dcebac52a828598c66559bca0f9e6e84ae383b820defe33d6474aaf718ce2e41

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 12:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe
Size

408KB
MD5

1a438d3245767ce861d8359b3ef4d260
SHA1

394d3d7b7cbd7a4a99548ed4a9228161f13ae6f1
SHA256

dcebac52a828598c66559bca0f9e6e84ae383b820defe33d6474aaf718ce2e41
SHA512

de07588d38dca6750c76da02980618646e883db951e92a5e385513f2e40ef08d50f3727e14e623b71fd57b0c1fb85dbc000017356126d659da28271b8bbff68e
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGcldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023225-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023225-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c5-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{265449F3-313D-419a-84EA-9536E5FA8B7B}	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{265449F3-313D-419a-84EA-9536E5FA8B7B}\stubpath = "C:\\Windows\\{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe"	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0393624-BAAA-484c-AE42-DF0900CBE367}	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}\stubpath = "C:\\Windows\\{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe"	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{517E4073-2CDD-4ccf-B538-32DF4883BF85}	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{517E4073-2CDD-4ccf-B538-32DF4883BF85}\stubpath = "C:\\Windows\\{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe"	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936E650C-AD15-4f94-9EE7-B4703949DE9F}	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{518977A7-E4D4-4a6b-BC62-51C6349F4167}	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3616C8A2-2D70-4c7b-8788-E466A537F1AF}	{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C741FE9-4CB3-4870-9101-4CDCE2074F11}\stubpath = "C:\\Windows\\{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe"	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{518977A7-E4D4-4a6b-BC62-51C6349F4167}\stubpath = "C:\\Windows\\{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe"	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2504BC20-1E27-4316-B0F2-E4B66B21E35A}	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}\stubpath = "C:\\Windows\\{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe"	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C438B1-90C4-4352-B576-99365B8A1C44}\stubpath = "C:\\Windows\\{80C438B1-90C4-4352-B576-99365B8A1C44}.exe"	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936E650C-AD15-4f94-9EE7-B4703949DE9F}\stubpath = "C:\\Windows\\{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe"	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0393624-BAAA-484c-AE42-DF0900CBE367}\stubpath = "C:\\Windows\\{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe"	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C741FE9-4CB3-4870-9101-4CDCE2074F11}	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3616C8A2-2D70-4c7b-8788-E466A537F1AF}\stubpath = "C:\\Windows\\{3616C8A2-2D70-4c7b-8788-E466A537F1AF}.exe"	{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}\stubpath = "C:\\Windows\\{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe"	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2504BC20-1E27-4316-B0F2-E4B66B21E35A}\stubpath = "C:\\Windows\\{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe"	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C438B1-90C4-4352-B576-99365B8A1C44}	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe

Executes dropped EXE 12 IoCs

pid	Process
5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe
3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe
1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe
4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe
2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe
3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe
5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe
3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe
1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe
824	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe
4668	{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe
4044	{3616C8A2-2D70-4c7b-8788-E466A537F1AF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe
File created	C:\Windows\{80C438B1-90C4-4352-B576-99365B8A1C44}.exe	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe
File created	C:\Windows\{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe
File created	C:\Windows\{3616C8A2-2D70-4c7b-8788-E466A537F1AF}.exe	{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe
File created	C:\Windows\{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe
File created	C:\Windows\{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe
File created	C:\Windows\{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe
File created	C:\Windows\{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe
File created	C:\Windows\{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe
File created	C:\Windows\{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe
File created	C:\Windows\{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe
File created	C:\Windows\{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5024	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe
Token: SeIncBasePriorityPrivilege	3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe
Token: SeIncBasePriorityPrivilege	1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe
Token: SeIncBasePriorityPrivilege	4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe
Token: SeIncBasePriorityPrivilege	2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe
Token: SeIncBasePriorityPrivilege	3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe
Token: SeIncBasePriorityPrivilege	5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe
Token: SeIncBasePriorityPrivilege	3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe
Token: SeIncBasePriorityPrivilege	1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe
Token: SeIncBasePriorityPrivilege	824	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe
Token: SeIncBasePriorityPrivilege	4668	{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 5096	5024	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe	89
PID 5024 wrote to memory of 5096	5024	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe	89
PID 5024 wrote to memory of 5096	5024	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe	89
PID 5024 wrote to memory of 3756	5024	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe	90
PID 5024 wrote to memory of 3756	5024	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe	90
PID 5024 wrote to memory of 3756	5024	2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe	90
PID 5096 wrote to memory of 3292	5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe	93
PID 5096 wrote to memory of 3292	5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe	93
PID 5096 wrote to memory of 3292	5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe	93
PID 5096 wrote to memory of 4488	5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe	94
PID 5096 wrote to memory of 4488	5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe	94
PID 5096 wrote to memory of 4488	5096	{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe	94
PID 3292 wrote to memory of 1708	3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe	96
PID 3292 wrote to memory of 1708	3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe	96
PID 3292 wrote to memory of 1708	3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe	96
PID 3292 wrote to memory of 4948	3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe	97
PID 3292 wrote to memory of 4948	3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe	97
PID 3292 wrote to memory of 4948	3292	{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe	97
PID 1708 wrote to memory of 4740	1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe	98
PID 1708 wrote to memory of 4740	1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe	98
PID 1708 wrote to memory of 4740	1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe	98
PID 1708 wrote to memory of 4188	1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe	99
PID 1708 wrote to memory of 4188	1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe	99
PID 1708 wrote to memory of 4188	1708	{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe	99
PID 4740 wrote to memory of 2472	4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe	100
PID 4740 wrote to memory of 2472	4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe	100
PID 4740 wrote to memory of 2472	4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe	100
PID 4740 wrote to memory of 2736	4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe	101
PID 4740 wrote to memory of 2736	4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe	101
PID 4740 wrote to memory of 2736	4740	{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe	101
PID 2472 wrote to memory of 3612	2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe	102
PID 2472 wrote to memory of 3612	2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe	102
PID 2472 wrote to memory of 3612	2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe	102
PID 2472 wrote to memory of 2812	2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe	103
PID 2472 wrote to memory of 2812	2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe	103
PID 2472 wrote to memory of 2812	2472	{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe	103
PID 3612 wrote to memory of 5076	3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe	104
PID 3612 wrote to memory of 5076	3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe	104
PID 3612 wrote to memory of 5076	3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe	104
PID 3612 wrote to memory of 1464	3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe	105
PID 3612 wrote to memory of 1464	3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe	105
PID 3612 wrote to memory of 1464	3612	{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe	105
PID 5076 wrote to memory of 3716	5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe	106
PID 5076 wrote to memory of 3716	5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe	106
PID 5076 wrote to memory of 3716	5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe	106
PID 5076 wrote to memory of 396	5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe	107
PID 5076 wrote to memory of 396	5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe	107
PID 5076 wrote to memory of 396	5076	{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe	107
PID 3716 wrote to memory of 1288	3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe	108
PID 3716 wrote to memory of 1288	3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe	108
PID 3716 wrote to memory of 1288	3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe	108
PID 3716 wrote to memory of 2724	3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe	109
PID 3716 wrote to memory of 2724	3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe	109
PID 3716 wrote to memory of 2724	3716	{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe	109
PID 1288 wrote to memory of 824	1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe	110
PID 1288 wrote to memory of 824	1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe	110
PID 1288 wrote to memory of 824	1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe	110
PID 1288 wrote to memory of 940	1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe	111
PID 1288 wrote to memory of 940	1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe	111
PID 1288 wrote to memory of 940	1288	{80C438B1-90C4-4352-B576-99365B8A1C44}.exe	111
PID 824 wrote to memory of 4668	824	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe	112
PID 824 wrote to memory of 4668	824	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe	112
PID 824 wrote to memory of 4668	824	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe	112
PID 824 wrote to memory of 4696	824	{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_1a438d3245767ce861d8359b3ef4d260_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe
  C:\Windows\{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe
    C:\Windows\{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe
      C:\Windows\{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe
        
        C:\Windows\{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe
        
        C:\Windows\{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe
        
        C:\Windows\{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe
        
        C:\Windows\{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe
        
        C:\Windows\{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\{80C438B1-90C4-4352-B576-99365B8A1C44}.exe
        
        C:\Windows\{80C438B1-90C4-4352-B576-99365B8A1C44}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe
        
        C:\Windows\{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe
        
        C:\Windows\{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\{3616C8A2-2D70-4c7b-8788-E466A537F1AF}.exe
        
        C:\Windows\{3616C8A2-2D70-4c7b-8788-E466A537F1AF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51897~1.EXE > nul
        13⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C741~1.EXE > nul
        12⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80C43~1.EXE > nul
        11⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15BD3~1.EXE > nul
        10⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0393~1.EXE > nul
        9⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26544~1.EXE > nul
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{936E6~1.EXE > nul
        7⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A312D~1.EXE > nul
        6⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8A1A~1.EXE > nul
        5⤵
        
        PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{517E4~1.EXE > nul
      4⤵
      PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2504B~1.EXE > nul
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C741FE9-4CB3-4870-9101-4CDCE2074F11}.exe

Filesize
408KB

MD5
5135d09adbd2983e102179c61e195ba8

SHA1
bee9cdc49a776c6b22ab7a19b480947624bb2ede

SHA256
5b17aea3a52ba865e418e456a4acd0cfa45fc375aa95c1362f6421a83112ce08

SHA512
35e1cddf3840bfcc01b8f2a5de457b616f733881262abed5b55053e3643ac70abb92ef545cfe94437438baf0fb1fecb45025f164e1e0f05d203dc04ad1dc1246

Download Submit
C:\Windows\{15BD33C5-C8AF-4435-8D87-3BFFDEBF4192}.exe

Filesize
408KB

MD5
fa0762ecc04e606caef2651aeda6dca3

SHA1
64f33daac4af28b1e7c49932ed801ccd578ee1a5

SHA256
d23d481ed8f615322e4aa7ff3b81a608b41e526c68cf497898e19e205f68a7d4

SHA512
2b6f469a7f0fdd474493a4dd972fbeda88073929c664672129fe3dd07c187fdeda43d7ded57d830e0aa599b261bfa8730123e7fefe9730a0497937240da92172

Download Submit
C:\Windows\{2504BC20-1E27-4316-B0F2-E4B66B21E35A}.exe

Filesize
408KB

MD5
177d460a5411e2c6c513ae93e793d92f

SHA1
4036c94fa1c84ccf31370dca0dcb58df94ede6b9

SHA256
145244316e48da04cf00bc6a0b2472c50a643296cc0d8b0a280487685b2a0855

SHA512
5ec40ab9c1a1f154436a2b05bac25a7d6419bfc68d33440589969b63d2faf65837a2457f7dffc195224c0bfaa94edf127715984c89e2fb90288580f989b10cec

Download Submit
C:\Windows\{265449F3-313D-419a-84EA-9536E5FA8B7B}.exe

Filesize
408KB

MD5
d6422a5892322e9394d34ab35289e1bd

SHA1
62f440906c670976a20f1dde27025a0df3583107

SHA256
436658458091a66bef553e67ca680d862e2750833fb5ab22c8837b5b526497c7

SHA512
8637099c81aee781d0d6566fc24a1e00287b9144894934f3c021a86564a866d52a5ba25e4e4815739c1debbe8b19ab0b53c095214098933154ee8e24a8550af4

Download Submit
C:\Windows\{3616C8A2-2D70-4c7b-8788-E466A537F1AF}.exe

Filesize
408KB

MD5
f689d8e4c20dfc9c2c92acf99a52703d

SHA1
33003e019f5e8b43d6e32bcd199a4aacaefaab6b

SHA256
38d82c28cfb76fac903f2426101dae33520d7ebcc36798cdd54428b18ad8f2b0

SHA512
701d6d8115be86123040b73320188a8484f3c9a7da1741f57668a7f8c7327981d30877d40f7eb51866ddaa0cd2760d5f881507af387f34439c6d604d391450c6

Download Submit
C:\Windows\{517E4073-2CDD-4ccf-B538-32DF4883BF85}.exe

Filesize
408KB

MD5
6da9ddd6284bcdbfe9c19c4e4f66d56b

SHA1
d792c009529c419bef65b49f95798d983cc3229a

SHA256
7aaf12ef6d08d6d89a724562610c7fa51e888819631d5f060eb42b1f0daef0b7

SHA512
ca5960f7e098b0bd92eaf38bc44fed8b7d9ced15a1a4184fabcfa55242cbe3a9b404a29791ead476b50ddca108077d37ef8eaeae0ef9081733f79793176d68dd

Download Submit
C:\Windows\{518977A7-E4D4-4a6b-BC62-51C6349F4167}.exe

Filesize
408KB

MD5
24172a063497de9bb5b3fffb69995067

SHA1
b34f9161e17e70fd2efe9f04cc467fd49564c331

SHA256
4cfcb2b07c39ebdd890f86220d60cd485e0b78eaaf7768e796361a7ececcb2b2

SHA512
e5411544d58556f79d4932802aebe6f934863f46e8e38030a054c5cb144e3a3d87055e48ba5da849af01b379abdd7e37d387a0716b9ce0557d37391be709ed70

Download Submit
C:\Windows\{80C438B1-90C4-4352-B576-99365B8A1C44}.exe

Filesize
408KB

MD5
348b6cd639b6b6f239dfe97cf7b476b1

SHA1
1f1b940f453148c2cce69a6d4515156b56756413

SHA256
b0d33d7e04a43d25697c842e4e34bfbd223b03466f7f8a4060edb64fb32d9d29

SHA512
a8740f1af641454f58d82bb2691851430e2a996502433feba1350f9eec19b393836da3f5a85cb1ce5961bf831cbfe8159a9e9e26d83580685193b7e832c2cdf7

Download Submit
C:\Windows\{936E650C-AD15-4f94-9EE7-B4703949DE9F}.exe

Filesize
408KB

MD5
59b85f30f229365defebfec614b04ccc

SHA1
6f1b9ea44ff99fd94f5ec5ff4dc1f767773e63e3

SHA256
9e3a205e708dcca2b44b2842222dbbd1fab36845779b995f8fe3adceb109095a

SHA512
43695fb6f7528f08415c2da1999a6fe9437ac57284d45b09f5fea67f932d2450f1feff5c3f045aadb7faa439319b2ae9f9d2e62cde292501270128d5257b3de4

Download Submit
C:\Windows\{A312D8DD-3E93-4d72-BFB5-3D6FD3C3E49D}.exe

Filesize
408KB

MD5
f61826ec3b5ccb895047be97201ccc6d

SHA1
b50c328fcd2eafab7b2c732ae05842de193e8a6e

SHA256
3b4d309cc8c2cba2315f7dca54c0e8f30be10992e6d2316727b28450cf2a7cf2

SHA512
73bb564f4d6565222eecd2fa0b1fece1f361bdb41ffe73b56d60bd7ee7451c310adc93b976e29b7350e451b64b9d110a15eb3d856bd87163a1ac34f9293d33f5

Download Submit
C:\Windows\{C8A1A22A-FD94-4b79-9B64-3717BAB95C88}.exe

Filesize
408KB

MD5
5c51a7bdfc5cab87557131557af78df5

SHA1
2ffbedf4f72486dd9306e3677b9c639e2f79a548

SHA256
fcb14306debd451f345e063df926efdb4f2028905a3bb0fa90a1ae7dc9c96302

SHA512
21f8b6f8e7869bcf8ce5a4ef87b5b2f40fda0931a1d6a67f1b2233b61182e7b765da3218bb5c4d90c4bc310356376346e89b58eccb8eccb539074c09bb198eb6

Download Submit
C:\Windows\{E0393624-BAAA-484c-AE42-DF0900CBE367}.exe

Filesize
408KB

MD5
3f4658907560d52c18aa56f7cf7dfc39

SHA1
6c68c19495773c2608fd68cdf8ef61950e615f8c

SHA256
dfc20045ad024c6b3d5accdca1ec77490ccc7d5985e81e6d2230265dc983e385

SHA512
1a3f262b2455e5c7231cb29b4ce5e0fbe5be022085be43a146a6c32bae4aa685835001f540d920a64a8308b09e32f77e489696da8ca882a2dc50fd9c1513b623

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads