b32a9b67def538a9d9a0f0247ef7f13134dec2c0562f2c22c02f74250f2eff57

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Size

204KB
MD5

e2aaca778584f5ccd074603952fa003d
SHA1

079fb5d2e0c7a30718c617036563b23d9349a321
SHA256

b32a9b67def538a9d9a0f0247ef7f13134dec2c0562f2c22c02f74250f2eff57
SHA512

3ecc92c27aec86edf60d4c83533bd6e779c6114b008f95dbb458514c5fe470d787afed2102cd3e934ad30689524229a5d06110fe1f9c84836bcb0c3128d6ad07
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0osl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023348-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233f0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023403-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023408-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234f6-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234fb-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023503-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001dadb-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db58-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001dadb-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db60-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1DFF43E-B147-4cb2-804E-26009F7D21CD}	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{698623B2-3A42-460b-B34C-B9D9A3A439E6}	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}	{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}\stubpath = "C:\\Windows\\{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}.exe"	{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABE9AB7-1C37-48c9-B99B-6672758040BE}	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2E530BB-416F-42dc-BED0-608149F2C673}\stubpath = "C:\\Windows\\{C2E530BB-416F-42dc-BED0-608149F2C673}.exe"	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{127D5DB1-BBE5-41d5-9B61-882647885F75}\stubpath = "C:\\Windows\\{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe"	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C8C202-2863-4837-B5D0-BFEE99810247}	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}\stubpath = "C:\\Windows\\{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe"	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABE9AB7-1C37-48c9-B99B-6672758040BE}\stubpath = "C:\\Windows\\{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe"	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}\stubpath = "C:\\Windows\\{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe"	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{127D5DB1-BBE5-41d5-9B61-882647885F75}	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDF2498E-4ADD-466c-9726-C06C71D856A5}	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{698623B2-3A42-460b-B34C-B9D9A3A439E6}\stubpath = "C:\\Windows\\{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe"	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D78D845A-9413-430d-A478-16CFF4E7BCBE}	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2E530BB-416F-42dc-BED0-608149F2C673}	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C8C202-2863-4837-B5D0-BFEE99810247}\stubpath = "C:\\Windows\\{35C8C202-2863-4837-B5D0-BFEE99810247}.exe"	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F21E148-FAB5-4ef9-B86E-322B25ACC425}\stubpath = "C:\\Windows\\{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe"	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D78D845A-9413-430d-A478-16CFF4E7BCBE}\stubpath = "C:\\Windows\\{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe"	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1DFF43E-B147-4cb2-804E-26009F7D21CD}\stubpath = "C:\\Windows\\{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe"	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDF2498E-4ADD-466c-9726-C06C71D856A5}\stubpath = "C:\\Windows\\{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe"	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F21E148-FAB5-4ef9-B86E-322B25ACC425}	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe
2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe
2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe
1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe
2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe
3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe
2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe
4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe
2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe
368	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe
1100	{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe
3420	{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe
File created	C:\Windows\{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
File created	C:\Windows\{C2E530BB-416F-42dc-BED0-608149F2C673}.exe	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe
File created	C:\Windows\{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe
File created	C:\Windows\{35C8C202-2863-4837-B5D0-BFEE99810247}.exe	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe
File created	C:\Windows\{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe
File created	C:\Windows\{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe
File created	C:\Windows\{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe
File created	C:\Windows\{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}.exe	{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe
File created	C:\Windows\{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe
File created	C:\Windows\{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe
File created	C:\Windows\{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4724	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe
Token: SeIncBasePriorityPrivilege	2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe
Token: SeIncBasePriorityPrivilege	2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe
Token: SeIncBasePriorityPrivilege	1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe
Token: SeIncBasePriorityPrivilege	2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe
Token: SeIncBasePriorityPrivilege	3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe
Token: SeIncBasePriorityPrivilege	2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe
Token: SeIncBasePriorityPrivilege	4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe
Token: SeIncBasePriorityPrivilege	2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe
Token: SeIncBasePriorityPrivilege	368	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe
Token: SeIncBasePriorityPrivilege	1100	{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1412	4724	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	94
PID 4724 wrote to memory of 1412	4724	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	94
PID 4724 wrote to memory of 1412	4724	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	94
PID 4724 wrote to memory of 1240	4724	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	95
PID 4724 wrote to memory of 1240	4724	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	95
PID 4724 wrote to memory of 1240	4724	2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe	95
PID 1412 wrote to memory of 2488	1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe	98
PID 1412 wrote to memory of 2488	1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe	98
PID 1412 wrote to memory of 2488	1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe	98
PID 1412 wrote to memory of 5096	1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe	99
PID 1412 wrote to memory of 5096	1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe	99
PID 1412 wrote to memory of 5096	1412	{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe	99
PID 2488 wrote to memory of 2104	2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe	102
PID 2488 wrote to memory of 2104	2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe	102
PID 2488 wrote to memory of 2104	2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe	102
PID 2488 wrote to memory of 4164	2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe	103
PID 2488 wrote to memory of 4164	2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe	103
PID 2488 wrote to memory of 4164	2488	{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe	103
PID 2104 wrote to memory of 1532	2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe	105
PID 2104 wrote to memory of 1532	2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe	105
PID 2104 wrote to memory of 1532	2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe	105
PID 2104 wrote to memory of 1236	2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe	106
PID 2104 wrote to memory of 1236	2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe	106
PID 2104 wrote to memory of 1236	2104	{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe	106
PID 1532 wrote to memory of 2192	1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe	108
PID 1532 wrote to memory of 2192	1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe	108
PID 1532 wrote to memory of 2192	1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe	108
PID 1532 wrote to memory of 4064	1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe	109
PID 1532 wrote to memory of 4064	1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe	109
PID 1532 wrote to memory of 4064	1532	{C2E530BB-416F-42dc-BED0-608149F2C673}.exe	109
PID 2192 wrote to memory of 3040	2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe	114
PID 2192 wrote to memory of 3040	2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe	114
PID 2192 wrote to memory of 3040	2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe	114
PID 2192 wrote to memory of 1208	2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe	115
PID 2192 wrote to memory of 1208	2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe	115
PID 2192 wrote to memory of 1208	2192	{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe	115
PID 3040 wrote to memory of 2076	3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe	116
PID 3040 wrote to memory of 2076	3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe	116
PID 3040 wrote to memory of 2076	3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe	116
PID 3040 wrote to memory of 2496	3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe	117
PID 3040 wrote to memory of 2496	3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe	117
PID 3040 wrote to memory of 2496	3040	{35C8C202-2863-4837-B5D0-BFEE99810247}.exe	117
PID 2076 wrote to memory of 4992	2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe	120
PID 2076 wrote to memory of 4992	2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe	120
PID 2076 wrote to memory of 4992	2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe	120
PID 2076 wrote to memory of 640	2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe	121
PID 2076 wrote to memory of 640	2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe	121
PID 2076 wrote to memory of 640	2076	{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe	121
PID 4992 wrote to memory of 2716	4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe	125
PID 4992 wrote to memory of 2716	4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe	125
PID 4992 wrote to memory of 2716	4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe	125
PID 4992 wrote to memory of 4484	4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe	126
PID 4992 wrote to memory of 4484	4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe	126
PID 4992 wrote to memory of 4484	4992	{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe	126
PID 2716 wrote to memory of 368	2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe	127
PID 2716 wrote to memory of 368	2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe	127
PID 2716 wrote to memory of 368	2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe	127
PID 2716 wrote to memory of 3328	2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe	128
PID 2716 wrote to memory of 3328	2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe	128
PID 2716 wrote to memory of 3328	2716	{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe	128
PID 368 wrote to memory of 1100	368	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe	129
PID 368 wrote to memory of 1100	368	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe	129
PID 368 wrote to memory of 1100	368	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe	129
PID 368 wrote to memory of 4936	368	{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_e2aaca778584f5ccd074603952fa003d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe
  C:\Windows\{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe
    C:\Windows\{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe
      C:\Windows\{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\{C2E530BB-416F-42dc-BED0-608149F2C673}.exe
        
        C:\Windows\{C2E530BB-416F-42dc-BED0-608149F2C673}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe
        
        C:\Windows\{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{35C8C202-2863-4837-B5D0-BFEE99810247}.exe
        
        C:\Windows\{35C8C202-2863-4837-B5D0-BFEE99810247}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe
        
        C:\Windows\{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe
        
        C:\Windows\{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe
        
        C:\Windows\{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe
        
        C:\Windows\{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe
        
        C:\Windows\{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}.exe
        
        C:\Windows\{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}.exe
        13⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69862~1.EXE > nul
        13⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F21E~1.EXE > nul
        12⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDF24~1.EXE > nul
        11⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1DFF~1.EXE > nul
        10⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27FB1~1.EXE > nul
        9⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C8C~1.EXE > nul
        8⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{127D5~1.EXE > nul
        7⤵
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2E53~1.EXE > nul
        6⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AF00~1.EXE > nul
        5⤵
        
        PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D78D8~1.EXE > nul
      4⤵
      PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABE9~1.EXE > nul
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{127D5DB1-BBE5-41d5-9B61-882647885F75}.exe

Filesize
204KB

MD5
90b6ca97d76eee174e2f819aebc0720c

SHA1
d5fafe15bbfb7c0b1048711ae056479c1919630a

SHA256
bc8a0fa651786dd39c4d5f0a8936bcb64fefafd655a2bc11c66c0c25eaae2107

SHA512
0a2813f19db7c478db09515a5202bfad146d355d96d12dc2ec293d4f68109869081fefd16007c0541294e1b1c4b8e45427081dedf72a7e8efd160420a6cf547c

Download Submit
C:\Windows\{27FB1B16-3DAA-453e-9149-3E948D6B7AC9}.exe

Filesize
204KB

MD5
40fd6745034da126ae8fb285f43d4c83

SHA1
02f25c022a4fd88fac8505d31700187ab0d45597

SHA256
a434cedb818a990695c1fe25e44931e381c33e284b9c836be82094750ae27e2f

SHA512
12313555fed299f5d54e537ff911aa5fe56569433c76edc9b166db9a0b57376919920b994ac2464668a5efec03e5a5fb4953be70e7d012a9982df539fcb8cb3a

Download Submit
C:\Windows\{35C8C202-2863-4837-B5D0-BFEE99810247}.exe

Filesize
204KB

MD5
e0f0e55c8947db0bb74311fbc3c7347f

SHA1
d4e2423ff1222e32add1c9c8f4ea79a2fa7a05c8

SHA256
d0137f37de24c7ecd6dda749dd072921ed389e5bbe31e10c6dcb641b9120b729

SHA512
ed4131ed72a4e9eae1a06439949bcf9ab278e6b02a751c3846786eea699b6952d891669c0bd228c93020d0a3c2e18281f71967fd366ede7a07b272d12ef50f2f

Download Submit
C:\Windows\{3F21E148-FAB5-4ef9-B86E-322B25ACC425}.exe

Filesize
204KB

MD5
4a682736d811690abf0023cf6512083f

SHA1
9c640a16845fd5b496ae23e76d489934d66c7c9c

SHA256
1a8d41b37b5d8b6b7270a9ef6dd9caf94bc4c509573aa601227b6f028b4ead18

SHA512
d36cabbf278a7028b1f2d2711e98d514dc7682292d1003da83e4f1e53d20a2c7743bc76e96ad94a613f5665bdcbab3c037d6fbc12c1c21e174366e98ed5119aa

Download Submit
C:\Windows\{698623B2-3A42-460b-B34C-B9D9A3A439E6}.exe

Filesize
204KB

MD5
ad1a3e80e2641e80c2032849a3759e35

SHA1
dbebb68499e26cdcbcd7fa524b7c285243473210

SHA256
9ee62bae83848ae9179d3c95108aca378aada26672fe229a82aeb3c0fcd58313

SHA512
ec463a999f7a04ecb2abce48b6720de650cfedda90009749e00273999153049073ace87a751d659d1385e5de667d0728fd11d7f3259cf64d026b973a73a0bf4d

Download Submit
C:\Windows\{6ABE9AB7-1C37-48c9-B99B-6672758040BE}.exe

Filesize
204KB

MD5
7e5a5e29bb8ece0aec2ce9f488b181a0

SHA1
9360f3bc0b2bbc421b0b125e9d15033919a39d91

SHA256
e8181f1ddb7500414813b8c61b37d562f9d938ba737f439e3b0682178c8ac84e

SHA512
c2278df41ffe887dc0d1b9dc7fb8733c5b3c249ddb82b26560f2fdc25e7c4c2a50c6213509c3175541e1073cb7aa281f27591ccd476fd18d787961bf8f663116

Download Submit
C:\Windows\{6AF00A57-A81E-4f72-90E6-0B24AD2065FE}.exe

Filesize
204KB

MD5
5c49dacaa07798a84e81886672612b6d

SHA1
d051fa2b25ab07c0c30bc1f31fdae828e727c83e

SHA256
9080d116257fc333734faf01be3cd343a73bc7574e2ce7bb06f4b90ea0209bdf

SHA512
b39c0f7456289f72f051e48ca4c4a40771db4981ee9846cedac779bc36351f8d962a7a02936c315732114fa84fe67a633ece77e129798db7b2a3c398994994fa

Download Submit
C:\Windows\{6C7C1DF8-20B4-40c5-B180-E17FB69FA464}.exe

Filesize
204KB

MD5
7a610bd801ebf8b4695b75d18aa4df8b

SHA1
4db783b567d9ddf58e01e323c2c49f58dd12c4ff

SHA256
36af5c625a33bfb9b88a09d2e69642cc3d92393bbff40c06ece527f3082706f5

SHA512
0d8ed9e0bcf4acc81302385e67d4da591a9fa35282ff39616802f1b0cd54bc31b0f363aaa251d5b084da121acb8e7e4cdb94b99bf8407fe4f2f6d02a6e629941

Download Submit
C:\Windows\{C2E530BB-416F-42dc-BED0-608149F2C673}.exe

Filesize
204KB

MD5
86f37d1f0f97157a2aa18fff424b6eaa

SHA1
f7840d1e672cae64706187d8e520987333d8bd23

SHA256
4bfc84ab4ad94ab52868b7d719543cdb2dc251eefb84ae07124c0f4d3e20ef06

SHA512
1614c0d42f3f1aeda4e6e7504424e0c82884e9735548eba77bbfd211c7230047a097aec0032a89a582e871bae6329ad1cf0ce91d08e21b287816a4cbedd16bd4

Download Submit
C:\Windows\{CDF2498E-4ADD-466c-9726-C06C71D856A5}.exe

Filesize
204KB

MD5
3c5086b675d352ceaa2dceead243683c

SHA1
999a5e167961c3f3b9988df6fdc625c610ca092d

SHA256
49cb07c5b0ada217707d1cee4a7c6a376fd0879c7d217b4cbd3a71be245ce217

SHA512
371f7bd8ff4cb2a519502d32d190f2231be2ecb122431e1d9f14d406c5722b2b8376c03f62913d9f1bea0de09f2ad021860aaee0902c56956250769047d0f2a0

Download Submit
C:\Windows\{D78D845A-9413-430d-A478-16CFF4E7BCBE}.exe

Filesize
204KB

MD5
b5e58426e10c7b2d044d27aaeff8ad02

SHA1
39ef98b5a348dace386751d0f5a3855764082902

SHA256
237fb99d8a5a9ce5a9a81b3b2968a15e1483f6d64eb6546ac1594256fcbed826

SHA512
5da1f00cac38820094a827e6fa8a6fcdbf1d696798c215d4a21e5dab71f7c9d8ec532c45999a88c2acb8bbc73c956102ee25c4d4150ea062cf12594e0d0f96d2

Download Submit
C:\Windows\{F1DFF43E-B147-4cb2-804E-26009F7D21CD}.exe

Filesize
204KB

MD5
cd00b861ba0bd89f52d655d307653d56

SHA1
de6657e80324dc00b72041cf013cfd78a3c084b0

SHA256
7c99cdb8d5d78206444d1fc8b83435e8fbdf89e6ef5d3bfc1b99c6d0b94172ad

SHA512
40925c39c6663a8d22b8dc7b1a1c26d69087a24a7000323e913154c9ccf989fa37134373acefc61efb4b798889fc7541f434716fa90659a05fa7448dfaea1bb0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads