Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 12/06/2024, 15:08

Static task: static1

Behavioral task: behavioral1
Sample: 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
Resource: win10v2004-20240508-en
General
Target: 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
Size: 168KB
MD5: f844085e931ec6f32dabe71e5314e933
SHA1: 975a67898eb5efa008571b050e6f3b0c9df5f42b
SHA256: d49b9fdfde116b0d01978bdc33e847c319f68683a0d905d269a9ab0d08246c25
SHA512: 62210862a1cfd012c0d6f237696b7806f4beb44591d175235876e4a30ec01c208d19c8e7535b5c3a9aacc386df2f0d4941e60b413481633c966b5d9e9bd6e808
SSDEEP: 1536:1EGh0oWlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oWlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000014890-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015083-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014890-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000150d9-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014890-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014890-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014890-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D720150-FD29-4b00-B773-6E26D31A25C3}\stubpath = "C:\\Windows\\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe" | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9} | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}\stubpath = "C:\\Windows\\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe" | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9658269-6E39-414c-970C-71E76E12B82E} | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A957A1E-5F98-4be2-B6AE-5FC556041B95} | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2D836C-C713-4b5e-9A38-7DED43D9101B} | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}\stubpath = "C:\\Windows\\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe" | {2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2473B04F-11E1-48bf-960C-45B02D17463B} | {1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9658269-6E39-414c-970C-71E76E12B82E}\stubpath = "C:\\Windows\\{E9658269-6E39-414c-970C-71E76E12B82E}.exe" | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E8A389-E4D3-420f-BD5A-875CD7746411} | {90D0866C-FABF-4898-95AF-350E7079D445}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D720150-FD29-4b00-B773-6E26D31A25C3} | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}\stubpath = "C:\\Windows\\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe" | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}\stubpath = "C:\\Windows\\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe" | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9594D5AC-CF0F-474f-B59E-3020576EBFE2} | {2473B04F-11E1-48bf-960C-45B02D17463B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}\stubpath = "C:\\Windows\\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe" | {2473B04F-11E1-48bf-960C-45B02D17463B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90D0866C-FABF-4898-95AF-350E7079D445} | {E9658269-6E39-414c-970C-71E76E12B82E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90D0866C-FABF-4898-95AF-350E7079D445}\stubpath = "C:\\Windows\\{90D0866C-FABF-4898-95AF-350E7079D445}.exe" | {E9658269-6E39-414c-970C-71E76E12B82E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52E8A389-E4D3-420f-BD5A-875CD7746411}\stubpath = "C:\\Windows\\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe" | {90D0866C-FABF-4898-95AF-350E7079D445}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7664B354-13C0-44cd-9959-285B55A67C8D} | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7664B354-13C0-44cd-9959-285B55A67C8D}\stubpath = "C:\\Windows\\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe" | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49} | {2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2473B04F-11E1-48bf-960C-45B02D17463B}\stubpath = "C:\\Windows\\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe" | {1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
Deletes itself (1 IoC)
pid | Process
2560 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe
2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe
2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe
2784 | {2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
2188 | {1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
2228 | {2473B04F-11E1-48bf-960C-45B02D17463B}.exe
1316 | {9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | {90D0866C-FABF-4898-95AF-350E7079D445}.exe
File created | C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe | {1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
File created | C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe | {2473B04F-11E1-48bf-960C-45B02D17463B}.exe
File created | C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
File created | C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
File created | C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe
File created | C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe | {2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
File created | C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
File created | C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe | {E9658269-6E39-414c-970C-71E76E12B82E}.exe
File created | C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
File created | C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe
Token: SeIncBasePriorityPrivilege | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe
Token: SeIncBasePriorityPrivilege | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
Token: SeIncBasePriorityPrivilege | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
Token: SeIncBasePriorityPrivilege | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
Token: SeIncBasePriorityPrivilege | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
Token: SeIncBasePriorityPrivilege | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe
Token: SeIncBasePriorityPrivilege | 2784 | {2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
Token: SeIncBasePriorityPrivilege | 2188 | {1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
Token: SeIncBasePriorityPrivilege | 2228 | {2473B04F-11E1-48bf-960C-45B02D17463B}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2040 wrote to memory of 2464 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 28
PID 2040 wrote to memory of 2464 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 28
PID 2040 wrote to memory of 2464 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 28
PID 2040 wrote to memory of 2464 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 28
PID 2040 wrote to memory of 2560 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 29
PID 2040 wrote to memory of 2560 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 29
PID 2040 wrote to memory of 2560 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 29
PID 2040 wrote to memory of 2560 | 2040 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 29
PID 2464 wrote to memory of 2504 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 30
PID 2464 wrote to memory of 2504 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 30
PID 2464 wrote to memory of 2504 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 30
PID 2464 wrote to memory of 2504 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 30
PID 2464 wrote to memory of 2676 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 31
PID 2464 wrote to memory of 2676 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 31
PID 2464 wrote to memory of 2676 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 31
PID 2464 wrote to memory of 2676 | 2464 | {E9658269-6E39-414c-970C-71E76E12B82E}.exe | 31
PID 2504 wrote to memory of 2732 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 32
PID 2504 wrote to memory of 2732 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 32
PID 2504 wrote to memory of 2732 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 32
PID 2504 wrote to memory of 2732 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 32
PID 2504 wrote to memory of 2484 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 33
PID 2504 wrote to memory of 2484 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 33
PID 2504 wrote to memory of 2484 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 33
PID 2504 wrote to memory of 2484 | 2504 | {90D0866C-FABF-4898-95AF-350E7079D445}.exe | 33
PID 2732 wrote to memory of 556 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 36
PID 2732 wrote to memory of 556 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 36
PID 2732 wrote to memory of 556 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 36
PID 2732 wrote to memory of 556 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 36
PID 2732 wrote to memory of 2636 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 37
PID 2732 wrote to memory of 2636 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 37
PID 2732 wrote to memory of 2636 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 37
PID 2732 wrote to memory of 2636 | 2732 | {52E8A389-E4D3-420f-BD5A-875CD7746411}.exe | 37
PID 556 wrote to memory of 2780 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 38
PID 556 wrote to memory of 2780 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 38
PID 556 wrote to memory of 2780 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 38
PID 556 wrote to memory of 2780 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 38
PID 556 wrote to memory of 1940 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 39
PID 556 wrote to memory of 1940 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 39
PID 556 wrote to memory of 1940 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 39
PID 556 wrote to memory of 1940 | 556 | {1D720150-FD29-4b00-B773-6E26D31A25C3}.exe | 39
PID 2780 wrote to memory of 1768 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 40
PID 2780 wrote to memory of 1768 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 40
PID 2780 wrote to memory of 1768 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 40
PID 2780 wrote to memory of 1768 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 40
PID 2780 wrote to memory of 1960 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 41
PID 2780 wrote to memory of 1960 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 41
PID 2780 wrote to memory of 1960 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 41
PID 2780 wrote to memory of 1960 | 2780 | {0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe | 41
PID 1768 wrote to memory of 2264 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 42
PID 1768 wrote to memory of 2264 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 42
PID 1768 wrote to memory of 2264 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 42
PID 1768 wrote to memory of 2264 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 42
PID 1768 wrote to memory of 292 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 43
PID 1768 wrote to memory of 292 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 43
PID 1768 wrote to memory of 292 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 43
PID 1768 wrote to memory of 292 | 1768 | {444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe | 43
PID 2264 wrote to memory of 2784 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 44
PID 2264 wrote to memory of 2784 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 44
PID 2264 wrote to memory of 2784 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 44
PID 2264 wrote to memory of 2784 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 44
PID 2264 wrote to memory of 1612 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 45
PID 2264 wrote to memory of 1612 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 45
PID 2264 wrote to memory of 1612 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 45
PID 2264 wrote to memory of 1612 | 2264 | {7664B354-13C0-44cd-9959-285B55A67C8D}.exe | 45
Processes (tree; each level is indented under its parent)
C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"
  PID: 2040
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
    Command line: C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
    PID: 2464
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
      Command line: C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
      PID: 2504
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
        Command line: C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
        PID: 2732
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
          Command line: C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
          PID: 556
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
            Command line: C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
            PID: 2780
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
              Command line: C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
              PID: 1768
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
                Command line: C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
                PID: 2264
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
                  Command line: C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
                  PID: 2784
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
                    Command line: C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
                    PID: 2188
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe
                      Command line: C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe
                      PID: 2228
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe
                        Command line: C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe
                        PID: 1316
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2473B~1.EXE > nul
                        PID: 928
                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB74~1.EXE > nul
                      PID: 612
                  C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2F2D8~1.EXE > nul
                    PID: 2216
                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7664B~1.EXE > nul
                  PID: 1612
              C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{444CE~1.EXE > nul
                PID: 292
            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0A957~1.EXE > nul
              PID: 1960
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1D720~1.EXE > nul
            PID: 1940
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{52E8A~1.EXE > nul
          PID: 2636
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{90D08~1.EXE > nul
        PID: 2484
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E9658~1.EXE > nul
      PID: 2676
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2560
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 168KB
MD5: 4bdc70ad8185003ad786ffdce909cae6
SHA1: 38bcc654f794f4991623f3f78eedd838dadbe658
SHA256: 135ae1d3872b936039938536ed1df404529e4720eef2ca26f627db444c1c22aa
SHA512: e48e36cb930d68722053c4ee1827b72c5621d870f00cf03f8ab16729fcd8d090767a19a8179bfd8717bb806df7d5828671ced4bc1d0c5677ea5110fda22d554f

Filesize: 168KB
MD5: 8c7cfa29a508d0bb026d676231bad248
SHA1: c397c32b5b623af89df6985b75ffefdb4bd6f8ff
SHA256: 4d36a874237eacd91c1b168c1afe029f03cebb54a29bcb4358f3caec83b8fa79
SHA512: ba8b8bf1b0d72e4176b25350060bfca18d3588f8042aa69fc10c4525e107a7e7a529c0e7fc972cd48608e4c5924078930466cfc37a5f346c9decb941bcb35b09

Filesize: 168KB
MD5: 49049346af258627d01ae70b91a16541
SHA1: 5bbe7e9f7c6c4dec34c211dcb76bc7a19cb64d67
SHA256: 976d634c7aa3948acda98ebc7d466e904108d2ae5019f58164edcc85014e172f
SHA512: b1b7c24cb5f3a734ff8235b50683beb8d16f040be72eabaa10f613b98df08632c81cbd9a1d7b499229be92eb622fa0298da0ff1662aa2801edbabd93c921e264

Filesize: 168KB
MD5: c05bc2524c7bc91ce26959fa288bd798
SHA1: 45c1fc45d6307bed9ce13d12ceab8133fda0cda0
SHA256: 6563db7ad3c3a4f037038951396999dcc2d0071f382c141c0d6d159ba3b5ef17
SHA512: 2a65945b356d22d05d19773d002f7c30cac9ca7c75de8f102bb4a8ef09dcb022c4cb2f5e6fb4329c715d36b68e19764b9d09b93390959058fe194380842e716e

Filesize: 168KB
MD5: 2a214477a7cbeaabd959ad4e4126b17f
SHA1: 627c9bb0d0182cb9bd85967adad7db982cf94323
SHA256: b3a124e61a262af3ad4a104abe0ea0fbcca8813dad4452c137aaf85c353a5708
SHA512: 70eb77772750e477affa956794596d14c49a9b58e4309cfc0e8562fbe1566a27754b8257f4efa5cd3e9db5abb72676951df864aa627d1f14d878addfe8cdcf68

Filesize: 168KB
MD5: d947157fc1656fccd3599184302b2076
SHA1: 3c6853394f9c206241a232b752b956ff62338527
SHA256: fc8b25969dc26a682c56b793e57a1615fe6db333a144333e6a978ad159c12197
SHA512: 86ab712a19fd4c07ae016549572d3c1a38c225a200a01a31ac750edffea649676f67752746ef91e47f957af0775e7cc9a34c473e5025e3538d9ee63878b35987

Filesize: 168KB
MD5: b36c72743b9a151376da8694be4f061a
SHA1: 77ba3b5b625034cc00ea6f64579336007d381c3a
SHA256: 7ce5156531d1afa2f30df1e5c85072b981ff4a97127caff1c0c2ede437514e38
SHA512: 7811b539502af77e302ea8f59e240fd021b54a4b13c9a23f7ababc850bc03d1ae77b5663a134ee1d82e718fcf15a609a57724a1f961f80be8c83984f12e3b5ed

Filesize: 168KB
MD5: a0ae086f0fcaea46dc0e772802d2f36e
SHA1: ff0ce6c09a818f6a4b5ebf06c10b9b8739de7092
SHA256: 3d3c8acc253c7ce7dfb74a237124c61eb8686d7c0de9ad2557acf4c873cd7a72
SHA512: 442579a8e4870b873f0f4b3ff9d8d2a018b26c8b07a56828355401f42515c04d878f7ddb887a27346699bc2357932b72a5a0d99d48212ec026a48c561e20b048

Filesize: 168KB
MD5: 7976da946ff1f539e73b7957b3c6b41f
SHA1: a283d5a43bd277e37d1cd9e686115b00529bb5a5
SHA256: ef914edc10f11258cc44c29c658461cd67d98888c09a2f9e5b8ccb6277fa5b90
SHA512: ecb3ab658126e38200697c23b7acf0491f85aa14b53b2467b6e68bcd86e859a24904298bc6968076ee9ee896d5897c342f36b20c60294b5a5fea2a3d8cc1198e

Filesize: 168KB
MD5: f9a76c0d53e94f95efd3536b2f13fb87
SHA1: b65c9ab2e3b9723dbd7f1b312dc31e4b3f78b965
SHA256: ceecd74d6328ddbfe3eb27b63f913b88c6cbc2ae491a73b5c438f2ce9cc93f5d
SHA512: e1676ebb910daf9e9bac90a47ae3cd1b462a2da6ce5a96e4f9086d6ead863f06edbfb383632dbceee8e876bb2b983f6ee4bb637b124e1fad05d03abd40d50869

Filesize: 168KB
MD5: d61c1b340ca864c5f43da8f67b0938ce
SHA1: 6ad44309c8f8ffcbc271c4e29d58a223bfd576b4
SHA256: e688377351db23c5c1134aa1d3bc2b4650ec0f50ed479f00dcc1a106c8cdb3b2
SHA512: 202f95ab9e9d3869aab34d62f0b1adcde513afc2b8b63dd54fc36ab22111b46acfccf3e699da3de7063df34344966d2971e365bc8cf3c13f88878c600eaa3b00