6128e1a8cec6e72b229e3e5ef9f441c5765747d9e97bb577871c6db2294b9c80

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Size

344KB
MD5

1c6a7b50e32bef06f3e0cfe8b42d1e92
SHA1

7e8a071709f314e1005582e100d4dfd4869b3131
SHA256

6128e1a8cec6e72b229e3e5ef9f441c5765747d9e97bb577871c6db2294b9c80
SHA512

769a39e900936f6c2c4f17f0866189c7ee84f89fad68d24a01e4065bbc4a23ca63224437455c0c40fb04f9d36d6cabe653bd0a3c436a4b75298e7b9bf5310ebb
SSDEEP

3072:mEGh0oulEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001224d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012350-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014712-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5116B44E-6104-4d8c-9694-1AF9A8521F3E}	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}\stubpath = "C:\\Windows\\{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe"	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6544FDE5-024C-4bc7-BBE4-6B8D26038709}	{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6544FDE5-024C-4bc7-BBE4-6B8D26038709}\stubpath = "C:\\Windows\\{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe"	{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}	{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}\stubpath = "C:\\Windows\\{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}.exe"	{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39C4C37-494E-4de6-9A5C-736BE831D28A}	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39C4C37-494E-4de6-9A5C-736BE831D28A}\stubpath = "C:\\Windows\\{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe"	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}\stubpath = "C:\\Windows\\{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe"	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F27E65-3D6C-4151-A70D-59EC87A31865}\stubpath = "C:\\Windows\\{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe"	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BD381E-4769-4307-9F0C-ACB480A11DE2}\stubpath = "C:\\Windows\\{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe"	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}\stubpath = "C:\\Windows\\{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe"	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}\stubpath = "C:\\Windows\\{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe"	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5116B44E-6104-4d8c-9694-1AF9A8521F3E}\stubpath = "C:\\Windows\\{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe"	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}\stubpath = "C:\\Windows\\{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe"	{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99F27E65-3D6C-4151-A70D-59EC87A31865}	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87BD381E-4769-4307-9F0C-ACB480A11DE2}	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}	{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe
2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe
2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe
1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe
2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe
1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe
1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe
2496	{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe
2216	{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe
1388	{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe
1044	{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe
File created	C:\Windows\{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe
File created	C:\Windows\{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe
File created	C:\Windows\{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe
File created	C:\Windows\{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
File created	C:\Windows\{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe
File created	C:\Windows\{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe
File created	C:\Windows\{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe
File created	C:\Windows\{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe	{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe
File created	C:\Windows\{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe	{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe
File created	C:\Windows\{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}.exe	{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe
Token: SeIncBasePriorityPrivilege	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe
Token: SeIncBasePriorityPrivilege	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe
Token: SeIncBasePriorityPrivilege	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe
Token: SeIncBasePriorityPrivilege	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe
Token: SeIncBasePriorityPrivilege	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe
Token: SeIncBasePriorityPrivilege	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe
Token: SeIncBasePriorityPrivilege	2496	{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe
Token: SeIncBasePriorityPrivilege	2216	{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe
Token: SeIncBasePriorityPrivilege	1388	{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2328	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	28
PID 2612 wrote to memory of 2328	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	28
PID 2612 wrote to memory of 2328	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	28
PID 2612 wrote to memory of 2328	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	28
PID 2612 wrote to memory of 2116	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	29
PID 2612 wrote to memory of 2116	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	29
PID 2612 wrote to memory of 2116	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	29
PID 2612 wrote to memory of 2116	2612	2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe	29
PID 2328 wrote to memory of 2656	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	30
PID 2328 wrote to memory of 2656	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	30
PID 2328 wrote to memory of 2656	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	30
PID 2328 wrote to memory of 2656	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	30
PID 2328 wrote to memory of 2788	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	31
PID 2328 wrote to memory of 2788	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	31
PID 2328 wrote to memory of 2788	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	31
PID 2328 wrote to memory of 2788	2328	{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe	31
PID 2656 wrote to memory of 2452	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	32
PID 2656 wrote to memory of 2452	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	32
PID 2656 wrote to memory of 2452	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	32
PID 2656 wrote to memory of 2452	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	32
PID 2656 wrote to memory of 2960	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	33
PID 2656 wrote to memory of 2960	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	33
PID 2656 wrote to memory of 2960	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	33
PID 2656 wrote to memory of 2960	2656	{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe	33
PID 2452 wrote to memory of 1992	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	36
PID 2452 wrote to memory of 1992	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	36
PID 2452 wrote to memory of 1992	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	36
PID 2452 wrote to memory of 1992	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	36
PID 2452 wrote to memory of 952	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	37
PID 2452 wrote to memory of 952	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	37
PID 2452 wrote to memory of 952	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	37
PID 2452 wrote to memory of 952	2452	{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe	37
PID 1992 wrote to memory of 2772	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	38
PID 1992 wrote to memory of 2772	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	38
PID 1992 wrote to memory of 2772	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	38
PID 1992 wrote to memory of 2772	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	38
PID 1992 wrote to memory of 2880	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	39
PID 1992 wrote to memory of 2880	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	39
PID 1992 wrote to memory of 2880	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	39
PID 1992 wrote to memory of 2880	1992	{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe	39
PID 2772 wrote to memory of 1628	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	40
PID 2772 wrote to memory of 1628	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	40
PID 2772 wrote to memory of 1628	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	40
PID 2772 wrote to memory of 1628	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	40
PID 2772 wrote to memory of 1836	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	41
PID 2772 wrote to memory of 1836	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	41
PID 2772 wrote to memory of 1836	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	41
PID 2772 wrote to memory of 1836	2772	{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe	41
PID 1628 wrote to memory of 1556	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	42
PID 1628 wrote to memory of 1556	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	42
PID 1628 wrote to memory of 1556	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	42
PID 1628 wrote to memory of 1556	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	42
PID 1628 wrote to memory of 1904	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	43
PID 1628 wrote to memory of 1904	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	43
PID 1628 wrote to memory of 1904	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	43
PID 1628 wrote to memory of 1904	1628	{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe	43
PID 1556 wrote to memory of 2496	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	44
PID 1556 wrote to memory of 2496	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	44
PID 1556 wrote to memory of 2496	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	44
PID 1556 wrote to memory of 2496	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	44
PID 1556 wrote to memory of 1644	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	45
PID 1556 wrote to memory of 1644	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	45
PID 1556 wrote to memory of 1644	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	45
PID 1556 wrote to memory of 1644	1556	{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_1c6a7b50e32bef06f3e0cfe8b42d1e92_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe
  C:\Windows\{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe
    C:\Windows\{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe
      C:\Windows\{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe
        
        C:\Windows\{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe
        
        C:\Windows\{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe
        
        C:\Windows\{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe
        
        C:\Windows\{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe
        
        C:\Windows\{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe
        
        C:\Windows\{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe
        
        C:\Windows\{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}.exe
        
        C:\Windows\{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D84CC~1.EXE > nul
        12⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6544F~1.EXE > nul
        11⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87BD3~1.EXE > nul
        10⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99F27~1.EXE > nul
        9⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD0D9~1.EXE > nul
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{358C0~1.EXE > nul
        7⤵
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E39C4~1.EXE > nul
        6⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5116B~1.EXE > nul
        5⤵
        
        PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EF9~1.EXE > nul
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B624~1.EXE > nul
    3⤵
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{358C0333-FA9C-4ce8-B34B-BDEDD1A48EC2}.exe

Filesize
344KB

MD5
67107b875adba4fcbe159a6aba2503c4

SHA1
83dd09edaf414dbcb782e4fbf44fdadf3e7d75f6

SHA256
94d95ed865a9d7a1257cda1f926d3d433393a1a7299a5673b313437b1e07b9c5

SHA512
705bcea9184db3b11c3d37a0155edc761f2f45022fc0ec903440b8ae0a24dc469fcfb0115ea92589cc9d38c71a9cb1861965f4a695770510fb7d094d73337cea

Download Submit
C:\Windows\{5116B44E-6104-4d8c-9694-1AF9A8521F3E}.exe

Filesize
344KB

MD5
0228d7de6d762836bc1239313f0806d9

SHA1
a3e672e52c50a9c8b0337315767a328cc9ed6a65

SHA256
07bd5e6116719116f04b0ca91ededb1446a9663f6f8372bcead64324172e5817

SHA512
92b468946864131fefd044d40cefaf3cd319712949a76ac658f614022a452278207bcc016be511cc812cf7a82d2229f997ae3799ab4565097a6974623cfc514e

Download Submit
C:\Windows\{5B62443D-B2F5-4ea3-A335-E6F55CC0DB7B}.exe

Filesize
344KB

MD5
8fabd2935773c79a07b4176570b850c5

SHA1
ed77cb91a89c32d282db93de3502dc03681c7659

SHA256
cdfba638bc7c77bad4af81c2a2d05b506c57172f828413acbfcb19387d058635

SHA512
8f67f2fd6ba87072e15ba31b7f58e81b8aa1411a864063de1e14b4921d0654d95a2e2d93e4c929d04bdcae543e8507eb98347431af03b0430c20ad51a9508eee

Download Submit
C:\Windows\{6544FDE5-024C-4bc7-BBE4-6B8D26038709}.exe

Filesize
344KB

MD5
03d17bd404680858020a4f5b770ab894

SHA1
f86e76dc82e2ea3c8ac82225edebb0c9db613cbd

SHA256
7b812003dedecaec7f9c29966202903df0f79b65029a6562f6d8b5029e17ebc5

SHA512
d0a53fee0a5237e01ef58d20ff01defdaf4c39e5869fec3e5e2d049b2c1f93b4b0d1af0979ab35ecaf3d7326271af25bd1c2d46064b177da1235ce4d08725ba0

Download Submit
C:\Windows\{87BD381E-4769-4307-9F0C-ACB480A11DE2}.exe

Filesize
344KB

MD5
58b21747401f27f043bddc174534fd3b

SHA1
ff06a2f4a033c4c1344cf78f2bf811d2d4160e3c

SHA256
1b4c94ca1239489317d0ea7f42b11ce2d587b5281b8beaa8f14f1f3ea07125ad

SHA512
1485603ca82c79e95e19c35c161923ddb6411db71e4d760788aee541ca961789587c87130b00881b1fc99029fe23150475b5d93c385bbdf28c056af411794b7c

Download Submit
C:\Windows\{99F27E65-3D6C-4151-A70D-59EC87A31865}.exe

Filesize
344KB

MD5
41306cc9bd42703afbf025c72c886c71

SHA1
2bcca47763abcbd9118faaa7e88c9e84a7a9f468

SHA256
d9be05ba029a809a828d0e9fd2b1d2e3224496f155f92f149d3bf42a9d2f86cd

SHA512
a24616b9980bce243bae2c06df0fc6c1d2462d27a10d20f49b8b81bad7408182814b205ea7792424ca5d115fb92c77ebc0db4b0c0d1b37460ef554d3c1a5ba72

Download Submit
C:\Windows\{C4EF99D2-CFFA-486c-A61E-F0CE6356CF4F}.exe

Filesize
344KB

MD5
dcdd2be6baeac0279b7b201a7e78a1e3

SHA1
4ba5e48dede1073af93fd738b30b642c4f42cf43

SHA256
609bac0778bcc460976aa36159097e5f816844a995c0b0e9edb789e169fe131b

SHA512
a649371e216fe9e28297c27b3303868a24113cdcee235c590fb1328d85d1329ff43f196455221e8084b6993e00f90089bd008119dff1ed80888bbc4a19ef5fdc

Download Submit
C:\Windows\{D84CCBC7-3FD5-4a24-8C53-CC7E7BA9C4E1}.exe

Filesize
344KB

MD5
b8c62d9b7e01ff0cdec00f43c0cd369a

SHA1
ee5d6e1b6222359773ca82f043ea9bd8bf451419

SHA256
2f3b1121081370835202fa325edd6ed50abde5b9d4914b1f89716619adb91478

SHA512
5f11bfa1214ba3d43cca1b8ed5de8d440fcf8730422f328e2d8074b400a565be6520a5eb3c069b2321a4968f3fc2724fc72d3c575d19d338b843590a4b77c8cc

Download Submit
C:\Windows\{E39C4C37-494E-4de6-9A5C-736BE831D28A}.exe

Filesize
344KB

MD5
34d87f65ed890b2b7e8282d67acd7a76

SHA1
ff5e4f100866745386fa0b926682a79943d199e4

SHA256
14355bea30b808bc1464db689a71db778a04c857b15800440f189c9cbef796e6

SHA512
1751f8f83a770a6ccaecb5ea43a78ead42179c91f11fc4f89f99d858a5309999baa079bdf316d89e086ead828905670cb21c0497ff4fb21d696493758afd67f1

Download Submit
C:\Windows\{FD0D9D5F-95B9-47d2-92AE-F9F79F7192E5}.exe

Filesize
344KB

MD5
0a34d751e6c1b280bd4eae89c3becf32

SHA1
ff6bdac95f06d8849350a84386e97e0a28edb450

SHA256
845ad463df65cfc0263f9fa318ecc62951c81df307fb2ed72fa1fd35d521002c

SHA512
e70468457c989c63fe8f73dad50c66f5a981a825ade654220820788615de33b55a064739966af54757ef97e4681606de72522c943193f309bc9016115784edc9

Download Submit
C:\Windows\{FE108BA8-EB30-4c41-AA3E-6592A5D707B9}.exe

Filesize
344KB

MD5
0ddf998b814819031570a5bcfe18841c

SHA1
de41ddcdd775c2c86ad2743d84a01fb461282e82

SHA256
ee6ed5775781cf2ac4b163674cd97b8bab39514006472cf954806bf6dfc2b5b3

SHA512
b9c63693cfe3413d14fc105306cd0931cb8444bc2fe93d6af715fc8f09247b6cf80bc713d3bfab5a1ee022ad045d77a3906f9e8652789319a7846dc483fbd593

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads