Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 07:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
Size: 197KB
MD5: 2faa224e3327af62f250a59a467a91cb
SHA1: d2458ccbe522ccb358310c13485b6c22320017da
SHA256: bb6845faa17cb36a5403418e9d33ff8d9a9f9aaeef15633a58181b5aa9d44ca0
SHA512: abcfc2945f230ac342e42397c1808eea8de931932a421d5e4326449068157efd59ca72186afe769d7d249af14643e6635bced65038e174e1cfd2d73915fdb884
SSDEEP: 3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGQlEeKcAEca
Malware Config

Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x00080000000231fc-1.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320e-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023101-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023314-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023101-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023373-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023374-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023373-29.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e36d-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023100-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e36d-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233af-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}\stubpath = "C:\\Windows\\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe" | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}\stubpath = "C:\\Windows\\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe" | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8} | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}\stubpath = "C:\\Windows\\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe" | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}\stubpath = "C:\\Windows\\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe" | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5640C511-AB55-4267-8BCB-D14723AB4A46}\stubpath = "C:\\Windows\\{5640C511-AB55-4267-8BCB-D14723AB4A46}.exe" | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A} | {CABCC722-865B-4b76-8909-708BECDF697D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E73D38-33CD-4f35-9007-EF02046A0B9E} | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE440C22-78EB-4086-8F28-3FA97E062610}\stubpath = "C:\\Windows\\{BE440C22-78EB-4086-8F28-3FA97E062610}.exe" | {7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}\stubpath = "C:\\Windows\\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe" | {CABCC722-865B-4b76-8909-708BECDF697D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8548683-CBFE-4718-A9E1-AE009955E9FB} | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}\stubpath = "C:\\Windows\\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe" | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE9BE3FE-1041-455b-90F0-8BD68367050C}\stubpath = "C:\\Windows\\{FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe" | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE9BE3FE-1041-455b-90F0-8BD68367050C} | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5640C511-AB55-4267-8BCB-D14723AB4A46} | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABCC722-865B-4b76-8909-708BECDF697D}\stubpath = "C:\\Windows\\{CABCC722-865B-4b76-8909-708BECDF697D}.exe" | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BDF18BD-62DC-4f23-A795-1AEC821FB279} | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE440C22-78EB-4086-8F28-3FA97E062610} | {7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4} | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABCC722-865B-4b76-8909-708BECDF697D} | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8548683-CBFE-4718-A9E1-AE009955E9FB}\stubpath = "C:\\Windows\\{F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe" | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D8D699-04CC-46a7-820C-EA57C7AA71F0} | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}\stubpath = "C:\\Windows\\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe" | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8} | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe
4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
2704 | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
4300 | {7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
724 | {BE440C22-78EB-4086-8F28-3FA97E062610}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
File created | C:\Windows\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
File created | C:\Windows\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
File created | C:\Windows\{CABCC722-865B-4b76-8909-708BECDF697D}.exe | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
File created | C:\Windows\{F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
File created | C:\Windows\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe | {CABCC722-865B-4b76-8909-708BECDF697D}.exe
File created | C:\Windows\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
File created | C:\Windows\{BE440C22-78EB-4086-8F28-3FA97E062610}.exe | {7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
File created | C:\Windows\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
File created | C:\Windows\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
File created | C:\Windows\{FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
File created | C:\Windows\{5640C511-AB55-4267-8BCB-D14723AB4A46}.exe | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4008 | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
Token: SeIncBasePriorityPrivilege | 2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
Token: SeIncBasePriorityPrivilege | 1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
Token: SeIncBasePriorityPrivilege | 1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
Token: SeIncBasePriorityPrivilege | 5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
Token: SeIncBasePriorityPrivilege | 3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
Token: SeIncBasePriorityPrivilege | 4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe
Token: SeIncBasePriorityPrivilege | 4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
Token: SeIncBasePriorityPrivilege | 4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
Token: SeIncBasePriorityPrivilege | 2704 | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
Token: SeIncBasePriorityPrivilege | 4300 | {7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4008 wrote to memory of 3536 | 4008 | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe | 99
PID 4008 wrote to memory of 3536 | 4008 | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe | 99
PID 4008 wrote to memory of 3536 | 4008 | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe | 99
PID 4008 wrote to memory of 1180 | 4008 | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe | 100
PID 4008 wrote to memory of 1180 | 4008 | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe | 100
PID 4008 wrote to memory of 1180 | 4008 | 2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe | 100
PID 3536 wrote to memory of 2152 | 3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe | 102
PID 3536 wrote to memory of 2152 | 3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe | 102
PID 3536 wrote to memory of 2152 | 3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe | 102
PID 3536 wrote to memory of 692 | 3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe | 103
PID 3536 wrote to memory of 692 | 3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe | 103
PID 3536 wrote to memory of 692 | 3536 | {E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe | 103
PID 2152 wrote to memory of 1052 | 2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe | 106
PID 2152 wrote to memory of 1052 | 2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe | 106
PID 2152 wrote to memory of 1052 | 2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe | 106
PID 2152 wrote to memory of 3436 | 2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe | 107
PID 2152 wrote to memory of 3436 | 2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe | 107
PID 2152 wrote to memory of 3436 | 2152 | {B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe | 107
PID 1052 wrote to memory of 1816 | 1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe | 108
PID 1052 wrote to memory of 1816 | 1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe | 108
PID 1052 wrote to memory of 1816 | 1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe | 108
PID 1052 wrote to memory of 1324 | 1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe | 109
PID 1052 wrote to memory of 1324 | 1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe | 109
PID 1052 wrote to memory of 1324 | 1052 | {C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe | 109
PID 1816 wrote to memory of 5048 | 1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe | 110
PID 1816 wrote to memory of 5048 | 1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe | 110
PID 1816 wrote to memory of 5048 | 1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe | 110
PID 1816 wrote to memory of 4456 | 1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe | 111
PID 1816 wrote to memory of 4456 | 1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe | 111
PID 1816 wrote to memory of 4456 | 1816 | {56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe | 111
PID 5048 wrote to memory of 3980 | 5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe | 113
PID 5048 wrote to memory of 3980 | 5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe | 113
PID 5048 wrote to memory of 3980 | 5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe | 113
PID 5048 wrote to memory of 2844 | 5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe | 114
PID 5048 wrote to memory of 2844 | 5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe | 114
PID 5048 wrote to memory of 2844 | 5048 | {FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe | 114
PID 3980 wrote to memory of 4236 | 3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe | 115
PID 3980 wrote to memory of 4236 | 3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe | 115
PID 3980 wrote to memory of 4236 | 3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe | 115
PID 3980 wrote to memory of 3320 | 3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe | 116
PID 3980 wrote to memory of 3320 | 3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe | 116
PID 3980 wrote to memory of 3320 | 3980 | {5640C511-AB55-4267-8BCB-D14723AB4A46}.exe | 116
PID 4236 wrote to memory of 4240 | 4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe | 117
PID 4236 wrote to memory of 4240 | 4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe | 117
PID 4236 wrote to memory of 4240 | 4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe | 117
PID 4236 wrote to memory of 2872 | 4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe | 118
PID 4236 wrote to memory of 2872 | 4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe | 118
PID 4236 wrote to memory of 2872 | 4236 | {CABCC722-865B-4b76-8909-708BECDF697D}.exe | 118
PID 4240 wrote to memory of 4372 | 4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe | 126
PID 4240 wrote to memory of 4372 | 4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe | 126
PID 4240 wrote to memory of 4372 | 4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe | 126
PID 4240 wrote to memory of 4092 | 4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe | 127
PID 4240 wrote to memory of 4092 | 4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe | 127
PID 4240 wrote to memory of 4092 | 4240 | {6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe | 127
PID 4372 wrote to memory of 2704 | 4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe | 128
PID 4372 wrote to memory of 2704 | 4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe | 128
PID 4372 wrote to memory of 2704 | 4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe | 128
PID 4372 wrote to memory of 4264 | 4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe | 129
PID 4372 wrote to memory of 4264 | 4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe | 129
PID 4372 wrote to memory of 4264 | 4372 | {F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe | 129
PID 2704 wrote to memory of 4300 | 2704 | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe | 130
PID 2704 wrote to memory of 4300 | 2704 | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe | 130
PID 2704 wrote to memory of 4300 | 2704 | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe | 130
PID 2704 wrote to memory of 2628 | 2704 | {94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe | 131
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe (PID 4008)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe (PID 3536)
      cmdline: C:\Windows\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe (PID 2152)
        cmdline: C:\Windows\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe (PID 1052)
          cmdline: C:\Windows\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe (PID 1816)
            cmdline: C:\Windows\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe (PID 5048)
              cmdline: C:\Windows\{FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{5640C511-AB55-4267-8BCB-D14723AB4A46}.exe (PID 3980)
                cmdline: C:\Windows\{5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{CABCC722-865B-4b76-8909-708BECDF697D}.exe (PID 4236)
                  cmdline: C:\Windows\{CABCC722-865B-4b76-8909-708BECDF697D}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe (PID 4240)
                    cmdline: C:\Windows\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe (PID 4372)
                      cmdline: C:\Windows\{F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe (PID 2704)
                        cmdline: C:\Windows\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe (PID 4300)
                          cmdline: C:\Windows\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{BE440C22-78EB-4086-8F28-3FA97E062610}.exe (PID 724)
                            cmdline: C:\Windows\{BE440C22-78EB-4086-8F28-3FA97E062610}.exe
                            - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe (PID 2584)
                            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDF1~1.EXE > nul
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 2628)
                          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{94D8D~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 4264)
                        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F8548~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 4092)
                      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{6BBAC~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 2872)
                    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{CABCC~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 3320)
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{5640C~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2844)
                cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE9BE~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 4456)
              cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{56BAD~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1324)
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C224C~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3436)
          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A94~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 692)
        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E73~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1180)
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads