Analysis
max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
13-06-2024 02:52
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Resource
win10v2004-20240226-en
General
Target
2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Size
380KB
MD5
6d567ac7a66fe4ff2118501fe126bae9
SHA1
133a6c80f2401f94d2646b7839f88606d8bc967a
SHA256
2d9369dc9317b9d668139c100f78be2db8979ad4c67a3c62b91185ece6601adf
SHA512
5665592a36e8c13be5ce5bbeaef83ba0ea7f8f905ff679d09240416e29fa70f9e481fbe1bdad9e78c0aff149b0aca1442fc582aefa5d5c74a473308502847926
SSDEEP
3072:mEGh0oNlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGfl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000c00000001226a-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c000000015c2f-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c68-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000f6e4-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d000000015c2f-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000f6e4-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e000000015c2f-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6e4-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000015c2f-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6e4-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c2f-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}\stubpath = "C:\\Windows\\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe" | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}\stubpath = "C:\\Windows\\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe" | {505FE572-2CB7-4809-B9A4-238336B1189A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0244D1D-6623-436a-B4EA-792A36025D0A} | {746FB130-6065-4883-AB49-C07C9FCD2278}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6} | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0761930F-1464-4463-BFF1-492FF1D93677}\stubpath = "C:\\Windows\\{0761930F-1464-4463-BFF1-492FF1D93677}.exe" | {75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746FB130-6065-4883-AB49-C07C9FCD2278} | {0761930F-1464-4463-BFF1-492FF1D93677}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0244D1D-6623-436a-B4EA-792A36025D0A}\stubpath = "C:\\Windows\\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe" | {746FB130-6065-4883-AB49-C07C9FCD2278}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31969637-6768-4d49-8F05-AFA506ACC880} | {F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31969637-6768-4d49-8F05-AFA506ACC880}\stubpath = "C:\\Windows\\{31969637-6768-4d49-8F05-AFA506ACC880}.exe" | {F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8602491F-B75D-4a3f-984C-F0807537098F} | {A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8602491F-B75D-4a3f-984C-F0807537098F}\stubpath = "C:\\Windows\\{8602491F-B75D-4a3f-984C-F0807537098F}.exe" | {A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45BD9FAF-2A2D-494a-A602-529AD7F68D69} | {4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75CD81D8-6261-452f-A5ED-DAD95599FAE0} | {505FE572-2CB7-4809-B9A4-238336B1189A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0761930F-1464-4463-BFF1-492FF1D93677} | {75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746FB130-6065-4883-AB49-C07C9FCD2278}\stubpath = "C:\\Windows\\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe" | {0761930F-1464-4463-BFF1-492FF1D93677}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1BEB2A8-5244-4f3a-BD5A-93258638948C} | {31969637-6768-4d49-8F05-AFA506ACC880}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}\stubpath = "C:\\Windows\\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe" | {31969637-6768-4d49-8F05-AFA506ACC880}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D59EE138-D7BF-4353-A41F-122628B33833} | {8602491F-B75D-4a3f-984C-F0807537098F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D59EE138-D7BF-4353-A41F-122628B33833}\stubpath = "C:\\Windows\\{D59EE138-D7BF-4353-A41F-122628B33833}.exe" | {8602491F-B75D-4a3f-984C-F0807537098F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}\stubpath = "C:\\Windows\\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe" | {4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505FE572-2CB7-4809-B9A4-238336B1189A} | {45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505FE572-2CB7-4809-B9A4-238336B1189A}\stubpath = "C:\\Windows\\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe" | {45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
Deletes itself 1 IoCs
pid | Process
2300 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
2640 | {4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
2612 | {45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
2488 | {505FE572-2CB7-4809-B9A4-238336B1189A}.exe
1596 | {75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
1120 | {0761930F-1464-4463-BFF1-492FF1D93677}.exe
3036 | {746FB130-6065-4883-AB49-C07C9FCD2278}.exe
2748 | {F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
2700 | {31969637-6768-4d49-8F05-AFA506ACC880}.exe
1984 | {A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
2216 | {8602491F-B75D-4a3f-984C-F0807537098F}.exe
2240 | {D59EE138-D7BF-4353-A41F-122628B33833}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
File created | C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe | {4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
File created | C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe | {505FE572-2CB7-4809-B9A4-238336B1189A}.exe
File created | C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe | {75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
File created | C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe | {0761930F-1464-4463-BFF1-492FF1D93677}.exe
File created | C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe | {F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
File created | C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe | {31969637-6768-4d49-8F05-AFA506ACC880}.exe
File created | C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe | {45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
File created | C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe | {746FB130-6065-4883-AB49-C07C9FCD2278}.exe
File created | C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe | {A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
File created | C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe | {8602491F-B75D-4a3f-984C-F0807537098F}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2000 | 2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2640 | {4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
Token: SeIncBasePriorityPrivilege | 2612 | {45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
Token: SeIncBasePriorityPrivilege | 2488 | {505FE572-2CB7-4809-B9A4-238336B1189A}.exe
Token: SeIncBasePriorityPrivilege | 1596 | {75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
Token: SeIncBasePriorityPrivilege | 1120 | {0761930F-1464-4463-BFF1-492FF1D93677}.exe
Token: SeIncBasePriorityPrivilege | 3036 | {746FB130-6065-4883-AB49-C07C9FCD2278}.exe
Token: SeIncBasePriorityPrivilege | 2748 | {F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
Token: SeIncBasePriorityPrivilege | 2700 | {31969637-6768-4d49-8F05-AFA506ACC880}.exe
Token: SeIncBasePriorityPrivilege | 1984 | {A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
Token: SeIncBasePriorityPrivilege | 2216 | {8602491F-B75D-4a3f-984C-F0807537098F}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the image path, the command line and the process-tree depth (depth 1 is the submitted sample; a process at depth N+1 was started by the preceding process at depth N).

C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe (depth 2)
Command line: C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe (depth 3)
Command line: C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe (depth 4)
Command line: C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe (depth 5)
Command line: C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe (depth 6)
Command line: C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe (depth 7)
Command line: C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe (depth 8)
Command line: C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe (depth 9)
Command line: C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe (depth 10)
Command line: C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe (depth 11)
Command line: C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe (depth 12)
Command line: C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe
- Executes dropped EXE
PID:2240

C:\Windows\SysWOW64\cmd.exe (depth 12)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{86024~1.EXE > nul
PID:2220

C:\Windows\SysWOW64\cmd.exe (depth 11)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A1BEB~1.EXE > nul
PID:2016

C:\Windows\SysWOW64\cmd.exe (depth 10)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{31969~1.EXE > nul
PID:852

C:\Windows\SysWOW64\cmd.exe (depth 9)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0244~1.EXE > nul
PID:2844

C:\Windows\SysWOW64\cmd.exe (depth 8)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{746FB~1.EXE > nul
PID:2780

C:\Windows\SysWOW64\cmd.exe (depth 7)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{07619~1.EXE > nul
PID:2824

C:\Windows\SysWOW64\cmd.exe (depth 6)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{75CD8~1.EXE > nul
PID:2872

C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{505FE~1.EXE > nul
PID:524

C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{45BD9~1.EXE > nul
PID:1836

C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4B71D~1.EXE > nul
PID:2096

C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- Deletes itself
PID:2300
Network
MITRE ATT&CK Enterprise v15
Downloads