c612231a378e24264d18db0e4a68f3efe8b615fbe4daad73b63b5d5b01b94fb2

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe
Size

168KB
MD5

4dba82785e0dd624a54aefff80d5f727
SHA1

d01cc83362eb22e85ed1f4260355ac26604d0175
SHA256

c612231a378e24264d18db0e4a68f3efe8b615fbe4daad73b63b5d5b01b94fb2
SHA512

dc6bd9ad68ef855e3ac6ee9ee2ae88a183c4ca715d6e9c45e54ee27ba2b75fc620f11f20b033b2de0baba03b5ce1776b8ab7036813e71b00550dca188e5c7bba
SSDEEP

1536:1EGh0oSlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oSlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023204-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023321-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e743-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000216c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002338d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000216c9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b6-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234a5-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234aa-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002311a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023120-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EBC06DE-227C-46c3-8C6C-70F285234BDD}	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}\stubpath = "C:\\Windows\\{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe"	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB082315-8198-4371-B540-83E07D4077DB}	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}\stubpath = "C:\\Windows\\{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe"	{DB082315-8198-4371-B540-83E07D4077DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022ADB33-7FA6-485a-A81D-EA0417551250}	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679822CD-21A3-4fe8-A104-223802B3DE7B}	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6671BF6C-9F4F-4b87-A437-4D948BFC4971}\stubpath = "C:\\Windows\\{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe"	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EBC06DE-227C-46c3-8C6C-70F285234BDD}\stubpath = "C:\\Windows\\{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe"	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB082315-8198-4371-B540-83E07D4077DB}\stubpath = "C:\\Windows\\{DB082315-8198-4371-B540-83E07D4077DB}.exe"	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}	{DB082315-8198-4371-B540-83E07D4077DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}\stubpath = "C:\\Windows\\{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe"	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8C74177-1689-4c93-B45C-6D3533D2A805}	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A181157-BBA4-42ae-B1A8-8C9859488751}	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A181157-BBA4-42ae-B1A8-8C9859488751}\stubpath = "C:\\Windows\\{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe"	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6671BF6C-9F4F-4b87-A437-4D948BFC4971}	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8C74177-1689-4c93-B45C-6D3533D2A805}\stubpath = "C:\\Windows\\{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe"	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528A3E1F-1E63-4575-BC61-9C196B2B5381}	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528A3E1F-1E63-4575-BC61-9C196B2B5381}\stubpath = "C:\\Windows\\{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe"	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022ADB33-7FA6-485a-A81D-EA0417551250}\stubpath = "C:\\Windows\\{022ADB33-7FA6-485a-A81D-EA0417551250}.exe"	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679822CD-21A3-4fe8-A104-223802B3DE7B}\stubpath = "C:\\Windows\\{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe"	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B67F2F8A-6756-42b0-AE2F-067154728064}	{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B67F2F8A-6756-42b0-AE2F-067154728064}\stubpath = "C:\\Windows\\{B67F2F8A-6756-42b0-AE2F-067154728064}.exe"	{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe

Executes dropped EXE 12 IoCs

pid	Process
3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe
3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe
4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe
4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe
3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe
3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe
4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe
1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe
2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe
1644	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe
4996	{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe
1724	{B67F2F8A-6756-42b0-AE2F-067154728064}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{022ADB33-7FA6-485a-A81D-EA0417551250}.exe	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe
File created	C:\Windows\{B67F2F8A-6756-42b0-AE2F-067154728064}.exe	{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe
File created	C:\Windows\{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe
File created	C:\Windows\{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe
File created	C:\Windows\{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe
File created	C:\Windows\{DB082315-8198-4371-B540-83E07D4077DB}.exe	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe
File created	C:\Windows\{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe	{DB082315-8198-4371-B540-83E07D4077DB}.exe
File created	C:\Windows\{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe
File created	C:\Windows\{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe
File created	C:\Windows\{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe
File created	C:\Windows\{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe
File created	C:\Windows\{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4692	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe
Token: SeIncBasePriorityPrivilege	3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe
Token: SeIncBasePriorityPrivilege	4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe
Token: SeIncBasePriorityPrivilege	4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe
Token: SeIncBasePriorityPrivilege	3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe
Token: SeIncBasePriorityPrivilege	3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe
Token: SeIncBasePriorityPrivilege	4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe
Token: SeIncBasePriorityPrivilege	1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe
Token: SeIncBasePriorityPrivilege	2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe
Token: SeIncBasePriorityPrivilege	1644	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe
Token: SeIncBasePriorityPrivilege	4996	{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3556	4692	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe	99
PID 4692 wrote to memory of 3556	4692	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe	99
PID 4692 wrote to memory of 3556	4692	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe	99
PID 4692 wrote to memory of 4512	4692	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe	100
PID 4692 wrote to memory of 4512	4692	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe	100
PID 4692 wrote to memory of 4512	4692	2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe	100
PID 3556 wrote to memory of 3592	3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe	101
PID 3556 wrote to memory of 3592	3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe	101
PID 3556 wrote to memory of 3592	3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe	101
PID 3556 wrote to memory of 1664	3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe	102
PID 3556 wrote to memory of 1664	3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe	102
PID 3556 wrote to memory of 1664	3556	{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe	102
PID 3592 wrote to memory of 4928	3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe	105
PID 3592 wrote to memory of 4928	3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe	105
PID 3592 wrote to memory of 4928	3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe	105
PID 3592 wrote to memory of 5008	3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe	106
PID 3592 wrote to memory of 5008	3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe	106
PID 3592 wrote to memory of 5008	3592	{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe	106
PID 4928 wrote to memory of 4896	4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe	108
PID 4928 wrote to memory of 4896	4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe	108
PID 4928 wrote to memory of 4896	4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe	108
PID 4928 wrote to memory of 4732	4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe	109
PID 4928 wrote to memory of 4732	4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe	109
PID 4928 wrote to memory of 4732	4928	{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe	109
PID 4896 wrote to memory of 3908	4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe	110
PID 4896 wrote to memory of 3908	4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe	110
PID 4896 wrote to memory of 3908	4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe	110
PID 4896 wrote to memory of 1540	4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe	111
PID 4896 wrote to memory of 1540	4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe	111
PID 4896 wrote to memory of 1540	4896	{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe	111
PID 3908 wrote to memory of 3436	3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe	113
PID 3908 wrote to memory of 3436	3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe	113
PID 3908 wrote to memory of 3436	3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe	113
PID 3908 wrote to memory of 3420	3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe	114
PID 3908 wrote to memory of 3420	3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe	114
PID 3908 wrote to memory of 3420	3908	{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe	114
PID 3436 wrote to memory of 4544	3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe	115
PID 3436 wrote to memory of 4544	3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe	115
PID 3436 wrote to memory of 4544	3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe	115
PID 3436 wrote to memory of 4244	3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe	116
PID 3436 wrote to memory of 4244	3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe	116
PID 3436 wrote to memory of 4244	3436	{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe	116
PID 4544 wrote to memory of 1556	4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe	117
PID 4544 wrote to memory of 1556	4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe	117
PID 4544 wrote to memory of 1556	4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe	117
PID 4544 wrote to memory of 4324	4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe	118
PID 4544 wrote to memory of 4324	4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe	118
PID 4544 wrote to memory of 4324	4544	{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe	118
PID 1556 wrote to memory of 2532	1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe	121
PID 1556 wrote to memory of 2532	1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe	121
PID 1556 wrote to memory of 2532	1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe	121
PID 1556 wrote to memory of 2152	1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe	122
PID 1556 wrote to memory of 2152	1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe	122
PID 1556 wrote to memory of 2152	1556	{DB082315-8198-4371-B540-83E07D4077DB}.exe	122
PID 2532 wrote to memory of 1644	2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe	125
PID 2532 wrote to memory of 1644	2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe	125
PID 2532 wrote to memory of 1644	2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe	125
PID 2532 wrote to memory of 2228	2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe	126
PID 2532 wrote to memory of 2228	2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe	126
PID 2532 wrote to memory of 2228	2532	{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe	126
PID 1644 wrote to memory of 4996	1644	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe	132
PID 1644 wrote to memory of 4996	1644	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe	132
PID 1644 wrote to memory of 4996	1644	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe	132
PID 1644 wrote to memory of 4460	1644	{022ADB33-7FA6-485a-A81D-EA0417551250}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_4dba82785e0dd624a54aefff80d5f727_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe
  C:\Windows\{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe
    C:\Windows\{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe
      C:\Windows\{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe
        
        C:\Windows\{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe
        
        C:\Windows\{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe
        
        C:\Windows\{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe
        
        C:\Windows\{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{DB082315-8198-4371-B540-83E07D4077DB}.exe
        
        C:\Windows\{DB082315-8198-4371-B540-83E07D4077DB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe
        
        C:\Windows\{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{022ADB33-7FA6-485a-A81D-EA0417551250}.exe
        
        C:\Windows\{022ADB33-7FA6-485a-A81D-EA0417551250}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe
        
        C:\Windows\{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\{B67F2F8A-6756-42b0-AE2F-067154728064}.exe
        
        C:\Windows\{B67F2F8A-6756-42b0-AE2F-067154728064}.exe
        13⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67982~1.EXE > nul
        13⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{022AD~1.EXE > nul
        12⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F220A~1.EXE > nul
        11⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB082~1.EXE > nul
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A181~1.EXE > nul
        9⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7573C~1.EXE > nul
        8⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{528A3~1.EXE > nul
        7⤵
        
        PID:3420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8C74~1.EXE > nul
        6⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1B60~1.EXE > nul
        5⤵
        
        PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2EBC0~1.EXE > nul
      4⤵
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6671B~1.EXE > nul
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022ADB33-7FA6-485a-A81D-EA0417551250}.exe

Filesize
168KB

MD5
d1113b0a848a9f7b119e325393ba2dcb

SHA1
cf2c256503f3be5b3983b9c8959ae2cb22eda58e

SHA256
36befc73ff28a2fedfd52b7138936757018d5e3c8979afbc2109d776a2b14a0f

SHA512
846a967cef354e50cede86e3490d420b85cfd107ac052a8b63e2a076aeccec3b1ec66328c208da3df0eb20f0e084c413df66e1bc141732a0bb36d12362005f27

Download Submit
C:\Windows\{1A181157-BBA4-42ae-B1A8-8C9859488751}.exe

Filesize
168KB

MD5
80198b6cc1b9dc26101d532dcaefcd59

SHA1
ff5949548ad67d239674b1becde086a6369355c0

SHA256
a3e1ab6b9f9e0112af41c68f7b3a0bab60d69eff4779a72bf728827034966eb5

SHA512
88c6d89a77226bfdf57a2931e40fa2c3c19092907f8bd29950c653c9a1f9801111af6677534d0b0cc04a6876ee07ce8b9eb6790d19a6184844c08ce4542796ec

Download Submit
C:\Windows\{2EBC06DE-227C-46c3-8C6C-70F285234BDD}.exe

Filesize
168KB

MD5
e844e8b42c6920defbb44c967fe18791

SHA1
843dbab6ab6197ad7d567b8b84422601b920fc9b

SHA256
0bda44a7e3238025390e6e614b6fe5c422076ce5f95b66d05bc716f53cb80671

SHA512
e8af2de1e9299543c209e26e31fb487ffcef4f7825112c4b6f06a99bc0a66d0a85cc977504ec6f72436673507f81bc4a07dac2e69ee2d2f4d4f9ce2cf6298433

Download Submit
C:\Windows\{528A3E1F-1E63-4575-BC61-9C196B2B5381}.exe

Filesize
168KB

MD5
f5ce2373c43677cc60b2af2617d09f3c

SHA1
b32ef53b8f69a30451359a1b67dfdab318bcab20

SHA256
b5b9a9a0f08aa941853da1e8b1b1102d12ac107d3bb359f2952e9e58edcac00f

SHA512
ef54487e41be8ec0df4e4a35666f8a23a768cf1e5ed4e040f411f8a743da5f0386b29042fbc34a84a18579d45d7e8532dbda7c01182e93a6e45cb3409017d2bf

Download Submit
C:\Windows\{6671BF6C-9F4F-4b87-A437-4D948BFC4971}.exe

Filesize
168KB

MD5
51cd586c18e26ccb508452a0090993aa

SHA1
5e249df1b15e3261c87801bc45d7752b3e58838a

SHA256
ba52ecb1db81f73f0460e2d3513ba248c0f9fdf09a7380126d37ce1e97c23b0d

SHA512
69c8c0c5e4e98895da449d53b37c5720ef054c808cf0c2e76177d6947a57dc0f62391a321588309a779c7fad35a44477e93bf13855e1e99fad6ef534c8ee5c9a

Download Submit
C:\Windows\{679822CD-21A3-4fe8-A104-223802B3DE7B}.exe

Filesize
168KB

MD5
a930aa67716074d1b39899e9bef9149d

SHA1
25474361200435312da3ecc68367e7270cd6e828

SHA256
b22e634f7c3133361cdd1f94918730c79c724d25bec5c51e8259f4bc9631cccc

SHA512
b9347f5797fca85f46136976f7e033c18e3773f3181069bfd0c971856d276bc89ac082db8c289fba36cedf76136937c85cd9b64d74a36e14d35585d06504702d

Download Submit
C:\Windows\{7573CFD4-15CD-4bcc-83C6-15F8164B9EB6}.exe

Filesize
168KB

MD5
e82f279a964fddff618354ff6fc1fdcf

SHA1
28c3a9a71f180a33feab4d0a10f7ebcd2019e213

SHA256
5afa153177d5b244957cc9621f51e38225652614e554a849ee780ee19be2806b

SHA512
cd7a5b9281e954eea426ca76291d220fb41fc9b89870242e2ebb56ada5c64f5f151a8aade6c6845fac746da05965cce0b2e70fc9a73d5e613d0b122ad0d64698

Download Submit
C:\Windows\{A8C74177-1689-4c93-B45C-6D3533D2A805}.exe

Filesize
168KB

MD5
833fbda171531fe06480a98b300bebd3

SHA1
a97b066c881b54de348a2ec264edecebef95e298

SHA256
6a413632d98f57f96f73f4d3cc241876bb3648b3aafcb356494869847e7ac776

SHA512
3e6b19df93b3cbca68d429a8e6940f4f24b65695b6c87ff54d958c25e0795aa2d53a8a1269ca827aeb64d83f8e4f4ca6412bf96f704f0520593012969c6465ef

Download Submit
C:\Windows\{B67F2F8A-6756-42b0-AE2F-067154728064}.exe

Filesize
168KB

MD5
bd5d2328d9f23648eb5790dc7ad06a94

SHA1
c0a9d00acf2a4ee3f7bc8134af5e2a502752a44f

SHA256
90b9cd0bb4b434c017e2f318821ea5b8852f096e5e64906c1852ce40770b0ee2

SHA512
8b8b242e56b749bf14fb0a4e4fde2fe83bd5d0d921e3f01856c63928b8c664a08d12c8bc20f065e71942a26a54dd2c3c9e03383f649582bae93fe86032de02e0

Download Submit
C:\Windows\{C1B60F5E-1BF9-445a-A4A1-6CA813BB874B}.exe

Filesize
168KB

MD5
90607d60fe979358eeaab763737fdde6

SHA1
e1b62fb3e1ea44a03d98d5e9a9375804ed180c1a

SHA256
ebc91c49929b11ee073494c4e6053d6f9413d1a3ea478dba7184de7f9e274e67

SHA512
5717a38e4478933de4b2e295783999a299b5fb3344a9382881396cdc805fdd67740f120644203b015c12ea189ccb97818e533c867d52de586cd13397da04370a

Download Submit
C:\Windows\{DB082315-8198-4371-B540-83E07D4077DB}.exe

Filesize
168KB

MD5
9b82ff5093aaf4911d2e7897938018db

SHA1
f91f7502b65682ba6f486027b2bd363646b93a90

SHA256
59416233667c80e0e2913b4fdf3b0a7b7fc146c05883cfb5200c24ee93527ce1

SHA512
e6c9d9f32fa46f9f4c5bd0c5b5f9f5c60dbc68d15fcb56b0630e0afb21e152adae1f157414491284416e06fd6a08a289e0d627fb254a1825622b5d6196cc19ad

Download Submit
C:\Windows\{F220AD25-6F7B-4ac4-8438-C2D148AA17CB}.exe

Filesize
168KB

MD5
9991032f2ef53c41a56b433bc7e61152

SHA1
30678a9ef1f778a58dc4cbeeb000b0288ffe66e7

SHA256
a706ad4e425bf0df7615e295e9af25cab090b83dcfd00a774730330c7096857d

SHA512
bf39f664b02b7059fbf333761d919194ee27d52a0522255599c48770a1d4d221efd633accc319e6baa25ce16f647404efeece1f7047175f4f8366436c02f7dce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads