ed2b610d2e804064a0445c3764790e1677bd8d476db0da7a6a2957f66d27b06f

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe
Size

408KB
MD5

15e6527190928265146135e5a096a12b
SHA1

8d68f1f519f97dcb4f28f8c8bc0128e524996481
SHA256

ed2b610d2e804064a0445c3764790e1677bd8d476db0da7a6a2957f66d27b06f
SHA512

7dd806c5c84d3b3cfc3bcf2335b19aac46aa0fd8972f8ace2d2edd60bf09f92500b2301b8bf0a1253a05c75d60e0e795504e0be1bbc3fbd30a04616834bea230
SSDEEP

3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGDldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023231-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023238-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023347-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023135-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023256-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b2-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023255-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023150-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234da-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023140-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7590A18-D319-4cc6-A953-CD02251100EC}	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDC22238-43F6-4250-8FFD-64173D8FE9E3}	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}\stubpath = "C:\\Windows\\{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe"	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}	{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}\stubpath = "C:\\Windows\\{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}.exe"	{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16248CA1-1B6D-457f-933D-7325D68AE810}\stubpath = "C:\\Windows\\{16248CA1-1B6D-457f-933D-7325D68AE810}.exe"	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7590A18-D319-4cc6-A953-CD02251100EC}\stubpath = "C:\\Windows\\{D7590A18-D319-4cc6-A953-CD02251100EC}.exe"	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A02A623F-1877-4409-B0F4-9B646680E2F5}	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D498C64F-7C1E-4022-91FC-59E6DA0E5803}	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF020E48-32D5-484b-B7D7-53483C6775FD}	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}\stubpath = "C:\\Windows\\{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe"	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}\stubpath = "C:\\Windows\\{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe"	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}\stubpath = "C:\\Windows\\{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe"	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16248CA1-1B6D-457f-933D-7325D68AE810}	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}\stubpath = "C:\\Windows\\{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe"	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDC22238-43F6-4250-8FFD-64173D8FE9E3}\stubpath = "C:\\Windows\\{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe"	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A02A623F-1877-4409-B0F4-9B646680E2F5}\stubpath = "C:\\Windows\\{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe"	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D498C64F-7C1E-4022-91FC-59E6DA0E5803}\stubpath = "C:\\Windows\\{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe"	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF020E48-32D5-484b-B7D7-53483C6775FD}\stubpath = "C:\\Windows\\{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe"	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe
624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe
700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe
724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe
1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe
3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe
4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe
2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe
2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe
1492	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe
3648	{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe
4392	{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe
File created	C:\Windows\{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe
File created	C:\Windows\{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe
File created	C:\Windows\{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe
File created	C:\Windows\{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}.exe	{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe
File created	C:\Windows\{16248CA1-1B6D-457f-933D-7325D68AE810}.exe	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe
File created	C:\Windows\{D7590A18-D319-4cc6-A953-CD02251100EC}.exe	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe
File created	C:\Windows\{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe
File created	C:\Windows\{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe
File created	C:\Windows\{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe
File created	C:\Windows\{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe
File created	C:\Windows\{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4516	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe
Token: SeIncBasePriorityPrivilege	624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe
Token: SeIncBasePriorityPrivilege	700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe
Token: SeIncBasePriorityPrivilege	724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe
Token: SeIncBasePriorityPrivilege	1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe
Token: SeIncBasePriorityPrivilege	3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe
Token: SeIncBasePriorityPrivilege	4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe
Token: SeIncBasePriorityPrivilege	2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe
Token: SeIncBasePriorityPrivilege	2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe
Token: SeIncBasePriorityPrivilege	1492	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe
Token: SeIncBasePriorityPrivilege	3648	{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4764	4516	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe	96
PID 4516 wrote to memory of 4764	4516	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe	96
PID 4516 wrote to memory of 4764	4516	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe	96
PID 4516 wrote to memory of 4956	4516	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe	97
PID 4516 wrote to memory of 4956	4516	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe	97
PID 4516 wrote to memory of 4956	4516	2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe	97
PID 4764 wrote to memory of 624	4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe	100
PID 4764 wrote to memory of 624	4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe	100
PID 4764 wrote to memory of 624	4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe	100
PID 4764 wrote to memory of 4184	4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe	101
PID 4764 wrote to memory of 4184	4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe	101
PID 4764 wrote to memory of 4184	4764	{16248CA1-1B6D-457f-933D-7325D68AE810}.exe	101
PID 624 wrote to memory of 700	624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe	104
PID 624 wrote to memory of 700	624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe	104
PID 624 wrote to memory of 700	624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe	104
PID 624 wrote to memory of 1728	624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe	105
PID 624 wrote to memory of 1728	624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe	105
PID 624 wrote to memory of 1728	624	{D7590A18-D319-4cc6-A953-CD02251100EC}.exe	105
PID 700 wrote to memory of 724	700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe	108
PID 700 wrote to memory of 724	700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe	108
PID 700 wrote to memory of 724	700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe	108
PID 700 wrote to memory of 1276	700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe	109
PID 700 wrote to memory of 1276	700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe	109
PID 700 wrote to memory of 1276	700	{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe	109
PID 724 wrote to memory of 1300	724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe	110
PID 724 wrote to memory of 1300	724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe	110
PID 724 wrote to memory of 1300	724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe	110
PID 724 wrote to memory of 1932	724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe	111
PID 724 wrote to memory of 1932	724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe	111
PID 724 wrote to memory of 1932	724	{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe	111
PID 1300 wrote to memory of 3616	1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe	113
PID 1300 wrote to memory of 3616	1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe	113
PID 1300 wrote to memory of 3616	1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe	113
PID 1300 wrote to memory of 4544	1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe	114
PID 1300 wrote to memory of 4544	1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe	114
PID 1300 wrote to memory of 4544	1300	{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe	114
PID 3616 wrote to memory of 4852	3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe	115
PID 3616 wrote to memory of 4852	3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe	115
PID 3616 wrote to memory of 4852	3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe	115
PID 3616 wrote to memory of 2936	3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe	116
PID 3616 wrote to memory of 2936	3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe	116
PID 3616 wrote to memory of 2936	3616	{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe	116
PID 4852 wrote to memory of 2328	4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe	117
PID 4852 wrote to memory of 2328	4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe	117
PID 4852 wrote to memory of 2328	4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe	117
PID 4852 wrote to memory of 4396	4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe	118
PID 4852 wrote to memory of 4396	4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe	118
PID 4852 wrote to memory of 4396	4852	{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe	118
PID 2328 wrote to memory of 2508	2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe	123
PID 2328 wrote to memory of 2508	2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe	123
PID 2328 wrote to memory of 2508	2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe	123
PID 2328 wrote to memory of 4676	2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe	124
PID 2328 wrote to memory of 4676	2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe	124
PID 2328 wrote to memory of 4676	2328	{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe	124
PID 2508 wrote to memory of 1492	2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe	128
PID 2508 wrote to memory of 1492	2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe	128
PID 2508 wrote to memory of 1492	2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe	128
PID 2508 wrote to memory of 2904	2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe	129
PID 2508 wrote to memory of 2904	2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe	129
PID 2508 wrote to memory of 2904	2508	{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe	129
PID 1492 wrote to memory of 3648	1492	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe	130
PID 1492 wrote to memory of 3648	1492	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe	130
PID 1492 wrote to memory of 3648	1492	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe	130
PID 1492 wrote to memory of 4880	1492	{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\{16248CA1-1B6D-457f-933D-7325D68AE810}.exe
  C:\Windows\{16248CA1-1B6D-457f-933D-7325D68AE810}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\{D7590A18-D319-4cc6-A953-CD02251100EC}.exe
    C:\Windows\{D7590A18-D319-4cc6-A953-CD02251100EC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe
      C:\Windows\{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Windows\{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe
        
        C:\Windows\{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:724
      - C:\Windows\{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe
        
        C:\Windows\{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe
        
        C:\Windows\{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe
        
        C:\Windows\{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe
        
        C:\Windows\{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe
        
        C:\Windows\{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe
        
        C:\Windows\{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe
        
        C:\Windows\{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}.exe
        
        C:\Windows\{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}.exe
        13⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BEA5~1.EXE > nul
        13⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{014E6~1.EXE > nul
        12⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF38~1.EXE > nul
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF020~1.EXE > nul
        10⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CABD9~1.EXE > nul
        9⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D498C~1.EXE > nul
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A02A6~1.EXE > nul
        7⤵
        
        PID:4544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDC22~1.EXE > nul
        6⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE5E9~1.EXE > nul
        5⤵
        
        PID:1276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D7590~1.EXE > nul
      4⤵
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16248~1.EXE > nul
    3⤵
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{014E68C5-62FF-4d3d-9BA7-F9A24C78154F}.exe

Filesize
408KB

MD5
430538601239fdcba47c2774c1d02550

SHA1
c64bad7361933e79388009c2ff70122f80609230

SHA256
006a6639453b40197b75ab7cf0b2ca2eaef72275e2ca9ede57e413a68e4f3f34

SHA512
57f6697df1ad3775e73233b50ff328829e3765208cfd5006fef40a707a236f9bbb7957370df425fabb187dbf73c139727b52b92346a1cc28c3b0c6e7f3f3be1a

Download Submit
C:\Windows\{16248CA1-1B6D-457f-933D-7325D68AE810}.exe

Filesize
408KB

MD5
8bdbd83dfef73ec130b84cf8faac800e

SHA1
31b528e1797c218d30fd200266f08e02c34755cf

SHA256
07abc1363f8cdca5f3df9c0bf56b32b99d167f4802edb2b264d3e69e798ef5b2

SHA512
89fbba4461e5ce7f38519aa4314cc4298fec2e0491a090b91aa0d40e25475606c51d81e1a1d23f8a2b8ebba1b1ebcd3fc6b03523e4fe560175a73f4bb1ccbfb4

Download Submit
C:\Windows\{2BEA592F-1C72-41c8-92B3-CD29D817F8FB}.exe

Filesize
408KB

MD5
e445faa976451612a544a2e1be7f5a51

SHA1
3d545b6373e1d21273f04eb900ef899bdefa433e

SHA256
9f70c675c28428f452d0a26a4af4bc7e14a98b419614f8701dfb283268d8cb5a

SHA512
919d05c08c9d967829366b59020cedaee5217155e58b56557d85f17267784fde79a32bdd0f882ed4e54e491e1b10251e59f5f61e1944d6c74a2a21af80d619e0

Download Submit
C:\Windows\{8CF38A7A-73AC-4bb1-8F95-36E6E01FC7E5}.exe

Filesize
408KB

MD5
791a129b585273bc6aa674d11f244332

SHA1
91c1697de5565772d14c0fb12d4813771bacf00c

SHA256
731477f6418266b56fd314ed232ae45514bd8b965465601f24491e5be5ab103b

SHA512
2ab251c263bc10560451da1ee96325b6e91ad5132dd80c04b550b960f1f65f76b7ae8ff8991b3f15a73310a60dc5b76e57bfbfafb15d4eb179101a14a897068b

Download Submit
C:\Windows\{A02A623F-1877-4409-B0F4-9B646680E2F5}.exe

Filesize
408KB

MD5
8ce245e6f93b124e8e90e2d7958f92f1

SHA1
ff81ed6bb81486bc6595e07cda00fd31bf96f0a6

SHA256
74d470429efb0bc911448f8f3a537016f0f412e928826f4c9dac23b2bac98f64

SHA512
0b1d1271febf3e1ee9d36f8244a44537552ab696b3d1559f82adc5c405e76d5b89f623d69d5c1c3b8d66ac0b6f84a9283c5192aa8bd49756cde000a050553d98

Download Submit
C:\Windows\{B79F3D21-B7EA-4ef7-BA34-67DD8D0EA421}.exe

Filesize
408KB

MD5
ef9affad036bb874091f6d1ea18aef22

SHA1
0fea5f2d6b66948bae66cd9f03ca5a3f7fc1d2f0

SHA256
7b7a697c18837590c6e9d6755aaab3ea53979e75e334523f967857da19b02c8e

SHA512
6cf16a038b5834475c557be0e6a6acce20f8c71651d4bb33a052bfeb8e5ad474da63508ce52e31ec4071fd89c691c50fb79b1a8656bf242e0ce0405fa9ae11e0

Download Submit
C:\Windows\{BDC22238-43F6-4250-8FFD-64173D8FE9E3}.exe

Filesize
408KB

MD5
2b499adeefab2e5506bdb53c2bed2cb6

SHA1
58a3932c8c0c42c565f25cc8599d3d1e783de5de

SHA256
90eedd4ca7df1f094ee0e20e4bdd149ad97fb9248241ce3e7ea878e17987b3e3

SHA512
92bafd45d6ff5212261f3ac56723fefc88c72d22f77bbbdd30d770203de9910e28cbeeee8ec815eeaf9aba000302ae11d98c3a164dff3fbb07fbfb05909bb6bd

Download Submit
C:\Windows\{CABD963D-8B6A-4e1e-B18C-C0C6AD8D087D}.exe

Filesize
408KB

MD5
c5c1a91d4d91e3d4149f5567e567e123

SHA1
fff75887dc99379030f4ba978eb5e7dbf1338ece

SHA256
3debc4bb70eb1ca9e5ae2ad20e09ad27371571882d977a5042b3adc7c7d99853

SHA512
2e9122d4e4178b882a2be738f25e08a860bba2849d2bd34e90cdd68db2ce247437c87c09f82e4b8efd03e9af6be192e2bb20bea1e684101972165d549101f96b

Download Submit
C:\Windows\{CE5E94CE-0C71-421d-87A1-44C8DBBECB4C}.exe

Filesize
408KB

MD5
d3b01d7d041f79aa036c63ae35e8d50a

SHA1
0ee96e3438c75573f0693304943e3ade6475e29b

SHA256
275b283112c7d2fe6740ab9a6b229d8623f119a2bb98f11ff85783e9672f41d2

SHA512
ecc8799d32ed84ae098adaccfc512331d40619bd7b95658fbeb94835cdaefb4ade8cd202eabaa5b8bd8c936bf48695449a71ca89c849a034050a8c145fbdd334

Download Submit
C:\Windows\{CF020E48-32D5-484b-B7D7-53483C6775FD}.exe

Filesize
408KB

MD5
33d8b42ced220e06735fdc8efe307607

SHA1
ea923ad1633b8cc32ea5b81acf748e8eef78239f

SHA256
aef8e8052dcd9d397d286de50c980346a488f633488efea59847b727693e5638

SHA512
c0f254d54cebafb839be8e75c4d711acecb808ad7f8d899f0dcd97bdb3ceec1b4bc4157c8c1c5dcbc67fbd9619b388f8e90071d3b8e769a10caed03191a69fef

Download Submit
C:\Windows\{D498C64F-7C1E-4022-91FC-59E6DA0E5803}.exe

Filesize
408KB

MD5
8cdc753ba6692843c7372247940ad731

SHA1
87260d0343d07bee4a6623884def3c2be4023155

SHA256
ed0dec639b423b33c6a2c7324905307b65f7a56aa38bad5b1a7486933aef7a06

SHA512
0c7b8a08a636480f9c01ffa54a72f81eb172594e4baaed9bbda4c5ba505ec0e443ec0ee532dd65391c06562c5c116e6954692d9834024d940e506a0f5536fe35

Download Submit
C:\Windows\{D7590A18-D319-4cc6-A953-CD02251100EC}.exe

Filesize
408KB

MD5
79f2f422cd8cc7fe8ac4257dfd0803a4

SHA1
ead319246c721154d13aba2e61eb1bc8ad42cd62

SHA256
7e4d59031a347e9ca6bb90383f4c196f5dc3b5a4f83093230e1e2185411e56f1

SHA512
8170f85154cdcb73170a74923e9a3d2fde229d3895f954b48df97d3819878778986362c339be1d25c7f9c13a5c16717182696277522858fad9ad18afab2dca03

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads