19ebbfbc12b19ac420e6fe662d8942d9f55a53e1ebcac21c813480c25c8a8362

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 01:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Size

344KB
MD5

cf00cb6dcdec71c0319f95ce18f251de
SHA1

9bebe76ff0f7318a95f7f0aa12d2a95bdc214038
SHA256

19ebbfbc12b19ac420e6fe662d8942d9f55a53e1ebcac21c813480c25c8a8362
SHA512

c63f9e0dbf2c5cb9880f185a48ba1e75b83ca1d2505d0a17f285aa3843725c56ecc86552b7f78041ccad05cd9b168749c861c3e895a2afcf89a518c5ef832e6d
SSDEEP

3072:mEGh0oBlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGLlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231f8-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231fe-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023205-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023109-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023205-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023205-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023109-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023205-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002331b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000216c9-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023104-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002311f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503AC1DE-C694-4196-97A0-7338639BDD8B}	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F291197A-C361-4d39-801F-65B1EEC39E39}\stubpath = "C:\\Windows\\{F291197A-C361-4d39-801F-65B1EEC39E39}.exe"	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}\stubpath = "C:\\Windows\\{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe"	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05BF6DF-B466-44ce-8151-322485F0F533}	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05BF6DF-B466-44ce-8151-322485F0F533}\stubpath = "C:\\Windows\\{B05BF6DF-B466-44ce-8151-322485F0F533}.exe"	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F291197A-C361-4d39-801F-65B1EEC39E39}	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EF428D-B29D-4f13-99F3-4143754EDAFB}	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57239A30-7913-42e8-939A-1A7BE18B726B}	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}\stubpath = "C:\\Windows\\{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe"	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}\stubpath = "C:\\Windows\\{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe"	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F5D706-6E43-43bc-888E-941CB14EED0A}	{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}\stubpath = "C:\\Windows\\{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe"	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60C6FCAB-D658-45ad-90D4-DA417727C656}	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA28C237-4819-4c8d-AAA6-4C942EA638D6}\stubpath = "C:\\Windows\\{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe"	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68F5D706-6E43-43bc-888E-941CB14EED0A}\stubpath = "C:\\Windows\\{68F5D706-6E43-43bc-888E-941CB14EED0A}.exe"	{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503AC1DE-C694-4196-97A0-7338639BDD8B}\stubpath = "C:\\Windows\\{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe"	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EF428D-B29D-4f13-99F3-4143754EDAFB}\stubpath = "C:\\Windows\\{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe"	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57239A30-7913-42e8-939A-1A7BE18B726B}\stubpath = "C:\\Windows\\{57239A30-7913-42e8-939A-1A7BE18B726B}.exe"	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60C6FCAB-D658-45ad-90D4-DA417727C656}\stubpath = "C:\\Windows\\{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe"	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA28C237-4819-4c8d-AAA6-4C942EA638D6}	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe

Executes dropped EXE 12 IoCs

pid	Process
3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe
3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe
4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe
1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe
1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe
4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe
1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe
4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe
1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe
3788	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe
3624	{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe
3496	{68F5D706-6E43-43bc-888E-941CB14EED0A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe
File created	C:\Windows\{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe
File created	C:\Windows\{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe
File created	C:\Windows\{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe
File created	C:\Windows\{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe
File created	C:\Windows\{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe
File created	C:\Windows\{68F5D706-6E43-43bc-888E-941CB14EED0A}.exe	{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe
File created	C:\Windows\{B05BF6DF-B466-44ce-8151-322485F0F533}.exe	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
File created	C:\Windows\{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe
File created	C:\Windows\{F291197A-C361-4d39-801F-65B1EEC39E39}.exe	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe
File created	C:\Windows\{57239A30-7913-42e8-939A-1A7BE18B726B}.exe	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe
File created	C:\Windows\{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5060	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe
Token: SeIncBasePriorityPrivilege	3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe
Token: SeIncBasePriorityPrivilege	4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe
Token: SeIncBasePriorityPrivilege	1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe
Token: SeIncBasePriorityPrivilege	1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe
Token: SeIncBasePriorityPrivilege	4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe
Token: SeIncBasePriorityPrivilege	1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe
Token: SeIncBasePriorityPrivilege	4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe
Token: SeIncBasePriorityPrivilege	1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe
Token: SeIncBasePriorityPrivilege	3788	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe
Token: SeIncBasePriorityPrivilege	3624	{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3760	5060	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	98
PID 5060 wrote to memory of 3760	5060	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	98
PID 5060 wrote to memory of 3760	5060	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	98
PID 5060 wrote to memory of 5080	5060	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	99
PID 5060 wrote to memory of 5080	5060	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	99
PID 5060 wrote to memory of 5080	5060	2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe	99
PID 3760 wrote to memory of 3984	3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe	100
PID 3760 wrote to memory of 3984	3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe	100
PID 3760 wrote to memory of 3984	3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe	100
PID 3760 wrote to memory of 3540	3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe	101
PID 3760 wrote to memory of 3540	3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe	101
PID 3760 wrote to memory of 3540	3760	{B05BF6DF-B466-44ce-8151-322485F0F533}.exe	101
PID 3984 wrote to memory of 4356	3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe	104
PID 3984 wrote to memory of 4356	3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe	104
PID 3984 wrote to memory of 4356	3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe	104
PID 3984 wrote to memory of 3712	3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe	105
PID 3984 wrote to memory of 3712	3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe	105
PID 3984 wrote to memory of 3712	3984	{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe	105
PID 4356 wrote to memory of 1508	4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe	106
PID 4356 wrote to memory of 1508	4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe	106
PID 4356 wrote to memory of 1508	4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe	106
PID 4356 wrote to memory of 2836	4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe	107
PID 4356 wrote to memory of 2836	4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe	107
PID 4356 wrote to memory of 2836	4356	{F291197A-C361-4d39-801F-65B1EEC39E39}.exe	107
PID 1508 wrote to memory of 1624	1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe	108
PID 1508 wrote to memory of 1624	1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe	108
PID 1508 wrote to memory of 1624	1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe	108
PID 1508 wrote to memory of 3408	1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe	109
PID 1508 wrote to memory of 3408	1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe	109
PID 1508 wrote to memory of 3408	1508	{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe	109
PID 1624 wrote to memory of 4480	1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe	111
PID 1624 wrote to memory of 4480	1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe	111
PID 1624 wrote to memory of 4480	1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe	111
PID 1624 wrote to memory of 4644	1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe	112
PID 1624 wrote to memory of 4644	1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe	112
PID 1624 wrote to memory of 4644	1624	{57239A30-7913-42e8-939A-1A7BE18B726B}.exe	112
PID 4480 wrote to memory of 1340	4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe	113
PID 4480 wrote to memory of 1340	4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe	113
PID 4480 wrote to memory of 1340	4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe	113
PID 4480 wrote to memory of 2000	4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe	114
PID 4480 wrote to memory of 2000	4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe	114
PID 4480 wrote to memory of 2000	4480	{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe	114
PID 1340 wrote to memory of 4284	1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe	116
PID 1340 wrote to memory of 4284	1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe	116
PID 1340 wrote to memory of 4284	1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe	116
PID 1340 wrote to memory of 4888	1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe	117
PID 1340 wrote to memory of 4888	1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe	117
PID 1340 wrote to memory of 4888	1340	{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe	117
PID 4284 wrote to memory of 1580	4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe	122
PID 4284 wrote to memory of 1580	4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe	122
PID 4284 wrote to memory of 1580	4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe	122
PID 4284 wrote to memory of 216	4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe	123
PID 4284 wrote to memory of 216	4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe	123
PID 4284 wrote to memory of 216	4284	{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe	123
PID 1580 wrote to memory of 3788	1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe	127
PID 1580 wrote to memory of 3788	1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe	127
PID 1580 wrote to memory of 3788	1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe	127
PID 1580 wrote to memory of 912	1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe	128
PID 1580 wrote to memory of 912	1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe	128
PID 1580 wrote to memory of 912	1580	{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe	128
PID 3788 wrote to memory of 3624	3788	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe	129
PID 3788 wrote to memory of 3624	3788	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe	129
PID 3788 wrote to memory of 3624	3788	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe	129
PID 3788 wrote to memory of 4356	3788	{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_cf00cb6dcdec71c0319f95ce18f251de_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\{B05BF6DF-B466-44ce-8151-322485F0F533}.exe
  C:\Windows\{B05BF6DF-B466-44ce-8151-322485F0F533}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe
    C:\Windows\{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\{F291197A-C361-4d39-801F-65B1EEC39E39}.exe
      C:\Windows\{F291197A-C361-4d39-801F-65B1EEC39E39}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe
        
        C:\Windows\{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\{57239A30-7913-42e8-939A-1A7BE18B726B}.exe
        
        C:\Windows\{57239A30-7913-42e8-939A-1A7BE18B726B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe
        
        C:\Windows\{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe
        
        C:\Windows\{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe
        
        C:\Windows\{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe
        
        C:\Windows\{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe
        
        C:\Windows\{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe
        
        C:\Windows\{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\{68F5D706-6E43-43bc-888E-941CB14EED0A}.exe
        
        C:\Windows\{68F5D706-6E43-43bc-888E-941CB14EED0A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77953~1.EXE > nul
        13⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA28C~1.EXE > nul
        12⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4378~1.EXE > nul
        11⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60C6F~1.EXE > nul
        10⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4DB~1.EXE > nul
        9⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4512~1.EXE > nul
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57239~1.EXE > nul
        7⤵
        
        PID:4644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11EF4~1.EXE > nul
        6⤵
        
        PID:3408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2911~1.EXE > nul
        5⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{503AC~1.EXE > nul
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B05BF~1.EXE > nul
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11EF428D-B29D-4f13-99F3-4143754EDAFB}.exe

Filesize
344KB

MD5
703260d165afe8f185b60072040d372d

SHA1
cb99a6dd54a9ed35ca62b771778963649b88f6da

SHA256
bee57e6e94351f5163b10d04513323e6f0915849652e3597006c732358d7f6da

SHA512
617394ba41e8787d127775aee010b3462a506aa8f9c18eeb307a7067cb229ad68ea16b0c029555de2f90b00dffbfd6b80a6df9b337e302d365b53c087befbc95

Download Submit
C:\Windows\{503AC1DE-C694-4196-97A0-7338639BDD8B}.exe

Filesize
344KB

MD5
09c3949f98677ef83987f114249de6dd

SHA1
708a99b69f06a6e93a59d52d707fd72e3d339881

SHA256
235d004cfbd5a073581a8d9770987b4011d18d215318a447cf2afbbe2f98a590

SHA512
32044b159f6b6d674536b272dee8f237881c566d5481f005d718e89a6ab3b9c07fedc9e84d0835cca9870186c064806cd285326c4a108e48d7b55c06b508a759

Download Submit
C:\Windows\{57239A30-7913-42e8-939A-1A7BE18B726B}.exe

Filesize
334KB

MD5
8a15fba7878512416700b7422484afc5

SHA1
0731889eec2ef2eef703934b4bc85e8d4ed71735

SHA256
ed975fb77a8d46a77ba10002caf304bf9cbdd335021748acce980ab67a17e542

SHA512
98a13fc79f88570f10518655adfed922cdbe94b9f991f54bf31b0f61fdc875d91a93fb9726347d71c7028e5b436fe8d0e00a5ccb40cbc3c993493dfbcdd99c37

Download Submit
C:\Windows\{57239A30-7913-42e8-939A-1A7BE18B726B}.exe

Filesize
256KB

MD5
f980df745a7720c10096e1941da80a7c

SHA1
43726a75e5a34e6f1ffa1cb13645fd085b94e741

SHA256
11ce2c7a9f757132ac0ed15209e334db670786aa65ef0b91526f99bb1029f556

SHA512
d25301879fefc95078bb8a3227c3acdd66e7445107340162f3ab2f89ed32b72cbd3b217b609aa26dde6ac8faf4398b420b498f9b456b9d0149263644c8cb6639

Download Submit
C:\Windows\{60C6FCAB-D658-45ad-90D4-DA417727C656}.exe

Filesize
344KB

MD5
2c45376493239c5d15dde8bb476b5d17

SHA1
af0969ecf52b845881f493b9cfccd5288873c68c

SHA256
fcb18a9cf1165015359cf2414229beae6706ff01336cbe17a7416962b29bb736

SHA512
dccfe69c06bf348ed61f1870a6c75f9709a1b52c8541e0bcebea5733d76c99db247df54b6877272fdc5a023831deebefbf00e13cc77d45b2f0b4048836847e2d

Download Submit
C:\Windows\{68F5D706-6E43-43bc-888E-941CB14EED0A}.exe

Filesize
344KB

MD5
3359b19828c7a96fd006a86655da1582

SHA1
81e384ee541e5ef56e08bb2babebbd20d310d981

SHA256
241898113437bace0c580583bdfbb21d4001275e153fe67a3808ee4b2f7a300b

SHA512
5dafed4a443ae54fbb1ddf600d5d137ab84c089a06e7eb588387ceaf45f7d785b42b6217b4e570c8dc6c8647b07bfc64f7826217095407357c8c3aa40663877a

Download Submit
C:\Windows\{77953CA8-AD3D-46a2-A3BB-12FB02DE0156}.exe

Filesize
344KB

MD5
36f8b8cd21b41c2bb158fb95661aa2d1

SHA1
a7d70fa63a4134cc48e5d6fc3ca902af8151dd9d

SHA256
26de825b1739cfb3ec29034f2e3ad0d46731b69037a6b6c82f22f230fd390c19

SHA512
6baef8ba6f7e6daba96cbac18bea39f895fddfb13e1b8ff208ad29e3fcdfacdeb1dcece4bd7a975597178ec349e54b9bb50e81de5de9c9fd3d5eaefa5680883d

Download Submit
C:\Windows\{9F4DBE4A-B373-4d61-8FBD-457E079AEC7B}.exe

Filesize
344KB

MD5
766f9738a1acef75fdb2360aab655ff3

SHA1
80ee66937cf5cb56f31aa2e3f0660a30d90cfb73

SHA256
cbdde9e9d41437bcc19f1ff43f6d82c58d8a97db730c8343480adbbb6ee7ee3d

SHA512
01b0a8024327213f573b0d1211329c68ddb2a76dce63eae5981198422da45ad0f4ee1cf39969ddbf9c324a3d54530ec99aae38f43a6fa16244ffb2bee979da12

Download Submit
C:\Windows\{B05BF6DF-B466-44ce-8151-322485F0F533}.exe

Filesize
344KB

MD5
024956aa7b2a48237e3b8dd59e3f58a7

SHA1
94b05f246717cd996e9422ff116cdffd06b0799f

SHA256
2fa6c005e4db21b0c9bd8b5f20f336ba332fb51d2c90cfe5257dd095f0267226

SHA512
1fd7daf0da25400c7c8d2640c8feb798ea4cb49e434617fbc5e82b0701320aacd92ebc2d7f195c2fada73059893422612c2b2c5ffaad03c66f704325da283f3d

Download Submit
C:\Windows\{BA28C237-4819-4c8d-AAA6-4C942EA638D6}.exe

Filesize
344KB

MD5
7aa28c743b7c71801fdb257b04572aae

SHA1
2c37e86d07425037a30375652c8106cd9a6808a0

SHA256
a9b656cd35b0e4507ed1e45f9c95a9082f023e463706960a65713eae7293e722

SHA512
7bb5adefefe6c7d5caac47340c93b8b8e2e53759b5956a688090e4d6d88895ee15d0f90a5ce63da02f3934df54b8ca8bd9c7e573622ee2354c0573801d62cb97

Download Submit
C:\Windows\{C4378738-B906-4c5a-8B5D-CD4BEBDBBDEA}.exe

Filesize
344KB

MD5
7b4e1b3801c0dad9715f60bbaee398d3

SHA1
93d66587496f3686011d235420fd137cb8035b7d

SHA256
40c08ccb20226684807e885cbd18249f47bd87222affe3b88375d3d1e35c16fc

SHA512
308701f4175dc06658c667bc63d6884532764df87bf717453e29453571e242202d502559d7311a3dc30e5eadcd72c8f574169a82a1afffa4ad628e51c375051c

Download Submit
C:\Windows\{E451225E-9EEC-4eba-9BB6-CB658B24A7EF}.exe

Filesize
344KB

MD5
1a95a6632176f6ea727e1bec33683cc5

SHA1
d2d2aad6d5996a3ce4cc526aafa19dec4f18d218

SHA256
ed890c783783cb2f04eafafc43873fce89f49190a04fea4e2065f4461da38864

SHA512
f0f6492c3045d06a866b9669a81fc94e84c0797c25760b8610dc422edccd30f72c6491145bdc472a478bff476a7438a211fde16b6b0c8c299943f0cc952453d5

Download Submit
C:\Windows\{F291197A-C361-4d39-801F-65B1EEC39E39}.exe

Filesize
344KB

MD5
c1dda923f2b58e83b7c02f0497f096c0

SHA1
8cdc308736a036a5749de5b0b676c3f188540d73

SHA256
ed5b230cad991d18a2aace6ffedb72f9fb638ee04e98b3bb67ed18a6cb5dd681

SHA512
278ce1863ca8d8f98d9feb5513d56e8f17bd4e60cfce7e26a12b746adf6065cb35855b24ab4c2d7c3a6e239d66be45ec8c56d9cff16bbc589ea2311c95386d80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads