Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:26
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Size: 408KB
MD5: 5563717ece795b8d9bcdf32e23573d0e
SHA1: 64560ef9cb7b54b3c16a5cebbf8a79e68ddf4b32
SHA256: 07490cb10169d4341dce83e183cf3cb2daec726e0c991bcb2c9d959ba3b57615
SHA512: 51b34fd5a59962732707f669897a6c8ab3c15e8103b8f223caae38e568b439c19de8508e3d01928e82bf280fbbadf6334019faf593aa9201df29bcc251c62874
SSDEEP: 3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule 12 IoCs
resource | yara_rule
behavioral2/files/0x00080000000231fe-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231ff-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023207-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e759-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023207-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e759-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023207-25.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e759-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023207-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e759-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023203-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e759-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
Executes dropped EXE 12 IoCs
pid | Process
440 | {8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
4008 | {9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
2920 | {E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
1476 | {E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
1188 | {D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
4208 | {290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
1604 | {05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
4864 | {9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
4440 | {57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
3996 | {64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
4916 | {522C254F-592F-4129-836C-CD7F331029B6}.exe
4576 | {B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe | {D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
File created | C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe | {290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
File created | C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe | {05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
File created | C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe | {9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
File created | C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe | {64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
File created | C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe | {9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
File created | C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe | {E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
File created | C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe | {E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
File created | C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe | {57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
File created | C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe | {522C254F-592F-4129-836C-CD7F331029B6}.exe
File created | C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
File created | C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe | {8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4560 | 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 440 | {8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
Token: SeIncBasePriorityPrivilege | 4008 | {9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
Token: SeIncBasePriorityPrivilege | 2920 | {E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
Token: SeIncBasePriorityPrivilege | 1476 | {E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
Token: SeIncBasePriorityPrivilege | 1188 | {D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
Token: SeIncBasePriorityPrivilege | 4208 | {290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
Token: SeIncBasePriorityPrivilege | 1604 | {05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
Token: SeIncBasePriorityPrivilege | 4864 | {9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
Token: SeIncBasePriorityPrivilege | 4440 | {57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
Token: SeIncBasePriorityPrivilege | 3996 | {64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
Token: SeIncBasePriorityPrivilege | 4916 | {522C254F-592F-4129-836C-CD7F331029B6}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"
PID: 4560
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
Command line: C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
PID: 440
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
Command line: C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
PID: 4008
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
Command line: C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
PID: 2920
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
Command line: C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
PID: 1476
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
Command line: C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
PID: 1188
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
Command line: C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
PID: 4208
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
Command line: C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
PID: 1604
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
Command line: C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
PID: 4864
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
Command line: C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
PID: 4440
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
Command line: C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
PID: 3996
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe
Command line: C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe
PID: 4916
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Depth 13: C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe
Command line: C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe
PID: 4576
- Executes dropped EXE

Depth 13: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{522C2~1.EXE > nul
PID: 4320

Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{64B36~1.EXE > nul
PID: 408

Depth 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{57276~1.EXE > nul
PID: 2316

Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9D190~1.EXE > nul
PID: 4028

Depth 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{05D8E~1.EXE > nul
PID: 2340

Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{290E7~1.EXE > nul
PID: 2076

Depth 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D5EA8~1.EXE > nul
PID: 2488

Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E1DA0~1.EXE > nul
PID: 1408

Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E6122~1.EXE > nul
PID: 2136

Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9A28C~1.EXE > nul
PID: 4644

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB5A~1.EXE > nul
PID: 4092

Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
PID: 2740
Network
MITRE ATT&CK Enterprise v15
Downloads