Analysis
max time kernel: 149s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:53

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
  Resource: win10v2004-20240508-en

General
Target: 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Size: 197KB
MD5: 75395c7cde9cd0b4183be94570719bdb
SHA1: dde84cf6504ae75e56b7e939ceb0025d9670ee6a
SHA256: 7b46eff9608adc6d13237c8516edc6e511b2b2fa079a5df130f4cda58d71e46d
SHA512: 12d896269ddc038a6089207b88e872116a3dcd4b438b71c25fbd6d928478b7a7dd928e5423bdf4457171f66dca794c83f98eb260d31702787bba32a9aab44289
SSDEEP: 3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG+lEeKcAEca
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource / yara_rule
behavioral2/files/0x0005000000022abb-2.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022ac3-6.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023420-8.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023424-14.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002342a-19.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023424-22.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342a-27.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023424-30.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342a-34.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002342a-38.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023424-43.dat  GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description / ioc / Process
All keys below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (written as <ActiveSetup>\ here); the process column is the one that performed the write.
Key created: <ActiveSetup>\{100F4665-7F28-414d-ADDC-60DCB318D02B}  (2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe)
Set value (str): <ActiveSetup>\{100F4665-7F28-414d-ADDC-60DCB318D02B}\stubpath = "C:\\Windows\\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe"  (2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe)
Key created: <ActiveSetup>\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}  ({100F4665-7F28-414d-ADDC-60DCB318D02B}.exe)
Set value (str): <ActiveSetup>\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}\stubpath = "C:\\Windows\\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe"  ({F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe)
Key created: <ActiveSetup>\{420FD274-6BF6-4926-93EF-BE40A10BF37A}  ({48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe)
Set value (str): <ActiveSetup>\{4497DD96-613F-4683-B791-26AABBD308A3}\stubpath = "C:\\Windows\\{4497DD96-613F-4683-B791-26AABBD308A3}.exe"  ({78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe)
Key created: <ActiveSetup>\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}  ({F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe)
Key created: <ActiveSetup>\{78EC474C-029A-49b7-8DFC-7AC012A953BA}  ({3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe)
Set value (str): <ActiveSetup>\{78EC474C-029A-49b7-8DFC-7AC012A953BA}\stubpath = "C:\\Windows\\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe"  ({3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe)
Key created: <ActiveSetup>\{4497DD96-613F-4683-B791-26AABBD308A3}  ({78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe)
Set value (str): <ActiveSetup>\{869A875D-2E95-4c32-83B9-65592F397DE2}\stubpath = "C:\\Windows\\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe"  ({4497DD96-613F-4683-B791-26AABBD308A3}.exe)
Key created: <ActiveSetup>\{215468D6-31AE-45cb-911F-8F8F97A4CF97}  ({4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe)
Set value (str): <ActiveSetup>\{420FD274-6BF6-4926-93EF-BE40A10BF37A}\stubpath = "C:\\Windows\\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe"  ({48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe)
Set value (str): <ActiveSetup>\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}\stubpath = "C:\\Windows\\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe"  ({420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe)
Set value (str): <ActiveSetup>\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}\stubpath = "C:\\Windows\\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe"  ({CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe)
Key created: <ActiveSetup>\{869A875D-2E95-4c32-83B9-65592F397DE2}  ({4497DD96-613F-4683-B791-26AABBD308A3}.exe)
Set value (str): <ActiveSetup>\{493E33C7-AF64-4d04-8B56-BC710E57A240}\stubpath = "C:\\Windows\\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe"  ({869A875D-2E95-4c32-83B9-65592F397DE2}.exe)
Key created: <ActiveSetup>\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}  ({493E33C7-AF64-4d04-8B56-BC710E57A240}.exe)
Set value (str): <ActiveSetup>\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}\stubpath = "C:\\Windows\\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe"  ({493E33C7-AF64-4d04-8B56-BC710E57A240}.exe)
Set value (str): <ActiveSetup>\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}\stubpath = "C:\\Windows\\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe"  ({100F4665-7F28-414d-ADDC-60DCB318D02B}.exe)
Key created: <ActiveSetup>\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}  ({420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe)
Key created: <ActiveSetup>\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}  ({CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe)
Key created: <ActiveSetup>\{493E33C7-AF64-4d04-8B56-BC710E57A240}  ({869A875D-2E95-4c32-83B9-65592F397DE2}.exe)
Set value (str): <ActiveSetup>\{215468D6-31AE-45cb-911F-8F8F97A4CF97}\stubpath = "C:\\Windows\\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe"  ({4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe)
Executes dropped EXE 11 IoCs
pid / Process
3552  {100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
1756  {F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
4500  {48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
2620  {420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe
544   {CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe
4940  {3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe
512   {78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe
4908  {4497DD96-613F-4683-B791-26AABBD308A3}.exe
1696  {869A875D-2E95-4c32-83B9-65592F397DE2}.exe
4460  {4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe
2600  {215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe
Drops file in Windows directory 11 IoCs
description / ioc / Process
File created: C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe  ({CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe)
File created: C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe  ({4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe)
File created: C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe  (2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe)
File created: C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe  ({100F4665-7F28-414d-ADDC-60DCB318D02B}.exe)
File created: C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe  ({48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe)
File created: C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe  ({78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe)
File created: C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe  ({4497DD96-613F-4683-B791-26AABBD308A3}.exe)
File created: C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe  ({493E33C7-AF64-4d04-8B56-BC710E57A240}.exe)
File created: C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe  ({F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe)
File created: C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe  ({420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe)
File created: C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe  ({3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe)
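The registry and file IoCs above describe one pattern repeated per stage: the running stage writes the next stage to C:\Windows\{GUID}.exe and registers that path as the StubPath of a new Active Setup\Installed Components\{GUID} key (Active Setup runs each StubPath once per user at logon, which is what makes this a persistence mechanism). The Python below is an added example for this page, not Triage output and not the sample's own code. It parses the report's flattened "Set value (str) ... stubpath = ... <process>" lines (four of them, copied into the script as constructed input, deliberately out of order), rebuilds the stage order from the writer-to-target links, and flags StubPath values whose target is a bare GUID-named executable directly in C:\Windows. That last test is a heuristic chosen here, not a rule stated by the report.

```python
r"""Added example (not sandbox output): rebuild the dropper chain from the report's
Active Setup 'stubpath' IoCs and flag the persistence pattern they show.

Input is the report's own flattened text, one IoC per line:
  Set value (str) <key>\stubpath = "<target>" <process that wrote it>
Each stage registers the *next* stage, so writer -> target links order the stages.
"""
import ntpath
import re

# Constructed input: four of the report's own IoC lines, out of order, plus one
# "Key created" line that carries no path and must be skipped by the parser.
SAMPLE_IOCS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{100F4665-7F28-414d-ADDC-60DCB318D02B} 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}\stubpath = "C:\\Windows\\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe" {F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{100F4665-7F28-414d-ADDC-60DCB318D02B}\stubpath = "C:\\Windows\\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe" 2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{420FD274-6BF6-4926-93EF-BE40A10BF37A}\stubpath = "C:\\Windows\\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe" {48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}\stubpath = "C:\\Windows\\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe" {100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
'''

# Matches the report's "Set value (str)" lines for Installed Components\{GUID}\stubpath,
# with or without the WOW6432Node redirection seen for this 32-bit sample.
ACTIVE_SETUP_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\'
    r'Active Setup\\Installed Components\\(?P<guid>\{[0-9A-Fa-f-]+\})\\stubpath'
    r' = "(?P<target>[^"]+)" (?P<writer>\S+)',
    re.IGNORECASE,
)
GUID_EXE_RE = re.compile(
    r'^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$', re.I
)


def normalize(path):
    r"""The report doubles backslashes inside quoted values; collapse them."""
    return re.sub(r'\\+', r'\\', path)


def parse_stubpaths(text):
    """Return dicts {guid, target, writer} for every StubPath write in `text`."""
    entries = []
    for m in ACTIVE_SETUP_RE.finditer(text):
        entries.append({
            'guid': m.group('guid'),
            'target': normalize(m.group('target')),
            'writer': ntpath.basename(m.group('writer')),
        })
    return entries


def reconstruct_chain(entries, root):
    """Follow writer -> dropped-file links from `root`; stop at a dead end or a loop."""
    next_stage = {}
    for e in entries:
        next_stage.setdefault(e['writer'].lower(), ntpath.basename(e['target']))
    chain, cur = [root], root
    while cur.lower() in next_stage:
        nxt = next_stage[cur.lower()]
        if nxt.lower() in (c.lower() for c in chain):
            break                      # a loop would otherwise run forever
        chain.append(nxt)
        cur = nxt
    return chain


def guid_stub_in_windows(entries):
    r"""Keys whose StubPath is a GUID-named .exe dropped straight into C:\Windows.
    Heuristic (chosen for this example): real Active Setup stubs are normally vendor
    installers or rundll32/regsvr32 command lines, not bare {GUID}.exe files there."""
    hits = []
    for e in entries:
        directory, filename = ntpath.split(e['target'])
        if directory.lower() == r'c:\windows' and GUID_EXE_RE.match(filename):
            hits.append(e['guid'])
    return hits


if __name__ == '__main__':
    found = parse_stubpaths(SAMPLE_IOCS)
    root = '2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe'
    print(' -> '.join(reconstruct_chain(found, root)))
    print('suspicious StubPath keys:', guid_stub_in_windows(found))
```

On the four constructed lines the chain comes out as the original sample, then {100F4665-...}.exe, {F2E3F101-...}.exe, {48BBFAC2-...}.exe, {420FD274-...}.exe, matching the first five levels of the process tree further down; feeding it all 12 "Set value" lines from the table extends it to {215468D6-...}.exe. The keys land under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE is redirected there on x64, so a hunt for this pattern on a live host has to check both the native and the WOW6432Node view of Installed Components.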
Suspicious use of AdjustPrivilegeToken 11 IoCs
description / pid / Process
Token: SeIncBasePriorityPrivilege  2984  2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
Token: SeIncBasePriorityPrivilege  3552  {100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
Token: SeIncBasePriorityPrivilege  1756  {F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
Token: SeIncBasePriorityPrivilege  4500  {48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
Token: SeIncBasePriorityPrivilege  2620  {420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe
Token: SeIncBasePriorityPrivilege  544   {CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe
Token: SeIncBasePriorityPrivilege  4940  {3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe
Token: SeIncBasePriorityPrivilege  512   {78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe
Token: SeIncBasePriorityPrivilege  4908  {4497DD96-613F-4683-B791-26AABBD308A3}.exe
Token: SeIncBasePriorityPrivilege  2904  {493E33C7-AF64-4d04-8B56-BC710E57A240}.exe
Token: SeIncBasePriorityPrivilege  4460  {4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target
The original listing records each write three times; the count is given in brackets instead of repeating the line.
PID 2984 wrote to memory of 3552  2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe  86  [3 entries]
PID 2984 wrote to memory of 828   2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe  87  [3 entries]
PID 3552 wrote to memory of 1756  {100F4665-7F28-414d-ADDC-60DCB318D02B}.exe  88  [3 entries]
PID 3552 wrote to memory of 2996  {100F4665-7F28-414d-ADDC-60DCB318D02B}.exe  89  [3 entries]
PID 1756 wrote to memory of 4500  {F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe  92  [3 entries]
PID 1756 wrote to memory of 988   {F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe  93  [3 entries]
PID 4500 wrote to memory of 2620  {48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe  98  [3 entries]
PID 4500 wrote to memory of 2344  {48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe  99  [3 entries]
PID 2620 wrote to memory of 544   {420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe  101  [3 entries]
PID 2620 wrote to memory of 1520  {420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe  102  [3 entries]
PID 544 wrote to memory of 4940   {CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe  103  [3 entries]
PID 544 wrote to memory of 2080   {CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe  104  [3 entries]
PID 4940 wrote to memory of 512   {3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe  105  [3 entries]
PID 4940 wrote to memory of 4420  {3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe  106  [3 entries]
PID 512 wrote to memory of 4908   {78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe  107  [3 entries]
PID 512 wrote to memory of 4520   {78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe  108  [3 entries]
PID 4908 wrote to memory of 1696  {4497DD96-613F-4683-B791-26AABBD308A3}.exe  109  [3 entries]
PID 4908 wrote to memory of 4360  {4497DD96-613F-4683-B791-26AABBD308A3}.exe  110  [3 entries]
PID 2904 wrote to memory of 4460  {493E33C7-AF64-4d04-8B56-BC710E57A240}.exe  113  [3 entries]
PID 2904 wrote to memory of 4476  {493E33C7-AF64-4d04-8B56-BC710E57A240}.exe  114  [3 entries]
PID 4460 wrote to memory of 2600  {4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe  115  [3 entries]
PID 4460 wrote to memory of 3776  {4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe  116  [1 entry; the 64-entry listing ends here]
Processes
-
Indentation shows parent/child depth (the trailing digit on each entry in the original listing). Each cmd.exe child is placed under the stage that spawned it.

C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe  "C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"  (depth 1, PID 2984)
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe  (depth 2, PID 3552)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe  (depth 3, PID 1756)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe  (depth 4, PID 4500)
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe  (depth 5, PID 2620)
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe  (depth 6, PID 544)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe  (depth 7, PID 4940)
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe  (depth 8, PID 512)
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe  (depth 9, PID 4908)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe  (depth 10, PID 1696)
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe  (depth 11, PID 2904)
                      - Modifies Installed Components in the registry
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe  (depth 12, PID 4460)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe  (depth 13, PID 2600)
                          - Executes dropped EXE
                        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{4F529~1.EXE > nul"  (depth 13, PID 3776)
                      C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{493E3~1.EXE > nul"  (depth 12, PID 4476)
                    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{869A8~1.EXE > nul"  (depth 11, PID 2688)
                  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{4497D~1.EXE > nul"  (depth 10, PID 4360)
                C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{78EC4~1.EXE > nul"  (depth 9, PID 4520)
              C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{3189B~1.EXE > nul"  (depth 8, PID 4420)
            C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD68~1.EXE > nul"  (depth 7, PID 2080)
          C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{420FD~1.EXE > nul"  (depth 6, PID 1520)
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{48BBF~1.EXE > nul"  (depth 5, PID 2344)
      C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E3F~1.EXE > nul"  (depth 4, PID 988)
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Windows\{100F4~1.EXE > nul"  (depth 3, PID 2996)
  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"  (depth 2, PID 828)
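Every stage in the tree ends by spawning C:\Windows\SysWOW64\cmd.exe with `/c del <file> > nul`, and the file is always the NTFS 8.3 short name of the parent's own image: {4F529~1.EXE for {4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe, 2024-0~1.EXE for the original sample in %TEMP%. A rule that compares the deleted path literally with the parent's image path never matches. The Python below is an added example for this page, not part of the Triage report or the sample: it runs over three constructed process-creation events modelled on the tree (the two self-deletions quoted above plus one benign control), expands the basic 8.3 rule just far enough to compare the two names, and returns the parents that deleted themselves. The event dictionary keys and the `fsutil 8dot3name` caveat are assumptions of this example, not something the report states.

```python
r"""Added example (not sandbox output): flag a process deleting its own image through
`cmd.exe /c del <8.3 short name>`, the cleanup every stage in this report performs.

NTFS 8.3 aliases (first six legal characters of the stem, then ~N, then the first
three characters of the extension, all upper-case) defeat literal path comparison,
so the deletion target is expanded against the *parent's* image name.
"""
import ntpath
import re

# Constructed process-creation events shaped like the report's tree. Field names are
# this example's choice. The first two are the report's own self-deletions; the third
# is a benign control (a cleanup of an unrelated temp file).
SAMPLE_EVENTS = [
    {"pid": 3776, "ppid": 4460,
     "ParentImage": r"C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4F529~1.EXE > nul"},
    {"pid": 828, "ppid": 2984,
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 5000, "ppid": 4100,
     "ParentImage": r"C:\Program Files\Tool\updater.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\update.log > nul"},
]

# "/c del [/switches] <target>"; the target stops at whitespace, a quote or a redirect.
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]+\s+)*"?(?P<target>[^"\s>]+)', re.I)
# STEM~N[.EXT] as NTFS generates it for names that do not fit 8.3.
SHORT_RE = re.compile(r'(?P<stem>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{1,3}))?$', re.I)
# Characters NTFS drops when building the short stem (anything not legal in 8.3).
LEGAL_83 = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def could_be_short_alias(short, long):
    """True if `short` is `long` itself or an 8.3 alias NTFS could generate for it.

    Caveat: the real algorithm switches to hash-based short names after a few
    collisions in one directory, and short-name generation can be disabled per
    volume (fsutil 8dot3name), so a miss means "unknown", not "benign".
    """
    if short.lower() == long.lower():
        return True
    m = SHORT_RE.fullmatch(short)
    if not m:
        return False
    lstem, lext = (long.rsplit('.', 1) + [''])[:2]
    lstem = LEGAL_83.sub('', lstem.upper())
    ext = (m.group('ext') or '').upper()
    return lstem.startswith(m.group('stem').upper()) and lext.upper()[:3] == ext


def find_self_deletions(events):
    """Return (parent pid, parent image) for cmd.exe children that delete their parent's image."""
    hits = []
    for ev in events:
        if ntpath.basename(ev['Image']).lower() != 'cmd.exe':
            continue
        m = DEL_RE.search(ev['CommandLine'])
        if not m:
            continue
        target_dir, target_name = ntpath.split(m.group('target'))
        parent_dir, parent_name = ntpath.split(ev['ParentImage'])
        # Same directory and a name that resolves to the parent's image: self-deletion.
        if target_dir.lower() == parent_dir.lower() and could_be_short_alias(target_name, parent_name):
            hits.append((ev['ppid'], ev['ParentImage']))
    return hits


if __name__ == '__main__':
    for ppid, image in find_self_deletions(SAMPLE_EVENTS):
        print(f'self-deletion by PID {ppid}: {image}')
```

The same check applies to the other ten cmd.exe entries in the tree, since each follows the {first five characters of the GUID}~1.EXE pattern. Because the deletion runs from a child while the parent is still alive, pairing this process-creation rule with file-deletion telemetry (for example Sysmon Event ID 23) gives the original file content for the stage that tried to remove itself.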
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 197KB
MD5: 33778b645d30e4dee875f05d00cafcef
SHA1: 7353c094549e041842c8a7a461166b949d739705
SHA256: dea0a3496c37d7f6677e567ed864e5d440abf5a070407ea1a2261169265a3ed1
SHA512: bfe48d6087ae0da11cd64e5383585edd4af713994b665dc849ab29e005e69107af7ad6d74cdcc7363079313d1125d0c63ae855d785ad889eb36797a80822ef9d

Filesize: 197KB
MD5: afc36a5a4da48b39e2d66f60cdfb6797
SHA1: c3370e29fc613aafe44097bd480472e6ea10b24e
SHA256: c9c047863b6cb8f501c4e9f89adeda1e4cd4f6b6d7872613019540d9aa196c29
SHA512: 67d9d6c85eee826bbf05e2e07a9604224998c59decebe6426db02e59691427b3480bc39326159560f195fce285e83762561ab2c616b9731b55d9f7da8d974b1a

Filesize: 197KB
MD5: 717f90b1c55d77cc6ed52e7191dab2e2
SHA1: fd60a5eab5df9cb179232844aaeed70001ec49c7
SHA256: 6bb64aac0c70451f9ad361a4db3fa300ff361cd53c5f26d2dd36efbaea0cc1f2
SHA512: 81685fbf1993f5e68d595f7694c22f0ed0d1ddd1bd7e1d3004f5d5443a4f5dc5f09b9bc44606baf0c59cb74dbe78cd5b2c5bf6b18466d483ce3b1460e8c7c8f1

Filesize: 197KB
MD5: 31f6b71a54474b0b001324b6feaa05dc
SHA1: 89e0b1e4e4af58f612c33e5bd84fca3e958893a4
SHA256: f10812bad56747d7b250a208d199fb1a0e3a97f8e7ff19dc462133e21757e7ac
SHA512: bf8dd1d2b9ad016ba5f0a76928e09304da82469b819c8b3754013ad4b493af4cd78a126b8441f038879de9bf16c2893d9391a2ae27f9b76f44ec9840448ac10f

Filesize: 197KB
MD5: 8426f9694edc965508d0903084ef30be
SHA1: bff4fe4b49462c5cef709f5ca19a0394273abed4
SHA256: 4e33820d5fb1e8990b070502003a80cfef3bab1c2d514a943ae219385c9cd95f
SHA512: 9f99604b8c18c521e5329ffd9fd343fe2c0fc4181d107c64d134b9ec65f25dcd954ea0e476c5da23064eb195925cf77e963c4707c8831af92d6e333fbb40f704

Filesize: 197KB
MD5: 953032cc38b0cf9b81dbd6b0108a6c18
SHA1: f59dc7b23875cbe3a51541db6bee15f85ae654ef
SHA256: 1259b158f20ecbadcc679c9f704e6bdbc3473bb9f2dcc2e855d639bb3ea5ffed
SHA512: a5185bff1b255003e251d9e98a2ed996f07f553620b6d461650a43faae46535771d14a57372ced738fd4237e8d5ceda325b8ddd9bbbcfa47ce482b119e03a72e

Filesize: 197KB
MD5: 125e7043c78e9e94ab727a8ccef3623c
SHA1: 20448975b13a62338c4b80755afbfd0f2fb80d78
SHA256: 7659099761a479d038005bc983e2f4a22f61f6442718276bf06948763206e139
SHA512: a68a53078b91ef1fec273f6908261e819cd7bde9415fed3c955696c08baef0320c6f2d1d2b5e574ae269b420e5495096753bfc612f6ec4cf42b763b9bc4850fe

Filesize: 197KB
MD5: eec71ed4802f7ea028b9e2d9fca07efa
SHA1: 4ea8e74e3183491d53385736030af78aad1c3f8d
SHA256: aa1a246ef18f08ffaf26080e15d9dc3cd365292bcc8cffdb03b6fe66ac5ddd01
SHA512: fabc907d9ffe5802189c5ee28441f0dcf778e6ae7d2e7af0a0ea05a46460961f2aa79b8b56e0e7969ef96a9b27c55fc660f9b31dee3266dceb6b4c22dd3dbe4b

Filesize: 197KB
MD5: 587238fb405c2ac2a2f18b0deb7e05f5
SHA1: 0a68bfa1c3d63974aed39ef5734ebd7b285efac0
SHA256: 00a7bb2ca45abf40bebbeaf1159c93dc5e773db5c3882792eca17ff49f206672
SHA512: 2c37ff03b21f9f7ec7f1e90e8fe20bb87e03776d2f3656d5d7c36c61a615248205b1d1b5490febec1fc03299270a096d47a8a718229d583008b0c7b052d55a18

Filesize: 197KB
MD5: 04147b8cd39d9c0c324945be70731686
SHA1: aa8f2231edec70ccd243046d6902f09ebacd6eec
SHA256: 26352eeb72bd38338a702ad5d59635d4e65da143a87b101b7ee9cf5e97065cd6
SHA512: b588b4acfd100a42cfd2acb126435c4fb5bdf101a7fdfd26caa56c6d63554dad31e35a6daaf5a3ac55e05cadbbd2d38a39d03beb9e87d8a3d280924a54b15a78

Filesize: 197KB
MD5: 7b8441a6077d80921c9abeaad9165dab
SHA1: 52dd526f0faa57dc13573812fbf9858902019ca0
SHA256: fca3235efc51dd43bfe3e05e5df05309a3ad811291549a47cffeb54f1ad0e6c1
SHA512: 320fb067b29e5ab95da1baa42bd719ea8c0dc472da39383595e1adfbf1c991dfdb4ce2280080cffe849756c1f26de754a018fd3d058b11afcd9fee2c3a3e6006