52c08b53ab07ac20eafaa262b55c22d221aec2111ca37ed97506afb1c3e7a80d

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 12:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe
Size

168KB
MD5

737a661a09e5e0f595fbb44e1573dbc5
SHA1

1e59bacae2f17e7b51119b84a839c871dd7754cc
SHA256

52c08b53ab07ac20eafaa262b55c22d221aec2111ca37ed97506afb1c3e7a80d
SHA512

d5bf1fef7d64dd53f875c1cfde502b690e8ab850dcc76dc077a5498fb96682beb6d070449b31cc315c3fa80717725ba6e59b1338d48cc744522c225a99ce6ec5
SSDEEP

1536:1EGh0oIlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oIlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e7e2-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e7e2-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e7e2-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{927D172A-8568-40e3-AC67-7F27C027F332}\stubpath = "C:\\Windows\\{927D172A-8568-40e3-AC67-7F27C027F332}.exe"	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69A2E5CA-700C-48fb-ABC3-7625B894459A}	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}\stubpath = "C:\\Windows\\{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe"	{532C4768-0B45-440a-A009-BA97367C37A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7E42DD-4C83-41de-A227-B09100972043}\stubpath = "C:\\Windows\\{8B7E42DD-4C83-41de-A227-B09100972043}.exe"	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}\stubpath = "C:\\Windows\\{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe"	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B333626-7E30-484a-9401-A8C4BDC111FE}	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B333626-7E30-484a-9401-A8C4BDC111FE}\stubpath = "C:\\Windows\\{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe"	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A69AADFE-9C34-4b07-98C5-999EDF759C71}	{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A69AADFE-9C34-4b07-98C5-999EDF759C71}\stubpath = "C:\\Windows\\{A69AADFE-9C34-4b07-98C5-999EDF759C71}.exe"	{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{532C4768-0B45-440a-A009-BA97367C37A9}	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DB43174-B7F9-49d7-9615-4F6EA6159169}	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DB43174-B7F9-49d7-9615-4F6EA6159169}\stubpath = "C:\\Windows\\{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe"	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}\stubpath = "C:\\Windows\\{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe"	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69A2E5CA-700C-48fb-ABC3-7625B894459A}\stubpath = "C:\\Windows\\{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe"	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{532C4768-0B45-440a-A009-BA97367C37A9}\stubpath = "C:\\Windows\\{532C4768-0B45-440a-A009-BA97367C37A9}.exe"	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7E42DD-4C83-41de-A227-B09100972043}	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{927D172A-8568-40e3-AC67-7F27C027F332}	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B26A80A8-90CF-42b6-847E-1A456E1F8021}	{927D172A-8568-40e3-AC67-7F27C027F332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B26A80A8-90CF-42b6-847E-1A456E1F8021}\stubpath = "C:\\Windows\\{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe"	{927D172A-8568-40e3-AC67-7F27C027F332}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}	{532C4768-0B45-440a-A009-BA97367C37A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}	{8B7E42DD-4C83-41de-A227-B09100972043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}\stubpath = "C:\\Windows\\{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe"	{8B7E42DD-4C83-41de-A227-B09100972043}.exe

Executes dropped EXE 12 IoCs

pid	Process
1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe
3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe
3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe
3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe
4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe
4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe
2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe
3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe
4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe
3432	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe
3968	{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe
4476	{A69AADFE-9C34-4b07-98C5-999EDF759C71}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8B7E42DD-4C83-41de-A227-B09100972043}.exe	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe
File created	C:\Windows\{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe
File created	C:\Windows\{A69AADFE-9C34-4b07-98C5-999EDF759C71}.exe	{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe
File created	C:\Windows\{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe
File created	C:\Windows\{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe	{532C4768-0B45-440a-A009-BA97367C37A9}.exe
File created	C:\Windows\{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe
File created	C:\Windows\{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe	{927D172A-8568-40e3-AC67-7F27C027F332}.exe
File created	C:\Windows\{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe
File created	C:\Windows\{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe
File created	C:\Windows\{532C4768-0B45-440a-A009-BA97367C37A9}.exe	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe
File created	C:\Windows\{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe	{8B7E42DD-4C83-41de-A227-B09100972043}.exe
File created	C:\Windows\{927D172A-8568-40e3-AC67-7F27C027F332}.exe	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2832	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe
Token: SeIncBasePriorityPrivilege	3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe
Token: SeIncBasePriorityPrivilege	3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe
Token: SeIncBasePriorityPrivilege	3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe
Token: SeIncBasePriorityPrivilege	4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe
Token: SeIncBasePriorityPrivilege	4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe
Token: SeIncBasePriorityPrivilege	2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe
Token: SeIncBasePriorityPrivilege	3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe
Token: SeIncBasePriorityPrivilege	4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe
Token: SeIncBasePriorityPrivilege	3432	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe
Token: SeIncBasePriorityPrivilege	3968	{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1096	2832	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe	90
PID 2832 wrote to memory of 1096	2832	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe	90
PID 2832 wrote to memory of 1096	2832	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe	90
PID 2832 wrote to memory of 3452	2832	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe	91
PID 2832 wrote to memory of 3452	2832	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe	91
PID 2832 wrote to memory of 3452	2832	2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe	91
PID 1096 wrote to memory of 3460	1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe	94
PID 1096 wrote to memory of 3460	1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe	94
PID 1096 wrote to memory of 3460	1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe	94
PID 1096 wrote to memory of 3756	1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe	95
PID 1096 wrote to memory of 3756	1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe	95
PID 1096 wrote to memory of 3756	1096	{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe	95
PID 3460 wrote to memory of 3100	3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe	98
PID 3460 wrote to memory of 3100	3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe	98
PID 3460 wrote to memory of 3100	3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe	98
PID 3460 wrote to memory of 2320	3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe	97
PID 3460 wrote to memory of 2320	3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe	97
PID 3460 wrote to memory of 2320	3460	{532C4768-0B45-440a-A009-BA97367C37A9}.exe	97
PID 3100 wrote to memory of 3600	3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe	99
PID 3100 wrote to memory of 3600	3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe	99
PID 3100 wrote to memory of 3600	3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe	99
PID 3100 wrote to memory of 1016	3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe	100
PID 3100 wrote to memory of 1016	3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe	100
PID 3100 wrote to memory of 1016	3100	{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe	100
PID 3600 wrote to memory of 4168	3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe	101
PID 3600 wrote to memory of 4168	3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe	101
PID 3600 wrote to memory of 4168	3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe	101
PID 3600 wrote to memory of 2044	3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe	102
PID 3600 wrote to memory of 2044	3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe	102
PID 3600 wrote to memory of 2044	3600	{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe	102
PID 4168 wrote to memory of 4980	4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe	103
PID 4168 wrote to memory of 4980	4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe	103
PID 4168 wrote to memory of 4980	4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe	103
PID 4168 wrote to memory of 4912	4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe	104
PID 4168 wrote to memory of 4912	4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe	104
PID 4168 wrote to memory of 4912	4168	{8B7E42DD-4C83-41de-A227-B09100972043}.exe	104
PID 4980 wrote to memory of 2604	4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe	105
PID 4980 wrote to memory of 2604	4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe	105
PID 4980 wrote to memory of 2604	4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe	105
PID 4980 wrote to memory of 2664	4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe	106
PID 4980 wrote to memory of 2664	4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe	106
PID 4980 wrote to memory of 2664	4980	{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe	106
PID 2604 wrote to memory of 3760	2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe	108
PID 2604 wrote to memory of 3760	2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe	108
PID 2604 wrote to memory of 3760	2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe	108
PID 2604 wrote to memory of 400	2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe	107
PID 2604 wrote to memory of 400	2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe	107
PID 2604 wrote to memory of 400	2604	{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe	107
PID 3760 wrote to memory of 4436	3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe	109
PID 3760 wrote to memory of 4436	3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe	109
PID 3760 wrote to memory of 4436	3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe	109
PID 3760 wrote to memory of 4628	3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe	110
PID 3760 wrote to memory of 4628	3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe	110
PID 3760 wrote to memory of 4628	3760	{927D172A-8568-40e3-AC67-7F27C027F332}.exe	110
PID 4436 wrote to memory of 3432	4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe	112
PID 4436 wrote to memory of 3432	4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe	112
PID 4436 wrote to memory of 3432	4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe	112
PID 4436 wrote to memory of 2804	4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe	111
PID 4436 wrote to memory of 2804	4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe	111
PID 4436 wrote to memory of 2804	4436	{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe	111
PID 3432 wrote to memory of 3968	3432	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe	113
PID 3432 wrote to memory of 3968	3432	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe	113
PID 3432 wrote to memory of 3968	3432	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe	113
PID 3432 wrote to memory of 2832	3432	{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_737a661a09e5e0f595fbb44e1573dbc5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe
  C:\Windows\{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\{532C4768-0B45-440a-A009-BA97367C37A9}.exe
    C:\Windows\{532C4768-0B45-440a-A009-BA97367C37A9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{532C4~1.EXE > nul
      4⤵
      PID:2320
  - - C:\Windows\{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe
      C:\Windows\{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe
        
        C:\Windows\{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Windows\{8B7E42DD-4C83-41de-A227-B09100972043}.exe
        
        C:\Windows\{8B7E42DD-4C83-41de-A227-B09100972043}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe
        
        C:\Windows\{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe
        
        C:\Windows\{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95F54~1.EXE > nul
        9⤵
        
        PID:400
        
        C:\Windows\{927D172A-8568-40e3-AC67-7F27C027F332}.exe
        
        C:\Windows\{927D172A-8568-40e3-AC67-7F27C027F332}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe
        
        C:\Windows\{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B26A8~1.EXE > nul
        11⤵
        
        PID:2804
        
        C:\Windows\{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe
        
        C:\Windows\{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe
        
        C:\Windows\{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\{A69AADFE-9C34-4b07-98C5-999EDF759C71}.exe
        
        C:\Windows\{A69AADFE-9C34-4b07-98C5-999EDF759C71}.exe
        13⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B333~1.EXE > nul
        13⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E603~1.EXE > nul
        12⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{927D1~1.EXE > nul
        10⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{401A9~1.EXE > nul
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7E4~1.EXE > nul
        7⤵
        
        PID:4912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DB43~1.EXE > nul
        6⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E1DD~1.EXE > nul
        5⤵
        
        PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69A2E~1.EXE > nul
    3⤵
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DB43174-B7F9-49d7-9615-4F6EA6159169}.exe

Filesize
168KB

MD5
8f6c5e462435fbdc7992af44db19afcd

SHA1
fea6d6d96d25903a20b5015804892fe3cc1eb6f4

SHA256
1d0e2e76f7a333ebe773e11ded5a20db3e947da1aad511d64f4ba7be083b75da

SHA512
2c52dc32f5437ad1dc786cb91729fbba1f74a2a0c2faa0212dc57744d58814ad818cbcf8caf98f914105dffabadae22367c0f26a5b354006bc1cd58838a22cac

Download Submit
C:\Windows\{401A9D8C-7D6F-4b9f-9B26-632DD0DC7741}.exe

Filesize
168KB

MD5
86c7c658721a80e780afe4dca5ed2687

SHA1
6d707f0ab724bfe3eead062e6221633ea9314ccb

SHA256
fa21261def99aab88c88568c6765cb6b9ffcdd9a509ffce53d4ba0a7c174c426

SHA512
37b93ca14ff21f5f3b6cc8b47ee7db3c93d3cda0771614cdcafc6e0b23468cf4693ce5ff88e8a1998087228747605f3c2e1086f9396b160e73b374875eda9137

Download Submit
C:\Windows\{532C4768-0B45-440a-A009-BA97367C37A9}.exe

Filesize
168KB

MD5
d2f0c7b2897a07feb14f5fae5edc3a49

SHA1
7ae2b01ef8c3895a21eae14e566faafb7ce45d45

SHA256
038ce5aeca7bc5ed582a2d6f052b73bf0d86d4bf8f3e5528b4e20aa206c6ea88

SHA512
5e5c40b321de7db535c489b7673d10b50770efc3e0eae523f502d55bf34403090c140bf7b21c2cde2c57c5ae5b7ee8d3b8c2b17d04c91d8a625fa5b79ac87fc7

Download Submit
C:\Windows\{69A2E5CA-700C-48fb-ABC3-7625B894459A}.exe

Filesize
168KB

MD5
d36a1baa73e413a4da073f261c1c9537

SHA1
724ee571b3d0b472d01e895489a0e37eb0550ff6

SHA256
a97c816ed988a075b573b78fca1d9e592dbbc914d5f3389884d8acbb62965771

SHA512
fe5d3b6e2471d8c4f0fa5f1e4a1e8e27c081679dab57876d9083916df310443072ed2e4a56e69102150e4849d4e212c54adff61ad5ca31534799297372a140a1

Download Submit
C:\Windows\{6E1DD207-CB94-4d46-9FA7-F09D916B6B40}.exe

Filesize
168KB

MD5
47045dce4036dd39a9d3b76d74179d80

SHA1
26dc55f5e153665f2d4fff5aba4fd4c9263dc48a

SHA256
95b4b68c5c6fc85ba45cbb3f769efa3d12903bcece39d54a87c84b116590fbed

SHA512
6e04c7e972e06ae030d6b038582f8313551527e19792edde706f4dae09c942be046d6faf41fba69b8b02f05f419034265fa941724922263f44f572a3dd4da927

Download Submit
C:\Windows\{8B333626-7E30-484a-9401-A8C4BDC111FE}.exe

Filesize
168KB

MD5
6b4fb8a3ecd4c3ab6f7b156a8bbc088e

SHA1
41ca84ab6ae746a98a7c8859b9c61723d16136ef

SHA256
8332aadf2939fe04d227422175f07b916113a133e8f1ce594d74994725d7a528

SHA512
59d0ea17372029f91e605777e0e5c4a2f50b971fddbcd878f7a1985d310e63590d73c7ea940d9033619f412ae6a215c25b073b938c9f62a3f044b7e3add91ca1

Download Submit
C:\Windows\{8B7E42DD-4C83-41de-A227-B09100972043}.exe

Filesize
168KB

MD5
ab41da7ca964c09d0d7f361b0031ab6c

SHA1
7789a43dcb3d8b9a39f5b4e571bc6b710996f3a1

SHA256
7c70bb01202264931f43bd64a9e3723e0588f7396a246073d54f2ec3380227a8

SHA512
c0aa3f3a8b46f1a6ab799a6e70c06000abca7aa4b475f00768f7c2f607e0794a42e2c371f4bce647284ff012c810b1bd6a7fb94538ebab40491373eff0dc92cd

Download Submit
C:\Windows\{927D172A-8568-40e3-AC67-7F27C027F332}.exe

Filesize
168KB

MD5
e68dfac0bde2b60927730a4246c77335

SHA1
ac36bc949940bbaa34ef1870e8542ce232058c0f

SHA256
a676d5af7fa39a3fb62da3b003abcb1b3753c0f51b626b6bb14480a003b18953

SHA512
d87a922a49a238cb0d1110839bddcbfb81f96ac2817a289bf4a0ce2d3df86d861bbbfdeac7996df0dc3e3242febee3765ed1093bd7a51446a5ccc4fd7ad77ca4

Download Submit
C:\Windows\{95F5490A-40CB-4120-BFE6-3BC9A32DC6FB}.exe

Filesize
168KB

MD5
c24e445643ec83aa3129536f3b2c9f07

SHA1
ab2ae815381b33005ae408d270c3b41c6906073e

SHA256
5874dcdf97b2825ffed2a1cd6f900aee1184b570e13dce67fe2412f0c01bde1f

SHA512
8ddcbeca18903679d4b6f93b21521515623ae9cd483a5830f82512353acf03ad413a176878ba002745c33c9f02cddc5ad7627da4cc02d16876658442d3dedb3e

Download Submit
C:\Windows\{9E60345F-68B7-4cc8-BE03-9FEC3505A7A7}.exe

Filesize
168KB

MD5
62fc2f640469fcd6ffb0d09061c5eddb

SHA1
a5007318a093e055803cf3b01cdf6f775f6b1abe

SHA256
523017bcc8f176c0c3e538a0872be43f578df5107ba832ded21646514a0a1caf

SHA512
6a2d831107887aec482104c6f6493aa8c22434b56c9aad296d592e217b4f3b9097ba2e7d7dac3cd5027a10910ad3d7c67bf619701ef4826ec4431d8eef269daf

Download Submit
C:\Windows\{A69AADFE-9C34-4b07-98C5-999EDF759C71}.exe

Filesize
168KB

MD5
943fa5465cb0be880c01c937bd9abb50

SHA1
adcd7e45e2b8c7befe45e7d365ca0e446481a02e

SHA256
380fa36d59e594593a0080433d750a97f42588fd34c7f52b9123e611b6a96e7b

SHA512
1d6cc015872bf3b100cc509cc4419cc49ed71b3a4a3a46f358eb378f1dd2815b92aa517735174648195ec078adea093959b11273bc87d4a5774b68c405e2c569

Download Submit
C:\Windows\{B26A80A8-90CF-42b6-847E-1A456E1F8021}.exe

Filesize
168KB

MD5
b96f45dd0da743e49337cc7819ee327a

SHA1
3fd796e94fe0e1ab9f275891ccd39a362ae22f89

SHA256
f5568fd5eaa36e9912f742958cc4d18affe0fac367d6af23573c852bacf4720b

SHA512
272c8834e4e3256dbdf9d0556e60958c6c721dcd71dd02013691a4516497e67ad9c295c2a31c57fc49a80a603abf40531c4a554256618fc0c40ec5bb253f99dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads