741d927827b98dd4258526f5103da3072c4b2d7a9945932ca77ede8a64cfd2e2

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Size

344KB
MD5

a0e982a24f42f9348842bd7685b4430d
SHA1

f1596901d7bcfc508d005d2cd3bd472d5065393a
SHA256

741d927827b98dd4258526f5103da3072c4b2d7a9945932ca77ede8a64cfd2e2
SHA512

16356426862bd047f2fd029a14bcb45ef7ecf0aa51338bb1871a3559480e516725b3aaf14ed10ebee7103ff56ec725ad3894406eb79fe543d954f097fc245b1e
SSDEEP

3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG+lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ba5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b99-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e732-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b99-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e732-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023a11-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e732-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bc6-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e732-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023a15-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bb7-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023a15-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD2B8B85-E755-4312-B03C-1773D65C7410}	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}\stubpath = "C:\\Windows\\{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe"	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}\stubpath = "C:\\Windows\\{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe"	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D868A5-2F82-4071-B59C-174196E66A92}\stubpath = "C:\\Windows\\{97D868A5-2F82-4071-B59C-174196E66A92}.exe"	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F51C13B5-1641-4d77-AA97-0C1C52DB6566}\stubpath = "C:\\Windows\\{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe"	{97D868A5-2F82-4071-B59C-174196E66A92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}\stubpath = "C:\\Windows\\{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}.exe"	{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A566261-C28A-45d1-9210-D818198DCA3B}\stubpath = "C:\\Windows\\{0A566261-C28A-45d1-9210-D818198DCA3B}.exe"	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C258E8-B4FF-48da-A9C2-C5185DA17A95}	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D868A5-2F82-4071-B59C-174196E66A92}	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}	{7136E612-500F-489b-A212-440C05949F7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7136E612-500F-489b-A212-440C05949F7A}	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C40EC0B-2B63-4f78-9BB3-399324048123}\stubpath = "C:\\Windows\\{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe"	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C7A886B-48DA-4421-9075-507A8EE166DA}	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C7A886B-48DA-4421-9075-507A8EE166DA}\stubpath = "C:\\Windows\\{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe"	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A566261-C28A-45d1-9210-D818198DCA3B}	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD2B8B85-E755-4312-B03C-1773D65C7410}\stubpath = "C:\\Windows\\{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe"	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C258E8-B4FF-48da-A9C2-C5185DA17A95}\stubpath = "C:\\Windows\\{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe"	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F51C13B5-1641-4d77-AA97-0C1C52DB6566}	{97D868A5-2F82-4071-B59C-174196E66A92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7136E612-500F-489b-A212-440C05949F7A}\stubpath = "C:\\Windows\\{7136E612-500F-489b-A212-440C05949F7A}.exe"	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}	{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C40EC0B-2B63-4f78-9BB3-399324048123}	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}\stubpath = "C:\\Windows\\{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe"	{7136E612-500F-489b-A212-440C05949F7A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe
4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe
4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe
3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe
5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe
3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe
4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe
3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe
4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe
2024	{7136E612-500F-489b-A212-440C05949F7A}.exe
1284	{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe
1760	{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
File created	C:\Windows\{0A566261-C28A-45d1-9210-D818198DCA3B}.exe	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe
File created	C:\Windows\{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe
File created	C:\Windows\{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe
File created	C:\Windows\{97D868A5-2F82-4071-B59C-174196E66A92}.exe	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe
File created	C:\Windows\{7136E612-500F-489b-A212-440C05949F7A}.exe	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe
File created	C:\Windows\{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}.exe	{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe
File created	C:\Windows\{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe
File created	C:\Windows\{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe
File created	C:\Windows\{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe
File created	C:\Windows\{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe	{97D868A5-2F82-4071-B59C-174196E66A92}.exe
File created	C:\Windows\{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe	{7136E612-500F-489b-A212-440C05949F7A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1760	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe
Token: SeIncBasePriorityPrivilege	4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe
Token: SeIncBasePriorityPrivilege	4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe
Token: SeIncBasePriorityPrivilege	3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe
Token: SeIncBasePriorityPrivilege	5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe
Token: SeIncBasePriorityPrivilege	3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe
Token: SeIncBasePriorityPrivilege	4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe
Token: SeIncBasePriorityPrivilege	3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe
Token: SeIncBasePriorityPrivilege	4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe
Token: SeIncBasePriorityPrivilege	2024	{7136E612-500F-489b-A212-440C05949F7A}.exe
Token: SeIncBasePriorityPrivilege	1284	{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 4524	1760	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	95
PID 1760 wrote to memory of 4524	1760	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	95
PID 1760 wrote to memory of 4524	1760	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	95
PID 1760 wrote to memory of 2672	1760	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	96
PID 1760 wrote to memory of 2672	1760	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	96
PID 1760 wrote to memory of 2672	1760	2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe	96
PID 4524 wrote to memory of 4812	4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe	97
PID 4524 wrote to memory of 4812	4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe	97
PID 4524 wrote to memory of 4812	4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe	97
PID 4524 wrote to memory of 1732	4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe	98
PID 4524 wrote to memory of 1732	4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe	98
PID 4524 wrote to memory of 1732	4524	{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe	98
PID 4812 wrote to memory of 4152	4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe	101
PID 4812 wrote to memory of 4152	4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe	101
PID 4812 wrote to memory of 4152	4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe	101
PID 4812 wrote to memory of 3204	4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe	102
PID 4812 wrote to memory of 3204	4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe	102
PID 4812 wrote to memory of 3204	4812	{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe	102
PID 4152 wrote to memory of 3552	4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe	103
PID 4152 wrote to memory of 3552	4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe	103
PID 4152 wrote to memory of 3552	4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe	103
PID 4152 wrote to memory of 3088	4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe	104
PID 4152 wrote to memory of 3088	4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe	104
PID 4152 wrote to memory of 3088	4152	{0A566261-C28A-45d1-9210-D818198DCA3B}.exe	104
PID 3552 wrote to memory of 5040	3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe	105
PID 3552 wrote to memory of 5040	3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe	105
PID 3552 wrote to memory of 5040	3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe	105
PID 3552 wrote to memory of 3132	3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe	106
PID 3552 wrote to memory of 3132	3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe	106
PID 3552 wrote to memory of 3132	3552	{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe	106
PID 5040 wrote to memory of 3432	5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe	111
PID 5040 wrote to memory of 3432	5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe	111
PID 5040 wrote to memory of 3432	5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe	111
PID 5040 wrote to memory of 3076	5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe	112
PID 5040 wrote to memory of 3076	5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe	112
PID 5040 wrote to memory of 3076	5040	{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe	112
PID 3432 wrote to memory of 4876	3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe	113
PID 3432 wrote to memory of 4876	3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe	113
PID 3432 wrote to memory of 4876	3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe	113
PID 3432 wrote to memory of 2896	3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe	114
PID 3432 wrote to memory of 2896	3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe	114
PID 3432 wrote to memory of 2896	3432	{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe	114
PID 4876 wrote to memory of 3952	4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe	119
PID 4876 wrote to memory of 3952	4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe	119
PID 4876 wrote to memory of 3952	4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe	119
PID 4876 wrote to memory of 3064	4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe	120
PID 4876 wrote to memory of 3064	4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe	120
PID 4876 wrote to memory of 3064	4876	{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe	120
PID 3952 wrote to memory of 4808	3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe	124
PID 3952 wrote to memory of 4808	3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe	124
PID 3952 wrote to memory of 4808	3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe	124
PID 3952 wrote to memory of 1524	3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe	125
PID 3952 wrote to memory of 1524	3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe	125
PID 3952 wrote to memory of 1524	3952	{97D868A5-2F82-4071-B59C-174196E66A92}.exe	125
PID 4808 wrote to memory of 2024	4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe	126
PID 4808 wrote to memory of 2024	4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe	126
PID 4808 wrote to memory of 2024	4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe	126
PID 4808 wrote to memory of 2304	4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe	127
PID 4808 wrote to memory of 2304	4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe	127
PID 4808 wrote to memory of 2304	4808	{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe	127
PID 2024 wrote to memory of 1284	2024	{7136E612-500F-489b-A212-440C05949F7A}.exe	131
PID 2024 wrote to memory of 1284	2024	{7136E612-500F-489b-A212-440C05949F7A}.exe	131
PID 2024 wrote to memory of 1284	2024	{7136E612-500F-489b-A212-440C05949F7A}.exe	131
PID 2024 wrote to memory of 2884	2024	{7136E612-500F-489b-A212-440C05949F7A}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-08_a0e982a24f42f9348842bd7685b4430d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe
  C:\Windows\{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe
    C:\Windows\{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\{0A566261-C28A-45d1-9210-D818198DCA3B}.exe
      C:\Windows\{0A566261-C28A-45d1-9210-D818198DCA3B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Windows\{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe
        
        C:\Windows\{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
      - C:\Windows\{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe
        
        C:\Windows\{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe
        
        C:\Windows\{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe
        
        C:\Windows\{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{97D868A5-2F82-4071-B59C-174196E66A92}.exe
        
        C:\Windows\{97D868A5-2F82-4071-B59C-174196E66A92}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe
        
        C:\Windows\{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\{7136E612-500F-489b-A212-440C05949F7A}.exe
        
        C:\Windows\{7136E612-500F-489b-A212-440C05949F7A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe
        
        C:\Windows\{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}.exe
        
        C:\Windows\{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0574E~1.EXE > nul
        13⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7136E~1.EXE > nul
        12⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F51C1~1.EXE > nul
        11⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97D86~1.EXE > nul
        10⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F117~1.EXE > nul
        9⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84C25~1.EXE > nul
        8⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{845D8~1.EXE > nul
        7⤵
        
        PID:3076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD2B8~1.EXE > nul
        6⤵
        
        PID:3132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A566~1.EXE > nul
        5⤵
        
        PID:3088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2C7A8~1.EXE > nul
      4⤵
      PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C40E~1.EXE > nul
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0574ED5B-0C02-49c1-A2EB-90D42BBCBA30}.exe

Filesize
344KB

MD5
68bff70ff63879f1b298bc3bb796789c

SHA1
6d854979a877ba554716d659e7db344f408f1a0e

SHA256
a868b77636d1d504c48926f10ea10addeeb3601241e25219d27fe0e29a671496

SHA512
9a72b8e57a3228084736ac7873103d4979ff28d33bda70fe64edb63547c07da58b9359c1b6064db22407867e3e996966ce17a6f332f34e8d1efb691788abb92b

Download Submit
C:\Windows\{0A566261-C28A-45d1-9210-D818198DCA3B}.exe

Filesize
344KB

MD5
1f33d4403ffd6a6ea7478922ba1320ee

SHA1
79c4252bb11a285335a0c317d26422331fd21b5b

SHA256
b79c20ca2e10792c7b0677ffa5ba7f45bf3a0a755ec00f9296c711e8c4a4660b

SHA512
2b67c7e592d34f3f48e09c73656958b8463ce8bd80ab07a2f9e863d43c0ae6e908d85749f13c0a7a9620f3c4a141f28065c1cf9ec46def26095320abb9ef8119

Download Submit
C:\Windows\{1A4EA923-B0AA-42b4-9770-23BF8CE01AF1}.exe

Filesize
344KB

MD5
9d6af41f2643f08288d7b46caa0628a6

SHA1
006438c6ce434011c23b27ffde415a5ab1a57952

SHA256
1ab74997ebb3a34e0533c83aaa6c176a9168ad5b2877d234d01a0496e8acc4b6

SHA512
58fcdcf3a533fb8fe1643d2120b337f19bebcbf3d071ac08da1c8e725790a4ed74ea48c705f6dbc1584fe539cff1f0b2e2ca44341c50e93bfe4ff45332482d69

Download Submit
C:\Windows\{2C7A886B-48DA-4421-9075-507A8EE166DA}.exe

Filesize
344KB

MD5
8cf7fe879d1cf015f5b97bc5e8b3f7e5

SHA1
8ecf32742aa38a9b30f96c3dc95818f56ebe2e02

SHA256
8cd08cdd7d8e0d765a18e2d3f4411983b456e3a9ab36a06840ee15409426159f

SHA512
5b038d73faf1837542070c60306d53d2210b182265384532360d917e363d16821e46204637848ecf8ee6cd8f0615b262990c4826e32ff01ee215469d8287b121

Download Submit
C:\Windows\{7136E612-500F-489b-A212-440C05949F7A}.exe

Filesize
344KB

MD5
c4062eee3313b6156c7ba23c4c3889a6

SHA1
b9058eec320bc8ad145f256aca51f20db34aa8f9

SHA256
ce9e5413c2bbe9bf21bb13ffca3b945a652b3024d29dacd1ad412cfbbd445d4b

SHA512
89e5cbc1fc6690389c1d8fb2d7fe81c41b944812b715527ed486fa8d66d21e9aba0a5ee5a537c7846571bc34210b9d642a347df470ab988dc97280362ff868d1

Download Submit
C:\Windows\{845D86A3-DE7F-4d3a-8895-DCE092A4E4B4}.exe

Filesize
344KB

MD5
8844759d38d0f3b60301a132eb9bd12a

SHA1
f15e0f27d3d86ad1adafb31b433dc18c55ebc0c1

SHA256
7cfa0aeb59bb08a68cb372acdfca6ef5460b7c76c34c672ec2e4cde98180bba4

SHA512
ce00d95b4d35cd7cf5698a161a798e3e0a449b0898a8281d99b6b883365a4fffbd6ccbe053317b6093c71b2f026652e9c739a868697b0b5d5810a4b9992dc8c0

Download Submit
C:\Windows\{84C258E8-B4FF-48da-A9C2-C5185DA17A95}.exe

Filesize
344KB

MD5
28d4eb48c062f73656ad243009925c8b

SHA1
6c2b7e87bdf5fa71b1a6de9fec929880b9f640fe

SHA256
2529c1c0845142bbf2fb7f893f9b0ff01564bad996067fb4a95820f46d0d4c39

SHA512
3bd7f955389c3f2c51d25646276904219e0c343eeb7fad37b357b375453a1d9ec8f32241ae7d80b93b379e1f65ddefe4b5a78a5584b6408df3b43dff72d80253

Download Submit
C:\Windows\{8C40EC0B-2B63-4f78-9BB3-399324048123}.exe

Filesize
344KB

MD5
255ef12ca7b339e94b4f1d607e000e29

SHA1
8321607adbeaf47201dbef710f423cb638b6d194

SHA256
e8ee8e4e6cd68a7c38eab25fac89c496e286da7d38aa1f726d002e50c70b5ff2

SHA512
645188673ab60dfea5d0019e113ec67bf147d8e297fcc6707b1458d6ddb91b6d698a4c68f1b1a43ed4b61c1ed24a0dd2e7722cf90483344725b25543593454e1

Download Submit
C:\Windows\{8F117EB0-529F-44ac-ADA8-66AFDC1E0FFD}.exe

Filesize
344KB

MD5
90847c0958e3c5d9e66291b433670a31

SHA1
1e78adaa8238a76a50e01c8889930bd89032745a

SHA256
fae571b1ac28b6bb4788e1a82865e7f87d9aec06d9f7941c9d68c119595353c7

SHA512
81919b79e2db6c9b9941573b025370803dcbf2707e6a6304391355a585019d26f94c8e8f306e0d189881079d167b40e8bc83fe6d46edffb285c94ff9446a0b24

Download Submit
C:\Windows\{97D868A5-2F82-4071-B59C-174196E66A92}.exe

Filesize
344KB

MD5
baacec0679c90501ef07601519cbe43b

SHA1
0a45774ab4b0341c696223bad5a779f1bd7d53c3

SHA256
8f070b815b30173948dc18e424d083ab3bfb93e97397c433b821cd9eb1b8e755

SHA512
016cb04dedc7f9a7997dc395398fcacfd25bde35421ed39e564eca9d96337532ec6756e5f757eb76376c5de7cd363975dacb56a636d0d9bb3cfe26c4d9bec072

Download Submit
C:\Windows\{F51C13B5-1641-4d77-AA97-0C1C52DB6566}.exe

Filesize
344KB

MD5
5b67f4d96d609287b1eee81628248f15

SHA1
98ec3000bea6c0e2066e6b49cfafc10a3d723832

SHA256
40ce518c6b00c9c785458d7e39908dda1bd3bcca7248a82c38c11b12480d78c4

SHA512
ae24c201cf4e3effe390924bd10246c557531f9b400578de4b644a3062a79ce979877fa25fd3c3b6bc942cb2449bd511f0680ba9d4658bf7a1f0ee15481fbf97

Download Submit
C:\Windows\{FD2B8B85-E755-4312-B03C-1773D65C7410}.exe

Filesize
344KB

MD5
233c377172a5b8ec55aa3b7d78bdbc79

SHA1
1048f2938146eebf09c00ed51f52f91c5cab397f

SHA256
6e3b98525e5a7d751d0b028185b6ca5843ab187dfee7e55b6f4ca8b38e6fd53e

SHA512
68d61e6593f2745b6861235c9bd9ccba7f6e7da45707c4788f2b45f12799ec2d764201dadf04f1cd7dfe480326dfef07a9b2184ff3c672c96fa83ae35c119881

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads