d81aa78eeb970189a331c64539a9fd4db9629410b740ac08220d9bca90f82d49

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe
Size

380KB
MD5

44815dc40cb5e0269edf8bc867a4e564
SHA1

dcee6330630664fc18f2b77a0db08fd71ccd5dae
SHA256

d81aa78eeb970189a331c64539a9fd4db9629410b740ac08220d9bca90f82d49
SHA512

e0ce354fcf833d024402618c4a1ac76720533ee41f3289e4cfec0cb573a96cc72dad30a2cba504ed4c00d69776c8c519c7a1d18f650d05cdc70a3dccf86967b1
SSDEEP

3072:mEGh0oYlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023484-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002348d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233b3-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002348d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233b3-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233b2-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233b3-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233b2-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233b5-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233b2-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233b5-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233b4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A00585EE-1A6D-486c-940C-16EA41AFB03A}\stubpath = "C:\\Windows\\{A00585EE-1A6D-486c-940C-16EA41AFB03A}.exe"	{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C7102AC-7B38-475f-BBA4-159A219C2CCF}\stubpath = "C:\\Windows\\{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe"	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34E61A6B-90BA-47d0-A354-C681153133FF}\stubpath = "C:\\Windows\\{34E61A6B-90BA-47d0-A354-C681153133FF}.exe"	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2940260-3BAC-41bb-BD83-7F15C42499C6}\stubpath = "C:\\Windows\\{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe"	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5773EC25-970D-45d4-94B3-332F6EAD8D3A}	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}\stubpath = "C:\\Windows\\{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe"	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A00585EE-1A6D-486c-940C-16EA41AFB03A}	{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{891E3688-2940-4efd-944E-91100DC0E514}	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{891E3688-2940-4efd-944E-91100DC0E514}\stubpath = "C:\\Windows\\{891E3688-2940-4efd-944E-91100DC0E514}.exe"	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}	{891E3688-2940-4efd-944E-91100DC0E514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5773EC25-970D-45d4-94B3-332F6EAD8D3A}\stubpath = "C:\\Windows\\{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe"	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C7102AC-7B38-475f-BBA4-159A219C2CCF}	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F07342F5-8694-4396-949A-6F76A5527A34}\stubpath = "C:\\Windows\\{F07342F5-8694-4396-949A-6F76A5527A34}.exe"	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{466F6590-AAA3-4f64-BE12-993313A0B9AE}\stubpath = "C:\\Windows\\{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe"	{F07342F5-8694-4396-949A-6F76A5527A34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}\stubpath = "C:\\Windows\\{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe"	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2940260-3BAC-41bb-BD83-7F15C42499C6}	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F07342F5-8694-4396-949A-6F76A5527A34}	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{466F6590-AAA3-4f64-BE12-993313A0B9AE}	{F07342F5-8694-4396-949A-6F76A5527A34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34E61A6B-90BA-47d0-A354-C681153133FF}	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C41A673-FBF8-47f0-B958-FA85DFF0F321}	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C41A673-FBF8-47f0-B958-FA85DFF0F321}\stubpath = "C:\\Windows\\{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe"	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}\stubpath = "C:\\Windows\\{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe"	{891E3688-2940-4efd-944E-91100DC0E514}.exe

Executes dropped EXE 12 IoCs

pid	Process
4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe
2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe
2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe
4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe
552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe
4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe
4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe
4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe
3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe
2016	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe
3256	{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe
944	{A00585EE-1A6D-486c-940C-16EA41AFB03A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe
File created	C:\Windows\{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe
File created	C:\Windows\{34E61A6B-90BA-47d0-A354-C681153133FF}.exe	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe
File created	C:\Windows\{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe
File created	C:\Windows\{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe	{891E3688-2940-4efd-944E-91100DC0E514}.exe
File created	C:\Windows\{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe	{F07342F5-8694-4396-949A-6F76A5527A34}.exe
File created	C:\Windows\{A00585EE-1A6D-486c-940C-16EA41AFB03A}.exe	{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe
File created	C:\Windows\{891E3688-2940-4efd-944E-91100DC0E514}.exe	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe
File created	C:\Windows\{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe
File created	C:\Windows\{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe
File created	C:\Windows\{F07342F5-8694-4396-949A-6F76A5527A34}.exe	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe
File created	C:\Windows\{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2632	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe
Token: SeIncBasePriorityPrivilege	2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe
Token: SeIncBasePriorityPrivilege	2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe
Token: SeIncBasePriorityPrivilege	4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe
Token: SeIncBasePriorityPrivilege	552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe
Token: SeIncBasePriorityPrivilege	4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe
Token: SeIncBasePriorityPrivilege	4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe
Token: SeIncBasePriorityPrivilege	4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe
Token: SeIncBasePriorityPrivilege	3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe
Token: SeIncBasePriorityPrivilege	2016	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe
Token: SeIncBasePriorityPrivilege	3256	{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4140	2632	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe	98
PID 2632 wrote to memory of 4140	2632	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe	98
PID 2632 wrote to memory of 4140	2632	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe	98
PID 2632 wrote to memory of 4312	2632	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe	99
PID 2632 wrote to memory of 4312	2632	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe	99
PID 2632 wrote to memory of 4312	2632	2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe	99
PID 4140 wrote to memory of 2688	4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe	101
PID 4140 wrote to memory of 2688	4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe	101
PID 4140 wrote to memory of 2688	4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe	101
PID 4140 wrote to memory of 3968	4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe	102
PID 4140 wrote to memory of 3968	4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe	102
PID 4140 wrote to memory of 3968	4140	{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe	102
PID 2688 wrote to memory of 2264	2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe	105
PID 2688 wrote to memory of 2264	2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe	105
PID 2688 wrote to memory of 2264	2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe	105
PID 2688 wrote to memory of 1564	2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe	106
PID 2688 wrote to memory of 1564	2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe	106
PID 2688 wrote to memory of 1564	2688	{34E61A6B-90BA-47d0-A354-C681153133FF}.exe	106
PID 2264 wrote to memory of 4352	2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe	107
PID 2264 wrote to memory of 4352	2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe	107
PID 2264 wrote to memory of 4352	2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe	107
PID 2264 wrote to memory of 4504	2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe	108
PID 2264 wrote to memory of 4504	2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe	108
PID 2264 wrote to memory of 4504	2264	{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe	108
PID 4352 wrote to memory of 552	4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe	109
PID 4352 wrote to memory of 552	4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe	109
PID 4352 wrote to memory of 552	4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe	109
PID 4352 wrote to memory of 1408	4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe	110
PID 4352 wrote to memory of 1408	4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe	110
PID 4352 wrote to memory of 1408	4352	{891E3688-2940-4efd-944E-91100DC0E514}.exe	110
PID 552 wrote to memory of 4300	552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe	115
PID 552 wrote to memory of 4300	552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe	115
PID 552 wrote to memory of 4300	552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe	115
PID 552 wrote to memory of 116	552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe	116
PID 552 wrote to memory of 116	552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe	116
PID 552 wrote to memory of 116	552	{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe	116
PID 4300 wrote to memory of 4152	4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe	117
PID 4300 wrote to memory of 4152	4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe	117
PID 4300 wrote to memory of 4152	4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe	117
PID 4300 wrote to memory of 4412	4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe	118
PID 4300 wrote to memory of 4412	4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe	118
PID 4300 wrote to memory of 4412	4300	{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe	118
PID 4152 wrote to memory of 4268	4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe	120
PID 4152 wrote to memory of 4268	4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe	120
PID 4152 wrote to memory of 4268	4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe	120
PID 4152 wrote to memory of 1960	4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe	121
PID 4152 wrote to memory of 1960	4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe	121
PID 4152 wrote to memory of 1960	4152	{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe	121
PID 4268 wrote to memory of 3500	4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe	128
PID 4268 wrote to memory of 3500	4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe	128
PID 4268 wrote to memory of 3500	4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe	128
PID 4268 wrote to memory of 4352	4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe	129
PID 4268 wrote to memory of 4352	4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe	129
PID 4268 wrote to memory of 4352	4268	{F07342F5-8694-4396-949A-6F76A5527A34}.exe	129
PID 3500 wrote to memory of 2016	3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe	130
PID 3500 wrote to memory of 2016	3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe	130
PID 3500 wrote to memory of 2016	3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe	130
PID 3500 wrote to memory of 440	3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe	131
PID 3500 wrote to memory of 440	3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe	131
PID 3500 wrote to memory of 440	3500	{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe	131
PID 2016 wrote to memory of 3256	2016	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe	132
PID 2016 wrote to memory of 3256	2016	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe	132
PID 2016 wrote to memory of 3256	2016	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe	132
PID 2016 wrote to memory of 4112	2016	{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_44815dc40cb5e0269edf8bc867a4e564_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe
  C:\Windows\{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\{34E61A6B-90BA-47d0-A354-C681153133FF}.exe
    C:\Windows\{34E61A6B-90BA-47d0-A354-C681153133FF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe
      C:\Windows\{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\{891E3688-2940-4efd-944E-91100DC0E514}.exe
        
        C:\Windows\{891E3688-2940-4efd-944E-91100DC0E514}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Windows\{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe
        
        C:\Windows\{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe
        
        C:\Windows\{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe
        
        C:\Windows\{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\{F07342F5-8694-4396-949A-6F76A5527A34}.exe
        
        C:\Windows\{F07342F5-8694-4396-949A-6F76A5527A34}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe
        
        C:\Windows\{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe
        
        C:\Windows\{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe
        
        C:\Windows\{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\{A00585EE-1A6D-486c-940C-16EA41AFB03A}.exe
        
        C:\Windows\{A00585EE-1A6D-486c-940C-16EA41AFB03A}.exe
        13⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5773E~1.EXE > nul
        13⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{000CC~1.EXE > nul
        12⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{466F6~1.EXE > nul
        11⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0734~1.EXE > nul
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2940~1.EXE > nul
        9⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{600C5~1.EXE > nul
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0B1~1.EXE > nul
        7⤵
        
        PID:116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{891E3~1.EXE > nul
        6⤵
        
        PID:1408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C41A~1.EXE > nul
        5⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{34E61~1.EXE > nul
      4⤵
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5C710~1.EXE > nul
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{000CC1BD-1274-405c-A4CC-8B7BDBF9B173}.exe

Filesize
380KB

MD5
5d6a45e63e035ff528172b4d4a5abb48

SHA1
396a0f7e130daa275c82d57e585f2a52f3ff7031

SHA256
f94b8072ad785e3cf338852dbb62a07af5b9f168b4f3c93e6bb71a9348e66678

SHA512
8796a3dbe27acde07561d8a91922d3c6dce16c0ba48cd6ccc1867c50dd71ca6213ac76d00b472eabdf2b2740b98c8cc0ee448a0c7fbe1885eb672f077f956895

Download Submit
C:\Windows\{2B0B1CB2-7A24-4d11-B077-401F41E23F1D}.exe

Filesize
380KB

MD5
5e6795779376be2f52954fa2d3dc4ea0

SHA1
8525abd49e8fe7c1f4eb0b4253e0045ea03e54cf

SHA256
87e4f6b1d8665115064bd5e08d43fa24f6008f091e2b74e64b37d15bccf99951

SHA512
c78cef9294d8ecb8f12b9f03bf0274c3bf523f9aac63c37c96c57fae74efa2dfb7644205ac0888c4615ec67253cd773e02a9d7263b6e8a017bd16744beafaa7c

Download Submit
C:\Windows\{34E61A6B-90BA-47d0-A354-C681153133FF}.exe

Filesize
380KB

MD5
59e4d003b4596ee30bb7d05288c0b49c

SHA1
676870ac8f8d6375aadf129c653f73cb6b76df8a

SHA256
6120b8300bc4fe087fabc89c25e0f6bb99dce67399c3ee2d526ebdf9bcf45171

SHA512
c39cc9e2b889545c7e5069fe4ba6f22ac468c891064c4171e72e427c28f91dd4efd1499d5d6f5774e5c3d671bfc79a30e17a99f165d10478959b6660cc108024

Download Submit
C:\Windows\{466F6590-AAA3-4f64-BE12-993313A0B9AE}.exe

Filesize
380KB

MD5
dc7f78a4538d4bfcd9cea3b8c1095296

SHA1
2f201b35607907d190b01b654d59cfaf5a367bb8

SHA256
17a0b8a2ff0cd87b31cc9710e73e514ab72d073aee401f17a43a9770f87a6d12

SHA512
ea5b2c8be82a119989adf4dd3b6fbbe7f9ac832c8832dcd3815f24b92eebc2354937b7bedafa969813b3b8a8a6e7de3507e32f5e50f945d1973b2edd56c601f6

Download Submit
C:\Windows\{5773EC25-970D-45d4-94B3-332F6EAD8D3A}.exe

Filesize
380KB

MD5
1340a6a97d3da1d33483352349997686

SHA1
8a0955247cb11f76bb406fa483affa8477ddb25b

SHA256
aba1342fea52bff81cdb94674263986bd5cdaf7400050c806f2ea23707593ac8

SHA512
daf8cd570087648e6f62f3392ffe321a7ba868769cfa1f4063e0058c3a00ad0db744370334ea1f48a78f612523c76e052e40ca6bb218591b715ff5552d4ec256

Download Submit
C:\Windows\{5C7102AC-7B38-475f-BBA4-159A219C2CCF}.exe

Filesize
380KB

MD5
981750f45faa328d05da7d0317fd479e

SHA1
ad398152c98047f4615e1dfdb9ac0c6b1dc9ce36

SHA256
4649786f131d514d4804c36f98ad2b980cec0e1f0f60d3730d85ebc77dafc420

SHA512
13b25845c88f7cd51619ff2a5c1e48acd15df4c0da77b1e69d5737ed3d153909e0f8b6a7e1e9f89b399d5a55c39966f661cdb7c0365226774f8ec541a648f820

Download Submit
C:\Windows\{600C5CA8-1FBD-41cd-87F4-DACC668D3CA1}.exe

Filesize
380KB

MD5
c50f236e8690dfc27551d8ba68821b99

SHA1
51d946e9b249d68ee45ad589f0bee594ced17991

SHA256
0a72313745c1a474e88914cefa7042e57f58a3291a586b45294a1413c770dd32

SHA512
fb3fdccdd622fa2192950026fa60c64d9ab0cbbf0cfb5513233495f16678e559a2ab796b048e5b6e8a672063f47ace93bd41a05c6e63837ada03d6076a16774e

Download Submit
C:\Windows\{7C41A673-FBF8-47f0-B958-FA85DFF0F321}.exe

Filesize
380KB

MD5
b34aa1672111e065f23e6b08f43c31a6

SHA1
4a3972315d062e68da771b6eb7067a721d637be1

SHA256
71fa48686a4d05edffeff3b08c83c577d422e4ec895f64463483e4767026cf22

SHA512
0dabbb09e13311cb06ee713bebda952f25e54f1f9610480e73e005c01ac44c29d02a729156837c430b0bd3fa4225ff9e4122954ee30a4a4c19761bd9504e60ef

Download Submit
C:\Windows\{891E3688-2940-4efd-944E-91100DC0E514}.exe

Filesize
380KB

MD5
ed5d2a7540faacd0a859e570a333efd9

SHA1
47c847798427d2d75e5dfa6edc5ca6000aff1452

SHA256
822e5a81cf1916a68ffb1e7bbc1fe5259c45c933d3959bb0eb85db0f09274f5f

SHA512
00840792aca6e93d16138477e76aa2504462a506744e576182d5518587e02835f52d3ccde2723a38744aabbbfe1638842965b107f27af7d6d3dd78fdd79f1639

Download Submit
C:\Windows\{A00585EE-1A6D-486c-940C-16EA41AFB03A}.exe

Filesize
380KB

MD5
55ff99a8946e41630c5e67a89b68dd07

SHA1
79f0b3827844b2be78eb3ca01168edea6fb3e303

SHA256
9d9aca7f1ef73bd2cdec0aa3afb26f98ef2b4d8e542b0e83df3719d81570028b

SHA512
4597585d182718168416150e97756718c6294a3b27702a710a00f822903490d5b18478fe8cd36726029342f177719c6be8d117ce545432d730e8c448760a15a9

Download Submit
C:\Windows\{C2940260-3BAC-41bb-BD83-7F15C42499C6}.exe

Filesize
380KB

MD5
d88310897c1703712db2fbd149ffb405

SHA1
4c1e971110eb5987bf318ec166b6ad7300a80ac8

SHA256
7e3d22aa8443ad766be322aac0e9a643b1e130639825e19377aa14504bba4f89

SHA512
6004d9ec3c9eacfc5085e31efbce7c701c8c9659d42e0cb559c24339d40d1eeecba40edf0f5e89f2ee837b00f7338223dfb0fc5cd84a31aa98bdf04fc3ca1454

Download Submit
C:\Windows\{F07342F5-8694-4396-949A-6F76A5527A34}.exe

Filesize
380KB

MD5
5988c0e88d1762867c838cee6b867c6c

SHA1
51d5b07a33da1db4c6fcc419268a85822e433336

SHA256
35fc3e8b41f49009e4afac123fbeb5df4fdba2729270c70583c92a3cdececdb8

SHA512
71bd87cc99f1a72b1c92122a4aa32b19dded23e9e06528cbb82b269515dffc461113d0943aa532c036720e3c2c8693f76896a7b947a2308a2b20acfa1f2d91ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads