9e1260cda05b0f2861aa89e690d73e15314c5d367bd34b6fe40eecad365d9869

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Size

344KB
MD5

c946504509d770d84c90bce809a98a86
SHA1

4ca7a5ca47f58de7fb1f0145694cd450c059593f
SHA256

9e1260cda05b0f2861aa89e690d73e15314c5d367bd34b6fe40eecad365d9869
SHA512

53e434a058026433fd62ef0410b7b69aeecfb280e4b79eef19bee6acb9dfef1dd5b3923946c70415cd93486e660fb4443fbb9585af90241b66a94ac585c103b3
SSDEEP

3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG0lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023207-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023208-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023208-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}	{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11CA3AE-D5A1-4278-96E0-D89188CA736E}	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5A34D73-C356-47f2-893B-892E75348BBE}\stubpath = "C:\\Windows\\{A5A34D73-C356-47f2-893B-892E75348BBE}.exe"	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24BAFCD2-20EF-403d-BBC8-CC72926D693F}\stubpath = "C:\\Windows\\{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe"	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7F2FE21-61A3-403a-8505-E13D2A729176}	{9105351A-BB76-4c98-B604-490A24981BBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}\stubpath = "C:\\Windows\\{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe"	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5A34D73-C356-47f2-893B-892E75348BBE}	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9105351A-BB76-4c98-B604-490A24981BBD}	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9105351A-BB76-4c98-B604-490A24981BBD}\stubpath = "C:\\Windows\\{9105351A-BB76-4c98-B604-490A24981BBD}.exe"	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9776DB00-EAEE-4b19-8002-7E338FF09BC9}\stubpath = "C:\\Windows\\{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe"	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}\stubpath = "C:\\Windows\\{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe"	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0A54FD-A336-4f94-98B4-2D383713627F}	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}\stubpath = "C:\\Windows\\{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe"	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0A54FD-A336-4f94-98B4-2D383713627F}\stubpath = "C:\\Windows\\{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe"	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36ED3F86-D585-4993-956C-789E9DC4FC12}	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}\stubpath = "C:\\Windows\\{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}.exe"	{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24BAFCD2-20EF-403d-BBC8-CC72926D693F}	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7F2FE21-61A3-403a-8505-E13D2A729176}\stubpath = "C:\\Windows\\{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe"	{9105351A-BB76-4c98-B604-490A24981BBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9776DB00-EAEE-4b19-8002-7E338FF09BC9}	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11CA3AE-D5A1-4278-96E0-D89188CA736E}\stubpath = "C:\\Windows\\{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe"	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36ED3F86-D585-4993-956C-789E9DC4FC12}\stubpath = "C:\\Windows\\{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe"	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe

Executes dropped EXE 12 IoCs

pid	Process
4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe
3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe
4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe
3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe
3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe
816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe
2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe
1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe
3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe
4648	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe
3128	{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe
4688	{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
File created	C:\Windows\{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe
File created	C:\Windows\{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe
File created	C:\Windows\{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe
File created	C:\Windows\{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe
File created	C:\Windows\{9105351A-BB76-4c98-B604-490A24981BBD}.exe	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe
File created	C:\Windows\{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe	{9105351A-BB76-4c98-B604-490A24981BBD}.exe
File created	C:\Windows\{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe
File created	C:\Windows\{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe
File created	C:\Windows\{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe
File created	C:\Windows\{A5A34D73-C356-47f2-893B-892E75348BBE}.exe	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe
File created	C:\Windows\{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}.exe	{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4952	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe
Token: SeIncBasePriorityPrivilege	3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe
Token: SeIncBasePriorityPrivilege	4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe
Token: SeIncBasePriorityPrivilege	3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe
Token: SeIncBasePriorityPrivilege	3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe
Token: SeIncBasePriorityPrivilege	816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe
Token: SeIncBasePriorityPrivilege	2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe
Token: SeIncBasePriorityPrivilege	1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe
Token: SeIncBasePriorityPrivilege	3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe
Token: SeIncBasePriorityPrivilege	4648	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe
Token: SeIncBasePriorityPrivilege	3128	{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4688	4952	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	95
PID 4952 wrote to memory of 4688	4952	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	95
PID 4952 wrote to memory of 4688	4952	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	95
PID 4952 wrote to memory of 3552	4952	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	96
PID 4952 wrote to memory of 3552	4952	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	96
PID 4952 wrote to memory of 3552	4952	2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe	96
PID 4688 wrote to memory of 3648	4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe	97
PID 4688 wrote to memory of 3648	4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe	97
PID 4688 wrote to memory of 3648	4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe	97
PID 4688 wrote to memory of 3404	4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe	98
PID 4688 wrote to memory of 3404	4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe	98
PID 4688 wrote to memory of 3404	4688	{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe	98
PID 3648 wrote to memory of 4332	3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe	100
PID 3648 wrote to memory of 4332	3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe	100
PID 3648 wrote to memory of 4332	3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe	100
PID 3648 wrote to memory of 1608	3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe	101
PID 3648 wrote to memory of 1608	3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe	101
PID 3648 wrote to memory of 1608	3648	{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe	101
PID 4332 wrote to memory of 3640	4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe	102
PID 4332 wrote to memory of 3640	4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe	102
PID 4332 wrote to memory of 3640	4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe	102
PID 4332 wrote to memory of 2312	4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe	103
PID 4332 wrote to memory of 2312	4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe	103
PID 4332 wrote to memory of 2312	4332	{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe	103
PID 3640 wrote to memory of 3232	3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe	104
PID 3640 wrote to memory of 3232	3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe	104
PID 3640 wrote to memory of 3232	3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe	104
PID 3640 wrote to memory of 1948	3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe	105
PID 3640 wrote to memory of 1948	3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe	105
PID 3640 wrote to memory of 1948	3640	{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe	105
PID 3232 wrote to memory of 816	3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe	106
PID 3232 wrote to memory of 816	3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe	106
PID 3232 wrote to memory of 816	3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe	106
PID 3232 wrote to memory of 4072	3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe	107
PID 3232 wrote to memory of 4072	3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe	107
PID 3232 wrote to memory of 4072	3232	{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe	107
PID 816 wrote to memory of 2460	816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe	108
PID 816 wrote to memory of 2460	816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe	108
PID 816 wrote to memory of 2460	816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe	108
PID 816 wrote to memory of 3080	816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe	109
PID 816 wrote to memory of 3080	816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe	109
PID 816 wrote to memory of 3080	816	{A5A34D73-C356-47f2-893B-892E75348BBE}.exe	109
PID 2460 wrote to memory of 1208	2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe	110
PID 2460 wrote to memory of 1208	2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe	110
PID 2460 wrote to memory of 1208	2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe	110
PID 2460 wrote to memory of 1884	2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe	111
PID 2460 wrote to memory of 1884	2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe	111
PID 2460 wrote to memory of 1884	2460	{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe	111
PID 1208 wrote to memory of 3372	1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe	112
PID 1208 wrote to memory of 3372	1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe	112
PID 1208 wrote to memory of 3372	1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe	112
PID 1208 wrote to memory of 3904	1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe	113
PID 1208 wrote to memory of 3904	1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe	113
PID 1208 wrote to memory of 3904	1208	{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe	113
PID 3372 wrote to memory of 4648	3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe	114
PID 3372 wrote to memory of 4648	3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe	114
PID 3372 wrote to memory of 4648	3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe	114
PID 3372 wrote to memory of 4536	3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe	115
PID 3372 wrote to memory of 4536	3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe	115
PID 3372 wrote to memory of 4536	3372	{9105351A-BB76-4c98-B604-490A24981BBD}.exe	115
PID 4648 wrote to memory of 3128	4648	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe	116
PID 4648 wrote to memory of 3128	4648	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe	116
PID 4648 wrote to memory of 3128	4648	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe	116
PID 4648 wrote to memory of 4664	4648	{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_c946504509d770d84c90bce809a98a86_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe
  C:\Windows\{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe
    C:\Windows\{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe
      C:\Windows\{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe
        
        C:\Windows\{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe
        
        C:\Windows\{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{A5A34D73-C356-47f2-893B-892E75348BBE}.exe
        
        C:\Windows\{A5A34D73-C356-47f2-893B-892E75348BBE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe
        
        C:\Windows\{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe
        
        C:\Windows\{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{9105351A-BB76-4c98-B604-490A24981BBD}.exe
        
        C:\Windows\{9105351A-BB76-4c98-B604-490A24981BBD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe
        
        C:\Windows\{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe
        
        C:\Windows\{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}.exe
        
        C:\Windows\{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D19EF~1.EXE > nul
        13⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7F2F~1.EXE > nul
        12⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91053~1.EXE > nul
        11⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24BAF~1.EXE > nul
        10⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36ED3~1.EXE > nul
        9⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5A34~1.EXE > nul
        8⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97E1D~1.EXE > nul
        7⤵
        
        PID:4072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E0A5~1.EXE > nul
        6⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E11CA~1.EXE > nul
        5⤵
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DF8E4~1.EXE > nul
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9776D~1.EXE > nul
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24BAFCD2-20EF-403d-BBC8-CC72926D693F}.exe

Filesize
344KB

MD5
0ccc42daedff4de7faad7e63bb40d5f7

SHA1
0039f3682e0c4176590d547d884495c8709ea4f1

SHA256
1c72e939a2a9a39790886979eee53835dc34361758520fcd37f0719386b3cda4

SHA512
e814ea9e382014536d607cdfe00151c768574104176bfc608c5f43877d7e756e817bd0bb7a4f91aa9c39e62f9386a1ecc024c876dfafde0c1374f84f362c504a

Download Submit
C:\Windows\{2AA40BCF-6464-4f35-BF0F-FF7304A0506E}.exe

Filesize
344KB

MD5
d6fbfa498600a82ae4c00f60c9181b1e

SHA1
a6b56752962c96720dd8c0607b1f6d0064624645

SHA256
2f043d4ad004e3fe00ef2f7c4f42b60bf46721b256ccb69058273e70b7f404a0

SHA512
7893c7b3ff0e61c2253bfec3099f17c2a00df4c47176344d57e8b22f579192f7b35d50c769d7cefdaf4b6e0719bcccfaa2f198b4165d8cf382c32215b67a284a

Download Submit
C:\Windows\{36ED3F86-D585-4993-956C-789E9DC4FC12}.exe

Filesize
344KB

MD5
a14c00a535989942b02c59248bd67b25

SHA1
f2257d88f4e86c2a6af5d402485475515246453d

SHA256
71f6afb742ac6aedb25881aa665b0194ad89f6696df2b91f4f6b52ebbd4af065

SHA512
f560e0182c3b9ef3bc7b7f9f15c5a8bcea5bf059623430d0cab8083e60e7fd7adb5ee5315e371235efb86f76eeceeaafdd810676e38027df3676732fd3154d6a

Download Submit
C:\Windows\{6E0A54FD-A336-4f94-98B4-2D383713627F}.exe

Filesize
344KB

MD5
4f3e8ca6b24caa0b9f56131db4aaf172

SHA1
fcce28075c0b18af76f463288a2bf431490d2114

SHA256
698b8268b928fd418a559299e297d00a8feb9f7a7049cae1df25d93d646b5315

SHA512
5a23f59bb3b1f23d66ceafc85a8684f612e61f4de5abcd4c738342f0e3e3346c51915c41f8cc7631eaa0d1f7018ecdd0e367cd12161881c6716794a2e47293a2

Download Submit
C:\Windows\{9105351A-BB76-4c98-B604-490A24981BBD}.exe

Filesize
344KB

MD5
8423fe88d815ace96a7e14b34038bbe0

SHA1
f7d18f768fb0b81b3c2feaa4dcb906d721357cb0

SHA256
6c7312c8f3e74b522bde3dc8e305266dc02903cddd2ea546efe51c2cf27aa0f4

SHA512
a3af1608eccf1723694801a7ee53d1950d33f8d22d80581b5ae6dc1bebdc4f9f8fb325b635d93b4ca9596c65d3f3419eb4354156f9eb0d44ee21fd2517970107

Download Submit
C:\Windows\{9776DB00-EAEE-4b19-8002-7E338FF09BC9}.exe

Filesize
344KB

MD5
3fbe3b0c03b373b371cc30d63f682bab

SHA1
59215749f3d711ca4b69200aa93d7c9904d4f348

SHA256
e55f6f5649d19c465272d7d043c05d1467cf321fe9502dddeabc96b9a69bb9a0

SHA512
7a603a15e5327edd4ee065a755829aa6a32a3cea1aad7b62c09b035d718dc7abc4496a7d52407a15b2598aaf1f23e82f6170b5ff8a4131faa0640896bc418f19

Download Submit
C:\Windows\{97E1DF2A-1EC4-43cf-9BC4-08A035F0C992}.exe

Filesize
344KB

MD5
f0090190eeb35819843e757cba618aac

SHA1
971bd02acdf0b587439092c01b4e8b0bae359cce

SHA256
7a820fd61fab9fd09a58a7847c9ab3125f05aa8bff4c466e8f0ee5929351869c

SHA512
47c7e5aa348e7f488fd81a16d30ccbf042ce606cb0200cfa6da46605a840a59048d53b8851d752b0d936610493d253fdc011ba0c5fbcbfce67c7038b64121f32

Download Submit
C:\Windows\{A5A34D73-C356-47f2-893B-892E75348BBE}.exe

Filesize
344KB

MD5
2bb849ab6452644bb43c16a40253e1cf

SHA1
5664fdfae1af248f6e9622a1ec1cc2ff24776528

SHA256
900206da5e753773311bfc1991edfd16f75d5a7df15d632e5bc17b615f011340

SHA512
a867366037238aef590a321641a11db349d46cb2a0be91b3daa4b0583d09fbb5d7f4ab8710a1e1422bfecdb68d25f7421c519e39e26c17901a24fe850e640421

Download Submit
C:\Windows\{C7F2FE21-61A3-403a-8505-E13D2A729176}.exe

Filesize
344KB

MD5
908b52d3d3defdbf4580e76b569a7d92

SHA1
701108df74b2e9cde6d11df7f31b7621674ff5c1

SHA256
6e4a8b07df1cc9b864fef42a173e4c4d3192aa378aa512644a5a0d2a35560786

SHA512
6aa6966c53fc3d46b8062367f9778996e6d7a5393c29aca736f444165d027c4ff2633a790c5f9a220a9b2151ccd3aacc85fa8db1cfcb35c67740edf239755fda

Download Submit
C:\Windows\{D19EFB11-763F-46bc-9FCA-B1D14CE69DB1}.exe

Filesize
344KB

MD5
c5404eb71c888f1038280dc1f1158756

SHA1
fe38ad6cf818ec3d1fcfb8c59e398b9587d540e6

SHA256
793534c3edc3aef22b5b0d2cf314ddbbadeec161b1ed41432cb7240c09cdb42b

SHA512
50081e96103833300a3cbe487adf6b33feb1d047ebe704d06d21e7ac16fbee46956f1960bbae3dc10845e4b047cb880ad3172791bde0b68a50f0ca41ce250a0b

Download Submit
C:\Windows\{DF8E4551-320A-4e0a-AA22-56E1A6F93F7B}.exe

Filesize
344KB

MD5
012d0d2faff897a21c9c7f63d7811695

SHA1
00a9a43a6433d57be9342f3845cb6a4a1cfa8a30

SHA256
7abdea45ad0a51eeb0f9a1e3d9ed5f6b2395a2a7a4c46b25e21128c76b23f93c

SHA512
74c3b9b08554a4d38b69776c64e6ffa5c9eca20a7426ce15c4cf53a5b5c3659d5101b3973a500a4c38a6989fac051e2f6f65e28e73f22b46efdd2937b97f4d87

Download Submit
C:\Windows\{E11CA3AE-D5A1-4278-96E0-D89188CA736E}.exe

Filesize
344KB

MD5
33947646eaab96b6d344542411628607

SHA1
e277b051912340c25b97835caf039b96f4bdd1a3

SHA256
6c0624cd1fc86edd65756833f04c0a0b64c2e40fe3bad60fb15673890922c0c2

SHA512
7a5818adc2706b46fabcd5ba172386c32084631144f3732f18467925a789d584d13b5cf1313ea2f8a21377f2c31327c9212ba7869239bf73378eb2c3bf35df71

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads