61fc633fef51fec3d58228ebe2432f93d4d545f3612c55a6105588d6e563ec8f

Analysis

max time kernel
161s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe
Size

408KB
MD5

5b2c660e145f0869d1defc3fb143ed44
SHA1

bed19e675c98dddf9587cef932c5ad607c3cac96
SHA256

61fc633fef51fec3d58228ebe2432f93d4d545f3612c55a6105588d6e563ec8f
SHA512

41586e7a4f91201bca8a320086ed5af225af9a491588cd36de1d451ee7eead19bae2a031b80a2e633fa3b51b8957e7f47412ae32f6e59cd804f30043b7c0c3ac
SSDEEP

3072:CEGh0o0l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023542-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023548-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002354b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002354c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016904-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002354c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016904-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002354c-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016904-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002354c-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023532-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023547-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CAA2A03-3DEE-4179-9E11-B61541449BA5}	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8900976F-3AF2-43dc-8064-FA732C555F48}	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03C3374D-5350-4064-B524-9457EFAD49C6}	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03C3374D-5350-4064-B524-9457EFAD49C6}\stubpath = "C:\\Windows\\{03C3374D-5350-4064-B524-9457EFAD49C6}.exe"	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D760655-A56B-4493-A4E1-93834739EF8D}\stubpath = "C:\\Windows\\{5D760655-A56B-4493-A4E1-93834739EF8D}.exe"	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E243F2F7-DF45-4ad0-AA80-252B9EC04103}	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E243F2F7-DF45-4ad0-AA80-252B9EC04103}\stubpath = "C:\\Windows\\{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe"	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8900976F-3AF2-43dc-8064-FA732C555F48}\stubpath = "C:\\Windows\\{8900976F-3AF2-43dc-8064-FA732C555F48}.exe"	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B723CED-0025-4fa7-9C38-43F4876EEEEE}	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D760655-A56B-4493-A4E1-93834739EF8D}	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5E43C62-4D91-4231-A204-28E3053C162F}	{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18984DA0-7566-49ff-96C2-B0A25CE7502D}	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18984DA0-7566-49ff-96C2-B0A25CE7502D}\stubpath = "C:\\Windows\\{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe"	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B723CED-0025-4fa7-9C38-43F4876EEEEE}\stubpath = "C:\\Windows\\{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe"	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55C3DD5F-67D2-4f99-96DB-735F730B399C}\stubpath = "C:\\Windows\\{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe"	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F391A9E-C64A-40b9-A2C2-A2F59A593028}	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F391A9E-C64A-40b9-A2C2-A2F59A593028}\stubpath = "C:\\Windows\\{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe"	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5E43C62-4D91-4231-A204-28E3053C162F}\stubpath = "C:\\Windows\\{F5E43C62-4D91-4231-A204-28E3053C162F}.exe"	{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CAA2A03-3DEE-4179-9E11-B61541449BA5}\stubpath = "C:\\Windows\\{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe"	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}\stubpath = "C:\\Windows\\{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe"	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55C3DD5F-67D2-4f99-96DB-735F730B399C}	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}\stubpath = "C:\\Windows\\{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe"	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe

Executes dropped EXE 12 IoCs

pid	Process
1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe
864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe
4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe
4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe
1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe
4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe
1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe
4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe
4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe
2372	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe
404	{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe
2336	{F5E43C62-4D91-4231-A204-28E3053C162F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8900976F-3AF2-43dc-8064-FA732C555F48}.exe	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe
File created	C:\Windows\{03C3374D-5350-4064-B524-9457EFAD49C6}.exe	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe
File created	C:\Windows\{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe
File created	C:\Windows\{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe
File created	C:\Windows\{F5E43C62-4D91-4231-A204-28E3053C162F}.exe	{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe
File created	C:\Windows\{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe
File created	C:\Windows\{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe
File created	C:\Windows\{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe
File created	C:\Windows\{5D760655-A56B-4493-A4E1-93834739EF8D}.exe	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe
File created	C:\Windows\{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe
File created	C:\Windows\{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe
File created	C:\Windows\{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1688	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe
Token: SeIncBasePriorityPrivilege	864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe
Token: SeIncBasePriorityPrivilege	4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe
Token: SeIncBasePriorityPrivilege	4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe
Token: SeIncBasePriorityPrivilege	1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe
Token: SeIncBasePriorityPrivilege	4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe
Token: SeIncBasePriorityPrivilege	1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe
Token: SeIncBasePriorityPrivilege	4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe
Token: SeIncBasePriorityPrivilege	4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe
Token: SeIncBasePriorityPrivilege	2372	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe
Token: SeIncBasePriorityPrivilege	404	{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1420	1688	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe	96
PID 1688 wrote to memory of 1420	1688	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe	96
PID 1688 wrote to memory of 1420	1688	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe	96
PID 1688 wrote to memory of 920	1688	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe	97
PID 1688 wrote to memory of 920	1688	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe	97
PID 1688 wrote to memory of 920	1688	2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe	97
PID 1420 wrote to memory of 864	1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe	100
PID 1420 wrote to memory of 864	1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe	100
PID 1420 wrote to memory of 864	1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe	100
PID 1420 wrote to memory of 4852	1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe	101
PID 1420 wrote to memory of 4852	1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe	101
PID 1420 wrote to memory of 4852	1420	{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe	101
PID 864 wrote to memory of 4564	864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe	102
PID 864 wrote to memory of 4564	864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe	102
PID 864 wrote to memory of 4564	864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe	102
PID 864 wrote to memory of 1764	864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe	103
PID 864 wrote to memory of 1764	864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe	103
PID 864 wrote to memory of 1764	864	{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe	103
PID 4564 wrote to memory of 4776	4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe	106
PID 4564 wrote to memory of 4776	4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe	106
PID 4564 wrote to memory of 4776	4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe	106
PID 4564 wrote to memory of 4324	4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe	107
PID 4564 wrote to memory of 4324	4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe	107
PID 4564 wrote to memory of 4324	4564	{8900976F-3AF2-43dc-8064-FA732C555F48}.exe	107
PID 4776 wrote to memory of 1144	4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe	108
PID 4776 wrote to memory of 1144	4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe	108
PID 4776 wrote to memory of 1144	4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe	108
PID 4776 wrote to memory of 4768	4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe	109
PID 4776 wrote to memory of 4768	4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe	109
PID 4776 wrote to memory of 4768	4776	{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe	109
PID 1144 wrote to memory of 4684	1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe	110
PID 1144 wrote to memory of 4684	1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe	110
PID 1144 wrote to memory of 4684	1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe	110
PID 1144 wrote to memory of 3184	1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe	111
PID 1144 wrote to memory of 3184	1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe	111
PID 1144 wrote to memory of 3184	1144	{03C3374D-5350-4064-B524-9457EFAD49C6}.exe	111
PID 4684 wrote to memory of 1664	4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe	112
PID 4684 wrote to memory of 1664	4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe	112
PID 4684 wrote to memory of 1664	4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe	112
PID 4684 wrote to memory of 5004	4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe	113
PID 4684 wrote to memory of 5004	4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe	113
PID 4684 wrote to memory of 5004	4684	{5D760655-A56B-4493-A4E1-93834739EF8D}.exe	113
PID 1664 wrote to memory of 4852	1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe	114
PID 1664 wrote to memory of 4852	1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe	114
PID 1664 wrote to memory of 4852	1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe	114
PID 1664 wrote to memory of 4908	1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe	115
PID 1664 wrote to memory of 4908	1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe	115
PID 1664 wrote to memory of 4908	1664	{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe	115
PID 4852 wrote to memory of 4984	4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe	116
PID 4852 wrote to memory of 4984	4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe	116
PID 4852 wrote to memory of 4984	4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe	116
PID 4852 wrote to memory of 816	4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe	117
PID 4852 wrote to memory of 816	4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe	117
PID 4852 wrote to memory of 816	4852	{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe	117
PID 4984 wrote to memory of 2372	4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe	118
PID 4984 wrote to memory of 2372	4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe	118
PID 4984 wrote to memory of 2372	4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe	118
PID 4984 wrote to memory of 1764	4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe	119
PID 4984 wrote to memory of 1764	4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe	119
PID 4984 wrote to memory of 1764	4984	{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe	119
PID 2372 wrote to memory of 404	2372	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe	120
PID 2372 wrote to memory of 404	2372	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe	120
PID 2372 wrote to memory of 404	2372	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe	120
PID 2372 wrote to memory of 4500	2372	{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_5b2c660e145f0869d1defc3fb143ed44_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe
  C:\Windows\{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe
    C:\Windows\{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\{8900976F-3AF2-43dc-8064-FA732C555F48}.exe
      C:\Windows\{8900976F-3AF2-43dc-8064-FA732C555F48}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe
        
        C:\Windows\{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\{03C3374D-5350-4064-B524-9457EFAD49C6}.exe
        
        C:\Windows\{03C3374D-5350-4064-B524-9457EFAD49C6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{5D760655-A56B-4493-A4E1-93834739EF8D}.exe
        
        C:\Windows\{5D760655-A56B-4493-A4E1-93834739EF8D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe
        
        C:\Windows\{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe
        
        C:\Windows\{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe
        
        C:\Windows\{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe
        
        C:\Windows\{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe
        
        C:\Windows\{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\{F5E43C62-4D91-4231-A204-28E3053C162F}.exe
        
        C:\Windows\{F5E43C62-4D91-4231-A204-28E3053C162F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{096F3~1.EXE > nul
        13⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F391~1.EXE > nul
        12⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55C3D~1.EXE > nul
        11⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1A78~1.EXE > nul
        10⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E243F~1.EXE > nul
        9⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D760~1.EXE > nul
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03C33~1.EXE > nul
        7⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B723~1.EXE > nul
        6⤵
        
        PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89009~1.EXE > nul
        5⤵
        
        PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{18984~1.EXE > nul
      4⤵
      PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CAA2~1.EXE > nul
    3⤵
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03C3374D-5350-4064-B524-9457EFAD49C6}.exe

Filesize
408KB

MD5
cce1d7f092c87007b98d023bc8e88ada

SHA1
6b5f59fd716e6e7bf4f1331176107edd3b6f53b6

SHA256
019d27878c32b56e2c20c1858814ec8abbbdaa247a55265222168f178df17dc9

SHA512
f4a1f38ee603ade7c9cb2b2a8262631c45f07260879d142b9f26487db4f20d065564e7f173d5f03980254736bac2c5266c2ebadf88c48d994302e5e37c8e61ad

Download Submit
C:\Windows\{096F30BD-FDE6-4516-8DA9-DB9E502F1DB4}.exe

Filesize
408KB

MD5
1d1b20790d9144a3f8aced4262ccd0a3

SHA1
860b2fb71046d0f70da6e01bb0d8e3d3ddbd1681

SHA256
4c2005a0a0917edc49c1c227fa3c01fb5ed99d44a769a4a4b557fbe9f5306cb3

SHA512
c8c0ab232e42d03a68dbd677d3e6f658e7cac4b0971881b0c897ad6fecdc7da4b41ca4ca71bfee9cfe760f93ddbdccc4ceef7e43056b330ee45b46e74fd97b3c

Download Submit
C:\Windows\{18984DA0-7566-49ff-96C2-B0A25CE7502D}.exe

Filesize
408KB

MD5
9b6460d4fa7e8755d0d2ea8028c1f716

SHA1
1fb311834f68a22bb9e2d5b6374723d7ad07fcf7

SHA256
c0cad2330f58e91d13eed3a6e04310c88a6780bf7ffa4f8c1a8d4920fee31d11

SHA512
c6f02048bc15a0877ddebab9ffba41caa04780b1536ae8c06d6fe6925d8e14e1a75c167fd95eefe18a3e107edb2dcc5cca7c05aec2dab143ac2794be8593432c

Download Submit
C:\Windows\{3B723CED-0025-4fa7-9C38-43F4876EEEEE}.exe

Filesize
408KB

MD5
5335aa88a620b3bf4e95b5f539c3688f

SHA1
2bcaf0c508c62859cc413115a33192144f6dcd6a

SHA256
5d780888b88cdba4c9f9f563106076def3e80ab62694feac88d91cdbb90db8ce

SHA512
9987400277337a60fcea00e2bd7331f23751a892c0086d56009dbbd5e885b56ceba5a1a78dd74fb1cf7968f88c96dcd680082b7267ba1271a9bd95c3a044b596

Download Submit
C:\Windows\{55C3DD5F-67D2-4f99-96DB-735F730B399C}.exe

Filesize
408KB

MD5
077497551492256e9cb699cb3b3b2203

SHA1
34666765d3f2273bad538b4d79cbaf96d277ff3a

SHA256
b05c5bada0c41dfc3a4517db45a2d068dd0d50d45f1261ff8e084f2f68568dbb

SHA512
d6b1817946758dcd5138ff46a5cd773d9ff1aa7adc71ae2feae9719e90720111899761832522d17f41320b0c232ffec878cb6b1d02862fb059b1bbcf80df1136

Download Submit
C:\Windows\{5D760655-A56B-4493-A4E1-93834739EF8D}.exe

Filesize
408KB

MD5
c83f23db505c0a4c800636455d30ceba

SHA1
5b4f98b3541df83e5cc47202b17aa2f1fa4490a5

SHA256
47c878b1f0ead5f671e181ba128e850e1fa2f91a8d85c31c96ebf9a1858fde1c

SHA512
d15ba6d70c9e46a9f6a475863511b283a2e386376e7dc6f892c0f44821723452fae063afd0293e6b1fb0b0bb1d9a6a4d98f018d4e19c5a6a094c09cad90809b6

Download Submit
C:\Windows\{5F391A9E-C64A-40b9-A2C2-A2F59A593028}.exe

Filesize
408KB

MD5
7f7e8bffe9c0e56425fd4d969f85b792

SHA1
f72394cc9a724e80ced8072c6d63be04cdff2b73

SHA256
6fa864259b1b2bc71d4a74201681a3854b2c4d6d903f8047e63abbdf5251878b

SHA512
bf5c24548e42704bb26560b58c30b078db013bfcbc55e9e0e9331f0608a85aaa4459561add95b5db205ed49f44261d18c35318fb0e4fea88c7c7e9370228b0b3

Download Submit
C:\Windows\{8900976F-3AF2-43dc-8064-FA732C555F48}.exe

Filesize
408KB

MD5
ab75158a4808bf4a3d23239ff3f065a6

SHA1
c9ae2aaecba7ce686dfb8e607d15bc261db5d35a

SHA256
041e6284abb95fe66dd49f3cbf5c4e96070e71b5f91459b9033ad528e02a0ab7

SHA512
cd7d5a6dec18f5d055bdd2487c850f8444b12db3ce8a51da450a7769df547094e561ba7cee6bb5b38941f3d045485109b3e6ba0b5885507afb7818a5cf9ea08d

Download Submit
C:\Windows\{9CAA2A03-3DEE-4179-9E11-B61541449BA5}.exe

Filesize
408KB

MD5
0cbe0c7df60c29a195c262518ddb3548

SHA1
e49d25d30b40d22f7829a25423dc24bd645c5dd7

SHA256
d6987f0625431a74bde6c8ecb1a6ed752f9080f61c81ec4be41d912f948e0ca0

SHA512
21cb1aa7815c03c13906aea66c04dd2b1a53201ed327a2a01900cdd7ec2058d69f02740bcc91435969cf4e0f2395bd01c2ddee48d5d5f797d64b7d91289b9181

Download Submit
C:\Windows\{E1A78904-CDB1-4f2a-A16B-FCC066F647A3}.exe

Filesize
408KB

MD5
6d375c42d0772314ff020b1f9c690a0f

SHA1
03ecb278b4d0f6c937073f972934596a4a047050

SHA256
a80ae236098666187ad4b42b73077fa68ebe3eb7e2b392ab9ec7a5954be4a1b3

SHA512
923d92548917e049c581a66c744a05003d565629c48723adc289953884cbd3e77b033423f515c3d3aa4d75e494e649770d82ca6a4c860902ef80d513eb20572a

Download Submit
C:\Windows\{E243F2F7-DF45-4ad0-AA80-252B9EC04103}.exe

Filesize
408KB

MD5
1885511d028f1c176fa1d23c247aa169

SHA1
199b55bf29d2530fc82b3ca094e74929a751e05d

SHA256
2de1798258554940df97446e45f906c8c5460514bd78bf7f59d64723acd963cd

SHA512
c7c3271c122a782856cd41ce0b07e95108fba3ab1c45d1b4950b6495b423370ef6b51cc3a992d6ad3f7003a385d1792d88f2a639e7d16ef897e9707a833dbd7a

Download Submit
C:\Windows\{F5E43C62-4D91-4231-A204-28E3053C162F}.exe

Filesize
408KB

MD5
99bb3083862a06895967be34f553c6ce

SHA1
a03b305732c086ac51731b0544ca4f5fb6a1d3c1

SHA256
5bbd18fbe9ba239691611594f012b5990d262133540929fc99f4dee4ac4c04ad

SHA512
3b8cb70bc776f5afa297571d8a52a4bdfa4ed45be0e422c8ca9785c8e45da3e466c9049371f493db69d390cf8877309d4e583b0f7f355e84cc8f1c36e98e452b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads