Analysis
- max time kernel: 144s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 02:46
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
- Resource: win10v2004-20240611-en
General
- Target: 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
- Size: 344KB
- MD5: 24eadd4d609b1d0fc674c021cf1144f9
- SHA1: 82d210e775bab311ee3214f13bd6a18dbcd46ef1
- SHA256: 16c8741c332d24feb1e8bcdd9d90a7ce4c0d6b168a091e716dabaa1fc6ae8175
- SHA512: 785456e14279dcf1192070dbfb4e06fe7904377e501a314e42987a3766991a4ea9d3b91a9dfc2f6a5b2105654eed3c6ef12a2159caeb5578e705f1260bf71bba
- SSDEEP: 3072:mEGh0ojlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGtlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource / yara_rule:
- behavioral1/files/0x000c00000001228a-4.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0037000000015c9b-12.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000d00000001228a-19.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0038000000015ca9-26.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0004000000004ed7-33.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000e00000001228a-40.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0005000000004ed7-47.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000f00000001228a-54.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0006000000004ed7-61.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x001000000001228a-68.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0007000000004ed7-75.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A040C519-27C1-4361-8F4D-EE788A4999CB} (by {9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{860CCA45-D390-4aaa-B743-EEF6A923076A} (by {A040C519-27C1-4361-8F4D-EE788A4999CB}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE9C394-35EB-4bc2-9392-22007027FEC6} (by {860CCA45-D390-4aaa-B743-EEF6A923076A}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE9C394-35EB-4bc2-9392-22007027FEC6}\stubpath = "C:\\Windows\\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe" (by {860CCA45-D390-4aaa-B743-EEF6A923076A}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}\stubpath = "C:\\Windows\\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe" (by {CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7} (by {04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3639F753-306D-4545-A65F-F9EF26B1B393} (by {649B4ADB-6932-4d60-8A61-7422D7576C94}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D} (by {3639F753-306D-4545-A65F-F9EF26B1B393}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AC68E8-60B2-4fdb-837B-2FED732128BC} (by {26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04985B9E-B464-4f2b-B4CA-584A8E64E879} (by 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3639F753-306D-4545-A65F-F9EF26B1B393}\stubpath = "C:\\Windows\\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe" (by {649B4ADB-6932-4d60-8A61-7422D7576C94}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}\stubpath = "C:\\Windows\\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe" (by {3639F753-306D-4545-A65F-F9EF26B1B393}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{649B4ADB-6932-4d60-8A61-7422D7576C94}\stubpath = "C:\\Windows\\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe" (by {2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A040C519-27C1-4361-8F4D-EE788A4999CB}\stubpath = "C:\\Windows\\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe" (by {9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{860CCA45-D390-4aaa-B743-EEF6A923076A}\stubpath = "C:\\Windows\\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe" (by {A040C519-27C1-4361-8F4D-EE788A4999CB}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26876394-7762-4a75-9B9E-DE6FF40DEAE3} (by {CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}\stubpath = "C:\\Windows\\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe" (by {26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04985B9E-B464-4f2b-B4CA-584A8E64E879}\stubpath = "C:\\Windows\\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe" (by 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8} (by {E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}\stubpath = "C:\\Windows\\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe" (by {E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}\stubpath = "C:\\Windows\\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe" (by {04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{649B4ADB-6932-4d60-8A61-7422D7576C94} (by {2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe)
Deletes itself (1 IoC)
pid / Process:
- 3032: cmd.exe
Executes dropped EXE (11 IoCs)
pid / Process:
- 2812: {04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
- 2616: {E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
- 2488: {2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
- 2508: {649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
- 1536: {3639F753-306D-4545-A65F-F9EF26B1B393}.exe
- 2160: {9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
- 352: {A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
- 1844: {860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
- 2896: {CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe
- 2560: {26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe
- 1068: {B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe
Drops file in Windows directory (11 IoCs)
description / ioc / Process:
- File created: C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe (by {860CCA45-D390-4aaa-B743-EEF6A923076A}.exe)
- File created: C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe (by {CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe)
- File created: C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe (by {26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe)
- File created: C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe (by 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe)
- File created: C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe (by {E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe)
- File created: C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe (by {3639F753-306D-4545-A65F-F9EF26B1B393}.exe)
- File created: C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe (by {9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe)
- File created: C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe (by {A040C519-27C1-4361-8F4D-EE788A4999CB}.exe)
- File created: C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe (by {04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe)
- File created: C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe (by {2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe)
- File created: C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe (by {649B4ADB-6932-4d60-8A61-7422D7576C94}.exe)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description / pid / Process:
- Token: SeIncBasePriorityPrivilege, 3028, 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
- Token: SeIncBasePriorityPrivilege, 2812, {04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
- Token: SeIncBasePriorityPrivilege, 2616, {E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
- Token: SeIncBasePriorityPrivilege, 2488, {2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
- Token: SeIncBasePriorityPrivilege, 2508, {649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
- Token: SeIncBasePriorityPrivilege, 1536, {3639F753-306D-4545-A65F-F9EF26B1B393}.exe
- Token: SeIncBasePriorityPrivilege, 2160, {9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
- Token: SeIncBasePriorityPrivilege, 352, {A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
- Token: SeIncBasePriorityPrivilege, 1844, {860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
- Token: SeIncBasePriorityPrivilege, 2896, {CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe
- Token: SeIncBasePriorityPrivilege, 2560, {26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (each write below is logged 4 times in the report, giving the 64 entries):
- PID 3028 wrote to memory of 2812; process 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe; procid_target 28
- PID 3028 wrote to memory of 3032; process 2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe; procid_target 29
- PID 2812 wrote to memory of 2616; process {04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe; procid_target 30
- PID 2812 wrote to memory of 2768; process {04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe; procid_target 31
- PID 2616 wrote to memory of 2488; process {E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe; procid_target 32
- PID 2616 wrote to memory of 2600; process {E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe; procid_target 33
- PID 2488 wrote to memory of 2508; process {2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe; procid_target 36
- PID 2488 wrote to memory of 1512; process {2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe; procid_target 37
- PID 2508 wrote to memory of 1536; process {649B4ADB-6932-4d60-8A61-7422D7576C94}.exe; procid_target 38
- PID 2508 wrote to memory of 2700; process {649B4ADB-6932-4d60-8A61-7422D7576C94}.exe; procid_target 39
- PID 1536 wrote to memory of 2160; process {3639F753-306D-4545-A65F-F9EF26B1B393}.exe; procid_target 40
- PID 1536 wrote to memory of 2368; process {3639F753-306D-4545-A65F-F9EF26B1B393}.exe; procid_target 41
- PID 2160 wrote to memory of 352; process {9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe; procid_target 42
- PID 2160 wrote to memory of 1664; process {9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe; procid_target 43
- PID 352 wrote to memory of 1844; process {A040C519-27C1-4361-8F4D-EE788A4999CB}.exe; procid_target 44
- PID 352 wrote to memory of 2788; process {A040C519-27C1-4361-8F4D-EE788A4999CB}.exe; procid_target 45
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe (depth 1, PID 3028)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"
  signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe (depth 2, PID 2812)
    command line: C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe (depth 3, PID 2616)
      command line: C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe (depth 4, PID 2488)
        command line: C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe (depth 5, PID 2508)
          command line: C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
          signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe (depth 6, PID 1536)
            command line: C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
            signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe (depth 7, PID 2160)
              command line: C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
              signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe (depth 8, PID 352)
                command line: C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
                signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe (depth 9, PID 1844)
                  command line: C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
                  signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe (depth 10, PID 2896)
                    command line: C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe
                    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe (depth 11, PID 2560)
                      command line: C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe
                      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe (depth 12, PID 1068)
                        command line: C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe
                        signatures: Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (depth 12, PID 584)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{26876~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (depth 11, PID 536)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE9C~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 1040)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{860CC~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2788)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A040C~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 1664)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9172D~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 2368)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3639F~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2700)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{649B4~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 1512)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2C8D1~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2600)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E40BD~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2768)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{04985~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3032)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads