Analysis

max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:23

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Size: 204KB
MD5: 1f57b3b2e0426da9841dcf20c031e1cd
SHA1: a98d6c1eaa825a4321d01c66ab5df496002effb5
SHA256: 73a7aea95d6e7f8a274bfed7b82ef7bd0c2faa8a042c8f59cdf44f7b73491df5
SHA512: dee901fd35c0aaba529b039fd744e90068bc6111dd9f1fc6760572a4abce07a8a9a0b347ff38441248139acb41970813f2805cc21a45ac0db5c7846bec8adee8
SSDEEP: 1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures

Auto-generated rule: 12 IoCs

resource | yara_rule
behavioral1/files/0x000e00000001224e-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002c0000000155d4-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d0000000155d4-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e0000000155d4-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000155d9-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f0000000155d4-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001560a-60.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00300000000155d4-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001560a-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00310000000155d4-82.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry: 2 TTPs, 24 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89494701-917B-4d69-8BED-1BB7753C5AF0} | {33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1} | {89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9} | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4160388C-A54B-48e5-AFD9-EA793FA0A672} | {444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}\stubpath = "C:\\Windows\\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe" | {1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D} | {1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89494701-917B-4d69-8BED-1BB7753C5AF0}\stubpath = "C:\\Windows\\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe" | {33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}\stubpath = "C:\\Windows\\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe" | {89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59} | {DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86} | {A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}\stubpath = "C:\\Windows\\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe" | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4160388C-A54B-48e5-AFD9-EA793FA0A672}\stubpath = "C:\\Windows\\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe" | {444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}\stubpath = "C:\\Windows\\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe" | {4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6FA4E9-8460-4cbe-850F-098448677A80} | {C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6FA4E9-8460-4cbe-850F-098448677A80}\stubpath = "C:\\Windows\\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe" | {C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BA58297-FFD3-44db-A01C-C17A5F501696} | {BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BA58297-FFD3-44db-A01C-C17A5F501696}\stubpath = "C:\\Windows\\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe" | {BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}\stubpath = "C:\\Windows\\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe" | {DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD} | {F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}\stubpath = "C:\\Windows\\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe" | {F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6} | {4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2} | {EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}\stubpath = "C:\\Windows\\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe" | {EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}\stubpath = "C:\\Windows\\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe" | {A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe
Deletes itself: 1 IoCs

pid | Process
2572 | cmd.exe
Executes dropped EXE: 12 IoCs

pid | Process
2980 | {F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
2704 | {444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
2388 | {4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
1392 | {BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
1880 | {1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
2908 | {33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
1252 | {89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
2520 | {EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
1740 | {DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe
1288 | {A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe
676 | {C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe
3068 | {9B6FA4E9-8460-4cbe-850F-098448677A80}.exe
Drops file in Windows directory: 12 IoCs

description | ioc | Process
File created | C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe | {F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
File created | C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe | {4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
File created | C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe | {DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe
File created | C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe | {1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
File created | C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe | {33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
File created | C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe | {89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
File created | C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe | {EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
File created | C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe | {A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe
File created | C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
File created | C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe | {444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
File created | C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe | {BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
File created | C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe | {C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe
Suspicious use of AdjustPrivilegeToken: 12 IoCs

description | pid | Process
Token: SeIncBasePriorityPrivilege | 1704 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2980 | {F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
Token: SeIncBasePriorityPrivilege | 2704 | {444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
Token: SeIncBasePriorityPrivilege | 2388 | {4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
Token: SeIncBasePriorityPrivilege | 1392 | {BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
Token: SeIncBasePriorityPrivilege | 1880 | {1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
Token: SeIncBasePriorityPrivilege | 2908 | {33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
Token: SeIncBasePriorityPrivilege | 1252 | {89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
Token: SeIncBasePriorityPrivilege | 2520 | {EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
Token: SeIncBasePriorityPrivilege | 1740 | {DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe
Token: SeIncBasePriorityPrivilege | 1288 | {A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe
Token: SeIncBasePriorityPrivilege | 676 | {C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe
Suspicious use of WriteProcessMemory: 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe (PID 1704)
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2572): C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
  C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe (PID 2980)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2588): C:\Windows\system32\cmd.exe /c del C:\Windows\{F457D~1.EXE > nul
    C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe (PID 2704)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 2992): C:\Windows\system32\cmd.exe /c del C:\Windows\{444EF~1.EXE > nul
      C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe (PID 2388)
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 580): C:\Windows\system32\cmd.exe /c del C:\Windows\{41603~1.EXE > nul
        C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe (PID 1392)
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (PID 2780): C:\Windows\system32\cmd.exe /c del C:\Windows\{BC102~1.EXE > nul
          C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe (PID 1880)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (PID 1892): C:\Windows\system32\cmd.exe /c del C:\Windows\{1BA58~1.EXE > nul
            C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe (PID 2908)
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe (PID 1324): C:\Windows\system32\cmd.exe /c del C:\Windows\{33ECD~1.EXE > nul
              C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe (PID 1252)
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe (PID 2744): C:\Windows\system32\cmd.exe /c del C:\Windows\{89494~1.EXE > nul
                C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe (PID 2520)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\SysWOW64\cmd.exe (PID 2312): C:\Windows\system32\cmd.exe /c del C:\Windows\{EC1B6~1.EXE > nul
                  C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe (PID 1740)
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\SysWOW64\cmd.exe (PID 2868): C:\Windows\system32\cmd.exe /c del C:\Windows\{DA80D~1.EXE > nul
                    C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe (PID 1288)
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\SysWOW64\cmd.exe (PID 2248): C:\Windows\system32\cmd.exe /c del C:\Windows\{A65D9~1.EXE > nul
                      C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe (PID 676)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\SysWOW64\cmd.exe (PID 1444): C:\Windows\system32\cmd.exe /c del C:\Windows\{C6ADC~1.EXE > nul
                        C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe (PID 3068)
                          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads