8c61e8ae8c18fcd3a58ef0db0fc5986d0dd10c842e8755ee531c4e36d9a7d72c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe
Size

344KB
MD5

668db7933060c64e5efee9760409218c
SHA1

41f66c43dd8efc9d36bb18a1a9fb0b63273e0e02
SHA256

8c61e8ae8c18fcd3a58ef0db0fc5986d0dd10c842e8755ee531c4e36d9a7d72c
SHA512

0736241a55e3356aaf5034a7da3e98bd4b1047ff66c861b14c8623be3b2b613fb8871d515cda319eed64da7a1a672e6496fc53f14cc92ad0734bc20436900903
SSDEEP

3072:mEGh0oslEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGilqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000700000002322b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023237-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016927-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023241-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023243-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023241-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023243-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023241-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023253-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325e-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002334c-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023353-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{874E0367-06C5-4215-8354-23B5EC1647C1}	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{874E0367-06C5-4215-8354-23B5EC1647C1}\stubpath = "C:\\Windows\\{874E0367-06C5-4215-8354-23B5EC1647C1}.exe"	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5F95DE3-758C-491c-AED4-079FB1020487}	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9E316E1-9A91-42e0-919B-81CC6D8BB505}\stubpath = "C:\\Windows\\{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe"	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BA36D8-2661-412d-8CDD-F954AEA98D62}\stubpath = "C:\\Windows\\{B4BA36D8-2661-412d-8CDD-F954AEA98D62}.exe"	{464DFD33-965B-411d-9E89-8F648CD7946C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}\stubpath = "C:\\Windows\\{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe"	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}\stubpath = "C:\\Windows\\{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe"	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{171586A8-A9D1-4999-83BF-2CAB68544BC6}	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{171586A8-A9D1-4999-83BF-2CAB68544BC6}\stubpath = "C:\\Windows\\{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe"	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB61B086-775E-4ccc-BA81-9939E14D13D2}	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB61B086-775E-4ccc-BA81-9939E14D13D2}\stubpath = "C:\\Windows\\{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe"	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}\stubpath = "C:\\Windows\\{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe"	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9E316E1-9A91-42e0-919B-81CC6D8BB505}	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A683062-2069-41ae-8F8D-43036ADFDCFE}	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464DFD33-965B-411d-9E89-8F648CD7946C}\stubpath = "C:\\Windows\\{464DFD33-965B-411d-9E89-8F648CD7946C}.exe"	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BA36D8-2661-412d-8CDD-F954AEA98D62}	{464DFD33-965B-411d-9E89-8F648CD7946C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}\stubpath = "C:\\Windows\\{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe"	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5F95DE3-758C-491c-AED4-079FB1020487}\stubpath = "C:\\Windows\\{D5F95DE3-758C-491c-AED4-079FB1020487}.exe"	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A683062-2069-41ae-8F8D-43036ADFDCFE}\stubpath = "C:\\Windows\\{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe"	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464DFD33-965B-411d-9E89-8F648CD7946C}	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe
3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe
3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe
3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe
532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe
5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe
2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe
3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe
1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe
708	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe
5072	{464DFD33-965B-411d-9E89-8F648CD7946C}.exe
2520	{B4BA36D8-2661-412d-8CDD-F954AEA98D62}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe
File created	C:\Windows\{D5F95DE3-758C-491c-AED4-079FB1020487}.exe	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe
File created	C:\Windows\{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe
File created	C:\Windows\{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe
File created	C:\Windows\{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe
File created	C:\Windows\{B4BA36D8-2661-412d-8CDD-F954AEA98D62}.exe	{464DFD33-965B-411d-9E89-8F648CD7946C}.exe
File created	C:\Windows\{874E0367-06C5-4215-8354-23B5EC1647C1}.exe	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe
File created	C:\Windows\{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe
File created	C:\Windows\{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe
File created	C:\Windows\{464DFD33-965B-411d-9E89-8F648CD7946C}.exe	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe
File created	C:\Windows\{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe
File created	C:\Windows\{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1172	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe
Token: SeIncBasePriorityPrivilege	3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe
Token: SeIncBasePriorityPrivilege	3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe
Token: SeIncBasePriorityPrivilege	3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe
Token: SeIncBasePriorityPrivilege	532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe
Token: SeIncBasePriorityPrivilege	5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe
Token: SeIncBasePriorityPrivilege	2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe
Token: SeIncBasePriorityPrivilege	3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe
Token: SeIncBasePriorityPrivilege	1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe
Token: SeIncBasePriorityPrivilege	708	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe
Token: SeIncBasePriorityPrivilege	5072	{464DFD33-965B-411d-9E89-8F648CD7946C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 3212	1172	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe	99
PID 1172 wrote to memory of 3212	1172	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe	99
PID 1172 wrote to memory of 3212	1172	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe	99
PID 1172 wrote to memory of 2308	1172	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe	100
PID 1172 wrote to memory of 2308	1172	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe	100
PID 1172 wrote to memory of 2308	1172	2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe	100
PID 3212 wrote to memory of 3224	3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe	101
PID 3212 wrote to memory of 3224	3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe	101
PID 3212 wrote to memory of 3224	3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe	101
PID 3212 wrote to memory of 4752	3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe	102
PID 3212 wrote to memory of 4752	3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe	102
PID 3212 wrote to memory of 4752	3212	{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe	102
PID 3224 wrote to memory of 3124	3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe	105
PID 3224 wrote to memory of 3124	3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe	105
PID 3224 wrote to memory of 3124	3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe	105
PID 3224 wrote to memory of 1896	3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe	106
PID 3224 wrote to memory of 1896	3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe	106
PID 3224 wrote to memory of 1896	3224	{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe	106
PID 3124 wrote to memory of 3608	3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe	107
PID 3124 wrote to memory of 3608	3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe	107
PID 3124 wrote to memory of 3608	3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe	107
PID 3124 wrote to memory of 2596	3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe	108
PID 3124 wrote to memory of 2596	3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe	108
PID 3124 wrote to memory of 2596	3124	{874E0367-06C5-4215-8354-23B5EC1647C1}.exe	108
PID 3608 wrote to memory of 532	3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe	109
PID 3608 wrote to memory of 532	3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe	109
PID 3608 wrote to memory of 532	3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe	109
PID 3608 wrote to memory of 4804	3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe	110
PID 3608 wrote to memory of 4804	3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe	110
PID 3608 wrote to memory of 4804	3608	{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe	110
PID 532 wrote to memory of 5052	532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe	112
PID 532 wrote to memory of 5052	532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe	112
PID 532 wrote to memory of 5052	532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe	112
PID 532 wrote to memory of 3656	532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe	113
PID 532 wrote to memory of 3656	532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe	113
PID 532 wrote to memory of 3656	532	{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe	113
PID 5052 wrote to memory of 2068	5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe	114
PID 5052 wrote to memory of 2068	5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe	114
PID 5052 wrote to memory of 2068	5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe	114
PID 5052 wrote to memory of 5080	5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe	115
PID 5052 wrote to memory of 5080	5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe	115
PID 5052 wrote to memory of 5080	5052	{D5F95DE3-758C-491c-AED4-079FB1020487}.exe	115
PID 2068 wrote to memory of 3000	2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe	116
PID 2068 wrote to memory of 3000	2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe	116
PID 2068 wrote to memory of 3000	2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe	116
PID 2068 wrote to memory of 4224	2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe	117
PID 2068 wrote to memory of 4224	2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe	117
PID 2068 wrote to memory of 4224	2068	{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe	117
PID 3000 wrote to memory of 1200	3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe	122
PID 3000 wrote to memory of 1200	3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe	122
PID 3000 wrote to memory of 1200	3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe	122
PID 3000 wrote to memory of 4024	3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe	123
PID 3000 wrote to memory of 4024	3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe	123
PID 3000 wrote to memory of 4024	3000	{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe	123
PID 1200 wrote to memory of 708	1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe	125
PID 1200 wrote to memory of 708	1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe	125
PID 1200 wrote to memory of 708	1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe	125
PID 1200 wrote to memory of 2756	1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe	126
PID 1200 wrote to memory of 2756	1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe	126
PID 1200 wrote to memory of 2756	1200	{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe	126
PID 708 wrote to memory of 5072	708	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe	127
PID 708 wrote to memory of 5072	708	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe	127
PID 708 wrote to memory of 5072	708	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe	127
PID 708 wrote to memory of 4152	708	{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_668db7933060c64e5efee9760409218c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe
  C:\Windows\{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe
    C:\Windows\{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\{874E0367-06C5-4215-8354-23B5EC1647C1}.exe
      C:\Windows\{874E0367-06C5-4215-8354-23B5EC1647C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe
        
        C:\Windows\{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe
        
        C:\Windows\{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{D5F95DE3-758C-491c-AED4-079FB1020487}.exe
        
        C:\Windows\{D5F95DE3-758C-491c-AED4-079FB1020487}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe
        
        C:\Windows\{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe
        
        C:\Windows\{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe
        
        C:\Windows\{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe
        
        C:\Windows\{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\{464DFD33-965B-411d-9E89-8F648CD7946C}.exe
        
        C:\Windows\{464DFD33-965B-411d-9E89-8F648CD7946C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\{B4BA36D8-2661-412d-8CDD-F954AEA98D62}.exe
        
        C:\Windows\{B4BA36D8-2661-412d-8CDD-F954AEA98D62}.exe
        13⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{464DF~1.EXE > nul
        13⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A683~1.EXE > nul
        12⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E31~1.EXE > nul
        11⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F41~1.EXE > nul
        10⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC6C~1.EXE > nul
        9⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F95~1.EXE > nul
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD3F~1.EXE > nul
        7⤵
        
        PID:3656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5C4~1.EXE > nul
        6⤵
        
        PID:4804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{874E0~1.EXE > nul
        5⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BB61B~1.EXE > nul
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17158~1.EXE > nul
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BC6C1F0-C8CA-4cfd-B87F-F25B57A6EABA}.exe

Filesize
344KB

MD5
667f6a981afaa7204dfaf3337e57adf9

SHA1
a5991a6a2cec58fa8e522767e6aeb74dd52b677f

SHA256
105dc564823c1ac6edf553eec1231c8be5a066e8b8b6d7462b4b030418f7e684

SHA512
3b4860107db701bf3fd7a33445a16eb98cf4d30902ccea7e2ebf51801534f5fddd1d01bb0c4fcf70b28b705959f3977a0c372cdf56f32c8d4f4b67e4ce74bd35

Download Submit
C:\Windows\{171586A8-A9D1-4999-83BF-2CAB68544BC6}.exe

Filesize
344KB

MD5
4f7fc92b6bc8fa79f105ba0100d6e829

SHA1
5e55431e9bf58c7e165fbd679c2e3acefbd0731b

SHA256
ba521ca2f67e97aeff4dad3eebe62872fdd30b6edea1546da78aefbdbdc73f1f

SHA512
81ecf62239efbb03f415acf1a38a66bb1f6826400b618eabbcad34928855ada21a68c965bc0320459ff6ec1084bd0b5fe9a6f47f03b3ad3c38933b48b24f82f8

Download Submit
C:\Windows\{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe

Filesize
270KB

MD5
ef02a7be5c646de5890e715eb6266cc7

SHA1
db65f8c176441483061fd5b2191cf74dc295a49f

SHA256
df741338f42f04a1854a061876e4d4311413720ddc61a117aaad3e16e5067966

SHA512
28da4c0d2beb0efbd5d37114a90a41c476b3ab8c29049ee585ffe417b5c5c2d0660851f7814d9b1979934120ac2782beaeb0c1ea29588024f759090f99bab5fc

Download Submit
C:\Windows\{1A683062-2069-41ae-8F8D-43036ADFDCFE}.exe

Filesize
344KB

MD5
f07871546ec4b36e53a2efa4f5042319

SHA1
74584a8556c65cf5a968c49634a4c0508a38cb07

SHA256
b609b92ed7188186f01d988057ac7eeaf8ad59f42487573029ba81a44580e7fc

SHA512
8ce353832c02ad0903268d35262043a8275713905c0fd9af15b29bca5b49dc0df494ddb68de74c63edb3191d3ef01fc1fbd0a00eedae9f908f913210f95ad7fe

Download Submit
C:\Windows\{464DFD33-965B-411d-9E89-8F648CD7946C}.exe

Filesize
344KB

MD5
37addc8021d92c94b94053206c1434ea

SHA1
a2c495d3193d925b08979cd80c72de65fb7ed753

SHA256
0f273282f7d8502b6e415ed59306a8d0d2d00c2548023b151fb6fd3bf4365a42

SHA512
b3c128269127f14b88adcb9f4c02113de51b71a20ad734fc7f0a79765e85ed3bca3e1ef3f580f8dd969a2a117fdcd21853c290d3c278a3d706d7fd4dc701f405

Download Submit
C:\Windows\{5D5C497A-C0C3-4282-953E-2BB853E4E8A5}.exe

Filesize
344KB

MD5
29ea546caffbf21214a6c3ab7cb313bf

SHA1
9814b2c702710f8f8ffbc75346186c3277b5fe56

SHA256
073756d40f4a086c94495fcdfaa381733949dac77070c579cdd16a4aff246fe9

SHA512
0b9ac90f2e978cd4c77554c2a95d07b815335168351ae1979aecf9e55d5b1f05210f6a21a47d450eef551de90af11e1f508d170af78553408f58a70a5d5a9d1b

Download Submit
C:\Windows\{5DD3FE64-6E28-4201-8D09-8A7E5A1875C0}.exe

Filesize
344KB

MD5
416767d6e03e83a9139ef97cae84450b

SHA1
a338a5237aac659635ef5e1db6caeac164751b9e

SHA256
8e82caa42fdcc731e79137cbb8a2349308a41ac3b38d2d3593991a98b6725ce8

SHA512
3a6c9c53d13fb652b781a24d9805eaed4f8d224673b46bc6b29d633ef796dc2085c968ed312640d9d0fd625939cc097db8afa697ccb2fd9b3b41d7a77e58642b

Download Submit
C:\Windows\{874E0367-06C5-4215-8354-23B5EC1647C1}.exe

Filesize
344KB

MD5
67e67d1f322cc367f54167c721f0562d

SHA1
7fa23b92300385b4679bd0d43c5e1c6d96b229fb

SHA256
4e3116090f1d16904727c64d77da9f241323428edf7de7a57c972e26c668f94f

SHA512
86da3d287240ca50dbf85bb0f47d524b78698addb88017f2b1f6f9b40c2607d54a7fcb0debfb4e520f5fd5c73b9991db64ec5b97ec90c275903184d5234ff3df

Download Submit
C:\Windows\{A9E316E1-9A91-42e0-919B-81CC6D8BB505}.exe

Filesize
344KB

MD5
02b6d51959e5d58ffe87aad51efeeaa1

SHA1
41ee2a69270a2c1129e925699d728fe360c64ef2

SHA256
9519d6daf308411c3d7019bf62f63074c13b4349f30f579f48a8cad4a77c0e44

SHA512
63e746e912f8c6fbd54d2f67733440a420193c622751f7e28f0783ddf089a8335fe0a3d50d73dbfbd7b4b4c9e59c747874ef0f3c8dd2d62a417351086e637d18

Download Submit
C:\Windows\{B4BA36D8-2661-412d-8CDD-F954AEA98D62}.exe

Filesize
344KB

MD5
e8b1bda2ce1eab631501203d5f69cd74

SHA1
996252a3d44ba450ee58e55936d154b690db258a

SHA256
225b038f4f205c5e04b4e1b0d2c4f75f995354906e38ec6caa3f0e8685a87f1b

SHA512
6dfd7f3b47c36382cf52cc6a805cb4c363336a36c6617e09f5e623cf29f72ca7cb1cdc533e74631951c50de3dfb7003c840ba07f915a275696bcefc30805819d

Download Submit
C:\Windows\{BB61B086-775E-4ccc-BA81-9939E14D13D2}.exe

Filesize
344KB

MD5
fa70f27e4a8e7e914b2286d3108ba1bd

SHA1
3845de70fb48eafa0c3d2079b6e98f8c0c8cbb94

SHA256
dbcd83687363bf9b2d1f4713365a8cd6e70f41b03bc12ba94c311e5a51aafddd

SHA512
4573f223458bf7b33e60aebc9e5daf1747b59e24ab02ada47aba8d7de5f87cfd15fa8be9918ed532966fc5863cf289e448d27bd86da40bba13d0aea10fe5e68b

Download Submit
C:\Windows\{D0F4169B-9AB2-44dd-9021-E57E4FA6044C}.exe

Filesize
344KB

MD5
43e1eb864718e311e78780c3c4767aeb

SHA1
c872aec9f17df01c66b8aa612bdaffbd099d3df1

SHA256
3fc6d8c10637270c53770a5fe574feb6c35575a757d5b09fe9ba47801dfd4f95

SHA512
a47e4d017bd9f815b86477af82dc8ca01354a7eb0faec9d2edf1a30ce9db0c72dfd401fba986b4d2df4f18ea506e3db1eaa579200b1df598f701315f0206aa75

Download Submit
C:\Windows\{D5F95DE3-758C-491c-AED4-079FB1020487}.exe

Filesize
344KB

MD5
b8374efca1e633a21d6f56e07c0d735e

SHA1
edefd71d482ae7340903226f32d0e484b6cf5e19

SHA256
99ee31362645c8e10d480f422da021eae96dcc3fe88120c436d866bb627faefd

SHA512
2753d4cfc8858fc4520a1c19af82cefb68d953e4d7d01ecfc6956ba88c8ed04f857989e83a67cededbed78fd1fe12e0afc79eee0b460723ab77e2cdb5e7fd319

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads