fe5bcb9f0906fd3fdc6eb4fe4647e4b174f2805c46b02ac0fce8c844f6b15b59

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe
Size

344KB
MD5

29e20b8b542e72ea5a61707def858260
SHA1

4d8aac46263a84d8899b79e459e460431c2391f9
SHA256

fe5bcb9f0906fd3fdc6eb4fe4647e4b174f2805c46b02ac0fce8c844f6b15b59
SHA512

f97f8d9ee6184bcdd250ccdc80d1092fb19befb2129ea5ef34087b81560913c986376ee6489eef5dadf934a727f831fb90c5029a707947360840fcdcca597dfe
SSDEEP

3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGulqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023419-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002342d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023525-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023528-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db28-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db5c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db28-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001db5c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023540-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001db5c-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023540-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023541-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844F3309-F0F6-4ad1-91B5-7D042EFB4647}\stubpath = "C:\\Windows\\{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe"	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9489AE9-1273-474d-83ED-BE91AB736FD7}\stubpath = "C:\\Windows\\{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe"	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13463CD4-721E-4c8d-A665-685CE480A4E6}\stubpath = "C:\\Windows\\{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe"	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E7B0463-364A-4202-8627-135B54BAD5B5}	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2B27107-9830-43e2-9133-B2C7EF3EE221}	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC39606-324C-4c1a-908B-20AE1D8E801C}\stubpath = "C:\\Windows\\{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe"	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3643A140-6703-4224-A7C9-FFF0FEB16C33}\stubpath = "C:\\Windows\\{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe"	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13463CD4-721E-4c8d-A665-685CE480A4E6}	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{108131A6-154C-42d7-9D92-0AF829B281BF}	{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E20138D5-112D-4f90-A9B8-DF59CD78A95D}	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}\stubpath = "C:\\Windows\\{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe"	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844F3309-F0F6-4ad1-91B5-7D042EFB4647}	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9489AE9-1273-474d-83ED-BE91AB736FD7}	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E7B0463-364A-4202-8627-135B54BAD5B5}\stubpath = "C:\\Windows\\{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe"	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E20138D5-112D-4f90-A9B8-DF59CD78A95D}\stubpath = "C:\\Windows\\{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe"	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3643A140-6703-4224-A7C9-FFF0FEB16C33}	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F52B83C-5277-4b95-B490-2A07C7305D63}	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F52B83C-5277-4b95-B490-2A07C7305D63}\stubpath = "C:\\Windows\\{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe"	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}\stubpath = "C:\\Windows\\{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe"	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{108131A6-154C-42d7-9D92-0AF829B281BF}\stubpath = "C:\\Windows\\{108131A6-154C-42d7-9D92-0AF829B281BF}.exe"	{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2B27107-9830-43e2-9133-B2C7EF3EE221}\stubpath = "C:\\Windows\\{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe"	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC39606-324C-4c1a-908B-20AE1D8E801C}	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe

Executes dropped EXE 12 IoCs

pid	Process
2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe
1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe
224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe
3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe
3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe
2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe
4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe
3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe
372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe
4052	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe
2024	{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe
4580	{108131A6-154C-42d7-9D92-0AF829B281BF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe
File created	C:\Windows\{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe
File created	C:\Windows\{108131A6-154C-42d7-9D92-0AF829B281BF}.exe	{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe
File created	C:\Windows\{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe
File created	C:\Windows\{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe
File created	C:\Windows\{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe
File created	C:\Windows\{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe
File created	C:\Windows\{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe
File created	C:\Windows\{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe
File created	C:\Windows\{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe
File created	C:\Windows\{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe
File created	C:\Windows\{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	412	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe
Token: SeIncBasePriorityPrivilege	1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe
Token: SeIncBasePriorityPrivilege	224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe
Token: SeIncBasePriorityPrivilege	3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe
Token: SeIncBasePriorityPrivilege	3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe
Token: SeIncBasePriorityPrivilege	2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe
Token: SeIncBasePriorityPrivilege	4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe
Token: SeIncBasePriorityPrivilege	3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe
Token: SeIncBasePriorityPrivilege	372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe
Token: SeIncBasePriorityPrivilege	4052	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe
Token: SeIncBasePriorityPrivilege	2024	{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 2612	412	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe	96
PID 412 wrote to memory of 2612	412	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe	96
PID 412 wrote to memory of 2612	412	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe	96
PID 412 wrote to memory of 3980	412	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe	97
PID 412 wrote to memory of 3980	412	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe	97
PID 412 wrote to memory of 3980	412	2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe	97
PID 2612 wrote to memory of 1928	2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe	100
PID 2612 wrote to memory of 1928	2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe	100
PID 2612 wrote to memory of 1928	2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe	100
PID 2612 wrote to memory of 4480	2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe	101
PID 2612 wrote to memory of 4480	2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe	101
PID 2612 wrote to memory of 4480	2612	{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe	101
PID 1928 wrote to memory of 224	1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe	104
PID 1928 wrote to memory of 224	1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe	104
PID 1928 wrote to memory of 224	1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe	104
PID 1928 wrote to memory of 228	1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe	105
PID 1928 wrote to memory of 228	1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe	105
PID 1928 wrote to memory of 228	1928	{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe	105
PID 224 wrote to memory of 3484	224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe	106
PID 224 wrote to memory of 3484	224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe	106
PID 224 wrote to memory of 3484	224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe	106
PID 224 wrote to memory of 4412	224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe	107
PID 224 wrote to memory of 4412	224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe	107
PID 224 wrote to memory of 4412	224	{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe	107
PID 3484 wrote to memory of 3700	3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe	108
PID 3484 wrote to memory of 3700	3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe	108
PID 3484 wrote to memory of 3700	3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe	108
PID 3484 wrote to memory of 5032	3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe	109
PID 3484 wrote to memory of 5032	3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe	109
PID 3484 wrote to memory of 5032	3484	{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe	109
PID 3700 wrote to memory of 2268	3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe	115
PID 3700 wrote to memory of 2268	3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe	115
PID 3700 wrote to memory of 2268	3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe	115
PID 3700 wrote to memory of 1440	3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe	116
PID 3700 wrote to memory of 1440	3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe	116
PID 3700 wrote to memory of 1440	3700	{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe	116
PID 2268 wrote to memory of 4804	2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe	117
PID 2268 wrote to memory of 4804	2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe	117
PID 2268 wrote to memory of 4804	2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe	117
PID 2268 wrote to memory of 4080	2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe	118
PID 2268 wrote to memory of 4080	2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe	118
PID 2268 wrote to memory of 4080	2268	{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe	118
PID 4804 wrote to memory of 3496	4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe	119
PID 4804 wrote to memory of 3496	4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe	119
PID 4804 wrote to memory of 3496	4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe	119
PID 4804 wrote to memory of 1244	4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe	120
PID 4804 wrote to memory of 1244	4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe	120
PID 4804 wrote to memory of 1244	4804	{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe	120
PID 3496 wrote to memory of 372	3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe	125
PID 3496 wrote to memory of 372	3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe	125
PID 3496 wrote to memory of 372	3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe	125
PID 3496 wrote to memory of 4656	3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe	126
PID 3496 wrote to memory of 4656	3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe	126
PID 3496 wrote to memory of 4656	3496	{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe	126
PID 372 wrote to memory of 4052	372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe	127
PID 372 wrote to memory of 4052	372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe	127
PID 372 wrote to memory of 4052	372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe	127
PID 372 wrote to memory of 2036	372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe	128
PID 372 wrote to memory of 2036	372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe	128
PID 372 wrote to memory of 2036	372	{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe	128
PID 4052 wrote to memory of 2024	4052	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe	129
PID 4052 wrote to memory of 2024	4052	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe	129
PID 4052 wrote to memory of 2024	4052	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe	129
PID 4052 wrote to memory of 3808	4052	{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe
  C:\Windows\{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe
    C:\Windows\{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe
      C:\Windows\{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe
        
        C:\Windows\{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe
        
        C:\Windows\{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe
        
        C:\Windows\{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe
        
        C:\Windows\{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe
        
        C:\Windows\{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe
        
        C:\Windows\{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe
        
        C:\Windows\{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe
        
        C:\Windows\{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{108131A6-154C-42d7-9D92-0AF829B281BF}.exe
        
        C:\Windows\{108131A6-154C-42d7-9D92-0AF829B281BF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ABD2~1.EXE > nul
        13⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F52B~1.EXE > nul
        12⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13463~1.EXE > nul
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3643A~1.EXE > nul
        10⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEC39~1.EXE > nul
        9⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2A80~1.EXE > nul
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9489~1.EXE > nul
        7⤵
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{844F3~1.EXE > nul
        6⤵
        
        PID:5032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2013~1.EXE > nul
        5⤵
        
        PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2B27~1.EXE > nul
      4⤵
      PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E7B0~1.EXE > nul
    3⤵
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ABD2DCC-4EBA-43c9-A9FB-EB3FF4EB9789}.exe

Filesize
344KB

MD5
165281c7ca74852bfb2c5d9114f0d73c

SHA1
7a5953b1cc5dfe561694779287e83125191e9c8f

SHA256
619d764956f1dc6fc43254afdde523da41408ee0eeaf52bb7fa358295890d8b2

SHA512
c18ae436e2156fbabfe43065bdf53cbe3d9ebdaf8838fe915ab986a8a91bd52e3ca9fed6b0b2477dcca6cad86b2076ede9a115b3a47552f372972e40d3a107fa

Download Submit
C:\Windows\{0F52B83C-5277-4b95-B490-2A07C7305D63}.exe

Filesize
344KB

MD5
b14358e7c3ab2f95f5fcbf1bc338758c

SHA1
ed09ab1782734a18d4a6c3c0e6e37935aa41320d

SHA256
7b8c77945f082a09e51807ca191a85d7c753bb49fff134674330b6c6eec33e64

SHA512
19b656bbdb0ff5410adddfcc6b3c48d5ca639b78117ab11cae912e2f47df62cbc1397f728f75ef66e69e99b4fd8b60a7eda9e8ac5a353b40bd006a4065240993

Download Submit
C:\Windows\{108131A6-154C-42d7-9D92-0AF829B281BF}.exe

Filesize
344KB

MD5
257b88f0acfb3fb2109a1777c315e9d3

SHA1
5b47562a07fdb4cb19b97f14161681214673e68e

SHA256
4d30653d9bda34871a3e4a273659b5f38ab14b978c5a60ce5c8e283bd6b026cd

SHA512
567415923ccbad80e028a43973aa4f328476f7f352669d16973b1a41381b86f29f8e95265000640405c59e94bd547e556d2d949427b167eea00b7c2a5b094c07

Download Submit
C:\Windows\{13463CD4-721E-4c8d-A665-685CE480A4E6}.exe

Filesize
344KB

MD5
f599227d81f4924fdd5713b118f5a239

SHA1
30b29766570c89fa94d29bbb64ec8e0c888d8891

SHA256
3bc954b0e9366055b7fdbe9ec7fd61828e3a6203e8b72c66bf2efe933e52e0a9

SHA512
ee5d391f649015b51457cf335cdad864dccec4878263357462b7638a16ceb116a9cd890c16decb9f26d0be1f191541ba5baf8c5f60c35e9445258c029f3994d4

Download Submit
C:\Windows\{3643A140-6703-4224-A7C9-FFF0FEB16C33}.exe

Filesize
344KB

MD5
e0fc854097df5138f37b453f06fb4f2a

SHA1
b3762b2429f95b9f5f9587aca79e2d68ace5e223

SHA256
2a2cc02a1f6d28c27478bc5513aff903309db2af4d82e540b3975f5ab0b48019

SHA512
5216fa84ab68d6bdd88a0a9934c7d80b3221ebb48c7923fff937da8b2422d1d08899666ac8ee0fd92afdf24201a4d30822061922d9e504b554e6bdfb5cd6675c

Download Submit
C:\Windows\{6E7B0463-364A-4202-8627-135B54BAD5B5}.exe

Filesize
344KB

MD5
102e3f87baf08c0df4a0ba9962243a83

SHA1
33eeb459b493b8787858f9670feb6ca0770f4637

SHA256
063c39e99623d31b0dc7a66850edb3bc0ef1ba4ed71fcf8be1a091f2bc67f39c

SHA512
7ed8a3971143826ff774b69ca8a58eec62b96e215883c651bef79e9862554d1c5f056566f6e8c95d96e13739a89004cc702f8a8287d43a17b09b26b5b07b3d3d

Download Submit
C:\Windows\{844F3309-F0F6-4ad1-91B5-7D042EFB4647}.exe

Filesize
344KB

MD5
ddd9c1d6ab056b542a7f574dc8323308

SHA1
b344d7d29eaf1c54a1b1e8f7ef074592ccc5721d

SHA256
1a9b7db3a444c035aa4b585ea70da17c6f12eca889d72c8141f8f90982f79afe

SHA512
63a989a0f9da9540bb15ab3ea718bdacf3a9cc259391028ede6dd90db32958cb6d0e2db22711f0726c311ba755f055ae26373d62da2a6652144e6266b7216c99

Download Submit
C:\Windows\{A2A80A82-0FFB-4876-93CF-0D3BC2A4E008}.exe

Filesize
344KB

MD5
ff328c085e35f515b7d13d829bc63235

SHA1
cb97d73d8b0005b42bfd2d3bbe06aa3a61fc6d8c

SHA256
41232dc3d4b487e2d08096dade948105c1078a57a71d84ba9bfe3aca58382e9d

SHA512
554ce31316d5fda66cbe23117180ac0c45eedf75bd143a8e05deb33f07511747d4bfca374c59728124c58530b4afaabc21a18ec354df76221c94d11a2fc76a06

Download Submit
C:\Windows\{BEC39606-324C-4c1a-908B-20AE1D8E801C}.exe

Filesize
344KB

MD5
1e7330f79dc7d24f0a9b744e5a3b5de1

SHA1
3163a9b204653fe3f7e76f4067043fd1784f318b

SHA256
8443d8fea143b7c2832ab8c5084fdb4a40bed7ce14271b12ab4c365297d2c6b5

SHA512
139550aa11e7dd49672e9153656868b7221baf68caa7cb0f6d57a35c43377203bcaf729f276d006bad4f8123a97d84fa1bf51c9b2c556e4575638227f0d387c1

Download Submit
C:\Windows\{D2B27107-9830-43e2-9133-B2C7EF3EE221}.exe

Filesize
344KB

MD5
cc5f72eada293757bc4fec5f5ddce6ba

SHA1
8cc8a8e26ff13d08f85bee224ca92341966f90c7

SHA256
326bff0059d7b15b8d576f1bc3dae22ec7a5c719f2925f7b8d7ae281aeb0c97e

SHA512
0d7ee6ffa2f0f36a8a88b26891212fbb1584a94577d2557d67aec3531ca3cb8a911e1bf9ce5fc3ac5d78b59e961b003b9c1de2fc83977a9e59b86a36f33ddec8

Download Submit
C:\Windows\{E20138D5-112D-4f90-A9B8-DF59CD78A95D}.exe

Filesize
344KB

MD5
e24cd91d433cfe19674605f2c1629188

SHA1
e998ef1a490fbb56ff9057d7c6a255e9c906d7bf

SHA256
e64ecce7c1c403cd62c457dbe58d996cba11152424d2a5173efea303f0833a76

SHA512
664ec0bc935a583b4c97260a33a0bd3a3ec0e884c54bcd66faf117a3d12199b22cb8000e147ad6888bf858055938e8a1b7b3ea95f8d2403acdbe29761e55bfb8

Download Submit
C:\Windows\{E9489AE9-1273-474d-83ED-BE91AB736FD7}.exe

Filesize
344KB

MD5
2e0df66bbc1a5df9f8e35c7f8c1162f0

SHA1
6e312674566e270552281fcac403d5f10e8a1bb6

SHA256
75cecaca3cb1dee514f445f5aac26da82d25bc2d485b0a990def9565cdd89ee3

SHA512
b61bcaa954598eeac12bec43c9ffe1252b00f0c3079c65b3dbae2db5e28d5d0c65266ed51b27e76a4077a19a67cdce31d5880e65bf4b4840711e844a74f6ae75

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads