b3eb380467aa727b235c8f9ae9dafa71839500f253a4c2072115611cf1124177

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 22:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe
Size

216KB
MD5

96f7c4ea173f147d5dff08592d842d89
SHA1

a77b1dc13287a636dab6e77d7fdceba21a9a9f73
SHA256

b3eb380467aa727b235c8f9ae9dafa71839500f253a4c2072115611cf1124177
SHA512

d2ea826af104da57ba7eec81e1ea401029b74f3498c35aca3af842563d1527a7a597534cbad80f4e731a1194188844d4e8cc529e3bf36f23a84c7629da7850aa
SSDEEP

3072:jEGh0ogl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGWlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023229-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e75f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023237-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e75f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e75f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c1-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c1-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c1-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD2A466-4893-4cf7-A5D1-A575A9F59718}\stubpath = "C:\\Windows\\{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe"	{40915763-9739-4e88-8475-4097CEDE82BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB817E72-D700-4e6a-8402-7809AC41D622}	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F9A1EE-9878-452b-A7CE-E988CB736953}	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F9A1EE-9878-452b-A7CE-E988CB736953}\stubpath = "C:\\Windows\\{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe"	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{510BF613-A1D2-43cb-B211-C2FF39030B9D}\stubpath = "C:\\Windows\\{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe"	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40915763-9739-4e88-8475-4097CEDE82BC}\stubpath = "C:\\Windows\\{40915763-9739-4e88-8475-4097CEDE82BC}.exe"	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}\stubpath = "C:\\Windows\\{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe"	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40915763-9739-4e88-8475-4097CEDE82BC}	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD2A466-4893-4cf7-A5D1-A575A9F59718}	{40915763-9739-4e88-8475-4097CEDE82BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071D9618-13C3-46f1-B890-ABDA1A27553F}	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}\stubpath = "C:\\Windows\\{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe"	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}\stubpath = "C:\\Windows\\{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe"	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3806908-3BB9-482e-BFD3-9AD6BF552D08}\stubpath = "C:\\Windows\\{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe"	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{510BF613-A1D2-43cb-B211-C2FF39030B9D}	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC45756-A79F-4222-9DAC-B79966C242E1}	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E8FFEFB-B396-4238-9A39-8304B3E02857}	{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E8FFEFB-B396-4238-9A39-8304B3E02857}\stubpath = "C:\\Windows\\{8E8FFEFB-B396-4238-9A39-8304B3E02857}.exe"	{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071D9618-13C3-46f1-B890-ABDA1A27553F}\stubpath = "C:\\Windows\\{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe"	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3806908-3BB9-482e-BFD3-9AD6BF552D08}	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB817E72-D700-4e6a-8402-7809AC41D622}\stubpath = "C:\\Windows\\{CB817E72-D700-4e6a-8402-7809AC41D622}.exe"	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC45756-A79F-4222-9DAC-B79966C242E1}\stubpath = "C:\\Windows\\{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe"	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe

Executes dropped EXE 12 IoCs

pid	Process
4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe
1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe
2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe
5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe
2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe
648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe
4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe
5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe
2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe
3132	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe
4580	{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe
5616	{8E8FFEFB-B396-4238-9A39-8304B3E02857}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe
File created	C:\Windows\{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe
File created	C:\Windows\{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe
File created	C:\Windows\{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe	{40915763-9739-4e88-8475-4097CEDE82BC}.exe
File created	C:\Windows\{CB817E72-D700-4e6a-8402-7809AC41D622}.exe	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe
File created	C:\Windows\{8E8FFEFB-B396-4238-9A39-8304B3E02857}.exe	{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe
File created	C:\Windows\{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe
File created	C:\Windows\{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe
File created	C:\Windows\{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe
File created	C:\Windows\{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe
File created	C:\Windows\{40915763-9739-4e88-8475-4097CEDE82BC}.exe	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe
File created	C:\Windows\{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5900	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe
Token: SeIncBasePriorityPrivilege	1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe
Token: SeIncBasePriorityPrivilege	2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe
Token: SeIncBasePriorityPrivilege	5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe
Token: SeIncBasePriorityPrivilege	2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe
Token: SeIncBasePriorityPrivilege	648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe
Token: SeIncBasePriorityPrivilege	4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe
Token: SeIncBasePriorityPrivilege	5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe
Token: SeIncBasePriorityPrivilege	2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe
Token: SeIncBasePriorityPrivilege	3132	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe
Token: SeIncBasePriorityPrivilege	4580	{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5900 wrote to memory of 4536	5900	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe	90
PID 5900 wrote to memory of 4536	5900	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe	90
PID 5900 wrote to memory of 4536	5900	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe	90
PID 5900 wrote to memory of 4472	5900	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe	91
PID 5900 wrote to memory of 4472	5900	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe	91
PID 5900 wrote to memory of 4472	5900	2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe	91
PID 4536 wrote to memory of 1800	4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe	94
PID 4536 wrote to memory of 1800	4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe	94
PID 4536 wrote to memory of 1800	4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe	94
PID 4536 wrote to memory of 2984	4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe	95
PID 4536 wrote to memory of 2984	4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe	95
PID 4536 wrote to memory of 2984	4536	{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe	95
PID 1800 wrote to memory of 2224	1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe	97
PID 1800 wrote to memory of 2224	1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe	97
PID 1800 wrote to memory of 2224	1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe	97
PID 1800 wrote to memory of 4600	1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe	98
PID 1800 wrote to memory of 4600	1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe	98
PID 1800 wrote to memory of 4600	1800	{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe	98
PID 2224 wrote to memory of 5200	2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe	99
PID 2224 wrote to memory of 5200	2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe	99
PID 2224 wrote to memory of 5200	2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe	99
PID 2224 wrote to memory of 5652	2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe	100
PID 2224 wrote to memory of 5652	2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe	100
PID 2224 wrote to memory of 5652	2224	{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe	100
PID 5200 wrote to memory of 2544	5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe	101
PID 5200 wrote to memory of 2544	5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe	101
PID 5200 wrote to memory of 2544	5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe	101
PID 5200 wrote to memory of 5208	5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe	102
PID 5200 wrote to memory of 5208	5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe	102
PID 5200 wrote to memory of 5208	5200	{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe	102
PID 2544 wrote to memory of 648	2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe	103
PID 2544 wrote to memory of 648	2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe	103
PID 2544 wrote to memory of 648	2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe	103
PID 2544 wrote to memory of 5212	2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe	104
PID 2544 wrote to memory of 5212	2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe	104
PID 2544 wrote to memory of 5212	2544	{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe	104
PID 648 wrote to memory of 4308	648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe	105
PID 648 wrote to memory of 4308	648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe	105
PID 648 wrote to memory of 4308	648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe	105
PID 648 wrote to memory of 4880	648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe	106
PID 648 wrote to memory of 4880	648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe	106
PID 648 wrote to memory of 4880	648	{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe	106
PID 4308 wrote to memory of 5112	4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe	107
PID 4308 wrote to memory of 5112	4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe	107
PID 4308 wrote to memory of 5112	4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe	107
PID 4308 wrote to memory of 4684	4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe	108
PID 4308 wrote to memory of 4684	4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe	108
PID 4308 wrote to memory of 4684	4308	{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe	108
PID 5112 wrote to memory of 2244	5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe	109
PID 5112 wrote to memory of 2244	5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe	109
PID 5112 wrote to memory of 2244	5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe	109
PID 5112 wrote to memory of 5528	5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe	110
PID 5112 wrote to memory of 5528	5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe	110
PID 5112 wrote to memory of 5528	5112	{40915763-9739-4e88-8475-4097CEDE82BC}.exe	110
PID 2244 wrote to memory of 3132	2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe	111
PID 2244 wrote to memory of 3132	2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe	111
PID 2244 wrote to memory of 3132	2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe	111
PID 2244 wrote to memory of 5800	2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe	112
PID 2244 wrote to memory of 5800	2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe	112
PID 2244 wrote to memory of 5800	2244	{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe	112
PID 3132 wrote to memory of 4580	3132	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe	113
PID 3132 wrote to memory of 4580	3132	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe	113
PID 3132 wrote to memory of 4580	3132	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe	113
PID 3132 wrote to memory of 5708	3132	{CB817E72-D700-4e6a-8402-7809AC41D622}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_96f7c4ea173f147d5dff08592d842d89_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5900
- C:\Windows\{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe
  C:\Windows\{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe
    C:\Windows\{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe
      C:\Windows\{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe
        
        C:\Windows\{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5200
      - C:\Windows\{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe
        
        C:\Windows\{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe
        
        C:\Windows\{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe
        
        C:\Windows\{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{40915763-9739-4e88-8475-4097CEDE82BC}.exe
        
        C:\Windows\{40915763-9739-4e88-8475-4097CEDE82BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe
        
        C:\Windows\{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{CB817E72-D700-4e6a-8402-7809AC41D622}.exe
        
        C:\Windows\{CB817E72-D700-4e6a-8402-7809AC41D622}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe
        
        C:\Windows\{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\{8E8FFEFB-B396-4238-9A39-8304B3E02857}.exe
        
        C:\Windows\{8E8FFEFB-B396-4238-9A39-8304B3E02857}.exe
        13⤵
        Executes dropped EXE
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC45~1.EXE > nul
        13⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB817~1.EXE > nul
        12⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD2A~1.EXE > nul
        11⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40915~1.EXE > nul
        10⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF6F~1.EXE > nul
        9⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{510BF~1.EXE > nul
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F9A~1.EXE > nul
        7⤵
        
        PID:5212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3806~1.EXE > nul
        6⤵
        
        PID:5208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F087A~1.EXE > nul
        5⤵
        
        PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17D71~1.EXE > nul
      4⤵
      PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{071D9~1.EXE > nul
    3⤵
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071D9618-13C3-46f1-B890-ABDA1A27553F}.exe

Filesize
216KB

MD5
e0cea17958139f4c429f9d49bf8791dd

SHA1
6d075b192ce07904789ec6bca2bbb8a6b67b1ca2

SHA256
224701ecb0c8e9359084fb334bb4f609ca74e9707d3bbe1a6019cae0d07c0b9b

SHA512
72d109d91021b5d961b18540d91ba507ef73188078837fd0125f3ba8779ad933a3d47ee53c83f60ad7cb10fe5d12b2efcfb1eb70dd23541e5199cabe8d87a4ea

Download Submit
C:\Windows\{17D71812-C5E3-4f8d-869F-D35BBCDFF2A6}.exe

Filesize
216KB

MD5
9d932bb3d92a896169be0a09163aec0e

SHA1
1b8e940af100755813470754f0dfd590d73494c7

SHA256
605e301055620a2b2b1b03565e83960806911c5071686c03ab17fd0a15cc10e9

SHA512
2087e66adad23c5156e81b0bedc6b6f281eec86a8b93ddcfe2e164bf9053206664831af053e70fa8c9f48a1b317fdc24823afeb578a8488b0afc66aec0b8c2f6

Download Submit
C:\Windows\{40915763-9739-4e88-8475-4097CEDE82BC}.exe

Filesize
216KB

MD5
10d02785f55d9c7e23654a67654207e4

SHA1
c2ddefe8925c6b5c1eac3437cc7c8c48baaa3a57

SHA256
54f31d8c0a305553e71e84c991720167884f3e68713de76baf947011214c1c9f

SHA512
70dfe882c9cb16070c4210a09caf0f93a96ccfa712d57d611163deadcd279c3d9b191f574053c9d35fb46ef4328feeda2059659495d19c257837a8e388409ec1

Download Submit
C:\Windows\{510BF613-A1D2-43cb-B211-C2FF39030B9D}.exe

Filesize
216KB

MD5
6f9cb6e750abe70bcabc741ebabcd7ad

SHA1
8fac5bcb1f13d6038daa551e2cbf66455ee96f7f

SHA256
adda7bc09b920b10b21dedb82fb022dc155181ae534e817f626e572b13d771eb

SHA512
49369c9b0cd5928e18999c127d02448b8db0861e95389fe18d4c93106911476ab7c30805ca8330934e3d5b0d9a0938e10215df4197cdf4566afc948ef0e07887

Download Submit
C:\Windows\{6EF6FF09-B56F-4010-A3CD-23F6B55BE831}.exe

Filesize
216KB

MD5
16de295eea98109f49718cbbc6ff0248

SHA1
59c60007d4826341a66529c02623aec06443e34b

SHA256
45a2e8c91354cba4d6a622f17411b24fd38291bc52d5c32cc42c155082dd19d0

SHA512
e1958f18e9b42c1e32025876b66a5df0a6b5690def617c1456b0ab49e5fcf70551096fb0c9c910cfe2dd69473c2ababd6b7e1dcf1c71c98b737395575a2406b9

Download Submit
C:\Windows\{8E8FFEFB-B396-4238-9A39-8304B3E02857}.exe

Filesize
216KB

MD5
7262e1638a8012c3939ff19ba9c40fa3

SHA1
fa7cbfacd9efc80462d08c26abd946f589a26a01

SHA256
0333de148b4becbad05ed9d6b915ed653813818a1b62746fd3466215962f17e9

SHA512
0e533fdb1b4ffe2e37b16d98f2d2868ee8bea54775e2899b5d47c0b0f4caea8972a69ca8c9c7d865bda01802e493eacd3382dbac8f54cd6b2f324dd5e7781012

Download Submit
C:\Windows\{ABD2A466-4893-4cf7-A5D1-A575A9F59718}.exe

Filesize
216KB

MD5
91ea4fe9fe7297c755d9ef262856c06c

SHA1
18eae7ca2244981f6bb57a0de1ff19fe1ed02ef6

SHA256
c19c7cde6aab7ad88f6c7816127f567c27759b60dd9689cfdf734732f5ab69bf

SHA512
5613aece3204de23b9e6960d51929163637910f190a1b36735a10f37aace3d9846b4fca7797f68dea66bae02685f4cbbb112c8da52a8e679e8bead5e8e6bd362

Download Submit
C:\Windows\{AEC45756-A79F-4222-9DAC-B79966C242E1}.exe

Filesize
216KB

MD5
0c01dd2936ee409b7e0de8493ad6e0c9

SHA1
9316e779748b46bad45b1ee6de837562ec6f6b12

SHA256
e6c6e4f5ce2385691bde0d0965ae0fd9c527cf5fd3b0215c2092f44cca1862fa

SHA512
39977782ae0db24018fa61c3474e5e144b50528e93b7d571b69389066ce961b930d2eadc6e7e2a0d66f7c1d4e1097889fa83f8d6c589257df3928b4381c5b458

Download Submit
C:\Windows\{B3806908-3BB9-482e-BFD3-9AD6BF552D08}.exe

Filesize
216KB

MD5
089d84f5562a86fff2e9cda0848e09d1

SHA1
e461bf946d1af26d5cf0dfd5336ad1ba2df55ecd

SHA256
133fd195b691d3eb7637dafa4fe3eb19bc9576ab254594b39295450e98f66501

SHA512
917e439490d7456a04c041e9f5443e8b36805e4df043cf795616663c6771b32dd975384b705e23520dd4d66e0267260a8a6c2b986136825e7841cede84b7250c

Download Submit
C:\Windows\{C9F9A1EE-9878-452b-A7CE-E988CB736953}.exe

Filesize
216KB

MD5
38d1e9369a7b94e377272e357e01d694

SHA1
4fd7790f13d26e5c205514d26cf7812ea86a389c

SHA256
7dbe51764d733bfc198b06a476752376f7b9dcef3b2d4e28b48713218e66a0c2

SHA512
bf21e2f5a8d4e0ca8554f83f8fb1b39abde0bfc5a1096eca49c247951a7e1562d325ffc04aba6d3ad7661844e9e7405c42cf821b550759032cbf7d015637e440

Download Submit
C:\Windows\{CB817E72-D700-4e6a-8402-7809AC41D622}.exe

Filesize
216KB

MD5
36701af0f5c73e029dedac4f35ee3ddd

SHA1
26a7bbdafc8d36b588896c0088100099b48a05fe

SHA256
4fdd07c922600f0d4d114b49e046db8adbd1020e90630d297aef18b70627f3ed

SHA512
cb34a1585d82f61020b5e8ca9d58133e917050fb745fcbb858092add0675f833a39de61c777eafcdf83d060bba0d95dd4e7e8841faa96cf1106c05c681d4cfd7

Download Submit
C:\Windows\{F087A7B5-D194-4789-8B8E-35F2B6B5F7D6}.exe

Filesize
216KB

MD5
c9a9d06561e0c241ce0b9589ed603fcf

SHA1
a4c43dec8f611113cfbd86b865d2ee45674b096a

SHA256
05e0648bc1684e25cc9ce9e66818be5abfddf6c36f45c300e13095653c9f1daf

SHA512
d774f91ddcae42c25294f584d0327b2a438cb3b132cb3714e139119679b920e269fbd6f5d1f2f8f6f14d2aa98af4af6b4fa9e21c1993a29a32c666d5621f6356

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads