0f2f6e51b59cd244b8816f29ff23bf19b58f5874772090f0ffc9cb73630be3c0

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe
Size

197KB
MD5

a63a8bfec9d49ff9481cad240bf487f9
SHA1

15c2b663f73446ace4af88f5280592f382dcd99f
SHA256

0f2f6e51b59cd244b8816f29ff23bf19b58f5874772090f0ffc9cb73630be3c0
SHA512

fc45895a38eeb732d6c8d9ee4a8dc801ecd3edc0cdc3afea7be0e7d0d762a2cfb566db3b0a71842f7e884de415fc07bd919d37207ad44dd7a36a929a17d04756
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGLlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023243-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023254-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023266-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000006c1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023136-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233de-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e56c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e56e-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002287a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234f8-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234f9-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234f8-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E302EFA7-8B19-489b-A10A-92DB026B6519}	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868B7877-1881-42e5-BB63-F5A9167D1D83}\stubpath = "C:\\Windows\\{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe"	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}\stubpath = "C:\\Windows\\{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe"	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}\stubpath = "C:\\Windows\\{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe"	{73421DAC-D213-47d6-AF75-083964973270}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}\stubpath = "C:\\Windows\\{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe"	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73421DAC-D213-47d6-AF75-083964973270}\stubpath = "C:\\Windows\\{73421DAC-D213-47d6-AF75-083964973270}.exe"	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34FB122-393E-4803-9130-3A954AC7B65F}\stubpath = "C:\\Windows\\{F34FB122-393E-4803-9130-3A954AC7B65F}.exe"	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}\stubpath = "C:\\Windows\\{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe"	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F84FE596-E6D7-40c4-B9DD-339544252328}\stubpath = "C:\\Windows\\{F84FE596-E6D7-40c4-B9DD-339544252328}.exe"	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868B7877-1881-42e5-BB63-F5A9167D1D83}	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03016CAA-9675-47f4-AF63-F005B66AC58F}\stubpath = "C:\\Windows\\{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe"	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73421DAC-D213-47d6-AF75-083964973270}	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}\stubpath = "C:\\Windows\\{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}.exe"	{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}	{73421DAC-D213-47d6-AF75-083964973270}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34FB122-393E-4803-9130-3A954AC7B65F}	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}	{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}\stubpath = "C:\\Windows\\{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe"	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E302EFA7-8B19-489b-A10A-92DB026B6519}\stubpath = "C:\\Windows\\{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe"	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F84FE596-E6D7-40c4-B9DD-339544252328}	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03016CAA-9675-47f4-AF63-F005B66AC58F}	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe

Executes dropped EXE 12 IoCs

pid	Process
2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe
1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe
3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe
4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe
3044	{73421DAC-D213-47d6-AF75-083964973270}.exe
4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe
4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe
2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe
2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe
1524	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe
4656	{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe
4532	{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe	{73421DAC-D213-47d6-AF75-083964973270}.exe
File created	C:\Windows\{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe
File created	C:\Windows\{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}.exe	{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe
File created	C:\Windows\{F84FE596-E6D7-40c4-B9DD-339544252328}.exe	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe
File created	C:\Windows\{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe
File created	C:\Windows\{73421DAC-D213-47d6-AF75-083964973270}.exe	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe
File created	C:\Windows\{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe
File created	C:\Windows\{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe
File created	C:\Windows\{F34FB122-393E-4803-9130-3A954AC7B65F}.exe	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe
File created	C:\Windows\{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe
File created	C:\Windows\{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe
File created	C:\Windows\{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4492	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe
Token: SeIncBasePriorityPrivilege	1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe
Token: SeIncBasePriorityPrivilege	3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe
Token: SeIncBasePriorityPrivilege	4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe
Token: SeIncBasePriorityPrivilege	3044	{73421DAC-D213-47d6-AF75-083964973270}.exe
Token: SeIncBasePriorityPrivilege	4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe
Token: SeIncBasePriorityPrivilege	4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe
Token: SeIncBasePriorityPrivilege	2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe
Token: SeIncBasePriorityPrivilege	2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe
Token: SeIncBasePriorityPrivilege	1524	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe
Token: SeIncBasePriorityPrivilege	4656	{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2780	4492	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe	97
PID 4492 wrote to memory of 2780	4492	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe	97
PID 4492 wrote to memory of 2780	4492	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe	97
PID 4492 wrote to memory of 2280	4492	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe	98
PID 4492 wrote to memory of 2280	4492	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe	98
PID 4492 wrote to memory of 2280	4492	2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe	98
PID 2780 wrote to memory of 1632	2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe	100
PID 2780 wrote to memory of 1632	2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe	100
PID 2780 wrote to memory of 1632	2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe	100
PID 2780 wrote to memory of 2856	2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe	101
PID 2780 wrote to memory of 2856	2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe	101
PID 2780 wrote to memory of 2856	2780	{F84FE596-E6D7-40c4-B9DD-339544252328}.exe	101
PID 1632 wrote to memory of 3500	1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe	106
PID 1632 wrote to memory of 3500	1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe	106
PID 1632 wrote to memory of 3500	1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe	106
PID 1632 wrote to memory of 3868	1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe	107
PID 1632 wrote to memory of 3868	1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe	107
PID 1632 wrote to memory of 3868	1632	{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe	107
PID 3500 wrote to memory of 4528	3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe	114
PID 3500 wrote to memory of 4528	3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe	114
PID 3500 wrote to memory of 4528	3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe	114
PID 3500 wrote to memory of 3744	3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe	115
PID 3500 wrote to memory of 3744	3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe	115
PID 3500 wrote to memory of 3744	3500	{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe	115
PID 4528 wrote to memory of 3044	4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe	116
PID 4528 wrote to memory of 3044	4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe	116
PID 4528 wrote to memory of 3044	4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe	116
PID 4528 wrote to memory of 488	4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe	117
PID 4528 wrote to memory of 488	4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe	117
PID 4528 wrote to memory of 488	4528	{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe	117
PID 3044 wrote to memory of 4684	3044	{73421DAC-D213-47d6-AF75-083964973270}.exe	118
PID 3044 wrote to memory of 4684	3044	{73421DAC-D213-47d6-AF75-083964973270}.exe	118
PID 3044 wrote to memory of 4684	3044	{73421DAC-D213-47d6-AF75-083964973270}.exe	118
PID 3044 wrote to memory of 3936	3044	{73421DAC-D213-47d6-AF75-083964973270}.exe	119
PID 3044 wrote to memory of 3936	3044	{73421DAC-D213-47d6-AF75-083964973270}.exe	119
PID 3044 wrote to memory of 3936	3044	{73421DAC-D213-47d6-AF75-083964973270}.exe	119
PID 4684 wrote to memory of 4912	4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe	121
PID 4684 wrote to memory of 4912	4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe	121
PID 4684 wrote to memory of 4912	4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe	121
PID 4684 wrote to memory of 4436	4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe	122
PID 4684 wrote to memory of 4436	4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe	122
PID 4684 wrote to memory of 4436	4684	{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe	122
PID 4912 wrote to memory of 2212	4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe	123
PID 4912 wrote to memory of 2212	4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe	123
PID 4912 wrote to memory of 2212	4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe	123
PID 4912 wrote to memory of 4068	4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe	124
PID 4912 wrote to memory of 4068	4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe	124
PID 4912 wrote to memory of 4068	4912	{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe	124
PID 2212 wrote to memory of 2796	2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe	125
PID 2212 wrote to memory of 2796	2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe	125
PID 2212 wrote to memory of 2796	2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe	125
PID 2212 wrote to memory of 4600	2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe	126
PID 2212 wrote to memory of 4600	2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe	126
PID 2212 wrote to memory of 4600	2212	{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe	126
PID 2796 wrote to memory of 1524	2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe	127
PID 2796 wrote to memory of 1524	2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe	127
PID 2796 wrote to memory of 1524	2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe	127
PID 2796 wrote to memory of 1400	2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe	128
PID 2796 wrote to memory of 1400	2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe	128
PID 2796 wrote to memory of 1400	2796	{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe	128
PID 1524 wrote to memory of 4656	1524	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe	129
PID 1524 wrote to memory of 4656	1524	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe	129
PID 1524 wrote to memory of 4656	1524	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe	129
PID 1524 wrote to memory of 3496	1524	{F34FB122-393E-4803-9130-3A954AC7B65F}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_a63a8bfec9d49ff9481cad240bf487f9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\{F84FE596-E6D7-40c4-B9DD-339544252328}.exe
  C:\Windows\{F84FE596-E6D7-40c4-B9DD-339544252328}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe
    C:\Windows\{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe
      C:\Windows\{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe
        
        C:\Windows\{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\{73421DAC-D213-47d6-AF75-083964973270}.exe
        
        C:\Windows\{73421DAC-D213-47d6-AF75-083964973270}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe
        
        C:\Windows\{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe
        
        C:\Windows\{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe
        
        C:\Windows\{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe
        
        C:\Windows\{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{F34FB122-393E-4803-9130-3A954AC7B65F}.exe
        
        C:\Windows\{F34FB122-393E-4803-9130-3A954AC7B65F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe
        
        C:\Windows\{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}.exe
        
        C:\Windows\{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}.exe
        13⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0102~1.EXE > nul
        13⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F34FB~1.EXE > nul
        12⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E302E~1.EXE > nul
        11⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96B7E~1.EXE > nul
        10⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B53~1.EXE > nul
        9⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CDB~1.EXE > nul
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73421~1.EXE > nul
        7⤵
        
        PID:3936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03016~1.EXE > nul
        6⤵
        
        PID:488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9C65~1.EXE > nul
        5⤵
        
        PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{868B7~1.EXE > nul
      4⤵
      PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F84FE~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03016CAA-9675-47f4-AF63-F005B66AC58F}.exe

Filesize
197KB

MD5
3615a0a6f91e8c6d5037f7bfd737bb01

SHA1
8c77c6e175c7f723f13ea266d2561dc43eaf7bec

SHA256
dd17e646d419535d1955966f1213a09fe2d46f9f95c9c5beffc96beb473217c3

SHA512
e2f87d3d1b74fb157b83ef137cd9c687fc197521b1e168fa11bb554abb1c59b95f9e204d72e74b86ae1f8b3473daef0fe80d18023ebd9c7b6280bb2e16a52257

Download Submit
C:\Windows\{46F3B33A-34B4-43a0-A9F2-9E079FAA3D82}.exe

Filesize
197KB

MD5
666872d00066b435a507b7386fae5934

SHA1
8a1d8984032309060a12a3fe50ebc1a45b7545ca

SHA256
586574438f89ce93032c2f2872301e59cd4b5ff6c0c683a262dafb5ca69530ce

SHA512
b0c05d7060c103674905485fd6d188bd8e391c929ee9efb241f77e138f3c2b5412050de825aaf1e1157fd17fe1cb8804bc94a446828ef9171b9b70a34933b02b

Download Submit
C:\Windows\{73421DAC-D213-47d6-AF75-083964973270}.exe

Filesize
197KB

MD5
55a5ba5bf63a8202311ff23cc91b1462

SHA1
f8431c616b08d8371e3d12cf2f2abcdc7e23553e

SHA256
cccd54402b64c3438d4374cf6294a842337a1f7a68b3e490881f09efa979dcf4

SHA512
6d6209c67a95995bffd893213372bed322ba69255cf33ca469f567bcccba48fe8d83896a18d2cf5e0414f0ec4239cbcf2a32e5b59d5d69dac904a393f6679738

Download Submit
C:\Windows\{868B7877-1881-42e5-BB63-F5A9167D1D83}.exe

Filesize
197KB

MD5
eb1da2bb0ab54b163351e9304ba1f19c

SHA1
3c9f3c6ad9abdb7a63c8447dfc92841f59ed8c24

SHA256
7ef789ed8def2fdc432740d5e43733dacf7114ea94e4e2462c6f969ef02d6389

SHA512
229ad878c144216abf73c39d16fb6339a305164e8a066b36b3a6c5d564d4cb8ae954ed4e6a776e70d480c1338aaa177d7e8c346d63e1daaf8f07f373ac7f625c

Download Submit
C:\Windows\{94B53B79-CACF-49e4-82D2-7DDF5B8F0141}.exe

Filesize
197KB

MD5
d94ceaa5248b92e285ed72bd040a1b9a

SHA1
04b735d8f5bae53102539c0b3248bece300a191d

SHA256
ccef4cf2b2472c5c379ebeb8380c2650dcd0269491513a7cdc196c606374bfcc

SHA512
3b7a9e15838fcfb275117caf55cc3a56e16461b6a07289723483dd3be1cedda1db5c2833ee6b22efca46fe687c71b09bdb34e0e18fb70014a0b1c302e9db2564

Download Submit
C:\Windows\{96B7E53E-9C64-4fdc-8086-CBE3D9DA194D}.exe

Filesize
197KB

MD5
393e3aed47c8546eeb3cafec69bebcf0

SHA1
98acb34bdb80b996189afa822091e661dc2a9b27

SHA256
379337b83484e6a6aa0876f013df9c5e81a7582ef0b2482b4712ed61b1bbd581

SHA512
767d1f33a0f9f4f0db5a802d7d465a1617edd559a7e6acf5932cd7cb89c097d8dee42ae0ea13194a12df8c797b2c2248a2b99b094da49b9866c9a6aad3679cc3

Download Submit
C:\Windows\{A0102FAF-5CC2-4135-A702-6ABDF314E6C5}.exe

Filesize
128KB

MD5
659bbfc59f46d0b8db1d74f17259a623

SHA1
bfe456a49596f59e317609f288da4fcb82c4f53f

SHA256
e9f11b316663e515ed31e4a3126b08893feaa29c9dd8f02c6c4b72cd42a44d7c

SHA512
95d55e5af6538bd92ceb4fce90a86817bdae034e04af81d6070efb92d43c5caef05de661eb0e9bf9f7910f84414e771830c22fad7c3b93fb39155ead2cb96772

Download Submit
C:\Windows\{C3CDB369-D4E8-4868-8674-0B6B3D4632BB}.exe

Filesize
197KB

MD5
2f0c4328cfc9a43bfbcc7a9718e0fe68

SHA1
a0807717a7e74ac6469c0eaaa863d29da1f63093

SHA256
0a581c58f8014ab3040cfc561601e66f960b8ee186b509feb815be00919d0371

SHA512
68f556fd9898d6e23bd4683ba4027bfac9bed625ed61fbd83642ee4581a997bb3a6e970cff61dac48f1b45e95fce67ddd01178b7d5aba03954a5d6a0a0415c45

Download Submit
C:\Windows\{E302EFA7-8B19-489b-A10A-92DB026B6519}.exe

Filesize
197KB

MD5
4ba84b65c9ec0972a1b951db601a83c1

SHA1
3f0b199be62bceccb6dfa0f2c9146622d2dd3e1d

SHA256
3dc603ed62ba24a9e549e4640ce26ebcaebc4726b86ddf299066dbd0ed02c702

SHA512
d61f8ad01c7f93239ff6be212336bbc49562d0458b5f6a0d0bd66c5801842619c9aa55ab7493b22014bd4d272fbc71576ed7f9ba81badbaa84481b67d5560e72

Download Submit
C:\Windows\{F34FB122-393E-4803-9130-3A954AC7B65F}.exe

Filesize
197KB

MD5
431f8cfbb16f03759b1cc430c81638e2

SHA1
5041ce911f1ff61e6eec977ab81c1c0e9de7a60d

SHA256
110048b342d890c4cae10ed940af8c11f3ebb99dcfcfa2f7342e60817464f228

SHA512
5ac936ff785d43a9bff1d9ccc100186750592067e95fc1afa80958318688133f14283811e1eb5f894c88583322d8feab9daad455e6901a90fcc7db33727758ed

Download Submit
C:\Windows\{F84FE596-E6D7-40c4-B9DD-339544252328}.exe

Filesize
197KB

MD5
6a1071949b606d6cbd14b9de0c601f11

SHA1
06d81827d14e8521a78cedaabad3e3cd6d0ceee6

SHA256
7e4d5c2ca3abf91f8d6556d5fcca6b0bb925a3d849ea6bef316219936e3e1126

SHA512
b9bfbb5073a53351aab8c28db82a2d4f0d3670a8f2c443e9e32a768ba2260ffe8a84a89a9b3cf1dd3b622216e05c99835e792b61dd08249d0bbdf2375f910c2d

Download Submit
C:\Windows\{F9C65131-C6D3-492d-A908-E85C6FFBCE1E}.exe

Filesize
197KB

MD5
6c289a932c13bca83948eea86b2b96d9

SHA1
4b0511ae0fe9bcd4d0d160ed1315a18e59da8903

SHA256
72ea14a4c8c5723a4f65624e4c89ee32faaba35604869b9c17ebc48b18084d56

SHA512
755c0e5197cae7e7a9ccf6070fd332fbbfa86624efc9d1b85c873ef8c9870c37e19618287cb9ef158b94aba72954fe73315d410ccbb7d69b32fb8fa8083e133b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads