Analysis

max time kernel: 144s
max time network: 126s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 13-06-2024 02:53
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
  Resource: win10v2004-20240508-en
General

Target: 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Size: 197KB
MD5: 75395c7cde9cd0b4183be94570719bdb
SHA1: dde84cf6504ae75e56b7e939ceb0025d9670ee6a
SHA256: 7b46eff9608adc6d13237c8516edc6e511b2b2fa079a5df130f4cda58d71e46d
SHA512: 12d896269ddc038a6089207b88e872116a3dcd4b438b71c25fbd6d928478b7a7dd928e5423bdf4457171f66dca794c83f98eb260d31702787bba32a9aab44289
SSDEEP: 3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG+lEeKcAEca
Malware Config
Signatures
Auto-generated rule (11 IoCs)

resource                                     | yara_rule
behavioral1/files/0x000b0000000144ac-4.dat   | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014825-12.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000144ac-19.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000149f5-26.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000144ac-40.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000144ac-54.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000144ac-68.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat  | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

Every key below is under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ ; the ioc column gives the part after that prefix. Each process in the chain creates the Active Setup key for the executable it drops and sets its stubpath to that executable.

description     | ioc                                                                                                          | Process
Key created     | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}                                                                       | 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Set value (str) | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}\stubpath = "C:\\Windows\\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe" | 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Key created     | {57C9D47B-F7D8-4c79-B310-54F1BA127229}                                                                       | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
Set value (str) | {57C9D47B-F7D8-4c79-B310-54F1BA127229}\stubpath = "C:\\Windows\\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe" | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
Key created     | {3940AD8B-3871-46da-821E-AED7E3387F31}                                                                       | {57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
Set value (str) | {3940AD8B-3871-46da-821E-AED7E3387F31}\stubpath = "C:\\Windows\\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe" | {57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
Key created     | {3A4CC82D-991C-4824-95FD-CB042EE6401C}                                                                       | {3940AD8B-3871-46da-821E-AED7E3387F31}.exe
Set value (str) | {3A4CC82D-991C-4824-95FD-CB042EE6401C}\stubpath = "C:\\Windows\\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe" | {3940AD8B-3871-46da-821E-AED7E3387F31}.exe
Key created     | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}                                                                       | {3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
Set value (str) | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}\stubpath = "C:\\Windows\\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe" | {3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
Key created     | {F532EFC3-E249-4d19-A088-F3BDADE22970}                                                                       | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
Set value (str) | {F532EFC3-E249-4d19-A088-F3BDADE22970}\stubpath = "C:\\Windows\\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe" | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
Key created     | {C370617C-4D18-485d-B498-B871BF4196A9}                                                                       | {F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
Set value (str) | {C370617C-4D18-485d-B498-B871BF4196A9}\stubpath = "C:\\Windows\\{C370617C-4D18-485d-B498-B871BF4196A9}.exe" | {F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
Key created     | {09D8E1D6-F2BC-4704-8253-2035EE6BDD36}                                                                       | {C370617C-4D18-485d-B498-B871BF4196A9}.exe
Set value (str) | {09D8E1D6-F2BC-4704-8253-2035EE6BDD36}\stubpath = "C:\\Windows\\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe" | {C370617C-4D18-485d-B498-B871BF4196A9}.exe
Key created     | {AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}                                                                       | {09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
Set value (str) | {AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}\stubpath = "C:\\Windows\\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe" | {09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
Key created     | {612EAB1D-7162-464e-93FE-F47211FEE417}                                                                       | {AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
Set value (str) | {612EAB1D-7162-464e-93FE-F47211FEE417}\stubpath = "C:\\Windows\\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe" | {AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
Key created     | {282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}                                                                       | {612EAB1D-7162-464e-93FE-F47211FEE417}.exe
Set value (str) | {282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}\stubpath = "C:\\Windows\\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe" | {612EAB1D-7162-464e-93FE-F47211FEE417}.exe
Deletes itself (1 IoC)

pid  | Process
3064 | cmd.exe
Executes dropped EXE (11 IoCs)

pid  | Process
2952 | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
2624 | {57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
2604 | {3940AD8B-3871-46da-821E-AED7E3387F31}.exe
2872 | {3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
2968 | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
2712 | {F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
2532 | {C370617C-4D18-485d-B498-B871BF4196A9}.exe
2972 | {09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
2076 | {AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
2844 | {612EAB1D-7162-464e-93FE-F47211FEE417}.exe
584  | {282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe
Drops file in Windows directory (11 IoCs)

description  | ioc                                                    | Process
File created | C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe | 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
File created | C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
File created | C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe | {57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
File created | C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe | {3940AD8B-3871-46da-821E-AED7E3387F31}.exe
File created | C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe | {3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
File created | C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
File created | C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe | {F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
File created | C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe | {C370617C-4D18-485d-B498-B871BF4196A9}.exe
File created | C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe | {09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
File created | C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe | {AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
File created | C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe | {612EAB1D-7162-464e-93FE-F47211FEE417}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)

description                          | pid  | Process
Token: SeIncBasePriorityPrivilege    | 2360 | 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Token: SeIncBasePriorityPrivilege    | 2952 | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
Token: SeIncBasePriorityPrivilege    | 2624 | {57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
Token: SeIncBasePriorityPrivilege    | 2604 | {3940AD8B-3871-46da-821E-AED7E3387F31}.exe
Token: SeIncBasePriorityPrivilege    | 2872 | {3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
Token: SeIncBasePriorityPrivilege    | 2968 | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
Token: SeIncBasePriorityPrivilege    | 2712 | {F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
Token: SeIncBasePriorityPrivilege    | 2532 | {C370617C-4D18-485d-B498-B871BF4196A9}.exe
Token: SeIncBasePriorityPrivilege    | 2972 | {09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
Token: SeIncBasePriorityPrivilege    | 2076 | {AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
Token: SeIncBasePriorityPrivilege    | 2844 | {612EAB1D-7162-464e-93FE-F47211FEE417}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

The 64 raw entries consist of the following 16 distinct parent/child pairs, each reported four times. Every dropper writes into two children: the next executable in the chain and the cmd.exe that deletes the dropper itself.

description                      | pid  | Process                                                   | procid_target
PID 2360 wrote to memory of 2952 | 2360 | 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe | 28
PID 2360 wrote to memory of 3064 | 2360 | 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe | 29
PID 2952 wrote to memory of 2624 | 2952 | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe                | 30
PID 2952 wrote to memory of 2720 | 2952 | {6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe                | 31
PID 2624 wrote to memory of 2604 | 2624 | {57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe                | 32
PID 2624 wrote to memory of 2784 | 2624 | {57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe                | 33
PID 2604 wrote to memory of 2872 | 2604 | {3940AD8B-3871-46da-821E-AED7E3387F31}.exe                | 36
PID 2604 wrote to memory of 2992 | 2604 | {3940AD8B-3871-46da-821E-AED7E3387F31}.exe                | 37
PID 2872 wrote to memory of 2968 | 2872 | {3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe                | 38
PID 2872 wrote to memory of 892  | 2872 | {3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe                | 39
PID 2968 wrote to memory of 2712 | 2968 | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe                | 40
PID 2968 wrote to memory of 1876 | 2968 | {F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe                | 41
PID 2712 wrote to memory of 2532 | 2712 | {F532EFC3-E249-4d19-A088-F3BDADE22970}.exe                | 42
PID 2712 wrote to memory of 2684 | 2712 | {F532EFC3-E249-4d19-A088-F3BDADE22970}.exe                | 43
PID 2532 wrote to memory of 2972 | 2532 | {C370617C-4D18-485d-B498-B871BF4196A9}.exe                | 44
PID 2532 wrote to memory of 1644 | 2532 | {C370617C-4D18-485d-B498-B871BF4196A9}.exe                | 45
Processes

The number in parentheses is the depth in the process tree; each node lists its image path, command line, PID and the signatures triggered by that process.

(1) C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"
    PID: 2360
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  (2) C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
      Command line: C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
      PID: 2952
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
        Command line: C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
        PID: 2624
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      (4) C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe
          Command line: C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe
          PID: 2604
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        (5) C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
            Command line: C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
            PID: 2872
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          (6) C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
              Command line: C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
              PID: 2968
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            (7) C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
                Command line: C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
                PID: 2712
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              (8) C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe
                  Command line: C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe
                  PID: 2532
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                (9) C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
                    Command line: C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
                    PID: 2972
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  (10) C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
                       Command line: C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
                       PID: 2076
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                    (11) C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe
                         Command line: C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe
                         PID: 2844
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                      (12) C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe
                           Command line: C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe
                           PID: 584
                           - Executes dropped EXE
                      (12) C:\Windows\SysWOW64\cmd.exe
                           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{612EA~1.EXE > nul
                           PID: 2056
                    (11) C:\Windows\SysWOW64\cmd.exe
                         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AFD63~1.EXE > nul
                         PID: 680
                  (10) C:\Windows\SysWOW64\cmd.exe
                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{09D8E~1.EXE > nul
                       PID: 2316
                (9) C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C3706~1.EXE > nul
                    PID: 1644
              (8) C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F532E~1.EXE > nul
                  PID: 2684
            (7) C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F1FA4~1.EXE > nul
                PID: 1876
          (6) C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3A4CC~1.EXE > nul
              PID: 892
        (5) C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3940A~1.EXE > nul
            PID: 2992
      (4) C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{57C9D~1.EXE > nul
          PID: 2784
    (3) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6FAFA~1.EXE > nul
        PID: 2720
  (2) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 3064
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads