Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-02-2024 15:28

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
  Resource: win10v2004-20240221-en
General

Target: 2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
Size: 216KB
MD5: 45886ed8872c2047266f3d095cda4b0a
SHA1: ccfc7df17fbae56f4cab6fe43cd0e1c4d379062b
SHA256: e9bd989f4393d3c34c997aea8d4beb783a97308953607125a4f557728fd9a134
SHA512: ef458237f89ba08162f0c573d729f87fc8a667c883cd2c9cf8afb783ac1b4879576935a5a9191ab65a485f5d64aff34f64740c4ec9803b26720ba5734d6424b0
SSDEEP: 3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGVlEeKcAEcGy
Malware Config

Signatures
Auto-generated rule (13 IoCs)
All 13 hits are dropped-file resources under behavioral2/files/ that match the YARA rule GoldenEyeRansomware_Dropper_MalformedZoomit.
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
The original sample and each dropped stage create an Active Setup key for the stage they drop, \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GUID}, and set its stubpath value to "C:\\Windows\\{GUID}.exe" (12 key creations plus 12 value writes). Active Setup runs a component's StubPath at user logon, so this is a persistence mechanism for every stage in the chain.
Executes dropped EXE (12 IoCs)
The 12 dropped C:\Windows\{GUID}.exe stages (PIDs 4264, 8, 2516, 4720, 3408, 444, 5096, 3168, 1892, 4380, 952 and 4060) are the ones shown in the process tree under Processes.
Drops file in Windows directory (12 IoCs)
Each stage writes the next stage to C:\Windows\{GUID}.exe: the original sample drops {A5DD4EAE-C5D7-48b9-A140-9ED0FDD27318}.exe, and every dropped stage in turn drops the next one in the chain shown under Processes.
Suspicious use of AdjustPrivilegeToken (12 IoCs)
The original sample (PID 2640) and the 11 dropped stages from PID 4264 through PID 952 each enable SeIncBasePriorityPrivilege on their token; the final stage, PID 4060, is not listed.
Suspicious use of WriteProcessMemory (64 IoCs)
Every stage writes to the memory of both child processes it creates (the next {GUID}.exe stage and the cmd.exe used for self-deletion), three writes per child. The report caps the listing at 64 entries, ending with PID 4380 writing to PID 4736.
Processes

Process tree (indented by parent/child). Each stage launches the next {GUID}.exe from C:\Windows and then spawns a cmd.exe that deletes the stage's own image file; the 32-bit cmd.exe image runs from SysWOW64 because the chain is 32-bit.

C:\Users\Admin\AppData\Local\Temp\2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe (PID 2640)
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{A5DD4EAE-C5D7-48b9-A140-9ED0FDD27318}.exe (PID 4264)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{D3350BF4-57C5-4726-A22F-46597343A5D9}.exe (PID 8)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1140): C:\Windows\system32\cmd.exe /c del C:\Windows\{D3350~1.EXE > nul
      C:\Windows\{933F20D3-0B31-4e5d-80F1-D7BB4792C66D}.exe (PID 2516)
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{DD626137-924A-4f04-8907-537D25588A79}.exe (PID 4720)
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{3312ADC5-43AB-49d0-B11E-E0DA10BEBA84}.exe (PID 3408)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{4F0DEA36-29D2-48da-BF5D-6FD31F2A6AC7}.exe (PID 444)
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{347D29BB-71C5-4e53-8140-2310B252A4A0}.exe (PID 5096)
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{9A55D2C0-8186-4490-A843-8A1811C8DA99}.exe (PID 3168)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{818BDB1F-0C8D-420d-9CEA-3A0BFA07FC2F}.exe (PID 1892)
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\{6604739E-62F7-49a8-A8F1-E0C758B41B09}.exe (PID 4380)
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{63258706-DB8D-4ca1-8226-18D4D6862C48}.exe (PID 952)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\{F62BEEFF-A906-46ba-B024-6C9A2A9C0B56}.exe (PID 4060)
                          - Executes dropped EXE
                        C:\Windows\SysWOW64\cmd.exe (PID 552): C:\Windows\system32\cmd.exe /c del C:\Windows\{63258~1.EXE > nul
                      C:\Windows\SysWOW64\cmd.exe (PID 4736): C:\Windows\system32\cmd.exe /c del C:\Windows\{66047~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe (PID 4204): C:\Windows\system32\cmd.exe /c del C:\Windows\{818BD~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (PID 3680): C:\Windows\system32\cmd.exe /c del C:\Windows\{9A55D~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (PID 4064): C:\Windows\system32\cmd.exe /c del C:\Windows\{347D2~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (PID 3724): C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0DE~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (PID 4844): C:\Windows\system32\cmd.exe /c del C:\Windows\{3312A~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (PID 1384): C:\Windows\system32\cmd.exe /c del C:\Windows\{DD626~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (PID 4680): C:\Windows\system32\cmd.exe /c del C:\Windows\{933F2~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (PID 4280): C:\Windows\system32\cmd.exe /c del C:\Windows\{A5DD4~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (PID 5024): C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads