Analysis
max time kernel: 144s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 13-06-2024 02:43
Static task: static1
Behavioral task: behavioral1
    Sample: 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
    Resource: win7-20231129-en
Behavioral task: behavioral2
    Sample: 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
    Resource: win10v2004-20240508-en
General
Target: 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Size: 380KB
MD5: 050b37d7510f8a8ef9f98757c220251b
SHA1: 8c9c533b59ff94f0b50103a37bb32804f74b4868
SHA256: a6a9bccdd59afea874a4d7da4f11e95a5b58e652c88b5da4b31d4cf38932eb7f
SHA512: 9bd18744772cf7edeb21d0f44711e110724f57194fd556d50365ee233d53e8fd98ca8593072042cea34f166838519e0a9e6972645d231623fd26244699c0bdce
SSDEEP: 3072:mEGh0oDlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x0009000000016176-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016a29-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016176-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016be2-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016176-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016176-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016176-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C748D5E-7236-4342-8B1B-CED67D0E616B} | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33DA5C50-ECA5-48c1-B051-58D39C953E04} | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F} | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86A9266-C867-4256-9B13-F763FBA2CD68} | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF8FF41-D816-4f96-866A-00B5D753F12D}\stubpath = "C:\\Windows\\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe" | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE} | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BA3A96-770C-4284-A5BE-E0B26D14D494}\stubpath = "C:\\Windows\\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe" | {D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}\stubpath = "C:\\Windows\\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe" | {95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}\stubpath = "C:\\Windows\\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe" | {D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C748D5E-7236-4342-8B1B-CED67D0E616B}\stubpath = "C:\\Windows\\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe" | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1} | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}\stubpath = "C:\\Windows\\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe" | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}\stubpath = "C:\\Windows\\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe" | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F0E945-2370-4254-B4EC-185B5068A5D4}\stubpath = "C:\\Windows\\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe" | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BA3A96-770C-4284-A5BE-E0B26D14D494} | {D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33DA5C50-ECA5-48c1-B051-58D39C953E04}\stubpath = "C:\\Windows\\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe" | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5F0E945-2370-4254-B4EC-185B5068A5D4} | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}\stubpath = "C:\\Windows\\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe" | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86A9266-C867-4256-9B13-F763FBA2CD68}\stubpath = "C:\\Windows\\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe" | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF8FF41-D816-4f96-866A-00B5D753F12D} | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D11C081F-7763-4ed9-940C-B03C49B9AA2F} | {95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A} | {D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
Deletes itself 1 IoCs
pid | Process
2220 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
2772 | {D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
1676 | {95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
2260 | {D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
356 | {C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
File created | C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe | {D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
File created | C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe | {95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
File created | C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
File created | C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
File created | C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
File created | C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
File created | C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
File created | C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
File created | C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
File created | C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe | {D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
Token: SeIncBasePriorityPrivilege | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
Token: SeIncBasePriorityPrivilege | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
Token: SeIncBasePriorityPrivilege | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
Token: SeIncBasePriorityPrivilege | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
Token: SeIncBasePriorityPrivilege | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
Token: SeIncBasePriorityPrivilege | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
Token: SeIncBasePriorityPrivilege | 2772 | {D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
Token: SeIncBasePriorityPrivilege | 1676 | {95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
Token: SeIncBasePriorityPrivilege | 2260 | {D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1972 wrote to memory of 2164 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 28
PID 1972 wrote to memory of 2164 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 28
PID 1972 wrote to memory of 2164 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 28
PID 1972 wrote to memory of 2164 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 28
PID 1972 wrote to memory of 2220 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 29
PID 1972 wrote to memory of 2220 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 29
PID 1972 wrote to memory of 2220 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 29
PID 1972 wrote to memory of 2220 | 1972 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 29
PID 2164 wrote to memory of 2720 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 30
PID 2164 wrote to memory of 2720 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 30
PID 2164 wrote to memory of 2720 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 30
PID 2164 wrote to memory of 2720 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 30
PID 2164 wrote to memory of 2744 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 31
PID 2164 wrote to memory of 2744 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 31
PID 2164 wrote to memory of 2744 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 31
PID 2164 wrote to memory of 2744 | 2164 | {9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe | 31
PID 2720 wrote to memory of 2660 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 32
PID 2720 wrote to memory of 2660 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 32
PID 2720 wrote to memory of 2660 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 32
PID 2720 wrote to memory of 2660 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 32
PID 2720 wrote to memory of 2804 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 33
PID 2720 wrote to memory of 2804 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 33
PID 2720 wrote to memory of 2804 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 33
PID 2720 wrote to memory of 2804 | 2720 | {33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe | 33
PID 2660 wrote to memory of 2668 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 36
PID 2660 wrote to memory of 2668 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 36
PID 2660 wrote to memory of 2668 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 36
PID 2660 wrote to memory of 2668 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 36
PID 2660 wrote to memory of 2452 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 37
PID 2660 wrote to memory of 2452 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 37
PID 2660 wrote to memory of 2452 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 37
PID 2660 wrote to memory of 2452 | 2660 | {3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe | 37
PID 2668 wrote to memory of 3032 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 38
PID 2668 wrote to memory of 3032 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 38
PID 2668 wrote to memory of 3032 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 38
PID 2668 wrote to memory of 3032 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 38
PID 2668 wrote to memory of 2896 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 39
PID 2668 wrote to memory of 2896 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 39
PID 2668 wrote to memory of 2896 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 39
PID 2668 wrote to memory of 2896 | 2668 | {4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe | 39
PID 3032 wrote to memory of 2760 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 40
PID 3032 wrote to memory of 2760 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 40
PID 3032 wrote to memory of 2760 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 40
PID 3032 wrote to memory of 2760 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 40
PID 3032 wrote to memory of 1976 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 41
PID 3032 wrote to memory of 1976 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 41
PID 3032 wrote to memory of 1976 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 41
PID 3032 wrote to memory of 1976 | 3032 | {F86A9266-C867-4256-9B13-F763FBA2CD68}.exe | 41
PID 2760 wrote to memory of 1940 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 42
PID 2760 wrote to memory of 1940 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 42
PID 2760 wrote to memory of 1940 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 42
PID 2760 wrote to memory of 1940 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 42
PID 2760 wrote to memory of 2408 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 43
PID 2760 wrote to memory of 2408 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 43
PID 2760 wrote to memory of 2408 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 43
PID 2760 wrote to memory of 2408 | 2760 | {9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe | 43
PID 1940 wrote to memory of 2772 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 44
PID 1940 wrote to memory of 2772 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 44
PID 1940 wrote to memory of 2772 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 44
PID 1940 wrote to memory of 2772 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 44
PID 1940 wrote to memory of 1184 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 45
PID 1940 wrote to memory of 1184 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 45
PID 1940 wrote to memory of 1184 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 45
PID 1940 wrote to memory of 1184 | 1940 | {18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe | 45
Processes
Depth in the process tree is shown in brackets; each entry gives the image path, the command line, the matched signatures and the PID.

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1972

[2] C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
    Command line: C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2164

[3] C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
    Command line: C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2720

[4] C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
    Command line: C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2660

[5] C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
    Command line: C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2668

[6] C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
    Command line: C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3032

[7] C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
    Command line: C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2760

[8] C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
    Command line: C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1940

[9] C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
    Command line: C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2772

[10] C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
    Command line: C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1676

[11] C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
    Command line: C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2260

[12] C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe
    Command line: C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe
    - Executes dropped EXE
    PID: 356

[12] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D11C0~1.EXE > nul
    PID: 1028

[11] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{95BA3~1.EXE > nul
    PID: 796

[10] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F0E~1.EXE > nul
    PID: 2092

[9] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{18D4E~1.EXE > nul
    PID: 1184

[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF8F~1.EXE > nul
    PID: 2408

[7] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F86A9~1.EXE > nul
    PID: 1976

[6] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA0F~1.EXE > nul
    PID: 2896

[5] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF1F~1.EXE > nul
    PID: 2452

[4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{33DA5~1.EXE > nul
    PID: 2804

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9C748~1.EXE > nul
    PID: 2744

[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
    PID: 2220
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 380KB
MD5: 3d43d2c21c9d5924c72fcc4da8c1d50a
SHA1: 454339ca9374107b9b851891a69cb364c6cb3791
SHA256: 3e56ce4b521d2c283ba6d74813d67fa5ba298688a9e897406f4270d816e47db2
SHA512: 4b9190c19c6bfe3c0cb17bddce87eb5abeef85fedfe37cf4c3f91dc1d8bbd85caaf14f78b156a0be904a295939b84af17e5137d183e2d3f951c4f68942236850

Filesize: 380KB
MD5: efc663a94c66617487f54027d1d7abc6
SHA1: 48d3b49064d722367ea1528f28d1276bac7c5b94
SHA256: 0c3b559bb2302ca76bcaa403b82a9e7aaf623d1677e750f3a8d2bade26f745a8
SHA512: be1182c4b368731c535f0054cfedd125072196eae62a5a9a7d4a217e333f4a3a6f8f64b1c9b201e624ef98f71687efe87d996756d2ac717b078bfbebf9e9d401

Filesize: 380KB
MD5: de4f789e133f4d017e82430e867c9860
SHA1: d9ecdffd971c01bff902c71112609d23e6bf36df
SHA256: 47d34486921eb0417df556cbad315034779232efe449f6ac2623a7048d5d21a0
SHA512: e337a9000788d82e2b71fa43009d3a936c05bad643cc9211a43ad0815965ce5c7f839080585c8ff66c63126a0fc382294ca0b456bb07328383b6d91240990d23

Filesize: 380KB
MD5: bad273cdd25901f0e62b4594498b3feb
SHA1: eadbc95b7bcfaad68b4a89282d2ddd90d7b175db
SHA256: 9a3be17c5059bb855b691e1c70cd6f0a452732893e392f9c6b136b6ca10bb4c1
SHA512: bcfd7b4c2aa300141304695214f1e4f329874ebec9d7582472f5984ac12a950183e4232cc481cc6b4b94e50eaeb89cd4527f43500f3be8e24470cfedce2a699f

Filesize: 380KB
MD5: 3affdc6a1cc46c57f2c3a0f483dc6b88
SHA1: 767699a7ebe2f788e52f427bfde56e673892724f
SHA256: 7cfbcab684017d1368563a35922c13f99f92e2ae91392478633a470bbe207268
SHA512: 819db71f575379f1c2194f3ebcbd0695138bc5d18007e6a6a57bcd57cd4c9f03a44a9ace6633e24947959897aa346f2b25bfc207eeaefb4f20d10f7943de0fb4

Filesize: 380KB
MD5: d5a2728f40d835e0a9ebef1fb0673a8f
SHA1: e1dc5e347b7395b440834c50e9e595e9a2f237df
SHA256: 87b6c1be91e91cb185214e5ee28e41a6873ee8f7f60f5dc7e3729be807ba70d3
SHA512: 5ff51dcc0382b8f8478aac39c90f4847354bdf90c7bd6d9d531d97e9cf636a73680c65ee5f0dd65734eaa285229d1e61fd9c687702095facb6b1473d599cf26a

Filesize: 380KB
MD5: d765da34a8eecb0fc3677ffff7bb10b8
SHA1: 28dc7241e739c133abaf891c73472a926ebc8d21
SHA256: fde11c6011534f5256cb60e9c2975f8cc815986bc2a419b96c07bf71df2e7260
SHA512: 06e9b25eb1d90c853e67dc79bb190517526ce0a7170f9783f21ce3b249cad2e60875c669d9686c1013dc0a035fda8becce80a819e96a076f101152294e521c8e

Filesize: 380KB
MD5: f5f706d665ff8ad90dada98315e09e34
SHA1: ae8e79b2eb1cc10803f47bc57c39fda801482ec9
SHA256: 4cdf52ee15b1bd3551597d772315c3bb58a89b6254a743bcee58775bbef70c47
SHA512: 17f294151d5d490e41dfc2c7ec1f35197e79d2cea097d14729d07b989ad93950cf037595aad246630d363c415a0cfe2bbef40b6d25850449eff34350a9fcbc33

Filesize: 380KB
MD5: da6ab89146eb6f9891773ad4ff9132f7
SHA1: b1d73345b8df66498a81de0fd7f22ecd8f3296bf
SHA256: 48a4f6f882f09c7cad61094dbe2f52f1f82fc87964f5c638e978687653280c83
SHA512: daa1f8ae6948edac87eef7678844ebdc298e2b331921a438889f07335b3e92cf8443b1940fa4c6582bddb874e5ac59f6d44bdf220b1cc398ea591f1b03d1349a

Filesize: 380KB
MD5: 48a9d791ba4af39e65a957c3f01a00b3
SHA1: 90e92cbe041c505c39f96d271498c1f3aa393e98
SHA256: 6d8fc6f88a0c7b4d6e6054a4cd50d728317df513111af9220996ce1a97460f1e
SHA512: b59857b2393569f05acd5e2d1771d6be7b8a101b41b8388d9e7d5363c208b24c78d0111444bdee6f064feacc02c0171ff736c7e78709918f1c3b8b22dd8cfe5a

Filesize: 380KB
MD5: b2e34dfa0ec6ff047f98cf292cdc73cc
SHA1: 000b86a4c3c9fe619f3200feedc275ce3e54e30a
SHA256: cd7c15ff17433300917060792974e90d668c05d393daa06a489193f2854b4400
SHA512: 1d5ee903e64784a73c64570bd0f4cb99a46339a9cc58903305057e33d52d9c379ff990359948853a63c9b8cffda753597d92e48aa244895d5fb9979544058e40