e0e968c14df2c1fdd1d302a3ab8d8eaf0aa7f455d9b4d6232f42c290fb7d2d90

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe
Size

180KB
MD5

8485200d00b7460dd408609417253c09
SHA1

5f512bd0f425642d3a29c171f1c15726c5ca2f8f
SHA256

e0e968c14df2c1fdd1d302a3ab8d8eaf0aa7f455d9b4d6232f42c290fb7d2d90
SHA512

971cb6370184a75a2a217d86fc5d8bdf809c88f5d2a19aef1e9dd6a386b1047b9edbf67275069713b1e5f9b41d890381965d5c44ee4c0b49fa174002509db3d3
SSDEEP

3072:jEGh0oclfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGul5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002340c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fc-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023414-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e74c-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023414-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e74c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023414-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e74c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023414-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e74c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023411-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e74c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3772839-DDDE-4200-908C-4610D07C8DA4}	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93400A33-DAB4-408d-8C24-1A7D6D2446CA}	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93400A33-DAB4-408d-8C24-1A7D6D2446CA}\stubpath = "C:\\Windows\\{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe"	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3440A6E5-ED67-40bb-A0E2-436629971021}\stubpath = "C:\\Windows\\{3440A6E5-ED67-40bb-A0E2-436629971021}.exe"	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{227123DB-2A17-4c03-8791-94768A75A198}	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{227123DB-2A17-4c03-8791-94768A75A198}\stubpath = "C:\\Windows\\{227123DB-2A17-4c03-8791-94768A75A198}.exe"	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7D9C8BE-8B41-45d4-A474-3C3059D91380}\stubpath = "C:\\Windows\\{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe"	{227123DB-2A17-4c03-8791-94768A75A198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{492A07F2-7416-4e78-B3B6-B82C9D407668}	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}\stubpath = "C:\\Windows\\{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe"	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}\stubpath = "C:\\Windows\\{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe"	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7D9C8BE-8B41-45d4-A474-3C3059D91380}	{227123DB-2A17-4c03-8791-94768A75A198}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}\stubpath = "C:\\Windows\\{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe"	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85BFEC9-DD29-4eb9-988E-D45362914E5E}	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85BFEC9-DD29-4eb9-988E-D45362914E5E}\stubpath = "C:\\Windows\\{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe"	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}\stubpath = "C:\\Windows\\{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe"	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3440A6E5-ED67-40bb-A0E2-436629971021}	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3772839-DDDE-4200-908C-4610D07C8DA4}\stubpath = "C:\\Windows\\{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe"	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD621537-876A-4193-AC3B-C6DDAC21F930}\stubpath = "C:\\Windows\\{CD621537-876A-4193-AC3B-C6DDAC21F930}.exe"	{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{492A07F2-7416-4e78-B3B6-B82C9D407668}\stubpath = "C:\\Windows\\{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe"	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD621537-876A-4193-AC3B-C6DDAC21F930}	{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe

Executes dropped EXE 12 IoCs

pid	Process
1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe
4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe
984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe
2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe
2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe
3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe
4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe
2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe
4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe
900	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe
2964	{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe
996	{CD621537-876A-4193-AC3B-C6DDAC21F930}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe
File created	C:\Windows\{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe
File created	C:\Windows\{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe
File created	C:\Windows\{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe
File created	C:\Windows\{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe
File created	C:\Windows\{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe
File created	C:\Windows\{CD621537-876A-4193-AC3B-C6DDAC21F930}.exe	{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe
File created	C:\Windows\{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe
File created	C:\Windows\{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe
File created	C:\Windows\{3440A6E5-ED67-40bb-A0E2-436629971021}.exe	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe
File created	C:\Windows\{227123DB-2A17-4c03-8791-94768A75A198}.exe	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe
File created	C:\Windows\{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe	{227123DB-2A17-4c03-8791-94768A75A198}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1952	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe
Token: SeIncBasePriorityPrivilege	4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe
Token: SeIncBasePriorityPrivilege	984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe
Token: SeIncBasePriorityPrivilege	2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe
Token: SeIncBasePriorityPrivilege	2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe
Token: SeIncBasePriorityPrivilege	3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe
Token: SeIncBasePriorityPrivilege	4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe
Token: SeIncBasePriorityPrivilege	2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe
Token: SeIncBasePriorityPrivilege	4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe
Token: SeIncBasePriorityPrivilege	900	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe
Token: SeIncBasePriorityPrivilege	2964	{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1544	1952	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe	88
PID 1952 wrote to memory of 1544	1952	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe	88
PID 1952 wrote to memory of 1544	1952	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe	88
PID 1952 wrote to memory of 3552	1952	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe	89
PID 1952 wrote to memory of 3552	1952	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe	89
PID 1952 wrote to memory of 3552	1952	2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe	89
PID 1544 wrote to memory of 4856	1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe	90
PID 1544 wrote to memory of 4856	1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe	90
PID 1544 wrote to memory of 4856	1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe	90
PID 1544 wrote to memory of 3732	1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe	91
PID 1544 wrote to memory of 3732	1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe	91
PID 1544 wrote to memory of 3732	1544	{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe	91
PID 4856 wrote to memory of 984	4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe	94
PID 4856 wrote to memory of 984	4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe	94
PID 4856 wrote to memory of 984	4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe	94
PID 4856 wrote to memory of 2164	4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe	95
PID 4856 wrote to memory of 2164	4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe	95
PID 4856 wrote to memory of 2164	4856	{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe	95
PID 984 wrote to memory of 2128	984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe	97
PID 984 wrote to memory of 2128	984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe	97
PID 984 wrote to memory of 2128	984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe	97
PID 984 wrote to memory of 3704	984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe	98
PID 984 wrote to memory of 3704	984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe	98
PID 984 wrote to memory of 3704	984	{3440A6E5-ED67-40bb-A0E2-436629971021}.exe	98
PID 2128 wrote to memory of 2204	2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe	99
PID 2128 wrote to memory of 2204	2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe	99
PID 2128 wrote to memory of 2204	2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe	99
PID 2128 wrote to memory of 4784	2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe	100
PID 2128 wrote to memory of 4784	2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe	100
PID 2128 wrote to memory of 4784	2128	{227123DB-2A17-4c03-8791-94768A75A198}.exe	100
PID 2204 wrote to memory of 3232	2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe	101
PID 2204 wrote to memory of 3232	2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe	101
PID 2204 wrote to memory of 3232	2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe	101
PID 2204 wrote to memory of 2200	2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe	102
PID 2204 wrote to memory of 2200	2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe	102
PID 2204 wrote to memory of 2200	2204	{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe	102
PID 3232 wrote to memory of 4964	3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe	103
PID 3232 wrote to memory of 4964	3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe	103
PID 3232 wrote to memory of 4964	3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe	103
PID 3232 wrote to memory of 2376	3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe	104
PID 3232 wrote to memory of 2376	3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe	104
PID 3232 wrote to memory of 2376	3232	{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe	104
PID 4964 wrote to memory of 2132	4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe	105
PID 4964 wrote to memory of 2132	4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe	105
PID 4964 wrote to memory of 2132	4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe	105
PID 4964 wrote to memory of 3956	4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe	106
PID 4964 wrote to memory of 3956	4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe	106
PID 4964 wrote to memory of 3956	4964	{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe	106
PID 2132 wrote to memory of 4484	2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe	107
PID 2132 wrote to memory of 4484	2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe	107
PID 2132 wrote to memory of 4484	2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe	107
PID 2132 wrote to memory of 4308	2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe	108
PID 2132 wrote to memory of 4308	2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe	108
PID 2132 wrote to memory of 4308	2132	{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe	108
PID 4484 wrote to memory of 900	4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe	109
PID 4484 wrote to memory of 900	4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe	109
PID 4484 wrote to memory of 900	4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe	109
PID 4484 wrote to memory of 4340	4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe	110
PID 4484 wrote to memory of 4340	4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe	110
PID 4484 wrote to memory of 4340	4484	{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe	110
PID 900 wrote to memory of 2964	900	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe	111
PID 900 wrote to memory of 2964	900	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe	111
PID 900 wrote to memory of 2964	900	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe	111
PID 900 wrote to memory of 1420	900	{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_8485200d00b7460dd408609417253c09_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe
  C:\Windows\{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe
    C:\Windows\{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\{3440A6E5-ED67-40bb-A0E2-436629971021}.exe
      C:\Windows\{3440A6E5-ED67-40bb-A0E2-436629971021}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\{227123DB-2A17-4c03-8791-94768A75A198}.exe
        
        C:\Windows\{227123DB-2A17-4c03-8791-94768A75A198}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe
        
        C:\Windows\{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe
        
        C:\Windows\{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe
        
        C:\Windows\{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe
        
        C:\Windows\{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe
        
        C:\Windows\{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe
        
        C:\Windows\{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe
        
        C:\Windows\{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\{CD621537-876A-4193-AC3B-C6DDAC21F930}.exe
        
        C:\Windows\{CD621537-876A-4193-AC3B-C6DDAC21F930}.exe
        13⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D101A~1.EXE > nul
        13⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D1F2~1.EXE > nul
        12⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{492A0~1.EXE > nul
        11⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3772~1.EXE > nul
        10⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E85BF~1.EXE > nul
        9⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E4A0~1.EXE > nul
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7D9C~1.EXE > nul
        7⤵
        
        PID:2200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22712~1.EXE > nul
        6⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3440A~1.EXE > nul
        5⤵
        
        PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DE90B~1.EXE > nul
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{93400~1.EXE > nul
    3⤵
    PID:3732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{227123DB-2A17-4c03-8791-94768A75A198}.exe

Filesize
180KB

MD5
75ac64dc0d45d73120f82d0db36c81df

SHA1
b141405484a484731e052e0111de32ec0538d0e4

SHA256
1b05e324573905aae02a858250df02b61db45702f2da1b74ed309150b54c6394

SHA512
0ffcb4562a2702129bb3ff8a9c3bc9d13ac6a3189f06c023f6d0038054ef983e1ffa8f00f98ba1d6e137e35607a03e14d55d1e941e35fb2943839cc1de5a1c9b

Download Submit
C:\Windows\{3440A6E5-ED67-40bb-A0E2-436629971021}.exe

Filesize
180KB

MD5
0387637de23a886bc90345ebf5766d9a

SHA1
0847331bf2224e5c3c2166bc397d146f505883f5

SHA256
332bafe59698c591fb73ee517b899b550258ba72fc920ad4e6bea998bbffec24

SHA512
989a6783dc568de62521a1ec30bdc4132e8814ba8fbbaee76e83059dde0da67cf60ce38fe55aaf33e0172242456740fb462771dc750346c8651c35617540055a

Download Submit
C:\Windows\{492A07F2-7416-4e78-B3B6-B82C9D407668}.exe

Filesize
180KB

MD5
3794a6dcffd83acb1ac5f426c5e4ac2d

SHA1
39b7fe33bf9b6b3cfa39d5d7dd204bb62aaeb2b5

SHA256
2385c2a7f7b897287fd0760a04633affd775b381403562d24d37b0375e2b08db

SHA512
2a59464ef93e9235f0f21e885f8d5cbbda779836d8b51e54839b243ccf1e19bbef4f7cd850c855d059bef8716b1e0e2c6ad71431967e3f4ae31c8f30a6d6adc6

Download Submit
C:\Windows\{7E4A0693-1858-4f7f-BF25-2D95E92E64C7}.exe

Filesize
180KB

MD5
dcce52ee1fd2faac30902c02caa84946

SHA1
50097e3fdbc8f46a31abd5a98ac7cac3722547ad

SHA256
e246666581d7ce0a6f01a7793e73c9f95d8d0d2f5e456ee01edb858b5ddd30ca

SHA512
1a60f0f3091dca7a06e5993abba66337c27abfa5367342d176b8b3126ee613dccfe52e015673e2f2fb0fe76141d6e07c905f2738198a0c3201923bf2724348c6

Download Submit
C:\Windows\{8D1F2BBE-3BFE-4a65-8D4B-A34CA26220DD}.exe

Filesize
180KB

MD5
b0f8c45145c5afb8fb296830bc3ee7d9

SHA1
2ce5678837e67c6084df9dbf1c2d8661fed8fc31

SHA256
f95a3cc1061ccca36946e84540888485d1d2541d29c3855434dec527d25f4e61

SHA512
e25001920431866040cd354e6dabd67133c3b5568835af9d05f09796d2c9b523d1b8e569a794b1ce3f1229c58fe09ea7f90ed6dd772a203e5565cd63bed18bbd

Download Submit
C:\Windows\{93400A33-DAB4-408d-8C24-1A7D6D2446CA}.exe

Filesize
180KB

MD5
3f39982179c2ebe3396925a5b7dbd508

SHA1
6ce87d74e50969c52ada85527bd0417a690a28c9

SHA256
b98e97883ae49edc05711c9d9a8be55bb36a2f348c1fe55a09d03f352bde1816

SHA512
b5b21e5d21b65eace3db01af02d03f40b1ed301f30df3ba388e246e204e935eafd1a9ef40b74faa3b90793ea1e8aa2d21d61830e4dd616f30ce1219220bbc99b

Download Submit
C:\Windows\{A7D9C8BE-8B41-45d4-A474-3C3059D91380}.exe

Filesize
180KB

MD5
503436e55952c9c6425aa3f238e96888

SHA1
34b7a43ef54f833bca4333e071f03ac43e64b561

SHA256
4b5ef08c08aca5d70b047cf4e25ca48f216e395cfb80e2db7e2427cb90a4806a

SHA512
271cfc07bd90c43cf87b9b8fadc084b1b891fdac5e707bdb08ae6c0ab61da1870554fdae864298d39cc0ba8054fcd232fe51db6433179a40f3035ebb211036d9

Download Submit
C:\Windows\{CD621537-876A-4193-AC3B-C6DDAC21F930}.exe

Filesize
180KB

MD5
eebca10f8c73cd818898e9667175b1cc

SHA1
c4d1622535d19372fc078cc97b9dbf46ada2bc60

SHA256
5cb6841c7bb3c093c8e81b868cd560ecf8101a5b9c4e104debd2e412b458c11d

SHA512
477c9caf1b917e151962c35494ec5bb9d2567f9e6fdb269ffd184bc0ebd9f1ec2271b6bfa3f8dc0513926a6b6c2d56bef345a667b8adec61069d4392e1c2911e

Download Submit
C:\Windows\{D101AD0F-F5B9-4623-81C7-7EEFEE9D39A8}.exe

Filesize
180KB

MD5
ddc552cc6b3082fcb69c5d752ee86ead

SHA1
28b62f32e074f35eccbba006198e9809731ca006

SHA256
553d9c54b01ab0f955412f0586fce1b06018285a16fe62a07af38d788e169caf

SHA512
37c094d4eda93c84dd13d4a6120bd8a11764fecd167be9ef86308b1c60a661c67d43244668765bf7bb4a405c02d1511b29f72782f6a456c65483cd80fa63e888

Download Submit
C:\Windows\{D3772839-DDDE-4200-908C-4610D07C8DA4}.exe

Filesize
180KB

MD5
ac24cc2848ec6baa373e3023553722e9

SHA1
20c6c42ffab485635fc828969769beddb3c723a1

SHA256
7baa5b9f0f98de34bf2854be3d0f9c4102b5a4c95273d7bc1703ac8e484aa1c6

SHA512
4998a860726d65405fd043d2f3691a57f4cf3e99a920f62c07291a382a7e54a3f202fe6dcbdfc888b9e8489ca1f2193eef3f518e66cc6a78bcde607c00aa1d9c

Download Submit
C:\Windows\{DE90BA43-AAD2-4422-ADCC-BCC22AC0C914}.exe

Filesize
180KB

MD5
ac9d0b32613dd6a91e9c440d72570998

SHA1
a1f817dcc5592f52a307e93d36a08803b14e1caa

SHA256
9e5bc7629ed78c6aa99d42c9413859823e0d23a2245880013b0bebc4498419cb

SHA512
6042c98b99d003b384110592bacd1e6b21ddcb99f056e5ca847a91a6d4997a197b71d3442c456cbbcdba7de8e66db11c6ae59669fe7549b849dace1f9adc5cff

Download Submit
C:\Windows\{E85BFEC9-DD29-4eb9-988E-D45362914E5E}.exe

Filesize
180KB

MD5
278511b9d81199c3ca91999485b434f4

SHA1
112ed2a14a5ccf054898a462d5043935daf7c562

SHA256
236d21165d09ef48096ccd2486c940a689461b58b6e8ac06a01b93bd0c531d18

SHA512
c074b1daab06459abf8d69ac4406d31da33c31c8fa96c8231e01329fd7442422911d79f2adeaac863f573a4b82bf51a2a2a0c37070b23c5d3d66bab3c249525b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads