bd27facfca9f9b328efd33e2a687520fd230a5a755b61344a0b99565cc05cba1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 05:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe
Size

180KB
MD5

ce94c026b05cdbad44e704de161fc423
SHA1

8d41e30541841e7a2da29fc70fc96937d1ed5235
SHA256

bd27facfca9f9b328efd33e2a687520fd230a5a755b61344a0b99565cc05cba1
SHA512

b8f62e61426aa499fd547fd0636697ea2c300d9187268af8f43617c5db5e74830957ef760a12c04c022f0146ff991e3e672cfd8aa0c01438a5d4075f11a2bb50
SSDEEP

3072:jEGh0oqwlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGxl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000900000002339c-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002339d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023395-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002339d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023395-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002339d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023395-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023430-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023395-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023430-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023396-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023430-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8153867-1375-4dd5-9974-E648298C8137}	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8153867-1375-4dd5-9974-E648298C8137}\stubpath = "C:\\Windows\\{B8153867-1375-4dd5-9974-E648298C8137}.exe"	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}	{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}\stubpath = "C:\\Windows\\{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}.exe"	{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E16135-B627-4a5c-A3E4-1246A2374F54}	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE79910-E255-4a1b-9015-D6A44FDB0068}	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE79910-E255-4a1b-9015-D6A44FDB0068}\stubpath = "C:\\Windows\\{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe"	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B25F261-25EE-46a8-8A1E-1522B2233385}	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B25F261-25EE-46a8-8A1E-1522B2233385}\stubpath = "C:\\Windows\\{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe"	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E16135-B627-4a5c-A3E4-1246A2374F54}\stubpath = "C:\\Windows\\{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe"	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56495B58-D8BB-44ae-8BDF-3367CE458A32}\stubpath = "C:\\Windows\\{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe"	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22AA11BA-D9B3-4085-A473-35A9CB6EF566}\stubpath = "C:\\Windows\\{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe"	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}\stubpath = "C:\\Windows\\{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe"	{B8153867-1375-4dd5-9974-E648298C8137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53885FB8-6F38-4927-A580-6434068DF6FC}	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53885FB8-6F38-4927-A580-6434068DF6FC}\stubpath = "C:\\Windows\\{53885FB8-6F38-4927-A580-6434068DF6FC}.exe"	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56495B58-D8BB-44ae-8BDF-3367CE458A32}	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}	{B8153867-1375-4dd5-9974-E648298C8137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}\stubpath = "C:\\Windows\\{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe"	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}\stubpath = "C:\\Windows\\{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe"	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}\stubpath = "C:\\Windows\\{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe"	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22AA11BA-D9B3-4085-A473-35A9CB6EF566}	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe

Executes dropped EXE 12 IoCs

pid	Process
3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe
1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe
1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe
2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe
1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe
2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe
1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe
1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe
2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe
312	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe
3192	{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe
5012	{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe
File created	C:\Windows\{B8153867-1375-4dd5-9974-E648298C8137}.exe	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe
File created	C:\Windows\{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe	{B8153867-1375-4dd5-9974-E648298C8137}.exe
File created	C:\Windows\{53885FB8-6F38-4927-A580-6434068DF6FC}.exe	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe
File created	C:\Windows\{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe
File created	C:\Windows\{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe
File created	C:\Windows\{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}.exe	{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe
File created	C:\Windows\{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe
File created	C:\Windows\{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe
File created	C:\Windows\{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe
File created	C:\Windows\{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe
File created	C:\Windows\{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4508	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe
Token: SeIncBasePriorityPrivilege	1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe
Token: SeIncBasePriorityPrivilege	1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe
Token: SeIncBasePriorityPrivilege	2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe
Token: SeIncBasePriorityPrivilege	1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe
Token: SeIncBasePriorityPrivilege	2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe
Token: SeIncBasePriorityPrivilege	1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe
Token: SeIncBasePriorityPrivilege	1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe
Token: SeIncBasePriorityPrivilege	2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe
Token: SeIncBasePriorityPrivilege	312	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe
Token: SeIncBasePriorityPrivilege	3192	{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3144	4508	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe	96
PID 4508 wrote to memory of 3144	4508	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe	96
PID 4508 wrote to memory of 3144	4508	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe	96
PID 4508 wrote to memory of 4116	4508	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe	97
PID 4508 wrote to memory of 4116	4508	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe	97
PID 4508 wrote to memory of 4116	4508	2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe	97
PID 3144 wrote to memory of 1988	3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe	98
PID 3144 wrote to memory of 1988	3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe	98
PID 3144 wrote to memory of 1988	3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe	98
PID 3144 wrote to memory of 4132	3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe	99
PID 3144 wrote to memory of 4132	3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe	99
PID 3144 wrote to memory of 4132	3144	{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe	99
PID 1988 wrote to memory of 1892	1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe	102
PID 1988 wrote to memory of 1892	1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe	102
PID 1988 wrote to memory of 1892	1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe	102
PID 1988 wrote to memory of 2544	1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe	103
PID 1988 wrote to memory of 2544	1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe	103
PID 1988 wrote to memory of 2544	1988	{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe	103
PID 1892 wrote to memory of 2216	1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe	104
PID 1892 wrote to memory of 2216	1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe	104
PID 1892 wrote to memory of 2216	1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe	104
PID 1892 wrote to memory of 4776	1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe	105
PID 1892 wrote to memory of 4776	1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe	105
PID 1892 wrote to memory of 4776	1892	{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe	105
PID 2216 wrote to memory of 1796	2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe	106
PID 2216 wrote to memory of 1796	2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe	106
PID 2216 wrote to memory of 1796	2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe	106
PID 2216 wrote to memory of 4984	2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe	107
PID 2216 wrote to memory of 4984	2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe	107
PID 2216 wrote to memory of 4984	2216	{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe	107
PID 1796 wrote to memory of 2208	1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe	109
PID 1796 wrote to memory of 2208	1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe	109
PID 1796 wrote to memory of 2208	1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe	109
PID 1796 wrote to memory of 4624	1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe	110
PID 1796 wrote to memory of 4624	1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe	110
PID 1796 wrote to memory of 4624	1796	{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe	110
PID 2208 wrote to memory of 1208	2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe	111
PID 2208 wrote to memory of 1208	2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe	111
PID 2208 wrote to memory of 1208	2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe	111
PID 2208 wrote to memory of 1204	2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe	112
PID 2208 wrote to memory of 1204	2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe	112
PID 2208 wrote to memory of 1204	2208	{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe	112
PID 1208 wrote to memory of 1156	1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe	119
PID 1208 wrote to memory of 1156	1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe	119
PID 1208 wrote to memory of 1156	1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe	119
PID 1208 wrote to memory of 2304	1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe	120
PID 1208 wrote to memory of 2304	1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe	120
PID 1208 wrote to memory of 2304	1208	{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe	120
PID 1156 wrote to memory of 2944	1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe	121
PID 1156 wrote to memory of 2944	1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe	121
PID 1156 wrote to memory of 2944	1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe	121
PID 1156 wrote to memory of 3020	1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe	122
PID 1156 wrote to memory of 3020	1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe	122
PID 1156 wrote to memory of 3020	1156	{B8153867-1375-4dd5-9974-E648298C8137}.exe	122
PID 2944 wrote to memory of 312	2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe	123
PID 2944 wrote to memory of 312	2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe	123
PID 2944 wrote to memory of 312	2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe	123
PID 2944 wrote to memory of 1700	2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe	124
PID 2944 wrote to memory of 1700	2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe	124
PID 2944 wrote to memory of 1700	2944	{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe	124
PID 312 wrote to memory of 3192	312	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe	127
PID 312 wrote to memory of 3192	312	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe	127
PID 312 wrote to memory of 3192	312	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe	127
PID 312 wrote to memory of 5084	312	{53885FB8-6F38-4927-A580-6434068DF6FC}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_ce94c026b05cdbad44e704de161fc423_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe
  C:\Windows\{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe
    C:\Windows\{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe
      C:\Windows\{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe
        
        C:\Windows\{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe
        
        C:\Windows\{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe
        
        C:\Windows\{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe
        
        C:\Windows\{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{B8153867-1375-4dd5-9974-E648298C8137}.exe
        
        C:\Windows\{B8153867-1375-4dd5-9974-E648298C8137}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe
        
        C:\Windows\{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{53885FB8-6F38-4927-A580-6434068DF6FC}.exe
        
        C:\Windows\{53885FB8-6F38-4927-A580-6434068DF6FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe
        
        C:\Windows\{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}.exe
        
        C:\Windows\{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}.exe
        13⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0A77~1.EXE > nul
        13⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53885~1.EXE > nul
        12⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61FE3~1.EXE > nul
        11⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8153~1.EXE > nul
        10⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22AA1~1.EXE > nul
        9⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56495~1.EXE > nul
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5E4D~1.EXE > nul
        7⤵
        
        PID:4624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE79~1.EXE > nul
        6⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E16~1.EXE > nul
        5⤵
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27AEE~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B25F~1.EXE > nul
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22AA11BA-D9B3-4085-A473-35A9CB6EF566}.exe

Filesize
180KB

MD5
0c57d18b3812fd617d0e1265a11ef008

SHA1
aa416a6ae4c1c83aac2356314cd789fb9417be9f

SHA256
e51083f62c9ed9533167957f1878348e62b86fe15cfe3effa04eff36842f9d13

SHA512
3f69cb8ddce6ee4d1b09e168603f55c19fac6e013b61052c0e29f841e62c4b3072e0091d75b8faea7cc7550734cc6ce64393381e6ba4ce54f78d55b5c3b561bd

Download Submit
C:\Windows\{27AEE1C9-019C-42fd-B994-D5BAAECE7EEA}.exe

Filesize
180KB

MD5
cfb09d95201a444f81f4b2b57bf9929e

SHA1
cc7d92daffb5a167c7fd1edf7c89f78d6c17fa07

SHA256
8ee32e5fde98d2bc629f3591054cd4c2b844dbe522ffb9f3a60d20cd7e5bcb12

SHA512
94f872895bd442ca5fda5a991bb3807030a9622d8f87a24ff1cf598fbee7b963d2db60766e0d45500a16adab886bd538f44f49874e67645a339f882d9fa46ffb

Download Submit
C:\Windows\{53885FB8-6F38-4927-A580-6434068DF6FC}.exe

Filesize
180KB

MD5
b1e53389c6f93743560b6eb19b74dda2

SHA1
d9b86ce686d7d5ac8caea76043dcbd9253c57f2c

SHA256
312999858ca6e4c8b7cacf4f3f9889141aaa52a2d501209c5ea360aa44f95954

SHA512
9aa0a153c9f6f7680e55abb4374a3808d06bade42af104fd724d2eb51745483cb0b4c0ac124771bd855bdca15899eaf3f561d9dc4fb425d9a7d2afed0f6d3fff

Download Submit
C:\Windows\{56495B58-D8BB-44ae-8BDF-3367CE458A32}.exe

Filesize
180KB

MD5
2ee74b666d052964ba5d6757cd949c95

SHA1
532630f716300aa68ac3d4ec8f8c0d5c6536ff44

SHA256
bf0bc5e1962883d99a3811f8b186bec95e02e053237ec798c27689f4ce4305aa

SHA512
8634d466825564ae59e146cd79d414c44c3cfc11983c048d6eaba906dd5e375b6a5d7437190f58081243313ce2cf684fce1f775840e88a06ce03627810d3f03c

Download Submit
C:\Windows\{61FE3C6C-0BE0-4a54-8655-2F9949905CE4}.exe

Filesize
180KB

MD5
dc41d801565f09fb02bfab290fba2a62

SHA1
38fb82eb2711d002e83379c95bad7f49c5aa6470

SHA256
3b656e3025a6bdaa6d83639b9559a5b95a312002115d54c4064521d13cc97e45

SHA512
0f6c3e84b86b6d307540c4f5cddd9c244dfe4bb2d2bf9ff19c47bee12e1c41354bd5f1779ff3c109dea9630dd8b15f31d7a3c5730808d6d8e364d850d1342f00

Download Submit
C:\Windows\{7B25F261-25EE-46a8-8A1E-1522B2233385}.exe

Filesize
180KB

MD5
f16e01167ae6e5d2eecbd5693fec7580

SHA1
cb4acb8f9195038cdc958443ca4a3f28b21eb6dd

SHA256
7aa14d37b682e1c567554611c64b9688e709c47afd17019ec5acfbbe5b648c30

SHA512
0612df5e5fa73b945cea6fd8181d8c47a9bf21a2b0d10f02f41859f716b1b7bfe67217cb61ce0636b4a8d1f02df887dddeb1c8924b046ce8b67d57d9bd1e8240

Download Submit
C:\Windows\{9BE79910-E255-4a1b-9015-D6A44FDB0068}.exe

Filesize
180KB

MD5
669009dde153b03dcfbbebdba1297e1a

SHA1
2e7da259e78a6d94d14d7ceba58b63700a4f9cc3

SHA256
78df3cf244822f38f316b054e49b7daf1f78a31646ab043578f708422f0c6fae

SHA512
295d8df5f525610710e69445f5c600ada3bb22e0c52ff270198682a48b1dcf696ebf263bb50c609db8104e1a438f2e4614597b5bb5ee5d00e5ae8e61214828a5

Download Submit
C:\Windows\{A0A77E49-3EA4-4a75-9BF7-C67E555CB2CC}.exe

Filesize
180KB

MD5
922260144d5050761d52a850853a01fd

SHA1
60dc67714839a265b33f8e7d2a32716dbf8c7c58

SHA256
573cdcaa975e23a4ae47ace008199fb44007a03b4c86db18e5db907d12189a86

SHA512
31a77960e0a04867f9dc7f3bee774f5ee70703fb1139adf45334fb124f2caefd75eca1f71489d2495df00b2f8aea94cd521b8c4a3cee4b53871fc34996155c26

Download Submit
C:\Windows\{A245CC93-CB7D-456a-BC60-16EA69AF4F9C}.exe

Filesize
180KB

MD5
6cb6962d19650e4b9724b7b4f34e5235

SHA1
bcb06b5bfb60e0c0438350ae500dea07fd69a97d

SHA256
335e489a190b61f010e7fdb7fd0a6ddfc705a3d9746ebc36ab2539e43033e4bd

SHA512
787f637dfd1ec8f4449d7a8995f6bdcd5916bec3abcea8ee00791966f8d284f0e9ef47d5ad182523856500da92b4064f591f9ae8a41a21c84421231cfbc86b1f

Download Submit
C:\Windows\{B8153867-1375-4dd5-9974-E648298C8137}.exe

Filesize
180KB

MD5
f5dc16f5965a7c1f6769fafa4261cf57

SHA1
29edc274219f9540d3b45cafd2103b38a7e79687

SHA256
8cdced61722cd77e5173450a94ae4875ffa74fd81161680c6dd331fffc532de4

SHA512
356c7701bc272094c5e4b94e88e9fec33df8fe2c42ee557224d41e8b954ff1cdcd0982bd0e22d19da0fab5a86112878b6cd296b78cedeacdec7cafe9ce675ca7

Download Submit
C:\Windows\{C3E16135-B627-4a5c-A3E4-1246A2374F54}.exe

Filesize
180KB

MD5
0d825554dd865b67b784ed5e0cd64511

SHA1
2607792b6ee7be32db18e3d88163241f3a73ae8d

SHA256
3079d82579f18674cce141ef12a8c265ff084c4d6afdd3d0b89fc2fca33fcf41

SHA512
06a901e32962d3a2867c575edda85e7c6887a26b07dd8e07c5e471782b13a42559dcab056ec08306ae0dabb552324333efd01f159a7deab11bd7f48894a17c37

Download Submit
C:\Windows\{E5E4D3E7-EB31-42aa-A5EE-F20C749591D4}.exe

Filesize
180KB

MD5
025f6d9b62bca83d5c6cd6101900967b

SHA1
19be03744b962bb6bf458f92ed8e31d800819925

SHA256
c00587af5ad46f72985d4b627ee0afe19f471b9b852a388ec01c24187f346b0a

SHA512
f0c57e263df7d4202b9a4b463659bab18e783963a97c2e0c0b6e01f23c0c20868b1aee15df15d0eb41aaa3e3865b4a7cbe926575f9062d30b9864e5afe808c14

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads