Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:43

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
  Resource: win10v2004-20240508-en

General
Target: 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Size: 344KB
MD5: 0a755e821f5f8006a843b9ec0878c779
SHA1: 4a481c3ff19aaf6c5d2f00654cee5c0d06a87184
SHA256: 08e176d28691fc2e5eca6d6b5709f56f60f1ff0109e7e3d9a78e361a99fa6818
SHA512: d792ed635304e7be64ecb6134df83f52a9168ce60af2a63da4e25b2dc680d6a59daa7d791aa6de902d5cc4969c1fc47401f7cc6f66a52e38fbae1b01abe10f0e
SSDEEP: 3072:mEGh0ozlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures

Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000f00000001227e-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016c7a-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001227e-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016cc3-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000016cc3-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000016cc3-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016ce7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0039000000016cc3-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B9109E-9B90-4003-B786-1E272E72BE91}\stubpath = "C:\\Windows\\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe" | {89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2997367-45EE-4a6d-800A-06E97D37E978}\stubpath = "C:\\Windows\\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe" | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B} | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93DD83C-028B-4ca1-BB61-2A3507D47695} | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93DD83C-028B-4ca1-BB61-2A3507D47695}\stubpath = "C:\\Windows\\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe" | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32100AD-63B7-4759-A591-0FD33F67C60F} | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89685C1C-617C-4cfa-8A26-9812EBC61243}\stubpath = "C:\\Windows\\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe" | {85796DE0-F775-40fb-B4A8-48D33281E574}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B9109E-9B90-4003-B786-1E272E72BE91} | {89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}\stubpath = "C:\\Windows\\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe" | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2997367-45EE-4a6d-800A-06E97D37E978} | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A369E39A-89B5-455b-B7D6-782D83E63C99} | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A369E39A-89B5-455b-B7D6-782D83E63C99}\stubpath = "C:\\Windows\\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe" | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A} | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85796DE0-F775-40fb-B4A8-48D33281E574} | {D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85796DE0-F775-40fb-B4A8-48D33281E574}\stubpath = "C:\\Windows\\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe" | {D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE} | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659} | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}\stubpath = "C:\\Windows\\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe" | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}\stubpath = "C:\\Windows\\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe" | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}\stubpath = "C:\\Windows\\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe" | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32100AD-63B7-4759-A591-0FD33F67C60F}\stubpath = "C:\\Windows\\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe" | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89685C1C-617C-4cfa-8A26-9812EBC61243} | {85796DE0-F775-40fb-B4A8-48D33281E574}.exe
Deletes itself (1 IoC)
pid | Process
3056 | cmd.exe

Executes dropped EXE (11 IoCs)
pid | Process
2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe
2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
700 | {D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
2616 | {85796DE0-F775-40fb-B4A8-48D33281E574}.exe
2084 | {89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
2332 | {74B9109E-9B90-4003-B786-1E272E72BE91}.exe

Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe | {85796DE0-F775-40fb-B4A8-48D33281E574}.exe
File created | C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe | {89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
File created | C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
File created | C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
File created | C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
File created | C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
File created | C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe | {D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
File created | C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe
File created | C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
File created | C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
File created | C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
Token: SeIncBasePriorityPrivilege | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe
Token: SeIncBasePriorityPrivilege | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
Token: SeIncBasePriorityPrivilege | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
Token: SeIncBasePriorityPrivilege | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
Token: SeIncBasePriorityPrivilege | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
Token: SeIncBasePriorityPrivilege | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
Token: SeIncBasePriorityPrivilege | 700 | {D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
Token: SeIncBasePriorityPrivilege | 2616 | {85796DE0-F775-40fb-B4A8-48D33281E574}.exe
Token: SeIncBasePriorityPrivilege | 2084 | {89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2224 wrote to memory of 2700 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 28
PID 2224 wrote to memory of 2700 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 28
PID 2224 wrote to memory of 2700 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 28
PID 2224 wrote to memory of 2700 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 28
PID 2224 wrote to memory of 3056 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 29
PID 2224 wrote to memory of 3056 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 29
PID 2224 wrote to memory of 3056 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 29
PID 2224 wrote to memory of 3056 | 2224 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 29
PID 2700 wrote to memory of 2672 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 30
PID 2700 wrote to memory of 2672 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 30
PID 2700 wrote to memory of 2672 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 30
PID 2700 wrote to memory of 2672 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 30
PID 2700 wrote to memory of 2784 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 31
PID 2700 wrote to memory of 2784 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 31
PID 2700 wrote to memory of 2784 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 31
PID 2700 wrote to memory of 2784 | 2700 | {BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe | 31
PID 2672 wrote to memory of 2724 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 32
PID 2672 wrote to memory of 2724 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 32
PID 2672 wrote to memory of 2724 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 32
PID 2672 wrote to memory of 2724 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 32
PID 2672 wrote to memory of 2656 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 33
PID 2672 wrote to memory of 2656 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 33
PID 2672 wrote to memory of 2656 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 33
PID 2672 wrote to memory of 2656 | 2672 | {F2997367-45EE-4a6d-800A-06E97D37E978}.exe | 33
PID 2724 wrote to memory of 2200 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 36
PID 2724 wrote to memory of 2200 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 36
PID 2724 wrote to memory of 2200 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 36
PID 2724 wrote to memory of 2200 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 36
PID 2724 wrote to memory of 2588 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 37
PID 2724 wrote to memory of 2588 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 37
PID 2724 wrote to memory of 2588 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 37
PID 2724 wrote to memory of 2588 | 2724 | {9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe | 37
PID 2200 wrote to memory of 2864 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 38
PID 2200 wrote to memory of 2864 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 38
PID 2200 wrote to memory of 2864 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 38
PID 2200 wrote to memory of 2864 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 38
PID 2200 wrote to memory of 2556 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 39
PID 2200 wrote to memory of 2556 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 39
PID 2200 wrote to memory of 2556 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 39
PID 2200 wrote to memory of 2556 | 2200 | {A369E39A-89B5-455b-B7D6-782D83E63C99}.exe | 39
PID 2864 wrote to memory of 1644 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 40
PID 2864 wrote to memory of 1644 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 40
PID 2864 wrote to memory of 1644 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 40
PID 2864 wrote to memory of 1644 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 40
PID 2864 wrote to memory of 776 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 41
PID 2864 wrote to memory of 776 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 41
PID 2864 wrote to memory of 776 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 41
PID 2864 wrote to memory of 776 | 2864 | {ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe | 41
PID 1644 wrote to memory of 2404 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 42
PID 1644 wrote to memory of 2404 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 42
PID 1644 wrote to memory of 2404 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 42
PID 1644 wrote to memory of 2404 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 42
PID 1644 wrote to memory of 2504 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 43
PID 1644 wrote to memory of 2504 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 43
PID 1644 wrote to memory of 2504 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 43
PID 1644 wrote to memory of 2504 | 1644 | {2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe | 43
PID 2404 wrote to memory of 700 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 44
PID 2404 wrote to memory of 700 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 44
PID 2404 wrote to memory of 700 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 44
PID 2404 wrote to memory of 700 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 44
PID 2404 wrote to memory of 1156 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 45
PID 2404 wrote to memory of 1156 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 45
PID 2404 wrote to memory of 1156 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 45
PID 2404 wrote to memory of 1156 | 2404 | {F32100AD-63B7-4759-A591-0FD33F67C60F}.exe | 45
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2224

[depth 2] C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
  command line: C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2700

[depth 3] C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
  command line: C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2672

[depth 4] C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
  command line: C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2724

[depth 5] C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
  command line: C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2200

[depth 6] C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
  command line: C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2864

[depth 7] C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
  command line: C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1644

[depth 8] C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
  command line: C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2404

[depth 9] C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
  command line: C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 700

[depth 10] C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe
  command line: C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2616

[depth 11] C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
  command line: C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2084

[depth 12] C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe
  command line: C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe
  - Executes dropped EXE
  PID: 2332

[depth 12] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{89685~1.EXE > nul
  PID: 1328

[depth 11] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{85796~1.EXE > nul
  PID: 1500

[depth 10] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D93DD~1.EXE > nul
  PID: 1612

[depth 9] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F3210~1.EXE > nul
  PID: 1156

[depth 8] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2F9F5~1.EXE > nul
  PID: 2504

[depth 7] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ED447~1.EXE > nul
  PID: 776

[depth 6] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A369E~1.EXE > nul
  PID: 2556

[depth 5] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9776C~1.EXE > nul
  PID: 2588

[depth 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F2997~1.EXE > nul
  PID: 2656

[depth 3] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BF603~1.EXE > nul
  PID: 2784

[depth 2] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
  PID: 3056
Network
MITRE ATT&CK Enterprise v15
Downloads