86e77fe812c63dbeaefb6acc11474c4718360217fd34c09426792b1e874ca2a9

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
Size

197KB
MD5

8158b7f3336d7d98c9c3d9b373544643
SHA1

c613fd8059c5b4376857df023ece28e8c1c344c1
SHA256

86e77fe812c63dbeaefb6acc11474c4718360217fd34c09426792b1e874ca2a9
SHA512

8fc1dc56e2f4c5a2e0bbedfdd0003328cdd801eef6f49ec74b16ae0c9d9b6795cd5cbfd6362fb31a4d20503ac83c6d8ff146788b4cd9e9f2fc6a0d6cb588cf2e
SSDEEP

3072:jEGh0oSl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGAlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f6-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e0b8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023201-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e0b8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000001e0b8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79872D94-C521-4354-BF65-668C7271717C}	{26F3152F-B2ED-4a86-A93A-408864058557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}\stubpath = "C:\\Windows\\{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe"	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E34E44-8862-449e-A0E8-363DCBB9BD8F}\stubpath = "C:\\Windows\\{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe"	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0B2BC6-2233-488b-837A-3D3036AC63DF}\stubpath = "C:\\Windows\\{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe"	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26F3152F-B2ED-4a86-A93A-408864058557}\stubpath = "C:\\Windows\\{26F3152F-B2ED-4a86-A93A-408864058557}.exe"	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}\stubpath = "C:\\Windows\\{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe"	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDA99138-1766-41bb-9DDB-812E84A2116C}\stubpath = "C:\\Windows\\{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe"	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D177561-07E0-49fc-B4EC-F678218B3149}\stubpath = "C:\\Windows\\{5D177561-07E0-49fc-B4EC-F678218B3149}.exe"	{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}\stubpath = "C:\\Windows\\{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe"	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA1A3B5C-1759-4b70-986F-887CFD762C58}	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0B2BC6-2233-488b-837A-3D3036AC63DF}	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26F3152F-B2ED-4a86-A93A-408864058557}	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79872D94-C521-4354-BF65-668C7271717C}\stubpath = "C:\\Windows\\{79872D94-C521-4354-BF65-668C7271717C}.exe"	{26F3152F-B2ED-4a86-A93A-408864058557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFDD498E-DC8C-4304-B35B-9B089DA482BF}	{79872D94-C521-4354-BF65-668C7271717C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFDD498E-DC8C-4304-B35B-9B089DA482BF}\stubpath = "C:\\Windows\\{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe"	{79872D94-C521-4354-BF65-668C7271717C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDA99138-1766-41bb-9DDB-812E84A2116C}	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D177561-07E0-49fc-B4EC-F678218B3149}	{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA1A3B5C-1759-4b70-986F-887CFD762C58}\stubpath = "C:\\Windows\\{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe"	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}\stubpath = "C:\\Windows\\{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe"	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E34E44-8862-449e-A0E8-363DCBB9BD8F}	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe
644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe
632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe
2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe
4084	{79872D94-C521-4354-BF65-668C7271717C}.exe
1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe
1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe
3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe
2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe
1556	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe
1128	{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe
4064	{5D177561-07E0-49fc-B4EC-F678218B3149}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe
File created	C:\Windows\{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe
File created	C:\Windows\{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe
File created	C:\Windows\{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe
File created	C:\Windows\{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe
File created	C:\Windows\{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe
File created	C:\Windows\{26F3152F-B2ED-4a86-A93A-408864058557}.exe	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe
File created	C:\Windows\{79872D94-C521-4354-BF65-668C7271717C}.exe	{26F3152F-B2ED-4a86-A93A-408864058557}.exe
File created	C:\Windows\{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe	{79872D94-C521-4354-BF65-668C7271717C}.exe
File created	C:\Windows\{5D177561-07E0-49fc-B4EC-F678218B3149}.exe	{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe
File created	C:\Windows\{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
File created	C:\Windows\{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2668	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe
Token: SeIncBasePriorityPrivilege	644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe
Token: SeIncBasePriorityPrivilege	632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe
Token: SeIncBasePriorityPrivilege	2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe
Token: SeIncBasePriorityPrivilege	4084	{79872D94-C521-4354-BF65-668C7271717C}.exe
Token: SeIncBasePriorityPrivilege	1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe
Token: SeIncBasePriorityPrivilege	1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe
Token: SeIncBasePriorityPrivilege	3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe
Token: SeIncBasePriorityPrivilege	2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe
Token: SeIncBasePriorityPrivilege	1556	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe
Token: SeIncBasePriorityPrivilege	1128	{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4256	2668	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	90
PID 2668 wrote to memory of 4256	2668	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	90
PID 2668 wrote to memory of 4256	2668	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	90
PID 2668 wrote to memory of 1924	2668	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	91
PID 2668 wrote to memory of 1924	2668	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	91
PID 2668 wrote to memory of 1924	2668	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	91
PID 4256 wrote to memory of 644	4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe	92
PID 4256 wrote to memory of 644	4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe	92
PID 4256 wrote to memory of 644	4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe	92
PID 4256 wrote to memory of 4260	4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe	93
PID 4256 wrote to memory of 4260	4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe	93
PID 4256 wrote to memory of 4260	4256	{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe	93
PID 644 wrote to memory of 632	644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe	96
PID 644 wrote to memory of 632	644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe	96
PID 644 wrote to memory of 632	644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe	96
PID 644 wrote to memory of 556	644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe	95
PID 644 wrote to memory of 556	644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe	95
PID 644 wrote to memory of 556	644	{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe	95
PID 632 wrote to memory of 2432	632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe	97
PID 632 wrote to memory of 2432	632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe	97
PID 632 wrote to memory of 2432	632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe	97
PID 632 wrote to memory of 5088	632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe	98
PID 632 wrote to memory of 5088	632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe	98
PID 632 wrote to memory of 5088	632	{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe	98
PID 2432 wrote to memory of 4084	2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe	99
PID 2432 wrote to memory of 4084	2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe	99
PID 2432 wrote to memory of 4084	2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe	99
PID 2432 wrote to memory of 768	2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe	100
PID 2432 wrote to memory of 768	2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe	100
PID 2432 wrote to memory of 768	2432	{26F3152F-B2ED-4a86-A93A-408864058557}.exe	100
PID 4084 wrote to memory of 1376	4084	{79872D94-C521-4354-BF65-668C7271717C}.exe	101
PID 4084 wrote to memory of 1376	4084	{79872D94-C521-4354-BF65-668C7271717C}.exe	101
PID 4084 wrote to memory of 1376	4084	{79872D94-C521-4354-BF65-668C7271717C}.exe	101
PID 4084 wrote to memory of 1600	4084	{79872D94-C521-4354-BF65-668C7271717C}.exe	102
PID 4084 wrote to memory of 1600	4084	{79872D94-C521-4354-BF65-668C7271717C}.exe	102
PID 4084 wrote to memory of 1600	4084	{79872D94-C521-4354-BF65-668C7271717C}.exe	102
PID 1376 wrote to memory of 1752	1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe	103
PID 1376 wrote to memory of 1752	1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe	103
PID 1376 wrote to memory of 1752	1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe	103
PID 1376 wrote to memory of 2692	1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe	104
PID 1376 wrote to memory of 2692	1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe	104
PID 1376 wrote to memory of 2692	1376	{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe	104
PID 1752 wrote to memory of 3136	1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe	105
PID 1752 wrote to memory of 3136	1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe	105
PID 1752 wrote to memory of 3136	1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe	105
PID 1752 wrote to memory of 2776	1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe	106
PID 1752 wrote to memory of 2776	1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe	106
PID 1752 wrote to memory of 2776	1752	{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe	106
PID 3136 wrote to memory of 2244	3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe	107
PID 3136 wrote to memory of 2244	3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe	107
PID 3136 wrote to memory of 2244	3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe	107
PID 3136 wrote to memory of 3216	3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe	108
PID 3136 wrote to memory of 3216	3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe	108
PID 3136 wrote to memory of 3216	3136	{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe	108
PID 2244 wrote to memory of 1556	2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe	109
PID 2244 wrote to memory of 1556	2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe	109
PID 2244 wrote to memory of 1556	2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe	109
PID 2244 wrote to memory of 1632	2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe	110
PID 2244 wrote to memory of 1632	2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe	110
PID 2244 wrote to memory of 1632	2244	{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe	110
PID 1556 wrote to memory of 1128	1556	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe	111
PID 1556 wrote to memory of 1128	1556	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe	111
PID 1556 wrote to memory of 1128	1556	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe	111
PID 1556 wrote to memory of 3324	1556	{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe
  C:\Windows\{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe
    C:\Windows\{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA1A3~1.EXE > nul
      4⤵
      PID:556
  - - C:\Windows\{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe
      C:\Windows\{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\{26F3152F-B2ED-4a86-A93A-408864058557}.exe
        
        C:\Windows\{26F3152F-B2ED-4a86-A93A-408864058557}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\{79872D94-C521-4354-BF65-668C7271717C}.exe
        
        C:\Windows\{79872D94-C521-4354-BF65-668C7271717C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe
        
        C:\Windows\{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe
        
        C:\Windows\{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe
        
        C:\Windows\{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe
        
        C:\Windows\{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe
        
        C:\Windows\{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe
        
        C:\Windows\{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{5D177561-07E0-49fc-B4EC-F678218B3149}.exe
        
        C:\Windows\{5D177561-07E0-49fc-B4EC-F678218B3149}.exe
        13⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70E34~1.EXE > nul
        13⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEBCD~1.EXE > nul
        12⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDA99~1.EXE > nul
        11⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64442~1.EXE > nul
        10⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E96A1~1.EXE > nul
        9⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFDD4~1.EXE > nul
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79872~1.EXE > nul
        7⤵
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26F31~1.EXE > nul
        6⤵
        
        PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0B2~1.EXE > nul
        5⤵
        
        PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2AB1~1.EXE > nul
    3⤵
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26F3152F-B2ED-4a86-A93A-408864058557}.exe

Filesize
197KB

MD5
48c5f3c18c35b371a52b01225b0e23c8

SHA1
47c7369c48e9d5623c0926264c922e8472b2ef8d

SHA256
a763cd46d6148ca6e93914f4f1e4e5ac57c8e6031cecd6396e8542349d2c5324

SHA512
4893bdb590016e0f2cbdff97af544a7ffd209515ea76acc67d8851435e7032962b7e6b9f0b9cbfde8510e4e241591b5c0b7abb54b6cbd44c5f0be077bee2e10b

Download Submit
C:\Windows\{5D177561-07E0-49fc-B4EC-F678218B3149}.exe

Filesize
197KB

MD5
86e3e1cd4858857a7a9dfa86bad5711b

SHA1
eb417f9bc693b573cbe6adc55ae69bfba8507341

SHA256
4e4a5e81febddc01c936dfc03e76848e01510dbe4d7f701e7176d9b0befc79dd

SHA512
d9193830361bbf5f3a1ad791d2e7090481040f4fda4cbf7d31663ec6aae4d168a465d643886f1b0038c78fdad02fc175cdca81d907fdffd48907d970c8e1534e

Download Submit
C:\Windows\{644420F7-F7AC-4d08-8D58-778A7C4ED9FB}.exe

Filesize
197KB

MD5
1dbfa9075cee65fc4c61628cefdf9476

SHA1
329f3fee54f04cd2478488b81d8a32fcfbf5e1e4

SHA256
79c2588dacf52c6d27e967a150ae35131f97e9aed1fe073e94669224099a584e

SHA512
28642965ac7cee7dc7824ebcbe5830e373bbb1f0082be4d6be960a8b747397507b18cd8b56b70299cbb3712c9fb496c28b3817f019ab4b392a60f487fc4a14a1

Download Submit
C:\Windows\{70E34E44-8862-449e-A0E8-363DCBB9BD8F}.exe

Filesize
197KB

MD5
3334864ac41f0bb71e9cb333ef802b5c

SHA1
c5d23def5d7e24be2108b2a69d2660ebfcc1e3e5

SHA256
958a74ce420c3a17b87a0b277f5f5273b05a99760b283dfc492f3bfc112f9a56

SHA512
baf354dfa1a6c608e130c7c00c596ad27fa01d611c6951c074f3825c58ba66cc6318c75224ab2cf8e3c8645300238b0829afc0a0503ed26f1d22dab59c793916

Download Submit
C:\Windows\{79872D94-C521-4354-BF65-668C7271717C}.exe

Filesize
197KB

MD5
c43a265405b881784aa497e92e5f4d18

SHA1
45d4778eabbebeae95df859438c7b4c146d2c94a

SHA256
78fe67e16b84bc53631d072a4eb34c9e7e8fe2a3cfce8cb0f61858bdc4d467e3

SHA512
35dd21d5d6b4495d7863e72fd50a728b560503c73f7c7d3909060e240aaf666d8fe90d81e5b59eb8315757f8095c1f1d0dbf367ac1d1c11fba350eb6336b90dd

Download Submit
C:\Windows\{B2AB1B3D-44B5-4fa5-992F-7F206A6F4746}.exe

Filesize
197KB

MD5
74a425f2b808bfce1bd0aaca74c6e298

SHA1
d8a2f4597b70f7133f2a9fb06241f760668205a7

SHA256
efd6582879e5d35d6df0530b3b5ae23b69489fc9ad9e52169ace907281162d8a

SHA512
d3b7b0bda151b50acafa4e3dad1fa33fe587137084c6257d2e5fac766254e609dcebba730abe7daf67235a01b1a936690ae73e8bdb3ab126c704dbdf207861d2

Download Submit
C:\Windows\{DDA99138-1766-41bb-9DDB-812E84A2116C}.exe

Filesize
197KB

MD5
599e8727d0fceddb072f75cf068580e2

SHA1
2b718e78b6566a9f9e728ff8f2b90f9f83938336

SHA256
de478c357d85d0113a778e41e45d0f932a2a264cb31d6d23b425a4b9bb654237

SHA512
9c747bfe310cc090a9c4304c64011feeb2e05fd7ed400328dd302e5dbb0659224fab8081e1a2bf23cfd4e22da73b4f09cd64988eba5eabff5f1119c06febbec2

Download Submit
C:\Windows\{DEBCDA06-0F59-4dba-9327-BE9AF6B1879B}.exe

Filesize
197KB

MD5
5a687f2e9a1e91784da71b29c1495a49

SHA1
1ef1b9c19a4ad105316801966d3c729460a92063

SHA256
01d27db657e57f8f46b22334db62e03368f97d28508bf55a5aad3335cb760973

SHA512
12c775739d2a5e6d56cdbeac7bed402192cf80a807ea03c4325412888ebad2d04c00fe5e2b840a3e91233d12205503a6f5836d0d8450deeb9cd7ed0a2824f48a

Download Submit
C:\Windows\{DFDD498E-DC8C-4304-B35B-9B089DA482BF}.exe

Filesize
197KB

MD5
8d7aca4765b85e1aa71c01613de863e8

SHA1
ad30aa44e05b4aa04711c05be0e5fa09f224c521

SHA256
bd581a8d21c278d77f5398adf752e2999a732296fa1e4c915ea775c1bc68bb45

SHA512
3a71a9fada41a36943e654283e602138f9752c7dee21fc6a6ec6be37a0fecd81f4078389345e966029f30cc5f95a4f89efd0a4c794525dff4dc22e4e7b777bcd

Download Submit
C:\Windows\{E96A1C77-5DEB-4bf2-A91B-CFE307A487D4}.exe

Filesize
197KB

MD5
e1105b9050b25814b3149ea292570ccb

SHA1
b79a1d46ac67896c43517fb6f385a9d91f15b1e3

SHA256
2e7871c3784275cb638325cb24b647fdcaa4f79558258468b35766aee0dcd597

SHA512
3c76dd048015b24e5e39b0180c768e039553e2ae9ddc47a20c241d50e9bc23f02d137c7d8eeea01d2c2982dbf13bbb6d74f275b6e938e339dddf01e8e702b03d

Download Submit
C:\Windows\{FA1A3B5C-1759-4b70-986F-887CFD762C58}.exe

Filesize
197KB

MD5
64d8bb4092360dad4931b3b4dca23f14

SHA1
1f5aace2484dbe5719eaae179d278bed20a65e0d

SHA256
5f405fd6a838203ae6d19248719facf5d2754a4072ad3228dba59c18559f08ea

SHA512
a1430883e32442e0d5d75fab9f5be2054689bd8f76537d0ebc1de0423e35765666a25085f53b46d9b9fbb911fa642b9c781c29106312cacb54a99cdd848fc662

Download Submit
C:\Windows\{FC0B2BC6-2233-488b-837A-3D3036AC63DF}.exe

Filesize
197KB

MD5
8e6dd7676f11e51d1609e194a0674e03

SHA1
aa083beb8a1d9f5a38f0d005214d825f17f3f98e

SHA256
c24b03d743d292b1182b778a459a828ee30d747c230ec48d49082a59a41e6889

SHA512
cf039f14db3a360e2421743f0ab825b42b541a46c73aa04200f480ab2ac1eae4cc03b082fc923d6e369aea8c12b899cc52b2bad36ac5b95a0360b1a9d1dfb7b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads