5d182a7e7aa16c3952cdffa1292294172d2eaaddfd654144415364a4e86fe7be

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe
Size

197KB
MD5

97ff93b5619406f9ceac5e5f2185f398
SHA1

bdb5adcf7c488857c5ee25184af31966bd989613
SHA256

5d182a7e7aa16c3952cdffa1292294172d2eaaddfd654144415364a4e86fe7be
SHA512

69c91e6a5ea1cb184be19a78418ce429aee48bc9e40379da39d12c6fde821f403547c83580d65e7d1da08c2ef22634b632dd09e68a7cdee648150a5068ce8e98
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG6lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023219-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e75f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023228-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e75f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e75f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F08BB3-D4C6-4357-8A98-EC55E77461B2}	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F08BB3-D4C6-4357-8A98-EC55E77461B2}\stubpath = "C:\\Windows\\{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe"	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22C9B304-797F-4279-9445-FA99826268D4}	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22C9B304-797F-4279-9445-FA99826268D4}\stubpath = "C:\\Windows\\{22C9B304-797F-4279-9445-FA99826268D4}.exe"	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}\stubpath = "C:\\Windows\\{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe"	{15C663DA-C173-4ee8-8181-B573037FE063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FEF664D-3C54-4531-82AF-F6168373E933}	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7AE8419-8540-418a-8280-07A081D422F7}	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}\stubpath = "C:\\Windows\\{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe"	{E7AE8419-8540-418a-8280-07A081D422F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDB24131-2CB9-449a-87DA-4322EED21084}	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C663DA-C173-4ee8-8181-B573037FE063}	{22C9B304-797F-4279-9445-FA99826268D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}	{15C663DA-C173-4ee8-8181-B573037FE063}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{783AF1AC-72F5-4700-8F7B-0DF918467BD5}\stubpath = "C:\\Windows\\{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe"	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}\stubpath = "C:\\Windows\\{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe"	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C663DA-C173-4ee8-8181-B573037FE063}\stubpath = "C:\\Windows\\{15C663DA-C173-4ee8-8181-B573037FE063}.exe"	{22C9B304-797F-4279-9445-FA99826268D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FEF664D-3C54-4531-82AF-F6168373E933}\stubpath = "C:\\Windows\\{9FEF664D-3C54-4531-82AF-F6168373E933}.exe"	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}	{E7AE8419-8540-418a-8280-07A081D422F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}	{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}\stubpath = "C:\\Windows\\{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}.exe"	{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}\stubpath = "C:\\Windows\\{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe"	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDB24131-2CB9-449a-87DA-4322EED21084}\stubpath = "C:\\Windows\\{FDB24131-2CB9-449a-87DA-4322EED21084}.exe"	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{783AF1AC-72F5-4700-8F7B-0DF918467BD5}	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7AE8419-8540-418a-8280-07A081D422F7}\stubpath = "C:\\Windows\\{E7AE8419-8540-418a-8280-07A081D422F7}.exe"	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe

Executes dropped EXE 12 IoCs

pid	Process
3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe
428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe
4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe
3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe
1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe
1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe
3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe
4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe
4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe
1612	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe
4008	{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe
2616	{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe	{15C663DA-C173-4ee8-8181-B573037FE063}.exe
File created	C:\Windows\{9FEF664D-3C54-4531-82AF-F6168373E933}.exe	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe
File created	C:\Windows\{E7AE8419-8540-418a-8280-07A081D422F7}.exe	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe
File created	C:\Windows\{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe	{E7AE8419-8540-418a-8280-07A081D422F7}.exe
File created	C:\Windows\{FDB24131-2CB9-449a-87DA-4322EED21084}.exe	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe
File created	C:\Windows\{15C663DA-C173-4ee8-8181-B573037FE063}.exe	{22C9B304-797F-4279-9445-FA99826268D4}.exe
File created	C:\Windows\{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe
File created	C:\Windows\{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe
File created	C:\Windows\{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe
File created	C:\Windows\{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}.exe	{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe
File created	C:\Windows\{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe
File created	C:\Windows\{22C9B304-797F-4279-9445-FA99826268D4}.exe	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2672	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe
Token: SeIncBasePriorityPrivilege	428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe
Token: SeIncBasePriorityPrivilege	4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe
Token: SeIncBasePriorityPrivilege	3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe
Token: SeIncBasePriorityPrivilege	1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe
Token: SeIncBasePriorityPrivilege	1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe
Token: SeIncBasePriorityPrivilege	3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe
Token: SeIncBasePriorityPrivilege	4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe
Token: SeIncBasePriorityPrivilege	4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe
Token: SeIncBasePriorityPrivilege	1612	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe
Token: SeIncBasePriorityPrivilege	4008	{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3316	2672	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe	90
PID 2672 wrote to memory of 3316	2672	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe	90
PID 2672 wrote to memory of 3316	2672	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe	90
PID 2672 wrote to memory of 412	2672	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe	91
PID 2672 wrote to memory of 412	2672	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe	91
PID 2672 wrote to memory of 412	2672	2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe	91
PID 3316 wrote to memory of 428	3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe	94
PID 3316 wrote to memory of 428	3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe	94
PID 3316 wrote to memory of 428	3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe	94
PID 3316 wrote to memory of 3832	3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe	95
PID 3316 wrote to memory of 3832	3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe	95
PID 3316 wrote to memory of 3832	3316	{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe	95
PID 428 wrote to memory of 4888	428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe	98
PID 428 wrote to memory of 4888	428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe	98
PID 428 wrote to memory of 4888	428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe	98
PID 428 wrote to memory of 2464	428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe	97
PID 428 wrote to memory of 2464	428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe	97
PID 428 wrote to memory of 2464	428	{FDB24131-2CB9-449a-87DA-4322EED21084}.exe	97
PID 4888 wrote to memory of 3280	4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe	99
PID 4888 wrote to memory of 3280	4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe	99
PID 4888 wrote to memory of 3280	4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe	99
PID 4888 wrote to memory of 3528	4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe	100
PID 4888 wrote to memory of 3528	4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe	100
PID 4888 wrote to memory of 3528	4888	{22C9B304-797F-4279-9445-FA99826268D4}.exe	100
PID 3280 wrote to memory of 1676	3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe	101
PID 3280 wrote to memory of 1676	3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe	101
PID 3280 wrote to memory of 1676	3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe	101
PID 3280 wrote to memory of 3940	3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe	102
PID 3280 wrote to memory of 3940	3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe	102
PID 3280 wrote to memory of 3940	3280	{15C663DA-C173-4ee8-8181-B573037FE063}.exe	102
PID 1676 wrote to memory of 1528	1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe	103
PID 1676 wrote to memory of 1528	1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe	103
PID 1676 wrote to memory of 1528	1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe	103
PID 1676 wrote to memory of 1228	1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe	104
PID 1676 wrote to memory of 1228	1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe	104
PID 1676 wrote to memory of 1228	1676	{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe	104
PID 1528 wrote to memory of 3680	1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe	105
PID 1528 wrote to memory of 3680	1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe	105
PID 1528 wrote to memory of 3680	1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe	105
PID 1528 wrote to memory of 4404	1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe	106
PID 1528 wrote to memory of 4404	1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe	106
PID 1528 wrote to memory of 4404	1528	{9FEF664D-3C54-4531-82AF-F6168373E933}.exe	106
PID 3680 wrote to memory of 4540	3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe	107
PID 3680 wrote to memory of 4540	3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe	107
PID 3680 wrote to memory of 4540	3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe	107
PID 3680 wrote to memory of 3632	3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe	108
PID 3680 wrote to memory of 3632	3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe	108
PID 3680 wrote to memory of 3632	3680	{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe	108
PID 4540 wrote to memory of 4532	4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe	109
PID 4540 wrote to memory of 4532	4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe	109
PID 4540 wrote to memory of 4532	4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe	109
PID 4540 wrote to memory of 3548	4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe	110
PID 4540 wrote to memory of 3548	4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe	110
PID 4540 wrote to memory of 3548	4540	{E7AE8419-8540-418a-8280-07A081D422F7}.exe	110
PID 4532 wrote to memory of 1612	4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe	111
PID 4532 wrote to memory of 1612	4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe	111
PID 4532 wrote to memory of 1612	4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe	111
PID 4532 wrote to memory of 3844	4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe	112
PID 4532 wrote to memory of 3844	4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe	112
PID 4532 wrote to memory of 3844	4532	{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe	112
PID 1612 wrote to memory of 4008	1612	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe	113
PID 1612 wrote to memory of 4008	1612	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe	113
PID 1612 wrote to memory of 4008	1612	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe	113
PID 1612 wrote to memory of 1540	1612	{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_97ff93b5619406f9ceac5e5f2185f398_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe
  C:\Windows\{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\{FDB24131-2CB9-449a-87DA-4322EED21084}.exe
    C:\Windows\{FDB24131-2CB9-449a-87DA-4322EED21084}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FDB24~1.EXE > nul
      4⤵
      PID:2464
  - - C:\Windows\{22C9B304-797F-4279-9445-FA99826268D4}.exe
      C:\Windows\{22C9B304-797F-4279-9445-FA99826268D4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\{15C663DA-C173-4ee8-8181-B573037FE063}.exe
        
        C:\Windows\{15C663DA-C173-4ee8-8181-B573037FE063}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe
        
        C:\Windows\{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{9FEF664D-3C54-4531-82AF-F6168373E933}.exe
        
        C:\Windows\{9FEF664D-3C54-4531-82AF-F6168373E933}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe
        
        C:\Windows\{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\{E7AE8419-8540-418a-8280-07A081D422F7}.exe
        
        C:\Windows\{E7AE8419-8540-418a-8280-07A081D422F7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe
        
        C:\Windows\{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe
        
        C:\Windows\{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe
        
        C:\Windows\{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}.exe
        
        C:\Windows\{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}.exe
        13⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FA52~1.EXE > nul
        13⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F08~1.EXE > nul
        12⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07492~1.EXE > nul
        11⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7AE8~1.EXE > nul
        10⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{783AF~1.EXE > nul
        9⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FEF6~1.EXE > nul
        8⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2BEA~1.EXE > nul
        7⤵
        
        PID:1228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C66~1.EXE > nul
        6⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22C9B~1.EXE > nul
        5⤵
        
        PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{05E91~1.EXE > nul
    3⤵
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04E6AA89-3DD7-4771-98F6-A20D07F2C9FD}.exe

Filesize
197KB

MD5
0a1095209de0da32ccc18ed15d0545b5

SHA1
cf6ab585b5b7e76f8fd90630918dd7feefdf2344

SHA256
2bdae053d70a33c4e44242ea622ead337c9f0a876acb069287dfe2a363b23e3f

SHA512
4a512e87c86d8c102b5e864c32e00395a1d4b65299220f9801956d48ec12b3549e8582c91d3a416ad26fa9425f9bd3d3af7a3765584f16cc5f095c1ac425b99d

Download Submit
C:\Windows\{05E91130-7DC8-4a00-A2E5-5E24D4A59B7B}.exe

Filesize
197KB

MD5
5bb6aa701110a88a954bf2dfadcdd776

SHA1
6f8a0700ef9b6bac02468ba989a36f638a20e285

SHA256
f53a5a28375b8f762ac9d286199ef8b1dc8008c0943c8aa58beb8e7aebd07eef

SHA512
54a81b8c19be9e943702b9bf9782193a0e3f6507e9435ccf5abfdb181675a568132d90a285d0313e42725c9e0705e466d9633631fac18289696ebfed1cfcdf04

Download Submit
C:\Windows\{07492ABA-0EDD-436a-8BEB-6014CF1AD7E0}.exe

Filesize
197KB

MD5
3888398932cb5076d5e36040f165de88

SHA1
df0457144ccee1c988fe60abba804371bb32469e

SHA256
f0a06c4d7bdd35dafcba2b1a2711aeaa51d163ca9db82bd7d832071b746ea955

SHA512
984ef193680f2133a38de49e2672a43640bf0716793bff21db767b3def122dc8fca4376dc989e2bd7a41c8a395d3f042101528a461ecdb9f65f4d4ce33c37aba

Download Submit
C:\Windows\{15C663DA-C173-4ee8-8181-B573037FE063}.exe

Filesize
197KB

MD5
f10e96fc49e202a4d783dc579c781f21

SHA1
c121c11e98c84649d43570a5c6d7a6f35a83df58

SHA256
bf661f56f35494016d1fd983df6676943f39f46eab6d71b235032aa52ffbea45

SHA512
d432606df7996c37640f46423e68ea9575d4e64ce6253dfd1491f37e16a68605a9f936ef1f0b0546466e6e2ec965973897e42d64b82249e72d10454bc94aca37

Download Submit
C:\Windows\{22C9B304-797F-4279-9445-FA99826268D4}.exe

Filesize
197KB

MD5
43e38b9e8f4aa9fa0d5571a4f4bee56f

SHA1
43a4aed94b0f5db768c2e3d3157dcdb23916b171

SHA256
ceac96226c91993c0ebb4d7e22c303e10e94e95d9c812a05a956120565a09b4e

SHA512
ed114c564d1949b95577c4e5ee4302c1699a3f6dbc30d941def6c54e9ef8a594b01d8f2bcdefa11ef0e6737488088a035aa3f8a005287726c6596f52ddef224f

Download Submit
C:\Windows\{783AF1AC-72F5-4700-8F7B-0DF918467BD5}.exe

Filesize
197KB

MD5
f30878376a8b6f78c7680842d97dbd60

SHA1
500fde24e686145ffafbaa29dda8d9b859ce316f

SHA256
244461ac15d99d5bcae713aedec1b0239962e829fc66297e48209a4ba245893e

SHA512
66ede0ea583a19c39c53b19b095b2e9fce8adb1f7b7682077bd72a351466734c0157da820a21d5b92cdd412d808c4663ad637b1f28475d7c60a429eb0d0a79ce

Download Submit
C:\Windows\{7FA525FF-694D-4bd5-A4C9-FCBBA593A8E5}.exe

Filesize
197KB

MD5
0236ef2c8e6dd2eee6600a68876705b0

SHA1
a36fd89f7245ad585eba00a3efb39ec7e642b403

SHA256
c07d59cdf4aac66a7509f25a4a857b5f1a78908dd3c40c1b984b8a8516ae5152

SHA512
8df4b0d2da5cd27a00bcb46a832782f52526cc7f385a061cbf5bf3d8a88ffe1fa31978882d3b5e9507e6b5470f1215c630be97ca8673d9706cf88f9da4b52958

Download Submit
C:\Windows\{83F08BB3-D4C6-4357-8A98-EC55E77461B2}.exe

Filesize
197KB

MD5
39f55a89f57c75ebb33108d24b50ac3c

SHA1
ea0d19b9c245d23a9949c7a4a1067c9cc908fb51

SHA256
ee7e0c6854c5e0eb3f22b194d13712f19177b3af6d5350e2cd8c438807ec35ba

SHA512
134fa705dd09d85cfec14e945ee0b8dd4e5c5d2430234e5a6ec02401067f7d9ed911140ab9a436426e0a452bc707b9256021f30756ac2f49a5ab076d2dc67b92

Download Submit
C:\Windows\{9FEF664D-3C54-4531-82AF-F6168373E933}.exe

Filesize
197KB

MD5
1c239249dffc45045898048d18499db1

SHA1
a6160defcc90c4fd810fbe3fdcb4bca143b94fd9

SHA256
f1a199fce95f211f362b41ffa7355fd27efadde10a1bc99790215851dbf6ffde

SHA512
09aa34d417a4ebfb39189f1693339a2c0a0b78b0991e69db6a9b69258b94cc7f1e1c3ff5a0973b067d6b902884715c3a5aa820a9396bfa20a5da3fa16eacfcb4

Download Submit
C:\Windows\{E2BEA9AC-A7B6-4a4b-A1BC-BABD2B07B30F}.exe

Filesize
197KB

MD5
ba36e8f2281ccdcfa660272e1dd37f51

SHA1
a2fe82de227b484b95f872c4a47596ff18279f24

SHA256
a217f5d0aaf718d83b84db5f6e0f517b9f7f0f304639fc69065b607fc6806166

SHA512
61fb5f07a81067431fd2d0c6f7486a9a4f720faab28717d47990c62030a4b7d974eabbd14bfca0854ff1c886e255432d6d359af36b413b2d8ce68f029ca272e5

Download Submit
C:\Windows\{E7AE8419-8540-418a-8280-07A081D422F7}.exe

Filesize
197KB

MD5
19f3b9918236cfb2cf02e08459304fde

SHA1
d758a9a8b333dc3c4bee30842bf01afd2f83ca7d

SHA256
82b0d589bb847a29f5b0249af32e48c002e6cf14976f17ca77dcbd00ba2b36b3

SHA512
0b8e82b0adad0ce4b89b2fe4b488ed33d6da7bba41168e43cff7aba31292ed31973e960f1e8324e260e56d468d7447b890df3887b81a31fa928d3cd95c525464

Download Submit
C:\Windows\{FDB24131-2CB9-449a-87DA-4322EED21084}.exe

Filesize
197KB

MD5
00e25416af922feab0284640b1560c38

SHA1
126a61e4a3801f32391e20e50824fd8d9b87cfc2

SHA256
804643c45a079bbb6b68e66961db3f3d9ee3abaffb46b038749d52ccc548b343

SHA512
9fc22259dc1855f2021c2b3d0b28530b79ed07b527a18fbdc3ac575a2acff2984c81504916b730805e5feb4531f25169776701b963cac4745a07feb953cbd27a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads