5bb596a5f4d1159e3316a3539a7f268e5c9655c57884e2c33db1806e3e65b582

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 21:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Size

216KB
MD5

6ab95c887955283a17b855e67e1218c7
SHA1

c21ca9f7258383e2586cd4eecbc51bef65d76ad4
SHA256

5bb596a5f4d1159e3316a3539a7f268e5c9655c57884e2c33db1806e3e65b582
SHA512

2509e5328ca7f8e2062a17e3adbaad200a4d8eb260f6ccfe936467b10a5a3dfab7b8cfd462fb39fd6664ba4e4b7a48c5f120871b02d8b9a7eaff362333649e0c
SSDEEP

3072:jEGh0oWl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGslEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000230ff-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023104-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002310c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022fdc-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002310c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022fdc-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002310c-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022fdc-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002310c-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022fdc-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002310c-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000022fdc-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7453A02-A7F9-453c-93C7-E6A819259DE2}\stubpath = "C:\\Windows\\{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe"	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC11546F-E10B-4ec3-93E2-B99561985026}	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}\stubpath = "C:\\Windows\\{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe"	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C92FF42D-2584-4eab-BB9F-AB2256B81618}	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95FA738C-A0DC-401f-AC2C-D9CD2C244627}	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7453A02-A7F9-453c-93C7-E6A819259DE2}	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A0989C1-7801-4d0e-9485-2420FEA61EC2}\stubpath = "C:\\Windows\\{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe"	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A56C1B-D02E-4119-91DE-FB261ADD3A12}\stubpath = "C:\\Windows\\{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe"	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784863AF-E55C-4432-9889-933D1C8F43FC}	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D39A44C0-98E2-484f-9554-D255FC440E3C}	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D39A44C0-98E2-484f-9554-D255FC440E3C}\stubpath = "C:\\Windows\\{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe"	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A0989C1-7801-4d0e-9485-2420FEA61EC2}	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC11546F-E10B-4ec3-93E2-B99561985026}\stubpath = "C:\\Windows\\{EC11546F-E10B-4ec3-93E2-B99561985026}.exe"	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFDAD549-2F65-4c90-ADF6-F856145D2369}\stubpath = "C:\\Windows\\{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe"	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C92FF42D-2584-4eab-BB9F-AB2256B81618}\stubpath = "C:\\Windows\\{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe"	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95FA738C-A0DC-401f-AC2C-D9CD2C244627}\stubpath = "C:\\Windows\\{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe"	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFDAD549-2F65-4c90-ADF6-F856145D2369}	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A56C1B-D02E-4119-91DE-FB261ADD3A12}	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}\stubpath = "C:\\Windows\\{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe"	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784863AF-E55C-4432-9889-933D1C8F43FC}\stubpath = "C:\\Windows\\{784863AF-E55C-4432-9889-933D1C8F43FC}.exe"	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADC7A184-57B4-4d10-A75D-677922095C31}	{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADC7A184-57B4-4d10-A75D-677922095C31}\stubpath = "C:\\Windows\\{ADC7A184-57B4-4d10-A75D-677922095C31}.exe"	{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe
4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe
4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe
4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe
1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe
824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe
1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe
4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe
2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe
2344	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe
3520	{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe
4884	{ADC7A184-57B4-4d10-A75D-677922095C31}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EC11546F-E10B-4ec3-93E2-B99561985026}.exe	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe
File created	C:\Windows\{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe
File created	C:\Windows\{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe
File created	C:\Windows\{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe
File created	C:\Windows\{ADC7A184-57B4-4d10-A75D-677922095C31}.exe	{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe
File created	C:\Windows\{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
File created	C:\Windows\{784863AF-E55C-4432-9889-933D1C8F43FC}.exe	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe
File created	C:\Windows\{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe
File created	C:\Windows\{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe
File created	C:\Windows\{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe
File created	C:\Windows\{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe
File created	C:\Windows\{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1448	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe
Token: SeIncBasePriorityPrivilege	4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe
Token: SeIncBasePriorityPrivilege	4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe
Token: SeIncBasePriorityPrivilege	4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe
Token: SeIncBasePriorityPrivilege	1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe
Token: SeIncBasePriorityPrivilege	824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe
Token: SeIncBasePriorityPrivilege	1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe
Token: SeIncBasePriorityPrivilege	4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe
Token: SeIncBasePriorityPrivilege	2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe
Token: SeIncBasePriorityPrivilege	2344	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe
Token: SeIncBasePriorityPrivilege	3520	{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1620	1448	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	86
PID 1448 wrote to memory of 1620	1448	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	86
PID 1448 wrote to memory of 1620	1448	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	86
PID 1448 wrote to memory of 2620	1448	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	87
PID 1448 wrote to memory of 2620	1448	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	87
PID 1448 wrote to memory of 2620	1448	2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe	87
PID 1620 wrote to memory of 4756	1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe	88
PID 1620 wrote to memory of 4756	1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe	88
PID 1620 wrote to memory of 4756	1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe	88
PID 1620 wrote to memory of 3892	1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe	89
PID 1620 wrote to memory of 3892	1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe	89
PID 1620 wrote to memory of 3892	1620	{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe	89
PID 4756 wrote to memory of 4456	4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe	92
PID 4756 wrote to memory of 4456	4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe	92
PID 4756 wrote to memory of 4456	4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe	92
PID 4756 wrote to memory of 1852	4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe	93
PID 4756 wrote to memory of 1852	4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe	93
PID 4756 wrote to memory of 1852	4756	{EC11546F-E10B-4ec3-93E2-B99561985026}.exe	93
PID 4456 wrote to memory of 4104	4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe	97
PID 4456 wrote to memory of 4104	4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe	97
PID 4456 wrote to memory of 4104	4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe	97
PID 4456 wrote to memory of 2568	4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe	98
PID 4456 wrote to memory of 2568	4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe	98
PID 4456 wrote to memory of 2568	4456	{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe	98
PID 4104 wrote to memory of 1764	4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe	99
PID 4104 wrote to memory of 1764	4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe	99
PID 4104 wrote to memory of 1764	4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe	99
PID 4104 wrote to memory of 2544	4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe	100
PID 4104 wrote to memory of 2544	4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe	100
PID 4104 wrote to memory of 2544	4104	{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe	100
PID 1764 wrote to memory of 824	1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe	101
PID 1764 wrote to memory of 824	1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe	101
PID 1764 wrote to memory of 824	1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe	101
PID 1764 wrote to memory of 4064	1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe	102
PID 1764 wrote to memory of 4064	1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe	102
PID 1764 wrote to memory of 4064	1764	{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe	102
PID 824 wrote to memory of 1808	824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe	103
PID 824 wrote to memory of 1808	824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe	103
PID 824 wrote to memory of 1808	824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe	103
PID 824 wrote to memory of 2348	824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe	104
PID 824 wrote to memory of 2348	824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe	104
PID 824 wrote to memory of 2348	824	{784863AF-E55C-4432-9889-933D1C8F43FC}.exe	104
PID 1808 wrote to memory of 4868	1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe	105
PID 1808 wrote to memory of 4868	1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe	105
PID 1808 wrote to memory of 4868	1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe	105
PID 1808 wrote to memory of 4692	1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe	106
PID 1808 wrote to memory of 4692	1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe	106
PID 1808 wrote to memory of 4692	1808	{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe	106
PID 4868 wrote to memory of 2940	4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe	107
PID 4868 wrote to memory of 2940	4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe	107
PID 4868 wrote to memory of 2940	4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe	107
PID 4868 wrote to memory of 4220	4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe	108
PID 4868 wrote to memory of 4220	4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe	108
PID 4868 wrote to memory of 4220	4868	{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe	108
PID 2940 wrote to memory of 2344	2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe	109
PID 2940 wrote to memory of 2344	2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe	109
PID 2940 wrote to memory of 2344	2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe	109
PID 2940 wrote to memory of 5040	2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe	110
PID 2940 wrote to memory of 5040	2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe	110
PID 2940 wrote to memory of 5040	2940	{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe	110
PID 2344 wrote to memory of 3520	2344	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe	111
PID 2344 wrote to memory of 3520	2344	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe	111
PID 2344 wrote to memory of 3520	2344	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe	111
PID 2344 wrote to memory of 3904	2344	{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6ab95c887955283a17b855e67e1218c7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe
  C:\Windows\{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\{EC11546F-E10B-4ec3-93E2-B99561985026}.exe
    C:\Windows\{EC11546F-E10B-4ec3-93E2-B99561985026}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe
      C:\Windows\{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Windows\{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe
        
        C:\Windows\{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
      - C:\Windows\{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe
        
        C:\Windows\{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{784863AF-E55C-4432-9889-933D1C8F43FC}.exe
        
        C:\Windows\{784863AF-E55C-4432-9889-933D1C8F43FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe
        
        C:\Windows\{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe
        
        C:\Windows\{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe
        
        C:\Windows\{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe
        
        C:\Windows\{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe
        
        C:\Windows\{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D39A4~1.EXE > nul
        13⤵
        
        PID:3896
        
        C:\Windows\{ADC7A184-57B4-4d10-A75D-677922095C31}.exe
        
        C:\Windows\{ADC7A184-57B4-4d10-A75D-677922095C31}.exe
        13⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7453~1.EXE > nul
        12⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFDAD~1.EXE > nul
        11⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95FA7~1.EXE > nul
        10⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C92FF~1.EXE > nul
        9⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78486~1.EXE > nul
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FCD9~1.EXE > nul
        7⤵
        
        PID:4064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{635E8~1.EXE > nul
        6⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64A56~1.EXE > nul
        5⤵
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC115~1.EXE > nul
      4⤵
      PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A098~1.EXE > nul
    3⤵
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{635E8D8F-DBC7-4d4f-BBC6-86C657D8355A}.exe

Filesize
216KB

MD5
e82701a994a704d58ae367eb3e5f6ca2

SHA1
48fb8cbb7865bab4ef8238f7345c4b8cf94da194

SHA256
343787d4a88f094a706420f442a9835df5384bed00cd84566179dabbf7b5e074

SHA512
c4d9db9b5b8b461fde026bc64d677777882d6d016023ea68aaf86be1ab3b5e0a6af639295f81b1166fa4f003ef5c2b83cbcae99731fc5000a0c16dd6b6fa15fb

Download Submit
C:\Windows\{64A56C1B-D02E-4119-91DE-FB261ADD3A12}.exe

Filesize
216KB

MD5
424a446f40445f4b82a14cec8c43111b

SHA1
2d4bc236985739e4e817ffd6c8a0b42e62fbcbab

SHA256
b5abfe85044b619e8833b74021936b0fcdb4320ae13a99133250767d01529598

SHA512
f9e801d935c4e1d8a07bd76c1de96c9927fc23e8ef51df5b5b36ae92e69d52ca28435a0c97ef5ee8594ffb16b4cdba31f96c95cec966690ef5cd751d35315c2d

Download Submit
C:\Windows\{784863AF-E55C-4432-9889-933D1C8F43FC}.exe

Filesize
216KB

MD5
09aac0196cdb0c7e62e463228382b1ad

SHA1
50abd1c22d6a87b96176fcd65b50bad875293ae5

SHA256
d8ed7dd2d11169ba7ca4b5f180187f18d265efe34a59278c56e384ae9d3aad1b

SHA512
2add3a8966c1688e45166a496984f05581a74dd959b7eb6f432344355d060f495703294d63abcf0d458734ca279d787109ffe05f7277191b581952ee713413b8

Download Submit
C:\Windows\{95FA738C-A0DC-401f-AC2C-D9CD2C244627}.exe

Filesize
216KB

MD5
711dd5f4b82e2485a4952ee583236adc

SHA1
ded4cb9891bd7705e8370357e2be437876e0207d

SHA256
dc92ffaac762d56135e1db2f78f4006ff8e4e8486ac3dc0be3a44d2eafdd00f5

SHA512
7ca0a55c2a0dde16d832f08372379699a664ed295b0f390a2af725112d9a85c0e1cd1ce87fdf6889cbef592dbb4894eaa2af7372f8eb36766bb352e5838229cb

Download Submit
C:\Windows\{9A0989C1-7801-4d0e-9485-2420FEA61EC2}.exe

Filesize
216KB

MD5
8938d2feda41a5a0a7e325fa1fc98fd2

SHA1
edaae883b4cc03e957645e065f784838e30a09ff

SHA256
4968661aa67114bec429a9212e5e1c384e29a3ac334ef0510b572b87c99d6fca

SHA512
7c2c24e18801e2425abf0129f6785531d048cde816271871d4c3da11cf82684a93ca04be916a3ca27d4aaa219ad40f6506cab06fcd641d1c6775e95e8da5ac96

Download Submit
C:\Windows\{9FCD9768-5816-4c92-9D2A-68614CFC2A0F}.exe

Filesize
216KB

MD5
25a5800a7e679ad9938585244f1913e4

SHA1
08fe0f490fac61df92022f06bdf3d20995140033

SHA256
1e5083075de0daf94e417b5a7a0d8ef00941fe677889b60ea43a211ee106d90a

SHA512
a04ccbc665ec9efd3cab00cdac82fba38db9dbc6998efbae5573bd48ead1331c03dbe23c052a1d7a0c3b29a0fd2cf5a3a8a2160480e831982aa1d436f3d8b669

Download Submit
C:\Windows\{A7453A02-A7F9-453c-93C7-E6A819259DE2}.exe

Filesize
216KB

MD5
6f74fe7acea97f17a0a91debcf4f1621

SHA1
fb5e163d86ff219a4bd1082589f1c1a9a780cf71

SHA256
f17441183efbbc64984ebf92e1264b3950530f8b15be67f9e4854e1afb092348

SHA512
20884d95d86d4aeabaf73290d6c0281955687812c2712425790b3ed320090ad333a002586203548936e0edddd0487382b0c8f44df690d9c0c5499e0d5cbe81d9

Download Submit
C:\Windows\{ADC7A184-57B4-4d10-A75D-677922095C31}.exe

Filesize
216KB

MD5
1186ded68216a8da37085e0a6b481b1e

SHA1
3af31950c45ab0188193e277f77be9595923a498

SHA256
49793144a7ba09b7a0f993b65890f3ffbbfc5e56953ed91c9aea5e78dead8c4e

SHA512
28c0428cfbf26a5ccf5deb15e59886bac494eb03e6248c9bd085d0e9f661afa317a9128e12295a6ebe1e0db5cfa56e35a6c999b0afa078f3d87ce3ca9197a000

Download Submit
C:\Windows\{C92FF42D-2584-4eab-BB9F-AB2256B81618}.exe

Filesize
216KB

MD5
c6ccc9bbaad749e20ccb0491008d8369

SHA1
c15afead8ae6132f032c0def102e8f1ca699dced

SHA256
b81e3047ec012e5ef7f5e942545d51681ee47b9b2bad81b7d7308a25e4e88b0c

SHA512
7cb9fd56a068c8dc4517c1f60f5a1bc03b74698e67a297bf0989008ced76949a4b2dfa6393627767fef5802cc9fe99d0f017c796186ac926235aa039b5a47335

Download Submit
C:\Windows\{CFDAD549-2F65-4c90-ADF6-F856145D2369}.exe

Filesize
216KB

MD5
ba733685e25c96a88aae424a2592252c

SHA1
0a1e3035975ab93dadfc0fa3a296b4c2a980a2f8

SHA256
39248932610f9092aeaa4d1658c7c482d4c1f38e66f48a2691a23616c707ceaa

SHA512
3d253602803bc729a1736ad56c960960919387d0aca3878eb26b42c8240894ac0d6e28057ba52b808f1d455bcc7b6d41cc3e2b45141f4b8fc296adb59846396b

Download Submit
C:\Windows\{D39A44C0-98E2-484f-9554-D255FC440E3C}.exe

Filesize
216KB

MD5
7659f772a7a44a366e8d2eef7169f852

SHA1
e7834bd24725d9e733753d5627a80896d494f536

SHA256
7da9545894a18eb4b1b086de005050f5076b93639e3082e4db9f01b9109c96ac

SHA512
d683aca64a64beec0ebf68c5601cf568ee1e671372a397d90aa7766db6a65b0520db4409f9572766d8771c43aa332bff8337d6fa4f62afc3afd14a9aff202e83

Download Submit
C:\Windows\{EC11546F-E10B-4ec3-93E2-B99561985026}.exe

Filesize
216KB

MD5
5195fdf7198d0f66e775365a54f597c6

SHA1
8fe7c691633f241aaad4adf8a3d4230b8da8dd3b

SHA256
c688fbfc0820ea9ec4e13a1edd56875508c0614f3a2388518c4c4ad2f4dfde77

SHA512
368452391d8cd2c5ab93756b96e1fd1a40dd370b8b59f14b8559b949f08923866e931f02c26c5c976edafd7f7ff03ff7ea76badbf63336feb9bc848d2dbb92b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads