Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/02/2024, 05:43
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
  Resource: win10v2004-20231215-en
General

Target: 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
Size: 408KB
MD5: 9c11706bf5946f6d22b7f731c75eb97c
SHA1: 1e76f30a91cdb725ad7e7773edbc875244265dc8
SHA256: 0f0a6713e66dd418ddeac4e53f14147de1016e44a14f5fa033b64393677be973
SHA512: 57fa26619233048937c2192241d2ecac8c869c6a6bdabaef906f7e35aec749a3f01c7dc0f6557209079b8db8e71c719d9b92aff3abe9a571ea64998333dca63d
SSDEEP: 3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG1ldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule (12 IoCs)

resource | yara_rule
behavioral2/files/0x000600000002321f-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023123-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322d-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023123-13.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d92-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d93-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db1b-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A}\stubpath = "C:\\Windows\\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe" | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}\stubpath = "C:\\Windows\\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe" | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E04AF6-7ACA-402c-BC21-8081C0174A89}\stubpath = "C:\\Windows\\{19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe" | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470CEB5D-3D96-4106-8EE6-CE54D1896884} | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BADC034-F10F-4199-B170-13D39519DE73} | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}\stubpath = "C:\\Windows\\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe" | {7BADC034-F10F-4199-B170-13D39519DE73}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A01D1E-2706-4963-BCED-9A3658084BB3} | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A01D1E-2706-4963-BCED-9A3658084BB3}\stubpath = "C:\\Windows\\{C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe" | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9} | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}\stubpath = "C:\\Windows\\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe" | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A} | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75099AB3-9553-412e-BC3E-67D51D97A67E} | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1} | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9} | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}\stubpath = "C:\\Windows\\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe" | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E04AF6-7ACA-402c-BC21-8081C0174A89} | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75099AB3-9553-412e-BC3E-67D51D97A67E}\stubpath = "C:\\Windows\\{75099AB3-9553-412e-BC3E-67D51D97A67E}.exe" | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470CEB5D-3D96-4106-8EE6-CE54D1896884}\stubpath = "C:\\Windows\\{470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe" | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BADC034-F10F-4199-B170-13D39519DE73}\stubpath = "C:\\Windows\\{7BADC034-F10F-4199-B170-13D39519DE73}.exe" | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1} | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}\stubpath = "C:\\Windows\\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe" | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF} | {7BADC034-F10F-4199-B170-13D39519DE73}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB} | {8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}\stubpath = "C:\\Windows\\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}.exe" | {8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
Executes dropped EXE (12 IoCs)

pid | Process
4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe
4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
4456 | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
1404 | {8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
900 | {0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}.exe
Drops file in Windows directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\{C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
File created | C:\Windows\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
File created | C:\Windows\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}.exe | {8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
File created | C:\Windows\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
File created | C:\Windows\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe | {7BADC034-F10F-4199-B170-13D39519DE73}.exe
File created | C:\Windows\{75099AB3-9553-412e-BC3E-67D51D97A67E}.exe | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
File created | C:\Windows\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
File created | C:\Windows\{470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
File created | C:\Windows\{7BADC034-F10F-4199-B170-13D39519DE73}.exe | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
File created | C:\Windows\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
File created | C:\Windows\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
File created | C:\Windows\{19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 3308 | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
Token: SeIncBasePriorityPrivilege | 2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
Token: SeIncBasePriorityPrivilege | 1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
Token: SeIncBasePriorityPrivilege | 1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
Token: SeIncBasePriorityPrivilege | 4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
Token: SeIncBasePriorityPrivilege | 2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
Token: SeIncBasePriorityPrivilege | 4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe
Token: SeIncBasePriorityPrivilege | 4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
Token: SeIncBasePriorityPrivilege | 4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
Token: SeIncBasePriorityPrivilege | 4456 | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
Token: SeIncBasePriorityPrivilege | 1404 | {8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 3308 wrote to memory of 4028 | 3308 | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe | 89
PID 3308 wrote to memory of 4028 | 3308 | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe | 89
PID 3308 wrote to memory of 4028 | 3308 | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe | 89
PID 3308 wrote to memory of 1168 | 3308 | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe | 90
PID 3308 wrote to memory of 1168 | 3308 | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe | 90
PID 3308 wrote to memory of 1168 | 3308 | 2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe | 90
PID 4028 wrote to memory of 2344 | 4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe | 93
PID 4028 wrote to memory of 2344 | 4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe | 93
PID 4028 wrote to memory of 2344 | 4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe | 93
PID 4028 wrote to memory of 1344 | 4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe | 94
PID 4028 wrote to memory of 1344 | 4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe | 94
PID 4028 wrote to memory of 1344 | 4028 | {D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe | 94
PID 2344 wrote to memory of 1016 | 2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe | 96
PID 2344 wrote to memory of 1016 | 2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe | 96
PID 2344 wrote to memory of 1016 | 2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe | 96
PID 2344 wrote to memory of 3176 | 2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe | 97
PID 2344 wrote to memory of 3176 | 2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe | 97
PID 2344 wrote to memory of 3176 | 2344 | {1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe | 97
PID 1016 wrote to memory of 1356 | 1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe | 98
PID 1016 wrote to memory of 1356 | 1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe | 98
PID 1016 wrote to memory of 1356 | 1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe | 98
PID 1016 wrote to memory of 4340 | 1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe | 99
PID 1016 wrote to memory of 4340 | 1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe | 99
PID 1016 wrote to memory of 4340 | 1016 | {19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe | 99
PID 1356 wrote to memory of 4452 | 1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe | 100
PID 1356 wrote to memory of 4452 | 1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe | 100
PID 1356 wrote to memory of 4452 | 1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe | 100
PID 1356 wrote to memory of 4544 | 1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe | 101
PID 1356 wrote to memory of 4544 | 1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe | 101
PID 1356 wrote to memory of 4544 | 1356 | {75099AB3-9553-412e-BC3E-67D51D97A67E}.exe | 101
PID 4452 wrote to memory of 2928 | 4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe | 102
PID 4452 wrote to memory of 2928 | 4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe | 102
PID 4452 wrote to memory of 2928 | 4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe | 102
PID 4452 wrote to memory of 968 | 4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe | 103
PID 4452 wrote to memory of 968 | 4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe | 103
PID 4452 wrote to memory of 968 | 4452 | {CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe | 103
PID 2928 wrote to memory of 4532 | 2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe | 104
PID 2928 wrote to memory of 4532 | 2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe | 104
PID 2928 wrote to memory of 4532 | 2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe | 104
PID 2928 wrote to memory of 4944 | 2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe | 105
PID 2928 wrote to memory of 4944 | 2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe | 105
PID 2928 wrote to memory of 4944 | 2928 | {470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe | 105
PID 4532 wrote to memory of 4580 | 4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe | 106
PID 4532 wrote to memory of 4580 | 4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe | 106
PID 4532 wrote to memory of 4580 | 4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe | 106
PID 4532 wrote to memory of 828 | 4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe | 107
PID 4532 wrote to memory of 828 | 4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe | 107
PID 4532 wrote to memory of 828 | 4532 | {7BADC034-F10F-4199-B170-13D39519DE73}.exe | 107
PID 4580 wrote to memory of 4616 | 4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe | 108
PID 4580 wrote to memory of 4616 | 4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe | 108
PID 4580 wrote to memory of 4616 | 4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe | 108
PID 4580 wrote to memory of 4336 | 4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe | 109
PID 4580 wrote to memory of 4336 | 4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe | 109
PID 4580 wrote to memory of 4336 | 4580 | {1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe | 109
PID 4616 wrote to memory of 4456 | 4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe | 110
PID 4616 wrote to memory of 4456 | 4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe | 110
PID 4616 wrote to memory of 4456 | 4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe | 110
PID 4616 wrote to memory of 4404 | 4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe | 111
PID 4616 wrote to memory of 4404 | 4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe | 111
PID 4616 wrote to memory of 4404 | 4616 | {A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe | 111
PID 4456 wrote to memory of 1404 | 4456 | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe | 112
PID 4456 wrote to memory of 1404 | 4456 | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe | 112
PID 4456 wrote to memory of 1404 | 4456 | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe | 112
PID 4456 wrote to memory of 1328 | 4456 | {C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe | 113
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe"
  PID: 3308
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
    Command line: C:\Windows\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
    PID: 4028
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
      Command line: C:\Windows\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
      PID: 2344
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\{19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
        Command line: C:\Windows\{19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
        PID: 1016
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\{75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
          Command line: C:\Windows\{75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
          PID: 1356
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
            Command line: C:\Windows\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
            PID: 4452
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\{470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
              Command line: C:\Windows\{470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
              PID: 2928
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\{7BADC034-F10F-4199-B170-13D39519DE73}.exe
                Command line: C:\Windows\{7BADC034-F10F-4199-B170-13D39519DE73}.exe
                PID: 4532
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Windows\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
                  Command line: C:\Windows\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
                  PID: 4580
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  [depth 10] C:\Windows\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
                    Command line: C:\Windows\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
                    PID: 4616
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    [depth 11] C:\Windows\{C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
                      Command line: C:\Windows\{C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
                      PID: 4456
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      [depth 12] C:\Windows\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
                        Command line: C:\Windows\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
                        PID: 1404
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        [depth 13] C:\Windows\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}.exe
                          Command line: C:\Windows\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}.exe
                          PID: 900
                          - Executes dropped EXE
                        [depth 13] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8DDAC~1.EXE > nul
                          PID: 876
                      [depth 12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A01~1.EXE > nul
                        PID: 1328
                    [depth 11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F3F~1.EXE > nul
                      PID: 4404
                  [depth 10] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE4C~1.EXE > nul
                    PID: 4336
                [depth 9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7BADC~1.EXE > nul
                  PID: 828
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{470CE~1.EXE > nul
                PID: 4944
            [depth 7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CE1FD~1.EXE > nul
              PID: 968
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{75099~1.EXE > nul
            PID: 4544
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{19E04~1.EXE > nul
          PID: 4340
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1ABDD~1.EXE > nul
        PID: 3176
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D35B8~1.EXE > nul
      PID: 1344
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 1168
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 408KB
MD5: e3aee002beebd89140c8a5d31bc57134
SHA1: a62e7d7875ee1e79128a73192703806b7d930330
SHA256: cad7782ff1edfda22f978e77d7a220d3484d1a6ff0b85594e1eb2effd8e2355d
SHA512: f6b86e8967b69915b329b1be51ce9d8ea57ec48c5a7052d5c005850ee0c64356cd1f3f21af9da6d4ec82dea3debcc43c3133450fa470be4e43765c31b693d5e8

Filesize: 408KB
MD5: d9b50c211b7bd644b7da03a4bc898f50
SHA1: 171689a8de849e9fc707c3e1074ed1383bfddabd
SHA256: b2ad8bf1f270fc19f20ea4663f6f1ce8963995fde7feb76b3c620462518c93d3
SHA512: 11931b75d7d40f01fd713a5ca8ef49eef660bb3d032f560fcb35ce01b97194fb1c617fac76829465559ddb5b5ed495629e3dad3ee0a951cf65662c8ea66a2d12

Filesize: 408KB
MD5: 8eab295f87f85ca18b7fec2a62ad9f37
SHA1: 08eac8221f59c0e5d643fe0755f09774c8ffa391
SHA256: 0ba256f9623421a751e2e8e1ab69c08ed40fa30732960e1e7e5f9772dc3a0d92
SHA512: a41544e9c78d9a97b0ef99bd3dcd7eeca4c7b6d77014c99e9e963c19f1252190adf81d76227392ce1826b6a85cbbc04c9bacc6e3c5a5c63dffc5f05f1230e50c

Filesize: 408KB
MD5: 1e141651fac13865095bb985d066bef3
SHA1: ed376a9a3b44daecc295f7076bf1147918f5f7d4
SHA256: 943cb434c16aecccf361134a5d2c37882beaa63d2b66f9d71c36276f6a4cb9c5
SHA512: 3dce1892a6e3aedfcf09f782a59abd6e8094f623761379ea36b5754d23c97494d5a32ee58e465d4e485a56ff3a3d2f016189a7cdbebeba042c66ede1e4a88874

Filesize: 408KB
MD5: 1425b45a34101fdc14135bd7eae1fb86
SHA1: 084270c18f7f1571a83b1790f797a611bf8d0362
SHA256: 0636429ad5707cc38c242302b138ee3490fed42ea69095608277fbd06780ada1
SHA512: 7e1460df06e4836ae6033e2a892d80370823bbe581739c21824973ed0b038d6754c1d83a4e84d013da64218c6b9bd1ef5106ff8b81c6a9c0d659048aaf04aef4

Filesize: 408KB
MD5: 345f9d8fddf6a8dd624934438696b904
SHA1: a8f5a0c67818b5536989d9b998a0d5e25d72e9b5
SHA256: e187ee2251d59bf6dab65cf5f2b44e80d9673451dcebc63e3c3d313b6f16fb93
SHA512: ebc21d3697bfbac2cf981dc629edd2ff84c29705b84f4c50bfa849d5ce4ee8f87f26beba8da4e8ac778588c85e5d7aefd0bafa380c1cca9a8741207a4ef5bd04

Filesize: 408KB
MD5: cd835efcb86697666fb05ed5ca275907
SHA1: d54fa8aa20fa2a8decadb6940037f784c903c562
SHA256: 8ec61a834cb37976606df185185181d90947d27f3938861e731013bad15bb3d4
SHA512: e78b1a5eec268115a8b4ddb3d7ccb92a7a4e3dfdcdf30520df689e39f8c0df696803d4eabde44602e491367d028b4b61c60ea929dd5c1b9a36e726049038a798

Filesize: 408KB
MD5: a8dc725eaa479d3574aa11b062ef621b
SHA1: 49dd86d3ef0de8ae360a0940521ebb968246493c
SHA256: e16d8d2e5607521289163395bb45d0753ce4352e963c7465e1504dc8b0a32521
SHA512: e67bbc4cf2b6b268cf23b79b7d9f16833c53745cc9b61da7ddf3607dcbee9c6487a29186de17b9b9320c35c776eed1c4dcfdd86a395994317341e3f5042b1d25

Filesize: 408KB
MD5: c95b9705ca425dfde28e0470d479f1bb
SHA1: b9e152393835828f66d691f29eeeac0a53fafed2
SHA256: d6abfeec5100e4f2ca2ecfb2003d61a3ddc4903ca4d0ec22b2135b0d4203a5f0
SHA512: 5ef6dcbabbd1ff8f46d414cb92477b2c6476b981a7c1f75d6afc288ddeb9cf205a9a194c082b99afa4e30aa4dca0d2b99c80e20b81bc2c7c07e626e67158028d

Filesize: 408KB
MD5: ccfe8a64b72f605945b75378cf0901fe
SHA1: fd43ac2201c79156ade6a99bc2928d950d4b838f
SHA256: f5b57db1b3501a0cce19f3a35e193d13bfa2595aa4b130a77153ff949807cf26
SHA512: 80916f49f0547e0a3716a49242bd3bcd7795c4165ab21551756f67c3a7ea5fc358ae1f39ada9be175ae4ac7bf75eba056bc05ec752fb8cfae80d8dd2a210016a

Filesize: 408KB
MD5: 4c7a901803187bbcc76261762a4b6770
SHA1: a3c7a95e536a4aee4b98518ecc96e1a28e4b6b3b
SHA256: 546fec85cc3ff5da90ae66144092a2a8789b35c0b6dc08adb81fb3226c96384b
SHA512: 13171e30a1bce239478983339055ff12d1545fb0be5c446d966e2b67a86b4b1042692d728b765f83ff09b7c401fb54ade76193f188e406ff6d40c3a48956c9ed

Filesize: 408KB
MD5: 8518e68b08d6ba88739799ddb4bd274e
SHA1: 9048581872524ba1a9833abbacbd4eb39c726784
SHA256: c2c32bf7956dab3dd965b578dbdd5e4a95f619c434f92f5ed4f63195febe4009
SHA512: 1ff66a26baa764503c2a09d6f8daf94b3667ffc4f59e4dfece6ce06489473235a9cbda5fe2fd68e5d85a6d7fccd1931a96339e8cb0c596eadb8e57335fc782ed