89f2afabe5394d5a7aa3a5976b6459f9f1f1acddec444892ead04f63bc17e7ad

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe
Size

216KB
MD5

de66fc02df3f36298476c7a2e3ea2a77
SHA1

b94b452db64af2401856a8295bbee68965332bba
SHA256

89f2afabe5394d5a7aa3a5976b6459f9f1f1acddec444892ead04f63bc17e7ad
SHA512

a3c03ac229cdcd3a71452b592fd8993681cd4ebdb4a0c3afd784396243d45d05a9fb6c7cb1b44efe82d67c9fec27096509dfc214150460cda076e42a3bec9c6d
SSDEEP

3072:jEGh0oul+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGglEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012249-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001225c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000055a2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001225c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0023000000015c9b-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015cff-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015db7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015cff-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015db7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015cff-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015db7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}\stubpath = "C:\\Windows\\{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe"	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C9323F2-3A21-4f7c-A564-2FF132412765}	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543C100B-E18B-4e69-A009-6C215471D453}	{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{543C100B-E18B-4e69-A009-6C215471D453}\stubpath = "C:\\Windows\\{543C100B-E18B-4e69-A009-6C215471D453}.exe"	{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B476352-5793-40e0-8D75-5B09C2391E6D}\stubpath = "C:\\Windows\\{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe"	{543C100B-E18B-4e69-A009-6C215471D453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}	{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83067C9C-4F8C-49c1-8590-856FC2A03E3B}\stubpath = "C:\\Windows\\{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe"	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}\stubpath = "C:\\Windows\\{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe"	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63B9EBCE-9109-4c52-B8F2-40D55B92A138}\stubpath = "C:\\Windows\\{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe"	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C9323F2-3A21-4f7c-A564-2FF132412765}\stubpath = "C:\\Windows\\{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe"	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76690042-BB46-41fd-8240-41E249621727}\stubpath = "C:\\Windows\\{76690042-BB46-41fd-8240-41E249621727}.exe"	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B476352-5793-40e0-8D75-5B09C2391E6D}	{543C100B-E18B-4e69-A009-6C215471D453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83067C9C-4F8C-49c1-8590-856FC2A03E3B}	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76690042-BB46-41fd-8240-41E249621727}	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}\stubpath = "C:\\Windows\\{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe"	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63B9EBCE-9109-4c52-B8F2-40D55B92A138}	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48831186-AA8A-4d18-AB2B-3C365A0D97FB}	{76690042-BB46-41fd-8240-41E249621727}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48831186-AA8A-4d18-AB2B-3C365A0D97FB}\stubpath = "C:\\Windows\\{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe"	{76690042-BB46-41fd-8240-41E249621727}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}\stubpath = "C:\\Windows\\{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe"	{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}	{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}\stubpath = "C:\\Windows\\{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}.exe"	{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe
2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe
1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe
1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe
568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe
860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe
2416	{76690042-BB46-41fd-8240-41E249621727}.exe
2764	{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe
1056	{543C100B-E18B-4e69-A009-6C215471D453}.exe
2528	{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe
1280	{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe
1036	{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe	{76690042-BB46-41fd-8240-41E249621727}.exe
File created	C:\Windows\{543C100B-E18B-4e69-A009-6C215471D453}.exe	{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe
File created	C:\Windows\{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe	{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe
File created	C:\Windows\{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe
File created	C:\Windows\{76690042-BB46-41fd-8240-41E249621727}.exe	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe
File created	C:\Windows\{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe
File created	C:\Windows\{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe
File created	C:\Windows\{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe
File created	C:\Windows\{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe	{543C100B-E18B-4e69-A009-6C215471D453}.exe
File created	C:\Windows\{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}.exe	{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe
File created	C:\Windows\{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe
File created	C:\Windows\{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe
Token: SeIncBasePriorityPrivilege	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe
Token: SeIncBasePriorityPrivilege	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe
Token: SeIncBasePriorityPrivilege	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe
Token: SeIncBasePriorityPrivilege	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe
Token: SeIncBasePriorityPrivilege	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe
Token: SeIncBasePriorityPrivilege	2416	{76690042-BB46-41fd-8240-41E249621727}.exe
Token: SeIncBasePriorityPrivilege	2764	{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe
Token: SeIncBasePriorityPrivilege	1056	{543C100B-E18B-4e69-A009-6C215471D453}.exe
Token: SeIncBasePriorityPrivilege	2528	{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe
Token: SeIncBasePriorityPrivilege	1280	{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2456	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	28
PID 1936 wrote to memory of 2456	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	28
PID 1936 wrote to memory of 2456	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	28
PID 1936 wrote to memory of 2456	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	28
PID 1936 wrote to memory of 2476	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	29
PID 1936 wrote to memory of 2476	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	29
PID 1936 wrote to memory of 2476	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	29
PID 1936 wrote to memory of 2476	1936	2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe	29
PID 2456 wrote to memory of 2480	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	30
PID 2456 wrote to memory of 2480	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	30
PID 2456 wrote to memory of 2480	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	30
PID 2456 wrote to memory of 2480	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	30
PID 2456 wrote to memory of 2832	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	31
PID 2456 wrote to memory of 2832	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	31
PID 2456 wrote to memory of 2832	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	31
PID 2456 wrote to memory of 2832	2456	{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe	31
PID 2480 wrote to memory of 1076	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	34
PID 2480 wrote to memory of 1076	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	34
PID 2480 wrote to memory of 1076	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	34
PID 2480 wrote to memory of 1076	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	34
PID 2480 wrote to memory of 2920	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	35
PID 2480 wrote to memory of 2920	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	35
PID 2480 wrote to memory of 2920	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	35
PID 2480 wrote to memory of 2920	2480	{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe	35
PID 1076 wrote to memory of 1736	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	36
PID 1076 wrote to memory of 1736	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	36
PID 1076 wrote to memory of 1736	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	36
PID 1076 wrote to memory of 1736	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	36
PID 1076 wrote to memory of 472	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	37
PID 1076 wrote to memory of 472	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	37
PID 1076 wrote to memory of 472	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	37
PID 1076 wrote to memory of 472	1076	{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe	37
PID 1736 wrote to memory of 568	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	38
PID 1736 wrote to memory of 568	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	38
PID 1736 wrote to memory of 568	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	38
PID 1736 wrote to memory of 568	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	38
PID 1736 wrote to memory of 2736	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	39
PID 1736 wrote to memory of 2736	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	39
PID 1736 wrote to memory of 2736	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	39
PID 1736 wrote to memory of 2736	1736	{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe	39
PID 568 wrote to memory of 860	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	40
PID 568 wrote to memory of 860	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	40
PID 568 wrote to memory of 860	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	40
PID 568 wrote to memory of 860	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	40
PID 568 wrote to memory of 2892	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	41
PID 568 wrote to memory of 2892	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	41
PID 568 wrote to memory of 2892	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	41
PID 568 wrote to memory of 2892	568	{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe	41
PID 860 wrote to memory of 2416	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	42
PID 860 wrote to memory of 2416	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	42
PID 860 wrote to memory of 2416	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	42
PID 860 wrote to memory of 2416	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	42
PID 860 wrote to memory of 2640	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	43
PID 860 wrote to memory of 2640	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	43
PID 860 wrote to memory of 2640	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	43
PID 860 wrote to memory of 2640	860	{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe	43
PID 2416 wrote to memory of 2764	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	44
PID 2416 wrote to memory of 2764	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	44
PID 2416 wrote to memory of 2764	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	44
PID 2416 wrote to memory of 2764	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	44
PID 2416 wrote to memory of 1000	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	45
PID 2416 wrote to memory of 1000	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	45
PID 2416 wrote to memory of 1000	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	45
PID 2416 wrote to memory of 1000	2416	{76690042-BB46-41fd-8240-41E249621727}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_de66fc02df3f36298476c7a2e3ea2a77_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe
  C:\Windows\{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe
    C:\Windows\{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe
      C:\Windows\{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe
        
        C:\Windows\{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe
        
        C:\Windows\{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe
        
        C:\Windows\{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\{76690042-BB46-41fd-8240-41E249621727}.exe
        
        C:\Windows\{76690042-BB46-41fd-8240-41E249621727}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe
        
        C:\Windows\{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{543C100B-E18B-4e69-A009-6C215471D453}.exe
        
        C:\Windows\{543C100B-E18B-4e69-A009-6C215471D453}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe
        
        C:\Windows\{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe
        
        C:\Windows\{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}.exe
        
        C:\Windows\{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}.exe
        13⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAFA~1.EXE > nul
        13⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B476~1.EXE > nul
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{543C1~1.EXE > nul
        11⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48831~1.EXE > nul
        10⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76690~1.EXE > nul
        9⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C932~1.EXE > nul
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63B9E~1.EXE > nul
        7⤵
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F19B3~1.EXE > nul
        6⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC38A~1.EXE > nul
        5⤵
        
        PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55D92~1.EXE > nul
      4⤵
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83067~1.EXE > nul
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{48831186-AA8A-4d18-AB2B-3C365A0D97FB}.exe

Filesize
216KB

MD5
d3cefaae7b401d3f9d8f975b3cb05741

SHA1
108b98ce8744a1265635c6faf72facca982838db

SHA256
90203b087496bf30575e08c64dcf5752cd582c0438d0a5f4ad7d99f1029f65b1

SHA512
e588824e7462fc8aafefc51f62241a85857a34db49ab2c3cfd16ed7b52b8e6d51179b098bc7580f62eca5d3d21eb6df51707b0c5da30087802c0553632f4a2f2

Download Submit
C:\Windows\{543C100B-E18B-4e69-A009-6C215471D453}.exe

Filesize
216KB

MD5
459e3011ed891d8c825e8ac730b78ee0

SHA1
2e97d8d27b19c2b11eac4a3ccfedd7343c78167b

SHA256
6b4bf819625ebab3799f6abc4670a5934c2ae06f07e2a9f6cf54765502a300cb

SHA512
eef5e4156f61a2d6b549daa1abcfd975e00cb25197337e9929be4af87a968e763c5fc31094e581238781a161ba826771df178e5c066f15cd213cf05340e860d7

Download Submit
C:\Windows\{55D92112-9C14-4ccb-8518-D6C4DD4B95A0}.exe

Filesize
216KB

MD5
7fcc56c9c541c6810d8630d0d888a003

SHA1
395747616c40d5f3d541003273118ccf8f7d8037

SHA256
cbe50d92f479484b0eea4023a107f8ad253e8fedeb09b677bffaa580ee66d283

SHA512
ab143722aa3389c9f38dacd348c70caf9651176fb2f8d3d98f127b31535325185db60eb0a00b9e98df4ad4b600f68023c53e2fc5dbcb1fc31e741a345120b2cc

Download Submit
C:\Windows\{63B9EBCE-9109-4c52-B8F2-40D55B92A138}.exe

Filesize
216KB

MD5
15936d78f8c1fc2d80d447d4601c0c87

SHA1
322a0315d548b26eea05ac8558474836b4477707

SHA256
9ac560b6ffcd8892e690090e60f0a64bb3362e121c85d322f15039452c501205

SHA512
55617b27392e492f05fc84947fe2c603711742cd214d281daca5b15607041ea94f6a38f8cde06bfcffb20f1a7fc63023485b0321aa6e08c79ab822594a449f19

Download Submit
C:\Windows\{76690042-BB46-41fd-8240-41E249621727}.exe

Filesize
216KB

MD5
f89d9470f99d5ff95e6feecbea5aaf82

SHA1
3b8e2122e792c63826dcf5f6126067ef81ff256d

SHA256
887e6c6b5d76a564c589042e310ef1da34068a982cb481f5779e3038e48a7805

SHA512
025c4e0e71da81add33afb0a0c4fbfcbfd9f3097e766cde5eda34a5ffdc38999b62235c732e42bc4a883b461a9d94da36ba9e4d71aec59ff56aeb24175463df8

Download Submit
C:\Windows\{7C9323F2-3A21-4f7c-A564-2FF132412765}.exe

Filesize
216KB

MD5
bae79d8bc360fa8e41a94fea0e1e13e3

SHA1
eb169810eab109e54e131a2cb4576c0e12e71f0c

SHA256
9bcc8c88f6c1c11564338f4306d4a6052c301fcf1125381f069dd0886f995761

SHA512
9b54740ab975d6392c1075097924a5f5e1fae1ab316400fbcee38de91237e1e173069b4da402ee4ccea7a619ed69d61c9b7017b41307f980c62fdcda3c8e1186

Download Submit
C:\Windows\{83067C9C-4F8C-49c1-8590-856FC2A03E3B}.exe

Filesize
216KB

MD5
71673067585bb65c0d7a81e959c32039

SHA1
1d1151a1711a2ff53993f41b699c46a36a7c8f18

SHA256
5d8e5ac05bf67fee016a4c3d217911ef3960c50da0a5cfe4ffc1121eaefb8e89

SHA512
7c6818b2b3b3b8b2dab57adb9128e2f11667780e988ed84669e7edc94ce33ef522746fba2ad02d2c51b2c600ebf9fd199d215ac5ae0b2ebc368a874d237f4dc5

Download Submit
C:\Windows\{9B476352-5793-40e0-8D75-5B09C2391E6D}.exe

Filesize
216KB

MD5
90018053525a7ad928ed28baa7755b91

SHA1
a7201e7d145e211cf0543677316960f406a7e389

SHA256
8a6af924028669560bafe1d7854fc854d7274580215057c4116fe8ac5eb3e790

SHA512
9701ab340431ce54fa9007bd53955c5f63a87e7dabcdd0c30abbc1238ae53bb2ab30e19dc31f8bd7c02ff498cd3c658115d4b54dd121cad65db5051cebf336e0

Download Submit
C:\Windows\{A6154C3F-0A61-42eb-9315-B2F0ACCB6D56}.exe

Filesize
216KB

MD5
390caa998aa79f00b2d8bb4921d2c347

SHA1
40f68938c334ed11f73d302b0642774a5e17fe74

SHA256
74cc6c5548f57d6126fc4cdbe84cefc14cc9bda7973b4c1c1ce3fcc93f00cf24

SHA512
a94521d3ca33e7a6ca0a53823e25bd597d69e4817127db289299ab02b05c55ac58a1f8e5d1c0bede83e45be87f95de05443c41421269c102548588067483eccc

Download Submit
C:\Windows\{CC38A7F3-C523-4057-BA3D-0CC0957DF61E}.exe

Filesize
216KB

MD5
8ba4a6c40caff748041ebb664999b662

SHA1
1036ecd8672b81d1f643ffa06beffc0ee2dca115

SHA256
fcfd9761b4f3f78f6b40d1a3e2462afe1276c58208fdadb5c2c96cec92dcec12

SHA512
2a218c1e0e4790830ce48120d249d65dbbe6fde7e4a7569b27e88fbf8d12ec9329b8c56b3bed582ad3e89f0a5ed5a177c2c6ed277d4cb9ab912d3db117df2a43

Download Submit
C:\Windows\{CFAFA313-00C9-4ce5-9217-D89B7E07DDE8}.exe

Filesize
216KB

MD5
97a3eeb28843226a8688dcedb122f1b9

SHA1
25e9c4bd5a6e7828b41d50f3e00a40b7e73c54f8

SHA256
13275a113438cf18dc9f830300f7a0bf6e67e4592bfbfa8f50a0393683a15916

SHA512
2228b492ca1572d6620c3d7c30b5dad9b78dd95d1316c37421471252b3382e5b83042cdb05147fff85c4da032e232815a6702164775cdddc1042d4b6b14e6ade

Download Submit
C:\Windows\{F19B34FF-A7FD-41de-B597-88ECC5FCAB98}.exe

Filesize
216KB

MD5
2a4ef217e4126498eb720ce98f270630

SHA1
cc7a7231e57ccfed0da82ce2ad5f721bd9b5ef0c

SHA256
32401f56a771bc936b0e39d335da44e2ed1f02bf7d7502ae316f05ea5881309c

SHA512
0232c625b9dec8c9f5f7eb4b4540113333c8d84c23dce9fb72c0022b49b0e42e03caceb469f4fcb2dd4253cf308f49d6fda388c92b94fbe80a62e161355d55d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads