e601d952c6105456ca17350256dead8f23bae0d937cbde11a8d3617663059d15

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe
Size

380KB
MD5

4f2b46e3a4469d03974536a46e9e7e86
SHA1

24113e88722eb2545edd3643d0c8f642df817aad
SHA256

e601d952c6105456ca17350256dead8f23bae0d937cbde11a8d3617663059d15
SHA512

79519c8d3a99186013ec2ca035ac17a5da597fb4e5018741e05d8f3213d4c34392fb3f08a2b86958b9c86aee0f38838f5ebac644ad94a3b0b8af0ce70cb8f27b
SSDEEP

3072:mEGh0odlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGvl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320e-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023215-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023215-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023024-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}\stubpath = "C:\\Windows\\{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe"	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}	{31CAF153-22F4-432f-9196-DB94A02760C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}\stubpath = "C:\\Windows\\{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}.exe"	{31CAF153-22F4-432f-9196-DB94A02760C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}\stubpath = "C:\\Windows\\{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe"	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}	{40035012-9A03-4922-A648-3494CD739761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40035012-9A03-4922-A648-3494CD739761}\stubpath = "C:\\Windows\\{40035012-9A03-4922-A648-3494CD739761}.exe"	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53AF48E8-DB8F-42fd-8245-6A05D5E67390}	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E930F2-CC2A-42c5-A625-8139AC857167}	{084A8367-7108-403f-97C5-67818DEF0839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E930F2-CC2A-42c5-A625-8139AC857167}\stubpath = "C:\\Windows\\{95E930F2-CC2A-42c5-A625-8139AC857167}.exe"	{084A8367-7108-403f-97C5-67818DEF0839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40035012-9A03-4922-A648-3494CD739761}	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD525AFF-7516-44b4-BEED-2136286D9AF8}\stubpath = "C:\\Windows\\{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe"	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084A8367-7108-403f-97C5-67818DEF0839}	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084A8367-7108-403f-97C5-67818DEF0839}\stubpath = "C:\\Windows\\{084A8367-7108-403f-97C5-67818DEF0839}.exe"	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53AF48E8-DB8F-42fd-8245-6A05D5E67390}\stubpath = "C:\\Windows\\{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe"	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD525AFF-7516-44b4-BEED-2136286D9AF8}	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}\stubpath = "C:\\Windows\\{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe"	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31CAF153-22F4-432f-9196-DB94A02760C0}	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31CAF153-22F4-432f-9196-DB94A02760C0}\stubpath = "C:\\Windows\\{31CAF153-22F4-432f-9196-DB94A02760C0}.exe"	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}\stubpath = "C:\\Windows\\{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe"	{40035012-9A03-4922-A648-3494CD739761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}\stubpath = "C:\\Windows\\{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe"	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe

Executes dropped EXE 12 IoCs

pid	Process
4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe
4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe
2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe
908	{40035012-9A03-4922-A648-3494CD739761}.exe
3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe
1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe
3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe
2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe
4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe
2756	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe
2888	{31CAF153-22F4-432f-9196-DB94A02760C0}.exe
3412	{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{95E930F2-CC2A-42c5-A625-8139AC857167}.exe	{084A8367-7108-403f-97C5-67818DEF0839}.exe
File created	C:\Windows\{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe
File created	C:\Windows\{40035012-9A03-4922-A648-3494CD739761}.exe	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe
File created	C:\Windows\{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe
File created	C:\Windows\{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe
File created	C:\Windows\{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}.exe	{31CAF153-22F4-432f-9196-DB94A02760C0}.exe
File created	C:\Windows\{084A8367-7108-403f-97C5-67818DEF0839}.exe	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe
File created	C:\Windows\{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe	{40035012-9A03-4922-A648-3494CD739761}.exe
File created	C:\Windows\{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe
File created	C:\Windows\{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe
File created	C:\Windows\{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe
File created	C:\Windows\{31CAF153-22F4-432f-9196-DB94A02760C0}.exe	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3648	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe
Token: SeIncBasePriorityPrivilege	4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe
Token: SeIncBasePriorityPrivilege	2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe
Token: SeIncBasePriorityPrivilege	908	{40035012-9A03-4922-A648-3494CD739761}.exe
Token: SeIncBasePriorityPrivilege	3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe
Token: SeIncBasePriorityPrivilege	1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe
Token: SeIncBasePriorityPrivilege	3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe
Token: SeIncBasePriorityPrivilege	2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe
Token: SeIncBasePriorityPrivilege	4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe
Token: SeIncBasePriorityPrivilege	2756	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe
Token: SeIncBasePriorityPrivilege	2888	{31CAF153-22F4-432f-9196-DB94A02760C0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 4952	3648	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe	97
PID 3648 wrote to memory of 4952	3648	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe	97
PID 3648 wrote to memory of 4952	3648	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe	97
PID 3648 wrote to memory of 3828	3648	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe	98
PID 3648 wrote to memory of 3828	3648	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe	98
PID 3648 wrote to memory of 3828	3648	2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe	98
PID 4952 wrote to memory of 4152	4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe	99
PID 4952 wrote to memory of 4152	4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe	99
PID 4952 wrote to memory of 4152	4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe	99
PID 4952 wrote to memory of 4352	4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe	100
PID 4952 wrote to memory of 4352	4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe	100
PID 4952 wrote to memory of 4352	4952	{084A8367-7108-403f-97C5-67818DEF0839}.exe	100
PID 4152 wrote to memory of 2896	4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe	102
PID 4152 wrote to memory of 2896	4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe	102
PID 4152 wrote to memory of 2896	4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe	102
PID 4152 wrote to memory of 4996	4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe	103
PID 4152 wrote to memory of 4996	4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe	103
PID 4152 wrote to memory of 4996	4152	{95E930F2-CC2A-42c5-A625-8139AC857167}.exe	103
PID 2896 wrote to memory of 908	2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe	104
PID 2896 wrote to memory of 908	2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe	104
PID 2896 wrote to memory of 908	2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe	104
PID 2896 wrote to memory of 1392	2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe	105
PID 2896 wrote to memory of 1392	2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe	105
PID 2896 wrote to memory of 1392	2896	{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe	105
PID 908 wrote to memory of 3100	908	{40035012-9A03-4922-A648-3494CD739761}.exe	106
PID 908 wrote to memory of 3100	908	{40035012-9A03-4922-A648-3494CD739761}.exe	106
PID 908 wrote to memory of 3100	908	{40035012-9A03-4922-A648-3494CD739761}.exe	106
PID 908 wrote to memory of 3344	908	{40035012-9A03-4922-A648-3494CD739761}.exe	107
PID 908 wrote to memory of 3344	908	{40035012-9A03-4922-A648-3494CD739761}.exe	107
PID 908 wrote to memory of 3344	908	{40035012-9A03-4922-A648-3494CD739761}.exe	107
PID 3100 wrote to memory of 1292	3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe	108
PID 3100 wrote to memory of 1292	3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe	108
PID 3100 wrote to memory of 1292	3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe	108
PID 3100 wrote to memory of 4884	3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe	109
PID 3100 wrote to memory of 4884	3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe	109
PID 3100 wrote to memory of 4884	3100	{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe	109
PID 1292 wrote to memory of 3772	1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe	110
PID 1292 wrote to memory of 3772	1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe	110
PID 1292 wrote to memory of 3772	1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe	110
PID 1292 wrote to memory of 3220	1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe	111
PID 1292 wrote to memory of 3220	1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe	111
PID 1292 wrote to memory of 3220	1292	{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe	111
PID 3772 wrote to memory of 2176	3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe	112
PID 3772 wrote to memory of 2176	3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe	112
PID 3772 wrote to memory of 2176	3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe	112
PID 3772 wrote to memory of 4972	3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe	113
PID 3772 wrote to memory of 4972	3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe	113
PID 3772 wrote to memory of 4972	3772	{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe	113
PID 2176 wrote to memory of 4892	2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe	114
PID 2176 wrote to memory of 4892	2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe	114
PID 2176 wrote to memory of 4892	2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe	114
PID 2176 wrote to memory of 1152	2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe	115
PID 2176 wrote to memory of 1152	2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe	115
PID 2176 wrote to memory of 1152	2176	{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe	115
PID 4892 wrote to memory of 2756	4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe	116
PID 4892 wrote to memory of 2756	4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe	116
PID 4892 wrote to memory of 2756	4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe	116
PID 4892 wrote to memory of 5108	4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe	117
PID 4892 wrote to memory of 5108	4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe	117
PID 4892 wrote to memory of 5108	4892	{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe	117
PID 2756 wrote to memory of 2888	2756	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe	118
PID 2756 wrote to memory of 2888	2756	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe	118
PID 2756 wrote to memory of 2888	2756	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe	118
PID 2756 wrote to memory of 2480	2756	{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_4f2b46e3a4469d03974536a46e9e7e86_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\{084A8367-7108-403f-97C5-67818DEF0839}.exe
  C:\Windows\{084A8367-7108-403f-97C5-67818DEF0839}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\{95E930F2-CC2A-42c5-A625-8139AC857167}.exe
    C:\Windows\{95E930F2-CC2A-42c5-A625-8139AC857167}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Windows\{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe
      C:\Windows\{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\{40035012-9A03-4922-A648-3494CD739761}.exe
        
        C:\Windows\{40035012-9A03-4922-A648-3494CD739761}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe
        
        C:\Windows\{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe
        
        C:\Windows\{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe
        
        C:\Windows\{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe
        
        C:\Windows\{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe
        
        C:\Windows\{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe
        
        C:\Windows\{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{31CAF153-22F4-432f-9196-DB94A02760C0}.exe
        
        C:\Windows\{31CAF153-22F4-432f-9196-DB94A02760C0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}.exe
        
        C:\Windows\{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}.exe
        13⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31CAF~1.EXE > nul
        13⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BC88~1.EXE > nul
        12⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD525~1.EXE > nul
        11⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53AF4~1.EXE > nul
        10⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A5BE~1.EXE > nul
        9⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8136A~1.EXE > nul
        8⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A396~1.EXE > nul
        7⤵
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40035~1.EXE > nul
        6⤵
        
        PID:3344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A298~1.EXE > nul
        5⤵
        
        PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{95E93~1.EXE > nul
      4⤵
      PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{084A8~1.EXE > nul
    3⤵
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{084A8367-7108-403f-97C5-67818DEF0839}.exe

Filesize
380KB

MD5
724e096c215897a1fba724895cf5a5d0

SHA1
76cade228429a209ca180efca7bf0e30d48e0673

SHA256
d162026d1c76ab493e962940392e2e0e1295bff9419fc217c2a9a733ab3b9bd0

SHA512
3646e5cdc67b20a4af27808d141a06dadb422e109c20ee6055f108c072d1c95f129ec82cb6fc964d865a8a47c5e5eeee96a5ac2752db38590272feda735f2c91

Download Submit
C:\Windows\{2BC88FAF-4403-477a-A3B0-C9D21CB6ECD7}.exe

Filesize
380KB

MD5
809d7b3c99193b695ccd4c13f8bde8da

SHA1
d83f27ff6ae79b7409cd85d9e2dfd31e1b1e10a6

SHA256
653585ce672231225a86accbb79c8710815f68691ad90b93fbfceaa1b07d11ef

SHA512
c09da28d3e41e92315df545aef784e2af0caed45d6b867a9d115579c9755677cde2f5f6f2f2e14049dfccf4742cd5109b43a1bcad135e963dd01594f492ddfc8

Download Submit
C:\Windows\{31CAF153-22F4-432f-9196-DB94A02760C0}.exe

Filesize
380KB

MD5
b6c7456bd9f6b38f9ad8a773d5def4bf

SHA1
536ed151f45f70769a60fbeda4b4e25ada1ce762

SHA256
74d84fee4c2004cf219d4c4838108ef8bc0e78bbc2c1679b32868bf3854ea2ad

SHA512
c988c678d9d908d8f968d57366fa0ae57757915684074bc3cbcbf57cfd8507d0e68a84f86d1a4a9aee465ee5a70a31f54a09f60ddc3ef423ca7cd9278411e87a

Download Submit
C:\Windows\{40035012-9A03-4922-A648-3494CD739761}.exe

Filesize
380KB

MD5
5d9ad9a49179a695273c5822adbf6cfd

SHA1
cccc3deef1f7f8052e010fc8e1a4a54e4115d812

SHA256
a2b4c40f6332adedc9b9f83e3b519ded33045997c4d1a132758b331e48e1f917

SHA512
5b827d39d015f548e13038210bd72ca38fc4a08c9c895c22fed7c7e4017d6434b98300bffea533cd37b9409e0f6a80f7890ec0781326ac49f23dbcc44eac239f

Download Submit
C:\Windows\{53AF48E8-DB8F-42fd-8245-6A05D5E67390}.exe

Filesize
380KB

MD5
bd1be8cc72cd74546cdd6212b1068eab

SHA1
60f64c3a8c9b8baa153400cef2ef904e2cbf36b9

SHA256
87914d91250f0d41d42639e4832ae9b771e9ca065724863ec92f46852ecbfd27

SHA512
d08dccd409c31fee49f947e3c829c21af6c167a7886184b6283418ab70fc2221b9de8f2fd909f512b956968a51a2a329d8d909842ac43d83953eb1cda5a439b0

Download Submit
C:\Windows\{5A298295-BA7D-4d3d-B9BE-075CD4DB474B}.exe

Filesize
380KB

MD5
4fe33e1f72cb0c98874e9c2663eb3799

SHA1
c5d787eb1946a7c15cff793543d83071cd1bb200

SHA256
200a2f721bde1d525b1dfad6c3dcacf78fadd991c9f98bf2dc5c118bbffaefa6

SHA512
312dae770f567a1632cd3743310e60f5262765e935dda88236c9971d39baa2eaf370955242c6e7907ce04b593ccc2346c577d119af85c67c5555bd02fb8716b0

Download Submit
C:\Windows\{5A396C8B-06FD-4d5d-8D63-9080D9753BEF}.exe

Filesize
380KB

MD5
d97d0093470ec86eefed13dd5c09bc6d

SHA1
c5b60bf22e3161b53883c9da75269f73161f4a11

SHA256
2aa5ad25b918128b0ede2c9847a8361398f976cb9912b881d4eb74f3609c4612

SHA512
4fab9b8a07ace0811ef9e79d45bdc15dea282f296973ebe72af0de6e2a5056b97d2cee1bb2516ebeb9486d0aba323993a4834adf70e92f30edaacf90fbb6b318

Download Submit
C:\Windows\{6A5BEA20-D6A0-48b1-A100-2A4A1E11B752}.exe

Filesize
380KB

MD5
26ea8c49dcd8339f66e5196749db2bd2

SHA1
b7a55b0137e16263d90e4eec0ed807aec9e1a45a

SHA256
dcebc8119debe2ebb1f386e05acbc8afdbc647cb92784f589b3d4963a68677f9

SHA512
c43dda27957d2430dd6f986820c4f3b0d18f05df0a1b9f4a7f7adb3027772f18cd0f6b291e9d0fb91593afa4055a61486b3703d8d567f9f4c8dbcd737bfb5b10

Download Submit
C:\Windows\{8136A0A1-6D87-4cf7-B19C-015BC15E82B1}.exe

Filesize
380KB

MD5
747c4ca28b95c221902a5145a9ccb3f5

SHA1
856f5647e91c3895bb5e380de1f20466b2915907

SHA256
894196750f705e62ef5d15ca94b4738c9d33a53ec69820454cd4e7c62c24c6ff

SHA512
5fd44707ebd2808c6252172a7a4264327fb17008d22bcd363285cb63cd1a053e52cae980a3be1599dfda623e44734237c8e17d81b109d49532ec6327959b15b6

Download Submit
C:\Windows\{95E930F2-CC2A-42c5-A625-8139AC857167}.exe

Filesize
380KB

MD5
b804133b280b75c3b19d31d8dc5add50

SHA1
6cf525cb25764a26cd148cfd043f362d555bda4d

SHA256
1fc93348f39030f1fed3b6e917df950ae6ad46781cd72894c7e1c06cd0498bf0

SHA512
a48325712d8fa60f6392867247d99cdcf8bce0dc287d041be35fc802d53f8077db47baf7454aaa2098565e89920fa22db15ffc9ce9f3db730468c729dfb421dc

Download Submit
C:\Windows\{A7258B1D-5FCB-40ef-BDD7-B785DDB772E9}.exe

Filesize
380KB

MD5
007e38f7c798fbaaea2e37f382bb8358

SHA1
95fac06c55b29c17c72a3a9f3e1ad3d2ad78e4a8

SHA256
27ce9e23ad0444a1484229510b1f01108d2156ee9867a9b5beb92c20cdbda178

SHA512
51899123cb82aa96a9107b534a5f313e06563e0e0a5659a61eb18f8583219d3274e992d83537b1cf753ab12e8308c9379423240dc099ffa3bafffb6ca78007c1

Download Submit
C:\Windows\{AD525AFF-7516-44b4-BEED-2136286D9AF8}.exe

Filesize
380KB

MD5
e251675ce240a5b0c77a9cb71195cc18

SHA1
58b06769a2d25968afac4694cb5aac0490ad8212

SHA256
58afec7903eb72af1b539015f9ad7de70e906c0e729407a301fb889e90f92a5b

SHA512
5e60c6d92381baf1954bbbf5bc0504397700fff582b2a131f69c9833230e585d7405b30211771b51e69d3d74862799d059da0af0b4c7a0197c1ad24f07b672da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads