31c20f14a067954491e8a8b1c3878c86c474d6eb4443eb12cb7626ffc89932e3

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Size

168KB
MD5

8dde4259a21d9d6c67d104d580d3207a
SHA1

631f10f8b70b576af50c9a8bc1f868310c1dc15a
SHA256

31c20f14a067954491e8a8b1c3878c86c474d6eb4443eb12cb7626ffc89932e3
SHA512

70e000a370b9ae83264f729e392484a4db71a23be594bbb943565e8424e2c53b69c40817bb96d43ae3c174f07f7e2ca932aa67f4758e491db7a8e3a635e5ba8a
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000f000000023432-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023438-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fbd-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fbe-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fbd-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{556AA230-C0F1-4669-9913-144D379A50D3}	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02D8A373-C6CB-4397-A7C5-624221E3D0DE}\stubpath = "C:\\Windows\\{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe"	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6361AAE2-DB12-46b3-8D24-41BE84771EBC}	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B222E0-2813-4298-AEB3-C7244A40622C}\stubpath = "C:\\Windows\\{43B222E0-2813-4298-AEB3-C7244A40622C}.exe"	{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02D8A373-C6CB-4397-A7C5-624221E3D0DE}	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503E839F-65B9-4d83-9DEB-AED4AF0978F2}	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503E839F-65B9-4d83-9DEB-AED4AF0978F2}\stubpath = "C:\\Windows\\{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe"	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD18523-B759-48f5-9079-3C0435106213}\stubpath = "C:\\Windows\\{1AD18523-B759-48f5-9079-3C0435106213}.exe"	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2CEDFDE-12B8-4441-A236-440632047EAF}	{1AD18523-B759-48f5-9079-3C0435106213}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2CEDFDE-12B8-4441-A236-440632047EAF}\stubpath = "C:\\Windows\\{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe"	{1AD18523-B759-48f5-9079-3C0435106213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0F2F87-5AA9-440b-AC86-8590173792E8}	{556AA230-C0F1-4669-9913-144D379A50D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B222E0-2813-4298-AEB3-C7244A40622C}	{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84B21F6-F1AC-483a-BD65-A567C821B2A0}	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84B21F6-F1AC-483a-BD65-A567C821B2A0}\stubpath = "C:\\Windows\\{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe"	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD18523-B759-48f5-9079-3C0435106213}	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}\stubpath = "C:\\Windows\\{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe"	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}\stubpath = "C:\\Windows\\{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe"	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{556AA230-C0F1-4669-9913-144D379A50D3}\stubpath = "C:\\Windows\\{556AA230-C0F1-4669-9913-144D379A50D3}.exe"	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0F2F87-5AA9-440b-AC86-8590173792E8}\stubpath = "C:\\Windows\\{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe"	{556AA230-C0F1-4669-9913-144D379A50D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0263C001-C8AF-4db5-96A3-E94E380AC1D0}	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0263C001-C8AF-4db5-96A3-E94E380AC1D0}\stubpath = "C:\\Windows\\{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe"	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6361AAE2-DB12-46b3-8D24-41BE84771EBC}\stubpath = "C:\\Windows\\{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe"	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe
3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe
5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe
2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe
5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe
1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe
4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe
1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe
1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe
1616	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe
3644	{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe
3948	{43B222E0-2813-4298-AEB3-C7244A40622C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe
File created	C:\Windows\{1AD18523-B759-48f5-9079-3C0435106213}.exe	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe
File created	C:\Windows\{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe	{556AA230-C0F1-4669-9913-144D379A50D3}.exe
File created	C:\Windows\{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe
File created	C:\Windows\{43B222E0-2813-4298-AEB3-C7244A40622C}.exe	{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe
File created	C:\Windows\{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe
File created	C:\Windows\{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe
File created	C:\Windows\{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
File created	C:\Windows\{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe
File created	C:\Windows\{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe	{1AD18523-B759-48f5-9079-3C0435106213}.exe
File created	C:\Windows\{556AA230-C0F1-4669-9913-144D379A50D3}.exe	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe
File created	C:\Windows\{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1384	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe
Token: SeIncBasePriorityPrivilege	3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe
Token: SeIncBasePriorityPrivilege	5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe
Token: SeIncBasePriorityPrivilege	2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe
Token: SeIncBasePriorityPrivilege	5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe
Token: SeIncBasePriorityPrivilege	1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe
Token: SeIncBasePriorityPrivilege	4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe
Token: SeIncBasePriorityPrivilege	1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe
Token: SeIncBasePriorityPrivilege	1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe
Token: SeIncBasePriorityPrivilege	1616	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe
Token: SeIncBasePriorityPrivilege	3644	{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4276	1384	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	94
PID 1384 wrote to memory of 4276	1384	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	94
PID 1384 wrote to memory of 4276	1384	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	94
PID 1384 wrote to memory of 5048	1384	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	95
PID 1384 wrote to memory of 5048	1384	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	95
PID 1384 wrote to memory of 5048	1384	2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe	95
PID 4276 wrote to memory of 3912	4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe	96
PID 4276 wrote to memory of 3912	4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe	96
PID 4276 wrote to memory of 3912	4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe	96
PID 4276 wrote to memory of 1252	4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe	97
PID 4276 wrote to memory of 1252	4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe	97
PID 4276 wrote to memory of 1252	4276	{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe	97
PID 3912 wrote to memory of 5064	3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe	99
PID 3912 wrote to memory of 5064	3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe	99
PID 3912 wrote to memory of 5064	3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe	99
PID 3912 wrote to memory of 3308	3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe	100
PID 3912 wrote to memory of 3308	3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe	100
PID 3912 wrote to memory of 3308	3912	{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe	100
PID 5064 wrote to memory of 2412	5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe	101
PID 5064 wrote to memory of 2412	5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe	101
PID 5064 wrote to memory of 2412	5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe	101
PID 5064 wrote to memory of 4404	5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe	102
PID 5064 wrote to memory of 4404	5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe	102
PID 5064 wrote to memory of 4404	5064	{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe	102
PID 2412 wrote to memory of 5016	2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe	103
PID 2412 wrote to memory of 5016	2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe	103
PID 2412 wrote to memory of 5016	2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe	103
PID 2412 wrote to memory of 1340	2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe	104
PID 2412 wrote to memory of 1340	2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe	104
PID 2412 wrote to memory of 1340	2412	{1AD18523-B759-48f5-9079-3C0435106213}.exe	104
PID 5016 wrote to memory of 1324	5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe	105
PID 5016 wrote to memory of 1324	5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe	105
PID 5016 wrote to memory of 1324	5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe	105
PID 5016 wrote to memory of 956	5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe	106
PID 5016 wrote to memory of 956	5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe	106
PID 5016 wrote to memory of 956	5016	{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe	106
PID 1324 wrote to memory of 4644	1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe	107
PID 1324 wrote to memory of 4644	1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe	107
PID 1324 wrote to memory of 4644	1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe	107
PID 1324 wrote to memory of 1288	1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe	108
PID 1324 wrote to memory of 1288	1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe	108
PID 1324 wrote to memory of 1288	1324	{556AA230-C0F1-4669-9913-144D379A50D3}.exe	108
PID 4644 wrote to memory of 1920	4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe	109
PID 4644 wrote to memory of 1920	4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe	109
PID 4644 wrote to memory of 1920	4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe	109
PID 4644 wrote to memory of 3828	4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe	110
PID 4644 wrote to memory of 3828	4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe	110
PID 4644 wrote to memory of 3828	4644	{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe	110
PID 1920 wrote to memory of 1040	1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe	111
PID 1920 wrote to memory of 1040	1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe	111
PID 1920 wrote to memory of 1040	1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe	111
PID 1920 wrote to memory of 4600	1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe	112
PID 1920 wrote to memory of 4600	1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe	112
PID 1920 wrote to memory of 4600	1920	{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe	112
PID 1040 wrote to memory of 1616	1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe	113
PID 1040 wrote to memory of 1616	1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe	113
PID 1040 wrote to memory of 1616	1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe	113
PID 1040 wrote to memory of 1272	1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe	114
PID 1040 wrote to memory of 1272	1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe	114
PID 1040 wrote to memory of 1272	1040	{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe	114
PID 1616 wrote to memory of 3644	1616	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe	115
PID 1616 wrote to memory of 3644	1616	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe	115
PID 1616 wrote to memory of 3644	1616	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe	115
PID 1616 wrote to memory of 5096	1616	{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8dde4259a21d9d6c67d104d580d3207a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe
  C:\Windows\{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe
    C:\Windows\{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe
      C:\Windows\{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\{1AD18523-B759-48f5-9079-3C0435106213}.exe
        
        C:\Windows\{1AD18523-B759-48f5-9079-3C0435106213}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe
        
        C:\Windows\{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{556AA230-C0F1-4669-9913-144D379A50D3}.exe
        
        C:\Windows\{556AA230-C0F1-4669-9913-144D379A50D3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe
        
        C:\Windows\{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe
        
        C:\Windows\{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe
        
        C:\Windows\{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe
        
        C:\Windows\{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe
        
        C:\Windows\{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\{43B222E0-2813-4298-AEB3-C7244A40622C}.exe
        
        C:\Windows\{43B222E0-2813-4298-AEB3-C7244A40622C}.exe
        13⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6361A~1.EXE > nul
        13⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0263C~1.EXE > nul
        12⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{045A8~1.EXE > nul
        11⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02D8A~1.EXE > nul
        10⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0F2~1.EXE > nul
        9⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{556AA~1.EXE > nul
        8⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2CED~1.EXE > nul
        7⤵
        
        PID:956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD18~1.EXE > nul
        6⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{503E8~1.EXE > nul
        5⤵
        
        PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A84B2~1.EXE > nul
      4⤵
      PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F7B2~1.EXE > nul
    3⤵
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0263C001-C8AF-4db5-96A3-E94E380AC1D0}.exe

Filesize
168KB

MD5
0416a3f56001624f3f3788e879c2fe8b

SHA1
1b4f1cde140c132d2fedb52fadb476b73a7f7faa

SHA256
348df0fa4399b9acac7a0dd3e7140287dcd961869207deb7c61721eddb7ba775

SHA512
e4e8006aa4d9f63f825e247bfcb7f3c34900732f60337f0d549339854aa9291916d3bd53071ac3900372b7b37ed34b7bb8fc10442e9574f6f6067f4300898d3b

Download Submit
C:\Windows\{02D8A373-C6CB-4397-A7C5-624221E3D0DE}.exe

Filesize
168KB

MD5
19ddfd1ee666b4a147770db7aea1539f

SHA1
a9e78810a51d2ee84b67d8bbf1aaf1bbf2434698

SHA256
ea9b9164a614ea77d4fa17f018818b9717764b05e7da5e5d190b79c9be191e2c

SHA512
31b9346cae85204675d524b299de854d448b73609830fda2d64fcbe22a7aa08e51bcaba302b9aae29b5ba9abb870c500d6dcb5358a1b716943487ebf0c29d6f7

Download Submit
C:\Windows\{045A8CD9-81DC-4938-A5C4-A02DC56AA27D}.exe

Filesize
168KB

MD5
1d397f883a11bfd5d1aad85999ecf8e4

SHA1
1be050a76d64f57489328159ee5e6c8c2e3d1ebc

SHA256
2826b3d809a4c2549cb12d3b15faeeab4069c6908e37dfc850f38bfdf5308cb1

SHA512
b04ab4c800e6db1a89523d7fcac5a8e9eb37c48b14092789771c115261dc5642515546236c0af41400092f0236c7dd0222808f712c94e6b8d0911021260a119c

Download Submit
C:\Windows\{1AD18523-B759-48f5-9079-3C0435106213}.exe

Filesize
168KB

MD5
8ad23b988567b1b9c8d96cbb6b5178c2

SHA1
35f370c13c732eef1ed6d3f01134739b96fdfae6

SHA256
d77a8f9b91ded83b2340b7f9511aeb292383aeac52e0feffe67ff40ce9de135a

SHA512
0ea5e393e41bedb7074cd0eb978507d4a246d1201a3a135b6d74202a4490b034b31b7afdef0ad752ca0d9d4b98bf8b8aad7d166ce2e2ccb0892281b6e144de4d

Download Submit
C:\Windows\{3C0F2F87-5AA9-440b-AC86-8590173792E8}.exe

Filesize
168KB

MD5
1587c37b1fc06df71df0eb23bcb121ea

SHA1
5607a41cbd28471f2daace6f39fb322d71a3e400

SHA256
9c3bb0e53adc2f20db89eca73ef36a376c4fad25bb955d2d08d989f1d839e34f

SHA512
b5775681c95f15f3179d95f01071db4826dbc3d6958f01fe2aa1e7eda3bf8eafacc3de6c3793fd921af3604a530c467d79e7b2ecd088926b11de3e95d70634f2

Download Submit
C:\Windows\{43B222E0-2813-4298-AEB3-C7244A40622C}.exe

Filesize
168KB

MD5
a354484e94f20af1e59c547a2c560cf8

SHA1
745e44e544b38ab74f444d6644c662b4058d7b65

SHA256
723ca017495bb840ff7ea2f5d00108df98fec80e50de10fcfc3cfd6e660b4716

SHA512
a3f8e940be95f47b3b98b91f6a2ad8d6aefb1b1b5b45d4a386e33a2f34b910d77d5c1e15a155bee8fbf4a55ecd26d88ec2c398b650d71e4680729510ec5ccec9

Download Submit
C:\Windows\{503E839F-65B9-4d83-9DEB-AED4AF0978F2}.exe

Filesize
168KB

MD5
986b9882f21f0db2f66b62bd31d97e78

SHA1
acff711d6be5475edfd7aee5836fb9ac0bf15436

SHA256
7bbfe575725715c4ad2a0dfea3a370c4777832b35b32cc377b4feb21b173e4d6

SHA512
1355cdd53414ee57f6b3d36094b2a56419320f141726b566643dc41397eb051225f27ab619ac8408c4aeb4a301ed8a6eded005bbff667057be555786bc46550f

Download Submit
C:\Windows\{556AA230-C0F1-4669-9913-144D379A50D3}.exe

Filesize
168KB

MD5
b49a9841059ca54051ba1bfe35ab0169

SHA1
df121dc8f04dcebfc5aa05ccf1fd2265b82476e4

SHA256
955931bd815ce8cf34566e3dba455b08ca2c395ad670cd4062d521648c5a3635

SHA512
83e114e3b8770787115bc1dd538c92664cdaaa20b534f06bf907e77345ebff0d263d300340f404e2b1f15cb7125a874f61e7a6777854808656599a485cd6b70a

Download Submit
C:\Windows\{6361AAE2-DB12-46b3-8D24-41BE84771EBC}.exe

Filesize
168KB

MD5
4f7e2b11ac4b58e765258c198d8aa472

SHA1
fc34b26dbea56942737f11f02ccbc63c7fa5ee4e

SHA256
7c32d406c9f375326c4179acdd9fadd10067a4f14327c6a96cebd6cd1ad75b0e

SHA512
e9cc39a733b9a1fa39be0255a2689e99d310f297a6efd4e3dfca4036b60173cb0723e6c5cb1e6e0770f15f19deea4009986ec88844fa0587e434d8ed9b567ddb

Download Submit
C:\Windows\{8F7B248A-3E19-4cff-8503-50CC8DBE7DF2}.exe

Filesize
168KB

MD5
33df859efe52b2c44a4fcbd8635ff541

SHA1
ceb484225f1b97e7026b05a9e0505d77b8169448

SHA256
71f31c27992617c82e72200ac99aaec06960102b7d67ca3b33ba8883f5785181

SHA512
c019a5001d35fe852017a6237b146d40a6f1a6bb9af5878eabdf4c15b7bea7c8e3e05b04055572168ece3cfddbb79de72f71dcd72d768d475144ed5df106b928

Download Submit
C:\Windows\{A84B21F6-F1AC-483a-BD65-A567C821B2A0}.exe

Filesize
168KB

MD5
01e58176e33636a742da1002defc0416

SHA1
0146fdae7af052865c79d699d1c491502e03acce

SHA256
c1365513301b55720cf144671fd35cd0d7d7ce6e4c4fbfb6b8a2f612fe90e11b

SHA512
abddbcb36d232e08b453850864d86b438e2c29e16cfcad3e69a852a3d5deec726adc23f011f0ccbe7ebed9240ad866c80844fcc3f7af58d8542ad2d5d0f84503

Download Submit
C:\Windows\{B2CEDFDE-12B8-4441-A236-440632047EAF}.exe

Filesize
168KB

MD5
721498b0c209dc089f41d983385c445d

SHA1
58bf46e25d7c68b7a7ddd28cb1c490002996900b

SHA256
af3c48e8f082c3ab3c619c3cd370acfba49632e0c429b29c8eb05ad25899f241

SHA512
d2a23663347b8f8a01aae5284576c08b905d138be5e7e771066574e780458559ac244058496fe3f29157ceccc725c4d6a752c66b75a4ca6639ccda3aa2353dd3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads