596209f15b44b5ada9f5fa81745975535e9fabf891b27084e403d2ec51888120

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Size

408KB
MD5

043fe5808c3ba6299c20a8934c730461
SHA1

c227f9010a442c196df89dcd3a643ecc5ef9dd67
SHA256

596209f15b44b5ada9f5fa81745975535e9fabf891b27084e403d2ec51888120
SHA512

e1641b7e83b43168b57eb3d0e6f23496616ca4bbc3472a6774f8eb007e8a6764ba9c3d6e7af121030ab62a2c5507d21a506b71f674f61279cb9305a09945319c
SSDEEP

3072:CEGh0ohl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGHldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023230-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e743-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000216c9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ae-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e581-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234c7-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023134-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002313e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002315b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002313e-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5375F693-B87F-4cd4-A5E4-260B2604E83F}\stubpath = "C:\\Windows\\{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe"	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}\stubpath = "C:\\Windows\\{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe"	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF20F980-1313-463d-AAF2-542D7CFE6BB1}\stubpath = "C:\\Windows\\{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe"	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B03584BF-435C-4b9e-B060-C85679790081}	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5375F693-B87F-4cd4-A5E4-260B2604E83F}	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}\stubpath = "C:\\Windows\\{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe"	{B03584BF-435C-4b9e-B060-C85679790081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0631D098-BE11-4d86-8577-B851F98BC5F7}	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6750E85-3C11-40d9-BCDC-3234CC9466E2}	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6750E85-3C11-40d9-BCDC-3234CC9466E2}\stubpath = "C:\\Windows\\{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe"	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED8062B3-04E8-4665-B72D-6B3639105801}	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}\stubpath = "C:\\Windows\\{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe"	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}\stubpath = "C:\\Windows\\{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe"	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF20F980-1313-463d-AAF2-542D7CFE6BB1}	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2953168A-7F02-46a4-A288-292938299B2D}	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}	{B03584BF-435C-4b9e-B060-C85679790081}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2953168A-7F02-46a4-A288-292938299B2D}\stubpath = "C:\\Windows\\{2953168A-7F02-46a4-A288-292938299B2D}.exe"	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED8062B3-04E8-4665-B72D-6B3639105801}\stubpath = "C:\\Windows\\{ED8062B3-04E8-4665-B72D-6B3639105801}.exe"	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B03584BF-435C-4b9e-B060-C85679790081}\stubpath = "C:\\Windows\\{B03584BF-435C-4b9e-B060-C85679790081}.exe"	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0631D098-BE11-4d86-8577-B851F98BC5F7}\stubpath = "C:\\Windows\\{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe"	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}	{2953168A-7F02-46a4-A288-292938299B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}\stubpath = "C:\\Windows\\{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}.exe"	{2953168A-7F02-46a4-A288-292938299B2D}.exe

Executes dropped EXE 12 IoCs

pid	Process
2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe
1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe
4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe
3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe
4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe
564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe
4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe
2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe
4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe
1592	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe
988	{2953168A-7F02-46a4-A288-292938299B2D}.exe
2680	{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2953168A-7F02-46a4-A288-292938299B2D}.exe	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe
File created	C:\Windows\{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}.exe	{2953168A-7F02-46a4-A288-292938299B2D}.exe
File created	C:\Windows\{ED8062B3-04E8-4665-B72D-6B3639105801}.exe	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
File created	C:\Windows\{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe
File created	C:\Windows\{B03584BF-435C-4b9e-B060-C85679790081}.exe	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe
File created	C:\Windows\{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe
File created	C:\Windows\{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe
File created	C:\Windows\{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe
File created	C:\Windows\{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe
File created	C:\Windows\{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe	{B03584BF-435C-4b9e-B060-C85679790081}.exe
File created	C:\Windows\{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe
File created	C:\Windows\{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1792	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe
Token: SeIncBasePriorityPrivilege	1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe
Token: SeIncBasePriorityPrivilege	4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe
Token: SeIncBasePriorityPrivilege	3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe
Token: SeIncBasePriorityPrivilege	4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe
Token: SeIncBasePriorityPrivilege	564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe
Token: SeIncBasePriorityPrivilege	4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe
Token: SeIncBasePriorityPrivilege	2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe
Token: SeIncBasePriorityPrivilege	4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe
Token: SeIncBasePriorityPrivilege	1592	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe
Token: SeIncBasePriorityPrivilege	988	{2953168A-7F02-46a4-A288-292938299B2D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2036	1792	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	99
PID 1792 wrote to memory of 2036	1792	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	99
PID 1792 wrote to memory of 2036	1792	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	99
PID 1792 wrote to memory of 2116	1792	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	100
PID 1792 wrote to memory of 2116	1792	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	100
PID 1792 wrote to memory of 2116	1792	2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe	100
PID 2036 wrote to memory of 1540	2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe	102
PID 2036 wrote to memory of 1540	2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe	102
PID 2036 wrote to memory of 1540	2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe	102
PID 2036 wrote to memory of 3684	2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe	103
PID 2036 wrote to memory of 3684	2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe	103
PID 2036 wrote to memory of 3684	2036	{ED8062B3-04E8-4665-B72D-6B3639105801}.exe	103
PID 1540 wrote to memory of 4124	1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe	106
PID 1540 wrote to memory of 4124	1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe	106
PID 1540 wrote to memory of 4124	1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe	106
PID 1540 wrote to memory of 932	1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe	107
PID 1540 wrote to memory of 932	1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe	107
PID 1540 wrote to memory of 932	1540	{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe	107
PID 4124 wrote to memory of 3468	4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe	108
PID 4124 wrote to memory of 3468	4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe	108
PID 4124 wrote to memory of 3468	4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe	108
PID 4124 wrote to memory of 1732	4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe	109
PID 4124 wrote to memory of 1732	4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe	109
PID 4124 wrote to memory of 1732	4124	{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe	109
PID 3468 wrote to memory of 4780	3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe	110
PID 3468 wrote to memory of 4780	3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe	110
PID 3468 wrote to memory of 4780	3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe	110
PID 3468 wrote to memory of 904	3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe	111
PID 3468 wrote to memory of 904	3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe	111
PID 3468 wrote to memory of 904	3468	{B03584BF-435C-4b9e-B060-C85679790081}.exe	111
PID 4780 wrote to memory of 564	4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe	113
PID 4780 wrote to memory of 564	4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe	113
PID 4780 wrote to memory of 564	4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe	113
PID 4780 wrote to memory of 2032	4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe	114
PID 4780 wrote to memory of 2032	4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe	114
PID 4780 wrote to memory of 2032	4780	{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe	114
PID 564 wrote to memory of 4344	564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe	115
PID 564 wrote to memory of 4344	564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe	115
PID 564 wrote to memory of 4344	564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe	115
PID 564 wrote to memory of 452	564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe	116
PID 564 wrote to memory of 452	564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe	116
PID 564 wrote to memory of 452	564	{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe	116
PID 4344 wrote to memory of 2588	4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe	119
PID 4344 wrote to memory of 2588	4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe	119
PID 4344 wrote to memory of 2588	4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe	119
PID 4344 wrote to memory of 4712	4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe	120
PID 4344 wrote to memory of 4712	4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe	120
PID 4344 wrote to memory of 4712	4344	{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe	120
PID 2588 wrote to memory of 4224	2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe	127
PID 2588 wrote to memory of 4224	2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe	127
PID 2588 wrote to memory of 4224	2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe	127
PID 2588 wrote to memory of 2340	2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe	128
PID 2588 wrote to memory of 2340	2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe	128
PID 2588 wrote to memory of 2340	2588	{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe	128
PID 4224 wrote to memory of 1592	4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe	129
PID 4224 wrote to memory of 1592	4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe	129
PID 4224 wrote to memory of 1592	4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe	129
PID 4224 wrote to memory of 1636	4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe	130
PID 4224 wrote to memory of 1636	4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe	130
PID 4224 wrote to memory of 1636	4224	{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe	130
PID 1592 wrote to memory of 988	1592	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe	134
PID 1592 wrote to memory of 988	1592	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe	134
PID 1592 wrote to memory of 988	1592	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe	134
PID 1592 wrote to memory of 4972	1592	{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_043fe5808c3ba6299c20a8934c730461_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\{ED8062B3-04E8-4665-B72D-6B3639105801}.exe
  C:\Windows\{ED8062B3-04E8-4665-B72D-6B3639105801}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe
    C:\Windows\{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe
      C:\Windows\{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\{B03584BF-435C-4b9e-B060-C85679790081}.exe
        
        C:\Windows\{B03584BF-435C-4b9e-B060-C85679790081}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe
        
        C:\Windows\{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe
        
        C:\Windows\{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe
        
        C:\Windows\{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe
        
        C:\Windows\{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe
        
        C:\Windows\{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe
        
        C:\Windows\{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\{2953168A-7F02-46a4-A288-292938299B2D}.exe
        
        C:\Windows\{2953168A-7F02-46a4-A288-292938299B2D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}.exe
        
        C:\Windows\{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}.exe
        13⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29531~1.EXE > nul
        13⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF20F~1.EXE > nul
        12⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6750~1.EXE > nul
        11⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBA6~1.EXE > nul
        10⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5375F~1.EXE > nul
        9⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0631D~1.EXE > nul
        8⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D317~1.EXE > nul
        7⤵
        
        PID:2032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0358~1.EXE > nul
        6⤵
        
        PID:904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{979D8~1.EXE > nul
        5⤵
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6728~1.EXE > nul
      4⤵
      PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ED806~1.EXE > nul
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0631D098-BE11-4d86-8577-B851F98BC5F7}.exe

Filesize
408KB

MD5
df909bc287b6a9331c4c9181f5ddfe83

SHA1
ce3a2f15fee925b82338b40e0e319c34e615dbd5

SHA256
dcfe4bd79a0be4a0876208656180047d545d9012d9227f8a9d5b3d4d98bcc5e0

SHA512
bbc82f418cdd722f4ab11b7c199bab086d1fb4642ea74230ee4552d9d87467f7ecc0e5ee8df0869306436b2dfeef1e93d55cd2600b82949e912a34651b71bf4d

Download Submit
C:\Windows\{2953168A-7F02-46a4-A288-292938299B2D}.exe

Filesize
408KB

MD5
0407987fc99dccf81ff41b6ff2c7355b

SHA1
965985d1363102bdfe4a933a9b5f980166a3a333

SHA256
51c3577ed211a7d7090ac060ae8c6be3720973d0972c60da872affce12c2e134

SHA512
0dffc31ed42d7ba0fd615b9a9995e54a1c9db4485cef3c39d66090a809e2197919e9c4db7f8ecee4aeed82dd5931f2fe9a12bc05c399d6461e884138178ebc16

Download Submit
C:\Windows\{3D3175F1-AB41-4fda-BD36-2F8DDCB57290}.exe

Filesize
408KB

MD5
43082615d0be056818f7c976d3d9259d

SHA1
bd55f240549142ea691030905196c7f5a39dc80b

SHA256
70da7b9f38e50c164ecd947725cc0c5b42f22f7fcf9311aaef991e7f887879c0

SHA512
38329e974c9a7a97a02f49504b19084e5b9db38a733db0a848d972cfe5c564103444518d7bea4afee31c22103dce8b1115453f1e11dd77d4f76366e430284361

Download Submit
C:\Windows\{3FBD06E4-95F4-4e59-9C65-EB13DB4169CC}.exe

Filesize
408KB

MD5
975e90964815c56fc58b75c5ed402a83

SHA1
5a907643cda917a53bd4c35816690a3c2463d912

SHA256
504653b535d25ef718dfd981d1275cd6051143b7c4e4d37f718bb8b91a0e51a7

SHA512
9b18154e5fdd76ff83409f346bec8df7184d2206f9d838761a6c9d0282e6d2b1ce85f27810f15987677e1c542824f084cff0b57bb23c3a910b2c96494730c921

Download Submit
C:\Windows\{5375F693-B87F-4cd4-A5E4-260B2604E83F}.exe

Filesize
408KB

MD5
809f6b606c6dcb9cc7e38696748d5333

SHA1
5c9932e033ad612c3ca592e2dab4905045bfb9e4

SHA256
71b56239542721b51cebf6db211efc42b66a8533caa5572521a73c9dea559184

SHA512
97028e7ac4938855ee0575f6a8b2b62a3fba0cf0b8bb87c053adf7f964f400eb8617016ceccbb98e0aa8db3150f43ad538c2b2592a0a125d8e039ef74a131f28

Download Submit
C:\Windows\{979D86CE-4748-4d24-82B0-DC8EFD6D9A01}.exe

Filesize
408KB

MD5
04d351988fb046b3336dd15ebf74e7e4

SHA1
9627d263c099279447facee02dc3f3cbc9548cc0

SHA256
8c957ddb55caa403f0240d8be23be67f75f50a7ea47d750ca27ff04ef987d2e9

SHA512
755fc2827286dab1ccae3a93b8094bce1352dd3f01a42be8efbc79d3dcda02bdd5c067153533533d9fcb364624a147321d4edc54a0e227b48eba1a4162582b37

Download Submit
C:\Windows\{AF20F980-1313-463d-AAF2-542D7CFE6BB1}.exe

Filesize
408KB

MD5
c862f2c3677f87a1e830b5871562a199

SHA1
ecf96d3eb6841488c4ff044e82d7f539f66bcb40

SHA256
fa3d2a9b784f9c34c7df1cbf7df4e4c3ff6330ef30156a52baa5f675f6d1ae36

SHA512
0f99d69aa7b9fdadb0758a80b7a88762465698111ee088e0a56b56b8133c4c72b44934d6440c221a3ec56090432651f772fe5fc33b5d527ef4d6ae4feb0f4305

Download Submit
C:\Windows\{B03584BF-435C-4b9e-B060-C85679790081}.exe

Filesize
408KB

MD5
9762dbc07c84f8c9cd36ec44567a0127

SHA1
03d33753d844f6177105e101294bfa19b8b53a4d

SHA256
fc7b458e6907f15e905a4604057e2e4d2ecc668f1b19e5b81e299f5668232c81

SHA512
4d4dc6f2c2bd570f838eb4aefd6b29795a68b3ba864884b1061ae6955b6d8a45ce0731ddc20fd193c5a50733abb8dae0aad5bbddc58b65edda7cf150461b77b9

Download Submit
C:\Windows\{B6728A11-0CD0-4cde-AA2B-F4F18D18A6A7}.exe

Filesize
408KB

MD5
36754a85d97cc7a0f94fe01fa74c135f

SHA1
525f9684f97c882a69089ad6700cde748223841f

SHA256
2b4fdd91d5fa2c43b3e8b25e25681f66d910776d644c8720ea7a247e6e52b984

SHA512
bea34de96338032887d98e433b6bb401494ad4491fd26f11a67f7a7cec7d513d73f542d21f724852b7bc496d997d195b418fc9c31abba0fa73ef39b1a83669d2

Download Submit
C:\Windows\{ED8062B3-04E8-4665-B72D-6B3639105801}.exe

Filesize
408KB

MD5
e229a0eeea584b00f356bcc3233e4ef8

SHA1
0d51583beec6357fc3120d2351ab202371dccac2

SHA256
aec4b67c006a563489e7056370db2855c7a056df6d694968122a7f935485d67f

SHA512
1b375c9c510077a429807059b533844be5e41a693036b372797e290f4b63dd9f90184b45f7b401946726a6e64038f318e70ff4e8efd68f0ce33dd120ac7b5321

Download Submit
C:\Windows\{F6750E85-3C11-40d9-BCDC-3234CC9466E2}.exe

Filesize
408KB

MD5
ec4eb0085e591bb8eec95f7ef97cb81a

SHA1
296740c2c9febea9ef18ca4100061a785432a9c9

SHA256
b2e3dcb875642f93833c35552a35746297cd2231124e22741118f99c2c394744

SHA512
79d112acfefcfc2bbe4a0041e3cf687f4365248ce59f37d0a340b10aeb52889a8a08e66818fe44c3bf34c4728fad53bfe52e89b85a0e22b01de4bc3ba0ed95bc

Download Submit
C:\Windows\{FCBA6D86-13C5-41ca-9D04-B6EE9549681F}.exe

Filesize
408KB

MD5
b74a88d8420cfe6a301658be76fe1959

SHA1
d9be82791f1ca0c864d0b798f8eb43da15b56f07

SHA256
7ee6b0e63c3c89b82f79332eaa4c48e5591a6cf80b68f19e819bb74ebd1bfd01

SHA512
758242d343ba9be68f2f60db10ea4001dfebb96166fdea9eda166ea6122e7a66d8e0e8712134b1896a856889472dc6755ac564bcf37f81de12af1093ae99f5ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads