Analysis

max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 13-06-2024 02:51

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
  Resource: win10v2004-20240508-en
General

Target: 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
Size: 380KB
MD5: 639e527998e0506714a7a8d6506c11da
SHA1: a776bb9887b916beb52ee968de4d82b1dd300acf
SHA256: b56cff8022659e2c0d5276ca259b67efe56c4e36c126c83ab95a739d30f62bde
SHA512: aada1a38ed5946e066fe98ac664c9e4f73e9a1a9dee4eb70075e729d667fa1db13b0451f31559103746e98457789a31e12ab686f0756321945bf541509823296
SSDEEP: 3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGYl7Oe2MUVg3v2IneKcAEcARy
Malware Config

Signatures
Auto-generated rule 11 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000b0000000149f5-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0009000000015018-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000c0000000149f5-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x00090000000155f3-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0006000000005a59-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000d0000000149f5-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0007000000005a59-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000e0000000149f5-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0008000000005a59-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000f0000000149f5-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0009000000005a59-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry 2 TTPs 22 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48} | {7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E} | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377} | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}\stubpath = "C:\\Windows\\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe" | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5247CA5-769E-43de-8DE4-254F44BDDA6A} | {CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B542881-E784-4a99-8D39-81CDE9CEC4DB} | {D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}\stubpath = "C:\\Windows\\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe" | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}\stubpath = "C:\\Windows\\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe" | {CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}\stubpath = "C:\\Windows\\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe" | {7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2131AF11-F503-4ea8-B826-FA8749AB2C04} | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79117DC1-9642-4a00-832B-D1587459CDD1} | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79117DC1-9642-4a00-832B-D1587459CDD1}\stubpath = "C:\\Windows\\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe" | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35} | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3419F1B3-CC30-4e64-B70D-E80C33440473}\stubpath = "C:\\Windows\\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe" | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}\stubpath = "C:\\Windows\\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe" | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}\stubpath = "C:\\Windows\\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe" | {D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC11523-3EEF-46c0-A70B-8D9519AA4485} | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2131AF11-F503-4ea8-B826-FA8749AB2C04}\stubpath = "C:\\Windows\\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe" | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{576A5771-6210-44b6-B079-D768B4AB4CE4} | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{576A5771-6210-44b6-B079-D768B4AB4CE4}\stubpath = "C:\\Windows\\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe" | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}\stubpath = "C:\\Windows\\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe" | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3419F1B3-CC30-4e64-B70D-E80C33440473} | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe |
Executes dropped EXE 11 IoCs

| pid | Process |
|---|---|
| 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe |
| 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe |
| 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe |
| 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe |
| 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe |
| 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe |
| 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe |
| 1456 | {CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe |
| 3028 | {D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe |
| 1864 | {7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe |
| 1480 | {47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe |
Drops file in Windows directory 11 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe |
| File created | C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe |
| File created | C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe | {D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe |
| File created | C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe |
| File created | C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe |
| File created | C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe |
| File created | C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe | {CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe |
| File created | C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe | {7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe |
| File created | C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe |
| File created | C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe |
| File created | C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe |
Suspicious use of AdjustPrivilegeToken 11 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe |
| Token: SeIncBasePriorityPrivilege | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe |
| Token: SeIncBasePriorityPrivilege | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe |
| Token: SeIncBasePriorityPrivilege | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe |
| Token: SeIncBasePriorityPrivilege | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe |
| Token: SeIncBasePriorityPrivilege | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe |
| Token: SeIncBasePriorityPrivilege | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe |
| Token: SeIncBasePriorityPrivilege | 1456 | {CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe |
| Token: SeIncBasePriorityPrivilege | 3028 | {D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe |
| Token: SeIncBasePriorityPrivilege | 1864 | {7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe |
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 948 wrote to memory of 2336 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 28 |
| PID 948 wrote to memory of 2336 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 28 |
| PID 948 wrote to memory of 2336 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 28 |
| PID 948 wrote to memory of 2336 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 28 |
| PID 948 wrote to memory of 2532 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 29 |
| PID 948 wrote to memory of 2532 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 29 |
| PID 948 wrote to memory of 2532 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 29 |
| PID 948 wrote to memory of 2532 | 948 | 2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe | 29 |
| PID 2336 wrote to memory of 2640 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 30 |
| PID 2336 wrote to memory of 2640 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 30 |
| PID 2336 wrote to memory of 2640 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 30 |
| PID 2336 wrote to memory of 2640 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 30 |
| PID 2336 wrote to memory of 2676 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 31 |
| PID 2336 wrote to memory of 2676 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 31 |
| PID 2336 wrote to memory of 2676 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 31 |
| PID 2336 wrote to memory of 2676 | 2336 | {2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe | 31 |
| PID 2640 wrote to memory of 2692 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 32 |
| PID 2640 wrote to memory of 2692 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 32 |
| PID 2640 wrote to memory of 2692 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 32 |
| PID 2640 wrote to memory of 2692 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 32 |
| PID 2640 wrote to memory of 2568 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 33 |
| PID 2640 wrote to memory of 2568 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 33 |
| PID 2640 wrote to memory of 2568 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 33 |
| PID 2640 wrote to memory of 2568 | 2640 | {79117DC1-9642-4a00-832B-D1587459CDD1}.exe | 33 |
| PID 2692 wrote to memory of 2524 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 36 |
| PID 2692 wrote to memory of 2524 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 36 |
| PID 2692 wrote to memory of 2524 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 36 |
| PID 2692 wrote to memory of 2524 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 36 |
| PID 2692 wrote to memory of 2824 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 37 |
| PID 2692 wrote to memory of 2824 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 37 |
| PID 2692 wrote to memory of 2824 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 37 |
| PID 2692 wrote to memory of 2824 | 2692 | {576A5771-6210-44b6-B079-D768B4AB4CE4}.exe | 37 |
| PID 2524 wrote to memory of 1640 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 38 |
| PID 2524 wrote to memory of 1640 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 38 |
| PID 2524 wrote to memory of 1640 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 38 |
| PID 2524 wrote to memory of 1640 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 38 |
| PID 2524 wrote to memory of 2980 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 39 |
| PID 2524 wrote to memory of 2980 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 39 |
| PID 2524 wrote to memory of 2980 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 39 |
| PID 2524 wrote to memory of 2980 | 2524 | {212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe | 39 |
| PID 1640 wrote to memory of 1972 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 40 |
| PID 1640 wrote to memory of 1972 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 40 |
| PID 1640 wrote to memory of 1972 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 40 |
| PID 1640 wrote to memory of 1972 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 40 |
| PID 1640 wrote to memory of 2852 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 41 |
| PID 1640 wrote to memory of 2852 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 41 |
| PID 1640 wrote to memory of 2852 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 41 |
| PID 1640 wrote to memory of 2852 | 1640 | {325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe | 41 |
| PID 1972 wrote to memory of 2776 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 42 |
| PID 1972 wrote to memory of 2776 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 42 |
| PID 1972 wrote to memory of 2776 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 42 |
| PID 1972 wrote to memory of 2776 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 42 |
| PID 1972 wrote to memory of 2864 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 43 |
| PID 1972 wrote to memory of 2864 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 43 |
| PID 1972 wrote to memory of 2864 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 43 |
| PID 1972 wrote to memory of 2864 | 1972 | {C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe | 43 |
| PID 2776 wrote to memory of 1456 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 44 |
| PID 2776 wrote to memory of 1456 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 44 |
| PID 2776 wrote to memory of 1456 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 44 |
| PID 2776 wrote to memory of 1456 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 44 |
| PID 2776 wrote to memory of 1524 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 45 |
| PID 2776 wrote to memory of 1524 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 45 |
| PID 2776 wrote to memory of 1524 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 45 |
| PID 2776 wrote to memory of 1524 | 2776 | {3419F1B3-CC30-4e64-B70D-E80C33440473}.exe | 45 |
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe (PID 2336)
    Command line: C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe (PID 2640)
      Command line: C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe (PID 2692)
        Command line: C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe (PID 2524)
          Command line: C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe (PID 1640)
            Command line: C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe (PID 1972)
              Command line: C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe (PID 2776)
                Command line: C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe (PID 1456)
                  Command line: C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  [depth 10] C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe (PID 3028)
                    Command line: C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    [depth 11] C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe (PID 1864)
                      Command line: C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      [depth 12] C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe (PID 1480)
                        Command line: C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe
                        - Executes dropped EXE
                      [depth 12] C:\Windows\SysWOW64\cmd.exe (PID 572)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7B542~1.EXE > nul
                    [depth 11] C:\Windows\SysWOW64\cmd.exe (PID 600)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D5247~1.EXE > nul
                  [depth 10] C:\Windows\SysWOW64\cmd.exe (PID 1124)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC11~1.EXE > nul
                [depth 9] C:\Windows\SysWOW64\cmd.exe (PID 1524)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3419F~1.EXE > nul
              [depth 8] C:\Windows\SysWOW64\cmd.exe (PID 2864)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AA2~1.EXE > nul
            [depth 7] C:\Windows\SysWOW64\cmd.exe (PID 2852)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{325CC~1.EXE > nul
          [depth 6] C:\Windows\SysWOW64\cmd.exe (PID 2980)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{212F9~1.EXE > nul
        [depth 5] C:\Windows\SysWOW64\cmd.exe (PID 2824)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{576A5~1.EXE > nul
      [depth 4] C:\Windows\SysWOW64\cmd.exe (PID 2568)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{79117~1.EXE > nul
    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2676)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2131A~1.EXE > nul
  [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 2532)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads