0879c405098d0cd79b9ec2f9209b5a382b353601907cb3d77a5b2b96182b8144

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 09:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe
Size

168KB
MD5

d07bbe61b500416bbf4be774a9ef5c8e
SHA1

4326c29220b6bda671f2bf0d599fafa789014533
SHA256

0879c405098d0cd79b9ec2f9209b5a382b353601907cb3d77a5b2b96182b8144
SHA512

64ba6de544684fde25540269db5a7ae4df09ea0dee415dbda1c4c97a3bdcb60c5dc6274acddacdeb9399023cb91a981bf78eb7fd0445bae95b436a7653ae4f73
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002324a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002323a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023154-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002323a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023154-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001500000002323a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023154-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023265-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002314b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023154-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002314b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023155-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}\stubpath = "C:\\Windows\\{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}.exe"	{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3004BFE5-2E48-4852-BEA9-2549B6834B20}	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF288BE-04C3-4cce-A942-C0447BE84EFD}\stubpath = "C:\\Windows\\{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe"	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12B6D33C-D710-4226-8C51-3EFA63F14921}	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05240B3-804D-4a7f-A03C-3E0A570F66DC}\stubpath = "C:\\Windows\\{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe"	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}\stubpath = "C:\\Windows\\{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe"	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9FF2930-63FB-406c-A3DC-E294C85C97FF}	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}\stubpath = "C:\\Windows\\{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe"	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1261B1CE-27E7-4622-9D63-5FA386221076}\stubpath = "C:\\Windows\\{1261B1CE-27E7-4622-9D63-5FA386221076}.exe"	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3004BFE5-2E48-4852-BEA9-2549B6834B20}\stubpath = "C:\\Windows\\{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe"	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05240B3-804D-4a7f-A03C-3E0A570F66DC}	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}\stubpath = "C:\\Windows\\{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe"	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF288BE-04C3-4cce-A942-C0447BE84EFD}	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12B6D33C-D710-4226-8C51-3EFA63F14921}\stubpath = "C:\\Windows\\{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe"	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1261B1CE-27E7-4622-9D63-5FA386221076}	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}\stubpath = "C:\\Windows\\{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe"	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A552BDF-D98C-4815-B1B2-FABCDF051160}	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A552BDF-D98C-4815-B1B2-FABCDF051160}\stubpath = "C:\\Windows\\{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe"	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9FF2930-63FB-406c-A3DC-E294C85C97FF}\stubpath = "C:\\Windows\\{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe"	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}	{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe

Executes dropped EXE 12 IoCs

pid	Process
1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe
1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe
740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe
2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe
1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe
2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe
3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe
3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe
4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe
2152	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe
4652	{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe
3692	{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1261B1CE-27E7-4622-9D63-5FA386221076}.exe	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe
File created	C:\Windows\{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe
File created	C:\Windows\{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}.exe	{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe
File created	C:\Windows\{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe
File created	C:\Windows\{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe
File created	C:\Windows\{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe
File created	C:\Windows\{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe
File created	C:\Windows\{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe
File created	C:\Windows\{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe
File created	C:\Windows\{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe
File created	C:\Windows\{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe
File created	C:\Windows\{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3076	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe
Token: SeIncBasePriorityPrivilege	1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe
Token: SeIncBasePriorityPrivilege	740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe
Token: SeIncBasePriorityPrivilege	2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe
Token: SeIncBasePriorityPrivilege	1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe
Token: SeIncBasePriorityPrivilege	2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe
Token: SeIncBasePriorityPrivilege	3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe
Token: SeIncBasePriorityPrivilege	3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe
Token: SeIncBasePriorityPrivilege	4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe
Token: SeIncBasePriorityPrivilege	2152	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe
Token: SeIncBasePriorityPrivilege	4652	{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 1644	3076	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe	100
PID 3076 wrote to memory of 1644	3076	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe	100
PID 3076 wrote to memory of 1644	3076	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe	100
PID 3076 wrote to memory of 1828	3076	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe	101
PID 3076 wrote to memory of 1828	3076	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe	101
PID 3076 wrote to memory of 1828	3076	2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe	101
PID 1644 wrote to memory of 1412	1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe	102
PID 1644 wrote to memory of 1412	1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe	102
PID 1644 wrote to memory of 1412	1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe	102
PID 1644 wrote to memory of 2376	1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe	103
PID 1644 wrote to memory of 2376	1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe	103
PID 1644 wrote to memory of 2376	1644	{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe	103
PID 1412 wrote to memory of 740	1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe	106
PID 1412 wrote to memory of 740	1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe	106
PID 1412 wrote to memory of 740	1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe	106
PID 1412 wrote to memory of 400	1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe	107
PID 1412 wrote to memory of 400	1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe	107
PID 1412 wrote to memory of 400	1412	{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe	107
PID 740 wrote to memory of 2472	740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe	108
PID 740 wrote to memory of 2472	740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe	108
PID 740 wrote to memory of 2472	740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe	108
PID 740 wrote to memory of 2580	740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe	109
PID 740 wrote to memory of 2580	740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe	109
PID 740 wrote to memory of 2580	740	{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe	109
PID 2472 wrote to memory of 1868	2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe	110
PID 2472 wrote to memory of 1868	2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe	110
PID 2472 wrote to memory of 1868	2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe	110
PID 2472 wrote to memory of 3656	2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe	111
PID 2472 wrote to memory of 3656	2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe	111
PID 2472 wrote to memory of 3656	2472	{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe	111
PID 1868 wrote to memory of 2464	1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe	113
PID 1868 wrote to memory of 2464	1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe	113
PID 1868 wrote to memory of 2464	1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe	113
PID 1868 wrote to memory of 1256	1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe	114
PID 1868 wrote to memory of 1256	1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe	114
PID 1868 wrote to memory of 1256	1868	{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe	114
PID 2464 wrote to memory of 3580	2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe	115
PID 2464 wrote to memory of 3580	2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe	115
PID 2464 wrote to memory of 3580	2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe	115
PID 2464 wrote to memory of 2520	2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe	116
PID 2464 wrote to memory of 2520	2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe	116
PID 2464 wrote to memory of 2520	2464	{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe	116
PID 3580 wrote to memory of 3180	3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe	121
PID 3580 wrote to memory of 3180	3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe	121
PID 3580 wrote to memory of 3180	3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe	121
PID 3580 wrote to memory of 2168	3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe	122
PID 3580 wrote to memory of 2168	3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe	122
PID 3580 wrote to memory of 2168	3580	{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe	122
PID 3180 wrote to memory of 4040	3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe	126
PID 3180 wrote to memory of 4040	3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe	126
PID 3180 wrote to memory of 4040	3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe	126
PID 3180 wrote to memory of 5096	3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe	127
PID 3180 wrote to memory of 5096	3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe	127
PID 3180 wrote to memory of 5096	3180	{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe	127
PID 4040 wrote to memory of 2152	4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe	128
PID 4040 wrote to memory of 2152	4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe	128
PID 4040 wrote to memory of 2152	4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe	128
PID 4040 wrote to memory of 4440	4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe	129
PID 4040 wrote to memory of 4440	4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe	129
PID 4040 wrote to memory of 4440	4040	{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe	129
PID 2152 wrote to memory of 4652	2152	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe	130
PID 2152 wrote to memory of 4652	2152	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe	130
PID 2152 wrote to memory of 4652	2152	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe	130
PID 2152 wrote to memory of 3704	2152	{1261B1CE-27E7-4622-9D63-5FA386221076}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_d07bbe61b500416bbf4be774a9ef5c8e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe
  C:\Windows\{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe
    C:\Windows\{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe
      C:\Windows\{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe
        
        C:\Windows\{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe
        
        C:\Windows\{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe
        
        C:\Windows\{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe
        
        C:\Windows\{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe
        
        C:\Windows\{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe
        
        C:\Windows\{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{1261B1CE-27E7-4622-9D63-5FA386221076}.exe
        
        C:\Windows\{1261B1CE-27E7-4622-9D63-5FA386221076}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe
        
        C:\Windows\{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}.exe
        
        C:\Windows\{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}.exe
        13⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDD3D~1.EXE > nul
        13⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1261B~1.EXE > nul
        12⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12B6D~1.EXE > nul
        11⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BF28~1.EXE > nul
        10⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04C10~1.EXE > nul
        9⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9FF2~1.EXE > nul
        8⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD0D9~1.EXE > nul
        7⤵
        
        PID:1256
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0524~1.EXE > nul
        6⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A552~1.EXE > nul
        5⤵
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3004B~1.EXE > nul
      4⤵
      PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE23~1.EXE > nul
    3⤵
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04C10569-FC4C-4ecd-9D6A-70C08B0F63CC}.exe

Filesize
168KB

MD5
ec41bcc4b442eccc022831e57dbe7799

SHA1
6ebfec0fd2d188454363f65d1c691603892b387c

SHA256
ef00bccda38567592d49011216b5cf33b9aef0299bdf752ddb1dd643193137b9

SHA512
d01f3be618885a17a38bee0c892b516501e73b7bda3c8e928cffdcd9abf59e2bd2da0223489b5bc6611e29bd12c3f44c7b284d182da80ed042c3d99aa028677d

Download Submit
C:\Windows\{1261B1CE-27E7-4622-9D63-5FA386221076}.exe

Filesize
168KB

MD5
87312f356b0b80a7a5b25993fec16c91

SHA1
753a416cf9670596a755b96d521ef090d0c8ce62

SHA256
7d809c64033a287a00b29727f48537ba601df766a30daebbfeb5017383786017

SHA512
0bdc1dfb27a5c0c9609d20fab291b4ac46f3c52be1f68363dcb5f5257448836b66453dab172a91349b097b168de944a945f32d57fa83bd3cb09f19342d6b025f

Download Submit
C:\Windows\{12B6D33C-D710-4226-8C51-3EFA63F14921}.exe

Filesize
168KB

MD5
1d71edc955c34595621f65a20daa82be

SHA1
b95cfc5adeff91a4faae599e1157b71d1b554084

SHA256
1e91e9e7e84d22b89ff8d5e61999c10b55ff20783e5cae8cd605d4702d10698f

SHA512
951a376502d659a283f3af010b4690498645af9cea7ecedbc2aac822ebf5261a2c935dd60888b4fdee7bdf2981a3125198dfb5a2934181283016b69f6ad73c76

Download Submit
C:\Windows\{1BF288BE-04C3-4cce-A942-C0447BE84EFD}.exe

Filesize
168KB

MD5
18ea23c5d1d799cfed09df3e0e87e708

SHA1
8f78c5bd6726e95a93ce39eb903802de5f433744

SHA256
6563c74a9f47fdbb7b110042cec4afbb225d9ab07a950bd6592f356f5f4405a3

SHA512
afb30a76fb8cdc1640438601a5679bea8fe46ffdbeb80c98a350ceea3cdaca1d8e88278371d58b0107e31ae379184acafda06ca85f7a314fadc9c529531a4c4c

Download Submit
C:\Windows\{1FE23C5A-F3FF-4c98-BD5C-EE9140239913}.exe

Filesize
168KB

MD5
2dae10c5f1a2def7416afa0882d4e042

SHA1
1a568cfa97756db6d4ba17dcba0f0469f32020f2

SHA256
1b87111582cdc9f8f9d097f96ea6695d78e2a84ae644e2e46480fb155882d6e0

SHA512
5e1aaaa63c33ba8cfd5a6b4281bf676b6cc5116b24f97584e907a142ae0f10c1cc486d0f3a3fa3870e45f2b1630ad93b761fecd4a921293face21a619ed6d847

Download Submit
C:\Windows\{3004BFE5-2E48-4852-BEA9-2549B6834B20}.exe

Filesize
168KB

MD5
a520726127e499e895338448b8e7b7ee

SHA1
1b509b1d2a1b7d661d0ecdedd29a34872cd7335b

SHA256
cc43e25cdb9ec1166f5512e5c869d3c2f7a72310e62351c92b9ab0ecd8112418

SHA512
458842980fa494233e7aadd40f59b2499c3b557e63ea4a6ee2f13d144810e91bbdd836431cd981b5e52bbba17045be74ade38a448c07032c6b103fd23e2b6bbd

Download Submit
C:\Windows\{3A552BDF-D98C-4815-B1B2-FABCDF051160}.exe

Filesize
168KB

MD5
99e7e2856b09d56174a69bf7da4a9ec6

SHA1
df66d535625dd73281eb7782eae474b813f82b53

SHA256
577ba96f9779ec175be42643ef27b3ffe7c74bca629d87bb93bc5c270212d7c6

SHA512
d3dc605ac41d37c566274a165c88a6e70985d799052991d66b9d5a1702c433b4fba36d1541bd922ad68adf3e531b1888b6c88ba6b2c0e9ec2776529312803370

Download Submit
C:\Windows\{CD0D9F6D-A6DD-484f-BF1E-D206CED18459}.exe

Filesize
168KB

MD5
dacc35b6a3ba7c4b5e11a3cacddd590c

SHA1
2f1bb3f0488943902046c0b6f93d2f3fe781b4cb

SHA256
249f00fe966e1138083ab5e35d0102b373f443f7516aa730c15b5587306102a4

SHA512
ed88819564abedcf87fb643cfefd050ba1520a2d5b9ed10c30b07d320dab99209060b6d74701b2d313799320653d55e2a8dbb2dcfe149ff410c4a1ce7587ff2e

Download Submit
C:\Windows\{E80B82B5-B5D9-454c-B49F-C478EE81D5E1}.exe

Filesize
168KB

MD5
7adc78115abe96daa2a5d36db21558c4

SHA1
ddb275c46a0d0f480c4f3ea3862f4ddce1620780

SHA256
b074299e0aecbe82f13ac00a9c0e5ece687eee7a2d47efdc42d9f48d1351d81b

SHA512
ce7d3387c7607185f1c4513b749f7b90290b796b64fbe317331d3930a0f9a6e3304822350cbeac8eb41415da82dd0521fdd8cac0b2983d424703a8562d9e325a

Download Submit
C:\Windows\{E9FF2930-63FB-406c-A3DC-E294C85C97FF}.exe

Filesize
168KB

MD5
32d2580ffea1b456ce48a075bcd10640

SHA1
f37d3bdd52035415ac7999f894fe26850c1fc455

SHA256
07d9a1027e05e4c1ce1c3ecb64bde5e55dfe4ca5bb730fea6374d0032cf884cc

SHA512
abb98888f08ececea49b34d35d495d4f64b372eef5fd34a7aa990d3b88687805b1cb28dbe3c3785dee17aef8bd91a060cce864c288305ef3d4660d8d058a3787

Download Submit
C:\Windows\{EDD3D1A4-39ED-4a03-A721-51B2195EC3C9}.exe

Filesize
168KB

MD5
2af138a1f24ae535e6384726dd62a042

SHA1
3177a0a6f946a2e77f18f6d8f36f63bc2412b681

SHA256
5f167c7f21f2a6aaa9ecd4ef110b39a0125d9f93dc0c1a3f697fe0490d0b152a

SHA512
82e261c95174a77ad29e943ea6a0dc071773749016eef306d3f5c26c3020a77b4f7c4f5a961d9e03416af1ed519d0a8260e1083c506223bbc8b8907d400cef9e

Download Submit
C:\Windows\{F05240B3-804D-4a7f-A03C-3E0A570F66DC}.exe

Filesize
168KB

MD5
b95e366fdea6a1d9e2baa6c17b1794a7

SHA1
34a558ed078711fdbccd4a4fc79969bb1acf9011

SHA256
db2ad5c19c49899c12187b14bc4891d1c6f67ef02704f6e79d2db243c7daed60

SHA512
046e5b9e3e9785bbe5180cbf509f49b0fe6573bfe8b6ae36c839ca1f7b413a75ac4faa9998d310facea792f6a2cb354355b1b921a600e35e43c615202bd0b0f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads