426d6b61fed8fe6be6857c6758a6dbf1bc465af7d786692d219743d7ecc12ba7

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 22:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe
Size

180KB
MD5

8093ed1f4a7f436ec59d3d58a61e6ac3
SHA1

cab602cffacb9333f9373071117def79626f967d
SHA256

426d6b61fed8fe6be6857c6758a6dbf1bc465af7d786692d219743d7ecc12ba7
SHA512

e36861da647fb3b2345c7e5dfaf8e758761dea8777ba5f0d48555e13ff9afbd06b5a3d0c3c8fd639f044b1a5234bc1ab9fa349dfc399ae6f80b505ca5f169c42
SSDEEP

3072:jEGh0oklfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023136-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023212-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023212-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023219-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEE4F13A-7235-49fc-9F84-865C765BF55C}	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{772E7C25-2E13-43b5-A129-79C23A9E8957}	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7AF80EF-6537-4fef-91A5-09274D1443C4}	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}	{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}\stubpath = "C:\\Windows\\{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}.exe"	{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ED36D8F-9668-417f-8F04-365E78C08D32}	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}\stubpath = "C:\\Windows\\{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe"	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3E2422-7430-4285-A0E3-E26850BA89BD}\stubpath = "C:\\Windows\\{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe"	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7AF80EF-6537-4fef-91A5-09274D1443C4}\stubpath = "C:\\Windows\\{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe"	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29645257-5FB9-479c-9CA5-5527C1E5380D}	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29645257-5FB9-479c-9CA5-5527C1E5380D}\stubpath = "C:\\Windows\\{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe"	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ED36D8F-9668-417f-8F04-365E78C08D32}\stubpath = "C:\\Windows\\{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe"	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05B38735-1C8F-4097-8519-ED49CA80D09B}\stubpath = "C:\\Windows\\{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe"	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78672110-B46A-4a00-B8E2-AE16C916356B}	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78672110-B46A-4a00-B8E2-AE16C916356B}\stubpath = "C:\\Windows\\{78672110-B46A-4a00-B8E2-AE16C916356B}.exe"	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEE4F13A-7235-49fc-9F84-865C765BF55C}\stubpath = "C:\\Windows\\{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe"	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3E2422-7430-4285-A0E3-E26850BA89BD}	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{772E7C25-2E13-43b5-A129-79C23A9E8957}\stubpath = "C:\\Windows\\{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe"	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}\stubpath = "C:\\Windows\\{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe"	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05B38735-1C8F-4097-8519-ED49CA80D09B}	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}\stubpath = "C:\\Windows\\{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe"	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe

Executes dropped EXE 12 IoCs

pid	Process
224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe
984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe
792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe
1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe
5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe
2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe
3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe
1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe
4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe
3188	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe
1860	{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe
2208	{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe
File created	C:\Windows\{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe
File created	C:\Windows\{78672110-B46A-4a00-B8E2-AE16C916356B}.exe	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe
File created	C:\Windows\{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe
File created	C:\Windows\{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe
File created	C:\Windows\{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe
File created	C:\Windows\{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}.exe	{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe
File created	C:\Windows\{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe
File created	C:\Windows\{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe
File created	C:\Windows\{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe
File created	C:\Windows\{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe
File created	C:\Windows\{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4880	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe
Token: SeIncBasePriorityPrivilege	984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe
Token: SeIncBasePriorityPrivilege	792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe
Token: SeIncBasePriorityPrivilege	1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe
Token: SeIncBasePriorityPrivilege	5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe
Token: SeIncBasePriorityPrivilege	2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe
Token: SeIncBasePriorityPrivilege	3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe
Token: SeIncBasePriorityPrivilege	1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe
Token: SeIncBasePriorityPrivilege	4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe
Token: SeIncBasePriorityPrivilege	3188	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe
Token: SeIncBasePriorityPrivilege	1860	{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 224	4880	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe	95
PID 4880 wrote to memory of 224	4880	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe	95
PID 4880 wrote to memory of 224	4880	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe	95
PID 4880 wrote to memory of 1656	4880	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe	96
PID 4880 wrote to memory of 1656	4880	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe	96
PID 4880 wrote to memory of 1656	4880	2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe	96
PID 224 wrote to memory of 984	224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe	99
PID 224 wrote to memory of 984	224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe	99
PID 224 wrote to memory of 984	224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe	99
PID 224 wrote to memory of 1096	224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe	100
PID 224 wrote to memory of 1096	224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe	100
PID 224 wrote to memory of 1096	224	{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe	100
PID 984 wrote to memory of 792	984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe	103
PID 984 wrote to memory of 792	984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe	103
PID 984 wrote to memory of 792	984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe	103
PID 984 wrote to memory of 852	984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe	102
PID 984 wrote to memory of 852	984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe	102
PID 984 wrote to memory of 852	984	{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe	102
PID 792 wrote to memory of 1644	792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe	105
PID 792 wrote to memory of 1644	792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe	105
PID 792 wrote to memory of 1644	792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe	105
PID 792 wrote to memory of 3636	792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe	104
PID 792 wrote to memory of 3636	792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe	104
PID 792 wrote to memory of 3636	792	{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe	104
PID 1644 wrote to memory of 5060	1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe	106
PID 1644 wrote to memory of 5060	1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe	106
PID 1644 wrote to memory of 5060	1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe	106
PID 1644 wrote to memory of 3444	1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe	107
PID 1644 wrote to memory of 3444	1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe	107
PID 1644 wrote to memory of 3444	1644	{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe	107
PID 5060 wrote to memory of 2532	5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe	108
PID 5060 wrote to memory of 2532	5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe	108
PID 5060 wrote to memory of 2532	5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe	108
PID 5060 wrote to memory of 1884	5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe	109
PID 5060 wrote to memory of 1884	5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe	109
PID 5060 wrote to memory of 1884	5060	{78672110-B46A-4a00-B8E2-AE16C916356B}.exe	109
PID 2532 wrote to memory of 3612	2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe	110
PID 2532 wrote to memory of 3612	2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe	110
PID 2532 wrote to memory of 3612	2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe	110
PID 2532 wrote to memory of 3368	2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe	111
PID 2532 wrote to memory of 3368	2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe	111
PID 2532 wrote to memory of 3368	2532	{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe	111
PID 3612 wrote to memory of 1616	3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe	113
PID 3612 wrote to memory of 1616	3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe	113
PID 3612 wrote to memory of 1616	3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe	113
PID 3612 wrote to memory of 4592	3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe	112
PID 3612 wrote to memory of 4592	3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe	112
PID 3612 wrote to memory of 4592	3612	{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe	112
PID 1616 wrote to memory of 4532	1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe	114
PID 1616 wrote to memory of 4532	1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe	114
PID 1616 wrote to memory of 4532	1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe	114
PID 1616 wrote to memory of 2980	1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe	115
PID 1616 wrote to memory of 2980	1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe	115
PID 1616 wrote to memory of 2980	1616	{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe	115
PID 4532 wrote to memory of 3188	4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe	116
PID 4532 wrote to memory of 3188	4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe	116
PID 4532 wrote to memory of 3188	4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe	116
PID 4532 wrote to memory of 3016	4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe	117
PID 4532 wrote to memory of 3016	4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe	117
PID 4532 wrote to memory of 3016	4532	{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe	117
PID 3188 wrote to memory of 1860	3188	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe	118
PID 3188 wrote to memory of 1860	3188	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe	118
PID 3188 wrote to memory of 1860	3188	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe	118
PID 3188 wrote to memory of 4272	3188	{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_8093ed1f4a7f436ec59d3d58a61e6ac3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe
  C:\Windows\{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe
    C:\Windows\{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{05B38~1.EXE > nul
      4⤵
      PID:852
  - - C:\Windows\{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe
      C:\Windows\{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F47C3~1.EXE > nul
        5⤵
        
        PID:3636
    - - C:\Windows\{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe
        
        C:\Windows\{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\{78672110-B46A-4a00-B8E2-AE16C916356B}.exe
        
        C:\Windows\{78672110-B46A-4a00-B8E2-AE16C916356B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe
        
        C:\Windows\{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe
        
        C:\Windows\{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3E2~1.EXE > nul
        9⤵
        
        PID:4592
        
        C:\Windows\{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe
        
        C:\Windows\{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe
        
        C:\Windows\{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe
        
        C:\Windows\{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe
        
        C:\Windows\{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}.exe
        
        C:\Windows\{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}.exe
        13⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29645~1.EXE > nul
        13⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7AF8~1.EXE > nul
        12⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{772E7~1.EXE > nul
        11⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA72~1.EXE > nul
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE4F~1.EXE > nul
        8⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78672~1.EXE > nul
        7⤵
        
        PID:1884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EC7A~1.EXE > nul
        6⤵
        
        PID:3444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED36~1.EXE > nul
    3⤵
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05B38735-1C8F-4097-8519-ED49CA80D09B}.exe

Filesize
180KB

MD5
2759bf4b67c73789cb78f9da64590667

SHA1
9532228275a4cbfe5426aae2199773449eb6be69

SHA256
2c5b021e1a2d781d61a700775bc18c5871865dcb8113457660c7c699ecaab646

SHA512
66d7e087bafc7f9ac4899f0e20165cb802efefb758409062c42e9f33cf3ca4e096d81396ae5e7df7d739c7b1be354f63839bf1dfd63b28ce65ad01bdc7689b0a

Download Submit
C:\Windows\{0EC7A40A-64EF-4b21-97A6-80FB98A721FE}.exe

Filesize
180KB

MD5
f678b48ec9168fef13f175768bd8f9a5

SHA1
86c321a67d83b6dd5607e812fc07b1ea242f7cd8

SHA256
1cf1cc70610a8522f1ae5572a7799391e9d0fd6da1871a1032ac35d1bedfc9e0

SHA512
7699735334bd104e4c15555ceae89f79047969bf4b84d4a95b7fa0e3d88a33cf1fd78c2ef53461136ec0926cace6737facecd7691f701dd772c7031812e9bc29

Download Submit
C:\Windows\{29645257-5FB9-479c-9CA5-5527C1E5380D}.exe

Filesize
180KB

MD5
56b1899283a9eb6052d9dd14fb5acb03

SHA1
6397e537d841726033b95b951b4716966cc658a6

SHA256
520374cc861ed87a6fa2bfa4985707cf609a811b61f9e541772588026daf4d42

SHA512
6f8e6cb18aae518ce2b54a9b15e928f976aa746ac2a8ccf45e2b14a44d5edfb6e488ab5bb4dd2a3e8fcde67cbe02a748da3c0989643d0767d74cbb17a8b5a4b1

Download Submit
C:\Windows\{3EA72E4E-B36E-4ef7-B00A-F090CDDC4615}.exe

Filesize
180KB

MD5
0df9edc7be524ae3e89a510f1b0ba4fc

SHA1
f3f48b15087c301983a68188832ad8056b80e4b3

SHA256
94676ba1b20322171a4dea151c83fdac83715fcd40012b90f844175d11ab88e9

SHA512
b52f25b235e1f9a9078c181c58b5a813a3b9181c6d53da61558d9399e36a57fa24678d8dcf48edbd7e5541ab323918c148b97c72fe81a02269e48bbb96dba66d

Download Submit
C:\Windows\{6ED36D8F-9668-417f-8F04-365E78C08D32}.exe

Filesize
180KB

MD5
ae897a4e50f3224a94c16015c2fdd530

SHA1
944f47582c61095184e98b6fd77136ac5ddeb660

SHA256
b56f5ee2e26fe84d30c2f9df920aa819c43241b711925c3cea5fdb158444cbdb

SHA512
15c963375f484ee3c3345da37d4878f2c73a41f9bf1210d5155fa98f265188816de241a38a73a2304bf9e4d159483362e7ff94b74c539bfe865d589610e785b4

Download Submit
C:\Windows\{772E7C25-2E13-43b5-A129-79C23A9E8957}.exe

Filesize
180KB

MD5
d60f46fc8bc8a2bdc79236f6f519138a

SHA1
7d774b305f5575eb1cd76cb4c5fb9bae18a7f09d

SHA256
8e9be3becab0fb33a8315d47d9e213781120fb6ba9bd9e7aff7db6d6e3e99413

SHA512
5cedfa19bc83f7828143ab56e93a4c0ea08b01798cfac2c75eb04e25d74b6bff6cf2198c4a5a560cefdb9f8bdee64ba45fe4ce0ee9e706a4014f4caaa68c70b2

Download Submit
C:\Windows\{78672110-B46A-4a00-B8E2-AE16C916356B}.exe

Filesize
180KB

MD5
37cb64969c780d57ff1f5e0a25362a8f

SHA1
b3f33607dc612bdf7bacade7b55e612e70241cb5

SHA256
6b99c3be9b0b29d07c50e55bf35ac415b7c369b834502f40823fcb5e7607f1d0

SHA512
ee37a15ac9ce7df8618b6f3b85bedbf31424ab7d0fc305b2215098643aa12b7608a4b134f09e3ec07ee2770d42f7257425b4f8ed486306313f7ed92d61b5f44b

Download Submit
C:\Windows\{7F3E2422-7430-4285-A0E3-E26850BA89BD}.exe

Filesize
180KB

MD5
797731647481c004c52e75b739f33cee

SHA1
007ca6c6ca7ff256b93e50a4ce5c919d34fb42e2

SHA256
bf23df2fcbdb825abc149bdd3088fdc138f77f33a4c3ea613a3d49322d4b4df4

SHA512
bbfdc6d24b104cb0f356a6401f145b38965caf5dac47bb2b00dfdef94f59c28f79dabcc917d7c5b33181d8f754c76ceeed83de2ffbd968294a6c2a68d0d5dcc2

Download Submit
C:\Windows\{C7332755-A68C-4ef2-B64C-0144BB8D5AA7}.exe

Filesize
180KB

MD5
dfb4ea73349552f756e922b829c0c3fc

SHA1
7267fe8cd8c70b11e705fcc60bcb4271a8a4e3c0

SHA256
a331c199b3ca44ff74444447d631ffadbaf5e4068196abd230d4b4e9426d23e7

SHA512
a742ddff034fdb8faf97e2f7c2598159a267011a18e03e6466ec4e07a8ff23fa2350b7d4b5a08348f8e8da912ed1029073b68504a629eefc22518ced9d27cab4

Download Submit
C:\Windows\{CEE4F13A-7235-49fc-9F84-865C765BF55C}.exe

Filesize
180KB

MD5
046e8417821fc095ec91283084ca61c8

SHA1
dfe2fe65879f0b71060a9e18a18f7853a5d9015c

SHA256
f0afc44069bf23d10f0dca66a3f543d1e08388e2fb9bbe193587ede0823a9800

SHA512
cc4362260c1d9b3402f1fd3f7ce16b09243075d2edd80f7cccfeb0be7008d5df08e1652e1010fa099ec0c8b7898ff03ea997ec091e9fc6fb7181f84e2d6d3fc0

Download Submit
C:\Windows\{F47C3B6C-CA68-48ec-9A91-CA712AA08D12}.exe

Filesize
180KB

MD5
f46609dfbee1c45336c74d58b4ab6711

SHA1
5b7b3ae8f87a74887e08094abf335ecf2fba2d89

SHA256
3b3b9e48b02b1dc4d9c02eb3c03ea0afb382ad4bd60cea46c966bbc61dbfa479

SHA512
8ba3f32809822d3e144a5f4f43fb2893772d43fb20670102f9481306327a0dc8ef4c1b759bffc5940b35f80dacc0f525441f3cb4a004bf9f7c42c9994f62d20b

Download Submit
C:\Windows\{F7AF80EF-6537-4fef-91A5-09274D1443C4}.exe

Filesize
180KB

MD5
571a5895ea451f546ca69e9e7dfda1a7

SHA1
01e28cffbc1f5d70c6ad3889379c164e9e89e190

SHA256
2ae410888de8df61cba7636c354239bc9b5673012d80d1b1e67c735784425c23

SHA512
fb2a62cd8e5033fa81a0c501097b90b0dbd60590db466d22e14a9033b060826a5ecbd1436633c62d2749c258904b84dcd512d2ca4934cc79d3be54d83b302900

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads