49878940f3463858d85db3d0623fad9acf32c61a002556f651ae670eb59cac5a

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 17:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Size

216KB
MD5

632e996f941eb8b629da9f7149609861
SHA1

83518d294c1517ac2e51d2b86c56dbc74aa247fe
SHA256

49878940f3463858d85db3d0623fad9acf32c61a002556f651ae670eb59cac5a
SHA512

28fa12b26b33ccf8f17f5571051a1039cb4c81bc096f9a98b9f4d8a5f78d5feecc182938b6fec6958918890fbd26648fa2deca09b2ccb5dc4ccf1b0358660e48
SSDEEP

3072:jEGh0o+l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG0lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023234-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023229-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023229-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF37E7D-858B-40ba-8267-585E2978D0A8}\stubpath = "C:\\Windows\\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe"	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA41B851-1172-46e9-982C-C2FC1ABAB655}\stubpath = "C:\\Windows\\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe"	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{452382E9-CBA9-442c-BCE8-A02107B19397}	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA341F7-617B-4cec-B75D-37B1403394DE}\stubpath = "C:\\Windows\\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe"	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33E2134C-BDF3-41f2-8477-35C3344104AC}	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C23AB1-F4D2-429f-80D0-799D1A905E22}\stubpath = "C:\\Windows\\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe"	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D89337-14C6-4e8a-847A-35B691E00919}\stubpath = "C:\\Windows\\{90D89337-14C6-4e8a-847A-35B691E00919}.exe"	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}\stubpath = "C:\\Windows\\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe"	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}\stubpath = "C:\\Windows\\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe"	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{452382E9-CBA9-442c-BCE8-A02107B19397}\stubpath = "C:\\Windows\\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe"	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}\stubpath = "C:\\Windows\\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe"	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}\stubpath = "C:\\Windows\\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe"	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33E2134C-BDF3-41f2-8477-35C3344104AC}\stubpath = "C:\\Windows\\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe"	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}\stubpath = "C:\\Windows\\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe"	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D89337-14C6-4e8a-847A-35B691E00919}	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA341F7-617B-4cec-B75D-37B1403394DE}	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF37E7D-858B-40ba-8267-585E2978D0A8}	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C23AB1-F4D2-429f-80D0-799D1A905E22}	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA41B851-1172-46e9-982C-C2FC1ABAB655}	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
2692	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
536	{90D89337-14C6-4e8a-847A-35B691E00919}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
File created	C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
File created	C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
File created	C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
File created	C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
File created	C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
File created	C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
File created	C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
File created	C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
File created	C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
File created	C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
File created	C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
Token: SeIncBasePriorityPrivilege	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
Token: SeIncBasePriorityPrivilege	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
Token: SeIncBasePriorityPrivilege	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
Token: SeIncBasePriorityPrivilege	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
Token: SeIncBasePriorityPrivilege	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
Token: SeIncBasePriorityPrivilege	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
Token: SeIncBasePriorityPrivilege	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
Token: SeIncBasePriorityPrivilege	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
Token: SeIncBasePriorityPrivilege	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
Token: SeIncBasePriorityPrivilege	2692	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4592	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	92
PID 4164 wrote to memory of 4592	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	92
PID 4164 wrote to memory of 4592	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	92
PID 4164 wrote to memory of 2708	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	93
PID 4164 wrote to memory of 2708	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	93
PID 4164 wrote to memory of 2708	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	93
PID 4592 wrote to memory of 4316	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	94
PID 4592 wrote to memory of 4316	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	94
PID 4592 wrote to memory of 4316	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	94
PID 4592 wrote to memory of 1932	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	95
PID 4592 wrote to memory of 1932	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	95
PID 4592 wrote to memory of 1932	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	95
PID 4316 wrote to memory of 3792	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	98
PID 4316 wrote to memory of 3792	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	98
PID 4316 wrote to memory of 3792	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	98
PID 4316 wrote to memory of 2012	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	97
PID 4316 wrote to memory of 2012	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	97
PID 4316 wrote to memory of 2012	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	97
PID 3792 wrote to memory of 4844	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	99
PID 3792 wrote to memory of 4844	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	99
PID 3792 wrote to memory of 4844	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	99
PID 3792 wrote to memory of 1584	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	100
PID 3792 wrote to memory of 1584	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	100
PID 3792 wrote to memory of 1584	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	100
PID 4844 wrote to memory of 876	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	101
PID 4844 wrote to memory of 876	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	101
PID 4844 wrote to memory of 876	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	101
PID 4844 wrote to memory of 1088	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	102
PID 4844 wrote to memory of 1088	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	102
PID 4844 wrote to memory of 1088	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	102
PID 876 wrote to memory of 680	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	103
PID 876 wrote to memory of 680	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	103
PID 876 wrote to memory of 680	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	103
PID 876 wrote to memory of 4692	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	104
PID 876 wrote to memory of 4692	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	104
PID 876 wrote to memory of 4692	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	104
PID 680 wrote to memory of 744	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	105
PID 680 wrote to memory of 744	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	105
PID 680 wrote to memory of 744	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	105
PID 680 wrote to memory of 3092	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	106
PID 680 wrote to memory of 3092	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	106
PID 680 wrote to memory of 3092	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	106
PID 744 wrote to memory of 2784	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	107
PID 744 wrote to memory of 2784	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	107
PID 744 wrote to memory of 2784	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	107
PID 744 wrote to memory of 3728	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	108
PID 744 wrote to memory of 3728	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	108
PID 744 wrote to memory of 3728	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	108
PID 2784 wrote to memory of 4288	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	109
PID 2784 wrote to memory of 4288	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	109
PID 2784 wrote to memory of 4288	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	109
PID 2784 wrote to memory of 4236	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	110
PID 2784 wrote to memory of 4236	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	110
PID 2784 wrote to memory of 4236	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	110
PID 4288 wrote to memory of 2608	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	111
PID 4288 wrote to memory of 2608	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	111
PID 4288 wrote to memory of 2608	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	111
PID 4288 wrote to memory of 4548	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	112
PID 4288 wrote to memory of 4548	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	112
PID 4288 wrote to memory of 4548	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	112
PID 2608 wrote to memory of 2692	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	113
PID 2608 wrote to memory of 2692	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	113
PID 2608 wrote to memory of 2692	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	113
PID 2608 wrote to memory of 1132	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
  C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
    C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA41B~1.EXE > nul
      4⤵
      PID:2012
  - - C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
      C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
        
        C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
        
        C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
        
        C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
        
        C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
        
        C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
        
        C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
        
        C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
        
        C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe
        
        C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe
        13⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C23~1.EXE > nul
        13⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51F8F~1.EXE > nul
        12⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33E21~1.EXE > nul
        11⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D2DE~1.EXE > nul
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEE13~1.EXE > nul
        9⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF37~1.EXE > nul
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA34~1.EXE > nul
        7⤵
        
        PID:4692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45238~1.EXE > nul
        6⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FC93~1.EXE > nul
        5⤵
        
        PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A4BD~1.EXE > nul
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2708

Network

DNS

190.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.178.17.96.in-addr.arpa

IN PTR

Response

190.178.17.96.in-addr.arpa

IN PTR

a96-17-178-190deploystaticakamaitechnologiescom
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

187.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.178.17.96.in-addr.arpa

IN PTR

Response

187.178.17.96.in-addr.arpa

IN PTR

a96-17-178-187deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

181.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.178.17.96.in-addr.arpa

IN PTR

Response

181.178.17.96.in-addr.arpa

IN PTR

a96-17-178-181deploystaticakamaitechnologiescom

No results found

8.8.8.8:53

190.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

190.178.17.96.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

187.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.178.17.96.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

181.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

181.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe

Filesize
216KB

MD5
a003f9d8e6557d6ff72b9b1ee3c2d0cc

SHA1
16c46de5eebf9f3c873a092b3a8492096f49bf0e

SHA256
c87ea1fa0e7a605bdb8ba3bcce0a9bdc64b701a46bad613bfa0982e1cc1f516b

SHA512
2a76f6265fc10d97ddfcd6bb011c3cc02d93c074fb6dd97d03dcc48af58ad4d789823467399a2bb1e61f127dfa10a22e86326bbe538c502782434dcc34a88308

Download Submit
C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe

Filesize
216KB

MD5
8e9e82bdd97302c7cbcdef5955d88c3f

SHA1
91f0c5871faf375e14f8f7a7c8251c5c2b929bae

SHA256
40827ac9daacc0976d74c3acb11b5f04c392944bc5fe877a0e308fd2127852d9

SHA512
6fb6d6aacecb3f6b11415000264bc7f5baf140d2b988f3cd5ea4c293424071acd0707124e6348bae3aabd3f5e90d76a864f90f34e352edf7c24ac2945600e2b8

Download Submit
C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe

Filesize
216KB

MD5
c274d3e3b433e33bc265760b30463bfc

SHA1
4dd02414201a73d8a071550a42a6e612ab8cd2cb

SHA256
73e66283167b6f291cdae3aee274a30bb4239e31da4a2981287d27d6ee159972

SHA512
0e662fc5004687e75ed2d63bcc4c1d009f09d785a532db89eba5444bfb1e1f74285deffb09ecbefa485fededc1fc4b8602c12973ee0a1963bd9f5582f15c3659

Download Submit
C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe

Filesize
216KB

MD5
d09336b705c630ecde318d31c7b001f8

SHA1
3777d1ee73287568b9914d6931b2477e40718b41

SHA256
0e572fc36f927806edcf22ded3ebd7ea362ebbba254e405ddd589a8d00d55788

SHA512
5ee766f5307c8c9d07956375ead0706c87719da099cffa414f1ebc18b871c70bbab9fcfca487e91832b35771f2cd26af2103692536c9747157bc74c4004557d3

Download Submit
C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe

Filesize
216KB

MD5
bc257436f61fcd3532225190d04b5c2f

SHA1
881ee3cd7ce3269ea0b892ecb6482741bbe1a75b

SHA256
3a7ebbb3da3b26e87b9dee3be3a86459fbdaac89065d956e91f6269b8bff043f

SHA512
384c53b1647d9af09373b578559bc62317d71d5e33583a6f3e3c8ab729f859e694814d22bd99b72b0e143d7e8229d0e9b66cf60c851fdcc07d0d16d0fed5f0eb

Download Submit
C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe

Filesize
216KB

MD5
73ca33bf80eb0e64902e220446742ae8

SHA1
06701533d9f2f33e8da913e2b1b85d56ef521a48

SHA256
30d712b9ddc16aca47077c7723f089a4f87be5764a3d25c4cd48d659ff33f0ca

SHA512
55cf23f4529b66580155e3fc11213464c3248f5ab07c9f33c330e861cdc8672786a0d5d5df7c15f3071dae26ca8d23781d008d4b0b30493e5b9dadf906472a47

Download Submit
C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe

Filesize
216KB

MD5
687ca8d644ae08ec18e5ddfe194ea2ad

SHA1
4e3de6682d2df59153494828c96c34ca4cad4e40

SHA256
c684091ed667abc3ff1e26128dcd03c74a4480f675ca34b1c479bd8023dc5a0f

SHA512
f57b8c4ee467854fd1afa767223af58da424c9083d14c74291c837edc1fbd71cfc86e3004d6b94611e753bbecff8c792d3aade5979ac06f1cd01c6771eb27ddc

Download Submit
C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe

Filesize
216KB

MD5
13ba5440cec0e5404c463264c5976a7d

SHA1
dcd2f232c7a328b9d1605260e96d04ced8efd31b

SHA256
9032f629024c286952a5f938eefca369a922247c9223d62e0ebacb687ff63de0

SHA512
2b49551651ac460a8037e56a1d371293fb1737a557d94d64d8fca3e5dacbcaf8040198a80cb826cd110bc1cec06021675a6bc0b000eae7b674eae070724179b5

Download Submit
C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe

Filesize
216KB

MD5
18d64b7f046658ada87e33962314560d

SHA1
05941e127bb57ab793199931dca1097099ecf143

SHA256
e3d3d9c024ee7f69553e75e4dcde0f1e642decd77da30c9b5717b5e951ef79a3

SHA512
e0bed7895ca6590903fb4ec2dfc95a3df02127a7f5b4a48c507155f6fc92d2c519a885746c5bad4906dce7c23375a02867d4faa09075cddf840ebebc7ac6f242

Download Submit
C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe

Filesize
216KB

MD5
eff5fbec87f47e410c9f0f07fd1b0bfc

SHA1
9b379759550feaad20b43e780f6887b2a74f7614

SHA256
899e52e993050c3218fab76238254a2787f122fe0148092ee6d447724adab894

SHA512
81b4dc7957929d361bfdd3c7293e202ad5015cd32353fe05d568c0665d24a549bea453966fa6a6089ed95009340b51353b6162bc28ee7eaa4727d87cb14d9554

Download Submit
C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe

Filesize
216KB

MD5
db3c339729a6f4eaabe9a64ed256ad40

SHA1
32804246244dc3f4a946b19a1dcf6da2b9a3f4c8

SHA256
c0a57abdcc44c8dd8a25be9395e6ada50b0227b940e7d98cffd6c982f0b23a05

SHA512
5a2c6af356389ae198d08fdf65d13f21cbf926c6c3d9bb2183fd057135d02c54816fa06900e6358bdc46373cc28a785bbc3fe78b0c9dc9ba02d9a6b208b8c185

Download Submit
C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe

Filesize
216KB

MD5
af066f6c5156c03633e8a81b1970a153

SHA1
aef9e1109a6c3fbe860ca46fd37037396fb69df7

SHA256
97e5f4a1b89f77d763de40ae356b116c99bd5136e02767e6a3f7c8c161e5bdbc

SHA512
f7ca75df46eac861cc10d9bca8135c437cd14067fa2ce5b204528b8b9e8db99509895267b16f2113b5a71792e47b56990e49b9925f0dc18fc8ac91560dd7e697

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.