Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:34
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Size: 216KB
MD5: 1d83b5d5a996b10bd072a83df62b3ae2
SHA1: ebf526a1a66ebc4bf0b65b312c817c31274c2614
SHA256: ab47f60e736382aaea83ac449682a8908b0f8fbb644d20ff975d9e27f82025c8
SHA512: d06fa8d130a29711cdce26c8ec8b9a29dcb93d489b6d9e51399c9d8ae70efc2dd151644390b794e1eecd65d4213ba2c275f97d91ef1f0778612c9070a862b682
SSDEEP: 3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023221-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321a-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023120-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023123-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023120-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023123-21.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023024-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023123-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023024-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023123-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023024-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023123-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300DE7C2-873C-4fc4-A584-CA5D1F325252}\stubpath = "C:\\Windows\\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe" | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}\stubpath = "C:\\Windows\\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe" | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}\stubpath = "C:\\Windows\\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe" | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25420D7E-4119-40ae-8B32-15764EF66683}\stubpath = "C:\\Windows\\{25420D7E-4119-40ae-8B32-15764EF66683}.exe" | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BA57586-0BF4-4651-8F84-D9E24B3FF680} | {25420D7E-4119-40ae-8B32-15764EF66683}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}\stubpath = "C:\\Windows\\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe" | {25420D7E-4119-40ae-8B32-15764EF66683}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9442F68B-EF56-45c0-86B1-A50A6D32F293} | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0} | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D} | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}\stubpath = "C:\\Windows\\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe" | {5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25420D7E-4119-40ae-8B32-15764EF66683} | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300DE7C2-873C-4fc4-A584-CA5D1F325252} | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD} | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C} | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA8AF8A0-AA22-4970-A997-1A93050304C7} | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA8AF8A0-AA22-4970-A997-1A93050304C7}\stubpath = "C:\\Windows\\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe" | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0} | {5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865FB709-2B21-4b13-B6BB-6B65A075923F} | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865FB709-2B21-4b13-B6BB-6B65A075923F}\stubpath = "C:\\Windows\\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe" | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}\stubpath = "C:\\Windows\\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe" | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9442F68B-EF56-45c0-86B1-A50A6D32F293}\stubpath = "C:\\Windows\\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe" | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}\stubpath = "C:\\Windows\\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe" | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAA9BBB9-03B4-4368-A296-A262594ADC56} | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAA9BBB9-03B4-4368-A296-A262594ADC56}\stubpath = "C:\\Windows\\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe" | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
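The stubpath rows above are the persistence mechanism: every stage writes an Active Setup Installed Components subkey whose stubpath launches the next GUID-named executable it dropped in C:\Windows, and the subkey GUID is the same GUID as the file name. The script below is an added example for this page, not part of the sandbox report and not code from the sample. It parses rows in the exact text shape the table uses, confirms each subkey GUID matches the executable it registers, flags stubpaths that launch a GUID-named .exe straight out of C:\Windows, and rebuilds the chain from the root writer to the last registered stage. Nothing is assumed beyond the row format shown above; the sample rows are the twelve "Set value (str)" entries copied from the table.

```python
"""Rebuild the Active Setup persistence chain from the registry rows above.

Added example for this page; not part of the sandbox report and not code from
the sample. Input rows have the report's shape: description, ioc, writing process.
"""
import re
from typing import Dict, List, Tuple

# The twelve "Set value (str)" rows, copied from the table above in report order.
# "Key created" rows are left out on purpose: they carry no stubpath value.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300DE7C2-873C-4fc4-A584-CA5D1F325252}\stubpath = "C:\\Windows\\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe" {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}\stubpath = "C:\\Windows\\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe" {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}\stubpath = "C:\\Windows\\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe" {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25420D7E-4119-40ae-8B32-15764EF66683}\stubpath = "C:\\Windows\\{25420D7E-4119-40ae-8B32-15764EF66683}.exe" {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}\stubpath = "C:\\Windows\\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe" {25420D7E-4119-40ae-8B32-15764EF66683}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}\stubpath = "C:\\Windows\\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe" {5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA8AF8A0-AA22-4970-A997-1A93050304C7}\stubpath = "C:\\Windows\\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe" {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865FB709-2B21-4b13-B6BB-6B65A075923F}\stubpath = "C:\\Windows\\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe" 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}\stubpath = "C:\\Windows\\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe" {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9442F68B-EF56-45c0-86B1-A50A6D32F293}\stubpath = "C:\\Windows\\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe" {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}\stubpath = "C:\\Windows\\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe" {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAA9BBB9-03B4-4368-A296-A262594ADC56}\stubpath = "C:\\Windows\\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe" {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
"""

ACTIVE_SETUP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
STUBPATH_RE = re.compile(
    r"^Set value \(str\) " + re.escape(ACTIVE_SETUP)
    + r'\\(?P<key>\{[0-9A-Fa-f-]{36}\})\\stubpath = "(?P<stub>[^"]+)" (?P<writer>\S+)$'
)
# A GUID-named executable, the naming scheme every stage in this chain uses.
GUID_EXE_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$")

Event = Tuple[str, str, str]  # (subkey GUID, stub path, process that wrote it)


def parse_stubpath_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = STUBPATH_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows and anything else are skipped
        # The report prints the REG_SZ value with doubled backslashes; collapse them.
        stub = m.group("stub").replace("\\\\", "\\")
        events.append((m.group("key"), stub, m.group("writer")))
    return events


def split_path(path: str) -> Tuple[str, str]:
    directory, _, name = path.rpartition("\\")
    return directory, name


def suspicious_stubs(events: List[Event]) -> List[str]:
    """Stubpaths that launch a GUID-named .exe placed directly in C:\\Windows."""
    return [
        stub for _, stub, _ in events
        if split_path(stub)[0].lower() == r"c:\windows"
        and GUID_EXE_RE.match(split_path(stub)[1].lower())
    ]


def check_events(events: List[Event]) -> List[str]:
    """Rows whose subkey GUID does not match the stub file name (none in this report)."""
    problems = []
    for key, stub, writer in events:
        name = split_path(stub)[1]
        if name.lower() != key.lower() + ".exe":
            problems.append(f"{writer}: subkey {key} registers {name}")
    return problems


def build_chain(events: List[Event]) -> List[str]:
    """Order the stages. The root is the only writer nobody registered; every
    stage must register exactly one successor, otherwise the chain is not linear."""
    successors: Dict[str, List[str]] = {}
    display: Dict[str, str] = {}
    registered = set()
    for _, stub, writer in events:
        exe = split_path(stub)[1]
        successors.setdefault(writer.lower(), []).append(exe)
        display[writer.lower()] = writer
        registered.add(exe.lower())
    roots = [display[w] for w in successors if w not in registered]
    if len(roots) != 1:
        raise ValueError(f"expected one chain root, found {roots}")
    chain, seen = [roots[0]], {roots[0].lower()}
    while True:
        nxt = successors.get(chain[-1].lower(), [])
        if not nxt:
            return chain
        if len(nxt) != 1 or nxt[0].lower() in seen:
            raise ValueError(f"chain is not linear at {chain[-1]}: {nxt}")
        chain.append(nxt[0])
        seen.add(nxt[0].lower())


if __name__ == "__main__":
    evs = parse_stubpath_events(SAMPLE_EVENTS)
    print(f"{len(evs)} stubpath writes, {len(suspicious_stubs(evs))} launch GUID-named EXEs from C:\\Windows")
    print(" -> ".join(build_chain(evs)))
```

Run as a script it prints the thirteen-stage chain from the submitted sample down to {E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe, the one stage that registers no successor. On a live host the same test applies to the Installed Components key (here under WOW6432Node, which together with the SysWOW64 cmd.exe children in the process tree is what a 32-bit process produces on x64): a stubpath that points at a GUID-named .exe directly under C:\Windows, written by a process that is itself such an executable, is the signal, and the subkey-equals-filename check separates this family's entries from legitimate Active Setup components.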
Executes dropped EXE (12 IoCs)
pid | Process
3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe
4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
2876 | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
3220 | {5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
1264 | {E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
File created | C:\Windows\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
File created | C:\Windows\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
File created | C:\Windows\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
File created | C:\Windows\{25420D7E-4119-40ae-8B32-15764EF66683}.exe | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
File created | C:\Windows\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe | {25420D7E-4119-40ae-8B32-15764EF66683}.exe
File created | C:\Windows\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
File created | C:\Windows\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
File created | C:\Windows\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
File created | C:\Windows\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
File created | C:\Windows\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
File created | C:\Windows\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe | {5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4596 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
Token: SeIncBasePriorityPrivilege | 376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe
Token: SeIncBasePriorityPrivilege | 4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
Token: SeIncBasePriorityPrivilege | 4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
Token: SeIncBasePriorityPrivilege | 2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
Token: SeIncBasePriorityPrivilege | 2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
Token: SeIncBasePriorityPrivilege | 1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
Token: SeIncBasePriorityPrivilege | 2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
Token: SeIncBasePriorityPrivilege | 3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
Token: SeIncBasePriorityPrivilege | 2876 | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
Token: SeIncBasePriorityPrivilege | 3220 | {5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4596 wrote to memory of 3632 | 4596 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 94
PID 4596 wrote to memory of 3632 | 4596 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 94
PID 4596 wrote to memory of 3632 | 4596 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 94
PID 4596 wrote to memory of 3048 | 4596 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 95
PID 4596 wrote to memory of 3048 | 4596 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 95
PID 4596 wrote to memory of 3048 | 4596 | 2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe | 95
PID 3632 wrote to memory of 376 | 3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe | 96
PID 3632 wrote to memory of 376 | 3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe | 96
PID 3632 wrote to memory of 376 | 3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe | 96
PID 3632 wrote to memory of 876 | 3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe | 97
PID 3632 wrote to memory of 876 | 3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe | 97
PID 3632 wrote to memory of 876 | 3632 | {865FB709-2B21-4b13-B6BB-6B65A075923F}.exe | 97
PID 376 wrote to memory of 4868 | 376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe | 102
PID 376 wrote to memory of 4868 | 376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe | 102
PID 376 wrote to memory of 4868 | 376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe | 102
PID 376 wrote to memory of 844 | 376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe | 103
PID 376 wrote to memory of 844 | 376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe | 103
PID 376 wrote to memory of 844 | 376 | {25420D7E-4119-40ae-8B32-15764EF66683}.exe | 103
PID 4868 wrote to memory of 4008 | 4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe | 104
PID 4868 wrote to memory of 4008 | 4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe | 104
PID 4868 wrote to memory of 4008 | 4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe | 104
PID 4868 wrote to memory of 1400 | 4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe | 105
PID 4868 wrote to memory of 1400 | 4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe | 105
PID 4868 wrote to memory of 1400 | 4868 | {8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe | 105
PID 4008 wrote to memory of 2152 | 4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe | 107
PID 4008 wrote to memory of 2152 | 4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe | 107
PID 4008 wrote to memory of 2152 | 4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe | 107
PID 4008 wrote to memory of 4172 | 4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe | 108
PID 4008 wrote to memory of 4172 | 4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe | 108
PID 4008 wrote to memory of 4172 | 4008 | {300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe | 108
PID 2152 wrote to memory of 2660 | 2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe | 109
PID 2152 wrote to memory of 2660 | 2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe | 109
PID 2152 wrote to memory of 2660 | 2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe | 109
PID 2152 wrote to memory of 4312 | 2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe | 110
PID 2152 wrote to memory of 4312 | 2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe | 110
PID 2152 wrote to memory of 4312 | 2152 | {D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe | 110
PID 2660 wrote to memory of 1908 | 2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe | 111
PID 2660 wrote to memory of 1908 | 2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe | 111
PID 2660 wrote to memory of 1908 | 2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe | 111
PID 2660 wrote to memory of 4928 | 2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe | 112
PID 2660 wrote to memory of 4928 | 2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe | 112
PID 2660 wrote to memory of 4928 | 2660 | {9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe | 112
PID 1908 wrote to memory of 2544 | 1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe | 113
PID 1908 wrote to memory of 2544 | 1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe | 113
PID 1908 wrote to memory of 2544 | 1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe | 113
PID 1908 wrote to memory of 2292 | 1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe | 114
PID 1908 wrote to memory of 2292 | 1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe | 114
PID 1908 wrote to memory of 2292 | 1908 | {CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe | 114
PID 2544 wrote to memory of 3388 | 2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe | 115
PID 2544 wrote to memory of 3388 | 2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe | 115
PID 2544 wrote to memory of 3388 | 2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe | 115
PID 2544 wrote to memory of 1660 | 2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe | 116
PID 2544 wrote to memory of 1660 | 2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe | 116
PID 2544 wrote to memory of 1660 | 2544 | {1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe | 116
PID 3388 wrote to memory of 2876 | 3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe | 117
PID 3388 wrote to memory of 2876 | 3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe | 117
PID 3388 wrote to memory of 2876 | 3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe | 117
PID 3388 wrote to memory of 4288 | 3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe | 118
PID 3388 wrote to memory of 4288 | 3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe | 118
PID 3388 wrote to memory of 4288 | 3388 | {BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe | 118
PID 2876 wrote to memory of 3220 | 2876 | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe | 119
PID 2876 wrote to memory of 3220 | 2876 | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe | 119
PID 2876 wrote to memory of 3220 | 2876 | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe | 119
PID 2876 wrote to memory of 3260 | 2876 | {EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe | 120
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe"
  PID: 4596
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
    Command line: C:\Windows\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
    PID: 3632
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\{25420D7E-4119-40ae-8B32-15764EF66683}.exe
      Command line: C:\Windows\{25420D7E-4119-40ae-8B32-15764EF66683}.exe
      PID: 376
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
        Command line: C:\Windows\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
        PID: 4868
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
          Command line: C:\Windows\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
          PID: 4008
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
            Command line: C:\Windows\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
            PID: 2152
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
              Command line: C:\Windows\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
              PID: 2660
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
                Command line: C:\Windows\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
                PID: 1908
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Windows\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
                  Command line: C:\Windows\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
                  PID: 2544
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  [depth 10] C:\Windows\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
                    Command line: C:\Windows\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
                    PID: 3388
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    [depth 11] C:\Windows\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
                      Command line: C:\Windows\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
                      PID: 2876
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      [depth 12] C:\Windows\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
                        Command line: C:\Windows\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
                        PID: 3220
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        [depth 13] C:\Windows\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe
                          Command line: C:\Windows\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe
                          PID: 1264
                          - Executes dropped EXE
                        [depth 13] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5ED~1.EXE > nul
                          PID: 4016
                      [depth 12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA9B~1.EXE > nul
                        PID: 3260
                    [depth 11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BA8AF~1.EXE > nul
                      PID: 4288
                  [depth 10] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA5C~1.EXE > nul
                    PID: 1660
                [depth 9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CDF7E~1.EXE > nul
                  PID: 2292
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9442F~1.EXE > nul
                PID: 4928
            [depth 7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D365E~1.EXE > nul
              PID: 4312
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{300DE~1.EXE > nul
            PID: 4172
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8BA57~1.EXE > nul
          PID: 1400
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{25420~1.EXE > nul
        PID: 844
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{865FB~1.EXE > nul
      PID: 876
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 3048
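Each stage in the tree above has two children: the next GUID-named stage and a cmd.exe that deletes the stage's own image, named by its 8.3 short name ({5F5ED~1.EXE for {5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe, 2024-0~1.EXE for the submitted sample), so a rule that compares the del target against the parent's full path never matches. The script below is an added example for this page, not part of the sandbox report and not code from the sample. It links each cmd.exe child back to its parent by comparing the short-name prefix with the first six characters of the parent's file name in the same directory. The process records are transcribed from the tree; the explorer.exe record is a constructed benign control, and the short-name rule (six characters of the stem plus ~N, three of the extension) is an assumption about how Windows generated these names, which the twelve cmd.exe lines above bear out.

```python
"""Flag the parent-deletes-itself pattern seen in the process tree above.

Added example for this page; not part of the sandbox report and not code from
the sample. Every dropper stage spawns "cmd.exe /c del <own image> > nul" with
the image written as an 8.3 short name, so the detector links each cmd.exe
child to its parent through the short-name prefix rather than the full path.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class ProcRecord(NamedTuple):
    parent_pid: int
    parent_image: str
    pid: int
    image: str
    cmdline: str


# Transcribed from the process tree above: parent, its cmd.exe child, command line.
# The final explorer.exe record is a constructed benign control, not from the report.
RECORDS = [
    ProcRecord(4596, r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe", 3048, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcRecord(3632, r"C:\Windows\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe", 876, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{865FB~1.EXE > nul"),
    ProcRecord(376, r"C:\Windows\{25420D7E-4119-40ae-8B32-15764EF66683}.exe", 844, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{25420~1.EXE > nul"),
    ProcRecord(4868, r"C:\Windows\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe", 1400, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8BA57~1.EXE > nul"),
    ProcRecord(4008, r"C:\Windows\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe", 4172, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{300DE~1.EXE > nul"),
    ProcRecord(2152, r"C:\Windows\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe", 4312, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D365E~1.EXE > nul"),
    ProcRecord(2660, r"C:\Windows\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe", 4928, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9442F~1.EXE > nul"),
    ProcRecord(1908, r"C:\Windows\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe", 2292, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CDF7E~1.EXE > nul"),
    ProcRecord(2544, r"C:\Windows\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe", 1660, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA5C~1.EXE > nul"),
    ProcRecord(3388, r"C:\Windows\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe", 4288, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BA8AF~1.EXE > nul"),
    ProcRecord(2876, r"C:\Windows\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe", 3260, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA9B~1.EXE > nul"),
    ProcRecord(3220, r"C:\Windows\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe", 4016, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5ED~1.EXE > nul"),
    # Constructed control: cmd.exe deleting a short-named file that is not its parent.
    ProcRecord(1234, r"C:\Windows\explorer.exe", 5678, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Users\Admin\Desktop\OLDREP~1.TXT > nul"),
]

DEL_RE = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.I)
SHORT_RE = re.compile(r"^(?P<prefix>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{0,3}))?$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_short_name(path: str) -> Optional[Tuple[str, str]]:
    """(prefix, ext) of an 8.3 name such as {5F5ED~1.EXE, or None if it is not one."""
    m = SHORT_RE.match(basename(path))
    if not m:
        return None
    return m.group("prefix").upper(), (m.group("ext") or "").upper()


def expected_short(long_path: str) -> Tuple[str, str]:
    """Approximate the first 8.3 candidate Windows generates for a long name:
    six leading characters of the stem plus '~N', and three of the extension.
    Assumption: real short names can differ on collisions (~2, ~3) and for
    characters NTFS substitutes, so matching is on the prefix and any ~N is accepted."""
    name = basename(long_path)
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = stem.replace(" ", "").replace(".", "")
    return stem[:6].upper(), ext[:3].upper()


def detect_self_delete(records: List[ProcRecord]) -> List[Tuple[int, str, str]]:
    """(parent pid, parent image, deleted path) for each cmd.exe child whose 'del'
    target is the parent's own image, in the parent's directory, by short name."""
    hits = []
    for r in records:
        if basename(r.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(r.cmdline)
        if not m:
            continue
        target = m.group("target")
        short = parse_short_name(target)
        same_dir = target.rsplit("\\", 1)[0].lower() == r.parent_image.rsplit("\\", 1)[0].lower()
        if short is not None and same_dir and short == expected_short(r.parent_image):
            hits.append((r.parent_pid, r.parent_image, target))
    return hits


if __name__ == "__main__":
    for parent_pid, parent_image, target in detect_self_delete(RECORDS):
        print(f"PID {parent_pid} ({basename(parent_image)}) deleted itself via {target}")
```

All twelve report records match and the control does not. The same comparison works on EDR process-creation telemetry that records parent image and child command line; the directory check matters because the prefix alone is six characters and would otherwise collide with unrelated short-named files.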
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 216KB
MD5: 16f95a3f3d2342a678076d481d3e60bd
SHA1: faeeef39a170fdce6cc633cb7eb6c47fd407e4de
SHA256: bba073cf337ecc0f820e3c1dc8319a0b3e43711e74abe51ca7c3d6f9f801082a
SHA512: d652b4a0b0b0d8e8c3a67c75101042684d953ad5ee4a5aa0e879189794e6857369060b6afca09b21963b947bddcbe4937bfd8a6e0f1d67dc50601aa329d681fb

Filesize: 216KB
MD5: ac97d244c93abeaa7f6ce41613452fb0
SHA1: c7b9c91c6146e57376f20b73acf747ac3149052e
SHA256: 80c660748240f997a9fb1ae6d45612b1d671bc8cc4bcf4dab093e14cbd05bd21
SHA512: a6ae8ea6ee301ebdc4cfa12d80736ff433c564043ddc2819c0f78f5bef7744b3f7469ced4928041219a9e10d941637cbf3eee2a4cab1146abf9994e9838944f8

Filesize: 216KB
MD5: 48eaab127c27d7b6af12bb6b454b18c6
SHA1: 8fa2d1cec680c9e36e6ea8e24aa438eef05e22de
SHA256: 9a3b897ec2555f53ce411486e2f30fdca44221f07240e26ed057bc3b6e720180
SHA512: a47f5bf06428592834afb74ee62c2adb0b84adff5770821477011e5648016042322503bbd11ade46ebc9f87c3b946b361d8750025332de2bb185d934874b3466

Filesize: 216KB
MD5: 9b0c7929e2c4433513e4afa5fdca01f5
SHA1: 21d688bdc8a7f3846e6ab7d13defd2e22364f31a
SHA256: 3fff279021fbd0f24c81d4deb98c93174c5c26d66f06567c5d536203c06bdc29
SHA512: a0e9c93b81ad53cc2656e6dadd49d4bc1610a9dae9e4c31d59a1753a79d92c86e42742ea636ced01651c931a90c8cb227f973dfe29022ebbad05cd9ee14cf20c

Filesize: 216KB
MD5: 32e5d9650520756648ffe7448ad067d1
SHA1: c86f5401bffb6833187627c7dbce832a8ad67abb
SHA256: 2e1f480200a1c665f714372fd1873769fa0d2766e80b99c45a127b0d1dfe2706
SHA512: 56560deed6ec531b294269cf89af8e3d50b9c70828b5d4a81f311a3e99826e8a4fa0d732d8c005a1c104841c2c84bc707dd9ee06caa8fc9a83bb4410e46a0d1e

Filesize: 216KB
MD5: 266b09921193f3352a625ac08711f74b
SHA1: b1bc39199bcada051e046534b7e717ff1f0daea5
SHA256: 1917e63e7639403aa6e8fad4b732cbdabccba37e4b3860c0b6969fe1e5bdfb47
SHA512: 646035c06d390bfa6d993e50e7ac53e09786160f13cfb775caa14fdc828925a19a4518266092255e7dd4659aa0bac4c57d46fe50cbd29bd94d999be516627b58

Filesize: 216KB
MD5: 45fef899868bd8d6cf82623e45226548
SHA1: b8fd9de8cb64614529c93f4377ba0f8fccc8c672
SHA256: 8ee5c8b6f581fd291540b42ece6c9fd367b4b7fb60b35a5d788f38bb4fd18443
SHA512: 682f5fb80bb0218984c1649e86b261793e7756ef47107f0d5e59b2e84b57122dc4f1534b6db7dd395d257150712344748d092deaf7897f7b0e19f1ae8350b9b0

Filesize: 216KB
MD5: 693d99a8b31127a575159a755ff82fca
SHA1: 6be7a8ac21ba3578b28bb19e32fbe2cfed47a786
SHA256: 530f696dafcbd875682dc9f56e2e065e0ea9bad59c170d58d52ffbdbb56851ab
SHA512: 72a96c4861edb43d5aa2a2e42e5b4c292e09ea07caaebe9f0fd7ab3658c385536cb4cefc6adecadccf55c493bd70df8834e4d423a7a6af268d733ab144085426

Filesize: 216KB
MD5: e17b5730862c1b3de1b80130d734cb70
SHA1: c38546ba3d30b9a157788a14cc5914cab70e9341
SHA256: b760807f537c5b044b21f4c321493d1e662bf9ebe559f1316a745da10a3f7208
SHA512: 4e3bfa9b42afefadce12034263aa1590959594c7126dca8c056d151c69de07e5e88a9125da09ab00827cd14872979cc18bd56d5ec629bdcf1bf80789342c7aba

Filesize: 216KB
MD5: dcb416d1ec3845b863cb70d75d40910f
SHA1: 490043d3db41f44b29d1bcb8ff5db8763f733edc
SHA256: dabbbc5963d1170205251225d863b0ce6d90d09535f7065d16d592f083bde97c
SHA512: 54c3287013049152cf14dfcf50d5fb67e7c76f1cff274666eba5435bf45dce25d3df57a8ff319d0f211c2baa6c8c90d4a9fbf8c8117deb513625c9474576066e

Filesize: 216KB
MD5: b611fd925b7ea322b4c40386f990f411
SHA1: 7a326d0a79a60b71fe4e79721d45bb8cee858a0a
SHA256: a55428cc30db406081f060bb17154d39890bfebe8f59daaa9d43395e390c249d
SHA512: 3c18911801fd666d083aabc7dc2231fe7b2cb2ddc9e00765be8c445e71af071076480cb8b25d51b1dca887d77f8f5a9a2f9419628f567d90441f4e587a22449b

Filesize: 216KB
MD5: bd3d70911a73bd7faa9a10fc4a8e1b4f
SHA1: 5170b2d7eccc7f1886ea2629bdfe331324a4992b
SHA256: 2c39d3c999f9f6dee8811b2358c37978867764ed282d16c730bb012da8324118
SHA512: 068084f6923887b1a0183b4d9f3ca6bd96478fb141b987f9e48abba3b4e878f164d8750a82bd3c2f03fd8dc98f1deccad53b93c21daae487a0ff60ea16d626be