a60e41b03d814e431bf72b084bf0369775272ba0687086016b20856212fc91d4

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 00:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Size

372KB
MD5

66df83b4656869eefb369c65fabebc92
SHA1

c48f2936456db8e002839828bfbfcf321378a409
SHA256

a60e41b03d814e431bf72b084bf0369775272ba0687086016b20856212fc91d4
SHA512

5570cac2367d35143a3caab225e76c04a91b4f974b07c3cd248401f03d22cd10b75770c7b8eb33980d7ba46b8ae70196a648715e921d455f1976aeaee04f06d3
SSDEEP

3072:CEGh0ommlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG5l/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023001-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002310f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002311c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002310f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002311c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8260C0C9-C0C7-4ca7-8442-B95187799896}	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}\stubpath = "C:\\Windows\\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe"	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA78C05-16E1-4448-BCE5-B234F6A17025}	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}\stubpath = "C:\\Windows\\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe"	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{798F5A8B-E292-4bfc-8885-E512AA821F05}	{39A255E0-6052-422a-A9C4-22522840458D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{798F5A8B-E292-4bfc-8885-E512AA821F05}\stubpath = "C:\\Windows\\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe"	{39A255E0-6052-422a-A9C4-22522840458D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}\stubpath = "C:\\Windows\\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe"	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8260C0C9-C0C7-4ca7-8442-B95187799896}\stubpath = "C:\\Windows\\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe"	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAB7A87-204E-4de4-87F1-197374D41EA5}\stubpath = "C:\\Windows\\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe"	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C73602-07BA-4375-B818-CE086149CAF8}\stubpath = "C:\\Windows\\{69C73602-07BA-4375-B818-CE086149CAF8}.exe"	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA78C05-16E1-4448-BCE5-B234F6A17025}\stubpath = "C:\\Windows\\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe"	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAB7A87-204E-4de4-87F1-197374D41EA5}	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}\stubpath = "C:\\Windows\\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe"	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39A255E0-6052-422a-A9C4-22522840458D}	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6124B61D-1157-4e88-A184-23EF13D340FA}	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6124B61D-1157-4e88-A184-23EF13D340FA}\stubpath = "C:\\Windows\\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe"	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C73602-07BA-4375-B818-CE086149CAF8}	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39A255E0-6052-422a-A9C4-22522840458D}\stubpath = "C:\\Windows\\{39A255E0-6052-422a-A9C4-22522840458D}.exe"	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe

Executes dropped EXE 11 IoCs

pid	Process
1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe
2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
3384	{69C73602-07BA-4375-B818-CE086149CAF8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
File created	C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
File created	C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
File created	C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
File created	C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
File created	C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	{39A255E0-6052-422a-A9C4-22522840458D}.exe
File created	C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
File created	C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
File created	C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
File created	C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
File created	C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
Token: SeIncBasePriorityPrivilege	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe
Token: SeIncBasePriorityPrivilege	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
Token: SeIncBasePriorityPrivilege	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
Token: SeIncBasePriorityPrivilege	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
Token: SeIncBasePriorityPrivilege	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
Token: SeIncBasePriorityPrivilege	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
Token: SeIncBasePriorityPrivilege	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
Token: SeIncBasePriorityPrivilege	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
Token: SeIncBasePriorityPrivilege	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1068	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	91
PID 4648 wrote to memory of 1068	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	91
PID 4648 wrote to memory of 1068	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	91
PID 4648 wrote to memory of 1732	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	92
PID 4648 wrote to memory of 1732	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	92
PID 4648 wrote to memory of 1732	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	92
PID 1068 wrote to memory of 4248	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	96
PID 1068 wrote to memory of 4248	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	96
PID 1068 wrote to memory of 4248	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	96
PID 1068 wrote to memory of 3908	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	97
PID 1068 wrote to memory of 3908	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	97
PID 1068 wrote to memory of 3908	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	97
PID 4248 wrote to memory of 2636	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	102
PID 4248 wrote to memory of 2636	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	102
PID 4248 wrote to memory of 2636	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	102
PID 4248 wrote to memory of 1476	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	103
PID 4248 wrote to memory of 1476	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	103
PID 4248 wrote to memory of 1476	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	103
PID 2636 wrote to memory of 4960	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	104
PID 2636 wrote to memory of 4960	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	104
PID 2636 wrote to memory of 4960	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	104
PID 2636 wrote to memory of 5116	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	105
PID 2636 wrote to memory of 5116	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	105
PID 2636 wrote to memory of 5116	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	105
PID 4960 wrote to memory of 4676	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	106
PID 4960 wrote to memory of 4676	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	106
PID 4960 wrote to memory of 4676	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	106
PID 4960 wrote to memory of 3520	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	107
PID 4960 wrote to memory of 3520	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	107
PID 4960 wrote to memory of 3520	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	107
PID 4676 wrote to memory of 2140	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	108
PID 4676 wrote to memory of 2140	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	108
PID 4676 wrote to memory of 2140	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	108
PID 4676 wrote to memory of 3320	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	109
PID 4676 wrote to memory of 3320	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	109
PID 4676 wrote to memory of 3320	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	109
PID 2140 wrote to memory of 1512	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	110
PID 2140 wrote to memory of 1512	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	110
PID 2140 wrote to memory of 1512	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	110
PID 2140 wrote to memory of 1328	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	111
PID 2140 wrote to memory of 1328	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	111
PID 2140 wrote to memory of 1328	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	111
PID 1512 wrote to memory of 4228	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	112
PID 1512 wrote to memory of 4228	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	112
PID 1512 wrote to memory of 4228	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	112
PID 1512 wrote to memory of 4480	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	113
PID 1512 wrote to memory of 4480	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	113
PID 1512 wrote to memory of 4480	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	113
PID 4228 wrote to memory of 4144	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	114
PID 4228 wrote to memory of 4144	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	114
PID 4228 wrote to memory of 4144	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	114
PID 4228 wrote to memory of 4428	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	115
PID 4228 wrote to memory of 4428	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	115
PID 4228 wrote to memory of 4428	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	115
PID 4144 wrote to memory of 3596	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	116
PID 4144 wrote to memory of 3596	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	116
PID 4144 wrote to memory of 3596	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	116
PID 4144 wrote to memory of 3164	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	117
PID 4144 wrote to memory of 3164	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	117
PID 4144 wrote to memory of 3164	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	117
PID 3596 wrote to memory of 3384	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	118
PID 3596 wrote to memory of 3384	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	118
PID 3596 wrote to memory of 3384	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	118
PID 3596 wrote to memory of 4892	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
  C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe
    C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
      C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
        
        C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
      - C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
        
        C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
        
        C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
        
        C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
        
        C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
        
        C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
        
        C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe
        
        C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe
        12⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{699DD~1.EXE > nul
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DAB7~1.EXE > nul
        11⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA78~1.EXE > nul
        10⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44D6F~1.EXE > nul
        9⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6124B~1.EXE > nul
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8260C~1.EXE > nul
        7⤵
        
        PID:3320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C168~1.EXE > nul
        6⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{798F5~1.EXE > nul
        5⤵
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39A25~1.EXE > nul
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BC6B~1.EXE > nul
    3⤵
    PID:3908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1732

Network

DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

114.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.110.16.96.in-addr.arpa

IN PTR

Response

114.110.16.96.in-addr.arpa

IN PTR

a96-16-110-114deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom

No results found

8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

146 B
159 B
2
1

DNS Request

183.142.211.20.in-addr.arpa

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

114.110.16.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

114.110.16.96.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe

Filesize
372KB

MD5
0ce898710ba14bfec1eb58c415f40a45

SHA1
cbb003ffcfd0247f8832eb5f085c63227a2bba5d

SHA256
44ca6375bf24f1a7f9f8dc5a6993ed51239658ad7c135bf5f3a788a8b6d1f7ef

SHA512
5f42bdb2ffc09bbdf9a3e8842730965eead65f8923b6d014cef5366409822183811d6ec1f837ebd5a5ee9dfcddd8400ca8efe9f2ef33e3e8fdca8e20427e7551

Download Submit
C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe

Filesize
372KB

MD5
b2b5be56df6d34317731565a5d78a68d

SHA1
c2bfb1c1e26c9fb0b556091a47950fe5aae539a5

SHA256
3a96543d8bd9ace265655c6809373da6627eb53361d44dd398d6f71cbb1fa66d

SHA512
ee6b08237174137b72c43cf12ad9601a5b2f04a4850bf9cead3f2ee8833e1cbf3924e82e12bdc1c8937202027fe79887477330dbf2fe4f789565dbb9c4aae17d

Download Submit
C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe

Filesize
372KB

MD5
eba808fc2cde011da5b997d85e11a2cc

SHA1
416c9dedb78818ac609999c0e17563ad51f6c6ad

SHA256
f3b76294c07b3e5e24951fe559bbbcc6416e9ea860b00ad50ca71975195366a4

SHA512
e593d9a88d881489da17a2d11cc260c314f9c201a3f6b6f28f8264b939edf385e608b30d3648ee5e6a7f8fc1ed07c600b47158cd4ac7643f0e2cbe3beb8be482

Download Submit
C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe

Filesize
372KB

MD5
d6f431c3ed3c15b53bba69840795ed2b

SHA1
e36e2887549159c75cb64f8cd0ee7fd97612921b

SHA256
1b644de365ad39766411e9e7d9c28ee2f30cd66dab8f115a0ed84c253fef23a0

SHA512
5ad9bc4006b82e748bca9a30ca66724d96cff02714b48f1688a40ac89718466352a1b53a0f1940301ee0b2d3e95d264706f6c3a98881c22a25448ceb277b7689

Download Submit
C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe

Filesize
372KB

MD5
2c397c294e5e4a2bbcd2ea785a373868

SHA1
15adadb97a92072065ded96940726d1ea336a4bc

SHA256
983062767d1caa37c5fd0336fea73eae9ef27e67945b73e4b9b23c3ef8697b95

SHA512
7d96a2ae3b392d01781346641edc9a222e2f7f7dd582fa37406987d76305b109fee33eaf15419f28367ebe129ab7b6eaf14dd972ed48529394edc196cec623be

Download Submit
C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe

Filesize
372KB

MD5
f242e4fc839f0baa897d3c797b8fe32d

SHA1
c0e18f518ef4d7ab14fcb975cd7f0886aaecab4b

SHA256
73df5be888419529fa97a80d3c9756074f2fe5670a02bbd4d2d3f5919ec94aa4

SHA512
b7b3a09cf5993c9f368f050a0e7c6a44415a9c34c4d056b02c387e46e285a373962eabadf972600a6506db60d2f455164eeb38b8ba65951b8e9acd3f0c3b4cb6

Download Submit
C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe

Filesize
372KB

MD5
761332db0c7cffdfd87a657d97d0043b

SHA1
707dda524ee321544c67f52d746e18fc4d0bd901

SHA256
6149c4feb34dbc802d76d288b1995f39831d979224d3f2bc1c5b78f0d76d49d2

SHA512
0b858be199c81aa9b5bb00fe35400f555a88b4e199d10f6f6241bd0a643d8d69fe399900f3728e0a6a892ca57edb38edad75155c972c16b0d12eeda9a8949950

Download Submit
C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe

Filesize
372KB

MD5
94adaecb43fdb08b395a568c9d5396e7

SHA1
b73f40ccb9a0670919f79ca54d3e3d6c2d905ab9

SHA256
02ad9bcfb1015fb7ee3101b49902a53cc88c1a65e4f016623915a9b474df18ad

SHA512
f836761cad65b1c5dd15c9b41f2c6d2ff6e9da4bc665001c8223dd535207d3b9cf5118a224b8cbe9a793f503161cac62ff17e0648822690c64b7e00608061f7d

Download Submit
C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe

Filesize
372KB

MD5
92c1c05491f57d2660fa9973d05377ed

SHA1
918be27dfb3166cc42c9cc4d2ad744112467d34a

SHA256
035a8aa3167586e8a882c5286ed92c0fd64540c976972f8099c175868527bb95

SHA512
54857fb836c9ceff22bdee77cb3a69ea90cfe894a9b1ed71e5b1edb2532174695a58d30f1a617a5667c3fd836f982c57be5ccd4d278ac42cdbab9090131d791e

Download Submit
C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe

Filesize
372KB

MD5
6c3b41cd9cc4a4852e58686ef9863ffb

SHA1
d2bcd7a708da08a1be74ece04cd9e08515c89459

SHA256
cabab38056b8ab9db5c14f166eca734955d3daac09b5f1eb67f5a60c8760c28c

SHA512
497348e46d4cd2347f8690d5485942b466c667da4b87b45bad89d70b85596c89d8003a908d270438ef5408af3a15b04ab5d147cb4be33382574c604f113c6292

Download Submit
C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe

Filesize
372KB

MD5
c37963bee46dd9108102650ce167c8c6

SHA1
d05c0ba4aa701cabf8cdb0447176e56f40d4ad47

SHA256
b9455f1c963c56e830d29a2e1386ad332b9f18767d2451304c2bdcf8e0520dc2

SHA512
d6ba681fb3055c4ea37b01bd32d2edff7f68a8a558b66e714c48ca8379f66fec3ed32e6a98d9ee6da5d2d854f2ef581a26ef817a4b80754a83f6f3d33f522187

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.