0eb49b8b1e9c09d4dac3d001b58b35c668ac760fd4fd27c024e004cde26c3104

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Size

216KB
MD5

0b1b517e5ce6791ff2124e7be863bb3f
SHA1

76be8dcf7f09e0c7b09a9cbacb12d2118af12145
SHA256

0eb49b8b1e9c09d4dac3d001b58b35c668ac760fd4fd27c024e004cde26c3104
SHA512

eb6a62f9791174cd38c5bfab27d0a2f7f0887b6fb875f56ace265863918d8aa43b94f66ee325af9abc06e005f9471e65556b69282dadbd53152b289b1e3bfeca
SSDEEP

3072:jEGh0o6l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGklEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00110000000231f5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231fc-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023203-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fc-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00465C44-9458-4aaf-918E-14DB0B21265F}	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}\stubpath = "C:\\Windows\\{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe"	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86993534-DC6D-4537-9D00-D20B05D37B15}	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}\stubpath = "C:\\Windows\\{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe"	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F777DF2F-B608-4693-BEE0-E2F238786022}	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F777DF2F-B608-4693-BEE0-E2F238786022}\stubpath = "C:\\Windows\\{F777DF2F-B608-4693-BEE0-E2F238786022}.exe"	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}\stubpath = "C:\\Windows\\{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe"	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}\stubpath = "C:\\Windows\\{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe"	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72CCA76B-7635-4a66-A9CC-086A979B695B}	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}\stubpath = "C:\\Windows\\{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe"	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78D79B3B-595E-4a54-8254-EC36F582DD62}	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665F0220-FE81-4d00-A0DD-DDC472611792}	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665F0220-FE81-4d00-A0DD-DDC472611792}\stubpath = "C:\\Windows\\{665F0220-FE81-4d00-A0DD-DDC472611792}.exe"	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50CF5AD5-6DA3-4b80-9247-C18E8444E508}\stubpath = "C:\\Windows\\{50CF5AD5-6DA3-4b80-9247-C18E8444E508}.exe"	{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50CF5AD5-6DA3-4b80-9247-C18E8444E508}	{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86993534-DC6D-4537-9D00-D20B05D37B15}\stubpath = "C:\\Windows\\{86993534-DC6D-4537-9D00-D20B05D37B15}.exe"	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72CCA76B-7635-4a66-A9CC-086A979B695B}\stubpath = "C:\\Windows\\{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe"	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78D79B3B-595E-4a54-8254-EC36F582DD62}\stubpath = "C:\\Windows\\{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe"	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00465C44-9458-4aaf-918E-14DB0B21265F}\stubpath = "C:\\Windows\\{00465C44-9458-4aaf-918E-14DB0B21265F}.exe"	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe
2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe
1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe
60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe
1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe
4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe
1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe
4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe
4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe
4884	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe
3036	{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe
1420	{50CF5AD5-6DA3-4b80-9247-C18E8444E508}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe
File created	C:\Windows\{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe
File created	C:\Windows\{F777DF2F-B608-4693-BEE0-E2F238786022}.exe	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe
File created	C:\Windows\{00465C44-9458-4aaf-918E-14DB0B21265F}.exe	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe
File created	C:\Windows\{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe
File created	C:\Windows\{50CF5AD5-6DA3-4b80-9247-C18E8444E508}.exe	{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe
File created	C:\Windows\{86993534-DC6D-4537-9D00-D20B05D37B15}.exe	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
File created	C:\Windows\{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe
File created	C:\Windows\{665F0220-FE81-4d00-A0DD-DDC472611792}.exe	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe
File created	C:\Windows\{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe
File created	C:\Windows\{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe
File created	C:\Windows\{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3020	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe
Token: SeIncBasePriorityPrivilege	2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe
Token: SeIncBasePriorityPrivilege	1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe
Token: SeIncBasePriorityPrivilege	60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe
Token: SeIncBasePriorityPrivilege	1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe
Token: SeIncBasePriorityPrivilege	4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe
Token: SeIncBasePriorityPrivilege	1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe
Token: SeIncBasePriorityPrivilege	4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe
Token: SeIncBasePriorityPrivilege	4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe
Token: SeIncBasePriorityPrivilege	4884	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe
Token: SeIncBasePriorityPrivilege	3036	{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 4872	3020	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	95
PID 3020 wrote to memory of 4872	3020	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	95
PID 3020 wrote to memory of 4872	3020	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	95
PID 3020 wrote to memory of 3872	3020	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	96
PID 3020 wrote to memory of 3872	3020	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	96
PID 3020 wrote to memory of 3872	3020	2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe	96
PID 4872 wrote to memory of 2788	4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe	97
PID 4872 wrote to memory of 2788	4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe	97
PID 4872 wrote to memory of 2788	4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe	97
PID 4872 wrote to memory of 1836	4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe	98
PID 4872 wrote to memory of 1836	4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe	98
PID 4872 wrote to memory of 1836	4872	{86993534-DC6D-4537-9D00-D20B05D37B15}.exe	98
PID 2788 wrote to memory of 1888	2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe	101
PID 2788 wrote to memory of 1888	2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe	101
PID 2788 wrote to memory of 1888	2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe	101
PID 2788 wrote to memory of 3684	2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe	100
PID 2788 wrote to memory of 3684	2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe	100
PID 2788 wrote to memory of 3684	2788	{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe	100
PID 1888 wrote to memory of 60	1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe	103
PID 1888 wrote to memory of 60	1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe	103
PID 1888 wrote to memory of 60	1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe	103
PID 1888 wrote to memory of 4012	1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe	102
PID 1888 wrote to memory of 4012	1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe	102
PID 1888 wrote to memory of 4012	1888	{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe	102
PID 60 wrote to memory of 1372	60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe	104
PID 60 wrote to memory of 1372	60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe	104
PID 60 wrote to memory of 1372	60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe	104
PID 60 wrote to memory of 3900	60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe	105
PID 60 wrote to memory of 3900	60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe	105
PID 60 wrote to memory of 3900	60	{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe	105
PID 1372 wrote to memory of 4384	1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe	106
PID 1372 wrote to memory of 4384	1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe	106
PID 1372 wrote to memory of 4384	1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe	106
PID 1372 wrote to memory of 4280	1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe	107
PID 1372 wrote to memory of 4280	1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe	107
PID 1372 wrote to memory of 4280	1372	{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe	107
PID 4384 wrote to memory of 1116	4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe	109
PID 4384 wrote to memory of 1116	4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe	109
PID 4384 wrote to memory of 1116	4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe	109
PID 4384 wrote to memory of 3480	4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe	108
PID 4384 wrote to memory of 3480	4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe	108
PID 4384 wrote to memory of 3480	4384	{F777DF2F-B608-4693-BEE0-E2F238786022}.exe	108
PID 1116 wrote to memory of 4544	1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe	110
PID 1116 wrote to memory of 4544	1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe	110
PID 1116 wrote to memory of 4544	1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe	110
PID 1116 wrote to memory of 1980	1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe	111
PID 1116 wrote to memory of 1980	1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe	111
PID 1116 wrote to memory of 1980	1116	{665F0220-FE81-4d00-A0DD-DDC472611792}.exe	111
PID 4544 wrote to memory of 4964	4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe	112
PID 4544 wrote to memory of 4964	4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe	112
PID 4544 wrote to memory of 4964	4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe	112
PID 4544 wrote to memory of 4520	4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe	113
PID 4544 wrote to memory of 4520	4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe	113
PID 4544 wrote to memory of 4520	4544	{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe	113
PID 4964 wrote to memory of 4884	4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe	114
PID 4964 wrote to memory of 4884	4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe	114
PID 4964 wrote to memory of 4884	4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe	114
PID 4964 wrote to memory of 2644	4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe	115
PID 4964 wrote to memory of 2644	4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe	115
PID 4964 wrote to memory of 2644	4964	{00465C44-9458-4aaf-918E-14DB0B21265F}.exe	115
PID 4884 wrote to memory of 3036	4884	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe	116
PID 4884 wrote to memory of 3036	4884	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe	116
PID 4884 wrote to memory of 3036	4884	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe	116
PID 4884 wrote to memory of 2832	4884	{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_0b1b517e5ce6791ff2124e7be863bb3f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\{86993534-DC6D-4537-9D00-D20B05D37B15}.exe
  C:\Windows\{86993534-DC6D-4537-9D00-D20B05D37B15}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe
    C:\Windows\{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72CCA~1.EXE > nul
      4⤵
      PID:3684
  - - C:\Windows\{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe
      C:\Windows\{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A357~1.EXE > nul
        5⤵
        
        PID:4012
    - - C:\Windows\{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe
        
        C:\Windows\{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
      - C:\Windows\{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe
        
        C:\Windows\{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{F777DF2F-B608-4693-BEE0-E2F238786022}.exe
        
        C:\Windows\{F777DF2F-B608-4693-BEE0-E2F238786022}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F777D~1.EXE > nul
        8⤵
        
        PID:3480
        
        C:\Windows\{665F0220-FE81-4d00-A0DD-DDC472611792}.exe
        
        C:\Windows\{665F0220-FE81-4d00-A0DD-DDC472611792}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe
        
        C:\Windows\{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{00465C44-9458-4aaf-918E-14DB0B21265F}.exe
        
        C:\Windows\{00465C44-9458-4aaf-918E-14DB0B21265F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe
        
        C:\Windows\{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe
        
        C:\Windows\{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\{50CF5AD5-6DA3-4b80-9247-C18E8444E508}.exe
        
        C:\Windows\{50CF5AD5-6DA3-4b80-9247-C18E8444E508}.exe
        13⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{637D3~1.EXE > nul
        13⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94BF2~1.EXE > nul
        12⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00465~1.EXE > nul
        11⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C2CC~1.EXE > nul
        10⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{665F0~1.EXE > nul
        9⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78D79~1.EXE > nul
        7⤵
        
        PID:4280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D060~1.EXE > nul
        6⤵
        
        PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86993~1.EXE > nul
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00465C44-9458-4aaf-918E-14DB0B21265F}.exe

Filesize
216KB

MD5
de80ced36233e49e9793f6a30eca71e5

SHA1
91ff6d0a4248a085f0dfaf7e44c2e33c30c5c54a

SHA256
4cdbce9cfb6d654abc3b94c6313e051e0578be9ea0c8bd6cbea1191da9affb2e

SHA512
597ca8983ee06226a189949691fb1eaee7f29b1e49423b8b4ce2207cee2a96483cca95a7eb13f1d4b49d5d7924dfc75ff17f3f986954605df71b02ce75947a3f

Download Submit
C:\Windows\{50CF5AD5-6DA3-4b80-9247-C18E8444E508}.exe

Filesize
216KB

MD5
8e5d5f999e955992c0302985a0b4a6e4

SHA1
07994c4039a3c74c49fd20880e77d3c2af25a94a

SHA256
b26c56639673cbab2d2a7f563eb2bd0d02e0b2e5b1143f7813913ee8d4afddd2

SHA512
958266a56bed927e0f70dc0e840ee59c695fc2a4dd82680a6d41e4d4bdda9efdac0d761e981060aadbc7363579d5fd4e90d7afe508074133b678604ff2e46291

Download Submit
C:\Windows\{637D39E3-9A85-46ca-B5E2-A75E70DD5F0B}.exe

Filesize
216KB

MD5
4bc8631f1f5273e1e712d625156214fb

SHA1
b4e17ff87a1469a6a69158252f4fd937cdbaac3a

SHA256
9f59d5e48785ff6ba62a7003247ccdca5741e1427ebd24a17b04122ff37be7d4

SHA512
8a6436d4ef6d97d78e13e629bdc15833e4ce142058590ea4c0cf663d669bdfcf2abb97e636d7983c4af6ad8ee809b401967d65554947d3cb6a751ea58a387a0c

Download Submit
C:\Windows\{665F0220-FE81-4d00-A0DD-DDC472611792}.exe

Filesize
216KB

MD5
57900147442cfd315578f68eaf5bf9af

SHA1
14f1b62222fb9b0acd347996ad59210b3e968044

SHA256
fe9b32cade945956ea787e08518764d161a8514f75f8425c6877d690bc0cb9ad

SHA512
4675d6ba485e544e68841c9b4b68ae2c348ed284b5cc5cb7f5731830768b1bff96eaf3a0fb5a1563bf212570f141835bcdd8746afa9e7b9fd66385c4702da7a2

Download Submit
C:\Windows\{6D060CD6-DA33-4f91-9FA3-98C49EB2761F}.exe

Filesize
216KB

MD5
26b43cb7528400a6e13dbe57a9baf8a2

SHA1
5d9b7e87d8918342f9911d49c629625a1827e8e6

SHA256
29d62ddf5729d0bff7eec58b5bf21395e9cebd048097bd39a0adaed9f5427814

SHA512
ea58b05544681aae32b1e6d0f6a95efae8973cd37686685ff2771c09703226a3f4d7fd4fd98f1dc5ad14568725e6dd9514d0f021cafd8239ad73da5e2dea8f3b

Download Submit
C:\Windows\{72CCA76B-7635-4a66-A9CC-086A979B695B}.exe

Filesize
216KB

MD5
b26699da45d3eb7922484e56375a5edf

SHA1
5e765d0c511210e903459b79024595f041bf1191

SHA256
6995119d2057ed4ae6f911985673ba58a2fe65aa548a627fc9bf48219d56abd7

SHA512
3b4b3e5cf2b02ebcb23be81c554bf8dd11029eda38b214dc7ad68d9d7955ae97b5cc90a97ff7d4332543c1517143c93c930f597a667e0322d7bce670f32618bc

Download Submit
C:\Windows\{78D79B3B-595E-4a54-8254-EC36F582DD62}.exe

Filesize
216KB

MD5
fd268a5b7a54093d25f4096befde5ecd

SHA1
deaea2948bf20126ddf4b62e0b9987209cde2e64

SHA256
f65a09f38a97839da1d24eeb6a5ca2866627cc0e3350aa1d61f8bfb7a3096a23

SHA512
a1955471b1c3ec233b167e1423c1cd811438f223aa46d3e717df9a4f3eabd6c767b541cb7029bd9823f85c5ebb30b5409cdd1ddc3b86fd42141a85cac8cf07a5

Download Submit
C:\Windows\{86993534-DC6D-4537-9D00-D20B05D37B15}.exe

Filesize
216KB

MD5
eb6f9d581ef1771ca1bf45e2f0b26e56

SHA1
3da729fbf535967427393588f9319c0a44202ebc

SHA256
61cd358a40c49a4576fc9ff198adbc5a952ee4e3dc25c0f621a52e9e7839e765

SHA512
05bcf2a202b6faf5e5ec6b3e9d9704a1065df628f12968f3f67ff40b5103d870584c7a201e394491b6cc9d8d0849d8ae7f21c3db25b90e2fe7feb853987e482b

Download Submit
C:\Windows\{8A3573D8-BEE2-4069-91D7-7B8BC82C8682}.exe

Filesize
216KB

MD5
69c0ffb1b742ee33e98bb32422c624b3

SHA1
9f820e6665db9c5427586c6f044a9d8d6b1344fd

SHA256
61582fc7df841684c3d789e2143cafa31b579a92dfb05e1607de4b869e7f7a17

SHA512
4956a64f5afec6c55348892afc7f277563529838e8e08d14e2c4039bd7e00d363ca4da201a881eb92afdc44f2b1694dde15ecbced10cc8e3e8e3b0b57455f84c

Download Submit
C:\Windows\{8C2CC884-42DB-4056-8289-E0A3B8F1E0C7}.exe

Filesize
216KB

MD5
81123dd53bf775dd9750625408c9ed6c

SHA1
0b80f09b4882bab1542d4a79604349d7d6566d86

SHA256
087a4526ffdd29f87cf894ea3e5b33ee4c391bc7ae5f8577ef69cb7eacdb32ec

SHA512
9458786c5b3c26db6999ddb46dcc31ef81ec5e430837be4270d111cfe455302d5626a72415147c61e0ae9ed6797b1cab7b5baac76ab85f86e85023ff444b16d5

Download Submit
C:\Windows\{94BF2A44-4FB4-45d3-952E-830EDF78DBAA}.exe

Filesize
216KB

MD5
f0ad9147562fe6e0ccda9923c3551daf

SHA1
6b42de04452dbee46c34a1ce736d54927439d353

SHA256
e3c71de824ea28914e4998d3acc0d0e959116e19944cad18960e34703a38ed94

SHA512
13b8e4429a6ff2fb59f71ef95c6a0ed1cf1f6cf26eab0f46c88d3e36801036cf49a87348d1c6451bb4182afcc03e63a48ed51f1950ca45b294b45f557573f65a

Download Submit
C:\Windows\{F777DF2F-B608-4693-BEE0-E2F238786022}.exe

Filesize
216KB

MD5
face4bb091f7ca2d0b3259b8214cae81

SHA1
dd76d8eb766b726c846eba195a0027f71fb27ba2

SHA256
d97ff382ba0277b2c30315c343e719943552232b96f99fe1f32beed3a5fa7635

SHA512
ea02c33f66fa3cb0244dd7310e1c9303adc7d56a8b112eb2245260de03ab58e094caca83b3e4f402e2a8c61dafff4c09f28c8ba63e275d423418a9d04e24bc88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads