f211aab45a97084fd566c0d75a6aea0a4c609e3a517dab05da75f4d005d959d9

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe
Size

204KB
MD5

5da349636a1ded91fcf179de8ace8a6b
SHA1

1d69e236064a17292efecfc0ef37242fe9dbfd86
SHA256

f211aab45a97084fd566c0d75a6aea0a4c609e3a517dab05da75f4d005d959d9
SHA512

22d284e3584e4ef76841abbf4d9c2f701429bd7bb976ee0ac73d4855bc533bc4c3d6738e6982c53b7f8bbf5d1b25d4b9258a0879704db2a541211a62a88c484f
SSDEEP

1536:1EGh0oWLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oql1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023435-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023424-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002343e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023424-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002343e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002338c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023393-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002344b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000229a3-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023393-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000229a3-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023392-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2915C9-A5A4-4016-8B68-506316B69B9C}\stubpath = "C:\\Windows\\{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe"	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A854462-3C0F-4531-B007-279984358358}\stubpath = "C:\\Windows\\{7A854462-3C0F-4531-B007-279984358358}.exe"	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}\stubpath = "C:\\Windows\\{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe"	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A854462-3C0F-4531-B007-279984358358}	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}\stubpath = "C:\\Windows\\{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe"	{7A854462-3C0F-4531-B007-279984358358}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}	{736EBE04-AE9C-486c-8038-87CF0547747A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}\stubpath = "C:\\Windows\\{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}.exe"	{736EBE04-AE9C-486c-8038-87CF0547747A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{962494C9-6D8C-438b-BF6A-6989579F42AE}	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{962494C9-6D8C-438b-BF6A-6989579F42AE}\stubpath = "C:\\Windows\\{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe"	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D581F9-D376-467d-A38C-5C8CEBC792EE}	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D581F9-D376-467d-A38C-5C8CEBC792EE}\stubpath = "C:\\Windows\\{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe"	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91842C1C-1D71-4855-B4AE-107E52F22C71}	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91842C1C-1D71-4855-B4AE-107E52F22C71}\stubpath = "C:\\Windows\\{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe"	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}	{7A854462-3C0F-4531-B007-279984358358}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}\stubpath = "C:\\Windows\\{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe"	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049818E2-45AE-4131-A9C5-28E5CFF5019C}	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}\stubpath = "C:\\Windows\\{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe"	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2915C9-A5A4-4016-8B68-506316B69B9C}	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{736EBE04-AE9C-486c-8038-87CF0547747A}	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{736EBE04-AE9C-486c-8038-87CF0547747A}\stubpath = "C:\\Windows\\{736EBE04-AE9C-486c-8038-87CF0547747A}.exe"	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049818E2-45AE-4131-A9C5-28E5CFF5019C}\stubpath = "C:\\Windows\\{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe"	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe

Executes dropped EXE 12 IoCs

pid	Process
1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe
2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe
688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe
2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe
2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe
1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe
4740	{7A854462-3C0F-4531-B007-279984358358}.exe
1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe
1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe
3876	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe
2884	{736EBE04-AE9C-486c-8038-87CF0547747A}.exe
1708	{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe
File created	C:\Windows\{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe
File created	C:\Windows\{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe
File created	C:\Windows\{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe
File created	C:\Windows\{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe
File created	C:\Windows\{7A854462-3C0F-4531-B007-279984358358}.exe	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe
File created	C:\Windows\{736EBE04-AE9C-486c-8038-87CF0547747A}.exe	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe
File created	C:\Windows\{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}.exe	{736EBE04-AE9C-486c-8038-87CF0547747A}.exe
File created	C:\Windows\{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe
File created	C:\Windows\{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe
File created	C:\Windows\{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe
File created	C:\Windows\{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe	{7A854462-3C0F-4531-B007-279984358358}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	872	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe
Token: SeIncBasePriorityPrivilege	2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe
Token: SeIncBasePriorityPrivilege	688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe
Token: SeIncBasePriorityPrivilege	2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe
Token: SeIncBasePriorityPrivilege	2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe
Token: SeIncBasePriorityPrivilege	1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe
Token: SeIncBasePriorityPrivilege	4740	{7A854462-3C0F-4531-B007-279984358358}.exe
Token: SeIncBasePriorityPrivilege	1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe
Token: SeIncBasePriorityPrivilege	1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe
Token: SeIncBasePriorityPrivilege	3876	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe
Token: SeIncBasePriorityPrivilege	2884	{736EBE04-AE9C-486c-8038-87CF0547747A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1144	872	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe	97
PID 872 wrote to memory of 1144	872	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe	97
PID 872 wrote to memory of 1144	872	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe	97
PID 872 wrote to memory of 3428	872	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe	98
PID 872 wrote to memory of 3428	872	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe	98
PID 872 wrote to memory of 3428	872	2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe	98
PID 1144 wrote to memory of 2820	1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe	99
PID 1144 wrote to memory of 2820	1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe	99
PID 1144 wrote to memory of 2820	1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe	99
PID 1144 wrote to memory of 5088	1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe	100
PID 1144 wrote to memory of 5088	1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe	100
PID 1144 wrote to memory of 5088	1144	{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe	100
PID 2820 wrote to memory of 688	2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe	103
PID 2820 wrote to memory of 688	2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe	103
PID 2820 wrote to memory of 688	2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe	103
PID 2820 wrote to memory of 3016	2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe	104
PID 2820 wrote to memory of 3016	2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe	104
PID 2820 wrote to memory of 3016	2820	{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe	104
PID 688 wrote to memory of 2108	688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe	105
PID 688 wrote to memory of 2108	688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe	105
PID 688 wrote to memory of 2108	688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe	105
PID 688 wrote to memory of 836	688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe	106
PID 688 wrote to memory of 836	688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe	106
PID 688 wrote to memory of 836	688	{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe	106
PID 2108 wrote to memory of 2824	2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe	107
PID 2108 wrote to memory of 2824	2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe	107
PID 2108 wrote to memory of 2824	2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe	107
PID 2108 wrote to memory of 1152	2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe	108
PID 2108 wrote to memory of 1152	2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe	108
PID 2108 wrote to memory of 1152	2108	{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe	108
PID 2824 wrote to memory of 1916	2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe	115
PID 2824 wrote to memory of 1916	2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe	115
PID 2824 wrote to memory of 1916	2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe	115
PID 2824 wrote to memory of 4296	2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe	116
PID 2824 wrote to memory of 4296	2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe	116
PID 2824 wrote to memory of 4296	2824	{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe	116
PID 1916 wrote to memory of 4740	1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe	117
PID 1916 wrote to memory of 4740	1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe	117
PID 1916 wrote to memory of 4740	1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe	117
PID 1916 wrote to memory of 1432	1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe	118
PID 1916 wrote to memory of 1432	1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe	118
PID 1916 wrote to memory of 1432	1916	{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe	118
PID 4740 wrote to memory of 1096	4740	{7A854462-3C0F-4531-B007-279984358358}.exe	123
PID 4740 wrote to memory of 1096	4740	{7A854462-3C0F-4531-B007-279984358358}.exe	123
PID 4740 wrote to memory of 1096	4740	{7A854462-3C0F-4531-B007-279984358358}.exe	123
PID 4740 wrote to memory of 3516	4740	{7A854462-3C0F-4531-B007-279984358358}.exe	124
PID 4740 wrote to memory of 3516	4740	{7A854462-3C0F-4531-B007-279984358358}.exe	124
PID 4740 wrote to memory of 3516	4740	{7A854462-3C0F-4531-B007-279984358358}.exe	124
PID 1096 wrote to memory of 1312	1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe	128
PID 1096 wrote to memory of 1312	1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe	128
PID 1096 wrote to memory of 1312	1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe	128
PID 1096 wrote to memory of 4724	1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe	129
PID 1096 wrote to memory of 4724	1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe	129
PID 1096 wrote to memory of 4724	1096	{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe	129
PID 1312 wrote to memory of 3876	1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe	130
PID 1312 wrote to memory of 3876	1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe	130
PID 1312 wrote to memory of 3876	1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe	130
PID 1312 wrote to memory of 3400	1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe	131
PID 1312 wrote to memory of 3400	1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe	131
PID 1312 wrote to memory of 3400	1312	{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe	131
PID 3876 wrote to memory of 2884	3876	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe	132
PID 3876 wrote to memory of 2884	3876	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe	132
PID 3876 wrote to memory of 2884	3876	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe	132
PID 3876 wrote to memory of 1748	3876	{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_5da349636a1ded91fcf179de8ace8a6b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe
  C:\Windows\{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe
    C:\Windows\{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe
      C:\Windows\{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:688
    - - C:\Windows\{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe
        
        C:\Windows\{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe
        
        C:\Windows\{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe
        
        C:\Windows\{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{7A854462-3C0F-4531-B007-279984358358}.exe
        
        C:\Windows\{7A854462-3C0F-4531-B007-279984358358}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe
        
        C:\Windows\{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe
        
        C:\Windows\{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe
        
        C:\Windows\{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{736EBE04-AE9C-486c-8038-87CF0547747A}.exe
        
        C:\Windows\{736EBE04-AE9C-486c-8038-87CF0547747A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}.exe
        
        C:\Windows\{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{736EB~1.EXE > nul
        13⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC291~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D691~1.EXE > nul
        11⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB0A1~1.EXE > nul
        10⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A854~1.EXE > nul
        9⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91842~1.EXE > nul
        8⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96D58~1.EXE > nul
        7⤵
        
        PID:4296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{987C6~1.EXE > nul
        6⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22801~1.EXE > nul
        5⤵
        
        PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04981~1.EXE > nul
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{96249~1.EXE > nul
    3⤵
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{049818E2-45AE-4131-A9C5-28E5CFF5019C}.exe

Filesize
204KB

MD5
14a1fd493e317fbacc0ca261a2d49be2

SHA1
0375d1612b076ed4a6f0be24f52d20808b68a853

SHA256
cafa943d3182952ad92850411b58d15ffec79a090ecba75c3dc140146d46516c

SHA512
ae8653d395b80ca2c707dabb2d6ff94b33d1e6dd5f9df03dbdca7ee51708d131f20a3fb5d02e66943e10732c4b12c820384b0168281dee9199136c91d5c35da0

Download Submit
C:\Windows\{22801BAA-EBD4-4ae2-A70B-BF759A232BCD}.exe

Filesize
204KB

MD5
ed77bdbe940e69350421690629c0abdd

SHA1
351fe8d2540aa892612ebdaee33ef54eca9b9ae0

SHA256
8e70e14cae8dd5cada2d463b94510c764b69c24d97d560d04687fc3aad0a837e

SHA512
6f30d8eed5f88a6e28ffe06a130241f4349baaa3494f2f591332f83f74cbe4d150b444cc6362503d0be448390152889f394af3501203d9b5acb2db10bffd546b

Download Submit
C:\Windows\{3BF4D0E2-8F95-4d3a-ADA4-30427BFEAF8A}.exe

Filesize
204KB

MD5
291ff9e65ba14adcc55d3792a626558a

SHA1
0580519da546b2970b29b1161ab251a995fa9fbc

SHA256
1c7aea9a3aaaf24eb285a9e6e6e22846783d51c688bc53970276d5f510b06066

SHA512
ddb06815d063f1abf3f60ebf11cdebafef78381b41d2204adf15174f8e6e1a439d498a542eba270fb92a52cfedb9cf6d113624405279b0131a238004da1f83df

Download Submit
C:\Windows\{736EBE04-AE9C-486c-8038-87CF0547747A}.exe

Filesize
204KB

MD5
8c37d6f64107fcb16fe875c33c2678aa

SHA1
8c58b04c2ee1fc39242b6bf88045d92d23c836d6

SHA256
a70443e6db3f689caf66276eb7df0b94c52ce4f3c777afd4d27aff7b0670f209

SHA512
103d31fe667805aa23d824739ba4e7cc094b3cd72dac6a8076b2683f8f3951490f0339064ac7f94ee2fcbd2023c832799b1ba2b6beaecc97aac21f82398a19c3

Download Submit
C:\Windows\{7A854462-3C0F-4531-B007-279984358358}.exe

Filesize
204KB

MD5
5258e8398d2647bad4a953d24a507a20

SHA1
a0f0ebca68bc18a25b433429ab691b22f5731ac6

SHA256
7e1ebbcfaefbd2ee29c85759de19ebad390feb452ddc1e74c4a2a7f4dc6badf1

SHA512
e6136b7e31d1cb02f8a77b4c0c9c0db63d894928c76f81d3c1f7c96a374393200da95ee5a95bb2149c93ad7995b04b0e23bede4d8a903e7d2fd7cb0aa900f18e

Download Submit
C:\Windows\{91842C1C-1D71-4855-B4AE-107E52F22C71}.exe

Filesize
204KB

MD5
eb3693ffa3e2c321b3c16216c300c57a

SHA1
8126198000f27ccf276cb95d2e938e76689614a9

SHA256
cb811404c50b10a0631e55f9dcc5ad88dedfe13964cef18529b4666c8f8fee52

SHA512
933ddd056f04a71d81927bce448cce393009691feb190d817fffcfaf8abf2231852e13167694590828b1345d0eacf8bf1748f6fa747daf7204bbd3f7b45fbbfc

Download Submit
C:\Windows\{962494C9-6D8C-438b-BF6A-6989579F42AE}.exe

Filesize
204KB

MD5
caf8569a8b9da222c612fdb1b4ea60a8

SHA1
2c901e53cf150a4fd45a6040f2550fec824af848

SHA256
d4a023a97f5e6afad09e2a5eb8e9d368bf7f30aa7998eb0ab06eb8bc0d581ca7

SHA512
cec54609c0f3f74b2584a9e28cc637e59ab817d20b9c23b89be5175e5025cc8f34ca138dd8eac12736085e746404343178fe124d826fcb80af6bcd259529f18b

Download Submit
C:\Windows\{96D581F9-D376-467d-A38C-5C8CEBC792EE}.exe

Filesize
204KB

MD5
cfbb8c035a77c31d5410ced7ca4b146c

SHA1
677024823e990ea0b2c3a93ec2471c2432ce8ec0

SHA256
4f47a4875fb39e41752482eb8fe89796b6c27fc0d69ce9ddeccbc6826155d216

SHA512
ebdf6f698d7e499eca248f5bb019e824f4db11f8bb8e88070faa4479b50c7dfed1339d62eb39972443ccaf760f6743e3c7e14287ef53d5dda29470159a31a228

Download Submit
C:\Windows\{987C66DB-50C4-43a6-B2DF-B5163BE5A8BC}.exe

Filesize
204KB

MD5
543c3db7587018e7a2526bf36b1e0446

SHA1
68480d1eb0ba421818967632d8abc0529695179e

SHA256
c7b34df8a1720982ff3178b04a580bb2c8e5eefd52e6bb525e2e89ee038a497e

SHA512
507dd188a05f52a0a8b88c016d6db28a80946cc98dda56749e5b943e9d6500a3eb5469c9212c3a1903e9e193aee4ec25c63eed93cef0d298658373cab02f1975

Download Submit
C:\Windows\{9D6913D6-66D0-4125-BBC7-98032A0D2B6F}.exe

Filesize
204KB

MD5
d58865a54e27ef904ed1971f21c86c34

SHA1
bd6c5601ca38407e9cb61d35b07abf107f064d5e

SHA256
d72e0002b8401c0ef13c93f0c11e420b8ea1dfc5879bf40a354538f219543362

SHA512
bd6079f11a35286f18debc3c7274f8eef03ace878aeec01dbb9133f00275e53f2868fc2494d95edfad1cbd39dc65e013348275e174ec9312f0e6b5fb22319db5

Download Submit
C:\Windows\{EB0A1164-50B4-45ee-8D0D-5FC714BDB300}.exe

Filesize
204KB

MD5
8aa3d312a7edab0faa1a667bf867f7d1

SHA1
4d9abc6ba7d1b0214a639d7cb3b245ae2c988911

SHA256
935b79134d67ef4f8c17329c27ac5281a683e9700361fbc8cd6f8bb2d8ec0b0e

SHA512
1e78bed6e10f2fedb9f88ea9893b2dc29f42accd38d0cfe4e8a92b933681c85ccea331fa8fe1f59ba425c9af2059f8820192131d65822c6e956f7edbbc5c4c31

Download Submit
C:\Windows\{EC2915C9-A5A4-4016-8B68-506316B69B9C}.exe

Filesize
204KB

MD5
066652bb1591be6ebfaf478ed0a124ea

SHA1
f9488ebb5302462e25b9611956507f3f33611a78

SHA256
2dc441743deecaeeeb311512a58befd391802c0eb724c520c1c9d81f0e3423f2

SHA512
ec977c0d5995f0bd67fe8094c9c1453f35f59d798aab00e1241fab8268058f8917e96e003c91895be678d7c3e6ae532fcba3b1fc6ac314f44b7faaef8b08b000

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads