a1509c1d8f6aeb4fbb585e7ad22d68917e08bcb7de21dfa6aeb6548e42764c96

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe
Size

408KB
MD5

88e501d3d838acdbb20406fab48c7105
SHA1

051eb736bb1f26e3f03fbaea04e1595a91dce3da
SHA256

a1509c1d8f6aeb4fbb585e7ad22d68917e08bcb7de21dfa6aeb6548e42764c96
SHA512

ca2f8e9014c984f5c5c65ca05386de68c52b63fca4207eae796edd806b7fa326ecc3b530d7063e3f2e60bdb6aef82940af57953d2fbe6de74050fa89d5250cff
SSDEEP

3072:CEGh0o1l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGvldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023227-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002322c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023232-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023233-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022044-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}\stubpath = "C:\\Windows\\{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe"	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}\stubpath = "C:\\Windows\\{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe"	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}	{AC740C21-D200-4189-A720-B09F33C526B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}\stubpath = "C:\\Windows\\{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe"	{AC740C21-D200-4189-A720-B09F33C526B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E2E48E-4F9F-4802-B53B-3173CC758CED}	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61F19E34-E87A-4e46-9BA3-8E125267626E}\stubpath = "C:\\Windows\\{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe"	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A01AF517-E923-40c3-8A20-F1FE506F2420}\stubpath = "C:\\Windows\\{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe"	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E97D15E-80A9-4447-9017-A4AE181C5548}	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}\stubpath = "C:\\Windows\\{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}.exe"	{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC740C21-D200-4189-A720-B09F33C526B9}\stubpath = "C:\\Windows\\{AC740C21-D200-4189-A720-B09F33C526B9}.exe"	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E2E48E-4F9F-4802-B53B-3173CC758CED}\stubpath = "C:\\Windows\\{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe"	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC740C21-D200-4189-A720-B09F33C526B9}	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13A97C01-AF46-4525-A0EA-07358BCB833D}\stubpath = "C:\\Windows\\{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe"	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D8A3306-56F2-4532-B83D-074F89522E58}\stubpath = "C:\\Windows\\{9D8A3306-56F2-4532-B83D-074F89522E58}.exe"	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A01AF517-E923-40c3-8A20-F1FE506F2420}	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D8A3306-56F2-4532-B83D-074F89522E58}	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E97D15E-80A9-4447-9017-A4AE181C5548}\stubpath = "C:\\Windows\\{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe"	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}	{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}\stubpath = "C:\\Windows\\{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe"	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13A97C01-AF46-4525-A0EA-07358BCB833D}	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61F19E34-E87A-4e46-9BA3-8E125267626E}	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe

Executes dropped EXE 12 IoCs

pid	Process
684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe
5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe
4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe
1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe
468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe
1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe
1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe
1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe
2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe
2736	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe
1632	{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe
3584	{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe
File created	C:\Windows\{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe	{AC740C21-D200-4189-A720-B09F33C526B9}.exe
File created	C:\Windows\{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe
File created	C:\Windows\{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe
File created	C:\Windows\{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe
File created	C:\Windows\{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe
File created	C:\Windows\{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe
File created	C:\Windows\{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}.exe	{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe
File created	C:\Windows\{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe
File created	C:\Windows\{AC740C21-D200-4189-A720-B09F33C526B9}.exe	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe
File created	C:\Windows\{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe
File created	C:\Windows\{9D8A3306-56F2-4532-B83D-074F89522E58}.exe	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4664	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe
Token: SeIncBasePriorityPrivilege	684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe
Token: SeIncBasePriorityPrivilege	5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe
Token: SeIncBasePriorityPrivilege	4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe
Token: SeIncBasePriorityPrivilege	1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe
Token: SeIncBasePriorityPrivilege	468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe
Token: SeIncBasePriorityPrivilege	1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe
Token: SeIncBasePriorityPrivilege	1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe
Token: SeIncBasePriorityPrivilege	1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe
Token: SeIncBasePriorityPrivilege	2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe
Token: SeIncBasePriorityPrivilege	2736	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe
Token: SeIncBasePriorityPrivilege	1632	{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 684	4664	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe	97
PID 4664 wrote to memory of 684	4664	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe	97
PID 4664 wrote to memory of 684	4664	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe	97
PID 4664 wrote to memory of 416	4664	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe	98
PID 4664 wrote to memory of 416	4664	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe	98
PID 4664 wrote to memory of 416	4664	2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe	98
PID 684 wrote to memory of 5060	684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe	99
PID 684 wrote to memory of 5060	684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe	99
PID 684 wrote to memory of 5060	684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe	99
PID 684 wrote to memory of 4892	684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe	100
PID 684 wrote to memory of 4892	684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe	100
PID 684 wrote to memory of 4892	684	{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe	100
PID 5060 wrote to memory of 4412	5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe	103
PID 5060 wrote to memory of 4412	5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe	103
PID 5060 wrote to memory of 4412	5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe	103
PID 5060 wrote to memory of 2760	5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe	102
PID 5060 wrote to memory of 2760	5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe	102
PID 5060 wrote to memory of 2760	5060	{AC740C21-D200-4189-A720-B09F33C526B9}.exe	102
PID 4412 wrote to memory of 1928	4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe	104
PID 4412 wrote to memory of 1928	4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe	104
PID 4412 wrote to memory of 1928	4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe	104
PID 4412 wrote to memory of 4764	4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe	105
PID 4412 wrote to memory of 4764	4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe	105
PID 4412 wrote to memory of 4764	4412	{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe	105
PID 1928 wrote to memory of 468	1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe	106
PID 1928 wrote to memory of 468	1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe	106
PID 1928 wrote to memory of 468	1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe	106
PID 1928 wrote to memory of 1688	1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe	107
PID 1928 wrote to memory of 1688	1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe	107
PID 1928 wrote to memory of 1688	1928	{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe	107
PID 468 wrote to memory of 1400	468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe	108
PID 468 wrote to memory of 1400	468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe	108
PID 468 wrote to memory of 1400	468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe	108
PID 468 wrote to memory of 3092	468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe	109
PID 468 wrote to memory of 3092	468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe	109
PID 468 wrote to memory of 3092	468	{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe	109
PID 1400 wrote to memory of 1128	1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe	110
PID 1400 wrote to memory of 1128	1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe	110
PID 1400 wrote to memory of 1128	1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe	110
PID 1400 wrote to memory of 432	1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe	111
PID 1400 wrote to memory of 432	1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe	111
PID 1400 wrote to memory of 432	1400	{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe	111
PID 1128 wrote to memory of 1328	1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe	113
PID 1128 wrote to memory of 1328	1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe	113
PID 1128 wrote to memory of 1328	1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe	113
PID 1128 wrote to memory of 1948	1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe	112
PID 1128 wrote to memory of 1948	1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe	112
PID 1128 wrote to memory of 1948	1128	{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe	112
PID 1328 wrote to memory of 2400	1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe	114
PID 1328 wrote to memory of 2400	1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe	114
PID 1328 wrote to memory of 2400	1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe	114
PID 1328 wrote to memory of 3816	1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe	115
PID 1328 wrote to memory of 3816	1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe	115
PID 1328 wrote to memory of 3816	1328	{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe	115
PID 2400 wrote to memory of 2736	2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe	117
PID 2400 wrote to memory of 2736	2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe	117
PID 2400 wrote to memory of 2736	2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe	117
PID 2400 wrote to memory of 392	2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe	116
PID 2400 wrote to memory of 392	2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe	116
PID 2400 wrote to memory of 392	2400	{9D8A3306-56F2-4532-B83D-074F89522E58}.exe	116
PID 2736 wrote to memory of 1632	2736	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe	118
PID 2736 wrote to memory of 1632	2736	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe	118
PID 2736 wrote to memory of 1632	2736	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe	118
PID 2736 wrote to memory of 4384	2736	{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_88e501d3d838acdbb20406fab48c7105_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe
  C:\Windows\{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\{AC740C21-D200-4189-A720-B09F33C526B9}.exe
    C:\Windows\{AC740C21-D200-4189-A720-B09F33C526B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC740~1.EXE > nul
      4⤵
      PID:2760
  - - C:\Windows\{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe
      C:\Windows\{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Windows\{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe
        
        C:\Windows\{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe
        
        C:\Windows\{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe
        
        C:\Windows\{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe
        
        C:\Windows\{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13A97~1.EXE > nul
        9⤵
        
        PID:1948
        
        C:\Windows\{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe
        
        C:\Windows\{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\{9D8A3306-56F2-4532-B83D-074F89522E58}.exe
        
        C:\Windows\{9D8A3306-56F2-4532-B83D-074F89522E58}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D8A3~1.EXE > nul
        11⤵
        
        PID:392
        
        C:\Windows\{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe
        
        C:\Windows\{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe
        
        C:\Windows\{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}.exe
        
        C:\Windows\{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}.exe
        13⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E97D~1.EXE > nul
        13⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A01AF~1.EXE > nul
        12⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61F19~1.EXE > nul
        10⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4F76~1.EXE > nul
        8⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60B0A~1.EXE > nul
        7⤵
        
        PID:3092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39E2E~1.EXE > nul
        6⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7BE4~1.EXE > nul
        5⤵
        
        PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B76D7~1.EXE > nul
    3⤵
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13A97C01-AF46-4525-A0EA-07358BCB833D}.exe

Filesize
408KB

MD5
815eec94bf3df7cb5fdd53cfdcff3143

SHA1
9295c9d2869af3e6da6dee5070b73bd33d0369ae

SHA256
b270a941918a824150aab9d248ffe5557547fb1b0f71625083ba5c06cdd0858a

SHA512
5919feb126b83d8bc4ec223ab4f31f14bc72bb0ce4af46202a97d05cc61007fb8434c225a9b6b7642403dd45f9a84b06cdae858f169855727a13f1daea1e2344

Download Submit
C:\Windows\{2E97D15E-80A9-4447-9017-A4AE181C5548}.exe

Filesize
408KB

MD5
4d7e357f380cc2b1757768603c2b30fe

SHA1
e8032a7198c93d7d08344e030c9ee95db363a284

SHA256
582d07ec904f0b6fc5399f0f2f6be3e7b45b36039ac05804741b403cb3d32e8f

SHA512
e43053f6c2247c19c3fc4aa4250ae0c05aabdc96015859de844156a3a2145ad3b4c48a96ce9bdd55cb89a42ab133e034c96f3cc892967425fde4bde671286440

Download Submit
C:\Windows\{39E2E48E-4F9F-4802-B53B-3173CC758CED}.exe

Filesize
408KB

MD5
8653d54ec9d1668da47cad5e6eb4e328

SHA1
939c0c0916a9801e4782ac9f36ac3ca5429fb222

SHA256
90c64046e196aeef7cf1f8fac5f565fa5cc4528c165647550052f4fe26e39031

SHA512
a824ff95c81727bf6666330153edd85e8df88ff5c5a65e7d046b5431fbb3c54638455daff9061f25592a4c7b657359f22191e81a52034f1457b458eee7644d09

Download Submit
C:\Windows\{60B0A3E8-60F8-4598-A987-E5F789D9D6F9}.exe

Filesize
408KB

MD5
2d935a67490f47844fd912a5ac900ed2

SHA1
68d2bd2ef169c87a51f7018d7adee5558f84e841

SHA256
5df9cb57e139953b12cd23944f0c42343ee53fe058eb701d65ef2f8e00647ffa

SHA512
0df4634ed23142c996459e504e6180034e55c309b44316a8967d4461c144dcbd8339923cf828343af730de6b0ca36d2de60f5e034707c7647873ae9fec6da02a

Download Submit
C:\Windows\{61F19E34-E87A-4e46-9BA3-8E125267626E}.exe

Filesize
408KB

MD5
7718b4c18155f8615477b4f4e4482dfd

SHA1
8b0b4035a12bac3aae2736452ea0435f8e906ba3

SHA256
f2d1187578b8bf21595cfc1dff59686351f462c0954fa643e441827858273a8f

SHA512
151a37d27900519dcaf4805d93d992830fdf1a44a495ed0dbf0b87aca59af5be773c9dc22df843c19e03ea5d15bccfab8ebcdb88589fe836571e400ab9b0e848

Download Submit
C:\Windows\{9D8A3306-56F2-4532-B83D-074F89522E58}.exe

Filesize
408KB

MD5
acabde800bc546e63668fd86001963be

SHA1
cf28f75964f0aee80bb66587ff8c8ceb7b1bf528

SHA256
757c52d9ea270d35c1c99bc37a2683cbc3302f541adbb98485180b5df8bf47ab

SHA512
abd41bff6f314e94186eb686572b58d22be85c72d670e7fcc5f5e8af190bc051f17dac732a54173abd91da941792cba7e8a7f72367c7855fe047f49ea7db944b

Download Submit
C:\Windows\{A01AF517-E923-40c3-8A20-F1FE506F2420}.exe

Filesize
408KB

MD5
8230de589637693079efc5897d6f1eb6

SHA1
9d85def95c3d2fb1603368a7a1c46afee9ab5319

SHA256
852f21211cc53a2414ed6bbaba644e160b8ac9b5231f29813d00e6472cbdffc0

SHA512
97d48442a2d1f87a632cbb38b68dd15c0381e0cfb001979af4af6d1ab452334dc795cad9c5d51cc19e5da3dabe0152eec27642eeb12ff23c3357863a2e13541a

Download Submit
C:\Windows\{AC740C21-D200-4189-A720-B09F33C526B9}.exe

Filesize
408KB

MD5
743dbb94185db922bb5bba8e6a60806c

SHA1
c52fc4ec5f7afb5ed13e8bd49493c90f89f2cac6

SHA256
109b46d06d9209524c7bd9ae504f2d48dcd9667698360120bbcdf79c04c4c4b8

SHA512
10b18a17ca72aad7181922792a0069261e15fb5b58b12277b0159c1230fe57355ac8f855860319be984b0b94be965c4976cb69cf359fc98ebeaba081088f1cb8

Download Submit
C:\Windows\{B76D760D-59E1-4e31-BAAD-5F6ABC2A59AB}.exe

Filesize
408KB

MD5
4945291b799f1494535925c008555479

SHA1
3e90dd7da8f6539e920cc05a6558cbae540e98d2

SHA256
af072f4f740d9c4fa52ae0b4e34ec760bd32e807d0885a164cd05f924774c294

SHA512
d2759819650e44ac1da065c5d8a0626710933905f3a52794948b7f4b350bed5d6e1713697dca712299162df02e370f237d5a7c38589ff7b1ec378e3b717bc95f

Download Submit
C:\Windows\{B8D9F79A-0190-45de-BB6E-6FDC2CE1809D}.exe

Filesize
408KB

MD5
6a3b5b70e4657dbb1fa3408d267eb4eb

SHA1
8187bdab3f6ccc9a26fef820fe2480bcb22e5e08

SHA256
3cabd6a24b213b3f0892f5efc92f67a10aa1f4fe230dea77509aadf1579566e7

SHA512
55976dedbbd44e828218060ea226822ae450cf2f244185b5faea951fcf31ee1f5b2022e9fc098561d93b0042bf7303030924abf0de5d6924b264f5ae9e57c23c

Download Submit
C:\Windows\{C7BE412A-5159-4c81-AB2F-E8FA4A6EC874}.exe

Filesize
408KB

MD5
2c6e0547b28f0f80508c4af4331d9990

SHA1
f8cd6f902e1094e861485028d669548236f2f2c7

SHA256
35e92db537bfcfa345a37209cf4b9219f930453d1bda06205c685aab4802809e

SHA512
cb7a5fb1e48052cc881b2e39f60b6736f01d0406dd4d33fe4a9e7ed5e2ca6abccd0c2bf9081b397ea9a98f28d1e813c0a6e5c0884712491dabcbf9fe86f40a41

Download Submit
C:\Windows\{F4F762E8-03E1-4aa6-8928-1C25713D3EA0}.exe

Filesize
408KB

MD5
5e86e0cad3f5c62782c448e12da27551

SHA1
21a849a92512ec1ef6535acea103f31971c300bf

SHA256
e6f41eb7810a53465b2429379166af31d800a72f42dd3f75982380f283dedb57

SHA512
5c92996b6fc0deec67ad86e5db01d08da4059c19e2ff932ae3b8a9c93411cce6253e92f16539e22a7e7b2034ed6e71e49fa174060f03f4e902c8fc053ba6bd46

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads