14b3d860d7398c09e99956ae2adbda9c27b85e23916cbf4d9765498bf24d1390

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Size

408KB
MD5

4685ee0c84f2725585ba2ba2b23b5d5a
SHA1

8aaa71707fb6c8dea15493151164d6c35d6e35d6
SHA256

14b3d860d7398c09e99956ae2adbda9c27b85e23916cbf4d9765498bf24d1390
SHA512

117484d1718b6c171ce2a4453980bf692a00fe33aef7c2d0a941445557cf656deac7bdaf515d061e6576d2e3ed193cf0d00e0f4269ba2e16e57cd55ee57c00ad
SSDEEP

3072:CEGh0ohl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGjldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ff-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023205-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023205-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-32.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-44.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}\stubpath = "C:\\Windows\\{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe"	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E296024-BBFB-4293-9520-D9AA56787F67}	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB1A6827-49D7-48e1-B1F6-8D19820471F1}	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB1A6827-49D7-48e1-B1F6-8D19820471F1}\stubpath = "C:\\Windows\\{BB1A6827-49D7-48e1-B1F6-8D19820471F1}.exe"	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}\stubpath = "C:\\Windows\\{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe"	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}\stubpath = "C:\\Windows\\{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe"	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852D3192-FED9-4f0a-AC72-797AF6820B08}	{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E296024-BBFB-4293-9520-D9AA56787F67}\stubpath = "C:\\Windows\\{7E296024-BBFB-4293-9520-D9AA56787F67}.exe"	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABDA025C-4C6C-49ad-8921-05119D717F41}	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}\stubpath = "C:\\Windows\\{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe"	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4816B053-4DCE-4c53-9956-1A4215AABC27}\stubpath = "C:\\Windows\\{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe"	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68027-04D2-4180-9280-E9BDDE8ACA70}	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68027-04D2-4180-9280-E9BDDE8ACA70}\stubpath = "C:\\Windows\\{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe"	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}\stubpath = "C:\\Windows\\{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe"	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852D3192-FED9-4f0a-AC72-797AF6820B08}\stubpath = "C:\\Windows\\{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe"	{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4816B053-4DCE-4c53-9956-1A4215AABC27}	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}\stubpath = "C:\\Windows\\{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe"	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABDA025C-4C6C-49ad-8921-05119D717F41}\stubpath = "C:\\Windows\\{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe"	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe

Executes dropped EXE 11 IoCs

pid	Process
544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe
3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe
2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe
4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe
1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe
4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe
1800	{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe
4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe
432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe
3468	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe
4104	{BB1A6827-49D7-48e1-B1F6-8D19820471F1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
File created	C:\Windows\{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe
File created	C:\Windows\{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe
File created	C:\Windows\{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe
File created	C:\Windows\{7E296024-BBFB-4293-9520-D9AA56787F67}.exe	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe
File created	C:\Windows\{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe
File created	C:\Windows\{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe
File created	C:\Windows\{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe
File created	C:\Windows\{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe
File created	C:\Windows\{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe
File created	C:\Windows\{BB1A6827-49D7-48e1-B1F6-8D19820471F1}.exe	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4676	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe
Token: SeIncBasePriorityPrivilege	3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe
Token: SeIncBasePriorityPrivilege	2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe
Token: SeIncBasePriorityPrivilege	4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe
Token: SeIncBasePriorityPrivilege	1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe
Token: SeIncBasePriorityPrivilege	4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe
Token: SeIncBasePriorityPrivilege	808	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe
Token: SeIncBasePriorityPrivilege	4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe
Token: SeIncBasePriorityPrivilege	432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe
Token: SeIncBasePriorityPrivilege	3468	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 544	4676	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	97
PID 4676 wrote to memory of 544	4676	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	97
PID 4676 wrote to memory of 544	4676	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	97
PID 4676 wrote to memory of 2028	4676	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	98
PID 4676 wrote to memory of 2028	4676	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	98
PID 4676 wrote to memory of 2028	4676	2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe	98
PID 544 wrote to memory of 3336	544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe	99
PID 544 wrote to memory of 3336	544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe	99
PID 544 wrote to memory of 3336	544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe	99
PID 544 wrote to memory of 3692	544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe	100
PID 544 wrote to memory of 3692	544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe	100
PID 544 wrote to memory of 3692	544	{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe	100
PID 3336 wrote to memory of 2008	3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe	102
PID 3336 wrote to memory of 2008	3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe	102
PID 3336 wrote to memory of 2008	3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe	102
PID 3336 wrote to memory of 396	3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe	103
PID 3336 wrote to memory of 396	3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe	103
PID 3336 wrote to memory of 396	3336	{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe	103
PID 2008 wrote to memory of 4432	2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe	104
PID 2008 wrote to memory of 4432	2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe	104
PID 2008 wrote to memory of 4432	2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe	104
PID 2008 wrote to memory of 3592	2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe	105
PID 2008 wrote to memory of 3592	2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe	105
PID 2008 wrote to memory of 3592	2008	{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe	105
PID 4432 wrote to memory of 1312	4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe	106
PID 4432 wrote to memory of 1312	4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe	106
PID 4432 wrote to memory of 1312	4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe	106
PID 4432 wrote to memory of 1504	4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe	107
PID 4432 wrote to memory of 1504	4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe	107
PID 4432 wrote to memory of 1504	4432	{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe	107
PID 1312 wrote to memory of 4624	1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe	108
PID 1312 wrote to memory of 4624	1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe	108
PID 1312 wrote to memory of 4624	1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe	108
PID 1312 wrote to memory of 2808	1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe	109
PID 1312 wrote to memory of 2808	1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe	109
PID 1312 wrote to memory of 2808	1312	{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe	109
PID 4624 wrote to memory of 1800	4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe	110
PID 4624 wrote to memory of 1800	4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe	110
PID 4624 wrote to memory of 1800	4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe	110
PID 4624 wrote to memory of 4456	4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe	111
PID 4624 wrote to memory of 4456	4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe	111
PID 4624 wrote to memory of 4456	4624	{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe	111
PID 808 wrote to memory of 4980	808	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe	114
PID 808 wrote to memory of 4980	808	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe	114
PID 808 wrote to memory of 4980	808	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe	114
PID 808 wrote to memory of 1440	808	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe	115
PID 808 wrote to memory of 1440	808	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe	115
PID 808 wrote to memory of 1440	808	{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe	115
PID 4980 wrote to memory of 432	4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe	116
PID 4980 wrote to memory of 432	4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe	116
PID 4980 wrote to memory of 432	4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe	116
PID 4980 wrote to memory of 2216	4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe	117
PID 4980 wrote to memory of 2216	4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe	117
PID 4980 wrote to memory of 2216	4980	{7E296024-BBFB-4293-9520-D9AA56787F67}.exe	117
PID 432 wrote to memory of 3468	432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe	118
PID 432 wrote to memory of 3468	432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe	118
PID 432 wrote to memory of 3468	432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe	118
PID 432 wrote to memory of 4656	432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe	119
PID 432 wrote to memory of 4656	432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe	119
PID 432 wrote to memory of 4656	432	{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe	119
PID 3468 wrote to memory of 4104	3468	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe	120
PID 3468 wrote to memory of 4104	3468	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe	120
PID 3468 wrote to memory of 4104	3468	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe	120
PID 3468 wrote to memory of 1188	3468	{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_4685ee0c84f2725585ba2ba2b23b5d5a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe
  C:\Windows\{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe
    C:\Windows\{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe
      C:\Windows\{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe
        
        C:\Windows\{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe
        
        C:\Windows\{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe
        
        C:\Windows\{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe
        
        C:\Windows\{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe
        
        C:\Windows\{852D3192-FED9-4f0a-AC72-797AF6820B08}.exe
        9⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{7E296024-BBFB-4293-9520-D9AA56787F67}.exe
        
        C:\Windows\{7E296024-BBFB-4293-9520-D9AA56787F67}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe
        
        C:\Windows\{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe
        
        C:\Windows\{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\{BB1A6827-49D7-48e1-B1F6-8D19820471F1}.exe
        
        C:\Windows\{BB1A6827-49D7-48e1-B1F6-8D19820471F1}.exe
        13⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E52~1.EXE > nul
        13⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4816B~1.EXE > nul
        12⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E296~1.EXE > nul
        11⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{852D3~1.EXE > nul
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4875~1.EXE > nul
        9⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBA63~1.EXE > nul
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D68~1.EXE > nul
        7⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACC3~1.EXE > nul
        6⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABDA0~1.EXE > nul
        5⤵
        
        PID:3592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E01A~1.EXE > nul
      4⤵
      PID:396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{728BC~1.EXE > nul
    3⤵
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24E52A5E-CB39-4623-B66B-8D1CDAE1C2B7}.exe

Filesize
408KB

MD5
0f552fd2ec887a28c7c735cda7cd4134

SHA1
7f9f58815408053e91b0c67ce443d7711666b849

SHA256
24c5e7f89d8b86166d925edc867b601791a831833ae4d9f6a6a336e500dd8476

SHA512
d25bc70d253452a16a025ab5cc1044591a1953d576e7285ef3fa2a092d91b937710cc7ece2282c9e3d31d8faa89626aeb6862e22771ea72e567effb518a37cb3

Download Submit
C:\Windows\{2E01AB3F-DE9D-4be1-829E-16E2B933B2BB}.exe

Filesize
408KB

MD5
1590929ef817d3b05401d18d4961cafb

SHA1
a26ebdd8b438095fb7385beede7baf980e2485ed

SHA256
a3ac8036f8c1d99ceaa03e1e0d3717747930a94d3457b5bac51c349ec8bf3dbd

SHA512
13df1b0e08091d1a41074708a41bede6b35cc88555a26216b6536117ab7310e39d67370c5929d7cf06894ad554ccc5e7208a12391a6b2fa93f8f7db27e7444d7

Download Submit
C:\Windows\{3ACC3196-8B27-4635-9E2E-02CC5B0D4030}.exe

Filesize
408KB

MD5
8bc93017557876a9abbc89a47b8d166c

SHA1
ff2341546ee8039d23de79b9f311b1c8527abffd

SHA256
af83e6244ec13580403d3662b9d906233c57482eac7ff500b1818213fd2f919d

SHA512
176937aa6f66d9247956391ad78d268953c2374564a166d352e70d287d71fb6423d263e42a3920ea13882addef774dfb27abc48545632f5b0eddfc47dc827ae9

Download Submit
C:\Windows\{4816B053-4DCE-4c53-9956-1A4215AABC27}.exe

Filesize
408KB

MD5
7f7f85acadea5c8cfccba8cdd122b690

SHA1
e300552ec5fd8b037d42f16ecc528451b0ccdaf2

SHA256
13d4796e8ba7f8b7775d665ac9fe0e2df783c2121ec1940774f31d4f8a3a17b4

SHA512
8721ac38be104ea0799cdb3e7549759a7aab038036ab1f17be82b2adf063ccce27813789630723360e79bcf2163c92e7d0c767e45b1cd5258e9ceec331189386

Download Submit
C:\Windows\{728BC90C-B80E-4e73-BF0C-0EE5EA1D0CE6}.exe

Filesize
408KB

MD5
c093f030191e8b81fa045b1a022db4ae

SHA1
fe61111ba1266e9ef405fcc5b0e2e2205951f7db

SHA256
fd2a6e7a441541529205aae3fbb18ecb98889e5f4ef18d1d9afc8a78a6da2c2e

SHA512
30948257e45dfb046d0f8b67eee377c525ef7288fee37c6e9ccd0036ea76a68957d419bad09c0db1ec9a60819d59a4a85663811c460d972e16592f0ba0fa8cea

Download Submit
C:\Windows\{7E296024-BBFB-4293-9520-D9AA56787F67}.exe

Filesize
408KB

MD5
23c266cf9fdcb08ccb5c5ff31069ca1c

SHA1
e9a8939571cf4e1679809d6ebb9415523965a3b4

SHA256
822e0b10f0a498d5d9e198dab486fc933d852f6462abf27097ef39cde0d58523

SHA512
82dd5c8da92d723d80bc86db6f81b2a30e74cfbcc66d9d1e1c56f5548660fe82b5d0ebe3e625981165ccf1f05ea603aea429babdb4e54ee165c6bf922fd06035

Download Submit
C:\Windows\{ABDA025C-4C6C-49ad-8921-05119D717F41}.exe

Filesize
408KB

MD5
60eeb69e8f5669485368bf70a86220e2

SHA1
16251bd2b1ba971e62ed6380511a4a77d664afd2

SHA256
8a3639e5131ca46273577f67b37353dd45f145835f9ec37e8e65df9b77afa904

SHA512
ee906ba8ccdf1750a5a6eb860b251cac1f4770bb783178c3a94a80e4a1eb68207c43dfd320efc9568bbd3de7885b1800de4dc88db84446e1bd13fe23e18a52d3

Download Submit
C:\Windows\{BB1A6827-49D7-48e1-B1F6-8D19820471F1}.exe

Filesize
408KB

MD5
ad67bc9513e77309af0e4bd6f9a1b2f7

SHA1
7f36b91c8015ea6c97be111962c499cac801fac7

SHA256
5cfff6b3e0b6dfb3e822af198da739a1dda4a8f18c43cafd8f5099a694291da1

SHA512
b85d1177a55bdc4df3a42007b662bb1819357f17371c988f9ef97cb5939b00b81c7e684dd05e2323c8a813dd9d085e3da4f9e73d4cac2040042c04328decfeb8

Download Submit
C:\Windows\{CBA6304B-DAD6-480a-AA88-40C64D0C2E5C}.exe

Filesize
408KB

MD5
6b1a458f5cb692313d74e4b256d114c3

SHA1
6459631587c3bdd869a66550b91c8888d2c45f73

SHA256
881e0bae4b4366b853bb4492ddcf403ee01fd3cd9e18e1dd77959a415d587f8d

SHA512
b3cc435fe10c1b7b25e6e1563e78a77d6778a90958bc0904e9b23fbe6381790f4877c7667a16f08f41d325923d69cc4337d5ab62eab44293710e63d6085b705f

Download Submit
C:\Windows\{E4D68027-04D2-4180-9280-E9BDDE8ACA70}.exe

Filesize
408KB

MD5
8a28dc1197c8fe6b6c1820b2fc092391

SHA1
527e292f02a691234b1afcf0cd844ada07c7344a

SHA256
a1e8e575a32f55906e325caecefab5cf19e9f9f887a62c038c677a5bbd763b28

SHA512
bd83ab83481a80c4022bfe11eca3c5891686205d269cb6ecab4b0e62b111e1a10ae3822494bbb6d10535301d756759f79ddd22ca2f73d033b11e26609304ef67

Download Submit
C:\Windows\{F4875E8C-5C0D-43f8-AE40-C828BA02F3DB}.exe

Filesize
408KB

MD5
a59ea4763ea228f2d49cfb0411fc68fc

SHA1
703e37ad3509fd023935a519e5e0e7c3810c3b46

SHA256
7e247d2ada97b7f8e40eb778be0202488bad8c4f5243a355a35bcef6b85c63f4

SHA512
8bea13ae3a8619879a5bab939d07e8c7ca21af9db8eb722468ca5e23f9583fd843cdf97076497fa409955ab6a3e32a76cea953007c806f327419235e177dce55

Download Submit
memory/1800-27-0x0000000003860000-0x000000000393B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads