3c1adf7c9d36d074403ca088bff8bcb2f446291f68b58c37dde47cd94aa8a818

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 06:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe
Size

372KB
MD5

3bd9098534fdb10761ecea97b2da5968
SHA1

b68349b58c12301a5191bdc71e002ab59a69f34c
SHA256

3c1adf7c9d36d074403ca088bff8bcb2f446291f68b58c37dde47cd94aa8a818
SHA512

a253119f247dd436dac033f0ba3b6aa9d6efabe3b70827a50acb649dd6c469ce138e615cfdafd2c1b89d2ec16a2e79d42011c9a82449243f15569e2e7e620adb
SSDEEP

3072:CEGh0oYlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGalkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231d8-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231e8-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002310c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000232fe-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023104-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023362-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db54-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002337b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023390-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002347e-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023390-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023483-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75566C53-D08F-4e86-8A8E-C0037923BF73}	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CC8B071-36F9-40a2-A550-84069AB228AB}	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CC8B071-36F9-40a2-A550-84069AB228AB}\stubpath = "C:\\Windows\\{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe"	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}\stubpath = "C:\\Windows\\{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe"	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60A7B778-0BAC-49cb-B350-7C765670DD85}	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60A7B778-0BAC-49cb-B350-7C765670DD85}\stubpath = "C:\\Windows\\{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe"	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67368D2B-C050-4b11-9CF2-B20C40EF5770}\stubpath = "C:\\Windows\\{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe"	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75566C53-D08F-4e86-8A8E-C0037923BF73}\stubpath = "C:\\Windows\\{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe"	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}\stubpath = "C:\\Windows\\{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe"	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}\stubpath = "C:\\Windows\\{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe"	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}\stubpath = "C:\\Windows\\{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe"	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{309001D9-EEDF-4006-86FB-F4CC07015F4E}\stubpath = "C:\\Windows\\{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe"	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67368D2B-C050-4b11-9CF2-B20C40EF5770}	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}\stubpath = "C:\\Windows\\{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe"	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356766F1-C334-4135-9CE9-CE77868AB943}	{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356766F1-C334-4135-9CE9-CE77868AB943}\stubpath = "C:\\Windows\\{356766F1-C334-4135-9CE9-CE77868AB943}.exe"	{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{309001D9-EEDF-4006-86FB-F4CC07015F4E}	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB7D638-BF58-4f23-8357-2118F43ED80C}	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB7D638-BF58-4f23-8357-2118F43ED80C}\stubpath = "C:\\Windows\\{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe"	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe

Executes dropped EXE 12 IoCs

pid	Process
4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe
4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe
388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe
1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe
3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe
3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe
4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe
3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe
4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe
1908	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe
3732	{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe
4456	{356766F1-C334-4135-9CE9-CE77868AB943}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe
File created	C:\Windows\{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe
File created	C:\Windows\{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe
File created	C:\Windows\{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe
File created	C:\Windows\{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe
File created	C:\Windows\{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe
File created	C:\Windows\{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe
File created	C:\Windows\{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe
File created	C:\Windows\{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe
File created	C:\Windows\{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe
File created	C:\Windows\{356766F1-C334-4135-9CE9-CE77868AB943}.exe	{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe
File created	C:\Windows\{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1600	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe
Token: SeIncBasePriorityPrivilege	4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe
Token: SeIncBasePriorityPrivilege	388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe
Token: SeIncBasePriorityPrivilege	1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe
Token: SeIncBasePriorityPrivilege	3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe
Token: SeIncBasePriorityPrivilege	3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe
Token: SeIncBasePriorityPrivilege	4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe
Token: SeIncBasePriorityPrivilege	3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe
Token: SeIncBasePriorityPrivilege	4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe
Token: SeIncBasePriorityPrivilege	1908	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe
Token: SeIncBasePriorityPrivilege	3732	{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 4896	1600	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe	100
PID 1600 wrote to memory of 4896	1600	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe	100
PID 1600 wrote to memory of 4896	1600	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe	100
PID 1600 wrote to memory of 1044	1600	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe	101
PID 1600 wrote to memory of 1044	1600	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe	101
PID 1600 wrote to memory of 1044	1600	2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe	101
PID 4896 wrote to memory of 4740	4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe	103
PID 4896 wrote to memory of 4740	4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe	103
PID 4896 wrote to memory of 4740	4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe	103
PID 4896 wrote to memory of 1684	4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe	104
PID 4896 wrote to memory of 1684	4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe	104
PID 4896 wrote to memory of 1684	4896	{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe	104
PID 4740 wrote to memory of 388	4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe	107
PID 4740 wrote to memory of 388	4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe	107
PID 4740 wrote to memory of 388	4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe	107
PID 4740 wrote to memory of 3468	4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe	108
PID 4740 wrote to memory of 3468	4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe	108
PID 4740 wrote to memory of 3468	4740	{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe	108
PID 388 wrote to memory of 1312	388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe	110
PID 388 wrote to memory of 1312	388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe	110
PID 388 wrote to memory of 1312	388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe	110
PID 388 wrote to memory of 3248	388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe	111
PID 388 wrote to memory of 3248	388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe	111
PID 388 wrote to memory of 3248	388	{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe	111
PID 1312 wrote to memory of 3052	1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe	112
PID 1312 wrote to memory of 3052	1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe	112
PID 1312 wrote to memory of 3052	1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe	112
PID 1312 wrote to memory of 3940	1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe	113
PID 1312 wrote to memory of 3940	1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe	113
PID 1312 wrote to memory of 3940	1312	{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe	113
PID 3052 wrote to memory of 3076	3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe	115
PID 3052 wrote to memory of 3076	3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe	115
PID 3052 wrote to memory of 3076	3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe	115
PID 3052 wrote to memory of 3588	3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe	116
PID 3052 wrote to memory of 3588	3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe	116
PID 3052 wrote to memory of 3588	3052	{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe	116
PID 3076 wrote to memory of 4304	3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe	117
PID 3076 wrote to memory of 4304	3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe	117
PID 3076 wrote to memory of 4304	3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe	117
PID 3076 wrote to memory of 1360	3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe	118
PID 3076 wrote to memory of 1360	3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe	118
PID 3076 wrote to memory of 1360	3076	{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe	118
PID 4304 wrote to memory of 3996	4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe	119
PID 4304 wrote to memory of 3996	4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe	119
PID 4304 wrote to memory of 3996	4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe	119
PID 4304 wrote to memory of 3120	4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe	120
PID 4304 wrote to memory of 3120	4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe	120
PID 4304 wrote to memory of 3120	4304	{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe	120
PID 3996 wrote to memory of 4412	3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe	125
PID 3996 wrote to memory of 4412	3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe	125
PID 3996 wrote to memory of 4412	3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe	125
PID 3996 wrote to memory of 4500	3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe	126
PID 3996 wrote to memory of 4500	3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe	126
PID 3996 wrote to memory of 4500	3996	{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe	126
PID 4412 wrote to memory of 1908	4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe	127
PID 4412 wrote to memory of 1908	4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe	127
PID 4412 wrote to memory of 1908	4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe	127
PID 4412 wrote to memory of 648	4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe	128
PID 4412 wrote to memory of 648	4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe	128
PID 4412 wrote to memory of 648	4412	{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe	128
PID 1908 wrote to memory of 3732	1908	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe	129
PID 1908 wrote to memory of 3732	1908	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe	129
PID 1908 wrote to memory of 3732	1908	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe	129
PID 1908 wrote to memory of 3576	1908	{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe
  C:\Windows\{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe
    C:\Windows\{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe
      C:\Windows\{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Windows\{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe
        
        C:\Windows\{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe
        
        C:\Windows\{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe
        
        C:\Windows\{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe
        
        C:\Windows\{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe
        
        C:\Windows\{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe
        
        C:\Windows\{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe
        
        C:\Windows\{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe
        
        C:\Windows\{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\{356766F1-C334-4135-9CE9-CE77868AB943}.exe
        
        C:\Windows\{356766F1-C334-4135-9CE9-CE77868AB943}.exe
        13⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{933CD~1.EXE > nul
        13⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC8B~1.EXE > nul
        12⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E62C3~1.EXE > nul
        11⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CB7D~1.EXE > nul
        10⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CBA8~1.EXE > nul
        9⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38D0A~1.EXE > nul
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75566~1.EXE > nul
        7⤵
        
        PID:3588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86001~1.EXE > nul
        6⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67368~1.EXE > nul
        5⤵
        
        PID:3248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{30900~1.EXE > nul
      4⤵
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60A7B~1.EXE > nul
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CBA8D3A-B0D2-40e3-8DBA-53D9229E74ED}.exe

Filesize
372KB

MD5
8596d13ce0351486a3bef08b18036498

SHA1
85fce6cce2bbf1148e6843ddc0a72ba2e59da946

SHA256
28e5d9072eb1269a091051477aa4bfd43c0437557e87a4f815c6e8fc57bd84e3

SHA512
30a96382df259ee84aa6c8375ce7927d6d6e1fb74727f0c997244928ac6beb9e901f11c83dcc72240fd8a567291889b65aa3f3b8b3442b404c61e01baa3c9c72

Download Submit
C:\Windows\{309001D9-EEDF-4006-86FB-F4CC07015F4E}.exe

Filesize
372KB

MD5
cbbbea9e8d25af752730f284abe3d573

SHA1
4ddd6a1353ae9ebbb20407861e5eb34b9fe6678c

SHA256
7db2b7a5973e204f3be915396d3b4bc9a019d31ccb573a76ca86956aacc71b68

SHA512
e24da186447c8fbfef128adc546e0669b05ae2db3bc4d36002272c49d2d296328eba5df023959b6c0c47c5ccb32db344a63af9ab9340b49d725fa723b01b7084

Download Submit
C:\Windows\{356766F1-C334-4135-9CE9-CE77868AB943}.exe

Filesize
372KB

MD5
fef2cbc24488592543d7ef0f4fa82b2c

SHA1
f628d0b5e40b772729f0ae759be6806f95bc3d05

SHA256
daa3bfa7d566b6bdf48c3f1bc55f4284a3fa1172ad4847d6792de06c7285c592

SHA512
fe9694c4cca5a7a363952ce853e397696f2690485c40985d2b617febc8f5cb0b1d39bc232d90101e9fd16f79a160a496fecf7e48bf0745c82b48a3c62a90d0da

Download Submit
C:\Windows\{38D0AEEE-E542-4dd2-87DB-FE7130FD7564}.exe

Filesize
372KB

MD5
ec5b43d482a1f89365ba85e4370359a3

SHA1
c423d1c23efbfc439051e6dd43df41a9fff631b9

SHA256
8fa187e5b20a0c32cece0ad0d38d670fec603dbeaa075fa17632ce065d7703a1

SHA512
9c1a5599e796263f0fe145bf81ec9848487c051081dd75334c5d97cef0fe5fd7144496b27ca4bbd35380024a756198518cae60521b1e94ca28af78d203ef2ed0

Download Submit
C:\Windows\{3CB7D638-BF58-4f23-8357-2118F43ED80C}.exe

Filesize
372KB

MD5
75f7eb218d4371f1608e1821c44b61ca

SHA1
4532d22328df3d1d7a4142e867fd35383c08c34d

SHA256
39baae599c2e730dc37582ec98b2e192f59b36a44fc53b4e0ddfab539a69d928

SHA512
c5d7c9fea80e609828aa8507c8d2e94f99e0205f071a38de74e90d04f52d88530458e6db4e656c324ba36beb864f7e338de3e2ba66876c0fbc7d207e59bfb9b9

Download Submit
C:\Windows\{60A7B778-0BAC-49cb-B350-7C765670DD85}.exe

Filesize
372KB

MD5
a002df263b49df71aef6e280c308b444

SHA1
032e41c9ff4a34de4505120ee049646f8594bd8e

SHA256
28e1aeed9173adc452c896447f3313b873e4be01baeff4dc1495c7f871c2ca2a

SHA512
fef969addd8d13456757737424529867401b844b3bb77fecd3ca2f5c17b7ca86f59ebbd7887d2c9aeb066f8a082cb37c86ccca4176d6e11b6b30ecaa29f2a803

Download Submit
C:\Windows\{67368D2B-C050-4b11-9CF2-B20C40EF5770}.exe

Filesize
372KB

MD5
81b33fe046b08aea30193770853b4914

SHA1
215498bba2b485e326538f4da0191264c187f999

SHA256
3f8782588371a41f2cbd4f0a98e191d7c3022dee4a42abc8c2aaef42fad1e99c

SHA512
9e1dc5a28efabd7bccc6be7f5d6f8318e33dde8afe4ceee9ed926c2ab1845ed3a6807ac2f985ec1f3a14dacd552473c7d5d634ba187b0485f057cd3147af102e

Download Submit
C:\Windows\{6CC8B071-36F9-40a2-A550-84069AB228AB}.exe

Filesize
372KB

MD5
5283ca6c4465a4e854c5fb601020c35e

SHA1
b81449fd613bc9d7bd2b51f874332cd70db1072f

SHA256
08ea594afdedfe97a180157bf2f1fda7ae2b067ab9466bfe953357759a3f7a85

SHA512
dc5b48107b0180dec1ca942f648ef190efa5a4ba99cfd0cb8ca835ac5eb1ecf4ce986191f0fd515388f9eec52b6f3a383b5559c646e75b8dc8d893060f446d92

Download Submit
C:\Windows\{75566C53-D08F-4e86-8A8E-C0037923BF73}.exe

Filesize
372KB

MD5
52b87ad8b9194a7cbafdce3b44426960

SHA1
5596b154679ea52a1605740cfe8039573b6a08de

SHA256
83c56f3ff19cb361372faba4df6808df6884adff8c790f3b888dfc293e5d799a

SHA512
1a0c26fe5f5187897d47ffc9e97f7e6f6214ce2120fbee2851291c0dec9f2b2f9e887ef8d8a1df0ab942deb295df66a133f8797d27d81febfb3024d17a3d065f

Download Submit
C:\Windows\{86001F5E-EF34-4c75-A259-FD05ADB6AAB7}.exe

Filesize
372KB

MD5
4d6dab7a9516a81814eef11f921fba90

SHA1
eda35e1b5c4f5441cf0887e6d96c697d56bda909

SHA256
d58bb26341d732a7432d7d8cc8c0fb09044601a7693e8bc805aebdc1edf7e42d

SHA512
9956bf8b7b1c908eacb7ec867cc7bf33dd18de7367c03d8b99e587e1ab9aef0e02ce36c4a8bd615a9f62da34250a960e6540fcaad19ee83cef68108899c43c5b

Download Submit
C:\Windows\{933CDD5A-2AC4-48ce-8BA3-536B2ED22835}.exe

Filesize
372KB

MD5
945bc8f9ad59fef146784f2812161ccf

SHA1
d3f254a0658baa9bbe6651c17cc9dd504b45f6fb

SHA256
c25875dc3af1f99e99d7c26118b477c1f3183f4a4aaddb7feb7e9ed4a20e0649

SHA512
a714d094b4ad39fd88bcf5ad59b6126398a66c84ad6df668a92cd6954d31bd34f21f1a321aa7a4dcc24f911f5b01222512e4793c9935184dedfe8160263370aa

Download Submit
C:\Windows\{E62C3965-B096-4cf8-BF0D-90505BE2BCDC}.exe

Filesize
372KB

MD5
8ed83187de104da86cdcbf8d5a9c0fc8

SHA1
7593fa217b25ffc297cc89fc6bebfeed531eb708

SHA256
14ede7602699bf5b2d2bfbe240d6a6901fa449f4e99f1464dce5afa366a6ed20

SHA512
591b4f25eb355be03752842202827e709810060bc34ab4b4426bfea158af179d0553829208b7361c72a2493b68b20d4c573e6b0241da37c6db64300f03d64387

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads