01fcea5489992c4fbd5ce582a75c770a1955eeea4ea3a0466dbb60c6e069a21a

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 09:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe
Size

408KB
MD5

cc38d2ea6822349aa99ba0fc5bf6d4a6
SHA1

76a1cf47667787b6d4d987add198a9b96f1ea016
SHA256

01fcea5489992c4fbd5ce582a75c770a1955eeea4ea3a0466dbb60c6e069a21a
SHA512

b7796d60322ccd6362ac71d6715866078212754a6c64b56343af3f6a9bc09ec782e19160f61ac2840a4b058346f49bc595739a4d8419ef1712b68fa9affbc64b
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0013000000023a19-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b91-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b95-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b98-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba4-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b98-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023ba4-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b98-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023ba4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b98-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023ba4-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023b98-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F640AA59-22C8-4e73-A19B-A7482537F86B}	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}	{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EEDE1BE-841B-4018-A8AC-9120906EF880}	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27429396-95DD-41a5-A2EF-46EA563DE717}	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9CED770-17D7-4327-9113-BE60C80291FB}\stubpath = "C:\\Windows\\{E9CED770-17D7-4327-9113-BE60C80291FB}.exe"	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD5607C-4993-444e-AC32-03EBE3C90567}	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}\stubpath = "C:\\Windows\\{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe"	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{698D7389-A034-4bdf-99A6-523316A2AEAE}\stubpath = "C:\\Windows\\{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe"	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}\stubpath = "C:\\Windows\\{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}.exe"	{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27429396-95DD-41a5-A2EF-46EA563DE717}\stubpath = "C:\\Windows\\{27429396-95DD-41a5-A2EF-46EA563DE717}.exe"	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD5607C-4993-444e-AC32-03EBE3C90567}\stubpath = "C:\\Windows\\{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe"	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D413145-FBA2-45ec-96E6-6900E5E1769D}	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D7599EF-766B-4065-9EA5-92B34F2A61D5}	{30E23835-3592-4073-B5B3-786865C69369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D7599EF-766B-4065-9EA5-92B34F2A61D5}\stubpath = "C:\\Windows\\{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe"	{30E23835-3592-4073-B5B3-786865C69369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EEDE1BE-841B-4018-A8AC-9120906EF880}\stubpath = "C:\\Windows\\{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe"	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50B476AB-CE9D-445a-A03D-C575B83A3C61}\stubpath = "C:\\Windows\\{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe"	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{698D7389-A034-4bdf-99A6-523316A2AEAE}	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E23835-3592-4073-B5B3-786865C69369}	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E23835-3592-4073-B5B3-786865C69369}\stubpath = "C:\\Windows\\{30E23835-3592-4073-B5B3-786865C69369}.exe"	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F640AA59-22C8-4e73-A19B-A7482537F86B}\stubpath = "C:\\Windows\\{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe"	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50B476AB-CE9D-445a-A03D-C575B83A3C61}	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9CED770-17D7-4327-9113-BE60C80291FB}	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D413145-FBA2-45ec-96E6-6900E5E1769D}\stubpath = "C:\\Windows\\{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe"	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe

Executes dropped EXE 12 IoCs

pid	Process
3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe
3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe
4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe
3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe
4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe
4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe
5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe
1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe
3840	{30E23835-3592-4073-B5B3-786865C69369}.exe
2968	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe
1200	{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe
4032	{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe	{30E23835-3592-4073-B5B3-786865C69369}.exe
File created	C:\Windows\{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe
File created	C:\Windows\{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}.exe	{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe
File created	C:\Windows\{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe
File created	C:\Windows\{27429396-95DD-41a5-A2EF-46EA563DE717}.exe	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe
File created	C:\Windows\{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe
File created	C:\Windows\{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe
File created	C:\Windows\{30E23835-3592-4073-B5B3-786865C69369}.exe	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe
File created	C:\Windows\{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe
File created	C:\Windows\{E9CED770-17D7-4327-9113-BE60C80291FB}.exe	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe
File created	C:\Windows\{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe
File created	C:\Windows\{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1360	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe
Token: SeIncBasePriorityPrivilege	3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe
Token: SeIncBasePriorityPrivilege	4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe
Token: SeIncBasePriorityPrivilege	3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe
Token: SeIncBasePriorityPrivilege	4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe
Token: SeIncBasePriorityPrivilege	4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe
Token: SeIncBasePriorityPrivilege	5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe
Token: SeIncBasePriorityPrivilege	1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe
Token: SeIncBasePriorityPrivilege	3840	{30E23835-3592-4073-B5B3-786865C69369}.exe
Token: SeIncBasePriorityPrivilege	2968	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe
Token: SeIncBasePriorityPrivilege	1200	{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 3148	1360	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe	86
PID 1360 wrote to memory of 3148	1360	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe	86
PID 1360 wrote to memory of 3148	1360	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe	86
PID 1360 wrote to memory of 2592	1360	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe	87
PID 1360 wrote to memory of 2592	1360	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe	87
PID 1360 wrote to memory of 2592	1360	2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe	87
PID 3148 wrote to memory of 3368	3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe	88
PID 3148 wrote to memory of 3368	3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe	88
PID 3148 wrote to memory of 3368	3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe	88
PID 3148 wrote to memory of 3024	3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe	89
PID 3148 wrote to memory of 3024	3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe	89
PID 3148 wrote to memory of 3024	3148	{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe	89
PID 3368 wrote to memory of 4652	3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe	92
PID 3368 wrote to memory of 4652	3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe	92
PID 3368 wrote to memory of 4652	3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe	92
PID 3368 wrote to memory of 4860	3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe	93
PID 3368 wrote to memory of 4860	3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe	93
PID 3368 wrote to memory of 4860	3368	{27429396-95DD-41a5-A2EF-46EA563DE717}.exe	93
PID 4652 wrote to memory of 3984	4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe	98
PID 4652 wrote to memory of 3984	4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe	98
PID 4652 wrote to memory of 3984	4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe	98
PID 4652 wrote to memory of 3192	4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe	99
PID 4652 wrote to memory of 3192	4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe	99
PID 4652 wrote to memory of 3192	4652	{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe	99
PID 3984 wrote to memory of 4340	3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe	101
PID 3984 wrote to memory of 4340	3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe	101
PID 3984 wrote to memory of 4340	3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe	101
PID 3984 wrote to memory of 2520	3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe	102
PID 3984 wrote to memory of 2520	3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe	102
PID 3984 wrote to memory of 2520	3984	{E9CED770-17D7-4327-9113-BE60C80291FB}.exe	102
PID 4340 wrote to memory of 4276	4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe	105
PID 4340 wrote to memory of 4276	4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe	105
PID 4340 wrote to memory of 4276	4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe	105
PID 4340 wrote to memory of 4336	4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe	106
PID 4340 wrote to memory of 4336	4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe	106
PID 4340 wrote to memory of 4336	4340	{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe	106
PID 4276 wrote to memory of 5116	4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe	107
PID 4276 wrote to memory of 5116	4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe	107
PID 4276 wrote to memory of 5116	4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe	107
PID 4276 wrote to memory of 4460	4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe	108
PID 4276 wrote to memory of 4460	4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe	108
PID 4276 wrote to memory of 4460	4276	{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe	108
PID 5116 wrote to memory of 1508	5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe	109
PID 5116 wrote to memory of 1508	5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe	109
PID 5116 wrote to memory of 1508	5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe	109
PID 5116 wrote to memory of 4868	5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe	110
PID 5116 wrote to memory of 4868	5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe	110
PID 5116 wrote to memory of 4868	5116	{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe	110
PID 1508 wrote to memory of 3840	1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe	111
PID 1508 wrote to memory of 3840	1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe	111
PID 1508 wrote to memory of 3840	1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe	111
PID 1508 wrote to memory of 3212	1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe	112
PID 1508 wrote to memory of 3212	1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe	112
PID 1508 wrote to memory of 3212	1508	{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe	112
PID 3840 wrote to memory of 2968	3840	{30E23835-3592-4073-B5B3-786865C69369}.exe	113
PID 3840 wrote to memory of 2968	3840	{30E23835-3592-4073-B5B3-786865C69369}.exe	113
PID 3840 wrote to memory of 2968	3840	{30E23835-3592-4073-B5B3-786865C69369}.exe	113
PID 3840 wrote to memory of 3568	3840	{30E23835-3592-4073-B5B3-786865C69369}.exe	114
PID 3840 wrote to memory of 3568	3840	{30E23835-3592-4073-B5B3-786865C69369}.exe	114
PID 3840 wrote to memory of 3568	3840	{30E23835-3592-4073-B5B3-786865C69369}.exe	114
PID 2968 wrote to memory of 1200	2968	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe	115
PID 2968 wrote to memory of 1200	2968	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe	115
PID 2968 wrote to memory of 1200	2968	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe	115
PID 2968 wrote to memory of 4712	2968	{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_cc38d2ea6822349aa99ba0fc5bf6d4a6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe
  C:\Windows\{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\{27429396-95DD-41a5-A2EF-46EA563DE717}.exe
    C:\Windows\{27429396-95DD-41a5-A2EF-46EA563DE717}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe
      C:\Windows\{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\{E9CED770-17D7-4327-9113-BE60C80291FB}.exe
        
        C:\Windows\{E9CED770-17D7-4327-9113-BE60C80291FB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Windows\{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe
        
        C:\Windows\{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe
        
        C:\Windows\{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe
        
        C:\Windows\{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe
        
        C:\Windows\{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{30E23835-3592-4073-B5B3-786865C69369}.exe
        
        C:\Windows\{30E23835-3592-4073-B5B3-786865C69369}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe
        
        C:\Windows\{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe
        
        C:\Windows\{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}.exe
        
        C:\Windows\{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}.exe
        13⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F640A~1.EXE > nul
        13⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D759~1.EXE > nul
        12⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30E23~1.EXE > nul
        11⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{698D7~1.EXE > nul
        10⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CAFB~1.EXE > nul
        9⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D413~1.EXE > nul
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CD56~1.EXE > nul
        7⤵
        
        PID:4336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9CED~1.EXE > nul
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50B47~1.EXE > nul
        5⤵
        
        PID:3192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27429~1.EXE > nul
      4⤵
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4EEDE~1.EXE > nul
    3⤵
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CD5607C-4993-444e-AC32-03EBE3C90567}.exe

Filesize
408KB

MD5
f178475fad608cdf808b3ad4ad2f8b6b

SHA1
247c3604b5fa0a6ecd242707d33cd1ab901f0b37

SHA256
141a0dc0a52fcb1cf82b08db21baaf1bfd6a7b2494754fb4bd7e9d93c426516e

SHA512
143d6a57fa732d26b84d49eb8612fc2eeac6ed9205ee7d28963e31e5fe70a892bc69cc7dc0f8e2890ae48324b332454808a525fbc07b27d7a208cd45afc4cf05

Download Submit
C:\Windows\{25D5EDAE-3EBD-448c-AEDE-784A1D7804C0}.exe

Filesize
408KB

MD5
b46a81c3b15953130c9bdf9f90523320

SHA1
18a39ede044598ce4b6e2114af88050b1871a723

SHA256
cf8abd181d89d32505f7b89ff8f09054bc85f0f0d77bb45c1220758f9e1abb29

SHA512
7c2e3bd099d408dc4b7410141e011e37a665649634ae0bc002819fc394fd72a93b6e04534ebf246bc522b9e52d591912f155f2c2080ef25ae57ed73a5c8ec026

Download Submit
C:\Windows\{27429396-95DD-41a5-A2EF-46EA563DE717}.exe

Filesize
408KB

MD5
cd3ab00de39f3dacb731926ec9e74c01

SHA1
1e32e2b9420d9b7e076b408776aa1c0d1e39b6a2

SHA256
c8a43801b81f0d734ade1c339c025567014faf3431ab24022cdb05cc60c73c7d

SHA512
d7f20ad60472959798f4b440b2b6b25300a454330536c339094d0c4325a9582fae250a09317897bd11d6ee8687f01def04d7ac2241b3c3686f0414ebd146d616

Download Submit
C:\Windows\{30E23835-3592-4073-B5B3-786865C69369}.exe

Filesize
408KB

MD5
2787261e3f4c322c9a8fb14782c3dce1

SHA1
92bb26b046aa8c356b30e003e83e0e2c7f369f76

SHA256
4dad3f1e54c6ab79bf68bfcbd51c9c58f4eb9ab813eda068b68128cf9951bfc6

SHA512
a9f3bd77424fcfa9111e4a89732efd5599b5bfdbfb21cd11edfd288aa8f07ec6dc41dea9aba6ba7b01db5bdbe4d123311d44bff0e8a6fed49e54727af2e186b0

Download Submit
C:\Windows\{4D7599EF-766B-4065-9EA5-92B34F2A61D5}.exe

Filesize
408KB

MD5
f38f3e2a6034146ec83e445656741d85

SHA1
c63af609a00b25a8a5c1448421de8241eea05e19

SHA256
26643476efa0f8cb824f0478bd6e0b361d63ea5b45a3e6e6378a002b395b2430

SHA512
05ed62d2c876b8571bf080d06d4d7e62b1538213368b0f2ce8b09fa9d8a2a3e4865bb4a8a3441c948c188593263737f0ad42639a87280042669affcd5ed3772a

Download Submit
C:\Windows\{4EEDE1BE-841B-4018-A8AC-9120906EF880}.exe

Filesize
408KB

MD5
670f7298103ba5abd801717ad5e3b046

SHA1
d11d2ff2d4e519c7f47eb10a21c48778f6688017

SHA256
485fe38d691af2266b82fa0e05b0a3c18fca29c8974145e2c7423113379a7c9c

SHA512
72114c51b7f31440e8f8046f43398e2e4916a42d17bfa01ce4ba482bb4510dce973f09c34e4656239b57d25227b896b4381fd8a71c7394143366388fe35bfa2a

Download Submit
C:\Windows\{50B476AB-CE9D-445a-A03D-C575B83A3C61}.exe

Filesize
408KB

MD5
bbb240d5836f13431bae53ec0ecba686

SHA1
c7564593009bad2c222eb11ba06db4ba50d44509

SHA256
b17144409ad400db21be554324023341fd4adfe1e4c691caccd9c9a052db2c1e

SHA512
08eac4acb8d9eac78165a2c66a546af336fe87e83bc040e2a444ccc9866bf49c89481bd9fcfa1ad395bcc936972259196401438a063fabeeb748fdb5b72b3773

Download Submit
C:\Windows\{698D7389-A034-4bdf-99A6-523316A2AEAE}.exe

Filesize
408KB

MD5
45124c2477b472526479d2150b8ff923

SHA1
c5525300c7d2c7a244a65125d9a721cb63614f7c

SHA256
b003395f66e1f6987460dd28b9be3efb629c96d7e64fc69d9d81be6f14c14cb0

SHA512
4bfb59aab6356725bd265eed752beea5087ba311bcce28589e0d32c769d8492a6e3d203492cae22c0cf4f1cae745bf13c37553c7ebd0ec40b5dc2190209b1b26

Download Submit
C:\Windows\{6D413145-FBA2-45ec-96E6-6900E5E1769D}.exe

Filesize
408KB

MD5
cf5f415cabdc9a13038793e929d6b4e6

SHA1
49a255de1f3bb407169f0d4a6abf5a7f5309dbba

SHA256
0246dd37ec76168115a8cb5381ca89c4a8827b0e793166f84ccb78fbed445bce

SHA512
81b9be06c303b793711b35e18a444a55ae5e5dac0c872b50a52a98ee58f68ed1005ec9af723dc92ffeeda36ba0b4f52c0e1a3c116e8843923b5ca15507fe3a3d

Download Submit
C:\Windows\{7CAFBF8A-6B35-472d-8A29-F2E4C1089DBB}.exe

Filesize
408KB

MD5
96c8f4ca2f0cf8265b798139d9723ccb

SHA1
600d71a1ac22bc33b6ebaae9386d57a87d17dbba

SHA256
fe082a5fe1aab64b620e077f94789a21362b322b0611f24f88502b13b38605dc

SHA512
c06412b3413a7a14da3b683915c9617b9f64ba42d56ca3fa2ee019ab260488eeffa034255421418336377c3658bf24b64262da92a186e9b557b97abe0c9e9f1d

Download Submit
C:\Windows\{E9CED770-17D7-4327-9113-BE60C80291FB}.exe

Filesize
408KB

MD5
68c8f0088d601b4ca71790226a1c9c1c

SHA1
bcab34d5becb82d69551481adf39c2d6eedb9e68

SHA256
add7d869f758f59fe4da3c2c1d3dcd4337e13152ba7beb18b4cc2452f18b4f76

SHA512
aa1d060d6854c6221c4e4b6e583ec0010e6dcee9c18eda9d5bddfe2ffa7359063fb9c59b0c8e96d0cdd5827e0c63fa0624299abdf04b1db04fe22db322d6844d

Download Submit
C:\Windows\{F640AA59-22C8-4e73-A19B-A7482537F86B}.exe

Filesize
408KB

MD5
0da50b098caa0709a77b8f87fe64bb30

SHA1
947f396f79f5c81b3f3f21a6e159154e5736b530

SHA256
d0c87a71b5428837ac65da829ee346c9d7457b81e2c883b4f27534bec8f0aec1

SHA512
886d4da9ca3ec12dc1bcd111a2b2e2213dd2f4591b35e3eb2bf4d258503ec3036058db6351324d5fc988c155237d6c37a95e95154a2b2816fffe3c7b8bde4e63

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads