Analysis
This page shows the behavioral2 run: a 32-bit sample executed on an x64 Windows 10 2004 image (the report tags list both arch:x86 and arch:x64, and the spawned cmd.exe is the SysWOW64 copy).

max time kernel: 149s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:43

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Size: 344KB
MD5: 0a755e821f5f8006a843b9ec0878c779
SHA1: 4a481c3ff19aaf6c5d2f00654cee5c0d06a87184
SHA256: 08e176d28691fc2e5eca6d6b5709f56f60f1ff0109e7e3d9a78e361a99fa6818
SHA512: d792ed635304e7be64ecb6134df83f52a9168ce60af2a63da4e25b2dc680d6a59daa7d791aa6de902d5cc4969c1fc47401f7cc6f66a52e38fbae1b01abe10f0e
SSDEEP: 3072:mEGh0ozlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral2/files/0x0007000000022974-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002336a-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f3-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233f8-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233fd-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f8-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fd-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f8-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233fd-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f8-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f8-45.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
Active Setup runs the stubpath of every component listed under HKLM\...\Active Setup\Installed Components once per user at logon (whenever that GUID is not yet recorded under the user's HKCU copy), which is the persistence mechanism here. The sample is 32-bit, so its HKLM\SOFTWARE writes land under WOW6432Node. Each stage creates the key for the next stage's GUID and sets its stubpath to C:\Windows\{GUID}.exe, so the key GUID and the file name always match: the submitted sample registers {2860B56A-...}, which registers {43AA1FCB-...}, and so on through {C5727686-...}.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DDA32-A32C-48f1-B396-F10578B85F88} | {31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53} | {EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}\stubpath = "C:\\Windows\\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe" | {C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EE1678-47DB-4127-B95E-B3C0C59ED000} | {3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A} | {2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}\stubpath = "C:\\Windows\\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe" | {563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A} | {934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7} | {D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}\stubpath = "C:\\Windows\\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe" | {3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5727686-89AE-41a2-994D-5C5DE0A6DF51} | {D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}\stubpath = "C:\\Windows\\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe" | {934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}\stubpath = "C:\\Windows\\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe" | {D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59} | {F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA} | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}\stubpath = "C:\\Windows\\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe" | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{563096DA-A26F-43c1-8D39-1A21628BD1CC} | {43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{563096DA-A26F-43c1-8D39-1A21628BD1CC}\stubpath = "C:\\Windows\\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe" | {43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}\stubpath = "C:\\Windows\\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe" | {D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}\stubpath = "C:\\Windows\\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe" | {2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}\stubpath = "C:\\Windows\\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe" | {EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1968C11-8F5D-4b34-9BDF-9296CE594F97} | {C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}\stubpath = "C:\\Windows\\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe" | {F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD} | {563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6DDA32-A32C-48f1-B396-F10578B85F88}\stubpath = "C:\\Windows\\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe" | {31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
Executes dropped EXE 11 IoCs
pid | Process
1504 | {2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
4152 | {43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
1124 | {563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
4680 | {934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
4520 | {D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
228 | {31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
3424 | {EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
3680 | {C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
4412 | {F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
3380 | {3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
5008 | {C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe | {D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
File created | C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe | {F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
File created | C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
File created | C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe | {2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
File created | C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe | {563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
File created | C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe | {934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
File created | C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe | {D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
File created | C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe | {43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
File created | C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe | {31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
File created | C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe | {EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
File created | C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe | {C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3700 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1504 | {2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
Token: SeIncBasePriorityPrivilege | 4152 | {43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
Token: SeIncBasePriorityPrivilege | 1124 | {563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
Token: SeIncBasePriorityPrivilege | 4680 | {934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
Token: SeIncBasePriorityPrivilege | 4520 | {D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
Token: SeIncBasePriorityPrivilege | 228 | {31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
Token: SeIncBasePriorityPrivilege | 3424 | {EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
Token: SeIncBasePriorityPrivilege | 3680 | {C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
Token: SeIncBasePriorityPrivilege | 4412 | {F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
Token: SeIncBasePriorityPrivilege | 4744 | {D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
Suspicious use of WriteProcessMemory 64 IoCs
The sandbox records one row per call; every parent shows three writes into each child it launches (the next stage and its cmd.exe). Rows are grouped below as source PID | Process | target PID | procid_target | calls. The list stops at 64 rows, so the writes by PID 3380 ({3EB76C3E-...}.exe) into its children 4744 and 924, both visible in the process tree, do not appear here.
3700 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 1504 | 87 | 3
3700 | 2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe | 4808 | 88 | 3
1504 | {2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe | 4152 | 89 | 3
1504 | {2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe | 1384 | 90 | 3
4152 | {43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe | 1124 | 93 | 3
4152 | {43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe | 2964 | 94 | 3
1124 | {563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe | 4680 | 99 | 3
1124 | {563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe | 2744 | 100 | 3
4680 | {934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe | 4520 | 102 | 3
4680 | {934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe | 4620 | 103 | 3
4520 | {D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe | 228 | 104 | 3
4520 | {D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe | 3116 | 105 | 3
228 | {31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe | 3424 | 106 | 3
228 | {31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe | 3444 | 107 | 3
3424 | {EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe | 3680 | 108 | 3
3424 | {EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe | 396 | 109 | 3
3680 | {C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe | 4412 | 110 | 3
3680 | {C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe | 1912 | 111 | 3
4412 | {F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe | 3380 | 112 | 3
4412 | {F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe | 4424 | 113 | 3
4744 | {D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe | 5008 | 116 | 3
4744 | {D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe | 2616 | 117 | 1
Processes
Every stage spawns two children: a 32-bit cmd.exe (C:\Windows\SysWOW64\cmd.exe) that deletes the stage's own image, naming it by its 8.3 short alias ({2860B~1.EXE and so on) rather than the long GUID name, and the next GUID-named stage. The N⤵ marker is the depth in the tree; the cmd.exe child is listed first under each stage, then the next stage with its own subtree.

1⤵ C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"
   PID: 3700
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\SysWOW64\cmd.exe  PID: 4808
     cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵ C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
     cmdline: C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
     PID: 1504
     - Modifies Installed Components in the registry
     - Executes dropped EXE
     - Drops file in Windows directory
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\cmd.exe  PID: 1384
       cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{2860B~1.EXE > nul
    3⤵ C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
       cmdline: C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
       PID: 4152
       - Modifies Installed Components in the registry
       - Executes dropped EXE
       - Drops file in Windows directory
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Windows\SysWOW64\cmd.exe  PID: 2964
         cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{43AA1~1.EXE > nul
      4⤵ C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
         cmdline: C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
         PID: 1124
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5⤵ C:\Windows\SysWOW64\cmd.exe  PID: 2744
           cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{56309~1.EXE > nul
        5⤵ C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
           cmdline: C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
           PID: 4680
           - Modifies Installed Components in the registry
           - Executes dropped EXE
           - Drops file in Windows directory
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
          6⤵ C:\Windows\SysWOW64\cmd.exe  PID: 4620
             cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{934F6~1.EXE > nul
          6⤵ C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
             cmdline: C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
             PID: 4520
             - Modifies Installed Components in the registry
             - Executes dropped EXE
             - Drops file in Windows directory
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
            7⤵ C:\Windows\SysWOW64\cmd.exe  PID: 3116
               cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{D4AC6~1.EXE > nul
            7⤵ C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
               cmdline: C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
               PID: 228
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8⤵ C:\Windows\SysWOW64\cmd.exe  PID: 3444
                 cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{31C8E~1.EXE > nul
              8⤵ C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
                 cmdline: C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
                 PID: 3424
                 - Modifies Installed Components in the registry
                 - Executes dropped EXE
                 - Drops file in Windows directory
                 - Suspicious use of AdjustPrivilegeToken
                 - Suspicious use of WriteProcessMemory
                9⤵ C:\Windows\SysWOW64\cmd.exe  PID: 396
                   cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DD~1.EXE > nul
                9⤵ C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
                   cmdline: C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
                   PID: 3680
                   - Modifies Installed Components in the registry
                   - Executes dropped EXE
                   - Drops file in Windows directory
                   - Suspicious use of AdjustPrivilegeToken
                   - Suspicious use of WriteProcessMemory
                  10⤵ C:\Windows\SysWOW64\cmd.exe  PID: 1912
                      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D42~1.EXE > nul
                  10⤵ C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
                      cmdline: C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
                      PID: 4412
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    11⤵ C:\Windows\SysWOW64\cmd.exe  PID: 4424
                        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F1968~1.EXE > nul
                    11⤵ C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
                        cmdline: C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
                        PID: 3380
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                      12⤵ C:\Windows\SysWOW64\cmd.exe  PID: 924
                          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB76~1.EXE > nul
                      12⤵ C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
                          cmdline: C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
                          PID: 4744
                          - Modifies Installed Components in the registry
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of WriteProcessMemory
                        13⤵ C:\Windows\SysWOW64\cmd.exe  PID: 2616
                            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0EE1~1.EXE > nul
                        13⤵ C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
                            cmdline: C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
                            PID: 5008
                            - Executes dropped EXE
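As an added example (not part of the sandbox report and not the sample's own code), the following Python turns the two behaviours documented above into checks a responder can run over process-creation and registry-set telemetry: the Active Setup persistence, flagged only when a stubpath under Installed Components\{GUID} points at C:\Windows\{GUID}.exe for that same GUID, and the cmd.exe /c del self-deletion, flagged only when the 8.3 alias handed to del resolves to the parent's own image. It also walks the tree to recover the 13-process drop order. The records are constructed from this report's rows; the msiexec.exe/Rundll32 Active Setup row is a hypothetical benign entry added to show the filter stays quiet on it, and the 8.3 prefix rule is a simplification marked as an assumption in the code.

```python
import re

# Constructed input transcribed from the report's process tree: root sample, the twelve
# GUID-named stages in drop order with their PIDs, and the cmd.exe self-delete children.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"
STAGES = [
    ("{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}", 1504), ("{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}", 4152),
    ("{563096DA-A26F-43c1-8D39-1A21628BD1CC}", 1124), ("{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}", 4680),
    ("{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}", 4520), ("{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}", 228),
    ("{EF6DDA32-A32C-48f1-B396-F10578B85F88}", 3424), ("{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}", 3680),
    ("{F1968C11-8F5D-4b34-9BDF-9296CE594F97}", 4412), ("{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}", 3380),
    ("{D0EE1678-47DB-4127-B95E-B3C0C59ED000}", 4744), ("{C5727686-89AE-41a2-994D-5C5DE0A6DF51}", 5008),
]
DELETES = [  # (cmd.exe PID, parent PID, 8.3 path handed to 'del'), as the sandbox recorded them
    (4808, 3700, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"), (1384, 1504, r"C:\Windows\{2860B~1.EXE"),
    (2964, 4152, r"C:\Windows\{43AA1~1.EXE"), (2744, 1124, r"C:\Windows\{56309~1.EXE"),
    (4620, 4680, r"C:\Windows\{934F6~1.EXE"), (3116, 4520, r"C:\Windows\{D4AC6~1.EXE"),
    (3444, 228, r"C:\Windows\{31C8E~1.EXE"), (396, 3424, r"C:\Windows\{EF6DD~1.EXE"),
    (1912, 3680, r"C:\Windows\{C2D42~1.EXE"), (4424, 4412, r"C:\Windows\{F1968~1.EXE"),
    (924, 3380, r"C:\Windows\{3EB76~1.EXE"), (2616, 4744, r"C:\Windows\{D0EE1~1.EXE"),
]
AS_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
REGISTRY_SETS = [  # (writer, value path, data): two rows from the report plus one constructed benign row
    ("2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe",
     AS_KEY + r"\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}\stubpath", r"C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe"),
    ("{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe",
     AS_KEY + r"\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}\stubpath", r"C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe"),
    ("msiexec.exe",  # hypothetical benign component: its stub is a system binary, not C:\Windows\{GUID}.exe
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath",
     r"C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install"),
]
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\(" + GUID + r")\\stubpath$", re.I)
GUID_EXE_RE = re.compile(r"^C:\\Windows\\(" + GUID + r")\.exe$", re.I)
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)


def build_process_events():
    """Sysmon-style (pid, ppid, image, cmdline) records for the whole tree."""
    events, ppid = [(3700, 1, ROOT, '"' + ROOT + '"')], 3700
    for guid, pid in STAGES:
        image = "C:\\Windows\\" + guid + ".exe"
        events.append((pid, ppid, image, image))
        ppid = pid
    for pid, ppid, target in DELETES:
        events.append((pid, ppid, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del " + target + " > nul"))
    return events


def active_setup_findings(registry_sets):
    """Stubpaths pointing at C:\\Windows\\{GUID}.exe where GUID is the component's own GUID."""
    hits = []
    for writer, value_path, data in registry_sets:
        k, v = ACTIVE_SETUP_RE.search(value_path), GUID_EXE_RE.match(data)
        if k and v and k.group(1).lower() == v.group(1).lower():
            hits.append((k.group(1), data, writer))
    return hits


def short_name_prefix(long_path):
    """(first six 8.3-valid stem chars, extension), upper-cased; Windows names the alias PREFIX~N.EXT."""
    name = long_path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = "".join(c for c in stem if c not in " .+,;=[]")  # assumption: the subset of 8.3 rules this sample needs
    return stem[:6].upper(), ext.upper()


def is_short_alias_of(short_path, long_path):
    """True if short_path is plausibly the 8.3 alias of long_path in the same directory.
    Only the prefix is compared: the ~N counter depends on collisions, so a full alias is never rebuilt."""
    sdir, _, sname = short_path.rpartition("\\")
    if sdir.lower() != long_path.rpartition("\\")[0].lower():
        return False
    prefix, ext = short_name_prefix(long_path)
    pattern = re.escape(prefix) + r"~\d+" + (r"\." + re.escape(ext) if ext else "")
    return re.fullmatch(pattern, sname.upper()) is not None


def self_delete_findings(process_events):
    """cmd.exe '/c del <8.3 path> > nul' children whose target aliases the parent's own image."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in process_events}
    hits = []
    for ppid, _, cmdline in by_pid.values():
        m = DEL_RE.search(cmdline)
        if m and ppid in by_pid and is_short_alias_of(m.group("target"), by_pid[ppid][1]):
            hits.append((ppid, by_pid[ppid][1], m.group("target")))
    return hits


def stage_chain(process_events):
    """Walk GUID-named children from the root process to recover the drop order."""
    images = {pid: image for pid, _, image, _ in process_events}
    kids = {}
    for pid, ppid, _, _ in process_events:
        kids.setdefault(ppid, []).append(pid)
    cur = next(pid for pid, ppid, _, _ in process_events if ppid not in images)
    chain = [images[cur]]
    while True:
        nxt = [c for c in kids.get(cur, []) if GUID_EXE_RE.match(images[c])]
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(images[cur])
```

Comparing the six-character prefix and the directory against the parent image, rather than the literal string the sandbox captured, is what keeps the self-delete check useful outside this one run: the counter becomes ~2 on a name collision and Windows switches to a hash-derived alias after repeated collisions, so a rule keyed on the exact text {2860B~1.EXE would miss the next detonation of the same family.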
Network
MITRE ATT&CK Enterprise v15
Downloads
Eleven files were captured. All are 344KB, the same size as the submitted sample, but no two share a hash, so a block on the submitted sample's hash alone would not cover the dropped stages; the auto-generated YARA rule above is what matches all of them.

Filesize: 344KB
MD5: fb3df0518d8a18c1af948f8f89649ca0
SHA1: 8c60a1fcc96eb0d8fdee6fb91f8c804a8b76ded0
SHA256: 96da6fa87153eb42d7d69c2e9efd738ebe530b383590a616cfb152c0fde59fa4
SHA512: 6e4d6a5789aa2422a7c0faceaef7a4dcb9434615defb82a6a44a2a8e795f7b6748bd040dc51a7d76608caf9e14324bd350a8c6767cca105baf77b6f0072def29

Filesize: 344KB
MD5: 67e34111094de90c4494b766d030be72
SHA1: 923d4593162cde0aeb1adec433f8a2f580f430e0
SHA256: 6f28c17c97a02d7c56aa42464b462c6a53887d45d5a3ab63a65e34cf4410b812
SHA512: 820b42c3453d70b2f548c8d30e1c029d4685a31517af8a827bea24c80d9f777524bcc9949475259b63a605e0906667ab635b840e77ac380caa8be04f8b0906e6

Filesize: 344KB
MD5: 0cb814b990523afa7f8dbde2cd3886c1
SHA1: f3efdb7851867dfe2095626769e71570f0a28350
SHA256: 7a8a0b9274639c250da0c79a7cf10c5ea3c1bb2528fd01fa1b708f42e8ae91eb
SHA512: 6c9964b4c4fb74e3bd525b31b49dd584b23155aa5e8d83c7f5e3f9308d1e88da0dcf230b7818496b44fe426b7388b57f6d70fb4b6479071a847d110128a4e292

Filesize: 344KB
MD5: 7ae5641a859503f68e53b8214d59e167
SHA1: 662035c52b43214a48b18c87ce333086d290ac0b
SHA256: 8efa056dd48560133ee96e0eba15ad3f3d6e203fce7803eecd3de6e7b83268f2
SHA512: 368212d6d6b3b680457becce7ee8f6922141192121d99bbb2e7c72dad14f142e164468e1940c1fdfb8840222acfddabf8c418f1fe1dca3b665ddc5c0d6ad876f

Filesize: 344KB
MD5: 9920f034e1716ac3e57b936e26175dfa
SHA1: 0d23da044db24e3c457d2f6fb6f3bb3464443f66
SHA256: 17b592db16327d4060aef985a6b813da0231c6de8b9411fbea3453b5743e481f
SHA512: e4cd7d34f8789588dab78be95848b99d5cff971bfb4ad963996b15c89c20f2c3076af5d4b7af56fde95f43bc5cb319396c764f762183f8146f5900617fd0a059

Filesize: 344KB
MD5: 99f31fa3f09e3e43d31abb147cd76c67
SHA1: a2b8e2b135fae3c2f3ed3146dfac5524c9ffa7c8
SHA256: 9af42b747b9557ac1d4080ca540c81357b4620d6d71bebd84c99289ad6526e87
SHA512: 95edc5c15c07ee088608d9669b18773dad4280d0364e1161b826ee61b760ef05db51152111b63d4f4c35fa2b61679fe9d5dd359b9ed6cba153a1d508a819dba8

Filesize: 344KB
MD5: 3f8eb29480fde8db52871375b41a16c4
SHA1: b55ed6de288b54127bcc41063cb43e85b8d9ccab
SHA256: 099bf060ecef0b60aab531695820cac264295477f16cdd8ce77fb009ecd2ac0c
SHA512: 5f1b7a20e63a63ec66cbb344c65015c00702b2a4fd624d65fcb56bdc494bbb0c4ba2b71653a3cba8e691fdb544b0dbeba5808bc74b1bdc33fd500af6ec31f92a

Filesize: 344KB
MD5: 4bd3071b52f423e6a01b3ee8803454e2
SHA1: 14a2a6ba6fe54c2898dc135f9278757ee1c5acb8
SHA256: a10edd37e0a5d1d7937953f77745ef3cc8a9e168674c3c84851cd73b2619f30a
SHA512: d2824fc47069f289887cac96dfb53b243a3a2ff565b416cb5a4cb9b26b2f91ffcf52a8f69336c78424ce47c005ec15d8d2bbc2d4753f1d4371d3c7986ff02e62

Filesize: 344KB
MD5: d11d9d6c3844442a6e6fe8d483a53503
SHA1: 56d99ebeca3968f679daf2ff9a5e96ec6ed1b0d3
SHA256: a43e4c43eb94086c4fb9e1b2d6b0bc87befd1f1f5162fca162b94b9f459ac742
SHA512: 6f7b62a7a3c202acb4aed9373de979b57b5a99f6bbd8e1e2e3882d2d9669d4709cdb4cbcb7cfd11f1595661f5704a43bf0c9b09a044b467f8a8f17135fee6259

Filesize: 344KB
MD5: 13036470e6262b0678a48e5aa22db949
SHA1: 467d366b6f81d161baa862e1f614564b08c13388
SHA256: db91de036d9d8282e55d03d658bc34ab92988d8bbc2bfda925be4ebb2f6f83ce
SHA512: b3e2df1c5d8cc3c35cf9e881616b53d380d23f11a68a60c3a947a15b834757fd4c52a5d3ad0c1ca1e9886c7ee0dbeb4f5f85fb18ede818dde2643baf5807a1dd

Filesize: 344KB
MD5: da47fd70ddce133256948ad54a162788
SHA1: e211ad6c02b9a89fb3df37624c0c53c68e530288
SHA256: 83ca8cbd823cb92492d448a6b4db5344378593fee45a521cc82585203a452872
SHA512: e82257081d50c26236caacd486fa363a8c90a396059db9be9cea7d4af30d1cbb2dcbe1c19f7288ab32de9cd3aff29d5790cde4becfaffaf57d90a93839568bd6