efb49573a70dd746dafd3a71e696afcc94534de6f12ffd9b20e743fb231a2fd4

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Size

216KB
MD5

5a9169891ded4607a2407de402ba40d3
SHA1

2f9e5274b36ba565110b46c809e78bb274533ac2
SHA256

efb49573a70dd746dafd3a71e696afcc94534de6f12ffd9b20e743fb231a2fd4
SHA512

207a7f04e599603ab580ae808aec0ec1263b199ef43360298b8f9008bcfc031870a5e02a4729ae181f8319f772a3acd9e0f292d4ed491c107be16066312650cc
SSDEEP

3072:jEGh0oOl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGYlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023234-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023229-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023229-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}	{6E2211E3-177E-48da-9311-730177852F2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}\stubpath = "C:\\Windows\\{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe"	{6E2211E3-177E-48da-9311-730177852F2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1200170B-F30B-44d5-9C0F-31575BF4F4DC}	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}\stubpath = "C:\\Windows\\{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe"	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}\stubpath = "C:\\Windows\\{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe"	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}\stubpath = "C:\\Windows\\{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe"	{433D498C-E139-4126-A019-31C01A3AC798}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2211E3-177E-48da-9311-730177852F2C}\stubpath = "C:\\Windows\\{6E2211E3-177E-48da-9311-730177852F2C}.exe"	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8281F16A-842B-4b5a-B7B5-049126AA98C6}	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66BEDE59-05DD-4934-937F-6F994F5596CA}	{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{433D498C-E139-4126-A019-31C01A3AC798}\stubpath = "C:\\Windows\\{433D498C-E139-4126-A019-31C01A3AC798}.exe"	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}	{433D498C-E139-4126-A019-31C01A3AC798}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E736A3E-12D6-484d-BE96-663704FE689F}	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E736A3E-12D6-484d-BE96-663704FE689F}\stubpath = "C:\\Windows\\{1E736A3E-12D6-484d-BE96-663704FE689F}.exe"	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A22DD8A-7930-4278-B520-9EBB792B5CFA}	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}\stubpath = "C:\\Windows\\{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe"	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2211E3-177E-48da-9311-730177852F2C}	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8281F16A-842B-4b5a-B7B5-049126AA98C6}\stubpath = "C:\\Windows\\{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe"	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66BEDE59-05DD-4934-937F-6F994F5596CA}\stubpath = "C:\\Windows\\{66BEDE59-05DD-4934-937F-6F994F5596CA}.exe"	{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A22DD8A-7930-4278-B520-9EBB792B5CFA}\stubpath = "C:\\Windows\\{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe"	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{433D498C-E139-4126-A019-31C01A3AC798}	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1200170B-F30B-44d5-9C0F-31575BF4F4DC}\stubpath = "C:\\Windows\\{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe"	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe
2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe
2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe
2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe
2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe
3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe
3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe
260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe
1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe
4504	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe
3492	{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe
3392	{66BEDE59-05DD-4934-937F-6F994F5596CA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe
File created	C:\Windows\{433D498C-E139-4126-A019-31C01A3AC798}.exe	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe
File created	C:\Windows\{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe	{433D498C-E139-4126-A019-31C01A3AC798}.exe
File created	C:\Windows\{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe	{6E2211E3-177E-48da-9311-730177852F2C}.exe
File created	C:\Windows\{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe
File created	C:\Windows\{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe
File created	C:\Windows\{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
File created	C:\Windows\{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe
File created	C:\Windows\{6E2211E3-177E-48da-9311-730177852F2C}.exe	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe
File created	C:\Windows\{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe
File created	C:\Windows\{1E736A3E-12D6-484d-BE96-663704FE689F}.exe	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe
File created	C:\Windows\{66BEDE59-05DD-4934-937F-6F994F5596CA}.exe	{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	836	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe
Token: SeIncBasePriorityPrivilege	2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe
Token: SeIncBasePriorityPrivilege	2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe
Token: SeIncBasePriorityPrivilege	2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe
Token: SeIncBasePriorityPrivilege	2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe
Token: SeIncBasePriorityPrivilege	3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe
Token: SeIncBasePriorityPrivilege	3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe
Token: SeIncBasePriorityPrivilege	260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe
Token: SeIncBasePriorityPrivilege	1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe
Token: SeIncBasePriorityPrivilege	4504	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe
Token: SeIncBasePriorityPrivilege	3492	{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 4680	836	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	92
PID 836 wrote to memory of 4680	836	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	92
PID 836 wrote to memory of 4680	836	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	92
PID 836 wrote to memory of 2332	836	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	93
PID 836 wrote to memory of 2332	836	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	93
PID 836 wrote to memory of 2332	836	2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe	93
PID 4680 wrote to memory of 2728	4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe	94
PID 4680 wrote to memory of 2728	4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe	94
PID 4680 wrote to memory of 2728	4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe	94
PID 4680 wrote to memory of 4316	4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe	95
PID 4680 wrote to memory of 4316	4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe	95
PID 4680 wrote to memory of 4316	4680	{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe	95
PID 2728 wrote to memory of 2180	2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe	97
PID 2728 wrote to memory of 2180	2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe	97
PID 2728 wrote to memory of 2180	2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe	97
PID 2728 wrote to memory of 2792	2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe	98
PID 2728 wrote to memory of 2792	2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe	98
PID 2728 wrote to memory of 2792	2728	{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe	98
PID 2180 wrote to memory of 2868	2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe	99
PID 2180 wrote to memory of 2868	2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe	99
PID 2180 wrote to memory of 2868	2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe	99
PID 2180 wrote to memory of 2256	2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe	100
PID 2180 wrote to memory of 2256	2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe	100
PID 2180 wrote to memory of 2256	2180	{433D498C-E139-4126-A019-31C01A3AC798}.exe	100
PID 2868 wrote to memory of 2068	2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe	101
PID 2868 wrote to memory of 2068	2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe	101
PID 2868 wrote to memory of 2068	2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe	101
PID 2868 wrote to memory of 1328	2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe	102
PID 2868 wrote to memory of 1328	2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe	102
PID 2868 wrote to memory of 1328	2868	{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe	102
PID 2068 wrote to memory of 3348	2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe	103
PID 2068 wrote to memory of 3348	2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe	103
PID 2068 wrote to memory of 3348	2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe	103
PID 2068 wrote to memory of 680	2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe	104
PID 2068 wrote to memory of 680	2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe	104
PID 2068 wrote to memory of 680	2068	{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe	104
PID 3348 wrote to memory of 3608	3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe	105
PID 3348 wrote to memory of 3608	3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe	105
PID 3348 wrote to memory of 3608	3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe	105
PID 3348 wrote to memory of 5060	3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe	106
PID 3348 wrote to memory of 5060	3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe	106
PID 3348 wrote to memory of 5060	3348	{6E2211E3-177E-48da-9311-730177852F2C}.exe	106
PID 3608 wrote to memory of 260	3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe	107
PID 3608 wrote to memory of 260	3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe	107
PID 3608 wrote to memory of 260	3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe	107
PID 3608 wrote to memory of 4192	3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe	108
PID 3608 wrote to memory of 4192	3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe	108
PID 3608 wrote to memory of 4192	3608	{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe	108
PID 260 wrote to memory of 1568	260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe	109
PID 260 wrote to memory of 1568	260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe	109
PID 260 wrote to memory of 1568	260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe	109
PID 260 wrote to memory of 4824	260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe	110
PID 260 wrote to memory of 4824	260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe	110
PID 260 wrote to memory of 4824	260	{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe	110
PID 1568 wrote to memory of 4504	1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe	111
PID 1568 wrote to memory of 4504	1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe	111
PID 1568 wrote to memory of 4504	1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe	111
PID 1568 wrote to memory of 1800	1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe	112
PID 1568 wrote to memory of 1800	1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe	112
PID 1568 wrote to memory of 1800	1568	{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe	112
PID 4504 wrote to memory of 3492	4504	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe	113
PID 4504 wrote to memory of 3492	4504	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe	113
PID 4504 wrote to memory of 3492	4504	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe	113
PID 4504 wrote to memory of 1132	4504	{1E736A3E-12D6-484d-BE96-663704FE689F}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_5a9169891ded4607a2407de402ba40d3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe
  C:\Windows\{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe
    C:\Windows\{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{433D498C-E139-4126-A019-31C01A3AC798}.exe
      C:\Windows\{433D498C-E139-4126-A019-31C01A3AC798}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe
        
        C:\Windows\{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe
        
        C:\Windows\{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{6E2211E3-177E-48da-9311-730177852F2C}.exe
        
        C:\Windows\{6E2211E3-177E-48da-9311-730177852F2C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe
        
        C:\Windows\{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe
        
        C:\Windows\{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:260
        
        C:\Windows\{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe
        
        C:\Windows\{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{1E736A3E-12D6-484d-BE96-663704FE689F}.exe
        
        C:\Windows\{1E736A3E-12D6-484d-BE96-663704FE689F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe
        
        C:\Windows\{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\{66BEDE59-05DD-4934-937F-6F994F5596CA}.exe
        
        C:\Windows\{66BEDE59-05DD-4934-937F-6F994F5596CA}.exe
        13⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8281F~1.EXE > nul
        13⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E736~1.EXE > nul
        12⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{803F4~1.EXE > nul
        11⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12001~1.EXE > nul
        10⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EBA7~1.EXE > nul
        9⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E221~1.EXE > nul
        8⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C91DB~1.EXE > nul
        7⤵
        
        PID:680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6BFF~1.EXE > nul
        6⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{433D4~1.EXE > nul
        5⤵
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A22D~1.EXE > nul
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2F7F0~1.EXE > nul
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1200170B-F30B-44d5-9C0F-31575BF4F4DC}.exe

Filesize
216KB

MD5
d6589289019c42e056e5a016cb1540a4

SHA1
ef71dbb4e840ea6e4c2c4c18b04507cdabbd4b67

SHA256
e429e0cc9f58508ba8284cfc23c48fea9e4f02f7e84df7ec48a62efbb89f004d

SHA512
32dc8ce6146950cbe055311625ecf0056a76d87641279f175662b49ebaf272ac1c6ea2d47cee008e2dd48185f6db7ccc925a9e29bbfd4f1ae5868c606675092d

Download Submit
C:\Windows\{1E736A3E-12D6-484d-BE96-663704FE689F}.exe

Filesize
216KB

MD5
03e92782dcf2b1ec819b1cd634ab3a19

SHA1
3834c6493b764a88dde20bcbff47559d3e4c6a2f

SHA256
65018bebb2b9c12b3ffb3e395c6e79099dbd11dfef895ca7cf66eb8afebe3ec9

SHA512
77108402b77d2ee5c8891a8e7c015f3b1c5d0f80b592e08e9aaa6128c63de8ea6617cc64c722e3fc7e279b435f4a80f97b26231fe87f5f770e92e4fd35f67778

Download Submit
C:\Windows\{2F7F0773-5E1E-44e4-A5D1-C6DE3A7FAB35}.exe

Filesize
216KB

MD5
5f8492bce4a38144272481fe1f7f9a0b

SHA1
ca95ceeb8edee5c6f488a55a918aab480efbe52b

SHA256
befd060d3e5943c0d0a4d167d08a66498edf575d2645c87331c307507a63d201

SHA512
c541a7091c2139388f2dafb03db5f2732d44bfe7aaea0f93a7c1a176d993a38c9cf229e92e3c0ca7279b7b5cd2decd3ab55297a099c38ef64dbd88ae4aa24de8

Download Submit
C:\Windows\{433D498C-E139-4126-A019-31C01A3AC798}.exe

Filesize
216KB

MD5
98428aac0ff9c524a242258156b7d9b2

SHA1
56c7deecc70d4e3da8eb930e2132ed1dc9dfdab9

SHA256
58d976eccbe3e9255f1bca58b40cec2dde20ab2f20cd17e0641c661674406298

SHA512
91edddb4ac9eee55f1406135aab92fce134807cbbb17ed64bb7300d1664f21f2eac4cf6eaab3c88e486f187f7d1c0c1c8c6a4a80a7483a78fb869793125e13dd

Download Submit
C:\Windows\{4EBA7128-16F6-4844-B1C1-CD312F4A23C0}.exe

Filesize
216KB

MD5
311533a1fee311d152c82a9fa614cbd7

SHA1
72f8b2775013c34901c1dcc4530febbdf065e958

SHA256
1c97447d0eb7931c80c56b7312f1dc32e77a39824a2158f291a91b774c83dec4

SHA512
af084df9e13d6c068d9fd14606928f45df0214651b48f8ac171c38d5973af51ce48d79143daeee325683d1f30f54d32dfbd2ad9fd8f94cecd429b1fc156b8879

Download Submit
C:\Windows\{66BEDE59-05DD-4934-937F-6F994F5596CA}.exe

Filesize
216KB

MD5
f09918820fe8e87fefc58ffcdbc5264f

SHA1
7b99c2e881a0046b74fe0f24a9c8ed96d4256a8b

SHA256
d081f2f3f67bbae253811fa7c36f934bc1cbeabbb7c6305de5e9492fd466b16a

SHA512
0176b1a5c95e8aef3fd9aef0db5caed92c314ffafa5a12132c522db74d0c2a4b168612437c0c572527403900651fe4cb0dba96309b9cf495ee8b47a66811083e

Download Submit
C:\Windows\{6E2211E3-177E-48da-9311-730177852F2C}.exe

Filesize
216KB

MD5
7018a5391626164de33cbf451fdb1e70

SHA1
ef34fe3e2655a8204767d61319d55d00d983842f

SHA256
1a38a6d91bb574b2e73a0d4c5412dfcec10eac92b34711f96eddaadcc3c2495d

SHA512
ad2d1198a85b6522d57f0557085b4c1375218c1817735287b4770f7395b9d6fd1e18bc4720910a2785ae0bc7ded37fdf730fd8bccc43611c899c40e3f3468341

Download Submit
C:\Windows\{7A22DD8A-7930-4278-B520-9EBB792B5CFA}.exe

Filesize
216KB

MD5
387e6d1e9957676070ab38f5726568dc

SHA1
99bf1ca6b77d804c0951ca78ebc111695ca8ce57

SHA256
c7707a0fcc04c022e16d7aaa9a686e5160f8e8a3c3a6b5cf44cd43b797da7d50

SHA512
0b009c81103bdcac61e3c7eae69a979fc0b4ec32d3f8caf34e77df02b2b9804b2ed990266a70b7784f3da2d8271c77aaed91f24021d9d159c8089a34f4d23e7e

Download Submit
C:\Windows\{803F43FD-6EFE-4bdc-8DC3-21C798213DB6}.exe

Filesize
216KB

MD5
77d9e5c1eccf25af947d079202bd39fc

SHA1
8f2c451987a90a62d1021ccf4bdd39a1697b5a92

SHA256
021fbbb5c2e6e5342a3f9161739f7f4058455df8155295aaa1b1b5f8f0dff22f

SHA512
7e4e0ff45c991ea2d967ca04f7a854800c8055a1484f205843c230537d2a22372d0cd675938381ee99ef1718a9effc8651a5efdb52c0884be14914253fa4a3af

Download Submit
C:\Windows\{8281F16A-842B-4b5a-B7B5-049126AA98C6}.exe

Filesize
216KB

MD5
4c02d469a769a4973fef92d19bba84c2

SHA1
a5d45309b9132dad85212e8bb5a62aac6327b479

SHA256
6ec3b9af567c6b317b16d0c18484f789cc5313e03fc954db223300bffadba832

SHA512
16a1b83ab42396578e473808524c27a630548a8c6315ec4913a828547cfe09ab3f2e2591cf094ae44d0e4dca897b9dc4cdd76435f03d55e3b0b8d6478560330a

Download Submit
C:\Windows\{C91DB2C2-66F4-43c9-BFED-4DA4A980A63B}.exe

Filesize
216KB

MD5
f0dc07a21a4beaa5ed4ffce88e598543

SHA1
826494c9b24645c5b353286d0e28644e775f4db1

SHA256
b63e1f7f472492164f4e1675584fe189c9c3e5ce5ef32db53ef4622fdad195c0

SHA512
12fc135730bd945234c43a21a5f7f5883f9029147858bfaec42f527b15f00ae3faef04a52b1b25825631c26619dd877b60a2e7aa43183e33e57a92a0970ebd9e

Download Submit
C:\Windows\{E6BFF620-5714-4e8d-802D-CA7A478C0D4B}.exe

Filesize
216KB

MD5
3129e9211b77238c9cf59ca0bafe16e1

SHA1
0a39b6cd48cd866e29bbac2e4a3f8d6ac3b48761

SHA256
6f44aa69620739852f977dd242bd2e67f4d643cab6ead983fb2400c1c962051a

SHA512
357ffdc761a566cc7fcf3090540236102141b7eeb31d2e3e10909a9954b66147054835b914791e429faebe9d5a2f730b5f69c25fd4c86211a3d50cc69d9964ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads