7b259bd84a2b33e8d7399687cb7564509683ec7a7f7d62d99f35fc5106f96796

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Size

192KB
MD5

0b0b55d7678192cd32672e12249b1a33
SHA1

7a1e78ce8a75487e70c647393dc4a580b557c6ed
SHA256

7b259bd84a2b33e8d7399687cb7564509683ec7a7f7d62d99f35fc5106f96796
SHA512

923cb7ca20d039485df64650fa7fda9de1d3e6d6411020ebd9220b72f3bf0854fd02ffe226dc63975852a5df01e0430f6231adb5365a6565217382ba33c5a7ca
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ovl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023225-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002321d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023225-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002321d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023225-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001500000002321d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002311d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023122-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002311d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001600000002321d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}\stubpath = "C:\\Windows\\{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe"	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D79478B-E494-4e43-9756-2DAE77524298}\stubpath = "C:\\Windows\\{7D79478B-E494-4e43-9756-2DAE77524298}.exe"	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB744CB-25EF-44ce-A186-685FAE371D52}	{7D79478B-E494-4e43-9756-2DAE77524298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB744CB-25EF-44ce-A186-685FAE371D52}\stubpath = "C:\\Windows\\{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe"	{7D79478B-E494-4e43-9756-2DAE77524298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B08C5ED-D438-460d-90F4-348FFAF97EF1}	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{809B517B-70A5-45dd-9A87-2229AE946D98}	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A133263B-2264-46d3-80F0-5FC866A98E08}	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E7D6FC-EB98-429d-993D-5FB782BA3B64}\stubpath = "C:\\Windows\\{52E7D6FC-EB98-429d-993D-5FB782BA3B64}.exe"	{A133263B-2264-46d3-80F0-5FC866A98E08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{809B517B-70A5-45dd-9A87-2229AE946D98}\stubpath = "C:\\Windows\\{809B517B-70A5-45dd-9A87-2229AE946D98}.exe"	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B08C5ED-D438-460d-90F4-348FFAF97EF1}\stubpath = "C:\\Windows\\{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe"	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{508C28B7-6A7B-404e-A6E2-716AE8173629}	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{508C28B7-6A7B-404e-A6E2-716AE8173629}\stubpath = "C:\\Windows\\{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe"	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}\stubpath = "C:\\Windows\\{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe"	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{807222A7-1231-439b-B5CE-0E4B4654A644}	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{807222A7-1231-439b-B5CE-0E4B4654A644}\stubpath = "C:\\Windows\\{807222A7-1231-439b-B5CE-0E4B4654A644}.exe"	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52E7D6FC-EB98-429d-993D-5FB782BA3B64}	{A133263B-2264-46d3-80F0-5FC866A98E08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D79478B-E494-4e43-9756-2DAE77524298}	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A133263B-2264-46d3-80F0-5FC866A98E08}\stubpath = "C:\\Windows\\{A133263B-2264-46d3-80F0-5FC866A98E08}.exe"	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}\stubpath = "C:\\Windows\\{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe"	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}\stubpath = "C:\\Windows\\{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe"	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe

Executes dropped EXE 12 IoCs

pid	Process
2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe
1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe
4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe
688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe
4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe
3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe
2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe
3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe
1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe
4000	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe
4364	{A133263B-2264-46d3-80F0-5FC866A98E08}.exe
4972	{52E7D6FC-EB98-429d-993D-5FB782BA3B64}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A133263B-2264-46d3-80F0-5FC866A98E08}.exe	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe
File created	C:\Windows\{807222A7-1231-439b-B5CE-0E4B4654A644}.exe	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
File created	C:\Windows\{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe
File created	C:\Windows\{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe
File created	C:\Windows\{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe	{7D79478B-E494-4e43-9756-2DAE77524298}.exe
File created	C:\Windows\{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe
File created	C:\Windows\{52E7D6FC-EB98-429d-993D-5FB782BA3B64}.exe	{A133263B-2264-46d3-80F0-5FC866A98E08}.exe
File created	C:\Windows\{809B517B-70A5-45dd-9A87-2229AE946D98}.exe	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe
File created	C:\Windows\{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe
File created	C:\Windows\{7D79478B-E494-4e43-9756-2DAE77524298}.exe	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe
File created	C:\Windows\{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe
File created	C:\Windows\{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2448	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe
Token: SeIncBasePriorityPrivilege	1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe
Token: SeIncBasePriorityPrivilege	4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe
Token: SeIncBasePriorityPrivilege	688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe
Token: SeIncBasePriorityPrivilege	4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe
Token: SeIncBasePriorityPrivilege	3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe
Token: SeIncBasePriorityPrivilege	2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe
Token: SeIncBasePriorityPrivilege	3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe
Token: SeIncBasePriorityPrivilege	1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe
Token: SeIncBasePriorityPrivilege	4000	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe
Token: SeIncBasePriorityPrivilege	4364	{A133263B-2264-46d3-80F0-5FC866A98E08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2476	2448	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	97
PID 2448 wrote to memory of 2476	2448	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	97
PID 2448 wrote to memory of 2476	2448	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	97
PID 2448 wrote to memory of 2388	2448	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	98
PID 2448 wrote to memory of 2388	2448	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	98
PID 2448 wrote to memory of 2388	2448	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	98
PID 2476 wrote to memory of 1564	2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe	100
PID 2476 wrote to memory of 1564	2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe	100
PID 2476 wrote to memory of 1564	2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe	100
PID 2476 wrote to memory of 4112	2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe	101
PID 2476 wrote to memory of 4112	2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe	101
PID 2476 wrote to memory of 4112	2476	{807222A7-1231-439b-B5CE-0E4B4654A644}.exe	101
PID 1564 wrote to memory of 4736	1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe	105
PID 1564 wrote to memory of 4736	1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe	105
PID 1564 wrote to memory of 4736	1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe	105
PID 1564 wrote to memory of 2516	1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe	106
PID 1564 wrote to memory of 2516	1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe	106
PID 1564 wrote to memory of 2516	1564	{809B517B-70A5-45dd-9A87-2229AE946D98}.exe	106
PID 4736 wrote to memory of 688	4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe	107
PID 4736 wrote to memory of 688	4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe	107
PID 4736 wrote to memory of 688	4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe	107
PID 4736 wrote to memory of 1796	4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe	108
PID 4736 wrote to memory of 1796	4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe	108
PID 4736 wrote to memory of 1796	4736	{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe	108
PID 688 wrote to memory of 4244	688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe	109
PID 688 wrote to memory of 4244	688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe	109
PID 688 wrote to memory of 4244	688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe	109
PID 688 wrote to memory of 1072	688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe	110
PID 688 wrote to memory of 1072	688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe	110
PID 688 wrote to memory of 1072	688	{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe	110
PID 4244 wrote to memory of 3920	4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe	112
PID 4244 wrote to memory of 3920	4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe	112
PID 4244 wrote to memory of 3920	4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe	112
PID 4244 wrote to memory of 3980	4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe	113
PID 4244 wrote to memory of 3980	4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe	113
PID 4244 wrote to memory of 3980	4244	{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe	113
PID 3920 wrote to memory of 2012	3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe	114
PID 3920 wrote to memory of 2012	3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe	114
PID 3920 wrote to memory of 2012	3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe	114
PID 3920 wrote to memory of 2824	3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe	115
PID 3920 wrote to memory of 2824	3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe	115
PID 3920 wrote to memory of 2824	3920	{7D79478B-E494-4e43-9756-2DAE77524298}.exe	115
PID 2012 wrote to memory of 3976	2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe	116
PID 2012 wrote to memory of 3976	2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe	116
PID 2012 wrote to memory of 3976	2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe	116
PID 2012 wrote to memory of 824	2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe	117
PID 2012 wrote to memory of 824	2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe	117
PID 2012 wrote to memory of 824	2012	{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe	117
PID 3976 wrote to memory of 1088	3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe	125
PID 3976 wrote to memory of 1088	3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe	125
PID 3976 wrote to memory of 1088	3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe	125
PID 3976 wrote to memory of 4496	3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe	126
PID 3976 wrote to memory of 4496	3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe	126
PID 3976 wrote to memory of 4496	3976	{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe	126
PID 1088 wrote to memory of 4000	1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe	127
PID 1088 wrote to memory of 4000	1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe	127
PID 1088 wrote to memory of 4000	1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe	127
PID 1088 wrote to memory of 4436	1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe	128
PID 1088 wrote to memory of 4436	1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe	128
PID 1088 wrote to memory of 4436	1088	{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe	128
PID 4000 wrote to memory of 4364	4000	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe	129
PID 4000 wrote to memory of 4364	4000	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe	129
PID 4000 wrote to memory of 4364	4000	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe	129
PID 4000 wrote to memory of 2388	4000	{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\{807222A7-1231-439b-B5CE-0E4B4654A644}.exe
  C:\Windows\{807222A7-1231-439b-B5CE-0E4B4654A644}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\{809B517B-70A5-45dd-9A87-2229AE946D98}.exe
    C:\Windows\{809B517B-70A5-45dd-9A87-2229AE946D98}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe
      C:\Windows\{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe
        
        C:\Windows\{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe
        
        C:\Windows\{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\{7D79478B-E494-4e43-9756-2DAE77524298}.exe
        
        C:\Windows\{7D79478B-E494-4e43-9756-2DAE77524298}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe
        
        C:\Windows\{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe
        
        C:\Windows\{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe
        
        C:\Windows\{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe
        
        C:\Windows\{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{A133263B-2264-46d3-80F0-5FC866A98E08}.exe
        
        C:\Windows\{A133263B-2264-46d3-80F0-5FC866A98E08}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\{52E7D6FC-EB98-429d-993D-5FB782BA3B64}.exe
        
        C:\Windows\{52E7D6FC-EB98-429d-993D-5FB782BA3B64}.exe
        13⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1332~1.EXE > nul
        13⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC6F0~1.EXE > nul
        12⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{508C2~1.EXE > nul
        11⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B08C~1.EXE > nul
        10⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB74~1.EXE > nul
        9⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D794~1.EXE > nul
        8⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D09C~1.EXE > nul
        7⤵
        
        PID:3980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C176~1.EXE > nul
        6⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37506~1.EXE > nul
        5⤵
        
        PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{809B5~1.EXE > nul
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80722~1.EXE > nul
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D09CA91-7F15-4678-A3B3-314FF4A64E5C}.exe

Filesize
192KB

MD5
c58d6c494cad3909a0e0ae20814ee188

SHA1
fcd42ac2f3408d1b7a8a03472f24e21102b02224

SHA256
2bfd2ab1b892f720fb75db4cdaaff1403270f51b212bf88f845bc113a44a193f

SHA512
8c1e1b7f1d810c64b847768f314dc31c7751b33648b11b6a770ab9153c35235bb4f157b1c7ddd5bde08bf8b325795a72925eab5b6429967c8821a47e56d76fb1

Download Submit
C:\Windows\{2C176B24-9178-4ac8-B1EB-5B190C9FBE0E}.exe

Filesize
192KB

MD5
6611b581b234ec054268a7df99faf809

SHA1
e8800326a92951744705ccd4b04bdead20a46567

SHA256
36ac7b213510a0323efb62b413bca84c3e07a59b0011b325f984f17a98169bae

SHA512
43044079b6969815124f48d8a2fa62f33246b312ab6814773c1582deee093a8148094b114288f1e9fd1eea8f0a342be6393db4d193602b16004cfebca62b5087

Download Submit
C:\Windows\{37506D3E-DB0B-4a4c-9CED-FEB8496AAF12}.exe

Filesize
192KB

MD5
fbd7a7f9356834b34cc7f3dc29d9183e

SHA1
37907d43153f360a0815debbdf24c0d644e8eb17

SHA256
aeca062db53d82af1266dec1a91deb96dd2531b5afaf0798bf432cf069b8121f

SHA512
f6b3ea9c550d36ec8ace7e3bbe522c2ee543032c2fba7951da5b398207cd0406a26ad866b79e2a4546930e109330b4ac6542a4190486755571438a0297e8ac4b

Download Submit
C:\Windows\{508C28B7-6A7B-404e-A6E2-716AE8173629}.exe

Filesize
192KB

MD5
dcd68543b9db2524eba0ae112424357d

SHA1
ccb35bac9351b0a4765a8f2a768b4b33d6f364bb

SHA256
5020fcc81038be91a1267bca99dda0995ccef6615a033caeb12d9ad4e5e7d93d

SHA512
4ba94651c7da60b0bc1b375b30c823c01d89e841c6ac8ab9b815afefe57904cdec9f9cda817185cb5d178456c78d7a728bc6cbf6c8232d50f9ab4a7e3585c39c

Download Submit
C:\Windows\{52E7D6FC-EB98-429d-993D-5FB782BA3B64}.exe

Filesize
192KB

MD5
c101bbc4316669a86c7e8c5d89f5e4ae

SHA1
bf436d88d86da76aff6db49b3a74f5aee06ef7bc

SHA256
b747cff612341aa183a4df513afab00064561a99ede8f7f71a10f5e2f68d46bd

SHA512
c1464d5e96705126d8a3d8fed1daec10e8016711a6774f416744631a807911ec4149beb99a54fdcb6b8f1fbe165ab4330f120fad2837e63bb5121b708fe4b373

Download Submit
C:\Windows\{6B08C5ED-D438-460d-90F4-348FFAF97EF1}.exe

Filesize
192KB

MD5
91410ad5b28aaa2e4b656d04db216c19

SHA1
69ec8d0d21fb39a439a36787cbd5624321881aae

SHA256
e410f3958b4683a9b464efb59c24ac28afcb14b48cd5c6daaa39827555e9e54f

SHA512
9d0f34b1c2c1e67ae75bd228ec9b1d753aa023ac5a91717951190fd447cbab63c1fc222eaaceefb4ab13f516952c5d799cb3b0aa2b4d6d3d9b89d31ffa2f29f6

Download Submit
C:\Windows\{7D79478B-E494-4e43-9756-2DAE77524298}.exe

Filesize
192KB

MD5
9bb104eb334939b341e3be0b996af07f

SHA1
3da8d6757a2d8f181a288cf171510cd6f824a3d7

SHA256
bc09cab8d3faa670eedbf95ae194db35e356b8cbcf893629cbdb7c3a163bbfd1

SHA512
ee97420f8d270c38846b2e572a9431991a465a5f593f2eb951ef3d62b7c4d5a2830fcd122eb0c57f8e4fe0501b89bd1c115b0771dc3d2db5d9ba39a9280066e8

Download Submit
C:\Windows\{807222A7-1231-439b-B5CE-0E4B4654A644}.exe

Filesize
192KB

MD5
ff47c4ace1bf9cbeba4b99cafe4977b9

SHA1
e81f6ae36f640a94b108afb2bf8e6c43d0e30559

SHA256
587f58763d42c6b948f4d0955c069b5a09b59be59bc01a314cd96696c7e2cb45

SHA512
7f7c1c39b15d424acb4c2d40cec176c29354d2f6046e5a1d7fdffa1993593398dbba3ae7ca6d40cd2471c81e0c31b765c08b680b6d9a19ce5e6628851c89b61c

Download Submit
C:\Windows\{809B517B-70A5-45dd-9A87-2229AE946D98}.exe

Filesize
192KB

MD5
edaa5cd71a3b29d46cf2b51bfee031b5

SHA1
c9ea9dfc3a38e5d6dbe4a85bd664b9e8e6a81591

SHA256
660e9d4d7f09071135ec81d6b1dfa563a413483bc68bbb93933e8e1d5942eace

SHA512
d4bd31215762f4da32fd3ce45a95343f72f9034f5dcbb94f298db8ea7a0be0bb4343b1f22688d39bceade28d994d868bc14776374de2a07c5bfc292ab92a8cc9

Download Submit
C:\Windows\{A133263B-2264-46d3-80F0-5FC866A98E08}.exe

Filesize
192KB

MD5
a8043190f0ba27b0556352d2a5169c57

SHA1
631fb00d4f4f53547e2c6b5dd3f496b0d176cdf9

SHA256
194d47cf0a52c297500fb0d91696b7533afe507c24cd742fdbdaaa4698aa7506

SHA512
b82a5d1709d6e392d5e9f7ef87938f8e9716535ed718e15149cbe42ea0a4bf2e6bef4f4b7dd1763f80eb85dc7a8af9ea1259f0edbe9b9470fde13a9bf8796ae9

Download Submit
C:\Windows\{AFB744CB-25EF-44ce-A186-685FAE371D52}.exe

Filesize
192KB

MD5
243c7dcd7d8c19ace15686032eaed21a

SHA1
94dc65bea1a7cb835d74ffec378b2022e862ed73

SHA256
fcb06f18376af037283658b56c05e54007bd940b5ddd70b054ca24530581e60e

SHA512
ee8163707de58b200378122e081728bf5aa99c9ebb91256fc4720c5f8f4b2e22c746164983ba17a9d690585884c0fda6fdff697fe939df39e872249be133165d

Download Submit
C:\Windows\{DC6F04E4-B4DB-413b-B4DE-9086B0A70CAF}.exe

Filesize
192KB

MD5
066e17c89331535e82a3f58c8c1d6e49

SHA1
67e8efb60f9fc1bb81ecbf120d0b4c20f9b407cc

SHA256
8f70a317451dcbbceb4a72ccffe22a11ebdf9c00ffea849845c654afa616888a

SHA512
c2f510738528e9f332e6ddcfd377c2e0d82c683a8c3a1ac709776887d53126b5105c5f461518dd90b388a7fcfda2986593653e5e6c3a7e66f348e66873749499

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads