70578cb261ab1ee94857882ba467c5dd5f12e42a5c0cb887122cb053590fa0b4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Size

344KB
MD5

c381919089b09d3856deff334a108775
SHA1

cc4e59cbc90ac0fffdd77c9e5bd1328ae55720b3
SHA256

70578cb261ab1ee94857882ba467c5dd5f12e42a5c0cb887122cb053590fa0b4
SHA512

c98ec89bb2833c7c5b355436600f9f069698d97b6e39cf8cb1f0770bc82c767f30895ef5fc58bdff63ee71d75ef81695de13bd41c87da4eb95d2cb1de3ca1d96
SSDEEP

3072:mEGh0oVlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGDlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002323c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002313d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002324b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002313d-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A25DE40-620E-4876-A37C-F7C09E5E31F4}	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}\stubpath = "C:\\Windows\\{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe"	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1FE94B7-482F-47bd-AE23-4984F58520A8}	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1FE94B7-482F-47bd-AE23-4984F58520A8}\stubpath = "C:\\Windows\\{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe"	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}	{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A0C29E-9777-4c33-9989-0986651B11EC}\stubpath = "C:\\Windows\\{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe"	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A25DE40-620E-4876-A37C-F7C09E5E31F4}\stubpath = "C:\\Windows\\{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe"	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EDB81F-3893-4744-96AD-1FC91D305CDA}\stubpath = "C:\\Windows\\{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe"	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E28B920A-324A-4035-8129-7CF00754C685}	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D73DF1-8C41-47a9-B33B-45D08A17975B}	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}\stubpath = "C:\\Windows\\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe"	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}\stubpath = "C:\\Windows\\{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe"	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A0C29E-9777-4c33-9989-0986651B11EC}	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E621F1C-1FEB-427a-893F-7F0E1547866E}	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41EDB81F-3893-4744-96AD-1FC91D305CDA}	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E28B920A-324A-4035-8129-7CF00754C685}\stubpath = "C:\\Windows\\{E28B920A-324A-4035-8129-7CF00754C685}.exe"	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FCB2E8-7079-40e5-86F9-3356173115BE}	{E28B920A-324A-4035-8129-7CF00754C685}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D73DF1-8C41-47a9-B33B-45D08A17975B}\stubpath = "C:\\Windows\\{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe"	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}\stubpath = "C:\\Windows\\{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}.exe"	{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E621F1C-1FEB-427a-893F-7F0E1547866E}\stubpath = "C:\\Windows\\{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe"	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FCB2E8-7079-40e5-86F9-3356173115BE}\stubpath = "C:\\Windows\\{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe"	{E28B920A-324A-4035-8129-7CF00754C685}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe

Executes dropped EXE 12 IoCs

pid	Process
3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe
988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe
2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe
1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe
3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe
3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe
2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe
4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe
4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe
4852	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe
3968	{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe
1380	{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe
File created	C:\Windows\{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
File created	C:\Windows\{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe
File created	C:\Windows\{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe
File created	C:\Windows\{E28B920A-324A-4035-8129-7CF00754C685}.exe	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe
File created	C:\Windows\{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe
File created	C:\Windows\{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe
File created	C:\Windows\{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}.exe	{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe
File created	C:\Windows\{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe	{E28B920A-324A-4035-8129-7CF00754C685}.exe
File created	C:\Windows\{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe
File created	C:\Windows\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe
File created	C:\Windows\{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1060	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe
Token: SeIncBasePriorityPrivilege	988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe
Token: SeIncBasePriorityPrivilege	2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe
Token: SeIncBasePriorityPrivilege	1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe
Token: SeIncBasePriorityPrivilege	3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe
Token: SeIncBasePriorityPrivilege	3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe
Token: SeIncBasePriorityPrivilege	2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe
Token: SeIncBasePriorityPrivilege	4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe
Token: SeIncBasePriorityPrivilege	4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe
Token: SeIncBasePriorityPrivilege	4852	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe
Token: SeIncBasePriorityPrivilege	3968	{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3292	1060	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	84
PID 1060 wrote to memory of 3292	1060	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	84
PID 1060 wrote to memory of 3292	1060	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	84
PID 1060 wrote to memory of 1928	1060	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	85
PID 1060 wrote to memory of 1928	1060	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	85
PID 1060 wrote to memory of 1928	1060	2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe	85
PID 3292 wrote to memory of 988	3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe	93
PID 3292 wrote to memory of 988	3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe	93
PID 3292 wrote to memory of 988	3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe	93
PID 3292 wrote to memory of 4728	3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe	94
PID 3292 wrote to memory of 4728	3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe	94
PID 3292 wrote to memory of 4728	3292	{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe	94
PID 988 wrote to memory of 2532	988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe	97
PID 988 wrote to memory of 2532	988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe	97
PID 988 wrote to memory of 2532	988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe	97
PID 988 wrote to memory of 4720	988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe	96
PID 988 wrote to memory of 4720	988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe	96
PID 988 wrote to memory of 4720	988	{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe	96
PID 2532 wrote to memory of 1872	2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe	98
PID 2532 wrote to memory of 1872	2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe	98
PID 2532 wrote to memory of 1872	2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe	98
PID 2532 wrote to memory of 3880	2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe	99
PID 2532 wrote to memory of 3880	2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe	99
PID 2532 wrote to memory of 3880	2532	{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe	99
PID 1872 wrote to memory of 3176	1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe	100
PID 1872 wrote to memory of 3176	1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe	100
PID 1872 wrote to memory of 3176	1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe	100
PID 1872 wrote to memory of 2124	1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe	101
PID 1872 wrote to memory of 2124	1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe	101
PID 1872 wrote to memory of 2124	1872	{E28B920A-324A-4035-8129-7CF00754C685}.exe	101
PID 3176 wrote to memory of 3308	3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe	102
PID 3176 wrote to memory of 3308	3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe	102
PID 3176 wrote to memory of 3308	3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe	102
PID 3176 wrote to memory of 4296	3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe	103
PID 3176 wrote to memory of 4296	3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe	103
PID 3176 wrote to memory of 4296	3176	{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe	103
PID 3308 wrote to memory of 2240	3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe	104
PID 3308 wrote to memory of 2240	3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe	104
PID 3308 wrote to memory of 2240	3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe	104
PID 3308 wrote to memory of 2244	3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe	105
PID 3308 wrote to memory of 2244	3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe	105
PID 3308 wrote to memory of 2244	3308	{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe	105
PID 2240 wrote to memory of 4448	2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe	106
PID 2240 wrote to memory of 4448	2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe	106
PID 2240 wrote to memory of 4448	2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe	106
PID 2240 wrote to memory of 3140	2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe	107
PID 2240 wrote to memory of 3140	2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe	107
PID 2240 wrote to memory of 3140	2240	{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe	107
PID 4448 wrote to memory of 4480	4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe	108
PID 4448 wrote to memory of 4480	4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe	108
PID 4448 wrote to memory of 4480	4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe	108
PID 4448 wrote to memory of 5056	4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe	109
PID 4448 wrote to memory of 5056	4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe	109
PID 4448 wrote to memory of 5056	4448	{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe	109
PID 4480 wrote to memory of 4852	4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe	110
PID 4480 wrote to memory of 4852	4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe	110
PID 4480 wrote to memory of 4852	4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe	110
PID 4480 wrote to memory of 2644	4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe	111
PID 4480 wrote to memory of 2644	4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe	111
PID 4480 wrote to memory of 2644	4480	{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe	111
PID 4852 wrote to memory of 3968	4852	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe	112
PID 4852 wrote to memory of 3968	4852	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe	112
PID 4852 wrote to memory of 3968	4852	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe	112
PID 4852 wrote to memory of 4264	4852	{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_c381919089b09d3856deff334a108775_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe
  C:\Windows\{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe
    C:\Windows\{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A25D~1.EXE > nul
      4⤵
      PID:4720
  - - C:\Windows\{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe
      C:\Windows\{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\{E28B920A-324A-4035-8129-7CF00754C685}.exe
        
        C:\Windows\{E28B920A-324A-4035-8129-7CF00754C685}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe
        
        C:\Windows\{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe
        
        C:\Windows\{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe
        
        C:\Windows\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe
        
        C:\Windows\{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe
        
        C:\Windows\{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe
        
        C:\Windows\{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe
        
        C:\Windows\{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}.exe
        
        C:\Windows\{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}.exe
        13⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A0C~1.EXE > nul
        13⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1FE9~1.EXE > nul
        12⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{949B0~1.EXE > nul
        11⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04ABA~1.EXE > nul
        10⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F448~1.EXE > nul
        9⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21D73~1.EXE > nul
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2FCB~1.EXE > nul
        7⤵
        
        PID:4296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E28B9~1.EXE > nul
        6⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41EDB~1.EXE > nul
        5⤵
        
        PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2E621~1.EXE > nul
    3⤵
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04ABAE32-8295-481d-8F8B-A9F1EBB5116C}.exe

Filesize
344KB

MD5
34796465ef17e0527ea1a4e903260ccc

SHA1
14c42fb9dc5946bb7eda48d012bde6bfee457f11

SHA256
0f33c73ef24fc9396e70f442599446ec10b223084db8e5b91f26399bacbab3d1

SHA512
3341e205bdffcadf50a429b41cda517be18890513a74a10c83693242f908dd6f8857a32c2c9155a883cbc789a2fc1dc8a0e5ce12413e7bfcbbf713cf1fbfa669

Download Submit
C:\Windows\{21D73DF1-8C41-47a9-B33B-45D08A17975B}.exe

Filesize
344KB

MD5
faa04c6b325b2e4ce1c60ba6fbfe34df

SHA1
3b14244c53d1c202474a0a503784ec4efb983dee

SHA256
eaebc78d6c6dd78fd37ad0a2c4facfaa218c6457b5df6e1ed666d05cb67a679f

SHA512
7fbdfd1261d310a5e8d484dbb47b3f72d0d92838108d4003d9b9089d3d1f72efd9c2a68c02f6e4d344335701648734d8c4e86f51087af65714f794573079b41e

Download Submit
C:\Windows\{2E621F1C-1FEB-427a-893F-7F0E1547866E}.exe

Filesize
344KB

MD5
acd29d70894fabda0ec27c378fbcd1b1

SHA1
b96de884172f84fd4fef4ebd094ad70b1d318460

SHA256
eeef925d2ef3af896454a3f0fc9a3d0cdd7e8b24c868ef4fc4292a3c471839af

SHA512
d99e3aa6ac82fe591ab4a99d852b4c9c26b4281e9190790d6361ea2763c7069419dd056ae3b9002865737d14e0e845f4a9312491fa5aef53ab645567c32acd4a

Download Submit
C:\Windows\{32F91857-37D9-46fc-9FD7-1E2E8745DBCF}.exe

Filesize
344KB

MD5
238331a9530822a91e3c5c7f8afea390

SHA1
d17a6e8bd0125b294a7170d638396ad1d8520026

SHA256
7755f2034d9b6d7c865f29a07581cba6f639c28073a1f7eea46cf83c395c9411

SHA512
0a6a631396b91ad288b532d4b00bfb9c8d633022ad18832ea01da1b484a135adbb3aa37cdfca7880a3b8d7d8f2891bf0a5c3772264d2a582faf14957b68feb79

Download Submit
C:\Windows\{41EDB81F-3893-4744-96AD-1FC91D305CDA}.exe

Filesize
344KB

MD5
172103d50912de9de61fc9656cedb3be

SHA1
3e55724a9166e43296c77fa60534dd02b08a25cd

SHA256
ac3b3564a1e03cad5032725107b38c1c3e6d8e76ed681491146c93f4b11140b9

SHA512
5bb6fe9d119b0cd3eeb04aa7924e69056d72c823f7dc1dee5744cd291f1a559e77399e6f242439a8b2de361e9a4fd3aa9b19c23eb0da4b9dc76590a059396570

Download Submit
C:\Windows\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe

Filesize
54KB

MD5
f72e26e1e35202bf63f877c9a8c6a760

SHA1
d0da9380cd876352323283f5f9807b0599a0aa68

SHA256
e5a8cac90c185ac2cc06796a976c6e1de82bc4bdb02959f2b544c82b329535a0

SHA512
7a261c5d3cad33351c50c813db01f995a05904096e76195ed370c10d222a21be1b93086379811a6c123ca8a3c635dfc239346324e8faa3279c16f575fbe9a6f5

Download Submit
C:\Windows\{8F448328-C318-4534-8AAC-9F7F2C21F2B2}.exe

Filesize
344KB

MD5
c2e6c6388cd75009fc4c541ef105b854

SHA1
7273e329640fff5083903b3317bf4031a3066ee9

SHA256
e88485561f0f89f91b1ca82df69d9f2f2d714ffb375ab916ccf8065fb80d19bc

SHA512
cda7570928d8d8f60bfb4ce9c5af1d314030edf9663cdc8c7abef43c179aca257f09ed2be2de16628c07cc8910156d6bb4e95183c769d7c73350f7116879fcd5

Download Submit
C:\Windows\{949B0FDD-92EE-47b6-A7FA-8C957B1A5471}.exe

Filesize
344KB

MD5
4540381e8e734f05ce279330a220064f

SHA1
c4d7bb6343636b1f03f1c49b8157e7ddbf479e85

SHA256
85dfb4e5baae60e090bc41969a7f374ebff82255358df53caed44d8855095205

SHA512
89a443e2d486af8d25795a656b396388e304ef73c7d0f989ab3321ad0bdd4f3270b81ffe93bef7a085bf644db0f92a9f43a87b450aed62fbbc72bd0aceaf8f20

Download Submit
C:\Windows\{9A25DE40-620E-4876-A37C-F7C09E5E31F4}.exe

Filesize
344KB

MD5
147a33b42aead058f9c37428f13dfa58

SHA1
2098471f8274f4fa30e9f9bffaeae281216ccf00

SHA256
eda1aff7d77d782c8793ebb1d3d1d861f000a625bd261fbd2592c1f75a859cf8

SHA512
dd03ca1d886eaf840899dd774fd05160a37640737ac4b92908c7390403fca6edcd0a16751db2f6acef87cca0c5b1eb637b2be05b8c9792cac6e2df4b0189d600

Download Submit
C:\Windows\{D2FCB2E8-7079-40e5-86F9-3356173115BE}.exe

Filesize
344KB

MD5
c77cdf9d197691abdf533e50553e415f

SHA1
d9376307de4e838981c126ae2ffc6c18360cb31b

SHA256
2ca56a376999aae2ad4bba06abdd8d2c1b168841c90a04ea6680fa36d6b7ee24

SHA512
486d66d64d1efe48c3eda1f09d88a96186678020b09c613ef1b189257c2c5c484fd21f9e0bdf9a39f2eed47df4c94fcc5d6f6136da61f23e6484a01753f29ebe

Download Submit
C:\Windows\{D4A0C29E-9777-4c33-9989-0986651B11EC}.exe

Filesize
344KB

MD5
6f4a6a1dce9d68e8eab96520c2f22781

SHA1
cb5f307733065c885ccadb86973e0e1eb1075b8c

SHA256
16b10b386c25d7b92f6ef3d5dffed375e904869f008f95b60981f769c5178a39

SHA512
63f361b70a66f0003841e956c19f690df5aac9d129db4e62fb306eca56c52f306a7dc604cbd5e17d23f3d9043c9f1ef8caf9742b3b680c7b7fcbbb1ece4d1be4

Download Submit
C:\Windows\{E1FE94B7-482F-47bd-AE23-4984F58520A8}.exe

Filesize
344KB

MD5
0cf5da8b42a481ad738f8b3ab2122a86

SHA1
82630519bb49929c5f344eb89708d05d344e2c48

SHA256
3008d3fdbb1879dfece56200e7993259d51592e550a8a2e51a39b59ab7ae3b3c

SHA512
9c068c42b50f7973f446c830c4c07b38dbb28e481ce5c112a238f548119d327e5867dd4fe2d80b06ea4f675835a4b63b7b9129c68c43ded7b1e2e79fccbb15cf

Download Submit
C:\Windows\{E28B920A-324A-4035-8129-7CF00754C685}.exe

Filesize
344KB

MD5
f3f75b2ec9b20afda700a0fb9b25cd10

SHA1
cca1b9feb5aed005b769086f09ebfedc857e21d5

SHA256
47cef4dee327490cb67b2f64ef7cde1e2385756ff03c8f3c5393214af7a648ba

SHA512
30d3b0319308abf5306e549f6a69baea56291e6f81fd8adade6a5d52c218f4d9b29f4fc85d8e95c182cd1baabd22d09c3e0249f60c79bc3eab745a389a7c8b29

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads