6b26ff70404dc80879fae711e560d085fe35b5356ec6632cf5812f45fd1b62cf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Size

372KB
MD5

419807c225a36a07749867567f9dbf04
SHA1

9ebc5ad592f6eb9f41a2785622f4b8642a45b21e
SHA256

6b26ff70404dc80879fae711e560d085fe35b5356ec6632cf5812f45fd1b62cf
SHA512

298a7ed878aa9feebb5d034b010e6a4188321971d6a5cf2c2de7df667a9b6067061fa96ff447d7a26e1eeee71adcd91734f3f3b530bedd9138ad7ccdfb6524d1
SSDEEP

3072:CEGh0oDlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGhlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231d0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231c9-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231dc-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231c9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231dc-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231c9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231dc-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231c9-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231dc-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231c9-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231d5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000231c9-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B167E036-E066-41a8-8EE7-C143F119B282}	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78F825E1-710C-4d45-8C2F-B56093D9858A}	{B167E036-E066-41a8-8EE7-C143F119B282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AE3151-07D2-4804-9CFC-46B446BFEA12}	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AE3151-07D2-4804-9CFC-46B446BFEA12}\stubpath = "C:\\Windows\\{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe"	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7049364B-6083-4482-918C-DFA8DD16F672}\stubpath = "C:\\Windows\\{7049364B-6083-4482-918C-DFA8DD16F672}.exe"	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}\stubpath = "C:\\Windows\\{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe"	{7049364B-6083-4482-918C-DFA8DD16F672}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00C0944A-46CD-42da-84A7-AFC9A945EEFC}\stubpath = "C:\\Windows\\{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe"	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F6A368-EA4D-4346-88E4-7C65E0509D63}	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F6A368-EA4D-4346-88E4-7C65E0509D63}\stubpath = "C:\\Windows\\{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe"	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B167E036-E066-41a8-8EE7-C143F119B282}\stubpath = "C:\\Windows\\{B167E036-E066-41a8-8EE7-C143F119B282}.exe"	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}	{7049364B-6083-4482-918C-DFA8DD16F672}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00C0944A-46CD-42da-84A7-AFC9A945EEFC}	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}	{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}\stubpath = "C:\\Windows\\{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}.exe"	{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A12B7300-71D3-4bd0-AE07-2637C140D093}	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A12B7300-71D3-4bd0-AE07-2637C140D093}\stubpath = "C:\\Windows\\{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe"	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D286F64F-4BE6-46fa-8F06-4B79FE82E240}\stubpath = "C:\\Windows\\{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe"	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78F825E1-710C-4d45-8C2F-B56093D9858A}\stubpath = "C:\\Windows\\{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe"	{B167E036-E066-41a8-8EE7-C143F119B282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}\stubpath = "C:\\Windows\\{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe"	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7049364B-6083-4482-918C-DFA8DD16F672}	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}\stubpath = "C:\\Windows\\{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe"	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D286F64F-4BE6-46fa-8F06-4B79FE82E240}	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe

Executes dropped EXE 12 IoCs

pid	Process
3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe
2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe
3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe
2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe
1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe
4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe
4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe
2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe
2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe
2936	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe
2332	{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe
1852	{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe
File created	C:\Windows\{7049364B-6083-4482-918C-DFA8DD16F672}.exe	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe
File created	C:\Windows\{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe
File created	C:\Windows\{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe
File created	C:\Windows\{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}.exe	{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe
File created	C:\Windows\{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe
File created	C:\Windows\{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe	{B167E036-E066-41a8-8EE7-C143F119B282}.exe
File created	C:\Windows\{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe
File created	C:\Windows\{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe	{7049364B-6083-4482-918C-DFA8DD16F672}.exe
File created	C:\Windows\{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
File created	C:\Windows\{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe
File created	C:\Windows\{B167E036-E066-41a8-8EE7-C143F119B282}.exe	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4088	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe
Token: SeIncBasePriorityPrivilege	2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe
Token: SeIncBasePriorityPrivilege	3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe
Token: SeIncBasePriorityPrivilege	2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe
Token: SeIncBasePriorityPrivilege	1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe
Token: SeIncBasePriorityPrivilege	4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe
Token: SeIncBasePriorityPrivilege	4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe
Token: SeIncBasePriorityPrivilege	2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe
Token: SeIncBasePriorityPrivilege	2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe
Token: SeIncBasePriorityPrivilege	2936	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe
Token: SeIncBasePriorityPrivilege	2332	{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3348	4088	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	94
PID 4088 wrote to memory of 3348	4088	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	94
PID 4088 wrote to memory of 3348	4088	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	94
PID 4088 wrote to memory of 4444	4088	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	95
PID 4088 wrote to memory of 4444	4088	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	95
PID 4088 wrote to memory of 4444	4088	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	95
PID 3348 wrote to memory of 2372	3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe	96
PID 3348 wrote to memory of 2372	3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe	96
PID 3348 wrote to memory of 2372	3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe	96
PID 3348 wrote to memory of 756	3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe	97
PID 3348 wrote to memory of 756	3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe	97
PID 3348 wrote to memory of 756	3348	{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe	97
PID 2372 wrote to memory of 3592	2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe	102
PID 2372 wrote to memory of 3592	2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe	102
PID 2372 wrote to memory of 3592	2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe	102
PID 2372 wrote to memory of 4572	2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe	103
PID 2372 wrote to memory of 4572	2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe	103
PID 2372 wrote to memory of 4572	2372	{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe	103
PID 3592 wrote to memory of 2068	3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe	104
PID 3592 wrote to memory of 2068	3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe	104
PID 3592 wrote to memory of 2068	3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe	104
PID 3592 wrote to memory of 3032	3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe	105
PID 3592 wrote to memory of 3032	3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe	105
PID 3592 wrote to memory of 3032	3592	{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe	105
PID 2068 wrote to memory of 1896	2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe	106
PID 2068 wrote to memory of 1896	2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe	106
PID 2068 wrote to memory of 1896	2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe	106
PID 2068 wrote to memory of 1944	2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe	107
PID 2068 wrote to memory of 1944	2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe	107
PID 2068 wrote to memory of 1944	2068	{B167E036-E066-41a8-8EE7-C143F119B282}.exe	107
PID 1896 wrote to memory of 4784	1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe	108
PID 1896 wrote to memory of 4784	1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe	108
PID 1896 wrote to memory of 4784	1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe	108
PID 1896 wrote to memory of 872	1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe	109
PID 1896 wrote to memory of 872	1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe	109
PID 1896 wrote to memory of 872	1896	{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe	109
PID 4784 wrote to memory of 4132	4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe	110
PID 4784 wrote to memory of 4132	4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe	110
PID 4784 wrote to memory of 4132	4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe	110
PID 4784 wrote to memory of 4764	4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe	111
PID 4784 wrote to memory of 4764	4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe	111
PID 4784 wrote to memory of 4764	4784	{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe	111
PID 4132 wrote to memory of 2396	4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe	112
PID 4132 wrote to memory of 2396	4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe	112
PID 4132 wrote to memory of 2396	4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe	112
PID 4132 wrote to memory of 2448	4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe	113
PID 4132 wrote to memory of 2448	4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe	113
PID 4132 wrote to memory of 2448	4132	{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe	113
PID 2396 wrote to memory of 2288	2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe	114
PID 2396 wrote to memory of 2288	2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe	114
PID 2396 wrote to memory of 2288	2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe	114
PID 2396 wrote to memory of 3284	2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe	115
PID 2396 wrote to memory of 3284	2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe	115
PID 2396 wrote to memory of 3284	2396	{7049364B-6083-4482-918C-DFA8DD16F672}.exe	115
PID 2288 wrote to memory of 2936	2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe	116
PID 2288 wrote to memory of 2936	2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe	116
PID 2288 wrote to memory of 2936	2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe	116
PID 2288 wrote to memory of 2428	2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe	117
PID 2288 wrote to memory of 2428	2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe	117
PID 2288 wrote to memory of 2428	2288	{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe	117
PID 2936 wrote to memory of 2332	2936	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe	118
PID 2936 wrote to memory of 2332	2936	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe	118
PID 2936 wrote to memory of 2332	2936	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe	118
PID 2936 wrote to memory of 4452	2936	{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe
  C:\Windows\{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe
    C:\Windows\{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe
      C:\Windows\{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\{B167E036-E066-41a8-8EE7-C143F119B282}.exe
        
        C:\Windows\{B167E036-E066-41a8-8EE7-C143F119B282}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe
        
        C:\Windows\{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe
        
        C:\Windows\{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe
        
        C:\Windows\{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{7049364B-6083-4482-918C-DFA8DD16F672}.exe
        
        C:\Windows\{7049364B-6083-4482-918C-DFA8DD16F672}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe
        
        C:\Windows\{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe
        
        C:\Windows\{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe
        
        C:\Windows\{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}.exe
        
        C:\Windows\{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}.exe
        13⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F6A~1.EXE > nul
        13⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00C09~1.EXE > nul
        12⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E94A8~1.EXE > nul
        11⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70493~1.EXE > nul
        10⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B5D3~1.EXE > nul
        9⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4AE3~1.EXE > nul
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78F82~1.EXE > nul
        7⤵
        
        PID:872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B167E~1.EXE > nul
        6⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D286F~1.EXE > nul
        5⤵
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A12B7~1.EXE > nul
      4⤵
      PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B5A98~1.EXE > nul
    3⤵
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00C0944A-46CD-42da-84A7-AFC9A945EEFC}.exe

Filesize
372KB

MD5
d79f06b5c34e0c85e0eea06d5d65703a

SHA1
0c3b5afd7ee108da035e916807f5db0debf9a39c

SHA256
bcb1102e6494c17874e339184950d76626150cc8896810f9a9fea4bb28009e55

SHA512
4ed6f2dd69d790cb7bf9c20ab8bec2fcc42e1ad27e5fd1f32c4d20494d35e8a946021a279dbc54a69f36d7ea90cebae5c1c20ddb5d52e00d27fd9b01413904fd

Download Submit
C:\Windows\{0B5D3A1C-4C9B-47d7-82C4-33970F61D265}.exe

Filesize
372KB

MD5
e34ef5e9f157c65344c4c135a453750a

SHA1
ae56b198a1e1a93c433b63f30e8b4d8074c0b152

SHA256
8450b660c0bf42d42b3040fc8f23086803f319b1f53e380345a60bc44ba2f864

SHA512
3d3659910cc0bb780f96395e18be8ef1482193d9a7550c97eef3a86100993243f5dae06061fdddb40746defaf302be9879aa543df3ea455aece602c693e84491

Download Submit
C:\Windows\{44F6A368-EA4D-4346-88E4-7C65E0509D63}.exe

Filesize
372KB

MD5
1e33962ca6a120200c58237cd6d787c4

SHA1
97273030e579c7a8641defaa0970e30b4011021b

SHA256
205fa49e0ce9ca228102d5e42d9e30bb7e272c7031017bf435930e5fd6ede269

SHA512
7bf1e888a35aa3c467432301aa89c75bda3ab7236da0e4ef084b192cef3bb135672676d11e15a727c13b61c5225c1deee136659f66f9ebfacdb0834b08807096

Download Submit
C:\Windows\{7049364B-6083-4482-918C-DFA8DD16F672}.exe

Filesize
372KB

MD5
c63fbb58c613cf35d0f28b6aa7481764

SHA1
3780c0108cc95e425d7ecfd4c69884f760dca841

SHA256
04fdd427147007c494115eb18e9cf0a7c61cffec6cca4854b9c5ef7a864c71e3

SHA512
e5a57132b2e2f308b2e5cee3636b59c27dcf1f793aa95d650da060f52816744d4f6249230f19b5b1e328d5395630a60a4854f8244d0b7e364449cecd4b28fbe3

Download Submit
C:\Windows\{78F825E1-710C-4d45-8C2F-B56093D9858A}.exe

Filesize
372KB

MD5
585a76072ee0aa69e4e15ce41f12d040

SHA1
0e853474874e46e12673f8b17f60b1a97cc76485

SHA256
c078880e1bc5d7a29ce06d7669b750dd110aaac82cea0891049ef68958e401ef

SHA512
5c30541e2f16ddced896f3ac8a0e99357f5f3f59ce7e22cad016fc8fb7f37b8c277b3a84a51082d033de91a4f4518e69d5d5b0495436c29a03b1cb02fa0b270e

Download Submit
C:\Windows\{A12B7300-71D3-4bd0-AE07-2637C140D093}.exe

Filesize
372KB

MD5
a9e82a94cdc019a5711b51a7a9ec7e40

SHA1
efe9356d716924771ff8f3b85a8467765b9f3314

SHA256
0c8031026781c20e45d8a582171ffedf8994dc925245d7be215c656b4a603200

SHA512
048df1caeb0fc4fef48e5a3f5ab8ff6652ca1f405d4b8fab4603db717c155a3a0e09375f3425ec74260a1bf65d0effa82ba47cf97fb2abb75bd3f304af7d3022

Download Submit
C:\Windows\{AC196B4B-1FE7-4401-B8AD-5A9439BBE350}.exe

Filesize
372KB

MD5
f8d071f15e965de937fcf47615c1ccba

SHA1
3d7ae1aa80da136116dab10620d50d149466691e

SHA256
5ae1211ecc46e4721ff63a2a3db8800a2f155a882e7488cfed3907f2aa215471

SHA512
1cfd8009be165f62541328f231255cea3754c5d9375fe5a17c948b377634e72fa3c415d418a28fae86037a21558183e2836537069c8071c32b386294eb4e0ee0

Download Submit
C:\Windows\{B167E036-E066-41a8-8EE7-C143F119B282}.exe

Filesize
372KB

MD5
630452452072d8ecbcc6d8e199f494b5

SHA1
578e37c956d8a763d94401cafb2eaf33aedb58f3

SHA256
be51748798525b89425b36d6836e11a4fdbe4c9f13d1844a5931b3c4cdb386c4

SHA512
24ee9807d9bef8d6f0a3b64edb27bfb6a82c99d9b546fc29f55581c996e35f45b3222465d6eb3f4c65c6749d4c90bc94e4a88644fe342430b2b60f44edd7e8b4

Download Submit
C:\Windows\{B5A985D2-6A37-436f-A34D-FAE3CE70C2E3}.exe

Filesize
372KB

MD5
6d4de9ea59104abad0c1a59a2e26dc27

SHA1
c8c3b9e3ca1761e83e5479a13d41deca8a55b69c

SHA256
43f1cb896e4332417519f997c034823521f575477b708ebf707b4140a0672a26

SHA512
fb4b523e8071f3d5e9ef9a770ce7b8b5bb13a4804573daa8cca194b1a3e5735e121718a478012e10cdd38f1f2be588234cd0ef29f632794d029a4ee66e6d4fc9

Download Submit
C:\Windows\{D286F64F-4BE6-46fa-8F06-4B79FE82E240}.exe

Filesize
372KB

MD5
a06b2a212f415258bec4cd29a281c826

SHA1
cd828610a11b425baac4ebd51410b1e91d851b9f

SHA256
29f3e8b266f6a2df0c04104e089bb2318950b062037b9fe66dd0a356ddc0667e

SHA512
2f4f63e8ac6cf14181648f9ef0eaa69d34a4bc6ef297652ccec825bb877170f03d110ff2a8f153bff4d5843087cb8c46975747acb7020f2e8a4de220da2b23cb

Download Submit
C:\Windows\{E94A8FD4-23AC-457b-B332-9BBE146E8A4A}.exe

Filesize
372KB

MD5
3c227a8f00d6cd828b540e4109346cd0

SHA1
e0f4b911745c4be5472ca66dd00506daf59a4880

SHA256
960fd3c216a2b2774b4aab5c87b3516a8c243f5bcebcb3dc3caba83707837d57

SHA512
602ce9cc59cd24409a49bf8b8f2124f2e7582dec206eeff8ea6574ff1288b0af8f6a69e73fcec77ab974d25daa1ea7200df51e4b250d36fc79a295a2da27c7bb

Download Submit
C:\Windows\{F4AE3151-07D2-4804-9CFC-46B446BFEA12}.exe

Filesize
372KB

MD5
f58eb76da67e5ad242f8952ef93dc367

SHA1
59a8c608b4b7c8720703a398daa6c3c395f71956

SHA256
cdc9a1b78d07525a33299113b2abe5f40e69b2ea21d184a54cd5069b8539ac2f

SHA512
f30b8308e6c2ef8baef78904b4f642224458bb18eab004be2874953b65662b648099add7fb3f871995459ab05622b63dc0e5b26b213828d288f9645933e3bf90

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads