7b5b5e513b26bc46b5f049d6275b5d653ceae00f0a50430e668086679e7f5fdc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Size

204KB
MD5

6d1025809d2523a84a6390708cffda71
SHA1

406ee79175ba236dbe1f4fa10005e7bc9d8c44ef
SHA256

7b5b5e513b26bc46b5f049d6275b5d653ceae00f0a50430e668086679e7f5fdc
SHA512

8507267f3dfb3fa786bd5c11ab1a3ae5d8560996271ba043e4c9eea498e49e3f6cf3252280de96e4eff38c2c75593d28ac44b48ce47d4f07459f9c1a2caf679f
SSDEEP

1536:1EGh0o3l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o3l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023120-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231e9-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023113-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231e9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023113-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023113-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231e9-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023113-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e9-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023113-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023113-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231e9-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{973F4AB6-EDF6-4044-8915-CFCCF5913451}\stubpath = "C:\\Windows\\{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe"	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}\stubpath = "C:\\Windows\\{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe"	{76E04686-2460-4e37-9F30-155C861E0849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3A19F3A-8A60-427c-A197-4BBF71F50808}\stubpath = "C:\\Windows\\{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe"	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1523F94B-DF28-4136-9A97-EF5068B2CB5B}\stubpath = "C:\\Windows\\{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe"	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{724BEDD0-E047-42ec-99FE-0DC1F77E0875}\stubpath = "C:\\Windows\\{724BEDD0-E047-42ec-99FE-0DC1F77E0875}.exe"	{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C04343A7-D752-42dd-A184-529D6487BA01}\stubpath = "C:\\Windows\\{C04343A7-D752-42dd-A184-529D6487BA01}.exe"	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}	{C04343A7-D752-42dd-A184-529D6487BA01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{724BEDD0-E047-42ec-99FE-0DC1F77E0875}	{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97F37087-5D84-49ac-9C69-51AF6D553971}	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E04686-2460-4e37-9F30-155C861E0849}	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C04343A7-D752-42dd-A184-529D6487BA01}	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E04686-2460-4e37-9F30-155C861E0849}\stubpath = "C:\\Windows\\{76E04686-2460-4e37-9F30-155C861E0849}.exe"	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1523F94B-DF28-4136-9A97-EF5068B2CB5B}	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}\stubpath = "C:\\Windows\\{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe"	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F0B21C-63D5-42ac-9907-600C9298F30F}\stubpath = "C:\\Windows\\{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe"	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97F37087-5D84-49ac-9C69-51AF6D553971}\stubpath = "C:\\Windows\\{97F37087-5D84-49ac-9C69-51AF6D553971}.exe"	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}	{76E04686-2460-4e37-9F30-155C861E0849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3A19F3A-8A60-427c-A197-4BBF71F50808}	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}\stubpath = "C:\\Windows\\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe"	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F0B21C-63D5-42ac-9907-600C9298F30F}	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}\stubpath = "C:\\Windows\\{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe"	{C04343A7-D752-42dd-A184-529D6487BA01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{973F4AB6-EDF6-4044-8915-CFCCF5913451}	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe

Executes dropped EXE 12 IoCs

pid	Process
5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe
684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe
5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe
3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe
3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe
2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe
1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe
2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe
2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe
4356	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe
4136	{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe
4736	{724BEDD0-E047-42ec-99FE-0DC1F77E0875}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C04343A7-D752-42dd-A184-529D6487BA01}.exe	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe
File created	C:\Windows\{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe	{C04343A7-D752-42dd-A184-529D6487BA01}.exe
File created	C:\Windows\{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe
File created	C:\Windows\{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe
File created	C:\Windows\{76E04686-2460-4e37-9F30-155C861E0849}.exe	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe
File created	C:\Windows\{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe	{76E04686-2460-4e37-9F30-155C861E0849}.exe
File created	C:\Windows\{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe
File created	C:\Windows\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe
File created	C:\Windows\{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
File created	C:\Windows\{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe
File created	C:\Windows\{97F37087-5D84-49ac-9C69-51AF6D553971}.exe	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe
File created	C:\Windows\{724BEDD0-E047-42ec-99FE-0DC1F77E0875}.exe	{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe
Token: SeIncBasePriorityPrivilege	684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe
Token: SeIncBasePriorityPrivilege	5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe
Token: SeIncBasePriorityPrivilege	3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe
Token: SeIncBasePriorityPrivilege	3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe
Token: SeIncBasePriorityPrivilege	2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe
Token: SeIncBasePriorityPrivilege	1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe
Token: SeIncBasePriorityPrivilege	2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe
Token: SeIncBasePriorityPrivilege	2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe
Token: SeIncBasePriorityPrivilege	4356	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe
Token: SeIncBasePriorityPrivilege	4136	{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 5092	2972	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	89
PID 2972 wrote to memory of 5092	2972	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	89
PID 2972 wrote to memory of 5092	2972	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	89
PID 2972 wrote to memory of 2272	2972	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	90
PID 2972 wrote to memory of 2272	2972	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	90
PID 2972 wrote to memory of 2272	2972	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	90
PID 5092 wrote to memory of 684	5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe	91
PID 5092 wrote to memory of 684	5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe	91
PID 5092 wrote to memory of 684	5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe	91
PID 5092 wrote to memory of 924	5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe	92
PID 5092 wrote to memory of 924	5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe	92
PID 5092 wrote to memory of 924	5092	{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe	92
PID 684 wrote to memory of 5108	684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe	95
PID 684 wrote to memory of 5108	684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe	95
PID 684 wrote to memory of 5108	684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe	95
PID 684 wrote to memory of 4632	684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe	94
PID 684 wrote to memory of 4632	684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe	94
PID 684 wrote to memory of 4632	684	{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe	94
PID 5108 wrote to memory of 3108	5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe	96
PID 5108 wrote to memory of 3108	5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe	96
PID 5108 wrote to memory of 3108	5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe	96
PID 5108 wrote to memory of 1436	5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe	97
PID 5108 wrote to memory of 1436	5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe	97
PID 5108 wrote to memory of 1436	5108	{97F37087-5D84-49ac-9C69-51AF6D553971}.exe	97
PID 3108 wrote to memory of 3268	3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe	98
PID 3108 wrote to memory of 3268	3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe	98
PID 3108 wrote to memory of 3268	3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe	98
PID 3108 wrote to memory of 4752	3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe	99
PID 3108 wrote to memory of 4752	3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe	99
PID 3108 wrote to memory of 4752	3108	{C04343A7-D752-42dd-A184-529D6487BA01}.exe	99
PID 3268 wrote to memory of 2060	3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe	100
PID 3268 wrote to memory of 2060	3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe	100
PID 3268 wrote to memory of 2060	3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe	100
PID 3268 wrote to memory of 2876	3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe	101
PID 3268 wrote to memory of 2876	3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe	101
PID 3268 wrote to memory of 2876	3268	{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe	101
PID 2060 wrote to memory of 1948	2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe	102
PID 2060 wrote to memory of 1948	2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe	102
PID 2060 wrote to memory of 1948	2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe	102
PID 2060 wrote to memory of 2796	2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe	103
PID 2060 wrote to memory of 2796	2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe	103
PID 2060 wrote to memory of 2796	2060	{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe	103
PID 1948 wrote to memory of 2540	1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe	104
PID 1948 wrote to memory of 2540	1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe	104
PID 1948 wrote to memory of 2540	1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe	104
PID 1948 wrote to memory of 3796	1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe	105
PID 1948 wrote to memory of 3796	1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe	105
PID 1948 wrote to memory of 3796	1948	{76E04686-2460-4e37-9F30-155C861E0849}.exe	105
PID 2540 wrote to memory of 2772	2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe	107
PID 2540 wrote to memory of 2772	2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe	107
PID 2540 wrote to memory of 2772	2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe	107
PID 2540 wrote to memory of 4572	2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe	106
PID 2540 wrote to memory of 4572	2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe	106
PID 2540 wrote to memory of 4572	2540	{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe	106
PID 2772 wrote to memory of 4356	2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe	108
PID 2772 wrote to memory of 4356	2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe	108
PID 2772 wrote to memory of 4356	2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe	108
PID 2772 wrote to memory of 4392	2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe	109
PID 2772 wrote to memory of 4392	2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe	109
PID 2772 wrote to memory of 4392	2772	{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe	109
PID 4356 wrote to memory of 4136	4356	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe	110
PID 4356 wrote to memory of 4136	4356	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe	110
PID 4356 wrote to memory of 4136	4356	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe	110
PID 4356 wrote to memory of 884	4356	{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe
  C:\Windows\{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe
    C:\Windows\{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{20F0B~1.EXE > nul
      4⤵
      PID:4632
  - - C:\Windows\{97F37087-5D84-49ac-9C69-51AF6D553971}.exe
      C:\Windows\{97F37087-5D84-49ac-9C69-51AF6D553971}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\{C04343A7-D752-42dd-A184-529D6487BA01}.exe
        
        C:\Windows\{C04343A7-D752-42dd-A184-529D6487BA01}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe
        
        C:\Windows\{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe
        
        C:\Windows\{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{76E04686-2460-4e37-9F30-155C861E0849}.exe
        
        C:\Windows\{76E04686-2460-4e37-9F30-155C861E0849}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe
        
        C:\Windows\{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D81C8~1.EXE > nul
        10⤵
        
        PID:4572
        
        C:\Windows\{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe
        
        C:\Windows\{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe
        
        C:\Windows\{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe
        
        C:\Windows\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
        
        C:\Windows\{724BEDD0-E047-42ec-99FE-0DC1F77E0875}.exe
        
        C:\Windows\{724BEDD0-E047-42ec-99FE-0DC1F77E0875}.exe
        13⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCF7D~1.EXE > nul
        13⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1523F~1.EXE > nul
        12⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3A19~1.EXE > nul
        11⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E04~1.EXE > nul
        9⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{973F4~1.EXE > nul
        8⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF0C4~1.EXE > nul
        7⤵
        
        PID:2876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0434~1.EXE > nul
        6⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97F37~1.EXE > nul
        5⤵
        
        PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FF633~1.EXE > nul
    3⤵
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1523F94B-DF28-4136-9A97-EF5068B2CB5B}.exe

Filesize
204KB

MD5
a138fcfd25dcde31b3214acdfa684e87

SHA1
fddf7e4603a105a39d7d759d346c0aa4c3f62e5f

SHA256
fe198321d88b4100796d3efc8c664fe8cdb70ce3ec5c8d0e75c318e56358d0cb

SHA512
76ab4fc2eb3b86debd42438f894e1017604dd6458ad19a3dbfb115161fefab0e2978348cbfd6c8f2f8c14f1d81d04e12bb5f09340d6c40178a714b23b6d4ed38

Download Submit
C:\Windows\{20F0B21C-63D5-42ac-9907-600C9298F30F}.exe

Filesize
204KB

MD5
a3cd5df8b82f114691736f8d3fb7005f

SHA1
666b994045ef853bf0a1650c054862be91821dba

SHA256
ff6b9f99c00b591c37d04ae8994dca09cc835dd42f1b25a56db436b6f9ad0a49

SHA512
910877c71e035e2fb8156037e40f201565d0e7c0d0b02e6efdb81a8d13577bf1c62b1d19a13747958806ef5d2b73715931552c55600e2e52341cc4ec8ffd0319

Download Submit
C:\Windows\{724BEDD0-E047-42ec-99FE-0DC1F77E0875}.exe

Filesize
204KB

MD5
a85dbedd632f85812c7020079ea52b38

SHA1
1a1c96c364b07d26657d4bdb1075d920b4de4070

SHA256
fc92176591b5968e4b7aeed09a622cf62ccc5c47fe627448a06d8ce45ffb25b6

SHA512
b10565afd8321fea7f47e7f7c6dedb931c839e746176c930064d817ceece364b0155786aab2c2a485efa2d1efae2bd4ee804802e4e74d0a0c1d36c31e8f3019b

Download Submit
C:\Windows\{76E04686-2460-4e37-9F30-155C861E0849}.exe

Filesize
204KB

MD5
08bea5b53c8d81971989685085d9d68a

SHA1
7b6838710c4e1abee255d7686780c8ff29aa3b35

SHA256
051f377f8eb06f306320f60d8a6778a4322d1770061b7ab71aa0b8512bf865ad

SHA512
9edd3c4dae26a707bf8e84c6a8b787562059e7123b4f62c14699601e97cdf3a808cfd4741c56601ea6b7f101cd8e5df9a2904281817b98663f796b0c355ec4d6

Download Submit
C:\Windows\{973F4AB6-EDF6-4044-8915-CFCCF5913451}.exe

Filesize
204KB

MD5
06fd533d09b0f1eac5c760bfad47a5fb

SHA1
f97b3f2e116392515041b0678a9ee3d98b05d21b

SHA256
cb1b8c97476647b9838fb797be5998bc0b6c89033c99253e71b26dec5caaf804

SHA512
48b86f37530d2b0b485e3eb09a3b00b8cd8b04dbdcb3a36946c8ee8fb4f8e283010fe59ee81d04dfa4dde728ec59feea90781768bba9aa5645d38719b784f242

Download Submit
C:\Windows\{97F37087-5D84-49ac-9C69-51AF6D553971}.exe

Filesize
204KB

MD5
a9f036764217b0e55bae03afc0fc09b0

SHA1
ec23eb09dc0e397bb744ac3dbe89b44ecb0bfb11

SHA256
733b777da1a5f47aeeed9a18704d162ec0fbccec4a66166270ddaa709fc56bae

SHA512
10cb97cbbb70b06022e5d7841cef031c4ce2f2671f49098ba2fddac6761b8232e8631897b20656c02dee4b3f21e242b5718a7db7d6ec68578f17b56281c0488c

Download Submit
C:\Windows\{C04343A7-D752-42dd-A184-529D6487BA01}.exe

Filesize
204KB

MD5
e127089b17290256bf87f610a66e461f

SHA1
097df79f0a5cb2eeeb7e6a762150513e9471d13d

SHA256
13d86a6ae7b6232b1688d9f7fb1344a50c5210dfd61783275da2c079c20081cb

SHA512
957817ae0742550c06479773fcf915c3d233b7e25da3ceee11bce5cb5c9e45bfd4a525d379ee35946808af600b79a24d090e61deb9c1b732ae676617396eb0e2

Download Submit
C:\Windows\{D81C8AC5-44E4-41b8-9B48-85B38EA1C09D}.exe

Filesize
204KB

MD5
16e8039f98775e705dba36982285f8f5

SHA1
3afaa0b89f5e1d36c565ece5fb13e9f0f0c35d13

SHA256
d68e66cf590b71bc4a0ffdfde3adcc789e345d81671c17b64b056f637d17864c

SHA512
c2aed66089996a9d39edf417391952ab61877ef21fc8990124ef537f5da5f7e2b96b73c49061a42082cf5b6ec3a1ca29a2b70dbb93849828ddf8bf9c78774f03

Download Submit
C:\Windows\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe

Filesize
73KB

MD5
1727a60f4dfef6acda4e10fafdf12b4b

SHA1
84703a8b92446be67bb78158d68942f9e0c0e06d

SHA256
e08f39f9c34771cca2ccfad726e761cb2146e6413ec060353836f69e902454f2

SHA512
c7a86ad03683f7cdac40521353d0ef85e468381d72d9ac46fe931bfe6ba2412fe8a18ab59fdf43fa4a5d5325e3ec821bac1c1ad3754eb51bbffb06d236af026c

Download Submit
C:\Windows\{DCF7D3F5-F188-40b6-BBAA-4CC48D5DB625}.exe

Filesize
64KB

MD5
ee246059eeb2a2ae683beac6c7f2c122

SHA1
12e8dfbefc6f7ffd9c0baddb08f4e5457222775d

SHA256
d605fa42253b9bd923c89e7e3ff19f020e3344099254311344793aaa2f9f7608

SHA512
58e974f8afb7ecf540eedc13a57d57caaa1deed632e721c5acf1eb7faa0a40e9dc3bcb95aba8750c6da07472520edd7fa29d6d2d51fb2d3dc46abf8dd497e3b0

Download Submit
C:\Windows\{DF0C4CEF-1607-45b1-83EC-E25BCE607A51}.exe

Filesize
204KB

MD5
d8fd46ebfe81947e6ef9b46f0723b060

SHA1
73e0850af45fab47fac6ea203a1691301354035e

SHA256
6060d585f39f66cae4894db3fba333e037a53c71782522ae99c624dff30bf521

SHA512
f72629d3a8bcc01a7a6d014d9da5cd35f52d8001a69e82a4960150c799dba468c70f97201e77efb725c925fcfea0793956fb38aa896be1ecb7708a427a65d46f

Download Submit
C:\Windows\{E3A19F3A-8A60-427c-A197-4BBF71F50808}.exe

Filesize
204KB

MD5
36e34c8ec485f4ac7ae5863bd8e9b9cb

SHA1
1cd03c2f2ab3ec747390af0c31cf88848413411b

SHA256
909722f45bcb661792530af4acce7521fac0209e4f5b3ea340dfcd4451c90949

SHA512
c9548b197e35220354d709c114fea7ce366cfd74efff296e83ecc97226df1e6bb3766c5fa3015ed7a53445cfd2b17c0eb36596163a6a736c6bc591ffb3819214

Download Submit
C:\Windows\{FF6335B5-0317-4ad3-A6C5-060A2B092E6D}.exe

Filesize
204KB

MD5
c3a33ba9bf999ee9bc6fc1e55b77a553

SHA1
6e83c2b17f4d2a89a7fc407603d7744fd4b2f268

SHA256
deac0225ef8fac4fe8a76e309b328c0903ac4fbb0f0fbe95474af7c9c67b7595

SHA512
59e8940369c23fb5543bf6ecb603c4017d16669dc0e6219ab3760db63a54dab1466185b8c8438e1e71d621a7384a3af09be69649316b6db6015d52f8e08820a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads