c281be6b2f5e72f7c790367a3db6fb9cd2f88fa90ac1c4e296617fd964b7a3bc

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe
Size

168KB
MD5

8769bc23913880ab6337d62fb4f6fca8
SHA1

69c6ae737b352ac04b540ecbdad0c21a52f4ded6
SHA256

c281be6b2f5e72f7c790367a3db6fb9cd2f88fa90ac1c4e296617fd964b7a3bc
SHA512

5bbd9fe9cb596ff36f3f44555ceb34a7b91e73c277a5bd932c5c62990b9ae00509c7517d905d6f4350604025cdda85cd17f9d7bdea73b153f167bdf40032f5ad
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ee-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fc-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c5-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c5-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c5-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000006c5-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70D436E-7E27-431d-83BE-3A6F972275BD}	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70D436E-7E27-431d-83BE-3A6F972275BD}\stubpath = "C:\\Windows\\{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe"	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641FBA1A-9658-4440-B838-3A8FE8F8C53D}\stubpath = "C:\\Windows\\{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe"	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138D7576-B464-4424-9BC1-6B194FD2B78B}\stubpath = "C:\\Windows\\{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe"	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E674D45-F847-4acb-873B-6901AAB0F272}\stubpath = "C:\\Windows\\{7E674D45-F847-4acb-873B-6901AAB0F272}.exe"	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}	{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB6983F-B02B-40c6-987E-FDF295009B6E}	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138D7576-B464-4424-9BC1-6B194FD2B78B}	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD21CE5E-A217-4dc8-A19A-1001388FAB86}\stubpath = "C:\\Windows\\{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe"	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C97ACDD8-EA18-46c9-87BA-69AA23516C40}\stubpath = "C:\\Windows\\{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe"	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}\stubpath = "C:\\Windows\\{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe"	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7602910F-CEF0-441c-857E-4F424B50DEA5}	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E05F97-EA00-4a19-B8A4-6722A475290D}	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E05F97-EA00-4a19-B8A4-6722A475290D}\stubpath = "C:\\Windows\\{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe"	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}\stubpath = "C:\\Windows\\{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}.exe"	{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641FBA1A-9658-4440-B838-3A8FE8F8C53D}	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E674D45-F847-4acb-873B-6901AAB0F272}	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD21CE5E-A217-4dc8-A19A-1001388FAB86}	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C97ACDD8-EA18-46c9-87BA-69AA23516C40}	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA44258-3D77-4e04-AC66-533EA7E2BD65}\stubpath = "C:\\Windows\\{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe"	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7602910F-CEF0-441c-857E-4F424B50DEA5}\stubpath = "C:\\Windows\\{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe"	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB6983F-B02B-40c6-987E-FDF295009B6E}\stubpath = "C:\\Windows\\{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe"	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA44258-3D77-4e04-AC66-533EA7E2BD65}	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe

Executes dropped EXE 12 IoCs

pid	Process
1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe
3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe
4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe
3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe
4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe
4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe
1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe
2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe
4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe
4448	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe
668	{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe
1504	{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe
File created	C:\Windows\{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe
File created	C:\Windows\{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe
File created	C:\Windows\{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe
File created	C:\Windows\{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe
File created	C:\Windows\{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}.exe	{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe
File created	C:\Windows\{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe
File created	C:\Windows\{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe
File created	C:\Windows\{7E674D45-F847-4acb-873B-6901AAB0F272}.exe	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe
File created	C:\Windows\{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe
File created	C:\Windows\{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe
File created	C:\Windows\{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1736	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe
Token: SeIncBasePriorityPrivilege	3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe
Token: SeIncBasePriorityPrivilege	4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe
Token: SeIncBasePriorityPrivilege	3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe
Token: SeIncBasePriorityPrivilege	4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe
Token: SeIncBasePriorityPrivilege	4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe
Token: SeIncBasePriorityPrivilege	1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe
Token: SeIncBasePriorityPrivilege	2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe
Token: SeIncBasePriorityPrivilege	4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe
Token: SeIncBasePriorityPrivilege	4448	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe
Token: SeIncBasePriorityPrivilege	668	{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1988	1736	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe	90
PID 1736 wrote to memory of 1988	1736	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe	90
PID 1736 wrote to memory of 1988	1736	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe	90
PID 1736 wrote to memory of 2844	1736	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe	91
PID 1736 wrote to memory of 2844	1736	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe	91
PID 1736 wrote to memory of 2844	1736	2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe	91
PID 1988 wrote to memory of 3028	1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe	94
PID 1988 wrote to memory of 3028	1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe	94
PID 1988 wrote to memory of 3028	1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe	94
PID 1988 wrote to memory of 5032	1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe	95
PID 1988 wrote to memory of 5032	1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe	95
PID 1988 wrote to memory of 5032	1988	{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe	95
PID 3028 wrote to memory of 4768	3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe	97
PID 3028 wrote to memory of 4768	3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe	97
PID 3028 wrote to memory of 4768	3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe	97
PID 3028 wrote to memory of 4748	3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe	98
PID 3028 wrote to memory of 4748	3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe	98
PID 3028 wrote to memory of 4748	3028	{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe	98
PID 4768 wrote to memory of 3324	4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe	99
PID 4768 wrote to memory of 3324	4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe	99
PID 4768 wrote to memory of 3324	4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe	99
PID 4768 wrote to memory of 408	4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe	100
PID 4768 wrote to memory of 408	4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe	100
PID 4768 wrote to memory of 408	4768	{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe	100
PID 3324 wrote to memory of 4040	3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe	101
PID 3324 wrote to memory of 4040	3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe	101
PID 3324 wrote to memory of 4040	3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe	101
PID 3324 wrote to memory of 2860	3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe	102
PID 3324 wrote to memory of 2860	3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe	102
PID 3324 wrote to memory of 2860	3324	{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe	102
PID 4040 wrote to memory of 4548	4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe	103
PID 4040 wrote to memory of 4548	4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe	103
PID 4040 wrote to memory of 4548	4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe	103
PID 4040 wrote to memory of 3500	4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe	104
PID 4040 wrote to memory of 3500	4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe	104
PID 4040 wrote to memory of 3500	4040	{7E674D45-F847-4acb-873B-6901AAB0F272}.exe	104
PID 4548 wrote to memory of 1480	4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe	105
PID 4548 wrote to memory of 1480	4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe	105
PID 4548 wrote to memory of 1480	4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe	105
PID 4548 wrote to memory of 3648	4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe	106
PID 4548 wrote to memory of 3648	4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe	106
PID 4548 wrote to memory of 3648	4548	{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe	106
PID 1480 wrote to memory of 2700	1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe	107
PID 1480 wrote to memory of 2700	1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe	107
PID 1480 wrote to memory of 2700	1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe	107
PID 1480 wrote to memory of 464	1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe	108
PID 1480 wrote to memory of 464	1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe	108
PID 1480 wrote to memory of 464	1480	{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe	108
PID 2700 wrote to memory of 4568	2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe	109
PID 2700 wrote to memory of 4568	2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe	109
PID 2700 wrote to memory of 4568	2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe	109
PID 2700 wrote to memory of 2792	2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe	110
PID 2700 wrote to memory of 2792	2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe	110
PID 2700 wrote to memory of 2792	2700	{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe	110
PID 4568 wrote to memory of 4448	4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe	111
PID 4568 wrote to memory of 4448	4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe	111
PID 4568 wrote to memory of 4448	4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe	111
PID 4568 wrote to memory of 4928	4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe	112
PID 4568 wrote to memory of 4928	4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe	112
PID 4568 wrote to memory of 4928	4568	{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe	112
PID 4448 wrote to memory of 668	4448	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe	113
PID 4448 wrote to memory of 668	4448	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe	113
PID 4448 wrote to memory of 668	4448	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe	113
PID 4448 wrote to memory of 2152	4448	{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_8769bc23913880ab6337d62fb4f6fca8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe
  C:\Windows\{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe
    C:\Windows\{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe
      C:\Windows\{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe
        
        C:\Windows\{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Windows\{7E674D45-F847-4acb-873B-6901AAB0F272}.exe
        
        C:\Windows\{7E674D45-F847-4acb-873B-6901AAB0F272}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe
        
        C:\Windows\{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe
        
        C:\Windows\{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe
        
        C:\Windows\{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe
        
        C:\Windows\{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe
        
        C:\Windows\{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe
        
        C:\Windows\{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}.exe
        
        C:\Windows\{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}.exe
        13⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95E05~1.EXE > nul
        13⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76029~1.EXE > nul
        12⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{019B6~1.EXE > nul
        11⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DA44~1.EXE > nul
        10⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C97AC~1.EXE > nul
        9⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD21C~1.EXE > nul
        8⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E674~1.EXE > nul
        7⤵
        
        PID:3500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{138D7~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{641FB~1.EXE > nul
        5⤵
        
        PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB69~1.EXE > nul
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C70D4~1.EXE > nul
    3⤵
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{019B6BF3-0B93-415e-92B5-9862BE4EE1B8}.exe

Filesize
168KB

MD5
d4997c7918b5ecab8e66a6b2074b0d6b

SHA1
b5b0ba9f8f1b40f804d859afa0b783d626956599

SHA256
e0e716ef88ee5a246cffcd6634e63e29ae9b1d03c57826d8900d4e1fe64f15ee

SHA512
b5496f3039e9a54303d0dd4eea41c3a637c894fb457dec067e642443d19fccb1ef185a25392be7a7befe7b818b235f686f34e55ff61817bcfdaf4a264b08f07d

Download Submit
C:\Windows\{138D7576-B464-4424-9BC1-6B194FD2B78B}.exe

Filesize
168KB

MD5
c0ce03810ccc0c844cda87c7a162d8b9

SHA1
1491b1b5d067150aee72475f70c5a12a8dd791ad

SHA256
74aea6e509fa1c0a594712697c4883c41f67a41848e9aabaf3233929d99ca9a6

SHA512
9647e5e80289dc8785de8945ed00c48d9b8fc5c7280b513a3d5b71a7df376a391296129940e5309337e73f8c59ef6cf92bf3fafdc0f8f05b455ae33d2c1228b1

Download Submit
C:\Windows\{3DA44258-3D77-4e04-AC66-533EA7E2BD65}.exe

Filesize
168KB

MD5
9c5e5d4e237f227a376beab54b2c4b32

SHA1
63fe37c35d6fa6f5f370f996a819434a09714bfe

SHA256
9934cc43609c9cd7d9772cf33159b1f0866eda15d6157173c5fb225e8c3c6fa7

SHA512
ba2ee33cb4bde7eb5e556ef117eeb7648d0ca84b283355eae6e634985bb84713479c74aa77fd5ac60a1f6a2acccb5f707ddbc7b9482ceb9133ecfadbd9b427f1

Download Submit
C:\Windows\{641FBA1A-9658-4440-B838-3A8FE8F8C53D}.exe

Filesize
168KB

MD5
2c2caf2c989834828cd790c54f51cb03

SHA1
42d795d5e3caab1a7556ca770aa2bd6795734a31

SHA256
00fdfe66adecc6a6ada42622fa4a9a62f09c9b1352aa84600a6e5a47a0f52101

SHA512
f4b0b49675338309ead300da75f7f8e35cf33daa0ed3b3385bf73ace1d8a564621b4ca832550eba7c17faea4372c4693ec61a34bbc4c3d51bfbce80e0925d855

Download Submit
C:\Windows\{6732F21C-2AFE-45a9-BDF4-CE2EB368F97B}.exe

Filesize
168KB

MD5
6102da3d4aa82ab2349ac12948d323d2

SHA1
50356176068c151a28ede24f5f54d60691ed34ac

SHA256
39fdb2d9cb8ecda2b19ba2f21641f90b9fc6eb00bbe46da61944473a3a317ff8

SHA512
a88411c22a9ac43a7f1231392f9001645c077c5efe8f37f578191b3249647d0da49c1619fc308c5c9201db52ec8d342874dab251e9741cd6288a9bc7394bd215

Download Submit
C:\Windows\{7602910F-CEF0-441c-857E-4F424B50DEA5}.exe

Filesize
168KB

MD5
7436c33bd475781db5e25a4ff9b02b0b

SHA1
f8d45b72aa927eff4bec49213023d4818254c483

SHA256
b83a64e40deed95f466508f34ada80a4e72d4ad52451acc520dc906e8707c6c2

SHA512
3790386825953585435dedb2bd4a716240e29faadc7873309b620367aac26f31a745a34a0064b76bdc8073153a218d65957654ce9716750ac399bc65296d596e

Download Submit
C:\Windows\{7E674D45-F847-4acb-873B-6901AAB0F272}.exe

Filesize
168KB

MD5
714c673cada18edb67d929c5563cf572

SHA1
9a091d89a95e7469644148b0889c111a05c257a8

SHA256
58f5511511e17b511777f011c8c8bd892fd2c614929a6a9bd90ebdb47e866d3e

SHA512
49aa8f970ff488f06fdf4fc77670aee4c0af20d6c28e5ef26b6708387a36e76fb164ae048837cedde41a91e1388a0ae92767e1195b9a0021f84bca48236f0039

Download Submit
C:\Windows\{7FB6983F-B02B-40c6-987E-FDF295009B6E}.exe

Filesize
168KB

MD5
a1cb5d68fc32250447ecd7b0496b81d9

SHA1
c00ff0a5f5e34aa0adf2455bb75238e2ccf65c31

SHA256
35caa9c7bb32ea135ffc6b88efe0e720ed014dbc09d01e34bb41cd2031835259

SHA512
2b3aacf70e53d07293618f5a7263a95b687f1fa89814e9853707e5515e0e4fca80b84940949ce29eb003f175c9ea48065c0f19cd4903b0fac6ec105bfea6eaf4

Download Submit
C:\Windows\{95E05F97-EA00-4a19-B8A4-6722A475290D}.exe

Filesize
168KB

MD5
00935d8b621adc3dec6ad39007787fca

SHA1
51b22d478ae6651b1218e0d3f309bef0e911f751

SHA256
350d4c9bdc92ad4cfbc9691c7a9cdb7bb5c7e0e8d8b0049d15bfadf1f84e7e7e

SHA512
7b85dcaf97f40acb69e3c704e127c1f7751bfec393ee81eb773760df5cfd1d8b8c8cc5f07e8fa0fa0d71f901c01135bbe4324b8a805de58f7c81f184717002a1

Download Submit
C:\Windows\{C70D436E-7E27-431d-83BE-3A6F972275BD}.exe

Filesize
168KB

MD5
2e5e87194e53ea84a12982708d11bc40

SHA1
4f8901b6cee465a2a515c3c4b06a00bb7af2a965

SHA256
80bc0eb02e25060b84c6dccb3edf7e4b7edaaab9a763d88f60f1feea59d49f30

SHA512
bb13678c2695b1e4fa3229827693204fc491413f5b716bfd255cf38ae74815df05a036b5828b9d23496dc0ec54eb4a5075f9e3f49e512e2681ba786103be77a3

Download Submit
C:\Windows\{C97ACDD8-EA18-46c9-87BA-69AA23516C40}.exe

Filesize
168KB

MD5
4131fe9ec7e7a297df369e464d0ec55a

SHA1
166c8026f67689ab5b43b466f77037a51b9c91b4

SHA256
a9e26053411445a9f35b8e11e724e78061c765a4a2f31e22bd81cb87cfd87581

SHA512
dcec8409146b9322d1d620e572cd0f08d95857bdd843d3d142dd9d25ca5d1f41a10498f1949903c0b703ee32702c99d9c4b8aedefeff205aa740412b833c0b96

Download Submit
C:\Windows\{DD21CE5E-A217-4dc8-A19A-1001388FAB86}.exe

Filesize
168KB

MD5
54a930fbbaffc40e20eb3f2cf6546a2d

SHA1
fe73f89b4b65f5aaf715bf51ac1cd301ea154f99

SHA256
be73a3c4d8e62362f92fed9bd76b63958c97d7c6d12292330ec5cdffcbb6a873

SHA512
15e48923b2bb9fce476b3823a097681f0178630f084a1a78964f340fdbc26880655c0ae7cfb4be2614ba616109d52175d10c1642773632fd43337f5474c33357

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads