4076d4141213ad312d0d62a19ce284a4f830f7cf7005edf49c7e519abd6b66a6

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 06:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe
Size

380KB
MD5

aa1885f753c988121c934601a73fa4ea
SHA1

b8d53147aba7feb995cc737de2a37158e0c8996b
SHA256

4076d4141213ad312d0d62a19ce284a4f830f7cf7005edf49c7e519abd6b66a6
SHA512

613e3a039cbd68c4b52314030d40ba6c170a7f6b288b7a5b3004355ff256fe80a07e53446fae36e828552d270ec29cb7698eeccce3a448f78ce744c41b3434c9
SSDEEP

3072:mEGh0ollPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002313b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023148-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002314e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023148-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002314e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E607AB-35D2-4714-9789-ADC6D23F6C63}	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E607AB-35D2-4714-9789-ADC6D23F6C63}\stubpath = "C:\\Windows\\{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe"	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}\stubpath = "C:\\Windows\\{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe"	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7134254D-73E0-4a37-9C24-8FA91345F56A}\stubpath = "C:\\Windows\\{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe"	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F721EF48-313F-4061-91F8-87D7693AC5F3}\stubpath = "C:\\Windows\\{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe"	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{595C6EC8-6853-4611-AE3D-031EB72C65F3}\stubpath = "C:\\Windows\\{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe"	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F721EF48-313F-4061-91F8-87D7693AC5F3}	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C635408C-CBEB-4f82-AC71-6113005C20D1}	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A7CCE67-E123-47c2-A345-F203B8AACC75}\stubpath = "C:\\Windows\\{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe"	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}\stubpath = "C:\\Windows\\{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}.exe"	{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{595C6EC8-6853-4611-AE3D-031EB72C65F3}	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95CD1FC3-5090-4277-8740-F9388029E5D4}\stubpath = "C:\\Windows\\{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe"	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFE0F966-986B-49cb-B33A-10D5AD745E86}\stubpath = "C:\\Windows\\{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe"	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95CD1FC3-5090-4277-8740-F9388029E5D4}	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFE0F966-986B-49cb-B33A-10D5AD745E86}	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A7CCE67-E123-47c2-A345-F203B8AACC75}	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C635408C-CBEB-4f82-AC71-6113005C20D1}\stubpath = "C:\\Windows\\{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe"	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}\stubpath = "C:\\Windows\\{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe"	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7134254D-73E0-4a37-9C24-8FA91345F56A}	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}\stubpath = "C:\\Windows\\{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe"	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}	{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe
436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe
3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe
888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe
2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe
2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe
796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe
4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe
3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe
4444	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe
4480	{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe
5092	{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe
File created	C:\Windows\{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe
File created	C:\Windows\{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe
File created	C:\Windows\{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe
File created	C:\Windows\{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe
File created	C:\Windows\{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe
File created	C:\Windows\{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}.exe	{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe
File created	C:\Windows\{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe
File created	C:\Windows\{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe
File created	C:\Windows\{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe
File created	C:\Windows\{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe
File created	C:\Windows\{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1800	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe
Token: SeIncBasePriorityPrivilege	436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe
Token: SeIncBasePriorityPrivilege	3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe
Token: SeIncBasePriorityPrivilege	888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe
Token: SeIncBasePriorityPrivilege	2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe
Token: SeIncBasePriorityPrivilege	2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe
Token: SeIncBasePriorityPrivilege	796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe
Token: SeIncBasePriorityPrivilege	4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe
Token: SeIncBasePriorityPrivilege	3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe
Token: SeIncBasePriorityPrivilege	4444	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe
Token: SeIncBasePriorityPrivilege	4480	{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4104	1800	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe	86
PID 1800 wrote to memory of 4104	1800	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe	86
PID 1800 wrote to memory of 4104	1800	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe	86
PID 1800 wrote to memory of 1900	1800	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe	87
PID 1800 wrote to memory of 1900	1800	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe	87
PID 1800 wrote to memory of 1900	1800	2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe	87
PID 4104 wrote to memory of 436	4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe	93
PID 4104 wrote to memory of 436	4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe	93
PID 4104 wrote to memory of 436	4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe	93
PID 4104 wrote to memory of 1356	4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe	94
PID 4104 wrote to memory of 1356	4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe	94
PID 4104 wrote to memory of 1356	4104	{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe	94
PID 436 wrote to memory of 3532	436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe	96
PID 436 wrote to memory of 3532	436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe	96
PID 436 wrote to memory of 3532	436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe	96
PID 436 wrote to memory of 1400	436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe	97
PID 436 wrote to memory of 1400	436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe	97
PID 436 wrote to memory of 1400	436	{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe	97
PID 3532 wrote to memory of 888	3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe	98
PID 3532 wrote to memory of 888	3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe	98
PID 3532 wrote to memory of 888	3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe	98
PID 3532 wrote to memory of 4752	3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe	99
PID 3532 wrote to memory of 4752	3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe	99
PID 3532 wrote to memory of 4752	3532	{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe	99
PID 888 wrote to memory of 2892	888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe	100
PID 888 wrote to memory of 2892	888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe	100
PID 888 wrote to memory of 2892	888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe	100
PID 888 wrote to memory of 4548	888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe	101
PID 888 wrote to memory of 4548	888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe	101
PID 888 wrote to memory of 4548	888	{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe	101
PID 2892 wrote to memory of 2976	2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe	102
PID 2892 wrote to memory of 2976	2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe	102
PID 2892 wrote to memory of 2976	2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe	102
PID 2892 wrote to memory of 1436	2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe	103
PID 2892 wrote to memory of 1436	2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe	103
PID 2892 wrote to memory of 1436	2892	{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe	103
PID 2976 wrote to memory of 796	2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe	104
PID 2976 wrote to memory of 796	2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe	104
PID 2976 wrote to memory of 796	2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe	104
PID 2976 wrote to memory of 2028	2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe	105
PID 2976 wrote to memory of 2028	2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe	105
PID 2976 wrote to memory of 2028	2976	{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe	105
PID 796 wrote to memory of 4608	796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe	106
PID 796 wrote to memory of 4608	796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe	106
PID 796 wrote to memory of 4608	796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe	106
PID 796 wrote to memory of 2648	796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe	107
PID 796 wrote to memory of 2648	796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe	107
PID 796 wrote to memory of 2648	796	{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe	107
PID 4608 wrote to memory of 3752	4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe	108
PID 4608 wrote to memory of 3752	4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe	108
PID 4608 wrote to memory of 3752	4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe	108
PID 4608 wrote to memory of 1752	4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe	109
PID 4608 wrote to memory of 1752	4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe	109
PID 4608 wrote to memory of 1752	4608	{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe	109
PID 3752 wrote to memory of 4444	3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe	110
PID 3752 wrote to memory of 4444	3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe	110
PID 3752 wrote to memory of 4444	3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe	110
PID 3752 wrote to memory of 4824	3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe	111
PID 3752 wrote to memory of 4824	3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe	111
PID 3752 wrote to memory of 4824	3752	{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe	111
PID 4444 wrote to memory of 4480	4444	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe	112
PID 4444 wrote to memory of 4480	4444	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe	112
PID 4444 wrote to memory of 4480	4444	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe	112
PID 4444 wrote to memory of 868	4444	{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_aa1885f753c988121c934601a73fa4ea_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe
  C:\Windows\{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe
    C:\Windows\{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe
      C:\Windows\{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe
        
        C:\Windows\{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:888
      - C:\Windows\{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe
        
        C:\Windows\{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe
        
        C:\Windows\{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe
        
        C:\Windows\{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe
        
        C:\Windows\{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe
        
        C:\Windows\{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe
        
        C:\Windows\{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe
        
        C:\Windows\{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}.exe
        
        C:\Windows\{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}.exe
        13⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6354~1.EXE > nul
        13⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A7CC~1.EXE > nul
        12⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65DCF~1.EXE > nul
        11⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86E60~1.EXE > nul
        10⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE0F~1.EXE > nul
        9⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95CD1~1.EXE > nul
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{595C6~1.EXE > nul
        7⤵
        
        PID:1436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1375~1.EXE > nul
        6⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F721E~1.EXE > nul
        5⤵
        
        PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{71342~1.EXE > nul
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AF13D~1.EXE > nul
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{50BF8BB1-3AA4-4911-84B8-920CD0AC5C21}.exe

Filesize
380KB

MD5
ac2a6fac0933dba3c9e9d3aab63d1553

SHA1
0118ba88a71646743d6946dd1c95f76023a7ccbc

SHA256
64740739abade0199d59cc49cb08e8b6c868f3d1e4288ffc92e06bb26f04c021

SHA512
fdbc82d6ba757e8983a9ae95369b78b5c80f0b87597e726195f1bb323a9849b28614fc1771f4c4694f219062da420999c9ebfa53ff27ebfed47f05636f890c37

Download Submit
C:\Windows\{595C6EC8-6853-4611-AE3D-031EB72C65F3}.exe

Filesize
380KB

MD5
baccc28001e9bd70d77c263536fc6ada

SHA1
3aa4852c831c9330abfce18c02245a4da03e5cbf

SHA256
6397421db64b154c84438fa0c5905add4ba36efe94d8f518787657e83ba459d0

SHA512
1bdb0883d063494fa56447b3249fcebb4838a2d683022cf839db45bd371c72d0ddd24f6ebddcf9859dfb86f8aee13614c963baedfd7e66298232c2cc6e26f220

Download Submit
C:\Windows\{5A7CCE67-E123-47c2-A345-F203B8AACC75}.exe

Filesize
380KB

MD5
bcaee57b9361e29c8db1af301d73885b

SHA1
7f7415ba0955fff28974d9d41380936b9d7a2adb

SHA256
9b79a0d2ba62211dd7b55f4927c39707570e6d863c0223780e68c57932703512

SHA512
3777e894b32229cc88e525607f9387e62ea6984805f1b51f622b0bcfc86eb771b937dc4f42c6b69a193b6e5d78530111dad5e912006751663ae6027cdd6aaa8e

Download Submit
C:\Windows\{65DCFABA-E1AF-4e30-B368-95F9DAE1A69E}.exe

Filesize
380KB

MD5
e6ee933112275cd72b53c5ea5d2de5a4

SHA1
7ab73515b3a462e700a45b7df1c10847a801069f

SHA256
ac3233967700960d85c818c4506c5ef62cc16ab9035fc949280f6b257a181488

SHA512
c1bcc632c0d23816a09a2c0d2eef13e06f5a11e9dffbab90f434b1259806a703f96a7f067ba512569a9193e6ec60e9666c57389a56a2d1ebf1a6c627aabf5a1b

Download Submit
C:\Windows\{7134254D-73E0-4a37-9C24-8FA91345F56A}.exe

Filesize
380KB

MD5
43849bf0df09ac7e39d1760b018b632f

SHA1
8c0df7f17877412611010315a09f3889ae9419c2

SHA256
25309c2db8919aeb5dd731300364ebb33d12e1a34eab1894377c43df6de2c863

SHA512
642c3cbc2174091b69dd1a14625e47389e00e7b328dce4e85427b036b2c946cf2e5df3aa4d1f8dacb7cd85e9f5f4a1c45d94c04a5c83724ea8d7ecad0e5fb7f1

Download Submit
C:\Windows\{86E607AB-35D2-4714-9789-ADC6D23F6C63}.exe

Filesize
380KB

MD5
d87047ffb398a4fe240d6bc6695c29f2

SHA1
557c9d1f4d94bf48a2c39de2b8e4547e4cc20216

SHA256
484eae729dc8a986df1c4da8b1aa4193104c8b486eafc8be89f6af1afbb0f4c6

SHA512
676d3c237be4d9505047eda8d38a1907da809ab89116d4aba94be7392a2a07617431cd820a08fc08b1cb28c8b9f0d62453e2658ab7db560c6ac4ccac61cb6ec2

Download Submit
C:\Windows\{95CD1FC3-5090-4277-8740-F9388029E5D4}.exe

Filesize
380KB

MD5
c0f31690cfa1569c58c946bd52de98cb

SHA1
9195da618e3a849832fe937a1c54313113e5e7e2

SHA256
820b35bbb7367b00c9e9a064db38e9b3ff3b0a4824b1d2c368c55fe77adcabe2

SHA512
58e547520a690357ef3ff3db1fdedfe091854b2ccb62d26925064a89fac0bad5b2d705c072f6027a6eb9bb0b73a456a78b222ab254da3cb6127d7b3e84362b59

Download Submit
C:\Windows\{A1375F9C-D63A-49c7-B663-1A81F03FDC2A}.exe

Filesize
380KB

MD5
6d643916069e843ccc0e189ee8a50eb2

SHA1
e80cd507e83911e64c294a7ae76dc3cb5a86e689

SHA256
bbb2529750c53a53ff512d0183b8ba7b9ecd675e2b584bd3324834ad0ff1af04

SHA512
5f40bbc144bd0a43c97b35e8fe2ec0763a40349bf3278b54b012c491623b1d0e8a7ef2ffb546e9fa31ba009b91198f50b7fcb7861f54201294e64e669f8c4587

Download Submit
C:\Windows\{AF13D0B3-377E-4daa-BA45-B324DECAF2E0}.exe

Filesize
380KB

MD5
47c1c84ce12afab8c01404381c50cab1

SHA1
97d9e74013a27e56d22f85985674d669e11df0cb

SHA256
da67d4d547ac69777be886289595981d42d9abc69528c3c396025f9ec82f59fa

SHA512
e7ab83d289c20f93a263dbf387b5728bbe979568ece9ce478d0d19e8344d0b998553eeb9f6ad3727a448d80aafa5b2bcc0b712098c5c58bdec99a8ae230b8fde

Download Submit
C:\Windows\{C635408C-CBEB-4f82-AC71-6113005C20D1}.exe

Filesize
380KB

MD5
508dca34aa1a35a3b8f7de35810a6bf0

SHA1
7605661bd9eec4dfd5368944fbd2534af76a3450

SHA256
2f86a14c8afd4389a17d94c7a71531be60306669ad1144e64a15f33c507393e6

SHA512
f33e17af2dc459974fa6761f28d7715b2bed084b4fde44bc75401deabcd47dc3d22ef67c0c2b44f7d4023b46a5bdbd3cbc72a61d7bb42c150b49e77f4fd163ba

Download Submit
C:\Windows\{F721EF48-313F-4061-91F8-87D7693AC5F3}.exe

Filesize
380KB

MD5
073fbcf428c6a988556599ee74bd649a

SHA1
ca996bd11126f22f350ca4bc3b7b910ac9c78238

SHA256
ae561672267b8b4257630bff186c015597cba4ca13c9a1819c24d6f945ab4493

SHA512
70b3ea53bcac7af0f3d0347fef1a671773ade1ed875e8480d0e3dccfd2aeb8bd2874862cf0d796fe92cd7446914c569aa1fe869dab888ee55c533c540826b274

Download Submit
C:\Windows\{FFE0F966-986B-49cb-B33A-10D5AD745E86}.exe

Filesize
380KB

MD5
38f8af7b91e7bb69bcb2d264de8342f5

SHA1
e20d0740a3912bacc1be19becba315b29af3a232

SHA256
a7cd665132ea1e14405d8f967910d7698fa4de571ac49ac97e1e388d5cc45b0a

SHA512
bdfff2435194c320131f84ceb019204db1162128c11a465a1953a5526b4199b802407f6784aed22e2780d0f7c7a12720ba126083b93b2ee56fb0c6b5b97577ef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads