680dd3a9a8783c3c3b7c5ebbade50bc410e1bc85e474579da41396640bcff14d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe
Size

197KB
MD5

ace975e9ccf43064a51a057543cc25bd
SHA1

4f13648eb24e185bae74c5c1212793e0627653ef
SHA256

680dd3a9a8783c3c3b7c5ebbade50bc410e1bc85e474579da41396640bcff14d
SHA512

d6221681fed659c515b0b1e9e2c6de4870f8c1ffb5ff44f7b0f897c17ba4f0e1699db8891c3c345d7f74d3ed2adb31beec2667589604f568e1ffe85aff0d211a
SSDEEP

3072:jEGh0ofl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG1lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023226-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023124-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023234-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023124-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071d-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FFD09C8-C513-4471-B54E-A273EF969A91}\stubpath = "C:\\Windows\\{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe"	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5985EDCC-9CD7-4957-A266-3372D92CEDCC}	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BC84550-C865-4bec-B796-C663D6A0E7ED}	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B67FDC-778A-449d-AFC0-909569BA555E}\stubpath = "C:\\Windows\\{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe"	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6549B50-4877-4ea2-85A6-0292CBA146DB}\stubpath = "C:\\Windows\\{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe"	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5736BD19-E544-44c7-8A11-FF069BDDAFF9}	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5736BD19-E544-44c7-8A11-FF069BDDAFF9}\stubpath = "C:\\Windows\\{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe"	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75DA8557-21C6-4d72-88B4-02F26998AFC0}\stubpath = "C:\\Windows\\{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe"	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CA912A1-8591-40ed-81E7-128E92A22C59}	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6549B50-4877-4ea2-85A6-0292CBA146DB}	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8868714A-BAB4-40d4-B7BC-694590189819}	{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8868714A-BAB4-40d4-B7BC-694590189819}\stubpath = "C:\\Windows\\{8868714A-BAB4-40d4-B7BC-694590189819}.exe"	{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{303F2255-1D37-47bf-B53F-1996C98AD48B}\stubpath = "C:\\Windows\\{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe"	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B67FDC-778A-449d-AFC0-909569BA555E}	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}\stubpath = "C:\\Windows\\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe"	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{303F2255-1D37-47bf-B53F-1996C98AD48B}	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FFD09C8-C513-4471-B54E-A273EF969A91}	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BC84550-C865-4bec-B796-C663D6A0E7ED}\stubpath = "C:\\Windows\\{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe"	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75DA8557-21C6-4d72-88B4-02F26998AFC0}	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CA912A1-8591-40ed-81E7-128E92A22C59}\stubpath = "C:\\Windows\\{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe"	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}\stubpath = "C:\\Windows\\{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe"	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5985EDCC-9CD7-4957-A266-3372D92CEDCC}\stubpath = "C:\\Windows\\{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe"	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe

Executes dropped EXE 12 IoCs

pid	Process
4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe
5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe
2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe
2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe
624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe
3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe
1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe
3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe
4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe
4688	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe
4424	{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe
3304	{8868714A-BAB4-40d4-B7BC-694590189819}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe
File created	C:\Windows\{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe
File created	C:\Windows\{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe
File created	C:\Windows\{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe
File created	C:\Windows\{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe
File created	C:\Windows\{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe
File created	C:\Windows\{8868714A-BAB4-40d4-B7BC-694590189819}.exe	{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe
File created	C:\Windows\{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe
File created	C:\Windows\{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe
File created	C:\Windows\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe
File created	C:\Windows\{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe
File created	C:\Windows\{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1660	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe
Token: SeIncBasePriorityPrivilege	5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe
Token: SeIncBasePriorityPrivilege	2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe
Token: SeIncBasePriorityPrivilege	2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe
Token: SeIncBasePriorityPrivilege	624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe
Token: SeIncBasePriorityPrivilege	3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe
Token: SeIncBasePriorityPrivilege	1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe
Token: SeIncBasePriorityPrivilege	3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe
Token: SeIncBasePriorityPrivilege	4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe
Token: SeIncBasePriorityPrivilege	4688	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe
Token: SeIncBasePriorityPrivilege	4424	{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4624	1660	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe	86
PID 1660 wrote to memory of 4624	1660	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe	86
PID 1660 wrote to memory of 4624	1660	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe	86
PID 1660 wrote to memory of 4056	1660	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe	87
PID 1660 wrote to memory of 4056	1660	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe	87
PID 1660 wrote to memory of 4056	1660	2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe	87
PID 4624 wrote to memory of 5060	4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe	91
PID 4624 wrote to memory of 5060	4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe	91
PID 4624 wrote to memory of 5060	4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe	91
PID 4624 wrote to memory of 2368	4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe	92
PID 4624 wrote to memory of 2368	4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe	92
PID 4624 wrote to memory of 2368	4624	{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe	92
PID 5060 wrote to memory of 2580	5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe	94
PID 5060 wrote to memory of 2580	5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe	94
PID 5060 wrote to memory of 2580	5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe	94
PID 5060 wrote to memory of 2816	5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe	95
PID 5060 wrote to memory of 2816	5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe	95
PID 5060 wrote to memory of 2816	5060	{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe	95
PID 2580 wrote to memory of 2972	2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe	96
PID 2580 wrote to memory of 2972	2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe	96
PID 2580 wrote to memory of 2972	2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe	96
PID 2580 wrote to memory of 3588	2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe	97
PID 2580 wrote to memory of 3588	2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe	97
PID 2580 wrote to memory of 3588	2580	{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe	97
PID 2972 wrote to memory of 624	2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe	98
PID 2972 wrote to memory of 624	2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe	98
PID 2972 wrote to memory of 624	2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe	98
PID 2972 wrote to memory of 1100	2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe	99
PID 2972 wrote to memory of 1100	2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe	99
PID 2972 wrote to memory of 1100	2972	{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe	99
PID 624 wrote to memory of 3728	624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe	100
PID 624 wrote to memory of 3728	624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe	100
PID 624 wrote to memory of 3728	624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe	100
PID 624 wrote to memory of 4604	624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe	101
PID 624 wrote to memory of 4604	624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe	101
PID 624 wrote to memory of 4604	624	{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe	101
PID 3728 wrote to memory of 1468	3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe	102
PID 3728 wrote to memory of 1468	3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe	102
PID 3728 wrote to memory of 1468	3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe	102
PID 3728 wrote to memory of 2388	3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe	103
PID 3728 wrote to memory of 2388	3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe	103
PID 3728 wrote to memory of 2388	3728	{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe	103
PID 1468 wrote to memory of 3100	1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe	104
PID 1468 wrote to memory of 3100	1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe	104
PID 1468 wrote to memory of 3100	1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe	104
PID 1468 wrote to memory of 4560	1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe	105
PID 1468 wrote to memory of 4560	1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe	105
PID 1468 wrote to memory of 4560	1468	{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe	105
PID 3100 wrote to memory of 4600	3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe	106
PID 3100 wrote to memory of 4600	3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe	106
PID 3100 wrote to memory of 4600	3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe	106
PID 3100 wrote to memory of 3120	3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe	107
PID 3100 wrote to memory of 3120	3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe	107
PID 3100 wrote to memory of 3120	3100	{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe	107
PID 4600 wrote to memory of 4688	4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe	108
PID 4600 wrote to memory of 4688	4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe	108
PID 4600 wrote to memory of 4688	4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe	108
PID 4600 wrote to memory of 3800	4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe	109
PID 4600 wrote to memory of 3800	4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe	109
PID 4600 wrote to memory of 3800	4600	{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe	109
PID 4688 wrote to memory of 4424	4688	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe	110
PID 4688 wrote to memory of 4424	4688	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe	110
PID 4688 wrote to memory of 4424	4688	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe	110
PID 4688 wrote to memory of 4204	4688	{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_ace975e9ccf43064a51a057543cc25bd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe
  C:\Windows\{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe
    C:\Windows\{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe
      C:\Windows\{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe
        
        C:\Windows\{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe
        
        C:\Windows\{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe
        
        C:\Windows\{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe
        
        C:\Windows\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe
        
        C:\Windows\{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe
        
        C:\Windows\{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe
        
        C:\Windows\{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe
        
        C:\Windows\{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\{8868714A-BAB4-40d4-B7BC-694590189819}.exe
        
        C:\Windows\{8868714A-BAB4-40d4-B7BC-694590189819}.exe
        13⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6549~1.EXE > nul
        13⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CA91~1.EXE > nul
        12⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75DA8~1.EXE > nul
        11⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{303F2~1.EXE > nul
        10⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4608~1.EXE > nul
        9⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B67~1.EXE > nul
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BC84~1.EXE > nul
        7⤵
        
        PID:4604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5985E~1.EXE > nul
        6⤵
        
        PID:1100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF24~1.EXE > nul
        5⤵
        
        PID:3588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2FFD0~1.EXE > nul
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5736B~1.EXE > nul
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CA912A1-8591-40ed-81E7-128E92A22C59}.exe

Filesize
197KB

MD5
68abecb451057b957d75325e35d1d279

SHA1
dc7d6d26dcc6448310ae91df2aa3542164592ff4

SHA256
e1199b685bbbe0865172d0659c3dad40053378c9c45f4712c0eb8bcf3c335c14

SHA512
fa6b2f89a31e689c0f0c909f5dc675fa3a8231a46a3e009598361852562862df08f1066d277afb2ff1f1f9104af20cdbe60f2a22eaf8e6d66b97d25c32106490

Download Submit
C:\Windows\{2FFD09C8-C513-4471-B54E-A273EF969A91}.exe

Filesize
197KB

MD5
3fed80a8b52b10106f7cbb7397ece006

SHA1
b0b1f992b4879870e129722b5d78037e2ac29239

SHA256
eb46a6d888976e630ae1295fca0dcc2eea2ae4fdf076fa7bd04cb3d393d440ab

SHA512
747ac55884ed52399315cbd388863388804f132fc91dafeac484928d1626f3dc6548b9089a45cb66b85d0a9d37bc86eceb6ac00e5540b13cc140d15bb72cd8bb

Download Submit
C:\Windows\{303F2255-1D37-47bf-B53F-1996C98AD48B}.exe

Filesize
197KB

MD5
e8713f1b2aeaf0053aa250e914bd7f66

SHA1
a6b342e62c739f642d8eeb1feca12c84b34a16d2

SHA256
21fd065b60b440f061cb3fcb55fd5b3b5b4c5c28b6839355dbde71d3cc0cf03a

SHA512
cc334a1988f1754d75d63bbceefc8896fb7ba4be8b5fb431e02e7183d89846d21f82ce02772bab96a2bcf1fc858de145e6696e45e98976911cbc78b1864a2f59

Download Submit
C:\Windows\{3FF24ED0-8EEE-4e01-9F34-B958E8E37D75}.exe

Filesize
197KB

MD5
b4586baf49ce7f564992333753aa7fd6

SHA1
5fe6e8210c802117c9ff1e5158470e0710a0828c

SHA256
16526e86a766d617db9eaa2060681884cdae8256280a5dbf29b239893ea681db

SHA512
d3d11ede5e587068cc4d32b2870f278eee5a14d594245ee4c2b7b072bac4973bf771125139721df088f7893967e5b6f1c91a85a62cb3560be7eaf201120f675b

Download Submit
C:\Windows\{5736BD19-E544-44c7-8A11-FF069BDDAFF9}.exe

Filesize
197KB

MD5
5c659b2ebd945561a37ab24367e89e12

SHA1
fcd513646a5bbc642646ba3baaeac87d6c726ba2

SHA256
bad64602811a232025d46eebfc0ae4984af478522b769e4946e3f824c0ba4839

SHA512
75b0b4e299eb2065c3697ed3b64e1d68676bc24a202c573f6c54057590f87f196f9ea9c13a6a73db66e292bc612a53927e5c62a3fbbe498511f0f229f4f91aa5

Download Submit
C:\Windows\{5985EDCC-9CD7-4957-A266-3372D92CEDCC}.exe

Filesize
197KB

MD5
7bb7dac9a13df1bf271d0f3dd362cdc9

SHA1
108e0a5d9ca3ab1610c15dc43e5ebb755b9b94f1

SHA256
637b363b1cf9c7bac3c36f5327614a496eb19b6d15564463131acc01a1dcd3ed

SHA512
8f2727433d19de42218c7efe4eb55b22b0f311ded0d42ccc2e00e8e1bcd9f63ef60d4be60f094b04b8bf8313b8598a9fbf4960d09334e8c8a58a37912c36fe7e

Download Submit
C:\Windows\{75DA8557-21C6-4d72-88B4-02F26998AFC0}.exe

Filesize
197KB

MD5
16e9a8c2d0cfe023dc89d9d0280cb828

SHA1
965c6ed6022b2a370131971f88408cdb9d634dff

SHA256
15b5319cde0f110f049d321c349501e15182e388d5da38ba5a3dbe589fe89d1d

SHA512
53350875cc7eb03100c41c2c9d6571015d8c65b725e2c741aacf7aa377018634245b3fef292118b1b7978c64aeaa1ca7a90b47d60165a1b43b9a8fe9dd3cec60

Download Submit
C:\Windows\{7BC84550-C865-4bec-B796-C663D6A0E7ED}.exe

Filesize
197KB

MD5
48f099913faf99a92ecba2d7a0818539

SHA1
c4d4f64232e9a423bb638a322d3f8cff4ab9a0d4

SHA256
96acc3029b68b3dadd7d132ff500541432db6cdd546a7105ae5c3aaaef646599

SHA512
afeac5fbd6e3051255b63f7d0a221580a2416451c4318d2823d57ceb2c6f901366a6c4ec6dc623eb4da7d03d1517c778dafdf9e8584a82b21e9ea6372cdd1748

Download Submit
C:\Windows\{8868714A-BAB4-40d4-B7BC-694590189819}.exe

Filesize
197KB

MD5
a3c730489bd29a837eb9e62db915843d

SHA1
0e498e07b9e6a19fbfbf65f7f5c313872946219d

SHA256
f25a54163afb91b7bc78925f3a48c2ad9aafddc64bb3fcaa3bf2e9e0578d2366

SHA512
ed6c150aace5c3ea3a091d27d26a8cae6a5e84305f8a4316dc96e0aabf689de40df3ceffdfbbb09d587dff01332cc406c50fa65dfbdcdd0cf3106eb65eeaf0d0

Download Submit
C:\Windows\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe

Filesize
192KB

MD5
2d08a8bfdd0d443223e4de0a842f5fa1

SHA1
b3670fd15252c021d2ac77cbbb1f975ed5097197

SHA256
f66856808a2aa2f583cc87c57fa4fafe0a90e809d763cf390e8d345266227f06

SHA512
25864cf444e0034eb0a5ac667868875364297769ce992e6059fec7e252f309e23d272197364e0c1542c67a7944451572f81f3d393342828301ccca462d92bb23

Download Submit
C:\Windows\{D46086CF-C30B-46f1-A7E9-E5E5FB105286}.exe

Filesize
137KB

MD5
daa7e328eb18733c5d13cd1574ea3798

SHA1
836873e3c936fd9bebe32a95a4295f381ed7b296

SHA256
b934abb7ea0a479d1fca28d0e1248bf566a706afe868f5831361ed81e94633f8

SHA512
ed2a12ca7537eb88e72acf0784629a29f805c45511f03da1c9ab5947c3c7f292281d825c9279b8f4caa2968dcb2b4b2a37e99ad63e5d3494892e57f749778bbe

Download Submit
C:\Windows\{E5B67FDC-778A-449d-AFC0-909569BA555E}.exe

Filesize
197KB

MD5
1570e248e261a396e2c2f5f23b6b1d29

SHA1
a3d7031d2d76d30a0d2fad5fd10f344da3a30900

SHA256
f52f3616ac50b4cd93420d4f2cd9060e9924de507ed250db88251e999f2deb0e

SHA512
590a9518f943b43aac4b4f062ebe505836d5ed210720c7a7e266c42b0dcffece832141f3e3f873eae64967bf2d4cf649be3f627afbf6671cd304b38d95692963

Download Submit
C:\Windows\{F6549B50-4877-4ea2-85A6-0292CBA146DB}.exe

Filesize
197KB

MD5
7c907669ce3c50a2b00b01bfa2891c75

SHA1
86193dcd5fbb45e2c60a7c7494f87fe7ae13c90b

SHA256
2da7d36599b3fd6914b3623466ef784aee6a1c3a73dd14416257e2f974e6dbc7

SHA512
166aadce76c6ef2288a212020e723ec3163c8593987e010048539db1c6ce361568585eccb8a994297d82430438c0003a7a9dd948e9ca13ac5ea56408c26ec8c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads