Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:37
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Size: 168KB
MD5: 2680d6392f72a0c5db4e1d4eb20e3fb2
SHA1: e0e6554478c119d14cd2ada53a16b71982b2d8ec
SHA256: 02229c757c01b07239d030159c39b38281b72687a8d3406f01043e42db7128b9
SHA512: c4a0b8a112b714bfc60d373b8473bb5b96e1085fadb8ccce972f341354637aaf144d52111dffbaf5f0c277f9439c1875967420f1444e6148ab21ac61472a536e
SSDEEP: 1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (13 IoCs)
resource | yara_rule
behavioral2/files/0x000800000002320a-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320b-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023213-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e743-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023213-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e743-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e743-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023213-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e743-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023213-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e743-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320f-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e743-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076EC35C-09F6-4f9b-82BB-77423B6A286B}\stubpath = "C:\\Windows\\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe" | {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{933B6DB4-F9F5-4f47-A84E-937B41564C73}\stubpath = "C:\\Windows\\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe" | {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FCF7F5-F675-4490-B6FD-18630AA83617} | {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8831F8CB-554A-46f9-8C5B-74B37D277869}\stubpath = "C:\\Windows\\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe" | {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AEEC420-0A05-442b-910A-B0880445E89F} | {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}\stubpath = "C:\\Windows\\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe" | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B8FDD9D-0067-40a3-A7EC-552286070268} | {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B8FDD9D-0067-40a3-A7EC-552286070268}\stubpath = "C:\\Windows\\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe" | {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AEEC420-0A05-442b-910A-B0880445E89F}\stubpath = "C:\\Windows\\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe" | {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F07FF5D-1A0E-49dc-970D-6196304AC766} | {3AEEC420-0A05-442b-910A-B0880445E89F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076EC35C-09F6-4f9b-82BB-77423B6A286B} | {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02} | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757} | {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}\stubpath = "C:\\Windows\\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe" | {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40} | {6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}\stubpath = "C:\\Windows\\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe" | {6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{933B6DB4-F9F5-4f47-A84E-937B41564C73} | {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FCF7F5-F675-4490-B6FD-18630AA83617}\stubpath = "C:\\Windows\\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe" | {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091} | {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}\stubpath = "C:\\Windows\\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe" | {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F07FF5D-1A0E-49dc-970D-6196304AC766}\stubpath = "C:\\Windows\\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe" | {3AEEC420-0A05-442b-910A-B0880445E89F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79611CE9-02B9-455c-8ECF-E92BD5531AEF} | {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}\stubpath = "C:\\Windows\\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe" | {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8831F8CB-554A-46f9-8C5B-74B37D277869} | {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe
Executes dropped EXE (12 IoCs)
pid | Process
4716 | {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe
4728 | {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe
2508 | {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe
4108 | {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe
3068 | {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe
1656 | {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe
4520 | {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe
4388 | {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe
1692 | {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe
4776 | {3AEEC420-0A05-442b-910A-B0880445E89F}.exe
4752 | {6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe
4864 | {8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe | {6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe
File created | C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
File created | C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe
File created | C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe
File created | C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe
File created | C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe | {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe
File created | C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe | {3AEEC420-0A05-442b-910A-B0880445E89F}.exe
File created | C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe
File created | C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe
File created | C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe
File created | C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe
File created | C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3536 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4716 | {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe
Token: SeIncBasePriorityPrivilege | 4728 | {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe
Token: SeIncBasePriorityPrivilege | 2508 | {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe
Token: SeIncBasePriorityPrivilege | 4108 | {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe
Token: SeIncBasePriorityPrivilege | 3068 | {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe
Token: SeIncBasePriorityPrivilege | 1656 | {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe
Token: SeIncBasePriorityPrivilege | 4520 | {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe
Token: SeIncBasePriorityPrivilege | 4388 | {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe
Token: SeIncBasePriorityPrivilege | 1692 | {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe
Token: SeIncBasePriorityPrivilege | 4776 | {3AEEC420-0A05-442b-910A-B0880445E89F}.exe
Token: SeIncBasePriorityPrivilege | 4752 | {6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report lists each write three times, collapsed here with a count)
description | pid | Process | procid_target
PID 3536 wrote to memory of 4716 (3 entries) | 3536 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 93
PID 3536 wrote to memory of 2000 (3 entries) | 3536 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 94
PID 4716 wrote to memory of 4728 (3 entries) | 4716 | {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | 95
PID 4716 wrote to memory of 2944 (3 entries) | 4716 | {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe | 96
PID 4728 wrote to memory of 2508 (3 entries) | 4728 | {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | 99
PID 4728 wrote to memory of 3652 (3 entries) | 4728 | {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe | 100
PID 2508 wrote to memory of 4108 (3 entries) | 2508 | {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | 102
PID 2508 wrote to memory of 4804 (3 entries) | 2508 | {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe | 103
PID 4108 wrote to memory of 3068 (3 entries) | 4108 | {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | 104
PID 4108 wrote to memory of 2988 (3 entries) | 4108 | {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe | 105
PID 3068 wrote to memory of 1656 (3 entries) | 3068 | {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | 106
PID 3068 wrote to memory of 4800 (3 entries) | 3068 | {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe | 107
PID 1656 wrote to memory of 4520 (3 entries) | 1656 | {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | 108
PID 1656 wrote to memory of 1884 (3 entries) | 1656 | {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe | 109
PID 4520 wrote to memory of 4388 (3 entries) | 4520 | {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | 110
PID 4520 wrote to memory of 4696 (3 entries) | 4520 | {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe | 111
PID 4388 wrote to memory of 1692 (3 entries) | 4388 | {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | 112
PID 4388 wrote to memory of 1848 (3 entries) | 4388 | {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe | 113
PID 1692 wrote to memory of 4776 (3 entries) | 1692 | {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | 114
PID 1692 wrote to memory of 3852 (3 entries) | 1692 | {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe | 115
PID 4776 wrote to memory of 4752 (3 entries) | 4776 | {3AEEC420-0A05-442b-910A-B0880445E89F}.exe | 116
PID 4776 wrote to memory of 3896 (1 entry; the list is capped at 64 IoCs) | 4776 | {3AEEC420-0A05-442b-910A-B0880445E89F}.exe | 117
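The "Modifies Installed Components" and "Drops file in Windows directory" signatures above describe one mechanism from two angles: each stage writes the next GUID-named executable into C:\Windows and registers that same path as an Active Setup StubPath under Installed Components\{GUID}. The following script is an added example (not part of the sandbox report or its vendor's tooling) that parses those flattened rows, walks the drop relationships from the original sample to rebuild the stage order, and checks that every registered StubPath points at the GUID of its own key and was written by the same stage that dropped the file. The rows embedded in it are copied verbatim from the signatures above; the parsing and checks are new.

```python
"""Rebuild the GoldenEye dropper chain from the flattened sandbox IoC rows.

Added example, not part of the sandbox report. Input rows are copied verbatim
from the "Modifies Installed Components" and "Drops file in Windows directory"
signatures; the parsing, the chain walk and the consistency checks are new.
"""
import re

SAMPLE = "2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"

# 'Set value (str)' rows: which process registered which Active Setup StubPath.
STUBPATH_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076EC35C-09F6-4f9b-82BB-77423B6A286B}\stubpath = "C:\\Windows\\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe" {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{933B6DB4-F9F5-4f47-A84E-937B41564C73}\stubpath = "C:\\Windows\\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe" {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8831F8CB-554A-46f9-8C5B-74B37D277869}\stubpath = "C:\\Windows\\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe" {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}\stubpath = "C:\\Windows\\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe" 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B8FDD9D-0067-40a3-A7EC-552286070268}\stubpath = "C:\\Windows\\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe" {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AEEC420-0A05-442b-910A-B0880445E89F}\stubpath = "C:\\Windows\\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe" {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}\stubpath = "C:\\Windows\\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe" {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}\stubpath = "C:\\Windows\\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe" {6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FCF7F5-F675-4490-B6FD-18630AA83617}\stubpath = "C:\\Windows\\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe" {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}\stubpath = "C:\\Windows\\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe" {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F07FF5D-1A0E-49dc-970D-6196304AC766}\stubpath = "C:\\Windows\\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe" {3AEEC420-0A05-442b-910A-B0880445E89F}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}\stubpath = "C:\\Windows\\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe" {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe
"""

# 'File created' rows: which process dropped which stage into C:\Windows.
FILE_ROWS = r"""
File created C:\Windows\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe {6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe
File created C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
File created C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe {076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe
File created C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe {87FCF7F5-F675-4490-B6FD-18630AA83617}.exe
File created C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe {79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe
File created C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe {ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe
File created C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe {3AEEC420-0A05-442b-910A-B0880445E89F}.exe
File created C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe {CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe
File created C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe {86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe
File created C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe {2B8FDD9D-0067-40a3-A7EC-552286070268}.exe
File created C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe {933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe
File created C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe {8831F8CB-554A-46f9-8C5B-74B37D277869}.exe
"""

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
STUB_RE = re.compile(
    r"Installed Components\\\{(?P<key>" + GUID + r")\}\\stubpath = "
    r'"(?P<path>[^"]*)" (?P<writer>\S+)$'
)
FILE_RE = re.compile(r"File created C:\\Windows\\\{(?P<guid>" + GUID + r")\}\.exe (?P<writer>\S+)$")
PATH_RE = re.compile(r"\{(" + GUID + r")\}\.exe$")


def stage_of(name):
    """Map a process name or StubPath to a chain node: 'sample' or the stage GUID."""
    if name == SAMPLE:
        return "sample"
    m = PATH_RE.search(name)
    if not m:
        raise ValueError(f"not a GUID-named stage: {name}")
    return m.group(1).upper()


def parse_stubpaths(text):
    """{registered key GUID: (GUID the StubPath points at, stage that wrote it)}"""
    out = {}
    for line in text.strip().splitlines():
        m = STUB_RE.search(line.strip())
        if m:
            out[m.group("key").upper()] = (stage_of(m.group("path")), stage_of(m.group("writer")))
    return out


def parse_drops(text):
    """{dropped stage GUID: stage that created the file}"""
    out = {}
    for line in text.strip().splitlines():
        m = FILE_RE.search(line.strip())
        if m:
            out[m.group("guid").upper()] = stage_of(m.group("writer"))
    return out


def build_chain(drops):
    """Walk parent -> child links from the sample; refuse forks and loops."""
    children = {}
    for guid, parent in drops.items():
        if parent in children:
            raise ValueError(f"{parent} drops more than one file; chain is not linear")
        children[parent] = guid
    chain, node = ["sample"], "sample"
    while node in children:
        node = children[node]
        if node in chain:
            raise ValueError("cycle in drop chain")
        chain.append(node)
    return chain


def check_consistency(stubs, drops):
    """Each StubPath must point at its own key's GUID and be written by the stage
    that dropped that file; every dropped stage must be registered. Returns violations."""
    problems = []
    for key, (target, writer) in stubs.items():
        if target != key:
            problems.append(f"{key}: StubPath points at {target}")
        if drops.get(key) != writer:
            problems.append(f"{key}: registered by {writer}, dropped by {drops.get(key)}")
    for guid in drops:
        if guid not in stubs:
            problems.append(f"{guid}: dropped but never registered in Active Setup")
    return problems


if __name__ == "__main__":
    drops = parse_drops(FILE_ROWS)
    for depth, node in enumerate(build_chain(drops), start=1):
        print(f"{depth:2d} {node}")
    print("violations:", check_consistency(parse_stubpaths(STUBPATH_ROWS), drops) or "none")
```

Run against the rows above it yields thirteen nodes (the sample plus twelve stages), in the same order as the process tree further down, with no violations; the final stage {8A059DDF-...} is registered but drops nothing, which is where the run ended. The same parser applies to any report of this layout, and a non-empty violation list is worth a second look: a StubPath that points at a file a different process dropped usually means two separate infections or a misattributed event.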
Processes
(depth in brackets; the command line is shown only where it differs from the image path)
[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe (PID 3536)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe (PID 4716)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe (PID 4728)
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{2B8FDD9D-0067-40a3-A7EC-552286070268}.exe (PID 2508)
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{076EC35C-09F6-4f9b-82BB-77423B6A286B}.exe (PID 4108)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{933B6DB4-F9F5-4f47-A84E-937B41564C73}.exe (PID 3068)
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{87FCF7F5-F675-4490-B6FD-18630AA83617}.exe (PID 1656)
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{79611CE9-02B9-455c-8ECF-E92BD5531AEF}.exe (PID 4520)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{8831F8CB-554A-46f9-8C5B-74B37D277869}.exe (PID 4388)
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{ED5B6993-E65C-4ed0-84EE-AD8E4A8E5091}.exe (PID 1692)
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{3AEEC420-0A05-442b-910A-B0880445E89F}.exe (PID 4776)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{6F07FF5D-1A0E-49dc-970D-6196304AC766}.exe (PID 4752)
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{8A059DDF-466D-4a6d-A9E7-244ED35FBC40}.exe (PID 4864)
                            - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe (PID 4816)
                            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6F07F~1.EXE > nul
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 3896)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3AEEC~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 3852)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ED5B6~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 1848)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8831F~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 4696)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{79611~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 1884)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{87FCF~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 4800)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{933B6~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2988)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{076EC~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 4804)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2B8FD~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3652)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{86A21~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2944)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD72~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2000)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
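Two process-level patterns repeat at every level of the tree above: a GUID-named executable in the Windows root launches the next GUID-named executable, and each stage spawns cmd.exe to delete its own image by its 8.3 short name (`{CCD72~1.EXE` for `{CCD72FFE-...}.exe`, `2024-0~1.EXE` for the sample). The script below is an added example, not part of the sandbox report, that turns both into checks over process-creation events. The event records are constructed here in the shape of the tree (parent image, image, command line) and are not a real log format; the 8.3 matching is a heuristic that assumes the `~1` family of aliases and would need adjusting for NTFS collision names.

```python
"""Flag the dropper relay and the cmd.exe self-deletion seen in the process tree.

Added example, not part of the sandbox report. Events are constructed to mirror the
report's tree (parent image, image, command line); map your own telemetry onto them.
"""
import re
from dataclasses import dataclass

# GUID-named executable directly in the Windows root, e.g. C:\Windows\{CCD72FFE-...}.exe
GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)
# cmd.exe /c del <target> > nul, as every stage in the tree uses it
DEL_CMD = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def split_path(path):
    """(directory, basename) of a Windows path, both upper-cased for comparison."""
    directory, _, base = path.rpartition("\\")
    return directory.upper(), base.upper()


def short_name_prefix(base):
    """First six characters of the stem, the recognisable part of an 8.3 alias
    ({6F07FF5D-...}.EXE -> {6F07F). Heuristic: NTFS may choose ~2, ~3 or a hashed
    alias on collisions and drops characters that are illegal in 8.3 names."""
    return base.rsplit(".", 1)[0][:6]


def is_self_delete(ev):
    """cmd.exe child whose del target is the parent's own image, named by 8.3 alias."""
    if split_path(ev.image)[1] != "CMD.EXE":
        return False
    m = DEL_CMD.search(ev.command_line)
    if not m:
        return False
    target_dir, target_base = split_path(m.group("target"))
    parent_dir, parent_base = split_path(ev.parent_image)
    alias = re.escape(short_name_prefix(parent_base)) + r"~\d+\.EXE"
    return target_dir == parent_dir and re.fullmatch(alias, target_base) is not None


def classify(events):
    """(index, label) for every event that matches one of the two behaviours."""
    hits = []
    for i, ev in enumerate(events):
        if GUID_EXE.match(ev.image):
            hits.append((i, "relay" if GUID_EXE.match(ev.parent_image) else "guid-exe launch"))
        if is_self_delete(ev):
            hits.append((i, "self-delete"))
    return hits


# Constructed sample events (not real telemetry), following the first levels of the tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"
STAGE1 = r"C:\Windows\{CCD72FFE-43F8-41e6-90CD-8A7BEA66DA02}.exe"
STAGE2 = r"C:\Windows\{86A21F3A-2532-49e6-8F47-6BDB6DE7B757}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    ProcEvent(EXPLORER, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(SAMPLE, STAGE1, STAGE1),
    ProcEvent(SAMPLE, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(STAGE1, STAGE2, STAGE2),
    ProcEvent(STAGE1, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD72~1.EXE > nul"),
    # an ordinary delete from explorer.exe: same command shape, must not fire
    ProcEvent(EXPLORER, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Desktop\notes.txt > nul"),
]

if __name__ == "__main__":
    for index, label in classify(EVENTS):
        ev = EVENTS[index]
        print(f"{label:16s} parent={ev.parent_image}  child={ev.command_line}")
```

On the constructed events this flags the sample launching stage 1, stage 1 launching stage 2 as a relay, and the two self-deletions, while leaving the explorer-spawned delete alone because its target is neither in the parent's directory nor an alias of the parent's name. The self-delete check is the more portable of the two: the GUID-in-Windows-root pattern is specific to this family, whereas a parent deleting its own image through a cmd.exe child is a habit shared by many droppers.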
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 168KB
MD5: 3dac8a0000423b8d656b4ca0e0358560
SHA1: 5f46bb597a200cd033f93874b3d3bbce6755d855
SHA256: dca6f5effb16c5269bf80bdb7845f6c6162c6db2e09332db0e9ffe1186034462
SHA512: aa45571a307b7054db80e8fbed2e8ec682421945443c87da36ff6c8c6242acdb182f1cb93d3b09f238ad04621f0d7d432d5ebfbfbfa6d0f366494bd816c4d9de

Filesize: 168KB
MD5: 93014206419f1bf219162c2d939f0de6
SHA1: 482a32325b57e7a4e0880401217ad181de3faff8
SHA256: ce22842c522925fba5cd17f95f8be33557218244a267e0bf5f17d9b1477687c9
SHA512: bc92927a3ab95bce82a7a7892f12f58fe5ef0e0d79748a3510132df8379b04fe09c150e72ff5d7a252d0239ec905a236440034a7d957d0c9b2b70923cf122e49

Filesize: 168KB
MD5: e0360ad5bc9e658dd3e5020e0cc2d1da
SHA1: 8e307b30f2c3f6510c015b6f524fff1df35d9fc5
SHA256: cd56f90760ffa61219ad127c9c8540260b7147ad100d20d82e98364fad9fddf5
SHA512: 186b07345eceb209bb8058329bf6fa5f3051fd4408a7583c7f7a27e2a87c3eb48123dcaa370fee4504315ae96ae10f6556217495fcacf6037e1da38b95b76a2e

Filesize: 168KB
MD5: bb21f764b3471002aa73f194c15b25e2
SHA1: 8f3a180a3ca4cd6b87a00b687d4b52fc185a5126
SHA256: 2b9ba5d951f622dc366f9cc2cb7fa3313474637628a4692fe5084aa1c18e8323
SHA512: 45e7656e147c6bf96b083ce2536c135c3a9a57d9257943ec08fcb45a372cf30735a75df84453bd9eb1b60e01245fe9dfa6f65f92eae5c426125c495ab6e8d991

Filesize: 168KB
MD5: eaab6ff271b0cb5812015c6d704ef2e9
SHA1: b0dd32fb57b3c5c24ddd7a7a7c64f75187a9eea1
SHA256: 8a0264dcd10f756d7cc23db486dd16ee04e07453ef5f0870c2a7e77673a59ef3
SHA512: 8f2f51634a65b4722449a82450c7308397cec0f091a21866d0c24f22752a63cd4227209dcd234c636c7fa01e53f79c97329a906034711bb1b2cf75d1c26b8191

Filesize: 168KB
MD5: f76e25a2a9ec34485124050eb887c171
SHA1: 57e283859ecff5d4fd67909458a1d1cd22dc5246
SHA256: c6ece3af24f6f61a1295e80ab8e5a13225354d1f3a63c95ef68dd47a4585d6e2
SHA512: 1e6e243bb3dba0c7bb0d68c6242cc5296a1bea4e4d0c968a1882c02a5dfb073fd90c1f1ed8cecfcdd3c22dd0808acb5172535704bfe402ba559a338a14f8363c

Filesize: 128KB
MD5: 33a6e25d5d9f217bb285eaf3cc006f21
SHA1: eb6b11a10d19472ad474d460d4b94db7182be57e
SHA256: 024be0c1b1859ba502143e882d527c8041866a0d9481cf446ece0a809e884d0e
SHA512: 5fc68cfe3a826f4f6af7c718dd2bf82cab64baa93990496971cb101d7e77594234625468ac702eebb3a2054eca3bfab73b9fd042e9efd8d3966ff2a119c02610

Filesize: 168KB
MD5: 37d58c1180a0c0e00808b873341774e1
SHA1: 3302cb3983739d8604a021fefd833cf4fb63d758
SHA256: ba8a36c3f79ee4ffa48f24d979aaeea758a00bcff1699aa55a2921a8c175343d
SHA512: b4420bf980830608461b29c09a1ecdc447e1f96c0f753cff3ce908c06f5c17d5f78b238babe93b4de02bb54b754d5fbfced9271702acb250c3253c4f2c8e9d90

Filesize: 168KB
MD5: 850c8cef58d54f74daeefd446279194f
SHA1: 4e8ccec6c7176215639b21bf067450649edaca58
SHA256: 1a62d1b53ea741cc0dc49fde505023f343e706c4ee771cb27c12b86792b43a35
SHA512: dc2d3f8a140141f50adb957779eba40edb34b17e88d4c6d68c8c83e49f0845292c5e603a9f6d31f561431e45fd314f86e4e599170c21673202d1972a88bd534c

Filesize: 168KB
MD5: 8fdcea4c2e9680d8ae6c735a6bdecc7f
SHA1: c03a98646f165c6a111e95029a6aab839c7ea6eb
SHA256: 303080708d49b6254543630f4da6cb52b48d5483b5ae6ef128e41eac4a9d18db
SHA512: 85cbd8e2ebb7197df8028639d90714f2d36bbbc61c92645f3acb8fc6d6256791565e20d13d7afeb702246a02cf71ec3be2743c6315f8a96e097e7d001ff3bd21

Filesize: 168KB
MD5: c500b16705b7f2dc7d3f8beee5f887e9
SHA1: 4ffc6625a6b40060dfec1a2a6cc0e9e485ead7ea
SHA256: 4940a34fc59855a9e7e4c4c2d31dad3d1344b0d3fea70ca0463092a55fe54177
SHA512: 688acccafb63485bf4254bf973c88cd6fcfdc6f6df85e0f54fc0b4a09bb1e5f63241f3c14b0b85f3ee6824e38e3d504a372320687a1256e47241a5fb8204f462

Filesize: 168KB
MD5: 0222c0644392482b8c3739427502e3df
SHA1: b5e2f97c7fe430d663ddec04d8f460dcf8090cbe
SHA256: a2e9a9174be46d3d56ffa28f75a1e87c9aeee7084227838c37dae21922a4f82e
SHA512: bcc51aa975d5c55bf6118c75908a9de604ae0c3cc4e4b99015455f949be6255a0ab4f9fcb94bbd4eed1ce1a754ddadfa768bf80de214a21dfe6394912295f42d

Filesize: 168KB
MD5: dc4061bc402c57cbddfc1ebb51c9042e
SHA1: 713e294fdccba195f9e9654399a690c4a60afd1d
SHA256: 5ae79d6b8a88a237b1fc1291661799f3a18926abda8dd01788cffa31b3b6b58b
SHA512: 10a55a85d666cd33e7202b27b5046f3aa088508af9d36fa3b89151ca51b887208a55190878069ef1457c50b393c2ff167380f4186353d3847d67b7d50b67d199