7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 21:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Size

192KB
MD5

6538f3adde737517d34a8746dadeaff7
SHA1

34795b3256e1c1cc3f214b77a65b97e259844822
SHA256

7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2
SHA512

0926e6dc2274144ca76f5e3e6c315ab24c50e9e52cfc8a1c14a7fd4dce551d0ef974713f19afc8f325a6db52c8209b311d13dbc4b526f5f28b4501887a1e9822
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000900000002320b-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023222-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023124-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002338a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db54-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db8c-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a4-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234b2-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002312e-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023136-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002312e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002312f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25012ADA-C706-40ca-B6DB-A61EC7B1808B}	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C0F78D-9792-43f7-941B-2BC01A1623AD}	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE42187-EA91-413f-A7A3-3516516E7624}	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47936621-61B9-496f-9455-1F9913A6BFDB}\stubpath = "C:\\Windows\\{47936621-61B9-496f-9455-1F9913A6BFDB}.exe"	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25DD2715-0465-41f1-877A-C42C36D00E40}\stubpath = "C:\\Windows\\{25DD2715-0465-41f1-877A-C42C36D00E40}.exe"	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}\stubpath = "C:\\Windows\\{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe"	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47936621-61B9-496f-9455-1F9913A6BFDB}	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25DD2715-0465-41f1-877A-C42C36D00E40}	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}\stubpath = "C:\\Windows\\{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe"	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE42187-EA91-413f-A7A3-3516516E7624}\stubpath = "C:\\Windows\\{5AE42187-EA91-413f-A7A3-3516516E7624}.exe"	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25012ADA-C706-40ca-B6DB-A61EC7B1808B}\stubpath = "C:\\Windows\\{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe"	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B2DB51-7E45-4af9-8473-22968451A269}	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}\stubpath = "C:\\Windows\\{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe"	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18C5B44-8C99-4527-AB95-94ECA545EA70}	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18C5B44-8C99-4527-AB95-94ECA545EA70}\stubpath = "C:\\Windows\\{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe"	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}	{25DD2715-0465-41f1-877A-C42C36D00E40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C0F78D-9792-43f7-941B-2BC01A1623AD}\stubpath = "C:\\Windows\\{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe"	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B2DB51-7E45-4af9-8473-22968451A269}\stubpath = "C:\\Windows\\{F7B2DB51-7E45-4af9-8473-22968451A269}.exe"	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20D734D2-ADBA-4922-AD2E-7112FD9561A1}	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20D734D2-ADBA-4922-AD2E-7112FD9561A1}\stubpath = "C:\\Windows\\{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe"	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}\stubpath = "C:\\Windows\\{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}.exe"	{25DD2715-0465-41f1-877A-C42C36D00E40}.exe

Executes dropped EXE 12 IoCs

pid	Process
2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe
1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe
1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe
4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe
4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe
4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe
1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe
464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe
2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe
4036	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe
1180	{25DD2715-0465-41f1-877A-C42C36D00E40}.exe
4756	{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
File created	C:\Windows\{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe
File created	C:\Windows\{5AE42187-EA91-413f-A7A3-3516516E7624}.exe	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe
File created	C:\Windows\{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe
File created	C:\Windows\{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}.exe	{25DD2715-0465-41f1-877A-C42C36D00E40}.exe
File created	C:\Windows\{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe
File created	C:\Windows\{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe
File created	C:\Windows\{F7B2DB51-7E45-4af9-8473-22968451A269}.exe	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe
File created	C:\Windows\{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe
File created	C:\Windows\{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe
File created	C:\Windows\{47936621-61B9-496f-9455-1F9913A6BFDB}.exe	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe
File created	C:\Windows\{25DD2715-0465-41f1-877A-C42C36D00E40}.exe	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4432	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe
Token: SeIncBasePriorityPrivilege	1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe
Token: SeIncBasePriorityPrivilege	1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe
Token: SeIncBasePriorityPrivilege	4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe
Token: SeIncBasePriorityPrivilege	4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe
Token: SeIncBasePriorityPrivilege	4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe
Token: SeIncBasePriorityPrivilege	1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe
Token: SeIncBasePriorityPrivilege	464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe
Token: SeIncBasePriorityPrivilege	2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe
Token: SeIncBasePriorityPrivilege	4036	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe
Token: SeIncBasePriorityPrivilege	1180	{25DD2715-0465-41f1-877A-C42C36D00E40}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2780	4432	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	97
PID 4432 wrote to memory of 2780	4432	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	97
PID 4432 wrote to memory of 2780	4432	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	97
PID 4432 wrote to memory of 2280	4432	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	98
PID 4432 wrote to memory of 2280	4432	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	98
PID 4432 wrote to memory of 2280	4432	2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe	98
PID 2780 wrote to memory of 1924	2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe	101
PID 2780 wrote to memory of 1924	2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe	101
PID 2780 wrote to memory of 1924	2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe	101
PID 2780 wrote to memory of 4624	2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe	102
PID 2780 wrote to memory of 4624	2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe	102
PID 2780 wrote to memory of 4624	2780	{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe	102
PID 1924 wrote to memory of 1960	1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe	105
PID 1924 wrote to memory of 1960	1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe	105
PID 1924 wrote to memory of 1960	1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe	105
PID 1924 wrote to memory of 4016	1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe	106
PID 1924 wrote to memory of 4016	1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe	106
PID 1924 wrote to memory of 4016	1924	{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe	106
PID 1960 wrote to memory of 4980	1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe	107
PID 1960 wrote to memory of 4980	1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe	107
PID 1960 wrote to memory of 4980	1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe	107
PID 1960 wrote to memory of 1136	1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe	108
PID 1960 wrote to memory of 1136	1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe	108
PID 1960 wrote to memory of 1136	1960	{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe	108
PID 4980 wrote to memory of 4740	4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe	109
PID 4980 wrote to memory of 4740	4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe	109
PID 4980 wrote to memory of 4740	4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe	109
PID 4980 wrote to memory of 1832	4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe	110
PID 4980 wrote to memory of 1832	4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe	110
PID 4980 wrote to memory of 1832	4980	{F7B2DB51-7E45-4af9-8473-22968451A269}.exe	110
PID 4740 wrote to memory of 4520	4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe	113
PID 4740 wrote to memory of 4520	4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe	113
PID 4740 wrote to memory of 4520	4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe	113
PID 4740 wrote to memory of 4556	4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe	114
PID 4740 wrote to memory of 4556	4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe	114
PID 4740 wrote to memory of 4556	4740	{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe	114
PID 4520 wrote to memory of 1092	4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe	115
PID 4520 wrote to memory of 1092	4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe	115
PID 4520 wrote to memory of 1092	4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe	115
PID 4520 wrote to memory of 4420	4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe	116
PID 4520 wrote to memory of 4420	4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe	116
PID 4520 wrote to memory of 4420	4520	{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe	116
PID 1092 wrote to memory of 464	1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe	121
PID 1092 wrote to memory of 464	1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe	121
PID 1092 wrote to memory of 464	1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe	121
PID 1092 wrote to memory of 4304	1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe	122
PID 1092 wrote to memory of 4304	1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe	122
PID 1092 wrote to memory of 4304	1092	{5AE42187-EA91-413f-A7A3-3516516E7624}.exe	122
PID 464 wrote to memory of 2392	464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe	126
PID 464 wrote to memory of 2392	464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe	126
PID 464 wrote to memory of 2392	464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe	126
PID 464 wrote to memory of 1224	464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe	127
PID 464 wrote to memory of 1224	464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe	127
PID 464 wrote to memory of 1224	464	{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe	127
PID 2392 wrote to memory of 4036	2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe	128
PID 2392 wrote to memory of 4036	2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe	128
PID 2392 wrote to memory of 4036	2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe	128
PID 2392 wrote to memory of 4432	2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe	129
PID 2392 wrote to memory of 4432	2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe	129
PID 2392 wrote to memory of 4432	2392	{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe	129
PID 4036 wrote to memory of 1180	4036	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe	130
PID 4036 wrote to memory of 1180	4036	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe	130
PID 4036 wrote to memory of 1180	4036	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe	130
PID 4036 wrote to memory of 4940	4036	{47936621-61B9-496f-9455-1F9913A6BFDB}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_6538f3adde737517d34a8746dadeaff7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe
  C:\Windows\{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe
    C:\Windows\{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe
      C:\Windows\{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\{F7B2DB51-7E45-4af9-8473-22968451A269}.exe
        
        C:\Windows\{F7B2DB51-7E45-4af9-8473-22968451A269}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe
        
        C:\Windows\{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe
        
        C:\Windows\{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\{5AE42187-EA91-413f-A7A3-3516516E7624}.exe
        
        C:\Windows\{5AE42187-EA91-413f-A7A3-3516516E7624}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe
        
        C:\Windows\{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe
        
        C:\Windows\{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\{47936621-61B9-496f-9455-1F9913A6BFDB}.exe
        
        C:\Windows\{47936621-61B9-496f-9455-1F9913A6BFDB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{25DD2715-0465-41f1-877A-C42C36D00E40}.exe
        
        C:\Windows\{25DD2715-0465-41f1-877A-C42C36D00E40}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}.exe
        
        C:\Windows\{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}.exe
        13⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25DD2~1.EXE > nul
        13⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47936~1.EXE > nul
        12⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D18C5~1.EXE > nul
        11⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ED21~1.EXE > nul
        10⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE42~1.EXE > nul
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20D73~1.EXE > nul
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F9D5~1.EXE > nul
        7⤵
        
        PID:4556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B2D~1.EXE > nul
        6⤵
        
        PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51C0F~1.EXE > nul
        5⤵
        
        PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25012~1.EXE > nul
      4⤵
      PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC34~1.EXE > nul
    3⤵
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20D734D2-ADBA-4922-AD2E-7112FD9561A1}.exe

Filesize
192KB

MD5
8dce00e8684f0821d9ec26ec614d6138

SHA1
7f90d8907f0a2ed0fcbfefa8c5369ce0535b6cfc

SHA256
f9c815c45d7237f2deeea26d36787e65953d720f7562f1e7a10ef6f076c4796b

SHA512
7fd6c3a7212385a0583a9067d522b0a73079be551691ab17a63f628304d1009ada87d6c56b514a0c1d64c9255687b45a49b8a1eb3f8e2cd288b909c5b23b30ad

Download Submit
C:\Windows\{25012ADA-C706-40ca-B6DB-A61EC7B1808B}.exe

Filesize
192KB

MD5
4c16eb97885a26e87c0192458d56adbc

SHA1
df310e0305a4a1d07b80de8b5bd60f7fe66c0b47

SHA256
837f39ecf77ca0e2a24977cbb657dff1bd3a477976d32cef5baebcb121f301f0

SHA512
75218c065aa5d9f5ac24339a50aeaf647ab54e4059dab4826d6e2d2b5af6678e7786029a6ba9c4a5a993375266ff44a800fa837b2ee3e55e3c8f30f1eb31ff28

Download Submit
C:\Windows\{25DD2715-0465-41f1-877A-C42C36D00E40}.exe

Filesize
192KB

MD5
fae64adfab34eb86f8cdc69fcd1eff74

SHA1
5a6855e0f3f35a8987b1f408e015b181e00b86c5

SHA256
970049f5efe7286a102f9327d47e3ffa3145e5280b89c6909309a57c337dc182

SHA512
c529760b1634989842cbeffb65ded68bbdf6ad7752724924ea80ec4f8f28e63ada5d7455e72ed9446efb4ab067801e3dfc84adeec734fc2ecab4fde252be6dba

Download Submit
C:\Windows\{3EC341ED-5181-455a-A4B1-6F2ACB6921F3}.exe

Filesize
192KB

MD5
4d2dc2c4adae79eb6984198d262bc481

SHA1
5fe259fd9137595aa2ea4c8612b000d2ea7c3e68

SHA256
35841c1e6ecfc07f20330bdd8f422af34717319f05ac0f3159f1c8954244e1cc

SHA512
eefc4992ac15bab96a18e9a6bdde19f788486e680c498695356aac8f1fa8532ac2559c457397f792604ac2a12fca77300afb84ed25641467a3104b0f7859d29c

Download Submit
C:\Windows\{47936621-61B9-496f-9455-1F9913A6BFDB}.exe

Filesize
192KB

MD5
ec6f088603fd71dab5d593199f8c8f49

SHA1
032624f267d939fd817375f3c3f524d9eb7fb2dd

SHA256
2491884f30467d84ee92563887526f50ce4f95597308c78126a88e97b7a9c045

SHA512
ec55d5f62f276302a9b467a7fd172c7abd6333ead14680ed6ae1f6cb9f7cc695f746d10f48a89e38dd7396396c9f5cad4083b450312c2d7367eb47003e815c47

Download Submit
C:\Windows\{4ED21DB7-2C0D-4e06-B8C3-611B4DB32C35}.exe

Filesize
192KB

MD5
f9395f14ebc2d33c4bb6a9dd44ce70da

SHA1
c5feedd4d273ba8828a2723f9f4cfbcaf3d72dee

SHA256
385a4878e9c9335047fe3d1396685e08cad48eac766e7a2ee163333518864f21

SHA512
d8892941fcdcf592223bf125b6400e0733a08470e3c19ead1604a7a012b5c250424ac6c829b552ff27053d0c77bb647e0354113b9e1753468ed353c4cd1a46d1

Download Submit
C:\Windows\{51C0F78D-9792-43f7-941B-2BC01A1623AD}.exe

Filesize
192KB

MD5
f583db051a7e83a7af82ae8a1daca26c

SHA1
748a029dbd26f24c3452d46579b0509482e76200

SHA256
e6466a7002d148535d00aec1619e0d6084df20f852f5a3f17ba7b41b04095a01

SHA512
0b4b68ef4800d0ef73a3a8373ec1c3e9ee288dcf006835d9169bd209771f36d67456dd4a87c09ee9fde4642ae7edacc4337293ad197efc3a5cf5ba1938d21779

Download Submit
C:\Windows\{5AE42187-EA91-413f-A7A3-3516516E7624}.exe

Filesize
192KB

MD5
fcfa27497297d52e8f0041b4c7a46bce

SHA1
4f18ccf1a8d601a04db5d27ea42c9276f66f4d9c

SHA256
0fdcbd7557a897f0cbec3a7033b9c6fee035fe061875e1afeaef68845b338447

SHA512
01bc7e07d5bbb4437b9675a6f387f78ae4ed9e1dd983eeaa0711a0e8cbd9cf9029160b3962614f18593503943ecb06f36c3ae55465b15fb7dbd9a739e34d1066

Download Submit
C:\Windows\{5F9D5E00-207F-4582-AB2B-DEAFB03A7F2A}.exe

Filesize
192KB

MD5
9909651bace3b2b73ffd19dce0565dcf

SHA1
38bfe4568aba6160268897256f911c9aa67fd6c1

SHA256
66e7c47bc57c5d8b1550b9c159cf064f66da66277b4017a97eba97f0350c2240

SHA512
4b532d6a47e4b2e3accdb2ed726232aefbd3d521051aae1c427048e9831d5800bfc61fe82f06efe898aa41eea64eab64621d7d22c9a0163149a892e4329f64d0

Download Submit
C:\Windows\{B7A1649D-ADA6-4ec8-8FE3-080B2BC45AB6}.exe

Filesize
192KB

MD5
1501c25257208f89acb611922e7e4606

SHA1
15d6d3c5e873b05e907f604fb0d54ca433cd2fb9

SHA256
7db5205a23f468c4841fbec4e46a868627a9d89612f60151bca4f51c1fefd8a0

SHA512
2fd59e4b8b04ede702cff61ecb6402fcf36ec25366141d0b5877b9ca242fe292df2d6045bc5a8a106aad4138b8b0bf11682b7bee29a3669938de10f3e7f87d8f

Download Submit
C:\Windows\{D18C5B44-8C99-4527-AB95-94ECA545EA70}.exe

Filesize
192KB

MD5
6288115281f22409cc297c3f31a904b1

SHA1
c2cabfc2dc75ea87fa886dce404595b979575397

SHA256
801a86ee52ea5e1da16c3ddf156f972cef44d72deed99497d9481b731d3777da

SHA512
e2d62737f346f4f4673e543d2378f64d95a26f4d96426a38ea028235a99a4a3978206e1514323aed9cfc7fd27fd8cefb45d7a057e8133daccf3577c1d349705e

Download Submit
C:\Windows\{F7B2DB51-7E45-4af9-8473-22968451A269}.exe

Filesize
192KB

MD5
d089c40aaa3187159dd892846fbba1a3

SHA1
3512c42bf274ed2badad2f8381db3e49915ac1e5

SHA256
b97e42420dc8ecfcbab9d0e5bf4ba0c0932a81bbb90645bbb89dae898e69a6ec

SHA512
c1ec8e2caa3fc61184a5bb77cb64c289748262c9e84aa3a215d00ae5bbbb65918424f83cf1d39a1bff39b7842185f6403d98977dca00c06665c62f4b4cc25dca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads