Analysis
-
max time kernel
149s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
10/06/2024, 04:36
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
-
Size
204KB
-
MD5
9261f11bd165c8f1c19177f14d3d1f64
-
SHA1
20d8d65589d8bc640fac5c60cf03667f68ed14fc
-
SHA256
217ad59471ba98885cc8a3b4f0a8bf890d0082026ba6e92db4ee83db29dc3f06
-
SHA512
f0cfcb28883bfb32c5efeda1ff5f41b9213c3b09cb901fa0c2ce2a2f8d04ff5e5442952aa3e1199dfdaa796807a605673b8343910767a009fa20f2285cb8f9da
-
SSDEEP
1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ocl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
resource                                      yara_rule
behavioral2/files/0x001200000002341f-2.dat    GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023426-6.dat    GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342d-10.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023426-14.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342d-18.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023426-23.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002342d-27.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-31.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-34.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-38.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000731-42.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072f-46.dat   GoldenEyeRansomware_Dropper_MalformedZoomit
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}\stubpath = "C:\\Windows\\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe" | {71861140-3D32-420f-BCDB-976D9D8786E2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}\stubpath = "C:\\Windows\\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe" | {5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1} | {8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}\stubpath = "C:\\Windows\\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe" | {8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C6CA15-E29F-433f-A59E-3255A81E6483} | {B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C6CA15-E29F-433f-A59E-3255A81E6483}\stubpath = "C:\\Windows\\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe" | {B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}\stubpath = "C:\\Windows\\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe" | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17765F30-865E-4280-81CA-1A2B9BFA3BCB} | {71861140-3D32-420f-BCDB-976D9D8786E2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877} | {870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B} | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D082B3A-FBA5-4547-9657-F137337C4BB1} | {4BD5788E-F672-4914-A220-0F7D214265FB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD5788E-F672-4914-A220-0F7D214265FB}\stubpath = "C:\\Windows\\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe" | {17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E} | {5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71861140-3D32-420f-BCDB-976D9D8786E2}\stubpath = "C:\\Windows\\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe" | {C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BD5788E-F672-4914-A220-0F7D214265FB} | {17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FAED625-28E8-4ed6-86D0-09B21354944B} | {1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FAED625-28E8-4ed6-86D0-09B21354944B}\stubpath = "C:\\Windows\\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe" | {1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9} | {AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}\stubpath = "C:\\Windows\\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe" | {AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}\stubpath = "C:\\Windows\\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe" | {870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12} | {E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71861140-3D32-420f-BCDB-976D9D8786E2} | {C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D082B3A-FBA5-4547-9657-F137337C4BB1}\stubpath = "C:\\Windows\\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe" | {4BD5788E-F672-4914-A220-0F7D214265FB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}\stubpath = "C:\\Windows\\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe" | {E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
-
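The twelve StubPath writes above are one Active Setup persistence chain: every stage registers the executable it just dropped under Installed Components, so Windows will run that stub at user logon even if the process tree is killed. The Python below is an added example, not part of the sandbox report or of the sample. It parses rows in the report's own row format (re-rendered here from the IoC table, plus one hypothetical benign vendor entry under Program Files as a control), scores each entry with three heuristics that are this example's own assumptions rather than a published rule (stub dropped directly in C:\Windows, stub named after its own key GUID, writer itself a GUID-named executable), and follows writer-to-stub links to rebuild the stage chain.

```python
"""Score Active Setup StubPath writes and rebuild the stage chain they describe.

Added example, not part of the sandbox report or the sample.  Rows are re-rendered
from the report's IoC table in the report's own row format, plus one hypothetical
benign vendor entry; the three suspicion heuristics are this example's own
assumptions, not a published rule.
"""
import re

# One row of the report's "Modifies Installed Components in the registry" table:
#   Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\
#       Installed Components\{GUID}\stubpath = "C:\\Windows\\{GUID}.exe" <writing process>
STUBPATH_ROW = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?P<view>WOW6432Node\\)?Microsoft"
    r"\\Active Setup\\Installed Components\\(?P<key>\{[0-9A-Fa-f-]{36}\})\\stubpath"
    r' = "(?P<stub>[^"]*)" (?P<writer>\S+)$',
    re.IGNORECASE,
)
GUID_EXE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)

SAMPLE = "2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"
# (Active Setup key GUID, process that wrote its StubPath), from the report, in chain order.
REPORT_WRITES = [
    ("{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}", SAMPLE),
    ("{71861140-3D32-420f-BCDB-976D9D8786E2}", "{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe"),
    ("{17765F30-865E-4280-81CA-1A2B9BFA3BCB}", "{71861140-3D32-420f-BCDB-976D9D8786E2}.exe"),
    ("{4BD5788E-F672-4914-A220-0F7D214265FB}", "{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe"),
    ("{1D082B3A-FBA5-4547-9657-F137337C4BB1}", "{4BD5788E-F672-4914-A220-0F7D214265FB}.exe"),
    ("{5FAED625-28E8-4ed6-86D0-09B21354944B}", "{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe"),
    ("{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}", "{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe"),
    ("{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}", "{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe"),
    ("{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}", "{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe"),
    ("{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}", "{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe"),
    ("{E3C6CA15-E29F-433f-A59E-3255A81E6483}", "{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe"),
    ("{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}", "{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe"),
]


def render_row(key, writer, stub=None, view="WOW6432Node\\"):
    """Emit a row in the report's format; the report prints backslashes in the value doubled."""
    stub = stub or f"C:\\\\Windows\\\\{key}.exe"
    return (f"Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\{view}Microsoft\\Active Setup"
            f"\\Installed Components\\{key}\\stubpath = \"{stub}\" {writer}")


# Hypothetical benign control (not from the report): a vendor stub under Program Files.
BENIGN_ROW = render_row("{11111111-2222-3333-4444-555555555555}", "msiexec.exe",
                        stub="C:\\\\Program Files\\\\Vendor\\\\setup.exe", view="")
REPORT_ROWS = [render_row(k, w) for k, w in REPORT_WRITES] + [BENIGN_ROW]


def parse_rows(lines):
    return [m.groupdict() for m in map(STUBPATH_ROW.match, lines) if m]


def suspicion(row):
    """Reasons this StubPath entry looks like a dropper stage rather than a vendor component."""
    stub = row["stub"].replace("\\\\", "\\")          # undo the report's escaping
    directory, _, name = stub.rpartition("\\")
    reasons = []
    if directory.lower() == "c:\\windows":
        reasons.append("stub dropped directly in C:\\Windows")
    if name.lower() == (row["key"] + ".exe").lower():
        reasons.append("stub named after its own Active Setup GUID")
    if GUID_EXE.match(row["writer"]):
        reasons.append("written by a GUID-named executable")
    return reasons


def flag(lines, min_reasons=2):
    """Entries with at least `min_reasons` heuristics firing: (key GUID, writer, reasons)."""
    out = []
    for row in parse_rows(lines):
        reasons = suspicion(row)
        if len(reasons) >= min_reasons:
            out.append((row["key"], row["writer"], reasons))
    return out


def rebuild_chains(lines):
    """Follow writer -> dropped-stub links across the rows; returns chains, longest first."""
    next_stage = {}
    for row in parse_rows(lines):
        stub = row["stub"].replace("\\\\", "\\")
        next_stage[row["writer"]] = stub.rpartition("\\")[2]
    dropped = set(next_stage.values())
    chains = []
    for root in (w for w in next_stage if w not in dropped):   # writers nobody dropped
        chain, cur = [], root
        while cur and cur not in chain:              # stop at the last stage or on a cycle
            chain.append(cur)
            cur = next_stage.get(cur)
        chains.append(chain)
    return sorted(chains, key=len, reverse=True)


if __name__ == "__main__":
    for key, writer, reasons in flag(REPORT_ROWS):
        print(key, "<-", writer, ";", "; ".join(reasons))
    print(" -> ".join(rebuild_chains(REPORT_ROWS)[0]))
```

The first write is the only one with two reasons instead of three, because its writer is the original sample rather than a GUID-named stage; that is why the threshold is two. The same heuristics apply unchanged to a live export of the native `Microsoft\Active Setup\Installed Components` key, since the regex treats the `WOW6432Node\` view as optional.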
Executes dropped EXE 12 IoCs
pid   Process
2512  {C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
768   {71861140-3D32-420f-BCDB-976D9D8786E2}.exe
1020  {17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
3752  {4BD5788E-F672-4914-A220-0F7D214265FB}.exe
4376  {1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
4600  {5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
4804  {AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
4772  {870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
5040  {8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
4856  {B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
4944  {E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
1888  {9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe
-
Drops file in Windows directory 12 IoCs
description   ioc                                                      Process
File created  C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe  {4BD5788E-F672-4914-A220-0F7D214265FB}.exe
File created  C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe  {8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
File created  C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe  {B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
File created  C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe  {E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
File created  C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe  2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
File created  C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe  {17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
File created  C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe  {1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
File created  C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe  {5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
File created  C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe  {AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
File created  C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe  {870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
File created  C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe  {C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
File created  C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe  {71861140-3D32-420f-BCDB-976D9D8786E2}.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description                        pid   Process
Token: SeIncBasePriorityPrivilege  2904  2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
Token: SeIncBasePriorityPrivilege  2512  {C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
Token: SeIncBasePriorityPrivilege  768   {71861140-3D32-420f-BCDB-976D9D8786E2}.exe
Token: SeIncBasePriorityPrivilege  1020  {17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
Token: SeIncBasePriorityPrivilege  3752  {4BD5788E-F672-4914-A220-0F7D214265FB}.exe
Token: SeIncBasePriorityPrivilege  4376  {1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
Token: SeIncBasePriorityPrivilege  4600  {5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
Token: SeIncBasePriorityPrivilege  4804  {AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
Token: SeIncBasePriorityPrivilege  4772  {870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
Token: SeIncBasePriorityPrivilege  5040  {8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
Token: SeIncBasePriorityPrivilege  4856  {B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
Token: SeIncBasePriorityPrivilege  4944  {E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries in report
PID 2904 wrote to memory of 2512 | 2904 | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe | 92 | 3
PID 2904 wrote to memory of 944 | 2904 | 2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe | 93 | 3
PID 2512 wrote to memory of 768 | 2512 | {C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe | 94 | 3
PID 2512 wrote to memory of 1548 | 2512 | {C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe | 95 | 3
PID 768 wrote to memory of 1020 | 768 | {71861140-3D32-420f-BCDB-976D9D8786E2}.exe | 98 | 3
PID 768 wrote to memory of 2324 | 768 | {71861140-3D32-420f-BCDB-976D9D8786E2}.exe | 99 | 3
PID 1020 wrote to memory of 3752 | 1020 | {17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe | 100 | 3
PID 1020 wrote to memory of 1544 | 1020 | {17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe | 101 | 3
PID 3752 wrote to memory of 4376 | 3752 | {4BD5788E-F672-4914-A220-0F7D214265FB}.exe | 102 | 3
PID 3752 wrote to memory of 1968 | 3752 | {4BD5788E-F672-4914-A220-0F7D214265FB}.exe | 103 | 3
PID 4376 wrote to memory of 4600 | 4376 | {1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe | 104 | 3
PID 4376 wrote to memory of 3784 | 4376 | {1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe | 105 | 3
PID 4600 wrote to memory of 4804 | 4600 | {5FAED625-28E8-4ed6-86D0-09B21354944B}.exe | 106 | 3
PID 4600 wrote to memory of 3580 | 4600 | {5FAED625-28E8-4ed6-86D0-09B21354944B}.exe | 107 | 3
PID 4804 wrote to memory of 4772 | 4804 | {AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe | 108 | 3
PID 4804 wrote to memory of 4540 | 4804 | {AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe | 109 | 3
PID 4772 wrote to memory of 5040 | 4772 | {870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe | 110 | 3
PID 4772 wrote to memory of 628 | 4772 | {870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe | 111 | 3
PID 5040 wrote to memory of 4856 | 5040 | {8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe | 112 | 3
PID 5040 wrote to memory of 2972 | 5040 | {8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe | 113 | 3
PID 4856 wrote to memory of 4944 | 4856 | {B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe | 114 | 3
PID 4856 wrote to memory of 1112 | 4856 | {B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe | 115 | 1 (the report stops at 64 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe  (PID 2904)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 944)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  [2] C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe  (PID 2512)
      command line: C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1548)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C09~1.EXE > nul
    [3] C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe  (PID 768)
        command line: C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2324)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{71861~1.EXE > nul
      [4] C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe  (PID 1020)
          command line: C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 1544)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{17765~1.EXE > nul
        [5] C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe  (PID 3752)
            command line: C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 1968)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD57~1.EXE > nul
          [6] C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe  (PID 4376)
              command line: C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 3784)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1D082~1.EXE > nul
            [7] C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe  (PID 4600)
                command line: C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 3580)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5FAED~1.EXE > nul
              [8] C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe  (PID 4804)
                  command line: C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\cmd.exe  (PID 4540)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9C7~1.EXE > nul
                [9] C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe  (PID 4772)
                    command line: C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\SysWOW64\cmd.exe  (PID 628)
                       command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{870D9~1.EXE > nul
                  [10] C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe  (PID 5040)
                       command line: C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\SysWOW64\cmd.exe  (PID 2972)
                         command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8EFB6~1.EXE > nul
                    [11] C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe  (PID 4856)
                         command line: C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                         - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\SysWOW64\cmd.exe  (PID 1112)
                           command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B280F~1.EXE > nul
                      [12] C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe  (PID 4944)
                           command line: C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
                           - Modifies Installed Components in the registry
                           - Executes dropped EXE
                           - Drops file in Windows directory
                           - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\SysWOW64\cmd.exe  (PID 4908)
                             command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E3C6C~1.EXE > nul
                        [13] C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe  (PID 1888)
                             command line: C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe
                             - Executes dropped EXE
-
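Every stage in the tree has its own image deleted by a child cmd.exe, and the del target is always the 8.3 short name (for example {E3C6C~1.EXE for {E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe, or 2024-0~1.EXE for the sample), so a detection that compares the deleted path with the parent's long file name never fires. The Python below is an added example, not part of the report: over process-creation records transcribed from the tree (a subset, plus one hypothetical benign deletion of a log file as a control) it flags any cmd.exe /c del whose target resolves, via the 8.3 prefix rule, to the parent's own executable. The short-name rule implemented here (first six retained characters, ~N, three-character extension) is this example's assumption and covers the names in this report; Windows switches to a hash-based alias after several collisions, which the example does not model.

```python
"""Flag 'cmd.exe /c del <own image>' self-deletion in process-creation records.

Added example, not part of the sandbox report.  Records are transcribed from the
report's process tree (a subset) plus one hypothetical benign deletion; the 8.3
short-name rule and the same-directory requirement are this example's own
assumptions.
"""
import re

DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)", re.IGNORECASE)
# Characters Windows drops before forming the six-character 8.3 prefix (assumption).
STRIPPED = set(" .+,;=[]")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"
STAGE_A = r"C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe"
STAGE_B = r"C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe"
STAGE_K = r"C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe"
STAGE_L = r"C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
UPDATER = r"C:\Program Files\Vendor\updater.exe"   # hypothetical benign parent, not from the report

# (parent pid, parent image, pid, image, command line); PIDs and paths from the report's tree.
EVENTS = [
    (2904, SAMPLE, 2512, STAGE_A, STAGE_A),
    (2904, SAMPLE, 944, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (2512, STAGE_A, 768, STAGE_B, STAGE_B),
    (2512, STAGE_A, 1548, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C09~1.EXE > nul"),
    (4944, STAGE_K, 1888, STAGE_L, STAGE_L),
    (4944, STAGE_K, 4908, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E3C6C~1.EXE > nul"),
    # Hypothetical control: an updater clearing its own log, not its own image.
    (5100, UPDATER, 5101, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\update.log > nul"),
]


def short_name_pattern(long_basename):
    """Regex for the auto-generated 8.3 aliases of a long file name (~N form only)."""
    stem, dot, ext = long_basename.rpartition(".")
    if not dot:
        stem, ext = long_basename, ""
    prefix = "".join(ch for ch in stem if ch not in STRIPPED).upper()[:6]
    ext = "".join(ch for ch in ext if ch not in STRIPPED).upper()[:3]
    tail = r"\." + re.escape(ext) if ext else ""
    return re.compile(re.escape(prefix) + r"~[0-9]+" + tail)


def refers_to(target, image):
    """True if `target` names `image`, verbatim or by its 8.3 alias, in the same directory."""
    tdir, _, tname = target.rpartition("\\")
    idir, _, iname = image.rpartition("\\")
    if tdir.lower() != idir.lower():
        return False
    if tname.lower() == iname.lower():
        return True
    return short_name_pattern(iname).fullmatch(tname.upper()) is not None


def find_self_deletion(events):
    """(parent pid, parent image, cmd pid) for every cmd.exe that deletes its parent's own image."""
    hits = []
    for ppid, pimage, pid, image, cmdline in events:
        if image.rpartition("\\")[2].lower() != "cmd.exe":
            continue
        m = DEL_CMD.search(cmdline)
        if m and refers_to(m.group("target"), pimage):
            hits.append((ppid, pimage, pid))
    return hits


if __name__ == "__main__":
    for ppid, pimage, pid in find_self_deletion(EVENTS):
        print(f"PID {ppid} ({pimage}) had its image deleted by cmd.exe PID {pid}")
```

Note that the image path is C:\Windows\SysWOW64\cmd.exe while the command line names C:\Windows\system32\cmd.exe: the stages are 32-bit, so WOW64 file-system redirection rewrote the path, which is consistent with the WOW6432Node registry view used for the Active Setup keys. A detection keyed on the parent-child relation, as above, is unaffected by that redirection.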
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
204KB
MD5    ec0ddafb0dc5d6d36ebf1e13e7ab8d49
SHA1   20109b1ad05b0899d77fa10867b576a80db82e65
SHA256 66b4d9c2fdf2c4e726472c92c715c171ed6fc984700031526d3fca7d5d99957e
SHA512 6bdccb429ae951e4f920fb385540f7a14bc0cd4d2cb54d33a903ef36c6765cbed4761cd8a9874fe0ecb0dee595b3f81054ae9537256177d1224b4777488c1154
-
Filesize
204KB
MD5    b0e6c82c4aca7d40dc66480c2ef252b5
SHA1   3a29562f24a913be23a87146acf16028e8f73a68
SHA256 d3d3870dd4857a9e61f97c18077b1c1b7ffa41b0361440d86bf93495219e4a9c
SHA512 9f2074c3ff8ce282c4df3607e4e3cd3a604d756a057e1986850ed334c2b644091da4bc3e0f24a6e35c7101c4cc14444f2a816fb5b3289e93b78becac983e9715
-
Filesize
204KB
MD5    60c5ca33c809537254bce118f01f44b4
SHA1   0506c984c999cca3e828fb812df0d84eec68cb7d
SHA256 53d6098ac477fbd0ebaf0811c0ac21c24ced2f741b0b225f9a0e406230594063
SHA512 69b165e45c1c19bffbc58137eec89cbeddd4df037fbf6e5ee0e48a102d51ae9d1d173faf85787f2fffa3bf69c8e8c8f6bf1436ea5eeda951d058823dfeb815b9
-
Filesize
204KB
MD5    0830fdd3f0c7fb64b0e4ce0a24239db6
SHA1   d89be98f4dbfe7c7ad238f1cdecacc450b7474b4
SHA256 ee578b4ffe0f835683980a239fac2fda7f6ece8825901e8134eb460cad3b5b28
SHA512 5e6598c477eb906a1ecae5332beeac0b27a79fb8a48b3878326c7b953a8fc40a86fc0acb1884a56eb318bac0745d20c2e613c87898254c41e69f68081a6c5f82
-
Filesize
204KB
MD5    566002ce1cc37feda46f991a088c5705
SHA1   7cf852a1e01e88adb47247d4ca7ab11ec9b91b7f
SHA256 6822c9e708329ea2a506e35ceb5445f0c0fc02f814d1c86d9ab7b1bcdcddd12e
SHA512 aadeefda1dce920782cd264624b0894bf718b847a25c412ecb8ef56576de407ef5116cc3704e86a8881bff4d54aeac348243cfbb202a65d7b4323142bfc0a41e
-
Filesize
204KB
MD5    673ba67fcc04d970e1598453be0585d3
SHA1   57d84d21b033fed4d40ed94439b2202e77bef7b2
SHA256 484dfe549d38679b24d4e1b46b1006a06a4e1111021f58df06bedf761744df79
SHA512 d6f44f21df28aa355183e88fe17f7db1e72847d96ff99c9494e3c63084f684a33449afa169f35d8646dd96ce2a6726224a8dc44366d13525ccea2d76592a5a22
-
Filesize
204KB
MD5    8a0465d4d15eb29937b79bbef8821aca
SHA1   b1bf83b3a25f29bd2d098c20719c1b3e99ad4943
SHA256 7e4f1c54d77abf019e4d399780702155faddaf9f0866c4c52c830529273df4e4
SHA512 ecac6993d2ce71c0df09650aedb2ae24803ba1e4ad997ef5565b3e2a471a77a7b6c9f8fee5e722a5212f5f5a83b3b9ea51625ee65ca25ef51e0cfe6d893ad9f2
-
Filesize
204KB
MD5    a8148d82f247fbbd4c0e911fe02c4571
SHA1   7684b0cc7afc227faa70a3773775795a20870841
SHA256 0a2b4387212addb43087d27106ac0b69bde961fe504ba8bfe0b72b892f0c7f87
SHA512 b820da41546ea1e2dfcf2db228fc464624e9d15b8b1986d55d3080fba6d884986b47ed4095222664fed3efe4d9abc1e9ab32cb6462db432841f87d5d204b0062
-
Filesize
204KB
MD5    6add06e35dbab36d94e88668ec23d48e
SHA1   6184b0635e654efe933638d37eb43b853964e1b4
SHA256 02b1c25e0defe87a2e8d011947756e1b42f9785b59909bb36899c8907d40e028
SHA512 9c2f121dae1c4a8ec479e82102c3553d37aa9f2ddcfaff7f4e65c93a82f6e9043c3eb6030416523eb19ff206caed248a5c40fc8ccb349161fa47cf50b33e6ed8
-
Filesize
204KB
MD5    054ceae164d6c8a641efc5a169cf7d20
SHA1   57c6a886630cfc64fbe0a7076915b0912bb275bf
SHA256 0bc1fb0e2be107fcebc053b02a49fb99a8a6123c1a924e00062605b2afb40bf3
SHA512 3d2831e2ec0a134ea2081ec7fba2147d7dfd419945187233a3b0e87691e139215855f7a9ff863d7add1d9783a67f93554de4e78d94b1f6cf87bf6071a6e74fbc
-
Filesize
204KB
MD5    f525c457fd36e3daea2c04c5d583f9de
SHA1   d806961b706b1d9fa312c7ce93f1cf542942303b
SHA256 32ae747aa704f83b21e32aba3d92c344c0eaec0d686d536fb0f7b4578ae783b9
SHA512 15b3f9b2f323f8756d6a291f55f8236fa6299c677535a8bea7b4bd9d8261f80d94a5090553f2b7c6f5ed8941a4ea504f1f5dc7dd369ba16da5c639dc700b97f3
-
Filesize
204KB
MD5    1f508a1a32aad5e17d8b7149eed768e2
SHA1   024e5ffec8186ac6792f8f8c4dcc44734ceec6bd
SHA256 748bb46cd687e1a265ffbdd734ab5637487fa8ee22be6b832d5cde1875455c41
SHA512 6446bc486df39b2a390ad2db6f7edf397fcf4729da6b8170973648cc1d31edd642c18845247bf4d5e00ae4b2e6e0d7e0e578ee7447b733f10bead4a01889d34b