Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 163s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 21:40
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
- Resource: win10v2004-20231215-en
General
- Target: 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
- Size: 408KB
- MD5: 6f29dcdc7a7f53d474224d34ee51fa0f
- SHA1: b81b05f21fcca70fd8991138c83490c53beba0d1
- SHA256: f7e5eaf69fbc116974ea24609d5d6bd6848e9c0f99189287eacfac2adf37c68b
- SHA512: 64329cd588b0a71009260b3d6c83bff27b554fe0a0510b36b0529bec10b525361ce00064225f7c56e45184118429bef488b6100490afb8a7aac9edccd742ab9c
- SSDEEP: 3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule (12 IoCs)
resource / yara_rule:
- behavioral1/files/0x000b00000001227d-4.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000900000000f6f2-12.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000c00000001227d-19.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000a00000000f6f2-26.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000d00000001227d-33.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000b00000000f6f2-40.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000e00000001227d-47.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000c00000000f6f2-54.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000f00000001227d-61.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000d00000000f6f2-68.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x001000000001227d-75.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000e00000000f6f2-82.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description / ioc / Process (all keys under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA} (by {0510C931-7787-43f5-86D2-F76C23F61058}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}\stubpath = "C:\\Windows\\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe" (by {0510C931-7787-43f5-86D2-F76C23F61058}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852} (by {A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D30BD1FB-9454-4021-BC8A-807F2B48262E} (by {31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{289F9504-EBFC-49d1-B678-6B78A87086CA} (by {78484906-3E05-4eb6-B854-DF5D89173846}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0} (by {289F9504-EBFC-49d1-B678-6B78A87086CA}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0} (by {AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0510C931-7787-43f5-86D2-F76C23F61058} (by {1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}\stubpath = "C:\\Windows\\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe" (by {AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1419DB5D-EA81-42e4-939A-0C03F53CA380}\stubpath = "C:\\Windows\\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe" (by {D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}\stubpath = "C:\\Windows\\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe" (by {A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E766309-DD79-40b5-9A84-6EE9AE596652}\stubpath = "C:\\Windows\\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe" (by {4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E766309-DD79-40b5-9A84-6EE9AE596652} (by {4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31EDCB23-44F4-4da3-B945-B35B3D0236B4} (by 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{289F9504-EBFC-49d1-B678-6B78A87086CA}\stubpath = "C:\\Windows\\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe" (by {78484906-3E05-4eb6-B854-DF5D89173846}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1419DB5D-EA81-42e4-939A-0C03F53CA380} (by {D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0510C931-7787-43f5-86D2-F76C23F61058}\stubpath = "C:\\Windows\\{0510C931-7787-43f5-86D2-F76C23F61058}.exe" (by {1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D208725-A94E-4af5-8FD3-D4F616AD043A} (by {B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D208725-A94E-4af5-8FD3-D4F616AD043A}\stubpath = "C:\\Windows\\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe" (by {B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}\stubpath = "C:\\Windows\\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe" (by 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D30BD1FB-9454-4021-BC8A-807F2B48262E}\stubpath = "C:\\Windows\\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe" (by {31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78484906-3E05-4eb6-B854-DF5D89173846} (by {D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78484906-3E05-4eb6-B854-DF5D89173846}\stubpath = "C:\\Windows\\{78484906-3E05-4eb6-B854-DF5D89173846}.exe" (by {D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}\stubpath = "C:\\Windows\\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe" (by {289F9504-EBFC-49d1-B678-6B78A87086CA}.exe)
Deletes itself (1 IoC)
pid / Process:
- 2548 cmd.exe
Executes dropped EXE (12 IoCs)
pid / Process:
- 2512 {31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe
- 2556 {D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe
- 2496 {78484906-3E05-4eb6-B854-DF5D89173846}.exe
- 324 {289F9504-EBFC-49d1-B678-6B78A87086CA}.exe
- 2780 {AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe
- 2660 {D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe
- 292 {1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe
- 1780 {0510C931-7787-43f5-86D2-F76C23F61058}.exe
- 2088 {A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe
- 2880 {B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe
- 2964 {4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe
- 872 {2E766309-DD79-40b5-9A84-6EE9AE596652}.exe
Drops file in Windows directory (12 IoCs)
description / ioc / Process:
- File created: C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe (by {289F9504-EBFC-49d1-B678-6B78A87086CA}.exe)
- File created: C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe (by {AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe)
- File created: C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe (by {D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe)
- File created: C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe (by {B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe)
- File created: C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe (by {4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe)
- File created: C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe (by {D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe)
- File created: C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe (by {78484906-3E05-4eb6-B854-DF5D89173846}.exe)
- File created: C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe (by {1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe)
- File created: C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe (by {0510C931-7787-43f5-86D2-F76C23F61058}.exe)
- File created: C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe (by {A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe)
- File created: C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe (by 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe)
- File created: C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe (by {31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description / pid / Process (every entry is Token: SeIncBasePriorityPrivilege):
- 2336 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
- 2512 {31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe
- 2556 {D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe
- 2496 {78484906-3E05-4eb6-B854-DF5D89173846}.exe
- 324 {289F9504-EBFC-49d1-B678-6B78A87086CA}.exe
- 2780 {AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe
- 2660 {D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe
- 292 {1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe
- 1780 {0510C931-7787-43f5-86D2-F76C23F61058}.exe
- 2088 {A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe
- 2880 {B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe
- 2964 {4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (each event is recorded four times in the report; the list is truncated at 64 entries):
- PID 2336 wrote to memory of 2512 (2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe, procid_target 27), 4 entries
- PID 2336 wrote to memory of 2548 (2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe, procid_target 28), 4 entries
- PID 2512 wrote to memory of 2556 ({31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe, procid_target 31), 4 entries
- PID 2512 wrote to memory of 2464 ({31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe, procid_target 32), 4 entries
- PID 2556 wrote to memory of 2496 ({D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe, procid_target 33), 4 entries
- PID 2556 wrote to memory of 3008 ({D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe, procid_target 34), 4 entries
- PID 2496 wrote to memory of 324 ({78484906-3E05-4eb6-B854-DF5D89173846}.exe, procid_target 35), 4 entries
- PID 2496 wrote to memory of 2768 ({78484906-3E05-4eb6-B854-DF5D89173846}.exe, procid_target 36), 4 entries
- PID 324 wrote to memory of 2780 ({289F9504-EBFC-49d1-B678-6B78A87086CA}.exe, procid_target 37), 4 entries
- PID 324 wrote to memory of 1756 ({289F9504-EBFC-49d1-B678-6B78A87086CA}.exe, procid_target 38), 4 entries
- PID 2780 wrote to memory of 2660 ({AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe, procid_target 39), 4 entries
- PID 2780 wrote to memory of 2348 ({AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe, procid_target 40), 4 entries
- PID 2660 wrote to memory of 292 ({D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe, procid_target 41), 4 entries
- PID 2660 wrote to memory of 1396 ({D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe, procid_target 42), 4 entries
- PID 292 wrote to memory of 1780 ({1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe, procid_target 43), 4 entries
- PID 292 wrote to memory of 1668 ({1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe, procid_target 44), 4 entries
Processes
(Depth is the nesting level in the process tree; a process at depth n was started by the process at depth n-1 above it.)

Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2336

Depth 2: C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe
Command line: C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2512

Depth 3: C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe
Command line: C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2556

Depth 4: C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe
Command line: C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2496

Depth 5: C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe
Command line: C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 324

Depth 6: C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe
Command line: C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2780

Depth 7: C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe
Command line: C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2660

Depth 8: C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe
Command line: C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 292

Depth 9: C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe
Command line: C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1780

Depth 10: C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe
Command line: C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2088

Depth 11: C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe
Command line: C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2880

Depth 12: C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe
Command line: C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2964

Depth 13: C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe
Command line: C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe
- Executes dropped EXE
PID: 872

Depth 13: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4D208~1.EXE > nul
PID: 1864

Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B9863~1.EXE > nul
PID: 1420

Depth 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A7573~1.EXE > nul
PID: 1896

Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0510C~1.EXE > nul
PID: 2968

Depth 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1419D~1.EXE > nul
PID: 1668

Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D39C0~1.EXE > nul
PID: 1396

Depth 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AC01F~1.EXE > nul
PID: 2348

Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{289F9~1.EXE > nul
PID: 1756

Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{78484~1.EXE > nul
PID: 2768

Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D30BD~1.EXE > nul
PID: 3008

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{31EDC~1.EXE > nul
PID: 2464

Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- Deletes itself
PID: 2548
Network
MITRE ATT&CK Enterprise v15
Downloads