61bcdc503340a3ac1825eb672c810db1e813a93da3970e279fce2b7e513f21ad

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 21:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Size

216KB
MD5

6743a6ab932c886c579671a13926ae13
SHA1

32dd25c1dea5c6d0964676fad8e32b7a93bd4a34
SHA256

61bcdc503340a3ac1825eb672c810db1e813a93da3970e279fce2b7e513f21ad
SHA512

2854c8b4e9d76848e2563e89505482e50b9c5f5849df92fc27fd432e692cf0b44dfbe3143330bc0ff4e55b07fd598f74b89aed1c1393d7b5a85746105e5cc519
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023227-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023227-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c1-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF695DDE-9858-481b-B1D0-43773A2BBD58}\stubpath = "C:\\Windows\\{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe"	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C7B834-7789-4e53-8B4A-57DFC94E5855}\stubpath = "C:\\Windows\\{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe"	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}\stubpath = "C:\\Windows\\{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe"	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAD476E7-BEA7-44cc-A245-3DA88C556934}	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D0063BC-D5E9-42db-A5C1-4DB932497840}\stubpath = "C:\\Windows\\{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe"	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF695DDE-9858-481b-B1D0-43773A2BBD58}	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}\stubpath = "C:\\Windows\\{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe"	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ABCEA95-708C-4567-A507-3A58BDF54832}	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}	{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAD476E7-BEA7-44cc-A245-3DA88C556934}\stubpath = "C:\\Windows\\{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe"	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2057EB8D-6C52-4793-A652-E021B1EC5784}\stubpath = "C:\\Windows\\{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe"	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D0063BC-D5E9-42db-A5C1-4DB932497840}	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B2DBA2C-D840-4718-9F57-978CB47C6755}\stubpath = "C:\\Windows\\{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe"	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}\stubpath = "C:\\Windows\\{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}.exe"	{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5621C9F-2919-4bac-BFC1-267449C2148C}\stubpath = "C:\\Windows\\{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe"	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C7B834-7789-4e53-8B4A-57DFC94E5855}	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ABCEA95-708C-4567-A507-3A58BDF54832}\stubpath = "C:\\Windows\\{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe"	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10FCC69-7435-4597-B3C6-AA5494AFA854}	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2057EB8D-6C52-4793-A652-E021B1EC5784}	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5621C9F-2919-4bac-BFC1-267449C2148C}	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10FCC69-7435-4597-B3C6-AA5494AFA854}\stubpath = "C:\\Windows\\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe"	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B2DBA2C-D840-4718-9F57-978CB47C6755}	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe
1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe
4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe
2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe
1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe
1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe
3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe
4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe
2844	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe
2628	{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe
208	{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe
File created	C:\Windows\{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe
File created	C:\Windows\{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe
File created	C:\Windows\{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}.exe	{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe
File created	C:\Windows\{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe
File created	C:\Windows\{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
File created	C:\Windows\{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe
File created	C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe
File created	C:\Windows\{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
File created	C:\Windows\{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe
File created	C:\Windows\{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe
File created	C:\Windows\{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3580	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe
Token: SeIncBasePriorityPrivilege	1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe
Token: SeIncBasePriorityPrivilege	4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
Token: SeIncBasePriorityPrivilege	1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe
Token: SeIncBasePriorityPrivilege	2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe
Token: SeIncBasePriorityPrivilege	1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe
Token: SeIncBasePriorityPrivilege	1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe
Token: SeIncBasePriorityPrivilege	3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe
Token: SeIncBasePriorityPrivilege	4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe
Token: SeIncBasePriorityPrivilege	2844	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe
Token: SeIncBasePriorityPrivilege	2628	{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 1644	3580	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	88
PID 3580 wrote to memory of 1644	3580	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	88
PID 3580 wrote to memory of 1644	3580	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	88
PID 3580 wrote to memory of 4244	3580	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	89
PID 3580 wrote to memory of 4244	3580	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	89
PID 3580 wrote to memory of 4244	3580	2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe	89
PID 1644 wrote to memory of 1432	1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe	93
PID 1644 wrote to memory of 1432	1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe	93
PID 1644 wrote to memory of 1432	1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe	93
PID 1644 wrote to memory of 3188	1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe	94
PID 1644 wrote to memory of 3188	1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe	94
PID 1644 wrote to memory of 3188	1644	{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe	94
PID 1432 wrote to memory of 4700	1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe	97
PID 1432 wrote to memory of 4700	1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe	97
PID 1432 wrote to memory of 4700	1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe	97
PID 1432 wrote to memory of 3040	1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe	96
PID 1432 wrote to memory of 3040	1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe	96
PID 1432 wrote to memory of 3040	1432	{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe	96
PID 4700 wrote to memory of 1076	4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	98
PID 4700 wrote to memory of 1076	4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	98
PID 4700 wrote to memory of 1076	4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	98
PID 4700 wrote to memory of 2836	4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	99
PID 4700 wrote to memory of 2836	4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	99
PID 4700 wrote to memory of 2836	4700	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	99
PID 1076 wrote to memory of 2280	1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe	100
PID 1076 wrote to memory of 2280	1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe	100
PID 1076 wrote to memory of 2280	1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe	100
PID 1076 wrote to memory of 2144	1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe	101
PID 1076 wrote to memory of 2144	1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe	101
PID 1076 wrote to memory of 2144	1076	{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe	101
PID 2280 wrote to memory of 1292	2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe	102
PID 2280 wrote to memory of 1292	2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe	102
PID 2280 wrote to memory of 1292	2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe	102
PID 2280 wrote to memory of 640	2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe	103
PID 2280 wrote to memory of 640	2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe	103
PID 2280 wrote to memory of 640	2280	{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe	103
PID 1292 wrote to memory of 1944	1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe	104
PID 1292 wrote to memory of 1944	1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe	104
PID 1292 wrote to memory of 1944	1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe	104
PID 1292 wrote to memory of 3884	1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe	105
PID 1292 wrote to memory of 3884	1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe	105
PID 1292 wrote to memory of 3884	1292	{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe	105
PID 1944 wrote to memory of 3776	1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe	107
PID 1944 wrote to memory of 3776	1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe	107
PID 1944 wrote to memory of 3776	1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe	107
PID 1944 wrote to memory of 1084	1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe	106
PID 1944 wrote to memory of 1084	1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe	106
PID 1944 wrote to memory of 1084	1944	{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe	106
PID 3776 wrote to memory of 4632	3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe	108
PID 3776 wrote to memory of 4632	3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe	108
PID 3776 wrote to memory of 4632	3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe	108
PID 3776 wrote to memory of 1516	3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe	109
PID 3776 wrote to memory of 1516	3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe	109
PID 3776 wrote to memory of 1516	3776	{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe	109
PID 4632 wrote to memory of 2844	4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe	110
PID 4632 wrote to memory of 2844	4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe	110
PID 4632 wrote to memory of 2844	4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe	110
PID 4632 wrote to memory of 3524	4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe	111
PID 4632 wrote to memory of 3524	4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe	111
PID 4632 wrote to memory of 3524	4632	{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe	111
PID 2844 wrote to memory of 2628	2844	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe	112
PID 2844 wrote to memory of 2628	2844	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe	112
PID 2844 wrote to memory of 2628	2844	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe	112
PID 2844 wrote to memory of 3892	2844	{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_6743a6ab932c886c579671a13926ae13_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe
  C:\Windows\{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe
    C:\Windows\{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EAD47~1.EXE > nul
      4⤵
      PID:3040
  - - C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
      C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe
        
        C:\Windows\{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe
        
        C:\Windows\{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe
        
        C:\Windows\{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe
        
        C:\Windows\{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B2DB~1.EXE > nul
        9⤵
        
        PID:1084
        
        C:\Windows\{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe
        
        C:\Windows\{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe
        
        C:\Windows\{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe
        
        C:\Windows\{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe
        
        C:\Windows\{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}.exe
        
        C:\Windows\{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}.exe
        13⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ABCE~1.EXE > nul
        13⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07C7B~1.EXE > nul
        12⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF695~1.EXE > nul
        11⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9DC4~1.EXE > nul
        10⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5621~1.EXE > nul
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D006~1.EXE > nul
        7⤵
        
        PID:640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2057E~1.EXE > nul
        6⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D10FC~1.EXE > nul
        5⤵
        
        PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1879E~1.EXE > nul
    3⤵
    PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07C7B834-7789-4e53-8B4A-57DFC94E5855}.exe

Filesize
216KB

MD5
601dab92f8ca08b8282fcfd11a1ce974

SHA1
b8f19f7df72721e951bcd5830af2a01ee6051a59

SHA256
34c00cd21f26d6afe5a3a1ae1d13aaa48792a56f6feb8552e8476175e9a06911

SHA512
9584422dbab6f8c99c4e4d022b81ea1b8a4f64a48f2a9cfa24ff6e824385fa18527ecfe5679f4b54c5dd0779e1fd8f74304d6e4b3327d6d9386cc359ed86f5fb

Download Submit
C:\Windows\{1879EE6D-966C-4dbf-9464-D9DEF7E85EDE}.exe

Filesize
216KB

MD5
083ab48f6229b02db274cd754b394a1a

SHA1
6f1818488d0e259bc4245046fbcc6cfead116797

SHA256
22fe26871ad92f5749d0efd852a7d7b81e1f4e8e282fca6a8372186969f3aa12

SHA512
13abc4552e3457e690337fb81027c0373670f71a0af5963fea2193b009cf6fbeebbeb8b69c4f8c48d6252d4c2f01c4bdd8a339ddcafd4ba6369f0038bcdd7756

Download Submit
C:\Windows\{2057EB8D-6C52-4793-A652-E021B1EC5784}.exe

Filesize
216KB

MD5
15b840e814573e57451b7995dfeb3df4

SHA1
7d324c3b90883698a9ef4906591b3607e70ceace

SHA256
bc3eb0eb38605f25233b71ed22bc226ee47d7d9e9c76e550013895399fb30252

SHA512
92cc36316242868792281404df4033eabf9afa4998edc286e95e09ef87bb544828de67c27b42f419f765d584b981c5040771a6f04ce73aecbb57106aed1ada9a

Download Submit
C:\Windows\{5D0063BC-D5E9-42db-A5C1-4DB932497840}.exe

Filesize
216KB

MD5
624ef1b6862538081e6144bcf93d8bd4

SHA1
9d5e3f30c4271be960db89aecc26883bd58535b9

SHA256
63a0c26b0c9702b7aad46a7229a9d20206a801adc0811267dee7145262aff146

SHA512
72cea0805d5e29c0f0107bd13e8a29aa244cf2431fc14e991113380e19021affda0cd9216e9d27cf95e258e3e27104d188105a1acf0d7c18c12586d02313a0d1

Download Submit
C:\Windows\{5E8DF287-B9D3-42d3-BDEA-5498B103ABE1}.exe

Filesize
216KB

MD5
774afc2cd9dd956ef17c66e22d994522

SHA1
2d5fca8682088fc287a1a2333bdd0f5c5074a17d

SHA256
d8fea9df86a6232ccc416b1dc61be5e49b4d47f3016d480f689ba1850da18f52

SHA512
7da7700ad05117f0515c3e0fd83b52b83fd18a3b6b847bd5a5b33d55a10eb9b1bb0fa95362d101f25aff460535b310bc340a6772c2c6b6f1393ba159b040a0e2

Download Submit
C:\Windows\{9ABCEA95-708C-4567-A507-3A58BDF54832}.exe

Filesize
216KB

MD5
6cc785c779356c7b4fe92992a084891a

SHA1
2fdf3f09df23e984925cf221de38c17a30cec2e5

SHA256
5b6a387bb5d865dbdf40b8b0efcec0f9ed4afc28a390c9b22f563ec99971bc74

SHA512
9c6f713205a310b18d5f8cba5ae44a8141c5752798e6361ec2d75ecd4ba308ec5f5309723a3eb448033e48c532b433049d70d5041a3e45e92f9c47bf06c4b95b

Download Submit
C:\Windows\{9B2DBA2C-D840-4718-9F57-978CB47C6755}.exe

Filesize
216KB

MD5
313c38fc4a1634ff233084a96fc345ae

SHA1
4115152cea230c8d4296cb391af93e4259997130

SHA256
42eed9dfcc5c55ef5584395a9d48441d0cd1ebd5cb447ecb452bbceb9f0c57d2

SHA512
d037b1025705f4280f02b64ff1c23fb17f93700470435efe34c1028b501602b01e7570944f863eed8cedf792c1806063dc0e983f3619b5d6d84d9ff164615f44

Download Submit
C:\Windows\{B5621C9F-2919-4bac-BFC1-267449C2148C}.exe

Filesize
216KB

MD5
9cc4a142f1c2f6a1452323aee6e6a969

SHA1
252d36d9bb4aada1bd32b12888141e9eb0e853a4

SHA256
b6860208fc7605ad3184b0fc7cf1e323d7b7f0b36afcac1b0eb3e15eef368d19

SHA512
04aa3e2ae199f90228a2608493a4247b3765d9c229f81a1bb898c943f927d4cf67cefb37dd57d02a565436711438ff21380342b4977a7aebcd91580ab771da43

Download Submit
C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe

Filesize
216KB

MD5
ca6e9063b02b4965801267e57bf4e509

SHA1
11bf7f4adbe8a4ddc9798b85ea31d11c067c26b5

SHA256
0ffcc2c5daa42d1c5e50a657a701281a78bb682dbd77b90e3138e9e3672b7884

SHA512
960471c7276cb81458dbee033d7a8e841b614426eec628f583e5e506a2b97115114b8437dee64fbf8f83d5df36f8397d8e3e6b681afa1aba68878ca8baa7dc52

Download Submit
C:\Windows\{DF695DDE-9858-481b-B1D0-43773A2BBD58}.exe

Filesize
216KB

MD5
d35822419b4cbf2fa2bf61cef6878a49

SHA1
709454a09b65bc3c13d84d9c7fa20d0987d705ce

SHA256
cc7a6b52d618237a3d9d7fa3cba5d5c5d676ca59cac3baa9d14dac2c09898277

SHA512
6d32f016b35a87ca587c11c93a014d3babbdfaf13bdd266ffb21ff15176f5c92f95cc0e9bc8c2df2607052a297481b044713f5976cc97c2f1c594f3ac7044898

Download Submit
C:\Windows\{EAD476E7-BEA7-44cc-A245-3DA88C556934}.exe

Filesize
216KB

MD5
1d8c1fcc0cc677e6bf8c88b116114dbf

SHA1
62d4936a0c966cf310f88deeed50d4af04b4e0c3

SHA256
4f134926d3f6dd391de39b7884bae45e8ec18a23d97e01f30d072cb9180a7e0f

SHA512
82e69f3fa1e7a6113264cec2383b9193722d3faa0c8513efcd98fe02e076386ee0f50fc57d72b29cc7cb1a6b48bac1714f36b99472a77671114f6517c856f3c8

Download Submit
C:\Windows\{F9DC4D85-2CCE-48db-BE4F-BB4BAC48CF60}.exe

Filesize
216KB

MD5
a662f41008c4591d9a2ec41e0f596fea

SHA1
178a3c122671b713012031389f311e9e816eec8b

SHA256
6c63e3143e03468128c1caa3721da2b2e1a7a7411c9c5439afaae9860c5b8df8

SHA512
7afb3ac6a4557b80681dab05eebb56c75815a907660427f38ce84583a94620f92716c50a04f6ca9c538af44fc0c51ffd5216641e8334f25fc169a8411d0358e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads