c546cab010a0b64746298622c19c533b1eab86d42fa88bbdbf374640cb71515c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe
Size

408KB
MD5

4b1e5357a0548affbd95dab9fa1f1acd
SHA1

442e7a597dae86921daf9a82588c4770bd8769e0
SHA256

c546cab010a0b64746298622c19c533b1eab86d42fa88bbdbf374640cb71515c
SHA512

0e950f0b1fd4f05c240c867c0a0aea9164b7121dfef756a1d9721d1b179a0ba8b1d0dffbe371ff309e5441a5bb5e075a6ebf50a4d19275ca366ade6901b31190
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGpldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023202-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023326-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e400-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023326-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002338c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002338d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db4d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002312c-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b7-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234a5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023114-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345D795A-ADC1-4598-967C-795655750EBA}	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0365DD-9476-46b5-8699-5DFCE38F73A1}	{345D795A-ADC1-4598-967C-795655750EBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{118B29B4-687C-4018-8222-88656131C1DC}	{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}\stubpath = "C:\\Windows\\{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe"	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316074BE-5634-40df-95B4-5AD72DAC25E1}	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}\stubpath = "C:\\Windows\\{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe"	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316074BE-5634-40df-95B4-5AD72DAC25E1}\stubpath = "C:\\Windows\\{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe"	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}\stubpath = "C:\\Windows\\{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe"	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345D795A-ADC1-4598-967C-795655750EBA}\stubpath = "C:\\Windows\\{345D795A-ADC1-4598-967C-795655750EBA}.exe"	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0365DD-9476-46b5-8699-5DFCE38F73A1}\stubpath = "C:\\Windows\\{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe"	{345D795A-ADC1-4598-967C-795655750EBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}\stubpath = "C:\\Windows\\{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe"	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BED293-993A-4654-8076-AC1B332CEE19}	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}\stubpath = "C:\\Windows\\{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe"	{18BED293-993A-4654-8076-AC1B332CEE19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BED293-993A-4654-8076-AC1B332CEE19}\stubpath = "C:\\Windows\\{18BED293-993A-4654-8076-AC1B332CEE19}.exe"	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}	{18BED293-993A-4654-8076-AC1B332CEE19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{118B29B4-687C-4018-8222-88656131C1DC}\stubpath = "C:\\Windows\\{118B29B4-687C-4018-8222-88656131C1DC}.exe"	{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}\stubpath = "C:\\Windows\\{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe"	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB42158-207A-4569-9E3B-5412F91437C3}	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB42158-207A-4569-9E3B-5412F91437C3}\stubpath = "C:\\Windows\\{2BB42158-207A-4569-9E3B-5412F91437C3}.exe"	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe

Executes dropped EXE 12 IoCs

pid	Process
1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe
3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe
3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe
1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe
4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe
60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe
4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe
4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe
4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe
1260	{345D795A-ADC1-4598-967C-795655750EBA}.exe
4780	{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe
2588	{118B29B4-687C-4018-8222-88656131C1DC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe
File created	C:\Windows\{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe
File created	C:\Windows\{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe
File created	C:\Windows\{2BB42158-207A-4569-9E3B-5412F91437C3}.exe	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe
File created	C:\Windows\{18BED293-993A-4654-8076-AC1B332CEE19}.exe	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe
File created	C:\Windows\{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe	{345D795A-ADC1-4598-967C-795655750EBA}.exe
File created	C:\Windows\{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe
File created	C:\Windows\{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe
File created	C:\Windows\{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe
File created	C:\Windows\{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe	{18BED293-993A-4654-8076-AC1B332CEE19}.exe
File created	C:\Windows\{345D795A-ADC1-4598-967C-795655750EBA}.exe	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe
File created	C:\Windows\{118B29B4-687C-4018-8222-88656131C1DC}.exe	{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1296	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe
Token: SeIncBasePriorityPrivilege	3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe
Token: SeIncBasePriorityPrivilege	3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe
Token: SeIncBasePriorityPrivilege	1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe
Token: SeIncBasePriorityPrivilege	4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe
Token: SeIncBasePriorityPrivilege	60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe
Token: SeIncBasePriorityPrivilege	4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe
Token: SeIncBasePriorityPrivilege	4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe
Token: SeIncBasePriorityPrivilege	4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe
Token: SeIncBasePriorityPrivilege	1260	{345D795A-ADC1-4598-967C-795655750EBA}.exe
Token: SeIncBasePriorityPrivilege	4780	{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1368	1296	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe	97
PID 1296 wrote to memory of 1368	1296	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe	97
PID 1296 wrote to memory of 1368	1296	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe	97
PID 1296 wrote to memory of 3280	1296	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe	98
PID 1296 wrote to memory of 3280	1296	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe	98
PID 1296 wrote to memory of 3280	1296	2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe	98
PID 1368 wrote to memory of 3676	1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe	101
PID 1368 wrote to memory of 3676	1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe	101
PID 1368 wrote to memory of 3676	1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe	101
PID 1368 wrote to memory of 1164	1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe	102
PID 1368 wrote to memory of 1164	1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe	102
PID 1368 wrote to memory of 1164	1368	{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe	102
PID 3676 wrote to memory of 3120	3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe	106
PID 3676 wrote to memory of 3120	3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe	106
PID 3676 wrote to memory of 3120	3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe	106
PID 3676 wrote to memory of 1612	3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe	107
PID 3676 wrote to memory of 1612	3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe	107
PID 3676 wrote to memory of 1612	3676	{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe	107
PID 3120 wrote to memory of 1692	3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe	108
PID 3120 wrote to memory of 1692	3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe	108
PID 3120 wrote to memory of 1692	3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe	108
PID 3120 wrote to memory of 3284	3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe	109
PID 3120 wrote to memory of 3284	3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe	109
PID 3120 wrote to memory of 3284	3120	{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe	109
PID 1692 wrote to memory of 4656	1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe	110
PID 1692 wrote to memory of 4656	1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe	110
PID 1692 wrote to memory of 4656	1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe	110
PID 1692 wrote to memory of 1476	1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe	111
PID 1692 wrote to memory of 1476	1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe	111
PID 1692 wrote to memory of 1476	1692	{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe	111
PID 4656 wrote to memory of 60	4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe	113
PID 4656 wrote to memory of 60	4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe	113
PID 4656 wrote to memory of 60	4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe	113
PID 4656 wrote to memory of 1996	4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe	114
PID 4656 wrote to memory of 1996	4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe	114
PID 4656 wrote to memory of 1996	4656	{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe	114
PID 60 wrote to memory of 4012	60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe	115
PID 60 wrote to memory of 4012	60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe	115
PID 60 wrote to memory of 4012	60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe	115
PID 60 wrote to memory of 400	60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe	116
PID 60 wrote to memory of 400	60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe	116
PID 60 wrote to memory of 400	60	{2BB42158-207A-4569-9E3B-5412F91437C3}.exe	116
PID 4012 wrote to memory of 4900	4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe	117
PID 4012 wrote to memory of 4900	4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe	117
PID 4012 wrote to memory of 4900	4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe	117
PID 4012 wrote to memory of 4620	4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe	118
PID 4012 wrote to memory of 4620	4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe	118
PID 4012 wrote to memory of 4620	4012	{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe	118
PID 4900 wrote to memory of 4184	4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe	126
PID 4900 wrote to memory of 4184	4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe	126
PID 4900 wrote to memory of 4184	4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe	126
PID 4900 wrote to memory of 3084	4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe	127
PID 4900 wrote to memory of 3084	4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe	127
PID 4900 wrote to memory of 3084	4900	{18BED293-993A-4654-8076-AC1B332CEE19}.exe	127
PID 4184 wrote to memory of 1260	4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe	128
PID 4184 wrote to memory of 1260	4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe	128
PID 4184 wrote to memory of 1260	4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe	128
PID 4184 wrote to memory of 2860	4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe	129
PID 4184 wrote to memory of 2860	4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe	129
PID 4184 wrote to memory of 2860	4184	{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe	129
PID 1260 wrote to memory of 4780	1260	{345D795A-ADC1-4598-967C-795655750EBA}.exe	130
PID 1260 wrote to memory of 4780	1260	{345D795A-ADC1-4598-967C-795655750EBA}.exe	130
PID 1260 wrote to memory of 4780	1260	{345D795A-ADC1-4598-967C-795655750EBA}.exe	130
PID 1260 wrote to memory of 220	1260	{345D795A-ADC1-4598-967C-795655750EBA}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_4b1e5357a0548affbd95dab9fa1f1acd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe
  C:\Windows\{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe
    C:\Windows\{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe
      C:\Windows\{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe
        
        C:\Windows\{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe
        
        C:\Windows\{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\{2BB42158-207A-4569-9E3B-5412F91437C3}.exe
        
        C:\Windows\{2BB42158-207A-4569-9E3B-5412F91437C3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe
        
        C:\Windows\{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\{18BED293-993A-4654-8076-AC1B332CEE19}.exe
        
        C:\Windows\{18BED293-993A-4654-8076-AC1B332CEE19}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe
        
        C:\Windows\{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\{345D795A-ADC1-4598-967C-795655750EBA}.exe
        
        C:\Windows\{345D795A-ADC1-4598-967C-795655750EBA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe
        
        C:\Windows\{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\{118B29B4-687C-4018-8222-88656131C1DC}.exe
        
        C:\Windows\{118B29B4-687C-4018-8222-88656131C1DC}.exe
        13⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA036~1.EXE > nul
        13⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{345D7~1.EXE > nul
        12⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01CFF~1.EXE > nul
        11⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18BED~1.EXE > nul
        10⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{741C5~1.EXE > nul
        9⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BB42~1.EXE > nul
        8⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38B6A~1.EXE > nul
        7⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31607~1.EXE > nul
        6⤵
        
        PID:1476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C26B~1.EXE > nul
        5⤵
        
        PID:3284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD2E5~1.EXE > nul
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4776A~1.EXE > nul
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01CFF157-34B4-4c5e-BDC6-6A03DF358B7C}.exe

Filesize
408KB

MD5
ce7ade574e84cbb97beb5f7e35cb666c

SHA1
24182572242ae552494d32cfeb314251fe448a30

SHA256
8ef31fe06627a525f66b5cd1205c9fa23fd04b895e29305882d081c37a439748

SHA512
d30dd1cec148b29ee1e0b42bf6950057c06504749646b7fdbf2f8e35d4532a446478ac9a082945c7730cccd31c9980ab8a75dc22ca543e14c451810ec87c8bbd

Download Submit
C:\Windows\{118B29B4-687C-4018-8222-88656131C1DC}.exe

Filesize
408KB

MD5
1d14721557dd78ec20440c58837347b4

SHA1
0a5365c02d2e11caa8e309050c4d6698373fbc47

SHA256
18508cddbc1c83fbd2fd5aaf59bcaac743c12e985982866f5057b241f9902a77

SHA512
6a76ab34de9196c22017b6c290c20cdb7e8eab71a1a0c74c89facb4b463a774830c408bc28915374ff8b88e10e7985227193d7e545a867ca2fab143eee1ce85b

Download Submit
C:\Windows\{18BED293-993A-4654-8076-AC1B332CEE19}.exe

Filesize
408KB

MD5
31a78ff68f0b20552c9f85683716a365

SHA1
1637dedb54bc7dee970f8fd56c3efa492d54390c

SHA256
935310107817b054c7b6738cf45abbaff74ac4bb9a15ec6ee4facb76389b0ca2

SHA512
f4004b094feb8f40a33b23cb203118f25f4062fde88d06c9dca2ad10deceda229963969548bbaa0724f25d44b298a19185601311460b82983ea1d438816d11c2

Download Submit
C:\Windows\{2BB42158-207A-4569-9E3B-5412F91437C3}.exe

Filesize
408KB

MD5
a71ab419f3750c084b5ddabf7f1cce5a

SHA1
cef5c0e951ef63c0a897ce1c7245112ab02ad56d

SHA256
fe9a22b00776368d0debf7baf16f9170cef9358ae94388ca533465a266896878

SHA512
24d6a3e3238658c06aba56cef2b52805de0bf083e440ca27a476d4f7576f638420c9eb3b8b7f89b43d2258382970afa834ddf215f6103eb32487f66072647227

Download Submit
C:\Windows\{316074BE-5634-40df-95B4-5AD72DAC25E1}.exe

Filesize
408KB

MD5
14535fed64398f26998ff040178cefca

SHA1
33c9149e5cd4688876bd3418dd5e0edbfcc3c96e

SHA256
168f4c00820c1c90f1a58b43e6426451421ad7bf1ee9ddc5c81019acf7bf1c38

SHA512
8482f4528310429af5a409ae2d94a03356411b6f7f3a5ef8e0e9b9de0854a6a159911b6b84ebd68a732b1c4d829016e8884db8bc088eff2891333529d809941d

Download Submit
C:\Windows\{345D795A-ADC1-4598-967C-795655750EBA}.exe

Filesize
408KB

MD5
a5d53d6e906643d8c5ac654eb1f550ce

SHA1
155b7448021bba14f5c53cf49cc75ff98c5b7b49

SHA256
f4651616183f6b8b09a8a7d421bd9117393ba143cbcde34f8ba21a5d1f31795b

SHA512
9b0a8fcde904f73fe55283691aecae56a7848f307b4410fbf9289a290f06dd2c609c5e4e854939fb3754cd4a9106a21c978ef6f458d365366b1755391a2c0eac

Download Submit
C:\Windows\{38B6A3B6-90AC-4097-AC22-E7EF7562EE71}.exe

Filesize
408KB

MD5
2a6457c283cce9be25085745e73d6d6b

SHA1
bf11d8a7aeac36d41d777d31b26962a05bf7a90f

SHA256
cb7b2e9590b0602789f7fef97a37f59e98e90df1e0049ae607b91c00273ef43a

SHA512
3b6dc2b6a5db3b3b3c42d7c3ab9c4dc7aea014b0018736001845cd7e9cdfaa3a4afdd7ab520c20c3dfb3e286fa146e405c969a6062f353173a4ba9211d386796

Download Submit
C:\Windows\{4776AA80-D1DA-42e2-BA67-B6D36EB46C88}.exe

Filesize
408KB

MD5
527a74f79b344afd0bd5e56f16c02ac8

SHA1
638784286c27ed4f7e7079123cc6d37c310eb763

SHA256
c02b4f18f98378e0409daa9f36cf8b01d7eea95368510d01e09abb359e500925

SHA512
e8330dab7c16207c7ef02c2d776203d0f877cafaba967fb0afbedaadc885be38fac1bdd3a4784ed78e37314c0522a4db7f5ef0a7419daf694edade4aa9db0b03

Download Submit
C:\Windows\{741C5656-05F0-4a8e-B2AB-6F9E7DB4F3B8}.exe

Filesize
408KB

MD5
04065790dc9da77f8deaab82a3a6ea50

SHA1
3e5ff17ea0d6340e61a298ee6e618c05b9701b4d

SHA256
47dfc0a1945c82af9855919168e656235175f3ea6ba7c20229cea5478addbbf8

SHA512
22ccb35a85326439b565865102d09feba4506a24c258fc95ad5602f87d69a922b54044a3a92ddab9555a5002f4ca37fe1ff42f07e06bc5f353452f9cefa79c74

Download Submit
C:\Windows\{9C26BA69-07AF-4ab4-B69F-FCBECE4E8373}.exe

Filesize
408KB

MD5
249523d515b1b9ca0a5432df8bbb948d

SHA1
66b40a75e6f087db09f9a8da954881f3e1ba4157

SHA256
48856c27c39babcddf638fef0d718e65a9caecaaccf3b1ff6e5d266e73d638a7

SHA512
28a4917d60845de603d6466bc30b3de76c9fc45535145c48b013bb9dd18af517f40ae23b2d0ee1dcd300be41559c1e60336e797d329f203dca4ba3634f010f7d

Download Submit
C:\Windows\{AD2E5484-8848-41ce-8AC3-5C228F0BE2A2}.exe

Filesize
408KB

MD5
e7f486313c97160664924df28a999c1f

SHA1
7541025e7cb089e6882719ed234ef6707334887d

SHA256
8a9101df531300b3d292786607cc40a375264507284efa8e4aa05efe0f8a5d65

SHA512
19642894ecf9f0c78dccde37e5d1a273f39410da7ee50215f2b036f070db57a5f6a8db886b9a3898b279953a884dd845be3beed93885bf225b7947cd1d3373a5

Download Submit
C:\Windows\{DA0365DD-9476-46b5-8699-5DFCE38F73A1}.exe

Filesize
408KB

MD5
1af33b734cb5bdc39df8c1b0d8cd0203

SHA1
e101f2285e5ea5f733a9ddd1c4d6a787eeb6e0d5

SHA256
31cf031031504cbbbe3bbeb8b86e4b0b06199893418c8d2d6c74c695916e53da

SHA512
2ba84742fae5f44582e8bf2b33c5ae40039cdd4b370736794d9bbcdc5c672de61a745b06619fa5edf82b5c7ea6dbe971ae113fdf412f6e0e6c706a7d78dbb83b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads