f1c14f366ea2d1acfd329c249f2ff78e407421ba9a6db2d729d969f8122df589

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe
Size

408KB
MD5

534e83fa30e56b024711d651fe303b61
SHA1

5bdf4c7a3e01db9ff46d77d178f205c538927adf
SHA256

f1c14f366ea2d1acfd329c249f2ff78e407421ba9a6db2d729d969f8122df589
SHA512

b90a315c9e3548af4c32afe04a4ab9d9e2666d5bbe50b4900922e0a30bc2ce61eae22ff3650c2cd2d3b165ed351a05c91095393b6da35a649c3a6fd524a5c012
SSDEEP

3072:CEGh0otl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGfldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023147-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db36-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001db36-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b3f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001db36-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C175782-D5EB-4336-949D-C8534074CCBD}\stubpath = "C:\\Windows\\{4C175782-D5EB-4336-949D-C8534074CCBD}.exe"	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}\stubpath = "C:\\Windows\\{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe"	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}\stubpath = "C:\\Windows\\{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe"	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{036DBADB-094D-4d88-985B-107B46A14E8D}\stubpath = "C:\\Windows\\{036DBADB-094D-4d88-985B-107B46A14E8D}.exe"	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}\stubpath = "C:\\Windows\\{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe"	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F789E3E5-FD24-48e1-8E80-F88D6AED9696}	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05339A79-E471-4a91-8AEE-8D5DA2338602}	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C175782-D5EB-4336-949D-C8534074CCBD}	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}\stubpath = "C:\\Windows\\{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe"	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}\stubpath = "C:\\Windows\\{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe"	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED79BD76-DE39-46c1-94B2-0A375F3CE946}	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED79BD76-DE39-46c1-94B2-0A375F3CE946}\stubpath = "C:\\Windows\\{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe"	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F789E3E5-FD24-48e1-8E80-F88D6AED9696}\stubpath = "C:\\Windows\\{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe"	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{036DBADB-094D-4d88-985B-107B46A14E8D}	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}\stubpath = "C:\\Windows\\{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe"	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}	{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}\stubpath = "C:\\Windows\\{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe"	{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05339A79-E471-4a91-8AEE-8D5DA2338602}\stubpath = "C:\\Windows\\{05339A79-E471-4a91-8AEE-8D5DA2338602}.exe"	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe

Executes dropped EXE 11 IoCs

pid	Process
4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe
908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe
2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe
676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe
1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe
2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe
4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe
1092	{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe
4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe
464	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe
2400	{05339A79-E471-4a91-8AEE-8D5DA2338602}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe
File created	C:\Windows\{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe
File created	C:\Windows\{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe
File created	C:\Windows\{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe
File created	C:\Windows\{036DBADB-094D-4d88-985B-107B46A14E8D}.exe	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe
File created	C:\Windows\{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe
File created	C:\Windows\{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe
File created	C:\Windows\{4C175782-D5EB-4336-949D-C8534074CCBD}.exe	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe
File created	C:\Windows\{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe
File created	C:\Windows\{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe
File created	C:\Windows\{05339A79-E471-4a91-8AEE-8D5DA2338602}.exe	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe
Token: SeIncBasePriorityPrivilege	908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe
Token: SeIncBasePriorityPrivilege	2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe
Token: SeIncBasePriorityPrivilege	676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe
Token: SeIncBasePriorityPrivilege	1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe
Token: SeIncBasePriorityPrivilege	2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe
Token: SeIncBasePriorityPrivilege	4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe
Token: SeIncBasePriorityPrivilege	3180	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe
Token: SeIncBasePriorityPrivilege	4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe
Token: SeIncBasePriorityPrivilege	464	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4892	2108	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe	90
PID 2108 wrote to memory of 4892	2108	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe	90
PID 2108 wrote to memory of 4892	2108	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe	90
PID 2108 wrote to memory of 4916	2108	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe	91
PID 2108 wrote to memory of 4916	2108	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe	91
PID 2108 wrote to memory of 4916	2108	2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe	91
PID 4892 wrote to memory of 908	4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe	97
PID 4892 wrote to memory of 908	4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe	97
PID 4892 wrote to memory of 908	4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe	97
PID 4892 wrote to memory of 2980	4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe	98
PID 4892 wrote to memory of 2980	4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe	98
PID 4892 wrote to memory of 2980	4892	{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe	98
PID 908 wrote to memory of 2568	908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe	100
PID 908 wrote to memory of 2568	908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe	100
PID 908 wrote to memory of 2568	908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe	100
PID 908 wrote to memory of 1944	908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe	101
PID 908 wrote to memory of 1944	908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe	101
PID 908 wrote to memory of 1944	908	{4C175782-D5EB-4336-949D-C8534074CCBD}.exe	101
PID 2568 wrote to memory of 676	2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe	102
PID 2568 wrote to memory of 676	2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe	102
PID 2568 wrote to memory of 676	2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe	102
PID 2568 wrote to memory of 3744	2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe	103
PID 2568 wrote to memory of 3744	2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe	103
PID 2568 wrote to memory of 3744	2568	{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe	103
PID 676 wrote to memory of 1340	676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe	104
PID 676 wrote to memory of 1340	676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe	104
PID 676 wrote to memory of 1340	676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe	104
PID 676 wrote to memory of 1524	676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe	105
PID 676 wrote to memory of 1524	676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe	105
PID 676 wrote to memory of 1524	676	{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe	105
PID 1340 wrote to memory of 2428	1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe	106
PID 1340 wrote to memory of 2428	1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe	106
PID 1340 wrote to memory of 2428	1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe	106
PID 1340 wrote to memory of 3032	1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe	107
PID 1340 wrote to memory of 3032	1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe	107
PID 1340 wrote to memory of 3032	1340	{036DBADB-094D-4d88-985B-107B46A14E8D}.exe	107
PID 2428 wrote to memory of 4436	2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe	108
PID 2428 wrote to memory of 4436	2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe	108
PID 2428 wrote to memory of 4436	2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe	108
PID 2428 wrote to memory of 1976	2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe	109
PID 2428 wrote to memory of 1976	2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe	109
PID 2428 wrote to memory of 1976	2428	{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe	109
PID 4436 wrote to memory of 1092	4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe	110
PID 4436 wrote to memory of 1092	4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe	110
PID 4436 wrote to memory of 1092	4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe	110
PID 4436 wrote to memory of 4312	4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe	111
PID 4436 wrote to memory of 4312	4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe	111
PID 4436 wrote to memory of 4312	4436	{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe	111
PID 3180 wrote to memory of 4028	3180	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe	114
PID 3180 wrote to memory of 4028	3180	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe	114
PID 3180 wrote to memory of 4028	3180	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe	114
PID 3180 wrote to memory of 4452	3180	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe	115
PID 3180 wrote to memory of 4452	3180	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe	115
PID 3180 wrote to memory of 4452	3180	{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe	115
PID 4028 wrote to memory of 464	4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe	116
PID 4028 wrote to memory of 464	4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe	116
PID 4028 wrote to memory of 464	4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe	116
PID 4028 wrote to memory of 4668	4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe	117
PID 4028 wrote to memory of 4668	4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe	117
PID 4028 wrote to memory of 4668	4028	{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe	117
PID 464 wrote to memory of 2400	464	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe	118
PID 464 wrote to memory of 2400	464	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe	118
PID 464 wrote to memory of 2400	464	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe	118
PID 464 wrote to memory of 3588	464	{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_534e83fa30e56b024711d651fe303b61_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe
  C:\Windows\{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\{4C175782-D5EB-4336-949D-C8534074CCBD}.exe
    C:\Windows\{4C175782-D5EB-4336-949D-C8534074CCBD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe
      C:\Windows\{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe
        
        C:\Windows\{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Windows\{036DBADB-094D-4d88-985B-107B46A14E8D}.exe
        
        C:\Windows\{036DBADB-094D-4d88-985B-107B46A14E8D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe
        
        C:\Windows\{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe
        
        C:\Windows\{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe
        
        C:\Windows\{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe
        
        C:\Windows\{2DA84AF8-BC56-4824-AFF1-B016A9097CCE}.exe
        10⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe
        
        C:\Windows\{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe
        
        C:\Windows\{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{05339A79-E471-4a91-8AEE-8D5DA2338602}.exe
        
        C:\Windows\{05339A79-E471-4a91-8AEE-8D5DA2338602}.exe
        13⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F789E~1.EXE > nul
        13⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED79B~1.EXE > nul
        12⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DA84~1.EXE > nul
        11⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D985~1.EXE > nul
        10⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21CDF~1.EXE > nul
        9⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CBA8~1.EXE > nul
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{036DB~1.EXE > nul
        7⤵
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F0C~1.EXE > nul
        6⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7228~1.EXE > nul
        5⤵
        
        PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C175~1.EXE > nul
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{99B5B~1.EXE > nul
    3⤵
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{036DBADB-094D-4d88-985B-107B46A14E8D}.exe

Filesize
408KB

MD5
cd9db429cecb224729685a8d5f078767

SHA1
f6b413573ee54e420ac60f6fd039dc4481367519

SHA256
74183204ac65b1674aec0cd18fcc3c69a1743c3a646b6654f05c719bd31a0f9c

SHA512
630ff69e78f7380e3b9f074e8dbc8091e943e9b527d2c8a07f2d1001d28a69fbe460f7e4313f84af749a2a6ddfff6ce7572905ec20c6841aac41afdc12ea97a8

Download Submit
C:\Windows\{05339A79-E471-4a91-8AEE-8D5DA2338602}.exe

Filesize
408KB

MD5
717f8bb39854d720891d5713c81d08e3

SHA1
f2ca95a9e341cbfb961376ad8dfd9b67039977cf

SHA256
f7b2f8da5996365500a08cc82b13081e6c0190c1ccb1f2ea79e502588ea8a271

SHA512
25ce5905ebf210b721dec471c7bf5764b220f9f9098aab4330a157324a7ec512b9e86647a4ad2c00e4ee64a1fbaf3312e1fa288126e412e3a980262dc3b59bed

Download Submit
C:\Windows\{21CDF3BE-75CC-4a6f-B5DA-8F6B1B75C361}.exe

Filesize
408KB

MD5
db2ca69f88a9696a41ae8f9c10c04322

SHA1
a1c6259ebe40d9013a04214d80904c8690a23648

SHA256
36ac9adbf144308ba72dd4cfb827a39322117b1c4bc83f068dd56b23e1353230

SHA512
91cd726262d9a7dab2294760547408384092533e068bb43d537573027f5b787e95f22fb9748b107e3f66784d9a4111808da78cc7e23dd30bd80b09e3bc2a94a4

Download Submit
C:\Windows\{44F0C9BB-C153-4e6c-9F1E-A5F792B85DD8}.exe

Filesize
408KB

MD5
a2bf169b83369b6adcf897513e24f385

SHA1
650382b2387a353f07af9d62caaf6940ee6149a5

SHA256
7fe8ed4a5defc7924ca5400fb7f22c31be5dab2521cf1fc33893d74152135921

SHA512
74a2c8843d9c3b9b6ec50f66f5fa6c04d9206ba98cb5c08f6cd442c8c6725d6c366bc706fd46cac20ffa5574b33741b380f868c852374d293afe11d918860b01

Download Submit
C:\Windows\{4C175782-D5EB-4336-949D-C8534074CCBD}.exe

Filesize
408KB

MD5
d348ba7ac5bef09e925ea85f57b275ac

SHA1
e11d3aa265fa0f5b81b31e913f47b5a746f96143

SHA256
0f8e400d0aab0d3acc962ccdbe6422d0f219ffa815e6f87b1da66033c3bf6793

SHA512
cde4e7d0a2373874753104d1e9643d9433c5e12000117b0df1429dfb919eebfc7d5f7757ccbcb8ca057a9bfe55324b457ba217ef708423134a6f4b011467478b

Download Submit
C:\Windows\{4D9853B3-F72C-4da6-8E93-B9E3DCA811D2}.exe

Filesize
408KB

MD5
47bbc54558ccd9c3a6d1db4b4a87b083

SHA1
87fb88dfad284e0edc8024668f06607699665254

SHA256
7e229723f06fde4549d76a3d1c3e6e5e118edbfcff0bc681d5462eb829c8162a

SHA512
a0058677a01ffd86cf1f3ad051473bf28b6e7ca2070b62c863f649f63394e0ea867f23d478de0dfd7ead22aecac0fe62ce5d8f1c1ce9c2d157a63695b91a505d

Download Submit
C:\Windows\{6CBA8E9A-B2AB-4472-8A93-D0A451F5D378}.exe

Filesize
408KB

MD5
ae6d97055a4ac4b176aa6942ca35bd30

SHA1
77f13cf70a0645aed8384400a9e21c8bc135926b

SHA256
cc6750a52e02ad4aea77cd5bde29d3aafbd58ce802efb1a9e42feaea8c63b40a

SHA512
f2a514d811fbe47c6b15537bbc9ea94dde88237dd37a86049f232486d8e146e38e38d95c17202113465e7e669c54ff54d244d9d3d22cfa65b6e9972959e3d819

Download Submit
C:\Windows\{99B5B094-E167-4fe6-A82E-DDD5CDB6C1CC}.exe

Filesize
408KB

MD5
b5bf2fdf41dfb152811cecf83168464f

SHA1
3f2decde45e6d5819854017a000a597a827a4668

SHA256
49bae4afa74d8c4a3249503329112e526f4640f5c5b2766d30bb3e22c55ab4cb

SHA512
c15ced897a7827e82c8666512a7830589a03c9dd966e2254794b3e604501feefec2de87824cc63a85bef6e63d7ac8a39677ae8628be21188feb4686802e99fd9

Download Submit
C:\Windows\{E7228C08-4831-4411-A5AC-2DDBA0E0D1ED}.exe

Filesize
408KB

MD5
e41c2e860307c9f77c1c54780ceda11c

SHA1
1752b1cbef058520a6dc3ba26fac1d44e723859d

SHA256
a0984912e05a7fd2e756858b581f8f942be4487e3adc551ef8d996e9a9677065

SHA512
5af0c30d301653df449fa8cedfd890a8bd2117e3e279e5238520c72c6d80aaef896e6a1af5851d2fff88c505bdabfefdbf93b0fb478a4d4a25f24e12041546fc

Download Submit
C:\Windows\{ED79BD76-DE39-46c1-94B2-0A375F3CE946}.exe

Filesize
408KB

MD5
9499afc11a3456a41c8091c8c74407c3

SHA1
47aeac339ed7b6c368a4ebea4ff17ac3438bc1b6

SHA256
c4d310f13e3f24df838e62798d56087db406f5c76061ec6df1d95443eb3926a8

SHA512
7ccabe1340777f2917e5dd8a9bb004f607e160c68de5f4d91e82a28f9c8ea68ceba097192008a43777f732005c3f2a3d48ad0ef70a4ccc81a92fa494ffb9a8d7

Download Submit
C:\Windows\{F789E3E5-FD24-48e1-8E80-F88D6AED9696}.exe

Filesize
408KB

MD5
34881b72e31275a3f48d9641a16613d5

SHA1
ecca9cbcca8aa9978b90d24848e7c6cc8af137ea

SHA256
c3cf43add479ee3df7c164839f324320b61794c97ed5fa23f54d88bc14ad1705

SHA512
194d2c2edf7581733857139f19fd3ac7b8e9cf6fa4b6ced813e8cb10903716b7152ce71f22ad0d1337fa7d8c9bd2fe2620e84d16df008a00f73befa2a4cd54c0

Download Submit
memory/1092-31-0x0000000003930000-0x0000000003A0B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads