ca812f3efb73d71f9bd9009f9499574193a465209cdc1fe8df2234793d0bf812

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
Size

168KB
MD5

3d938cf1cf3819b7ade33ae44c0af079
SHA1

78a46a9758095990867ef2dea90b88decd89ce80
SHA256

ca812f3efb73d71f9bd9009f9499574193a465209cdc1fe8df2234793d0bf812
SHA512

5752345fc39307675e18a49519c42b455a6b1f9b9f092a4e0f631fc4857939166cbce00eeef54721cdf3a3bf626ef2cb8381cff97083c4d5fd3042a971225c95
SSDEEP

1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f8-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231fd-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023204-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231fd-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB39379-322F-419f-AC18-92E94F36C2DD}	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}\stubpath = "C:\\Windows\\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe"	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478D9E42-3030-4248-A2B4-A2717C211022}	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{494AB0A6-C19F-437b-A079-76A6150C1DA8}\stubpath = "C:\\Windows\\{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe"	{478D9E42-3030-4248-A2B4-A2717C211022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A320539-B5A9-4745-A0B7-FC128FD663DA}	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049AB883-A0A0-42e8-A986-40B688539F37}\stubpath = "C:\\Windows\\{049AB883-A0A0-42e8-A986-40B688539F37}.exe"	{488AF874-0767-4316-8578-CBCDABFBB111}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{482489AB-931A-4a34-9CA9-EB60454F37A1}	{049AB883-A0A0-42e8-A986-40B688539F37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A320539-B5A9-4745-A0B7-FC128FD663DA}\stubpath = "C:\\Windows\\{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe"	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A4F60AA-C145-453f-B13F-F234CE006DC2}\stubpath = "C:\\Windows\\{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exe"	{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{488AF874-0767-4316-8578-CBCDABFBB111}	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{488AF874-0767-4316-8578-CBCDABFBB111}\stubpath = "C:\\Windows\\{488AF874-0767-4316-8578-CBCDABFBB111}.exe"	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049AB883-A0A0-42e8-A986-40B688539F37}	{488AF874-0767-4316-8578-CBCDABFBB111}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{482489AB-931A-4a34-9CA9-EB60454F37A1}\stubpath = "C:\\Windows\\{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe"	{049AB883-A0A0-42e8-A986-40B688539F37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}\stubpath = "C:\\Windows\\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe"	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}\stubpath = "C:\\Windows\\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe"	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}\stubpath = "C:\\Windows\\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe"	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478D9E42-3030-4248-A2B4-A2717C211022}\stubpath = "C:\\Windows\\{478D9E42-3030-4248-A2B4-A2717C211022}.exe"	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{494AB0A6-C19F-437b-A079-76A6150C1DA8}	{478D9E42-3030-4248-A2B4-A2717C211022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A4F60AA-C145-453f-B13F-F234CE006DC2}	{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB39379-322F-419f-AC18-92E94F36C2DD}\stubpath = "C:\\Windows\\{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe"	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe

Executes dropped EXE 12 IoCs

pid	Process
5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe
3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe
4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe
4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe
4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe
1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe
4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe
1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe
1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe
1100	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe
2028	{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe
4020	{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
File created	C:\Windows\{049AB883-A0A0-42e8-A986-40B688539F37}.exe	{488AF874-0767-4316-8578-CBCDABFBB111}.exe
File created	C:\Windows\{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe
File created	C:\Windows\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe
File created	C:\Windows\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe
File created	C:\Windows\{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe
File created	C:\Windows\{488AF874-0767-4316-8578-CBCDABFBB111}.exe	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe
File created	C:\Windows\{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe	{049AB883-A0A0-42e8-A986-40B688539F37}.exe
File created	C:\Windows\{478D9E42-3030-4248-A2B4-A2717C211022}.exe	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe
File created	C:\Windows\{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe	{478D9E42-3030-4248-A2B4-A2717C211022}.exe
File created	C:\Windows\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe
File created	C:\Windows\{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exe	{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3084	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe
Token: SeIncBasePriorityPrivilege	3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe
Token: SeIncBasePriorityPrivilege	4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe
Token: SeIncBasePriorityPrivilege	4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe
Token: SeIncBasePriorityPrivilege	4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe
Token: SeIncBasePriorityPrivilege	1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe
Token: SeIncBasePriorityPrivilege	4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe
Token: SeIncBasePriorityPrivilege	1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe
Token: SeIncBasePriorityPrivilege	1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe
Token: SeIncBasePriorityPrivilege	1100	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe
Token: SeIncBasePriorityPrivilege	2028	{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 5064	3084	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	97
PID 3084 wrote to memory of 5064	3084	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	97
PID 3084 wrote to memory of 5064	3084	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	97
PID 3084 wrote to memory of 1596	3084	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	98
PID 3084 wrote to memory of 1596	3084	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	98
PID 3084 wrote to memory of 1596	3084	2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe	98
PID 5064 wrote to memory of 3376	5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe	99
PID 5064 wrote to memory of 3376	5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe	99
PID 5064 wrote to memory of 3376	5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe	99
PID 5064 wrote to memory of 3652	5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe	100
PID 5064 wrote to memory of 3652	5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe	100
PID 5064 wrote to memory of 3652	5064	{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe	100
PID 3376 wrote to memory of 4852	3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe	102
PID 3376 wrote to memory of 4852	3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe	102
PID 3376 wrote to memory of 4852	3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe	102
PID 3376 wrote to memory of 3200	3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe	103
PID 3376 wrote to memory of 3200	3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe	103
PID 3376 wrote to memory of 3200	3376	{488AF874-0767-4316-8578-CBCDABFBB111}.exe	103
PID 4852 wrote to memory of 4460	4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe	104
PID 4852 wrote to memory of 4460	4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe	104
PID 4852 wrote to memory of 4460	4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe	104
PID 4852 wrote to memory of 4984	4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe	105
PID 4852 wrote to memory of 4984	4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe	105
PID 4852 wrote to memory of 4984	4852	{049AB883-A0A0-42e8-A986-40B688539F37}.exe	105
PID 4460 wrote to memory of 4360	4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe	106
PID 4460 wrote to memory of 4360	4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe	106
PID 4460 wrote to memory of 4360	4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe	106
PID 4460 wrote to memory of 2416	4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe	107
PID 4460 wrote to memory of 2416	4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe	107
PID 4460 wrote to memory of 2416	4460	{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe	107
PID 4360 wrote to memory of 1760	4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe	108
PID 4360 wrote to memory of 1760	4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe	108
PID 4360 wrote to memory of 1760	4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe	108
PID 4360 wrote to memory of 4488	4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe	109
PID 4360 wrote to memory of 4488	4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe	109
PID 4360 wrote to memory of 4488	4360	{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe	109
PID 1760 wrote to memory of 4312	1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe	110
PID 1760 wrote to memory of 4312	1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe	110
PID 1760 wrote to memory of 4312	1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe	110
PID 1760 wrote to memory of 4320	1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe	111
PID 1760 wrote to memory of 4320	1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe	111
PID 1760 wrote to memory of 4320	1760	{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe	111
PID 4312 wrote to memory of 1600	4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe	112
PID 4312 wrote to memory of 1600	4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe	112
PID 4312 wrote to memory of 1600	4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe	112
PID 4312 wrote to memory of 4900	4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe	113
PID 4312 wrote to memory of 4900	4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe	113
PID 4312 wrote to memory of 4900	4312	{478D9E42-3030-4248-A2B4-A2717C211022}.exe	113
PID 1600 wrote to memory of 1248	1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe	114
PID 1600 wrote to memory of 1248	1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe	114
PID 1600 wrote to memory of 1248	1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe	114
PID 1600 wrote to memory of 3912	1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe	115
PID 1600 wrote to memory of 3912	1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe	115
PID 1600 wrote to memory of 3912	1600	{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe	115
PID 1248 wrote to memory of 1100	1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe	116
PID 1248 wrote to memory of 1100	1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe	116
PID 1248 wrote to memory of 1100	1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe	116
PID 1248 wrote to memory of 4748	1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe	117
PID 1248 wrote to memory of 4748	1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe	117
PID 1248 wrote to memory of 4748	1248	{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe	117
PID 1100 wrote to memory of 2028	1100	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe	118
PID 1100 wrote to memory of 2028	1100	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe	118
PID 1100 wrote to memory of 2028	1100	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe	118
PID 1100 wrote to memory of 2760	1100	{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe
  C:\Windows\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\{488AF874-0767-4316-8578-CBCDABFBB111}.exe
    C:\Windows\{488AF874-0767-4316-8578-CBCDABFBB111}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\{049AB883-A0A0-42e8-A986-40B688539F37}.exe
      C:\Windows\{049AB883-A0A0-42e8-A986-40B688539F37}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe
        
        C:\Windows\{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe
        
        C:\Windows\{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe
        
        C:\Windows\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{478D9E42-3030-4248-A2B4-A2717C211022}.exe
        
        C:\Windows\{478D9E42-3030-4248-A2B4-A2717C211022}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe
        
        C:\Windows\{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe
        
        C:\Windows\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe
        
        C:\Windows\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe
        
        C:\Windows\{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exe
        
        C:\Windows\{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exe
        13⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A320~1.EXE > nul
        13⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3EC2~1.EXE > nul
        12⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BC4B~1.EXE > nul
        11⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{494AB~1.EXE > nul
        10⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{478D9~1.EXE > nul
        9⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937BB~1.EXE > nul
        8⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEB39~1.EXE > nul
        7⤵
        
        PID:4488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48248~1.EXE > nul
        6⤵
        
        PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{049AB~1.EXE > nul
        5⤵
        
        PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{488AF~1.EXE > nul
      4⤵
      PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14150~1.EXE > nul
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{049AB883-A0A0-42e8-A986-40B688539F37}.exe

Filesize
168KB

MD5
634c25fcf0d7c47675c86d0cdc4e02a0

SHA1
b87af5cf9ef3d54c69ba5549a78694020552e437

SHA256
d5852a6d64e9dd33815b6cdaf42ed095a05d9ca224a498bc695a9bd37b3065d2

SHA512
e4440f01c3968eecf878a24e23aa5757292ed58ab515aa5db42153a4290c4036e4590205bb76c9fe812ba24f8e3ea37c6f72137230f60b06c527ed68927bd130

Download Submit
C:\Windows\{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exe

Filesize
168KB

MD5
cf707e8a97e18d77347770aebc3a7b1f

SHA1
8ff3fd38dd27e6a1abd82ade062c8c4b17dff763

SHA256
e7fba89cdbde356e89cf73e954260dcd0fca38f82a82d0cb49ddf5283de7bf09

SHA512
2c010c4a8dfb1174ea29f07821246520023fd32686693463485d7f43ae9f1166a6b34c9323f40c1f323f4ced7406b6f9df8e07e48dd540758f898d09a091c882

Download Submit
C:\Windows\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe

Filesize
168KB

MD5
c3691b3f31363790909f9672b1d45ee0

SHA1
0f5dafb21daaa94b9051913e3b025f3337681c15

SHA256
3f7dd7046e5588c5a94f294866cfa54940f9d670887d203e5c9dd2bfd99cbdbd

SHA512
0aa4d316ba53006278d1d169a1cac4d587358c87ba4d79cdde584ace05b8935fc4c3f44735c0319bd15c480d5092cf0f9968c26aacf9416d26f5051ac04ee583

Download Submit
C:\Windows\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe

Filesize
168KB

MD5
ad1409a6bfdbfc105467dc53888c624c

SHA1
ef11c38fd42b66a22062f0363b2538c76b95daf9

SHA256
40f744f7bc084f001d087eaa19b66450be10ca453f06cecf8db8099f3ce1f2eb

SHA512
eb7ea3973dfbdb2eb86e886ab2055c2c8ff381ff71b45b2b3e5b0023ce973853ebf9c30d9999bdb2bf0e1362290a6357080d5b58318964c011b6de5f05431926

Download Submit
C:\Windows\{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe

Filesize
168KB

MD5
87ca777dbc4309c9c416d038ff0e3e76

SHA1
60f312dd68b31567758bd49205b9cba235787799

SHA256
3a2af05145caf11fd451733b78c3e6bad2a0f11046887836376b57e8a9be79e9

SHA512
ca6dd02b95819b6fda36dbdbbb501a6d0ac4a70884bf0dbf8337657536df0df647c919b5a02855c022d9402c3f126fdee5ca3704dce0c0d4bf41c5d36c82feb5

Download Submit
C:\Windows\{478D9E42-3030-4248-A2B4-A2717C211022}.exe

Filesize
168KB

MD5
c70af90672afbc8cc7448898a0a19484

SHA1
860b1382e6cf92cb3d103c875b1483ecad8acfe1

SHA256
dc844dc649f3a09be2632f0e74ce75456afc6cc7c91b64d3081b4d60ad43dd67

SHA512
a72e8531917059848f807c7bbdf76ab56549b29a8f71fe0aad74727898d9711d46c084faf7cef3008afd7b83bc2906b3fbe3a0bcbad9307321323ef188053530

Download Submit
C:\Windows\{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe

Filesize
168KB

MD5
67bec0f3fd9781ef5d9834c2807a68df

SHA1
ea3dbc4507baf3454de1f1fbd52c0a106c7a87e6

SHA256
d2528120aa473ad1e7d31cd183940e26071a9439664bf3ea6231b79b004d5a6f

SHA512
cbfdcd068539aa420816fde5d3f25e685cf0db2e9f269fa90a83667fced3300ff01cc234596a2a31750bae7484b2000e839fb33f1d0a956f01e21728e5d223f8

Download Submit
C:\Windows\{488AF874-0767-4316-8578-CBCDABFBB111}.exe

Filesize
168KB

MD5
2f9f5379fdc3bc2f0a16b78240f51e10

SHA1
5e1d772aa67431f18443659fab4725dff0fc0bb0

SHA256
163985f31080f4e37cf67c6cb8dfb59439e0226487864f45241e0bc477799d13

SHA512
5eb3972329c074e556d313b78477a2ae5fdf8035cd4fd221c04c5b242bce1c1d1f7a32c36a85427698efc5b608ec2a3152ff27d99c93876f23195a91648e4161

Download Submit
C:\Windows\{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe

Filesize
168KB

MD5
8d4493a4245e8063299c2d30d198a544

SHA1
86748c7a141426171008905304262572c9dcb63f

SHA256
56f90175325b15068a26e3901ab794785e35660071ff17ea41610baf026818fa

SHA512
280040f479e1ecb6bd6bce2994473724718fab8215dd0e0986e93e9bcc1802c1caa05a2fa9a3c2b89c5eacfd0fc91a48e1f196578e6cffa6be44c1c400c89f73

Download Submit
C:\Windows\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe

Filesize
168KB

MD5
b388de96a93cd6de2a855e34b471dd5f

SHA1
757aa4ad2ebce9bfa6cdf8f6782574705f70d199

SHA256
56a077511be670bf332b43772457cea82823d06c72fd4df8481d86b076508c3a

SHA512
1d346492620c9369dc93f65080e6f4737936e62219f00101625e2f511ccf21add7ab72eeec49b48372b9a100afb4cc03e0616e9971ffae6c71caf44ab4af1c65

Download Submit
C:\Windows\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe

Filesize
168KB

MD5
88717be2091fc0b1f6e7ca0237c13774

SHA1
c73248df7ce52b12df193862732ebb6f74e26519

SHA256
1fe0b8dd740cbd8e5d10fb681049ad7931e59e03ae87b3943cd72772dda59dcc

SHA512
aff633c81e165d306dccae18ef36f7248284d8538a1d9ff76e9a874748fcb6dcdd682098f30f1405e7dc352ea7e28bbb29b51a18775ac3657e07d5d8f32d13a7

Download Submit
C:\Windows\{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe

Filesize
168KB

MD5
702897da432752de5bd8f40765afae73

SHA1
c696f5b6fb4b2bf315ffb9036b49a177f2262246

SHA256
417b64f381c62a39d96ece2328f25cfab9baf2271660fbeeb53392daa06f4486

SHA512
b71422995ccde73697d380573a40fabd25115c848db67f0db41a96a723ca1c9e50014bc2a5ff5a7506d5e7aa40af7f59b7d8a0f03ca36338f887151f06939832

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads