5ffdf5e37692b1b1316b8e8e112ae5b2bef04d2e4073af4aa16268be0d16f702

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
Size

197KB
MD5

d8fba6b8bd61293524fbbb30b58a026a
SHA1

3089586e7b948bb9a8d6c69279d657529951fa0e
SHA256

5ffdf5e37692b1b1316b8e8e112ae5b2bef04d2e4073af4aa16268be0d16f702
SHA512

25097454762d3e30bd562b9f1d63886d99ede667840c5a77b572b8aac985d8122fb6b4c4014d41b9e16e656d2a6527b9603c522a9cb2242b7591d776cc125a3a
SSDEEP

3072:jEGh0oLl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGFlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000231fd-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023204-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231fd-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c1-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}\stubpath = "C:\\Windows\\{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe"	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DB33159-2AC9-43a2-A143-2660710578F2}	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A48643B9-32BC-46a3-900F-B0116A5744EF}\stubpath = "C:\\Windows\\{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe"	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2591A5FC-51DC-4e82-A963-C06E5290D0DB}	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2591A5FC-51DC-4e82-A963-C06E5290D0DB}\stubpath = "C:\\Windows\\{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe"	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36561831-BB53-4540-88DE-1D18C5C44C42}\stubpath = "C:\\Windows\\{36561831-BB53-4540-88DE-1D18C5C44C42}.exe"	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DA457A3-A700-4032-8EAA-64F9C28382FA}\stubpath = "C:\\Windows\\{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe"	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FBA209-6C6D-434d-9689-47644BD5516D}\stubpath = "C:\\Windows\\{28FBA209-6C6D-434d-9689-47644BD5516D}.exe"	{36561831-BB53-4540-88DE-1D18C5C44C42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FBA209-6C6D-434d-9689-47644BD5516D}	{36561831-BB53-4540-88DE-1D18C5C44C42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{142A9CF3-7203-45db-906F-64D52CE0B945}\stubpath = "C:\\Windows\\{142A9CF3-7203-45db-906F-64D52CE0B945}.exe"	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A48643B9-32BC-46a3-900F-B0116A5744EF}	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACCFA81D-AB31-435c-82DB-B59C588990AB}\stubpath = "C:\\Windows\\{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe"	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E41B33A-8209-4143-A3A5-15A00F9935A8}	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}\stubpath = "C:\\Windows\\{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe"	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}\stubpath = "C:\\Windows\\{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe"	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{142A9CF3-7203-45db-906F-64D52CE0B945}	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACCFA81D-AB31-435c-82DB-B59C588990AB}	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E41B33A-8209-4143-A3A5-15A00F9935A8}\stubpath = "C:\\Windows\\{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe"	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DB33159-2AC9-43a2-A143-2660710578F2}\stubpath = "C:\\Windows\\{7DB33159-2AC9-43a2-A143-2660710578F2}.exe"	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36561831-BB53-4540-88DE-1D18C5C44C42}	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DA457A3-A700-4032-8EAA-64F9C28382FA}	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe
3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe
3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe
3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe
3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe
1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe
4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe
4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe
1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe
3064	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe
2928	{36561831-BB53-4540-88DE-1D18C5C44C42}.exe
876	{28FBA209-6C6D-434d-9689-47644BD5516D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{36561831-BB53-4540-88DE-1D18C5C44C42}.exe	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe
File created	C:\Windows\{28FBA209-6C6D-434d-9689-47644BD5516D}.exe	{36561831-BB53-4540-88DE-1D18C5C44C42}.exe
File created	C:\Windows\{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe
File created	C:\Windows\{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe
File created	C:\Windows\{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe
File created	C:\Windows\{7DB33159-2AC9-43a2-A143-2660710578F2}.exe	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe
File created	C:\Windows\{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe
File created	C:\Windows\{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe
File created	C:\Windows\{142A9CF3-7203-45db-906F-64D52CE0B945}.exe	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe
File created	C:\Windows\{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
File created	C:\Windows\{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe
File created	C:\Windows\{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4776	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe
Token: SeIncBasePriorityPrivilege	3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe
Token: SeIncBasePriorityPrivilege	3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe
Token: SeIncBasePriorityPrivilege	3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe
Token: SeIncBasePriorityPrivilege	3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe
Token: SeIncBasePriorityPrivilege	1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe
Token: SeIncBasePriorityPrivilege	4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe
Token: SeIncBasePriorityPrivilege	4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe
Token: SeIncBasePriorityPrivilege	1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe
Token: SeIncBasePriorityPrivilege	3064	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe
Token: SeIncBasePriorityPrivilege	2928	{36561831-BB53-4540-88DE-1D18C5C44C42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 5024	4776	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	90
PID 4776 wrote to memory of 5024	4776	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	90
PID 4776 wrote to memory of 5024	4776	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	90
PID 4776 wrote to memory of 4536	4776	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	91
PID 4776 wrote to memory of 4536	4776	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	91
PID 4776 wrote to memory of 4536	4776	2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe	91
PID 5024 wrote to memory of 3868	5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe	94
PID 5024 wrote to memory of 3868	5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe	94
PID 5024 wrote to memory of 3868	5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe	94
PID 5024 wrote to memory of 4708	5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe	95
PID 5024 wrote to memory of 4708	5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe	95
PID 5024 wrote to memory of 4708	5024	{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe	95
PID 3868 wrote to memory of 3024	3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe	98
PID 3868 wrote to memory of 3024	3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe	98
PID 3868 wrote to memory of 3024	3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe	98
PID 3868 wrote to memory of 3060	3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe	97
PID 3868 wrote to memory of 3060	3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe	97
PID 3868 wrote to memory of 3060	3868	{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe	97
PID 3024 wrote to memory of 3916	3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe	100
PID 3024 wrote to memory of 3916	3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe	100
PID 3024 wrote to memory of 3916	3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe	100
PID 3024 wrote to memory of 544	3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe	99
PID 3024 wrote to memory of 544	3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe	99
PID 3024 wrote to memory of 544	3024	{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe	99
PID 3916 wrote to memory of 3428	3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe	102
PID 3916 wrote to memory of 3428	3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe	102
PID 3916 wrote to memory of 3428	3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe	102
PID 3916 wrote to memory of 2948	3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe	101
PID 3916 wrote to memory of 2948	3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe	101
PID 3916 wrote to memory of 2948	3916	{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe	101
PID 3428 wrote to memory of 1632	3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe	103
PID 3428 wrote to memory of 1632	3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe	103
PID 3428 wrote to memory of 1632	3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe	103
PID 3428 wrote to memory of 3372	3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe	104
PID 3428 wrote to memory of 3372	3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe	104
PID 3428 wrote to memory of 3372	3428	{7DB33159-2AC9-43a2-A143-2660710578F2}.exe	104
PID 1632 wrote to memory of 4364	1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe	105
PID 1632 wrote to memory of 4364	1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe	105
PID 1632 wrote to memory of 4364	1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe	105
PID 1632 wrote to memory of 1744	1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe	106
PID 1632 wrote to memory of 1744	1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe	106
PID 1632 wrote to memory of 1744	1632	{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe	106
PID 4364 wrote to memory of 4568	4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe	107
PID 4364 wrote to memory of 4568	4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe	107
PID 4364 wrote to memory of 4568	4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe	107
PID 4364 wrote to memory of 2996	4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe	108
PID 4364 wrote to memory of 2996	4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe	108
PID 4364 wrote to memory of 2996	4364	{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe	108
PID 4568 wrote to memory of 1676	4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe	109
PID 4568 wrote to memory of 1676	4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe	109
PID 4568 wrote to memory of 1676	4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe	109
PID 4568 wrote to memory of 788	4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe	110
PID 4568 wrote to memory of 788	4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe	110
PID 4568 wrote to memory of 788	4568	{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe	110
PID 1676 wrote to memory of 3064	1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe	111
PID 1676 wrote to memory of 3064	1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe	111
PID 1676 wrote to memory of 3064	1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe	111
PID 1676 wrote to memory of 1740	1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe	112
PID 1676 wrote to memory of 1740	1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe	112
PID 1676 wrote to memory of 1740	1676	{142A9CF3-7203-45db-906F-64D52CE0B945}.exe	112
PID 3064 wrote to memory of 2928	3064	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe	113
PID 3064 wrote to memory of 2928	3064	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe	113
PID 3064 wrote to memory of 2928	3064	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe	113
PID 3064 wrote to memory of 3996	3064	{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_d8fba6b8bd61293524fbbb30b58a026a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe
  C:\Windows\{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe
    C:\Windows\{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ACCFA~1.EXE > nul
      4⤵
      PID:3060
  - - C:\Windows\{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe
      C:\Windows\{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E41B~1.EXE > nul
        5⤵
        
        PID:544
    - - C:\Windows\{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe
        
        C:\Windows\{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F813~1.EXE > nul
        6⤵
        
        PID:2948
      - C:\Windows\{7DB33159-2AC9-43a2-A143-2660710578F2}.exe
        
        C:\Windows\{7DB33159-2AC9-43a2-A143-2660710578F2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe
        
        C:\Windows\{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe
        
        C:\Windows\{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe
        
        C:\Windows\{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\{142A9CF3-7203-45db-906F-64D52CE0B945}.exe
        
        C:\Windows\{142A9CF3-7203-45db-906F-64D52CE0B945}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe
        
        C:\Windows\{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{36561831-BB53-4540-88DE-1D18C5C44C42}.exe
        
        C:\Windows\{36561831-BB53-4540-88DE-1D18C5C44C42}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\{28FBA209-6C6D-434d-9689-47644BD5516D}.exe
        
        C:\Windows\{28FBA209-6C6D-434d-9689-47644BD5516D}.exe
        13⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36561~1.EXE > nul
        13⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2591A~1.EXE > nul
        12⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{142A9~1.EXE > nul
        11⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF516~1.EXE > nul
        10⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6923E~1.EXE > nul
        9⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4864~1.EXE > nul
        8⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DB33~1.EXE > nul
        7⤵
        
        PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8DA45~1.EXE > nul
    3⤵
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{142A9CF3-7203-45db-906F-64D52CE0B945}.exe

Filesize
197KB

MD5
bf2518cdc7aa98d0ad4ddc6d1b68772a

SHA1
b2bcede77fd600a03b43c34d916acc46944b336d

SHA256
e8091743a7db45c7df4abaf1021d8a9611498a675597ce8f9269f44400a1e6b7

SHA512
baa6147d240ee0905207ca151e5d7f06c2ddb06fc4abd78d96f11d265de689bf60600ba378851d267f2ea4607ada0c438a9d84b8e42f2943715c7970f352a637

Download Submit
C:\Windows\{2591A5FC-51DC-4e82-A963-C06E5290D0DB}.exe

Filesize
197KB

MD5
143c71009e345bfc44cda39eea9a9e98

SHA1
5020d146385f77c8a78a1f81934c50bd36a35cc6

SHA256
e64e2d850e01cf87d96934993a337b49d54480f6be584e2f13fd167553380e82

SHA512
6cd3815c15150f69ac35239d78eee9c814b7583b34f0371148954bea55c1cc98244e8d5061a2a1375d6279b069aa260a7ba264b579a45790f6ce0bb18a92a7a3

Download Submit
C:\Windows\{28FBA209-6C6D-434d-9689-47644BD5516D}.exe

Filesize
197KB

MD5
ab87f01a407924d487afffd31058b1fa

SHA1
703c32843364f008834dcaba0efff39da8c05133

SHA256
8ef70e895fbf176977713f90a54a74dd859b33834417420b3a8b2c810b449c29

SHA512
ff3335d9c05c399f1bd98870dd1ff48de61f09054ca0cea04cc67618688ac9c6252e91fca0e7d20610ce6df789ccf6f57f49d1e48e178a6dc8c0b8aee1416e5f

Download Submit
C:\Windows\{36561831-BB53-4540-88DE-1D18C5C44C42}.exe

Filesize
197KB

MD5
ad0e67df47ec98571472cc79157a9e0e

SHA1
5ce6b8148ac45ce7f9e53f452ce2398e5e5589f4

SHA256
cd95d21a3948d27a58e92fb742644e6bb5cbf67e4bf30b11bd025bf755618368

SHA512
cf0ef8663ae98315b12e22993875f72ba92da702ba3f2696f100ae33c74ffde87c492db3eb49a3062df01408528feeb116bd1d097c41aae8f7df5b275969c4cb

Download Submit
C:\Windows\{5E41B33A-8209-4143-A3A5-15A00F9935A8}.exe

Filesize
197KB

MD5
dd1927dd27f09c1a47dd6188b4b14ddb

SHA1
b501cde06df2ec53fcd0f65a4d1eff549937256a

SHA256
e9d7995ccae6228f9423e01d99b6e9cf1a32f9b472bd7a94e4f88518c526605b

SHA512
41f5eefe6f0a98c196c9bc86a1b4e9233297a7e20b7955ff644ababeb83ab34aa8b89cb7f454b69e3c9652a3e9fbaacdcdd321fb1db69390285b15e504626f2f

Download Submit
C:\Windows\{6923E0CE-840B-40e7-8DBC-29FC30E49A9B}.exe

Filesize
197KB

MD5
16b019a345baf06c8fb0e1443b633ecf

SHA1
c9699fc67bdbbc3dbc9ed2230f81861cfefafcd5

SHA256
80055183327cf0123ffc764f52430a990a7df0e3c2756589336aa0b8cd55495c

SHA512
2776684656ef4b33fae8152165858082cb3efa9802a10d3d03925f34e1348c88e365ea7bee56d15b965714a7c34e1076b8cf64b458b700b08a4fb87a3830cfd1

Download Submit
C:\Windows\{7DB33159-2AC9-43a2-A143-2660710578F2}.exe

Filesize
197KB

MD5
4e0fb4def62e826e0e9b328c6d6fa9bd

SHA1
e73cf11efb2987cbd36c328525ee59ad6777e29d

SHA256
8db7d472588a2d305eab6196c50adbddff8601917274ca264cd08a0d777ad811

SHA512
2db8d95ff649508d95ceba7400ed5d63e93f4f18d61f2fb342abee2f18cf42cf2131635d1a58ca131a35697f9dc991f8b51185736393f9ae3ec6b77bfd8d54c8

Download Submit
C:\Windows\{7F8134D3-C8AD-4fed-875E-2B49876DBFF8}.exe

Filesize
197KB

MD5
53b35357fac5c7e4292180eec49178fd

SHA1
a3ca171137c635eb9de3d3508de391e83e5500d3

SHA256
7b26847f96a8312b56e289c2399ec097084252e7326ee69203b00e618062f838

SHA512
1a6c693b92cfa5490c5652f383b8d55038347f73e61f970845358f9491ca1707fb543704618ce7656ec19f93f669a3625c4ddf7aca03698f503465e4f30cf119

Download Submit
C:\Windows\{8DA457A3-A700-4032-8EAA-64F9C28382FA}.exe

Filesize
197KB

MD5
ba6a7520eb55171f9c1fa08bb9585c44

SHA1
d8ddc1db2a6ab98946ccc7cf87bc6d0e67682f95

SHA256
2fb3be34ea7f49c41582e2ead9efb2914965cde35b5d6727af6f7f9d73cc5d05

SHA512
f3ead82b817065d1db1d5813beece2185493656a9335afe71e6e2371d1ca7f154018c8056604b4f5110ad0363429329311cf20fbe0b92cab46eae430f2569167

Download Submit
C:\Windows\{A48643B9-32BC-46a3-900F-B0116A5744EF}.exe

Filesize
197KB

MD5
a6203f36e7e25422db3495a8d809e1e5

SHA1
7817aa760c70b283250f0c938f1c579bbe4a3c72

SHA256
6e689f33ab6ab3c6aee6c86e4b42755e092de2b75c1a656c929104963e28c8d4

SHA512
26d21dabc7f3be26f1b533dc4947073445d51ce1baaf201e4b7af60984dd3b6f5c29f75cd6541dd3904d57697428c27219d1b905f5cf636b29c864c1e7a1cf72

Download Submit
C:\Windows\{ACCFA81D-AB31-435c-82DB-B59C588990AB}.exe

Filesize
197KB

MD5
683d4f5750b283fd8302ec8f9fa0b5f9

SHA1
aed4434f62229f967123510560c801c7b21f7a97

SHA256
aeb8650af96429b6331bf4eed78acfcccde87c5fe104da50abdb781acf8d007b

SHA512
45e935ef796783870d76b4aba502441062e94f6dee74ee66d48ea14fd10221bce54ee8fad00d5365b61143f0479184f6673a2c922ba494063474e06ceecb8643

Download Submit
C:\Windows\{EF516B1B-3E51-43ed-AB32-A23FE6BA20DD}.exe

Filesize
197KB

MD5
7cbe3f1c20d8e43d851e7894e6a023f7

SHA1
548deba499227c32e32961fcf9b520d8467f2ccf

SHA256
5326547647005ab6a1b1ecd6ad83dbfdb0904f18d24034609f3cd64524ca81c6

SHA512
10ad7726313f05d2bb032c6b7b81945bb3128cf1621e65a1b1884a789ec7eb5a2f9a8479846eb68c2e4d86889b47b78d40df46ec00b146276304e0d48dc74ad4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads