2ab81414db79a91a1b8072114321582
SHA256 3787df0773358b4c344712a6ddc716ac925f69242643ce33939822dca96943ae
SHA512 1a69a6e7f053feedec1e4467cc5383918085e088e5eb09a3b5d4fe476a1263713602a78288e6ea3a9d19c8308037a7af0b75c70c6d15e4317a361003709b187e
-
Filesize
204KB
MD5 c4ddbaf73167c38ec392beee6aae1b50
SHA1 5d8fd7c901ae786ddbe2e81438b1685c7a705160
SHA256 26910f10ea894c83f32d0b18ef19f2c05b963b3cc80a07b2c04443cb89ae506d
SHA512 f40e5ee709d202b230905b41fe66a5bc47fed5a2589226575a8d5963b77d2ae8ab89b350a5ce4d2637a074a6e3be437b9f2f1745fe23276b2335ba8ec9c177f6
-
Filesize
204KB
MD5 e9b381377d0df4ed61f43cd75f82ce36
SHA1 a310102a90ad1444f0d22467c95e26eb31409107
SHA256 41eb0cf5153859ae8c7ad56467e2fc6278337f549a8491e6d7e51fb9afd15e66
SHA512 4985bfb190ce1e20b1011d70012d227a17fcea45062a35e9252b82b17c6adf44c692570c4a24a6992a57f862571bed6a6b5f6bf02d85a979c10855c8d939ca52
-
Filesize
204KB
MD5 5751b58bced3236ef5b1d9317d0755ee
SHA1 1c8f945dbd979e848de57cd47dc33446442b00f3
SHA256 516b4df0c8a946c4c531422465865ae99e3c2cb9a77a43527cf37e5aa98e2520
SHA512 647b7c484f8a92543f866c4742a6a5fd6ea740c71abe13344b6e9b8c8aca0b017487a7926b96600efb0cea33104b2a5fa56d41a4276d6ac7ee479c848e776f64
-
Filesize
204KB
MD5 bb884f39fc82199aa70b287cb4c08df7
SHA1 6ed4de95c877eb5ccc5d0145292e5dad571c0317
SHA256 8eabfe90f0e2db642addff503c40f6999e870f7638a968de3d64f9b037f14fc8
SHA512 c612ee4325d021d634ef386eb91955e84c9648a05be92cc9592bdf8491cdfaf3b10edd3377df2da181d5247bb15b2aab4f43b7f553b928f340787d219c54230f