6de584a57549165150ea67d7df78408a8329aeb510600525bcc6929d4cf12d15

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe
Size

192KB
MD5

2a4e6d79bb3ac0a3ce603d3e02940d43
SHA1

672a9c8ebf45d4dc6f013d5131e0c755536ebb2e
SHA256

6de584a57549165150ea67d7df78408a8329aeb510600525bcc6929d4cf12d15
SHA512

00f20ff6f2598b9dd227e3e13789910ab6330ec5e08ec92168f68248b882e956bbdcd42cf4728c644a4b316b74828955e11d4a012acb4b0affc3c4fe1f8dcb2d
SSDEEP

1536:1EGh0oIl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oIl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023222-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023228-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023228-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322f-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023228-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000733-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000733-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}\stubpath = "C:\\Windows\\{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe"	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F46AD940-EFE8-4d32-A821-493C92525814}\stubpath = "C:\\Windows\\{F46AD940-EFE8-4d32-A821-493C92525814}.exe"	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{061FE144-C9BD-456d-9BEF-2076C260B176}\stubpath = "C:\\Windows\\{061FE144-C9BD-456d-9BEF-2076C260B176}.exe"	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}\stubpath = "C:\\Windows\\{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe"	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3354E333-082A-470e-8493-5ECAD2365DB1}	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{681BB159-2B34-462a-80EA-10D3D4575399}\stubpath = "C:\\Windows\\{681BB159-2B34-462a-80EA-10D3D4575399}.exe"	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CA39D18-382C-4415-B4FB-4545B18F296E}	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CA39D18-382C-4415-B4FB-4545B18F296E}\stubpath = "C:\\Windows\\{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe"	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0AED0A-BE13-439b-8291-B5665A6D9977}\stubpath = "C:\\Windows\\{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe"	{F46AD940-EFE8-4d32-A821-493C92525814}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E1E2EB-3FE1-4608-8C56-691B98A2C753}	{681BB159-2B34-462a-80EA-10D3D4575399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FF4725B-5429-4c0a-BE29-ADD92275378F}	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FF4725B-5429-4c0a-BE29-ADD92275378F}\stubpath = "C:\\Windows\\{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe"	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F46AD940-EFE8-4d32-A821-493C92525814}	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{061FE144-C9BD-456d-9BEF-2076C260B176}	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{681BB159-2B34-462a-80EA-10D3D4575399}	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}\stubpath = "C:\\Windows\\{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe"	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0AED0A-BE13-439b-8291-B5665A6D9977}	{F46AD940-EFE8-4d32-A821-493C92525814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3354E333-082A-470e-8493-5ECAD2365DB1}\stubpath = "C:\\Windows\\{3354E333-082A-470e-8493-5ECAD2365DB1}.exe"	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E1E2EB-3FE1-4608-8C56-691B98A2C753}\stubpath = "C:\\Windows\\{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe"	{681BB159-2B34-462a-80EA-10D3D4575399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3583729E-32B2-4088-9F27-2AFB9B98CB0E}	{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3583729E-32B2-4088-9F27-2AFB9B98CB0E}\stubpath = "C:\\Windows\\{3583729E-32B2-4088-9F27-2AFB9B98CB0E}.exe"	{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe

Executes dropped EXE 12 IoCs

pid	Process
4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe
2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe
3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe
3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe
2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe
4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe
4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe
5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe
4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe
3896	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe
3628	{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe
3308	{3583729E-32B2-4088-9F27-2AFB9B98CB0E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe
File created	C:\Windows\{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe	{681BB159-2B34-462a-80EA-10D3D4575399}.exe
File created	C:\Windows\{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe
File created	C:\Windows\{061FE144-C9BD-456d-9BEF-2076C260B176}.exe	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe
File created	C:\Windows\{3354E333-082A-470e-8493-5ECAD2365DB1}.exe	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe
File created	C:\Windows\{681BB159-2B34-462a-80EA-10D3D4575399}.exe	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe
File created	C:\Windows\{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe
File created	C:\Windows\{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe
File created	C:\Windows\{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe
File created	C:\Windows\{F46AD940-EFE8-4d32-A821-493C92525814}.exe	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe
File created	C:\Windows\{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe	{F46AD940-EFE8-4d32-A821-493C92525814}.exe
File created	C:\Windows\{3583729E-32B2-4088-9F27-2AFB9B98CB0E}.exe	{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1496	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe
Token: SeIncBasePriorityPrivilege	2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe
Token: SeIncBasePriorityPrivilege	3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe
Token: SeIncBasePriorityPrivilege	3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe
Token: SeIncBasePriorityPrivilege	2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe
Token: SeIncBasePriorityPrivilege	4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe
Token: SeIncBasePriorityPrivilege	4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe
Token: SeIncBasePriorityPrivilege	5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe
Token: SeIncBasePriorityPrivilege	4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe
Token: SeIncBasePriorityPrivilege	3896	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe
Token: SeIncBasePriorityPrivilege	3628	{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4432	1496	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe	96
PID 1496 wrote to memory of 4432	1496	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe	96
PID 1496 wrote to memory of 4432	1496	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe	96
PID 1496 wrote to memory of 2624	1496	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe	97
PID 1496 wrote to memory of 2624	1496	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe	97
PID 1496 wrote to memory of 2624	1496	2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe	97
PID 4432 wrote to memory of 2012	4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe	98
PID 4432 wrote to memory of 2012	4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe	98
PID 4432 wrote to memory of 2012	4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe	98
PID 4432 wrote to memory of 4936	4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe	99
PID 4432 wrote to memory of 4936	4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe	99
PID 4432 wrote to memory of 4936	4432	{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe	99
PID 2012 wrote to memory of 3436	2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe	101
PID 2012 wrote to memory of 3436	2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe	101
PID 2012 wrote to memory of 3436	2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe	101
PID 2012 wrote to memory of 1336	2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe	102
PID 2012 wrote to memory of 1336	2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe	102
PID 2012 wrote to memory of 1336	2012	{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe	102
PID 3436 wrote to memory of 3512	3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe	103
PID 3436 wrote to memory of 3512	3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe	103
PID 3436 wrote to memory of 3512	3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe	103
PID 3436 wrote to memory of 1148	3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe	104
PID 3436 wrote to memory of 1148	3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe	104
PID 3436 wrote to memory of 1148	3436	{F46AD940-EFE8-4d32-A821-493C92525814}.exe	104
PID 3512 wrote to memory of 2900	3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe	105
PID 3512 wrote to memory of 2900	3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe	105
PID 3512 wrote to memory of 2900	3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe	105
PID 3512 wrote to memory of 3336	3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe	106
PID 3512 wrote to memory of 3336	3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe	106
PID 3512 wrote to memory of 3336	3512	{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe	106
PID 2900 wrote to memory of 4308	2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe	107
PID 2900 wrote to memory of 4308	2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe	107
PID 2900 wrote to memory of 4308	2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe	107
PID 2900 wrote to memory of 4380	2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe	108
PID 2900 wrote to memory of 4380	2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe	108
PID 2900 wrote to memory of 4380	2900	{061FE144-C9BD-456d-9BEF-2076C260B176}.exe	108
PID 4308 wrote to memory of 4960	4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe	109
PID 4308 wrote to memory of 4960	4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe	109
PID 4308 wrote to memory of 4960	4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe	109
PID 4308 wrote to memory of 4804	4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe	110
PID 4308 wrote to memory of 4804	4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe	110
PID 4308 wrote to memory of 4804	4308	{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe	110
PID 4960 wrote to memory of 5048	4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe	111
PID 4960 wrote to memory of 5048	4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe	111
PID 4960 wrote to memory of 5048	4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe	111
PID 4960 wrote to memory of 4860	4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe	112
PID 4960 wrote to memory of 4860	4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe	112
PID 4960 wrote to memory of 4860	4960	{3354E333-082A-470e-8493-5ECAD2365DB1}.exe	112
PID 5048 wrote to memory of 4916	5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe	113
PID 5048 wrote to memory of 4916	5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe	113
PID 5048 wrote to memory of 4916	5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe	113
PID 5048 wrote to memory of 3464	5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe	114
PID 5048 wrote to memory of 3464	5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe	114
PID 5048 wrote to memory of 3464	5048	{681BB159-2B34-462a-80EA-10D3D4575399}.exe	114
PID 4916 wrote to memory of 3896	4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe	115
PID 4916 wrote to memory of 3896	4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe	115
PID 4916 wrote to memory of 3896	4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe	115
PID 4916 wrote to memory of 1872	4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe	116
PID 4916 wrote to memory of 1872	4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe	116
PID 4916 wrote to memory of 1872	4916	{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe	116
PID 3896 wrote to memory of 3628	3896	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe	117
PID 3896 wrote to memory of 3628	3896	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe	117
PID 3896 wrote to memory of 3628	3896	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe	117
PID 3896 wrote to memory of 4928	3896	{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a4e6d79bb3ac0a3ce603d3e02940d43_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe
  C:\Windows\{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe
    C:\Windows\{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\{F46AD940-EFE8-4d32-A821-493C92525814}.exe
      C:\Windows\{F46AD940-EFE8-4d32-A821-493C92525814}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe
        
        C:\Windows\{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
      - C:\Windows\{061FE144-C9BD-456d-9BEF-2076C260B176}.exe
        
        C:\Windows\{061FE144-C9BD-456d-9BEF-2076C260B176}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe
        
        C:\Windows\{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{3354E333-082A-470e-8493-5ECAD2365DB1}.exe
        
        C:\Windows\{3354E333-082A-470e-8493-5ECAD2365DB1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{681BB159-2B34-462a-80EA-10D3D4575399}.exe
        
        C:\Windows\{681BB159-2B34-462a-80EA-10D3D4575399}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe
        
        C:\Windows\{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe
        
        C:\Windows\{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe
        
        C:\Windows\{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Windows\{3583729E-32B2-4088-9F27-2AFB9B98CB0E}.exe
        
        C:\Windows\{3583729E-32B2-4088-9F27-2AFB9B98CB0E}.exe
        13⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8372~1.EXE > nul
        13⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CA39~1.EXE > nul
        12⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86E1E~1.EXE > nul
        11⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{681BB~1.EXE > nul
        10⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3354E~1.EXE > nul
        9⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6457~1.EXE > nul
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{061FE~1.EXE > nul
        7⤵
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0AE~1.EXE > nul
        6⤵
        
        PID:3336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F46AD~1.EXE > nul
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DA5D~1.EXE > nul
      4⤵
      PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8FF47~1.EXE > nul
    3⤵
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{061FE144-C9BD-456d-9BEF-2076C260B176}.exe

Filesize
192KB

MD5
42737a508edf5224cd2302bd0856a6b7

SHA1
ce29f4aa6b111c7c5f598ff39907e01521ee6324

SHA256
adf4acff3b01a6bf071cc6d6a74a7d0f6ee1187f86366327d699162ca8af1a54

SHA512
55d1abc4e39209c427a9d7b8a6e1179f84e798db8f42bbc6655b1d1b40c7dfb665b2111e184dc8f98aa64574438d501b9284fd4d07e1f70b5af9cca313452528

Download Submit
C:\Windows\{2B0AED0A-BE13-439b-8291-B5665A6D9977}.exe

Filesize
192KB

MD5
162db5acaf60dbbd1e2b9becc75f9866

SHA1
3337c0af1629ffca366eebbb4e4ebbb0482bf59c

SHA256
4ff9de82aa32ce8eb74f454fc3aaa85a60e4cf8587f4d19d0d36e5f1160b576e

SHA512
caab771a515474dbc29b9bf8614be3f525fa5fe8eea976ae0a6049df638bc8537aced399eb9b7c4178262b88741b96a6c29ccaf6518ad5c6fff09fc0f8b063f3

Download Submit
C:\Windows\{3354E333-082A-470e-8493-5ECAD2365DB1}.exe

Filesize
192KB

MD5
ede8e24d552b74c7b1e97909e63cdf2b

SHA1
5e3e3c0e3e444dba4a3494d0d40f70836da36f7e

SHA256
0338949e4baa98cf19b66d9bcfc787c15110eff3ba0c6d1062f41c32cd61f2c8

SHA512
0a4e9e8312dbb1d4713b51c9c0544017e876cfc359b3a85fa9c26cb5dedf61d9363e95e9415937e67b4162f32751f37166aad0b46592eb26f81df9251982e06e

Download Submit
C:\Windows\{3583729E-32B2-4088-9F27-2AFB9B98CB0E}.exe

Filesize
192KB

MD5
cb9d576ebde9c7ffa867b97f647c47d5

SHA1
9b1deceb52e69d64488ac2e0b621690249625994

SHA256
9a6d0e4f172e6012ccac4e5fc6ea9604d1d90715fec802a213d3cf79f7ec42bf

SHA512
1bd7e4ad46eee6a46478f94b214301ca6dde58a20a754d4ef22b85e736761e35423a8dd5dcfd169fb6274f49101ef4d93b237f505e67a10bd3be0c89db1273c5

Download Submit
C:\Windows\{681BB159-2B34-462a-80EA-10D3D4575399}.exe

Filesize
192KB

MD5
0b2e2a042c823f9230b74744928a0c51

SHA1
531e54a7374257fbf3bb0dd858c78aacbca04dc2

SHA256
22a975c5ec0bdda522cd27e358fa4294d8d8e4d791ebd5f968d607740849f2bb

SHA512
d1af20950e762decca65992e15562639a002e0a885264943910ef50825e21a622aa8265f78fb6f732369a29902714531c776a22c6eaea8f1d22bf67b75839c68

Download Submit
C:\Windows\{7CA39D18-382C-4415-B4FB-4545B18F296E}.exe

Filesize
192KB

MD5
33cfbd3bf3640df420f36238b8d83ab2

SHA1
e6f27a3e6ce5ff658130ad1f30346d1ba6f54bef

SHA256
62cd7127ec4481729e11b72bd740b049929f0c01d5ccb0836995e9a8b682baff

SHA512
f85aad8bd18ead74fb266d91850f2dc142eb5c60ff7e25c389752e0e00f5db7bb27ce151753618bf31e23219330b115c9a12c0efe26d14bb109b909152ba31f7

Download Submit
C:\Windows\{86E1E2EB-3FE1-4608-8C56-691B98A2C753}.exe

Filesize
192KB

MD5
ba47a06fb26e9ab6bcbef5e83f9cabb9

SHA1
e6b4a00a786347e3c850f0773b00ae3a290eeab1

SHA256
78bb7bc6ab73b27b0fe1ba64b824c9da1289fc728c44be9a2403e7333d594cd4

SHA512
afe8a683beac54396238ba93a58d212c1f3fa12d000d7ab24bb6c8683230119dfe933179547cb04cd93413d32d81382b3e4e1a242557c07d8a9831286362563d

Download Submit
C:\Windows\{8FF4725B-5429-4c0a-BE29-ADD92275378F}.exe

Filesize
192KB

MD5
648e6ab359cb7661a79e72be9fb61254

SHA1
6d51e1cb2315d2e96e95e77988cb648ad6fcbc6b

SHA256
684f604d72d46cce932df0584efbb79bac3d08e39043d1e53cf988a9f7d70d8e

SHA512
ee8bf77c264798be0713bc82b5e67ab2af5f7aee6559dfa5932cd89267d2169da41de5912371ff5a2ff773465d880094cd7a070cac4e360aa64f44fa7243dd77

Download Submit
C:\Windows\{9DA5D8E6-2A99-4dee-9C49-51CA2C8B8F09}.exe

Filesize
192KB

MD5
c2cfd0356a90ece77b1663b677ebf468

SHA1
aa77a02106149387db913ec447ef60868db0b017

SHA256
2c52f2e478b4a95ea6df832bbb0659814b5d21467d73a02c9c5c1cdf27c4dbaf

SHA512
b9883e6b8a4495afc894c412d1928a669e11435d5b490de01fb4b1e39c8397be5601b5215e434843d5583337f5dc37242681031f496ae61bb9dd69cf08b65990

Download Submit
C:\Windows\{E6457226-0CA4-48cc-A254-D12F9DD5E6DF}.exe

Filesize
192KB

MD5
ac416b8504de1cb26f645f1c9764afd1

SHA1
96900636ee15a5b993815c2124848c9659abd1e4

SHA256
b153a05beb5a78eff7372ff28abe4d265d8fd568ef0d86be80f95df9901312d4

SHA512
741f3ce75f212aae981d5f1337f86ede116bfbec706efe954e894fb66cccd4cd5239f44a5fd67235ffac77f011e49a57e00114b433c3a0189af050722d84fdc6

Download Submit
C:\Windows\{E83722D2-FBBF-4a41-B9D9-E3BE9C661178}.exe

Filesize
192KB

MD5
f1b654c4bbb0ce03c190e43dd9af7702

SHA1
248816af74c304026df7a4061a6d982ca7c77321

SHA256
93649b84e0b89a67d012eaec886e4a5f22db958c69d5323b1ce5265a4f731af9

SHA512
a2c5201130c73653d15ac3fbe9d12db3324daaab77ca61e380690ef49da30d12fdb90a63ccc959fd0e0d6e489a30800f68e7c4fc5ae36526444cb0bc6a8aa874

Download Submit
C:\Windows\{F46AD940-EFE8-4d32-A821-493C92525814}.exe

Filesize
192KB

MD5
6cb3d121f457dbe7a6b8d3b5f0d1eecd

SHA1
899e9f5d1a3b39c87b3bd17e6e63ff24a47fc450

SHA256
4ba7b4fc1251971a9cf9eeeee8e947ae3900291fdf5bdc39fd369f93317afbb4

SHA512
635804a5c8b24ee6b0adcc111d2a1ed007061dd38a3d60e60e28b343394b573847252effed79211e1d78cea855c1ad0926811ac3dbbef5354a37454293b191de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads