Analysis

- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 10/06/2024, 04:41
Static task: static1

Behavioral task: behavioral1
- Sample: 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
- Resource: win10v2004-20240426-en
General

- Target: 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
- Size: 204KB
- MD5: 97860f63b56a11a2225fb7e0eae2928f
- SHA1: 2869cb06f8fa1d11467034ee6d8ff34961169169
- SHA256: 0793876b8f6eb4d121477510e83e4c88fdea6c79093fe95d4ee99c7396bf39a9
- SHA512: 471d03f24bee300bc67bff010241872d5a2c7b33276bf764107d3ff377f110af5357f8b30f0cafd15d1b08c18d0c4c6de59656a71b2c9ab4528c1fc2ebc35ff4
- SSDEEP: 1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oLl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (11 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000c0000000155f6-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0030000000015c6f-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000d0000000155f6-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x002e000000015c85-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000e0000000155f6-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000f0000000155f6-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x00100000000155f6-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

All keys in the ioc column are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (the Active Setup persistence location; each dropped executable registers the next one as a stubpath).

| description | ioc | Process |
|---|---|---|
| Set value (str) | {0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}\stubpath = "C:\\Windows\\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe" | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe |
| Key created | {66572100-77AE-48f3-B508-EC39010AE0BE} | {3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe |
| Set value (str) | {53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}\stubpath = "C:\\Windows\\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe" | {66572100-77AE-48f3-B508-EC39010AE0BE}.exe |
| Key created | {2F16710F-609B-44eb-98AD-6781E8A5C6C0} | {0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe |
| Set value (str) | {3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}\stubpath = "C:\\Windows\\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe" | {2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe |
| Key created | {53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E} | {66572100-77AE-48f3-B508-EC39010AE0BE}.exe |
| Key created | {9DEF195E-C9D6-40ca-9C4F-65CD477818A3} | {C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe |
| Set value (str) | {9DEF195E-C9D6-40ca-9C4F-65CD477818A3}\stubpath = "C:\\Windows\\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe" | {C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe |
| Key created | {0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29} | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe |
| Set value (str) | {66572100-77AE-48f3-B508-EC39010AE0BE}\stubpath = "C:\\Windows\\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe" | {3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe |
| Set value (str) | {3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}\stubpath = "C:\\Windows\\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe" | {53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe |
| Set value (str) | {8B787751-39D2-4e56-B66A-B9DCFB2A27DD}\stubpath = "C:\\Windows\\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe" | {3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe |
| Set value (str) | {D8737155-FE68-4a3a-9183-4811E2F23581}\stubpath = "C:\\Windows\\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe" | {8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe |
| Key created | {C9E59FBF-8120-4fc1-B334-2317DE71C53E} | {D8737155-FE68-4a3a-9183-4811E2F23581}.exe |
| Set value (str) | {2F16710F-609B-44eb-98AD-6781E8A5C6C0}\stubpath = "C:\\Windows\\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe" | {0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe |
| Key created | {3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E} | {2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe |
| Key created | {3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8} | {53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe |
| Key created | {8B787751-39D2-4e56-B66A-B9DCFB2A27DD} | {3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe |
| Key created | {8AA32B03-D4C4-4f61-9097-8A2E467D3AC6} | {8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe |
| Set value (str) | {8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}\stubpath = "C:\\Windows\\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe" | {8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe |
| Key created | {D8737155-FE68-4a3a-9183-4811E2F23581} | {8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe |
| Set value (str) | {C9E59FBF-8120-4fc1-B334-2317DE71C53E}\stubpath = "C:\\Windows\\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe" | {D8737155-FE68-4a3a-9183-4811E2F23581}.exe |
Deletes itself (1 IoC)

| pid | Process |
|---|---|
| 2760 | cmd.exe |
Executes dropped EXE (11 IoCs)

| pid | Process |
|---|---|
| 3052 | {0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe |
| 2920 | {2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe |
| 2464 | {3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe |
| 2256 | {66572100-77AE-48f3-B508-EC39010AE0BE}.exe |
| 2988 | {53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe |
| 1748 | {3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe |
| 2704 | {8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe |
| 2840 | {8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe |
| 2116 | {D8737155-FE68-4a3a-9183-4811E2F23581}.exe |
| 2288 | {C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe |
| 488 | {9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe | {D8737155-FE68-4a3a-9183-4811E2F23581}.exe |
| File created | C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe | {C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe |
| File created | C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe |
| File created | C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe | {2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe |
| File created | C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe | {3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe |
| File created | C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe | {53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe |
| File created | C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe | {3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe |
| File created | C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe | {8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe |
| File created | C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe | {0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe |
| File created | C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe | {66572100-77AE-48f3-B508-EC39010AE0BE}.exe |
| File created | C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe | {8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe |
Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 844 | 2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 3052 | {0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe |
| Token: SeIncBasePriorityPrivilege | 2920 | {2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe |
| Token: SeIncBasePriorityPrivilege | 2464 | {3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe |
| Token: SeIncBasePriorityPrivilege | 2256 | {66572100-77AE-48f3-B508-EC39010AE0BE}.exe |
| Token: SeIncBasePriorityPrivilege | 2988 | {53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe |
| Token: SeIncBasePriorityPrivilege | 1748 | {3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe |
| Token: SeIncBasePriorityPrivilege | 2704 | {8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe |
| Token: SeIncBasePriorityPrivilege | 2840 | {8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe |
| Token: SeIncBasePriorityPrivilege | 2116 | {D8737155-FE68-4a3a-9183-4811E2F23581}.exe |
| Token: SeIncBasePriorityPrivilege | 2288 | {C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe |
Suspicious use of WriteProcessMemory (64 IoCs; the parent-to-child writes are the same relationships shown in the process tree below)
Processes

Each dropped executable runs the next one and then removes its own parent via cmd.exe; the depth in brackets is the level reported by the sandbox.

- [1] C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe (PID 844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe (PID 3052)
    Command line: C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe (PID 2920)
      Command line: C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe (PID 2464)
        Command line: C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe (PID 2256)
          Command line: C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe (PID 2988)
            Command line: C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe (PID 1748)
              Command line: C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - [8] C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe (PID 2704)
                Command line: C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - [9] C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe (PID 2840)
                  Command line: C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - [10] C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe (PID 2116)
                    Command line: C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - [11] C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe (PID 2288)
                      Command line: C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - [12] C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe (PID 488)
                        Command line: C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe
                        Signatures: Executes dropped EXE
                      - [12] C:\Windows\SysWOW64\cmd.exe (PID 704)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E59~1.EXE > nul
                    - [11] C:\Windows\SysWOW64\cmd.exe (PID 1784)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D8737~1.EXE > nul
                  - [10] C:\Windows\SysWOW64\cmd.exe (PID 1744)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA32~1.EXE > nul
                - [9] C:\Windows\SysWOW64\cmd.exe (PID 1792)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8B787~1.EXE > nul
              - [8] C:\Windows\SysWOW64\cmd.exe (PID 2536)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF88~1.EXE > nul
            - [7] C:\Windows\SysWOW64\cmd.exe (PID 1688)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{53A9D~1.EXE > nul
          - [6] C:\Windows\SysWOW64\cmd.exe (PID 2104)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{66572~1.EXE > nul
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 2172)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3BEF8~1.EXE > nul
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2832)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2F167~1.EXE > nul
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2564)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0744A~1.EXE > nul
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2760)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads