Analysis
max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
  Resource: win10v2004-20240611-en
General
Target: 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Size: 197KB
MD5: 50c172c6f6287f85183ca033525e3bd8
SHA1: e864c4444e97779c074d08522cf8d39d351b9ea0
SHA256: a165df81640d91fa0676d16d7c2e604afa1055dc5ae45dc6907bb79806be5bee
SHA512: 73d799742498a9bb2cea7af12c222fe7eaa214a5446e42212f7ede492a83094e25bf7084d2e449d651b1106cbb0dd9971d8843469c8e2440259ab1c649e9f765
SSDEEP: 3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000c00000001313a-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015d07-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001313a-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001313a-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001313a-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001313a-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001313a-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{817878BB-966C-4369-ABB2-4CCEC114C9C6}\stubpath = "C:\\Windows\\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe" | {D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}\stubpath = "C:\\Windows\\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe" | {40BB1530-EA53-482e-B63E-594765E3390A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E45B0C3-8C3E-4423-8D79-3669119EC76E} | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62F2553-5BF4-4b31-9444-DDF82792DD7E} | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6} | {53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}\stubpath = "C:\\Windows\\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe" | {0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F569C1-F86A-4333-8D4A-2F40C686676F}\stubpath = "C:\\Windows\\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe" | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}\stubpath = "C:\\Windows\\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe" | {53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{817878BB-966C-4369-ABB2-4CCEC114C9C6} | {D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}\stubpath = "C:\\Windows\\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe" | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BB1530-EA53-482e-B63E-594765E3390A}\stubpath = "C:\\Windows\\{40BB1530-EA53-482e-B63E-594765E3390A}.exe" | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06} | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}\stubpath = "C:\\Windows\\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe" | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F569C1-F86A-4333-8D4A-2F40C686676F} | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}\stubpath = "C:\\Windows\\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe" | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BB1530-EA53-482e-B63E-594765E3390A} | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}\stubpath = "C:\\Windows\\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe" | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}\stubpath = "C:\\Windows\\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe" | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937} | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0} | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91} | {40BB1530-EA53-482e-B63E-594765E3390A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5} | {0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
Deletes itself 1 IoCs
pid | Process
2144 | cmd.exe
Executes dropped EXE 11 IoCs
pid | Process
2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe
2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
2772 | {53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
868 | {0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
2068 | {D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
2732 | {817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
File created | C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
File created | C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
File created | C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe | {0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
File created | C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe | {D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
File created | C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
File created | C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
File created | C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | {40BB1530-EA53-482e-B63E-594765E3390A}.exe
File created | C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
File created | C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
File created | C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe | {53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
Token: SeIncBasePriorityPrivilege | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
Token: SeIncBasePriorityPrivilege | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe
Token: SeIncBasePriorityPrivilege | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
Token: SeIncBasePriorityPrivilege | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
Token: SeIncBasePriorityPrivilege | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
Token: SeIncBasePriorityPrivilege | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
Token: SeIncBasePriorityPrivilege | 2772 | {53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
Token: SeIncBasePriorityPrivilege | 868 | {0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
Token: SeIncBasePriorityPrivilege | 2068 | {D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2188 wrote to memory of 2744 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 28
PID 2188 wrote to memory of 2744 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 28
PID 2188 wrote to memory of 2744 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 28
PID 2188 wrote to memory of 2744 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 28
PID 2188 wrote to memory of 2144 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 29
PID 2188 wrote to memory of 2144 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 29
PID 2188 wrote to memory of 2144 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 29
PID 2188 wrote to memory of 2144 | 2188 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 29
PID 2744 wrote to memory of 2260 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 30
PID 2744 wrote to memory of 2260 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 30
PID 2744 wrote to memory of 2260 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 30
PID 2744 wrote to memory of 2260 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 30
PID 2744 wrote to memory of 2276 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 31
PID 2744 wrote to memory of 2276 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 31
PID 2744 wrote to memory of 2276 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 31
PID 2744 wrote to memory of 2276 | 2744 | {59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe | 31
PID 2260 wrote to memory of 2448 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 32
PID 2260 wrote to memory of 2448 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 32
PID 2260 wrote to memory of 2448 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 32
PID 2260 wrote to memory of 2448 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 32
PID 2260 wrote to memory of 2720 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 33
PID 2260 wrote to memory of 2720 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 33
PID 2260 wrote to memory of 2720 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 33
PID 2260 wrote to memory of 2720 | 2260 | {2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe | 33
PID 2448 wrote to memory of 2992 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 36
PID 2448 wrote to memory of 2992 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 36
PID 2448 wrote to memory of 2992 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 36
PID 2448 wrote to memory of 2992 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 36
PID 2448 wrote to memory of 2800 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 37
PID 2448 wrote to memory of 2800 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 37
PID 2448 wrote to memory of 2800 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 37
PID 2448 wrote to memory of 2800 | 2448 | {40BB1530-EA53-482e-B63E-594765E3390A}.exe | 37
PID 2992 wrote to memory of 2964 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 38
PID 2992 wrote to memory of 2964 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 38
PID 2992 wrote to memory of 2964 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 38
PID 2992 wrote to memory of 2964 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 38
PID 2992 wrote to memory of 2968 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 39
PID 2992 wrote to memory of 2968 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 39
PID 2992 wrote to memory of 2968 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 39
PID 2992 wrote to memory of 2968 | 2992 | {AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe | 39
PID 2964 wrote to memory of 1716 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 40
PID 2964 wrote to memory of 1716 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 40
PID 2964 wrote to memory of 1716 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 40
PID 2964 wrote to memory of 1716 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 40
PID 2964 wrote to memory of 1760 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 41
PID 2964 wrote to memory of 1760 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 41
PID 2964 wrote to memory of 1760 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 41
PID 2964 wrote to memory of 1760 | 2964 | {09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe | 41
PID 1716 wrote to memory of 2168 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 42
PID 1716 wrote to memory of 2168 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 42
PID 1716 wrote to memory of 2168 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 42
PID 1716 wrote to memory of 2168 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 42
PID 1716 wrote to memory of 2672 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 43
PID 1716 wrote to memory of 2672 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 43
PID 1716 wrote to memory of 2672 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 43
PID 1716 wrote to memory of 2672 | 1716 | {1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe | 43
PID 2168 wrote to memory of 2772 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 44
PID 2168 wrote to memory of 2772 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 44
PID 2168 wrote to memory of 2772 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 44
PID 2168 wrote to memory of 2772 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 44
PID 2168 wrote to memory of 2708 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 45
PID 2168 wrote to memory of 2708 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 45
PID 2168 wrote to memory of 2708 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 45
PID 2168 wrote to memory of 2708 | 2168 | {C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe | 45
Processes
(process tree; the bracketed number is the depth, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe (PID 2188)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe (PID 2744)
      command line: C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe (PID 2260)
        command line: C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe (PID 2448)
          command line: C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe (PID 2992)
            command line: C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe (PID 2964)
              command line: C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe (PID 1716)
                command line: C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe (PID 2168)
                  command line: C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe (PID 2772)
                    command line: C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe (PID 868)
                      command line: C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe (PID 2068)
                        command line: C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe (PID 2732)
                          command line: C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe
                          - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 2860)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DCE~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2408)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB3B~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 1292)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{53F56~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 2708)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C62F2~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 2672)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1E45B~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1760)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{09ACA~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2968)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6E4~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2800)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{40BB1~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2720)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2A0F9~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2276)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{59E6C~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2144)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads