af979b692fab5aaec6de2fc9f94cd1683463a96bbad1275d3c7ac0c86d12af45

Analysis

max time kernel
149s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe
Size

216KB
MD5

3ac375d794471a8aa6ededc31543dc75
SHA1

910738ed4372e7b188f5ab9af20558e02c138d6b
SHA256

af979b692fab5aaec6de2fc9f94cd1683463a96bbad1275d3c7ac0c86d12af45
SHA512

847845c83b1a7baca0296a3be805310fb2d630bcc670ff0cf9531e8bf8395f9dfd449649d195b4b0694a95d261af5c512f8a2e1268369c27c5380f1e3bcd0776
SSDEEP

3072:jEGh0o/l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGBlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023215-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023210-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023210-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0482580-1628-449b-99CD-5738FAA3116B}\stubpath = "C:\\Windows\\{B0482580-1628-449b-99CD-5738FAA3116B}.exe"	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F227E652-612F-443e-8473-A75344336F6B}	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FDC3D98-E45D-40a4-A734-228EE5E8640F}\stubpath = "C:\\Windows\\{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe"	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB457FB-B5C6-418a-90A3-9F22A9911884}\stubpath = "C:\\Windows\\{8EB457FB-B5C6-418a-90A3-9F22A9911884}.exe"	{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C67A304B-FF2E-4687-AC5F-6B339409FB0B}	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A5A65F4-353A-4b4a-B0A8-73576BB82423}\stubpath = "C:\\Windows\\{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe"	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}\stubpath = "C:\\Windows\\{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe"	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0482580-1628-449b-99CD-5738FAA3116B}	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F227E652-612F-443e-8473-A75344336F6B}\stubpath = "C:\\Windows\\{F227E652-612F-443e-8473-A75344336F6B}.exe"	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}\stubpath = "C:\\Windows\\{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe"	{B0482580-1628-449b-99CD-5738FAA3116B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6011988B-03A6-44b1-8700-B6038E39972A}	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6011988B-03A6-44b1-8700-B6038E39972A}\stubpath = "C:\\Windows\\{6011988B-03A6-44b1-8700-B6038E39972A}.exe"	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}	{6011988B-03A6-44b1-8700-B6038E39972A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}\stubpath = "C:\\Windows\\{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe"	{6011988B-03A6-44b1-8700-B6038E39972A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB457FB-B5C6-418a-90A3-9F22A9911884}	{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}\stubpath = "C:\\Windows\\{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe"	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C67A304B-FF2E-4687-AC5F-6B339409FB0B}\stubpath = "C:\\Windows\\{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe"	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}	{B0482580-1628-449b-99CD-5738FAA3116B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24CA6A87-0828-4cd3-B246-C6277EE6F438}	{F227E652-612F-443e-8473-A75344336F6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24CA6A87-0828-4cd3-B246-C6277EE6F438}\stubpath = "C:\\Windows\\{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe"	{F227E652-612F-443e-8473-A75344336F6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FDC3D98-E45D-40a4-A734-228EE5E8640F}	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A5A65F4-353A-4b4a-B0A8-73576BB82423}	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe

Executes dropped EXE 12 IoCs

pid	Process
5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe
2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe
2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe
4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe
3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe
4976	{F227E652-612F-443e-8473-A75344336F6B}.exe
3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe
1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe
1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe
2872	{6011988B-03A6-44b1-8700-B6038E39972A}.exe
3004	{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe
4788	{8EB457FB-B5C6-418a-90A3-9F22A9911884}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe
File created	C:\Windows\{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe
File created	C:\Windows\{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe	{F227E652-612F-443e-8473-A75344336F6B}.exe
File created	C:\Windows\{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe
File created	C:\Windows\{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe
File created	C:\Windows\{6011988B-03A6-44b1-8700-B6038E39972A}.exe	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe
File created	C:\Windows\{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe
File created	C:\Windows\{B0482580-1628-449b-99CD-5738FAA3116B}.exe	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe
File created	C:\Windows\{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe	{B0482580-1628-449b-99CD-5738FAA3116B}.exe
File created	C:\Windows\{F227E652-612F-443e-8473-A75344336F6B}.exe	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe
File created	C:\Windows\{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe	{6011988B-03A6-44b1-8700-B6038E39972A}.exe
File created	C:\Windows\{8EB457FB-B5C6-418a-90A3-9F22A9911884}.exe	{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4320	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe
Token: SeIncBasePriorityPrivilege	2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe
Token: SeIncBasePriorityPrivilege	2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe
Token: SeIncBasePriorityPrivilege	4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe
Token: SeIncBasePriorityPrivilege	3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe
Token: SeIncBasePriorityPrivilege	4976	{F227E652-612F-443e-8473-A75344336F6B}.exe
Token: SeIncBasePriorityPrivilege	3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe
Token: SeIncBasePriorityPrivilege	1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe
Token: SeIncBasePriorityPrivilege	1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe
Token: SeIncBasePriorityPrivilege	2872	{6011988B-03A6-44b1-8700-B6038E39972A}.exe
Token: SeIncBasePriorityPrivilege	3004	{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 5056	4320	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe	97
PID 4320 wrote to memory of 5056	4320	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe	97
PID 4320 wrote to memory of 5056	4320	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe	97
PID 4320 wrote to memory of 1668	4320	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe	98
PID 4320 wrote to memory of 1668	4320	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe	98
PID 4320 wrote to memory of 1668	4320	2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe	98
PID 5056 wrote to memory of 2064	5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe	99
PID 5056 wrote to memory of 2064	5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe	99
PID 5056 wrote to memory of 2064	5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe	99
PID 5056 wrote to memory of 4152	5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe	100
PID 5056 wrote to memory of 4152	5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe	100
PID 5056 wrote to memory of 4152	5056	{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe	100
PID 2064 wrote to memory of 2364	2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe	102
PID 2064 wrote to memory of 2364	2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe	102
PID 2064 wrote to memory of 2364	2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe	102
PID 2064 wrote to memory of 1044	2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe	103
PID 2064 wrote to memory of 1044	2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe	103
PID 2064 wrote to memory of 1044	2064	{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe	103
PID 2364 wrote to memory of 4912	2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe	104
PID 2364 wrote to memory of 4912	2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe	104
PID 2364 wrote to memory of 4912	2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe	104
PID 2364 wrote to memory of 880	2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe	105
PID 2364 wrote to memory of 880	2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe	105
PID 2364 wrote to memory of 880	2364	{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe	105
PID 4912 wrote to memory of 3096	4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe	106
PID 4912 wrote to memory of 3096	4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe	106
PID 4912 wrote to memory of 3096	4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe	106
PID 4912 wrote to memory of 3100	4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe	107
PID 4912 wrote to memory of 3100	4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe	107
PID 4912 wrote to memory of 3100	4912	{B0482580-1628-449b-99CD-5738FAA3116B}.exe	107
PID 3096 wrote to memory of 4976	3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe	108
PID 3096 wrote to memory of 4976	3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe	108
PID 3096 wrote to memory of 4976	3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe	108
PID 3096 wrote to memory of 1068	3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe	109
PID 3096 wrote to memory of 1068	3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe	109
PID 3096 wrote to memory of 1068	3096	{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe	109
PID 4976 wrote to memory of 3752	4976	{F227E652-612F-443e-8473-A75344336F6B}.exe	110
PID 4976 wrote to memory of 3752	4976	{F227E652-612F-443e-8473-A75344336F6B}.exe	110
PID 4976 wrote to memory of 3752	4976	{F227E652-612F-443e-8473-A75344336F6B}.exe	110
PID 4976 wrote to memory of 3896	4976	{F227E652-612F-443e-8473-A75344336F6B}.exe	111
PID 4976 wrote to memory of 3896	4976	{F227E652-612F-443e-8473-A75344336F6B}.exe	111
PID 4976 wrote to memory of 3896	4976	{F227E652-612F-443e-8473-A75344336F6B}.exe	111
PID 3752 wrote to memory of 1664	3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe	112
PID 3752 wrote to memory of 1664	3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe	112
PID 3752 wrote to memory of 1664	3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe	112
PID 3752 wrote to memory of 4876	3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe	113
PID 3752 wrote to memory of 4876	3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe	113
PID 3752 wrote to memory of 4876	3752	{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe	113
PID 1664 wrote to memory of 1724	1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe	114
PID 1664 wrote to memory of 1724	1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe	114
PID 1664 wrote to memory of 1724	1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe	114
PID 1664 wrote to memory of 2224	1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe	115
PID 1664 wrote to memory of 2224	1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe	115
PID 1664 wrote to memory of 2224	1664	{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe	115
PID 1724 wrote to memory of 2872	1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe	116
PID 1724 wrote to memory of 2872	1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe	116
PID 1724 wrote to memory of 2872	1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe	116
PID 1724 wrote to memory of 2616	1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe	117
PID 1724 wrote to memory of 2616	1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe	117
PID 1724 wrote to memory of 2616	1724	{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe	117
PID 2872 wrote to memory of 3004	2872	{6011988B-03A6-44b1-8700-B6038E39972A}.exe	118
PID 2872 wrote to memory of 3004	2872	{6011988B-03A6-44b1-8700-B6038E39972A}.exe	118
PID 2872 wrote to memory of 3004	2872	{6011988B-03A6-44b1-8700-B6038E39972A}.exe	118
PID 2872 wrote to memory of 3068	2872	{6011988B-03A6-44b1-8700-B6038E39972A}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_3ac375d794471a8aa6ededc31543dc75_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe
  C:\Windows\{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe
    C:\Windows\{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe
      C:\Windows\{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\{B0482580-1628-449b-99CD-5738FAA3116B}.exe
        
        C:\Windows\{B0482580-1628-449b-99CD-5738FAA3116B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe
        
        C:\Windows\{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{F227E652-612F-443e-8473-A75344336F6B}.exe
        
        C:\Windows\{F227E652-612F-443e-8473-A75344336F6B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe
        
        C:\Windows\{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe
        
        C:\Windows\{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe
        
        C:\Windows\{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{6011988B-03A6-44b1-8700-B6038E39972A}.exe
        
        C:\Windows\{6011988B-03A6-44b1-8700-B6038E39972A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe
        
        C:\Windows\{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{8EB457FB-B5C6-418a-90A3-9F22A9911884}.exe
        
        C:\Windows\{8EB457FB-B5C6-418a-90A3-9F22A9911884}.exe
        13⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B4D~1.EXE > nul
        13⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60119~1.EXE > nul
        12⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FDC3~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF8E~1.EXE > nul
        10⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24CA6~1.EXE > nul
        9⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F227E~1.EXE > nul
        8⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B8C7~1.EXE > nul
        7⤵
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0482~1.EXE > nul
        6⤵
        
        PID:3100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A5A6~1.EXE > nul
        5⤵
        
        PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C67A3~1.EXE > nul
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D670A~1.EXE > nul
    3⤵
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24CA6A87-0828-4cd3-B246-C6277EE6F438}.exe

Filesize
216KB

MD5
b96aea0adf53f1bb4f44b6a7b5b5c763

SHA1
9cebd8c8026145d6882317b0dff9cd20b94057f4

SHA256
b6e1833f161d3cef74c5f2fd4a33646e932d511784d5175bf0f2c32e232163a8

SHA512
a16e3a227a30bf2ee0b81f53673aaa92b2809864427dbc529e09f892c8c7033475b5c16cb9f12870ef6d726a5b6a9a996b2c5a2be13d69b228b6c28eb755644e

Download Submit
C:\Windows\{4AF8E0AD-87E4-43e7-A168-D82D08CAC068}.exe

Filesize
216KB

MD5
2d376f010ce4a62304e8165b055fe4b9

SHA1
f76a3f612620e48d15ca4bba81023eac886122ab

SHA256
8c3a40b182a1dd0c1f441f5a8b69d8a288d2949c08c2489db5c1866ea8839966

SHA512
2f87440246a62598a0bc3cc6646337818e01f7af4216544c365aeb1bb05c868370cf0bf96570ccbd372df6582a7118cc04f1bf971c48eba06c47db494afd4324

Download Submit
C:\Windows\{5FDC3D98-E45D-40a4-A734-228EE5E8640F}.exe

Filesize
216KB

MD5
e13897c616729b4cd5b5426b020237a1

SHA1
acc82b9a6f142eeb1cd2f446a6ef18a9d67c647c

SHA256
dc0b41c7095cdf6cc4928d6ced24ceed5a36a4415c73c73a9931edc9c3bb401e

SHA512
7dd11555d916a0e9641e9961b96214c420aef433186a7944a075b79cfe7a7fc5f7163402388d925bd59ab18bc249398e137f2605377a380a69d0e3acb887ab03

Download Submit
C:\Windows\{6011988B-03A6-44b1-8700-B6038E39972A}.exe

Filesize
216KB

MD5
bb746ef84b4dbe52af097b89ee4fa80f

SHA1
3a85ab870588e29e36697c26346f303d46fadbad

SHA256
66da1548f76284a153885f2ef09af4794990e6f15b494f1cde3215e08c16c467

SHA512
ed61d4a864d105ef1115a2ebd071f45b2ad85cb294398477ce26717bd143d2255c8502cbb22bdd4a947916ff83b1809c8cdb4513363218d2d65f54d57ea94ba8

Download Submit
C:\Windows\{6B8C7BB9-13C9-4462-ABA6-1541C5D4F4A3}.exe

Filesize
216KB

MD5
355b79ff3f32dcc9ecdf09cbdba29485

SHA1
103f9a58c8b4fc27a98d2570cb31ea1af2b3df3d

SHA256
429a81150ecf67c7a72ab32cb9c194d043ea7d1df2adaa389dbf42afbd9ffb35

SHA512
32fbffb4148d831b8cf39d99796cf6a1d6aab559e01e290b056be8f3aeb6b85505790c1497ffd7facfd120bc7ddc7ed3727477254c4e5976ecb0448dd6257d3e

Download Submit
C:\Windows\{8A5A65F4-353A-4b4a-B0A8-73576BB82423}.exe

Filesize
216KB

MD5
9a6db067d5466a429703a70425cd617b

SHA1
e54cfa55cdfc88da8bb125c0e03a733ed46b6224

SHA256
4068293223c38a6565e6a8f1e035f48b90f985540afd85d06418708547212c26

SHA512
0eb51571771a0c58dc89217c2c79a02c6e6c67ba0252ec8381a86b8204809bbedd5067ef862daf74bf93b6d19999aa31ad532f9991f734a1b4276ae7aa3d172f

Download Submit
C:\Windows\{8EB457FB-B5C6-418a-90A3-9F22A9911884}.exe

Filesize
216KB

MD5
aa8dc2b3a88df07b5f4c5660577426e7

SHA1
20eaf364e7c93bc5099b91581cb2ed2b3f3b9ecc

SHA256
49e0d158986b7d3791187774beb19ec450c8b7bc1fd473000a1c54dfeaf14f48

SHA512
2c2a42a67577c3d35e1d9381e677f18f214b07bf0584c491e23f35d4e29520bc61600d1258bab3652f6e12a730f90a706f4fb5b310cea653b94eed27b1dddf47

Download Submit
C:\Windows\{B0482580-1628-449b-99CD-5738FAA3116B}.exe

Filesize
216KB

MD5
fe30201685c0b20d36545d227a4a90e8

SHA1
95fe26384e4c7fa36b3d0c3363aa7db48308e64c

SHA256
ca34522c16e6902a6a240fe5f86b116cc793d48aacbca96e93384b64f491f6f7

SHA512
310d292fbc0d22e6879969044b92706b3b98411502d5b993d7662326b59b99e632e81b89daa684489a2c0a3b8e139239222f1ae78336a44c9d0456afd3f27bb9

Download Submit
C:\Windows\{B7B4DCF5-ADB6-40ca-9982-BB8DC971B501}.exe

Filesize
216KB

MD5
0041093f0cb84bb37dad7ff4a69093e1

SHA1
9a5b12600566cf10a51ba19135b7736bc06b01a5

SHA256
b6c2d10c4855793a06dadaf1bed64df78035822258fecc24b1990518a22761e0

SHA512
5a4d5f4e073faabcf22d275f3f1f241be647e383225fa1c682d059f02bf3942aecf2b57c25ce8d101adccc2c818bc039f5381b15aecdf85002fc02a25176a1d6

Download Submit
C:\Windows\{C67A304B-FF2E-4687-AC5F-6B339409FB0B}.exe

Filesize
216KB

MD5
4b3b94c39406d370580f4e384748b5c4

SHA1
1fa215bae3912bf31f262b1dbb020e15e56c2f4b

SHA256
6378e0f6ba88330d5a0386fee7f17b2c74ac822f34d2d016123ad99e9dd6030b

SHA512
18bb9fd6f398518c216eaed3750975fe5417e8ed7bcb2538cab1eab3b172f9778bb5f67b7eb8b7128eb39d17aafd2eb38f8b9f9789bf1f6a33607da839023222

Download Submit
C:\Windows\{D670AB50-3150-4e74-A9F2-A5CFC8ABA922}.exe

Filesize
216KB

MD5
ea63858fb0ad758e178c68d69cc7fa05

SHA1
1c2e74e014bb83a538b3a2821da0edd9cdbcd680

SHA256
46dd38ee8185a5c4fd5ce23399b8d27f80d8b5a278f7a2d4cbe8dfbcd1b245bc

SHA512
a11cf9afd088d93c07a9b6502e49eeb83a98cb6e44ced7bf755c2cd4b92e3aa5a1bf53a452cb82b6a98bafbbfa17155d42d4600f3e9020d0ae236d601430b9aa

Download Submit
C:\Windows\{F227E652-612F-443e-8473-A75344336F6B}.exe

Filesize
216KB

MD5
0d5b90b9acd51edf772abb6ed5689377

SHA1
6e343eda03bd3f0176b1928468810c053bc5a235

SHA256
960c88868dc2b536ab0329e1d07dee5afe803a9a4674a2e59258dd41894239e6

SHA512
5828dac2288b5941e0f100820a87b62b84007d01c3fa07cdfb593752de8a33096bcabdd90abda09389f9c33f32916f1499c9066c1b759be013587fd60fc009e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads