c6220bad3b38c8cfdb2c5b40f2207ff9e7cc3c490f4cd21f13dd1f34fc3545b8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Size

216KB
MD5

443d05567206d65460493fcba0b78ec0
SHA1

40f3ee13d8d92c357079a897ee0c388e29c9354e
SHA256

c6220bad3b38c8cfdb2c5b40f2207ff9e7cc3c490f4cd21f13dd1f34fc3545b8
SHA512

8f0f0f5f44d7b0029aa70b96e5de5adcfd1705e85e8471689eef55d0847147c0be8ae93eb0ac9d7b328399f5495e4d06a519d12c9d17c9431e83867eb186c81f
SSDEEP

3072:jEGh0oJl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGvlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023205-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231fe-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231fe-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD259CDA-4C28-4bbe-AB29-0F370299719A}\stubpath = "C:\\Windows\\{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe"	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{537369D1-803D-47c2-A310-B622CA50CD09}	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}\stubpath = "C:\\Windows\\{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe"	{537369D1-803D-47c2-A310-B622CA50CD09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3B078AF-A28C-4aac-9634-79D72EE5D249}\stubpath = "C:\\Windows\\{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe"	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3786FC14-72B9-4498-8CA4-85D98886A588}	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3786FC14-72B9-4498-8CA4-85D98886A588}\stubpath = "C:\\Windows\\{3786FC14-72B9-4498-8CA4-85D98886A588}.exe"	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD259CDA-4C28-4bbe-AB29-0F370299719A}	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E532057B-5518-4961-9FB7-E1F5C3BE6B47}\stubpath = "C:\\Windows\\{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe"	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}\stubpath = "C:\\Windows\\{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe"	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3B078AF-A28C-4aac-9634-79D72EE5D249}	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AE52A01-E862-40f8-8D12-E84BE3A1F632}	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F10B0416-2D75-4196-92D7-218E7B1ADADE}\stubpath = "C:\\Windows\\{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe"	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5B8A9EA-31D0-47f6-A098-BC56240558C1}\stubpath = "C:\\Windows\\{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe"	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7260D74-9586-4a3a-B17F-FCF6512E23C9}\stubpath = "C:\\Windows\\{F7260D74-9586-4a3a-B17F-FCF6512E23C9}.exe"	{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{537369D1-803D-47c2-A310-B622CA50CD09}\stubpath = "C:\\Windows\\{537369D1-803D-47c2-A310-B622CA50CD09}.exe"	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}	{537369D1-803D-47c2-A310-B622CA50CD09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AE52A01-E862-40f8-8D12-E84BE3A1F632}\stubpath = "C:\\Windows\\{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe"	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}\stubpath = "C:\\Windows\\{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe"	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E532057B-5518-4961-9FB7-E1F5C3BE6B47}	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7260D74-9586-4a3a-B17F-FCF6512E23C9}	{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F10B0416-2D75-4196-92D7-218E7B1ADADE}	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5B8A9EA-31D0-47f6-A098-BC56240558C1}	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe

Executes dropped EXE 12 IoCs

pid	Process
4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe
1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe
4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe
1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe
3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe
880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe
912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe
1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe
228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe
3252	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe
4020	{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe
2272	{F7260D74-9586-4a3a-B17F-FCF6512E23C9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{537369D1-803D-47c2-A310-B622CA50CD09}.exe	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe
File created	C:\Windows\{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe	{537369D1-803D-47c2-A310-B622CA50CD09}.exe
File created	C:\Windows\{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe
File created	C:\Windows\{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe
File created	C:\Windows\{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe
File created	C:\Windows\{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe
File created	C:\Windows\{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe
File created	C:\Windows\{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
File created	C:\Windows\{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe
File created	C:\Windows\{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe
File created	C:\Windows\{F7260D74-9586-4a3a-B17F-FCF6512E23C9}.exe	{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe
File created	C:\Windows\{3786FC14-72B9-4498-8CA4-85D98886A588}.exe	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1820	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe
Token: SeIncBasePriorityPrivilege	1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe
Token: SeIncBasePriorityPrivilege	4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe
Token: SeIncBasePriorityPrivilege	1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe
Token: SeIncBasePriorityPrivilege	3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe
Token: SeIncBasePriorityPrivilege	880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe
Token: SeIncBasePriorityPrivilege	912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe
Token: SeIncBasePriorityPrivilege	1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe
Token: SeIncBasePriorityPrivilege	228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe
Token: SeIncBasePriorityPrivilege	3252	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe
Token: SeIncBasePriorityPrivilege	4020	{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 4920	1820	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	97
PID 1820 wrote to memory of 4920	1820	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	97
PID 1820 wrote to memory of 4920	1820	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	97
PID 1820 wrote to memory of 2344	1820	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	98
PID 1820 wrote to memory of 2344	1820	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	98
PID 1820 wrote to memory of 2344	1820	2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe	98
PID 4920 wrote to memory of 1528	4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe	99
PID 4920 wrote to memory of 1528	4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe	99
PID 4920 wrote to memory of 1528	4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe	99
PID 4920 wrote to memory of 3884	4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe	100
PID 4920 wrote to memory of 3884	4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe	100
PID 4920 wrote to memory of 3884	4920	{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe	100
PID 1528 wrote to memory of 4476	1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe	103
PID 1528 wrote to memory of 4476	1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe	103
PID 1528 wrote to memory of 4476	1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe	103
PID 1528 wrote to memory of 2832	1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe	102
PID 1528 wrote to memory of 2832	1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe	102
PID 1528 wrote to memory of 2832	1528	{537369D1-803D-47c2-A310-B622CA50CD09}.exe	102
PID 4476 wrote to memory of 1328	4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe	104
PID 4476 wrote to memory of 1328	4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe	104
PID 4476 wrote to memory of 1328	4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe	104
PID 4476 wrote to memory of 3420	4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe	105
PID 4476 wrote to memory of 3420	4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe	105
PID 4476 wrote to memory of 3420	4476	{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe	105
PID 1328 wrote to memory of 3064	1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe	106
PID 1328 wrote to memory of 3064	1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe	106
PID 1328 wrote to memory of 3064	1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe	106
PID 1328 wrote to memory of 3992	1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe	107
PID 1328 wrote to memory of 3992	1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe	107
PID 1328 wrote to memory of 3992	1328	{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe	107
PID 3064 wrote to memory of 880	3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe	108
PID 3064 wrote to memory of 880	3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe	108
PID 3064 wrote to memory of 880	3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe	108
PID 3064 wrote to memory of 2404	3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe	109
PID 3064 wrote to memory of 2404	3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe	109
PID 3064 wrote to memory of 2404	3064	{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe	109
PID 880 wrote to memory of 912	880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe	110
PID 880 wrote to memory of 912	880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe	110
PID 880 wrote to memory of 912	880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe	110
PID 880 wrote to memory of 4620	880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe	111
PID 880 wrote to memory of 4620	880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe	111
PID 880 wrote to memory of 4620	880	{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe	111
PID 912 wrote to memory of 1684	912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe	113
PID 912 wrote to memory of 1684	912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe	113
PID 912 wrote to memory of 1684	912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe	113
PID 912 wrote to memory of 3776	912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe	112
PID 912 wrote to memory of 3776	912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe	112
PID 912 wrote to memory of 3776	912	{3786FC14-72B9-4498-8CA4-85D98886A588}.exe	112
PID 1684 wrote to memory of 228	1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe	114
PID 1684 wrote to memory of 228	1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe	114
PID 1684 wrote to memory of 228	1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe	114
PID 1684 wrote to memory of 4500	1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe	115
PID 1684 wrote to memory of 4500	1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe	115
PID 1684 wrote to memory of 4500	1684	{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe	115
PID 228 wrote to memory of 3252	228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe	117
PID 228 wrote to memory of 3252	228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe	117
PID 228 wrote to memory of 3252	228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe	117
PID 228 wrote to memory of 1080	228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe	116
PID 228 wrote to memory of 1080	228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe	116
PID 228 wrote to memory of 1080	228	{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe	116
PID 3252 wrote to memory of 4020	3252	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe	118
PID 3252 wrote to memory of 4020	3252	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe	118
PID 3252 wrote to memory of 4020	3252	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe	118
PID 3252 wrote to memory of 3660	3252	{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_443d05567206d65460493fcba0b78ec0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe
  C:\Windows\{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\{537369D1-803D-47c2-A310-B622CA50CD09}.exe
    C:\Windows\{537369D1-803D-47c2-A310-B622CA50CD09}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53736~1.EXE > nul
      4⤵
      PID:2832
  - - C:\Windows\{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe
      C:\Windows\{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe
        
        C:\Windows\{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe
        
        C:\Windows\{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe
        
        C:\Windows\{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\{3786FC14-72B9-4498-8CA4-85D98886A588}.exe
        
        C:\Windows\{3786FC14-72B9-4498-8CA4-85D98886A588}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3786F~1.EXE > nul
        9⤵
        
        PID:3776
        
        C:\Windows\{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe
        
        C:\Windows\{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe
        
        C:\Windows\{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5B8A~1.EXE > nul
        11⤵
        
        PID:1080
        
        C:\Windows\{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe
        
        C:\Windows\{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe
        
        C:\Windows\{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\{F7260D74-9586-4a3a-B17F-FCF6512E23C9}.exe
        
        C:\Windows\{F7260D74-9586-4a3a-B17F-FCF6512E23C9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5320~1.EXE > nul
        13⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD259~1.EXE > nul
        12⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F10B0~1.EXE > nul
        10⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F436~1.EXE > nul
        8⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE52~1.EXE > nul
        7⤵
        
        PID:2404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3B07~1.EXE > nul
        6⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F7FC~1.EXE > nul
        5⤵
        
        PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E7AE~1.EXE > nul
    3⤵
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E7AE2A7-FC9D-40cb-890A-058796C01B3C}.exe

Filesize
216KB

MD5
19497880ea6877c1a96e460dedb6f505

SHA1
5c57de2f2c9c30f076e2097d014dc7ea47ab23ba

SHA256
8932e62b1be9eea896549f366227076a49089f27dd5c8adb05c5e194bdbd7f73

SHA512
7c9f84bdf413b1fb3130274261ffc13e501d9a402427b1d997e656ac140a5b8871efd78e21d9e5a20d40ed39a7fa1dae3881c4cd31a5910296a620d5967d9902

Download Submit
C:\Windows\{2F4360AA-614F-4eb0-84EF-A91AB8F44AD0}.exe

Filesize
216KB

MD5
ba7c9ea828d689eef5cafcb68e3ab948

SHA1
3daa7ed74fd0c22745340d6375b6a01e63389180

SHA256
ebd7d2ef80c61be50fcc1167057db4753e7ffdc3a0e15ca96c5ad46fe00583d6

SHA512
9d4525e3dd7b4831c42fb0b7507265f1ad45a0bf2422b9389e9771d9d3ebb5cd834ecf158749724cc64b97019b5679d860b662b76df9b1c4bd74d740d63e7b96

Download Submit
C:\Windows\{3786FC14-72B9-4498-8CA4-85D98886A588}.exe

Filesize
216KB

MD5
878cffb636e98d513ed84abae846375a

SHA1
af1c2aa5293afebb0d6dc73f4c15318e42acd881

SHA256
4e883d8eb7fd7b57e7258fbd5502ff8640a7fcf1e6442755208b8fdda7093110

SHA512
4ac6e3db7f3ba943dbe1c46abada4d6b7ea70ee8e4e4b0f0da85fcc68646f778b8fc095a25c10ad4debe217026bb5debe36da05e7646f2c16b3334b53e6a7109

Download Submit
C:\Windows\{4AE52A01-E862-40f8-8D12-E84BE3A1F632}.exe

Filesize
216KB

MD5
5f899dc3d6b2548427465ce8b48188db

SHA1
f7d270e34c8337c33fa2a67ec29931004a0eda6f

SHA256
28b9e8036b1f66bca37a16630d0866d54bf3dea03e2bf8c00ce9d711f7ec2027

SHA512
31e133e7102518950afbd1ddb7f3e1d7146477d502d793280f14bfb7b9fc914f07b827ab1f6ce72fb3f017a33740e0cae091ef00d493e3279474c6700ad74587

Download Submit
C:\Windows\{537369D1-803D-47c2-A310-B622CA50CD09}.exe

Filesize
216KB

MD5
58ca926f7c4f5c4b135f430cba40d86b

SHA1
174bb42e4e18308ef8fe1d95648f58b6760c0aab

SHA256
9df0e2976b5e20f0b97a346299a47fef29adb3186fb09f6170372f85c7389ef4

SHA512
b42c8e5c3d01b03ab176d90422631910e5ed847fd9c06d1a506ff6aabe4dd74936849cf1dcb3292ea3ed3dc58d0f91ddc5e95af4c8ad0ef8246c01218c079ea0

Download Submit
C:\Windows\{8F7FCFAA-5B18-4861-BFBF-5FE4B34656A8}.exe

Filesize
216KB

MD5
b6b0e238ede166010698d509386b0b4e

SHA1
ca887c2a903951d37e12809ec4208e29ac054df5

SHA256
48c8d431c22c9c7423436fa5c480a1b8d62e0054ab434768f25541d968ff125e

SHA512
92945f8d2b24be1c15dc0ff25c39d6fd65dcdea3781fb2ae5dd8f2a61906a6c55ffd5bbf604837465763943ee2c871d2c8c416e9c7a6c902a2d3025183f0a133

Download Submit
C:\Windows\{A5B8A9EA-31D0-47f6-A098-BC56240558C1}.exe

Filesize
216KB

MD5
b18f27c3fba11d416d3bcd2cfc339d00

SHA1
0ee8c2a716c1e1bc787dee93762ac720288c3bda

SHA256
88a779210ca663a2308b8967677965256589e342f138c8f8128b7ce203347b9c

SHA512
306678f6d23b1af6f324db6ec4d3a9e1d873afe9bc411e39618ada8189803035877e0d7c9cf3e777b4dd229f82ef4da0589ada3326f899bb86396bebc7c121fc

Download Submit
C:\Windows\{DD259CDA-4C28-4bbe-AB29-0F370299719A}.exe

Filesize
216KB

MD5
dd4bc28062f9d7c45b4cc26850e67f93

SHA1
7e0ec0da7a90a2cf9b44ffe8a85cbbc02e4ef91e

SHA256
36bd7a1f3d1a53f78e528a7d24e310bd90737f0d72e079647d3fd28a32fe66f9

SHA512
e4bf0048b85ab1380f7d3fb3da668342508dbbfb9ca8239ab5aa51734f0effe1f01d063b89e417fcc0ba28ab62860c6d8411530d760cd417ec9748ef42c723e4

Download Submit
C:\Windows\{E3B078AF-A28C-4aac-9634-79D72EE5D249}.exe

Filesize
216KB

MD5
379e8149363400a4bd791468f4b49d49

SHA1
a479eda99f020f8e1094b395f9424e8985ceafb2

SHA256
158ab8d1f56a74a4120312fbee238d2699d061d7ff09ae48be82aa37081b76ce

SHA512
e667858b98792f1bc1c267eacca366d8fff24868442707ce8f141e220178da12cc9d71602c98726a23cbdeabf6ae43035ff2eb57fe0aa0c875c52d7bb2f9c58a

Download Submit
C:\Windows\{E532057B-5518-4961-9FB7-E1F5C3BE6B47}.exe

Filesize
216KB

MD5
a60c9da2a95ffa097c81a7eca10e2e91

SHA1
98320e2cd99e596399aa8dafa187cdf605d46926

SHA256
9343d283581768c318d86b00e3d339397ee3ead0e43a0432a619366e3072305c

SHA512
2082410c6c8922b59ab8930946fa86ea7303e51db7ec5439b5b75570752dd85c0c37a18cb15e04cd6eb6ac942928de22535d58088c766aa92b431c9a29625899

Download Submit
C:\Windows\{F10B0416-2D75-4196-92D7-218E7B1ADADE}.exe

Filesize
216KB

MD5
176af37792d1d4b5738a04fbb1f75308

SHA1
bbe5620873999eb021109a4a65944cda8ec2e54c

SHA256
7602d6de1d94f97bc5b9a7779f3edd3202589241894ff272f69f23eb6489b6aa

SHA512
ae4e91b2997d47a8828949859e9675adef6c33836741f3e4ba892c66fa9b2fb4097d85a36dfecc859f2d39df70823cdd263b9594d6f564760c53e3db1b21def1

Download Submit
C:\Windows\{F7260D74-9586-4a3a-B17F-FCF6512E23C9}.exe

Filesize
216KB

MD5
a1174cec24ab6e11d61d434318bcf950

SHA1
25799c9ba805d6274b68faad0dc92e9b915db0f9

SHA256
2c289506320cce4975c8c7a67e8afcb9a7e9fa348ad8089f4d8915999bdccaab

SHA512
e619bd10a077f027d4c6e4e41f7c4ca28106c7241acb3baf89c4e3e26bfcd02f8ef78d99d9c5c1dc13860594141f247122b3732e23ce3b01905c83287f4fbf91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads