4bca5e029ff5df9fce64aeabb079443625ccfcc66fd1d78e1882731c4a10a8ab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Size

380KB
MD5

39858076ad8c772e14145879763d0a0d
SHA1

e1977a13a1ba98d99ace8f1d3c84eae09f049463
SHA256

4bca5e029ff5df9fce64aeabb079443625ccfcc66fd1d78e1882731c4a10a8ab
SHA512

eb26902d9e9b09a46852b6e0dd38d70fc44fe3a378f194f1add5952e5fbd4c5d6851a83aed51fd1a5b4469e6dd896423bbbee9944e73f9fa6599fed36ec5496c
SSDEEP

3072:mEGh0ozlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGRl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231f8-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000018062-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000018062-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000018062-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{120ECDC0-6549-42e8-A883-8558964105B7}	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6294DCC1-13C6-41b5-8FF8-E75C72661E39}	{120ECDC0-6549-42e8-A883-8558964105B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6294DCC1-13C6-41b5-8FF8-E75C72661E39}\stubpath = "C:\\Windows\\{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe"	{120ECDC0-6549-42e8-A883-8558964105B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE96C195-63D1-40e8-A150-A37296695152}\stubpath = "C:\\Windows\\{AE96C195-63D1-40e8-A150-A37296695152}.exe"	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}\stubpath = "C:\\Windows\\{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe"	{AE96C195-63D1-40e8-A150-A37296695152}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57E66A1-E678-414f-B1D4-16B4FBD36B21}\stubpath = "C:\\Windows\\{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe"	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}\stubpath = "C:\\Windows\\{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe"	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02AD7372-0367-4bc9-969C-C6FDDF5F2503}\stubpath = "C:\\Windows\\{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe"	{A903D05C-FFF2-4588-B656-0215683605DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}\stubpath = "C:\\Windows\\{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe"	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}	{AE96C195-63D1-40e8-A150-A37296695152}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC3837C-8412-47da-9D49-09218D0213DE}	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}\stubpath = "C:\\Windows\\{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe"	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57E66A1-E678-414f-B1D4-16B4FBD36B21}	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A903D05C-FFF2-4588-B656-0215683605DB}\stubpath = "C:\\Windows\\{A903D05C-FFF2-4588-B656-0215683605DB}.exe"	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EF15ECE-9790-4317-AB01-4D837D68F646}	{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EF15ECE-9790-4317-AB01-4D837D68F646}\stubpath = "C:\\Windows\\{5EF15ECE-9790-4317-AB01-4D837D68F646}.exe"	{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC3837C-8412-47da-9D49-09218D0213DE}\stubpath = "C:\\Windows\\{1BC3837C-8412-47da-9D49-09218D0213DE}.exe"	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{120ECDC0-6549-42e8-A883-8558964105B7}\stubpath = "C:\\Windows\\{120ECDC0-6549-42e8-A883-8558964105B7}.exe"	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A903D05C-FFF2-4588-B656-0215683605DB}	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02AD7372-0367-4bc9-969C-C6FDDF5F2503}	{A903D05C-FFF2-4588-B656-0215683605DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE96C195-63D1-40e8-A150-A37296695152}	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe
3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe
1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe
3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe
4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe
3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe
4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe
2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe
644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe
2224	{A903D05C-FFF2-4588-B656-0215683605DB}.exe
4356	{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe
392	{5EF15ECE-9790-4317-AB01-4D837D68F646}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe	{AE96C195-63D1-40e8-A150-A37296695152}.exe
File created	C:\Windows\{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe
File created	C:\Windows\{A903D05C-FFF2-4588-B656-0215683605DB}.exe	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe
File created	C:\Windows\{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe	{A903D05C-FFF2-4588-B656-0215683605DB}.exe
File created	C:\Windows\{5EF15ECE-9790-4317-AB01-4D837D68F646}.exe	{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe
File created	C:\Windows\{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe	{120ECDC0-6549-42e8-A883-8558964105B7}.exe
File created	C:\Windows\{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
File created	C:\Windows\{AE96C195-63D1-40e8-A150-A37296695152}.exe	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe
File created	C:\Windows\{1BC3837C-8412-47da-9D49-09218D0213DE}.exe	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe
File created	C:\Windows\{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe
File created	C:\Windows\{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe
File created	C:\Windows\{120ECDC0-6549-42e8-A883-8558964105B7}.exe	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2444	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe
Token: SeIncBasePriorityPrivilege	3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe
Token: SeIncBasePriorityPrivilege	1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe
Token: SeIncBasePriorityPrivilege	3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe
Token: SeIncBasePriorityPrivilege	4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe
Token: SeIncBasePriorityPrivilege	3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe
Token: SeIncBasePriorityPrivilege	4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe
Token: SeIncBasePriorityPrivilege	2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe
Token: SeIncBasePriorityPrivilege	644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe
Token: SeIncBasePriorityPrivilege	2224	{A903D05C-FFF2-4588-B656-0215683605DB}.exe
Token: SeIncBasePriorityPrivilege	4356	{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4944	2444	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	91
PID 2444 wrote to memory of 4944	2444	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	91
PID 2444 wrote to memory of 4944	2444	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	91
PID 2444 wrote to memory of 920	2444	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	92
PID 2444 wrote to memory of 920	2444	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	92
PID 2444 wrote to memory of 920	2444	2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe	92
PID 4944 wrote to memory of 3480	4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe	93
PID 4944 wrote to memory of 3480	4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe	93
PID 4944 wrote to memory of 3480	4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe	93
PID 4944 wrote to memory of 4892	4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe	94
PID 4944 wrote to memory of 4892	4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe	94
PID 4944 wrote to memory of 4892	4944	{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe	94
PID 3480 wrote to memory of 1356	3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe	96
PID 3480 wrote to memory of 1356	3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe	96
PID 3480 wrote to memory of 1356	3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe	96
PID 3480 wrote to memory of 2064	3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe	97
PID 3480 wrote to memory of 2064	3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe	97
PID 3480 wrote to memory of 2064	3480	{AE96C195-63D1-40e8-A150-A37296695152}.exe	97
PID 1356 wrote to memory of 3484	1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe	98
PID 1356 wrote to memory of 3484	1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe	98
PID 1356 wrote to memory of 3484	1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe	98
PID 1356 wrote to memory of 5056	1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe	99
PID 1356 wrote to memory of 5056	1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe	99
PID 1356 wrote to memory of 5056	1356	{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe	99
PID 3484 wrote to memory of 4504	3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe	100
PID 3484 wrote to memory of 4504	3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe	100
PID 3484 wrote to memory of 4504	3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe	100
PID 3484 wrote to memory of 1168	3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe	101
PID 3484 wrote to memory of 1168	3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe	101
PID 3484 wrote to memory of 1168	3484	{1BC3837C-8412-47da-9D49-09218D0213DE}.exe	101
PID 4504 wrote to memory of 3036	4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe	102
PID 4504 wrote to memory of 3036	4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe	102
PID 4504 wrote to memory of 3036	4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe	102
PID 4504 wrote to memory of 880	4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe	103
PID 4504 wrote to memory of 880	4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe	103
PID 4504 wrote to memory of 880	4504	{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe	103
PID 3036 wrote to memory of 4976	3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe	104
PID 3036 wrote to memory of 4976	3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe	104
PID 3036 wrote to memory of 4976	3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe	104
PID 3036 wrote to memory of 5036	3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe	105
PID 3036 wrote to memory of 5036	3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe	105
PID 3036 wrote to memory of 5036	3036	{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe	105
PID 4976 wrote to memory of 2920	4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe	106
PID 4976 wrote to memory of 2920	4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe	106
PID 4976 wrote to memory of 2920	4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe	106
PID 4976 wrote to memory of 2880	4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe	107
PID 4976 wrote to memory of 2880	4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe	107
PID 4976 wrote to memory of 2880	4976	{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe	107
PID 2920 wrote to memory of 644	2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe	108
PID 2920 wrote to memory of 644	2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe	108
PID 2920 wrote to memory of 644	2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe	108
PID 2920 wrote to memory of 3068	2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe	109
PID 2920 wrote to memory of 3068	2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe	109
PID 2920 wrote to memory of 3068	2920	{120ECDC0-6549-42e8-A883-8558964105B7}.exe	109
PID 644 wrote to memory of 2224	644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe	110
PID 644 wrote to memory of 2224	644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe	110
PID 644 wrote to memory of 2224	644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe	110
PID 644 wrote to memory of 4388	644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe	111
PID 644 wrote to memory of 4388	644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe	111
PID 644 wrote to memory of 4388	644	{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe	111
PID 2224 wrote to memory of 4356	2224	{A903D05C-FFF2-4588-B656-0215683605DB}.exe	112
PID 2224 wrote to memory of 4356	2224	{A903D05C-FFF2-4588-B656-0215683605DB}.exe	112
PID 2224 wrote to memory of 4356	2224	{A903D05C-FFF2-4588-B656-0215683605DB}.exe	112
PID 2224 wrote to memory of 856	2224	{A903D05C-FFF2-4588-B656-0215683605DB}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_39858076ad8c772e14145879763d0a0d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe
  C:\Windows\{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\{AE96C195-63D1-40e8-A150-A37296695152}.exe
    C:\Windows\{AE96C195-63D1-40e8-A150-A37296695152}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe
      C:\Windows\{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\{1BC3837C-8412-47da-9D49-09218D0213DE}.exe
        
        C:\Windows\{1BC3837C-8412-47da-9D49-09218D0213DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe
        
        C:\Windows\{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe
        
        C:\Windows\{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe
        
        C:\Windows\{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{120ECDC0-6549-42e8-A883-8558964105B7}.exe
        
        C:\Windows\{120ECDC0-6549-42e8-A883-8558964105B7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe
        
        C:\Windows\{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\{A903D05C-FFF2-4588-B656-0215683605DB}.exe
        
        C:\Windows\{A903D05C-FFF2-4588-B656-0215683605DB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe
        
        C:\Windows\{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\{5EF15ECE-9790-4317-AB01-4D837D68F646}.exe
        
        C:\Windows\{5EF15ECE-9790-4317-AB01-4D837D68F646}.exe
        13⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02AD7~1.EXE > nul
        13⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A903D~1.EXE > nul
        12⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6294D~1.EXE > nul
        11⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{120EC~1.EXE > nul
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91E68~1.EXE > nul
        9⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A57E6~1.EXE > nul
        8⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4E23~1.EXE > nul
        7⤵
        
        PID:880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BC38~1.EXE > nul
        6⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D43BB~1.EXE > nul
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE96C~1.EXE > nul
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AB068~1.EXE > nul
    3⤵
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02AD7372-0367-4bc9-969C-C6FDDF5F2503}.exe

Filesize
380KB

MD5
28e5775c5ca35acd26f2e658a2d32adb

SHA1
dec701ce4b240cb7d1bbee7b1c9c4dcc863647a9

SHA256
9320190e5da2b135664ba5c3e966d9ee3644feb11fa3f91c7dbe80496ec8a2f3

SHA512
67caa86f7c88c51405b849e790f383e04de8ba84929a79c0775b7d5377a2ace2b13a6d8d4c30b9188739890a3cc3fc6a0aa660fa20199ac480ed9cffab59aa4d

Download Submit
C:\Windows\{120ECDC0-6549-42e8-A883-8558964105B7}.exe

Filesize
380KB

MD5
305f90f9126b6bdd88bed3ba49a9f1e0

SHA1
4815d9e33ad55cea00cf6b4639bf745d98e56eb3

SHA256
e36a4c002e7fca1f2f062cf387a761f5fb20966b61c5c50eaacb4dfdbfd4f68b

SHA512
1b094b88d611fdfb54499a3ffec21c1af41a16cb2d621a8e7e03480a255614730eb6e6ce820117e961f0a5770de6a6ea4bc68074d9e940e50bb003c9d4bd5dab

Download Submit
C:\Windows\{1BC3837C-8412-47da-9D49-09218D0213DE}.exe

Filesize
380KB

MD5
c8e9cc4994d24f7a20bc509dc993a9e3

SHA1
035fa9b02e0455d1d42ccc993b1a632c6e8e915c

SHA256
ecc4cec9cc895404468d09b90fe72ec74b33d08e4b6eb041dcc2f898e9aaa058

SHA512
b902316f9b7a56ce4553034720030e1968d21b18380096fdc1bf7afc5b2337aa9f306008a7e02f6bca7fbbe497a51cd49fc404110d3165ae1308286203241bcd

Download Submit
C:\Windows\{5EF15ECE-9790-4317-AB01-4D837D68F646}.exe

Filesize
380KB

MD5
b782d9dc62c988b0ef48819b8a001276

SHA1
e2d007717c74911d930dcb25ef4d9789a010ece4

SHA256
65e4d48d717ceb4c8cfc125a2059df7c8bc82d76e63130f6fe97fcb0831beaa5

SHA512
f1974de2db1887cd45ebff5688ace623dd631f3beed21524c3f1103bbda15182171c68af9e3da52567d22d9d7dc61ae6deccc596d458a390862637611238f4f2

Download Submit
C:\Windows\{6294DCC1-13C6-41b5-8FF8-E75C72661E39}.exe

Filesize
380KB

MD5
06cc40086a63fdf8776e5554503bc52c

SHA1
eb74bb99e35004fe725b19227b542992aae6f908

SHA256
ae5d9a874fab19830d24c9c4944df323a7650217dcdbca95f8ef99a1cc79c6a1

SHA512
a2459327feeaf656222f40421c54028123c3f31e3e4c1fed7d7bcbbc2a17f5913fecb11b3bf55758ca043d27bb1b7267b12225e01b8beb41fb429ef3a7c4ef0c

Download Submit
C:\Windows\{91E68F45-ABBB-4ba1-8602-E0380A1BB44E}.exe

Filesize
380KB

MD5
9a7eaa91a9d9671d5085c8298b16007b

SHA1
b5b1feb0051188655cfeabe980281a89a5763e90

SHA256
e81255a57319370b679113898ad17fc3a0fd0e991640ce707304d4094a67cea9

SHA512
b24d00daa269b051e1d540aa0543586a90a010fd6b41e1383351278f41c28817e8e1cab7d83f02e58b1a76f6deed922289e166d6adc4b5e90f685cdddd019db1

Download Submit
C:\Windows\{A57E66A1-E678-414f-B1D4-16B4FBD36B21}.exe

Filesize
380KB

MD5
a84823ba3d1e0ac66f2a6e43286cf087

SHA1
c115831bdf4fc3be35189fc40de9f7edc7d4ac76

SHA256
59f5cb4b2b055b545e9aab0209c9daaa619dcb5e929c8276ab09773a2ea078ed

SHA512
213ed24db333f94904ae8ec05e151b07751bf60c1202642f942927a815524c3b57b786dc97c8d4b05c61ee6ffccad2726a738185b93a69dda87ffa6d0ddfc920

Download Submit
C:\Windows\{A903D05C-FFF2-4588-B656-0215683605DB}.exe

Filesize
380KB

MD5
b78093cca515d7f8ed2b6000c4e7e689

SHA1
601856f34fbbe010426bd6ab91f7b612de3cbeb3

SHA256
10a36eeba6f36a4ae93d6ec44b8a4f2009e6ca81eadcc38c5e16390254209342

SHA512
635abcebb36b2d730a189ebe975c3ac1c3bbc7d7d5e5ea705cc9a772a18e961ede99e63dcd966a8e8e25bf129e570e64b7eacb3f4cd284eaf532ae09d04b38f5

Download Submit
C:\Windows\{AB0680A1-5524-46ce-8BAB-4DC3EEB541A4}.exe

Filesize
380KB

MD5
725861d6cb0acc82dbd05bf108a34370

SHA1
947547798ebceeeedc66a19ddcb62f49eb9492d1

SHA256
d908d3cbee9fac6c603b521839924e9f5e2a6e7c78f2b43a6d45887f809874d8

SHA512
cf3d389721d675f11d7309b0167e9f47e0c8718d594e436d5615b62a7b0bc67c3ece1055928ec4cb4cad3bc790499a8aaa8c261d78b08dd656ec14d8f0629ece

Download Submit
C:\Windows\{AE96C195-63D1-40e8-A150-A37296695152}.exe

Filesize
380KB

MD5
7137f6d005854137581d259df47fc8e2

SHA1
db7a9a280f69cab2005147662c418227bf277918

SHA256
358f474eefdd4ce91bb9fb1014ba6b855b2a860eace7d18b3d1a5be818cc812b

SHA512
134f3fc612d66a5a5e7b8e7680c89c2417213b9fe0738b83d4f9159a179290274983e8bd30f5ac1f77c327041ee03211210429b3aeb5042c6a29e44cd5a12c7f

Download Submit
C:\Windows\{D43BB5B5-8F1E-438e-8DA9-45CE0BC21D30}.exe

Filesize
380KB

MD5
f8a3e6f7ec96e4ed1bd785ac2569a4f2

SHA1
d1e1d9bca5ae9ca4f53baacaab2addd03a17eb03

SHA256
bcd6d6a97b341094783f359081887ce6a470aaca60bacd9a445916ea6dda783c

SHA512
c6b7ca96d1d28adde5004a4e8b90a8ff842418e5fca443fe7b08b47f04fc31e27961c4d2e27974b732d1e1fec3d0d2df709ab5608e8ccdd56a48c2c92be2f5b7

Download Submit
C:\Windows\{E4E239EB-3BBC-4845-AE41-0F22CA46EF0C}.exe

Filesize
380KB

MD5
b3f2e14bea7e8489d7b6b656e6f9a7c4

SHA1
45046f17c2688c49a48412adfff46bf7989698c1

SHA256
cf79de1c6c238320236215b3dbe3ac6268427d36c2e6fcd60a2237f6a0b86ffb

SHA512
0f54b098e7556fb46b95d53cec44dae70ac6321e1c41fd97563ff0e3c8bdf68f80ec1e9c95c936cc07f24d1d6986d4a509c8feb55ca9f482a63e33bfe03bba8e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads