Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/03/2024, 23:26
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
- Size: 408KB
- MD5: 5264be32e86275d2fbdda6a68bc09148
- SHA1: bd73f0431bae5e161f6c51b23d8ecb479e4105f1
- SHA256: 83be2346e78cbcf6e06dc63789dcbfcfb87fecabc7b49f354fb6bcee7706c54e
- SHA512: deb386b08978fbe23c46b93b774440ffc767d6bd8a3f5faeaf696c812b7e94992cb13ef5a157457aa249c499b3e785968a4d53582759f097d51d2e60a5df0f16
- SSDEEP: 3072:CEGh0oCl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023203-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fc-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320b-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e735-13.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320b-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e735-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320b-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e735-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002320b-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e735-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023208-41.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e735-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48AC6634-09CB-4c42-8231-45161EB43C93} | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A} | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}\stubpath = "C:\\Windows\\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe" | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942501AE-0BAA-4c45-9634-2678E1D2F591}\stubpath = "C:\\Windows\\{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe" | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}\stubpath = "C:\\Windows\\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe" | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}\stubpath = "C:\\Windows\\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe" | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1} | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}\stubpath = "C:\\Windows\\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe" | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}\stubpath = "C:\\Windows\\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe" | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F} | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}\stubpath = "C:\\Windows\\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe" | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F} | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012E4200-377A-4ca9-A0EE-3774EC556C13} | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3938B86B-8E67-4158-B7E5-35A2AEFD3353} | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}\stubpath = "C:\\Windows\\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe" | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D503DA1-8AC0-4bd5-83CE-51E93B005214} | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620} | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}\stubpath = "C:\\Windows\\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe" | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012E4200-377A-4ca9-A0EE-3774EC556C13}\stubpath = "C:\\Windows\\{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe" | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5214514-921A-45d5-8C4E-F59F1ADCEF94} | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8} | {A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942501AE-0BAA-4c45-9634-2678E1D2F591} | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48AC6634-09CB-4c42-8231-45161EB43C93}\stubpath = "C:\\Windows\\{48AC6634-09CB-4c42-8231-45161EB43C93}.exe" | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}\stubpath = "C:\\Windows\\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe" | {A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
4372 | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe
1724 | {A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
4788 | {6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
File created | C:\Windows\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
File created | C:\Windows\{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
File created | C:\Windows\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
File created | C:\Windows\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
File created | C:\Windows\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe
File created | C:\Windows\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe | {A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
File created | C:\Windows\{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
File created | C:\Windows\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
File created | C:\Windows\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
File created | C:\Windows\{48AC6634-09CB-4c42-8231-45161EB43C93}.exe | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
File created | C:\Windows\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1448 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
Token: SeIncBasePriorityPrivilege | 1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
Token: SeIncBasePriorityPrivilege | 1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
Token: SeIncBasePriorityPrivilege | 2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
Token: SeIncBasePriorityPrivilege | 4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
Token: SeIncBasePriorityPrivilege | 1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
Token: SeIncBasePriorityPrivilege | 3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
Token: SeIncBasePriorityPrivilege | 2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
Token: SeIncBasePriorityPrivilege | 2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
Token: SeIncBasePriorityPrivilege | 4372 | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe
Token: SeIncBasePriorityPrivilege | 1724 | {A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1448 wrote to memory of 3312 | 1448 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 93
PID 1448 wrote to memory of 3312 | 1448 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 93
PID 1448 wrote to memory of 3312 | 1448 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 93
PID 1448 wrote to memory of 792 | 1448 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 94
PID 1448 wrote to memory of 792 | 1448 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 94
PID 1448 wrote to memory of 792 | 1448 | 2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe | 94
PID 3312 wrote to memory of 1832 | 3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe | 95
PID 3312 wrote to memory of 1832 | 3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe | 95
PID 3312 wrote to memory of 1832 | 3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe | 95
PID 3312 wrote to memory of 4972 | 3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe | 96
PID 3312 wrote to memory of 4972 | 3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe | 96
PID 3312 wrote to memory of 4972 | 3312 | {3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe | 96
PID 1832 wrote to memory of 1968 | 1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe | 99
PID 1832 wrote to memory of 1968 | 1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe | 99
PID 1832 wrote to memory of 1968 | 1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe | 99
PID 1832 wrote to memory of 4168 | 1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe | 100
PID 1832 wrote to memory of 4168 | 1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe | 100
PID 1832 wrote to memory of 4168 | 1832 | {942501AE-0BAA-4c45-9634-2678E1D2F591}.exe | 100
PID 1968 wrote to memory of 2744 | 1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe | 102
PID 1968 wrote to memory of 2744 | 1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe | 102
PID 1968 wrote to memory of 2744 | 1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe | 102
PID 1968 wrote to memory of 4812 | 1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe | 103
PID 1968 wrote to memory of 4812 | 1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe | 103
PID 1968 wrote to memory of 4812 | 1968 | {5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe | 103
PID 2744 wrote to memory of 4880 | 2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe | 104
PID 2744 wrote to memory of 4880 | 2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe | 104
PID 2744 wrote to memory of 4880 | 2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe | 104
PID 2744 wrote to memory of 2196 | 2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe | 105
PID 2744 wrote to memory of 2196 | 2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe | 105
PID 2744 wrote to memory of 2196 | 2744 | {00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe | 105
PID 4880 wrote to memory of 1416 | 4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe | 106
PID 4880 wrote to memory of 1416 | 4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe | 106
PID 4880 wrote to memory of 1416 | 4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe | 106
PID 4880 wrote to memory of 3580 | 4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe | 107
PID 4880 wrote to memory of 3580 | 4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe | 107
PID 4880 wrote to memory of 3580 | 4880 | {EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe | 107
PID 1416 wrote to memory of 3240 | 1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe | 108
PID 1416 wrote to memory of 3240 | 1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe | 108
PID 1416 wrote to memory of 3240 | 1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe | 108
PID 1416 wrote to memory of 2028 | 1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe | 109
PID 1416 wrote to memory of 2028 | 1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe | 109
PID 1416 wrote to memory of 2028 | 1416 | {0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe | 109
PID 3240 wrote to memory of 2672 | 3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe | 110
PID 3240 wrote to memory of 2672 | 3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe | 110
PID 3240 wrote to memory of 2672 | 3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe | 110
PID 3240 wrote to memory of 3504 | 3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe | 111
PID 3240 wrote to memory of 3504 | 3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe | 111
PID 3240 wrote to memory of 3504 | 3240 | {012E4200-377A-4ca9-A0EE-3774EC556C13}.exe | 111
PID 2672 wrote to memory of 2520 | 2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe | 112
PID 2672 wrote to memory of 2520 | 2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe | 112
PID 2672 wrote to memory of 2520 | 2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe | 112
PID 2672 wrote to memory of 348 | 2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe | 113
PID 2672 wrote to memory of 348 | 2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe | 113
PID 2672 wrote to memory of 348 | 2672 | {3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe | 113
PID 2520 wrote to memory of 4372 | 2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe | 114
PID 2520 wrote to memory of 4372 | 2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe | 114
PID 2520 wrote to memory of 4372 | 2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe | 114
PID 2520 wrote to memory of 2984 | 2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe | 115
PID 2520 wrote to memory of 2984 | 2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe | 115
PID 2520 wrote to memory of 2984 | 2520 | {C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe | 115
PID 4372 wrote to memory of 1724 | 4372 | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe | 116
PID 4372 wrote to memory of 1724 | 4372 | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe | 116
PID 4372 wrote to memory of 1724 | 4372 | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe | 116
PID 4372 wrote to memory of 4484 | 4372 | {48AC6634-09CB-4c42-8231-45161EB43C93}.exe | 117
Processes (process tree; indentation and [depth] follow the parent/child relationship)
[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"
    PID: 1448
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
      Command line: C:\Windows\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
      PID: 3312
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
        Command line: C:\Windows\{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
        PID: 1832
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
          Command line: C:\Windows\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
          PID: 1968
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
            Command line: C:\Windows\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
            PID: 2744
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
              Command line: C:\Windows\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
              PID: 4880
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
                Command line: C:\Windows\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
                PID: 1416
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
                  Command line: C:\Windows\{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
                  PID: 3240
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
                    Command line: C:\Windows\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
                    PID: 2672
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
                      Command line: C:\Windows\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
                      PID: 2520
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{48AC6634-09CB-4c42-8231-45161EB43C93}.exe
                        Command line: C:\Windows\{48AC6634-09CB-4c42-8231-45161EB43C93}.exe
                        PID: 4372
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
                          Command line: C:\Windows\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
                          PID: 1724
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe
                            Command line: C:\Windows\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe
                            PID: 4788
                            - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe
                            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A64C0~1.EXE > nul
                            PID: 3264
                      [12] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{48AC6~1.EXE > nul
                          PID: 4484
                    [11] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C5214~1.EXE > nul
                        PID: 2984
                  [10] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3938B~1.EXE > nul
                      PID: 348
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{012E4~1.EXE > nul
                    PID: 3504
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0D106~1.EXE > nul
                  PID: 2028
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EFBC2~1.EXE > nul
                PID: 3580
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{00EA8~1.EXE > nul
              PID: 2196
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D503~1.EXE > nul
            PID: 4812
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{94250~1.EXE > nul
          PID: 4168
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3A05F~1.EXE > nul
        PID: 4972
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 792
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 408KB
  MD5: fee60521dc4b11749f91e22c8dcb08b6
  SHA1: 74262b4edb52cc451239a8a7202f2997d5d747db
  SHA256: 03ddd1a373aab1dd355db40c9bf9b310d4d3df47dc218561970855097a346936
  SHA512: 98565ce06af29ed0808dfaf20fb3b731d6e72619ba95b953a4465f72cf002e9b61fa8e8b594d11b0a325f2343ce66f3059384ef890e190c13baf8ec0b1274f4f
- Filesize: 408KB
  MD5: b8b63b5a62294310344dcdb4bcd1e33a
  SHA1: 202f02e83374f26bde69a15e81259895298d50f8
  SHA256: 95fd08f84d14b5c497701fe142c57cd7930ce5eda4fd9a062ebc1a7656504119
  SHA512: eef33a46b42bda0a34dc2c5b5d4e121352cd2e44dca551b8a77afd9e76279dd9e810cf7b6514b6bd1a7b6499817fca45856d1e6ba83eb47683351a38f639e57a
- Filesize: 408KB
  MD5: 67264a21e134e86a2c5ffda1ad6ebd27
  SHA1: 4483701871c697f799135fb42c96de100be55227
  SHA256: a2495adfce5d8b8f998577d72a232d6f4671c8b1f7fdae9f3363307456295ca9
  SHA512: 4acb2f234d68cc125108d80f839d62058aba6e948fcce8bcc477423d70a6f7c834d918570ad748c62650c6eb4068bfb4f4412ea41727a0e01d54bec42ee67936
- Filesize: 408KB
  MD5: 8e504ce48905caeed6a279804dff2688
  SHA1: 53a0764afbe8a44050bf2e6b3071ea40b1f6c1ad
  SHA256: 786567f5a2c51cd2d35acb88d956c7aa0a21b490e0d90e4cefe2366c101e72d0
  SHA512: 6db68bd43d9d4d11b161843c03152db8dccc4bbc5b6c5ae0ead1338bac3cc861b6d9897f36ec4f112f8a94c3d1534ff8b4bf824a95a15e6b5d70141c8f2d5363
- Filesize: 408KB
  MD5: 198febf251224eb28b0970eb21298975
  SHA1: e0d8e19b391b5ed36a114ad40cde5ca41be3fb50
  SHA256: 14a07055af3ca602890e6b30f774a4efb677958fe2407b8fc896418eebc8fc21
  SHA512: ef8c8bba5e8337d11cd0f62b25e8ae6b2f39ae18c1bf03e64d4c2debdc62854309ba968bfb6ece30de8d36ffa11ae67eb1cc5d265c97b6a8f20b1e9a0d6c3f27
- Filesize: 408KB
  MD5: ecedc3b4c5153c7965237ab854bba6fd
  SHA1: 17866a0466de1fcfca472befd2cfb8dd5860369b
  SHA256: 43353767b3a15da46e75f48bd40cbaee5ef2e53a665bb3cf4a1959f620a8f567
  SHA512: 0b0bfcbfede5cd3e136a43495ac1555555c8f695fd6fca73f94da7f76a95c139ed4d21818581a2529644d7e03ccaae1c8955687fe20cea65309b3c29c7b66e11
- Filesize: 408KB
  MD5: 73bb5e6a308670c48389eb7f94682a91
  SHA1: f425ab4b8b3e7a6b40d8672c40d659f0959cfc29
  SHA256: 2f3342348571c78dbe1f82867e3377a9153f0697b04f80c30998d02f8ce4e2f7
  SHA512: 4bf374a5d2702ff0757f8cfd09f94c6274193769bc3f80b1d2af8e7bd7bb405569eed6663f102f03fa3cb68575150b3a77023fb9bcd22ac636a5a38b794adbe3
- Filesize: 408KB
  MD5: 53cb58fa5196be9009d7090f9b2f0578
  SHA1: 094871a00a4eb1f98eff9544b373723731e7bbda
  SHA256: f9bbeef5c8646fab207d2c7c3934a040b7358dae035d93daadaea594c285783a
  SHA512: 0c98825ee38989c3e7b5fdc99b04e747dd6ac1cf1eeb0fa5fa05ed407a7e0b3cbe489d61e2ffa2c351bc2557c9372a08be04b2fc8d375c26b024e7c94c32c51c
- Filesize: 408KB
  MD5: ac7807210ebf65c04a2a254ecc75442b
  SHA1: ddbd43be62767d5a51cbf529d0c5e84447b291ec
  SHA256: 39f0507d72772eae2fa4af78d65df2f22ee982ae5702d8e9b49a35eeb8954611
  SHA512: 06fde4208de4169da547ac9d94c2621175e48fc9d1a44fc2ad2f2a636e0b08553e21ec0b5b7613cc829d375beaa2ae8f72aaabe2f23f8ef3a5f6c1eda0453f93
- Filesize: 408KB
  MD5: bbd06334bd63077832864c832ba542d5
  SHA1: 2184e32b2cd2869c57ef0beca63730d62134e131
  SHA256: 4285f4d9056750ea56eebd29ec6d4fc57313083d357fdd635e4258d6b34d4632
  SHA512: 72533bf1c2696906b6a4d13b91eb86c7b22bb5ad49620e9be63c6d1118603cdb0d24d635432b83890a66bcefcbcc0970714b996d9fe815ee243c6e8ec1f21039
- Filesize: 408KB
  MD5: fb7b620f79c468a34d0c7b91db14aa72
  SHA1: 742918ee98460593e14eec684e005c77f1570f81
  SHA256: 02375b2a9f24892a5d6f5298c0732648d46db438d18e0451cd491d4e1f0b80e2
  SHA512: 830cb7a0a79938449a6e317446bda6d54527f876131c4eee9c9e165e4cd11cc61c7d8524e6d9b90b8170d49590f32df4db8dad1f5868d21e6b221efda745b911
- Filesize: 408KB
  MD5: 8deace27e43709f20b6bb4c9f0a3f1a9
  SHA1: 8707b15388eb2fb8febb8556cb56d9d9c464c3f1
  SHA256: 68e8132084e03d71c33fe6c6d879e0e4db894f4ba2934527075a858a430cad89
  SHA512: 2d188379bee7e5dadd1bedc87e1682c0bd1e3078075e9a2367bae447344fa5a44c069f672ec82504efce70468313c4bbd53946495079e3476c841167736df5a1