3e1198d565e8d2161a4323e829ef4f74018916915ea3b5b0733e8120d2307b17

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Size

204KB
MD5

36f5f40cb2ae788e2316f43a765028ab
SHA1

d2fb504f4068b6f5b563fd1e51554734126c57ab
SHA256

3e1198d565e8d2161a4323e829ef4f74018916915ea3b5b0733e8120d2307b17
SHA512

f7c1139bedb407207c11701732a839f6efe57c9c79781203916e3e24dd2915d956ed6f17eb35894cb369f4fbd6b5a29e66a543ef456e5510a1b5887a829059ad
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o1l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023219-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023221-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023233-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002332e-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e80c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023393-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023394-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023396-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234b6-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234b7-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023129-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234b7-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B679271-5238-4d1d-9F4B-246228209B76}\stubpath = "C:\\Windows\\{0B679271-5238-4d1d-9F4B-246228209B76}.exe"	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C76215-D8FD-4990-8F2B-650DC11338C9}	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C76215-D8FD-4990-8F2B-650DC11338C9}\stubpath = "C:\\Windows\\{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe"	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3683DFD2-CB4C-46d7-A4DB-3DB316839352}\stubpath = "C:\\Windows\\{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe"	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}\stubpath = "C:\\Windows\\{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe"	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50DBE2DF-0952-4258-AC11-B66EA5753A58}\stubpath = "C:\\Windows\\{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe"	{5035244A-7892-471e-9881-0439939A8EB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{310A7F65-9D48-43f2-89AB-878619D39031}	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90CF068-C94A-4c4e-A85A-94C50967C0AD}\stubpath = "C:\\Windows\\{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe"	{310A7F65-9D48-43f2-89AB-878619D39031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A8C673C-8351-4a80-88D1-8C3B4C698734}	{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A8C673C-8351-4a80-88D1-8C3B4C698734}\stubpath = "C:\\Windows\\{2A8C673C-8351-4a80-88D1-8C3B4C698734}.exe"	{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3683DFD2-CB4C-46d7-A4DB-3DB316839352}	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}\stubpath = "C:\\Windows\\{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe"	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}\stubpath = "C:\\Windows\\{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe"	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{310A7F65-9D48-43f2-89AB-878619D39031}\stubpath = "C:\\Windows\\{310A7F65-9D48-43f2-89AB-878619D39031}.exe"	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}	{0B679271-5238-4d1d-9F4B-246228209B76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}\stubpath = "C:\\Windows\\{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe"	{0B679271-5238-4d1d-9F4B-246228209B76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5035244A-7892-471e-9881-0439939A8EB3}	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5035244A-7892-471e-9881-0439939A8EB3}\stubpath = "C:\\Windows\\{5035244A-7892-471e-9881-0439939A8EB3}.exe"	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50DBE2DF-0952-4258-AC11-B66EA5753A58}	{5035244A-7892-471e-9881-0439939A8EB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90CF068-C94A-4c4e-A85A-94C50967C0AD}	{310A7F65-9D48-43f2-89AB-878619D39031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B679271-5238-4d1d-9F4B-246228209B76}	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe

Executes dropped EXE 12 IoCs

pid	Process
452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe
4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe
2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe
1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe
4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe
4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe
3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe
1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe
4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe
1060	{0B679271-5238-4d1d-9F4B-246228209B76}.exe
4952	{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe
1444	{2A8C673C-8351-4a80-88D1-8C3B4C698734}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe
File created	C:\Windows\{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe
File created	C:\Windows\{0B679271-5238-4d1d-9F4B-246228209B76}.exe	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe
File created	C:\Windows\{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe	{0B679271-5238-4d1d-9F4B-246228209B76}.exe
File created	C:\Windows\{2A8C673C-8351-4a80-88D1-8C3B4C698734}.exe	{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe
File created	C:\Windows\{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
File created	C:\Windows\{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe
File created	C:\Windows\{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe
File created	C:\Windows\{5035244A-7892-471e-9881-0439939A8EB3}.exe	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe
File created	C:\Windows\{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe	{5035244A-7892-471e-9881-0439939A8EB3}.exe
File created	C:\Windows\{310A7F65-9D48-43f2-89AB-878619D39031}.exe	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe
File created	C:\Windows\{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe	{310A7F65-9D48-43f2-89AB-878619D39031}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4832	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe
Token: SeIncBasePriorityPrivilege	4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe
Token: SeIncBasePriorityPrivilege	2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe
Token: SeIncBasePriorityPrivilege	1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe
Token: SeIncBasePriorityPrivilege	4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe
Token: SeIncBasePriorityPrivilege	4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe
Token: SeIncBasePriorityPrivilege	3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe
Token: SeIncBasePriorityPrivilege	1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe
Token: SeIncBasePriorityPrivilege	4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe
Token: SeIncBasePriorityPrivilege	1060	{0B679271-5238-4d1d-9F4B-246228209B76}.exe
Token: SeIncBasePriorityPrivilege	4952	{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 452	4832	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	99
PID 4832 wrote to memory of 452	4832	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	99
PID 4832 wrote to memory of 452	4832	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	99
PID 4832 wrote to memory of 2348	4832	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	100
PID 4832 wrote to memory of 2348	4832	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	100
PID 4832 wrote to memory of 2348	4832	2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe	100
PID 452 wrote to memory of 4732	452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe	101
PID 452 wrote to memory of 4732	452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe	101
PID 452 wrote to memory of 4732	452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe	101
PID 452 wrote to memory of 4784	452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe	102
PID 452 wrote to memory of 4784	452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe	102
PID 452 wrote to memory of 4784	452	{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe	102
PID 4732 wrote to memory of 2100	4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe	105
PID 4732 wrote to memory of 2100	4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe	105
PID 4732 wrote to memory of 2100	4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe	105
PID 4732 wrote to memory of 3704	4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe	106
PID 4732 wrote to memory of 3704	4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe	106
PID 4732 wrote to memory of 3704	4732	{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe	106
PID 2100 wrote to memory of 1236	2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe	108
PID 2100 wrote to memory of 1236	2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe	108
PID 2100 wrote to memory of 1236	2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe	108
PID 2100 wrote to memory of 3260	2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe	109
PID 2100 wrote to memory of 3260	2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe	109
PID 2100 wrote to memory of 3260	2100	{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe	109
PID 1236 wrote to memory of 4364	1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe	110
PID 1236 wrote to memory of 4364	1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe	110
PID 1236 wrote to memory of 4364	1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe	110
PID 1236 wrote to memory of 1636	1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe	111
PID 1236 wrote to memory of 1636	1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe	111
PID 1236 wrote to memory of 1636	1236	{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe	111
PID 4364 wrote to memory of 4908	4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe	113
PID 4364 wrote to memory of 4908	4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe	113
PID 4364 wrote to memory of 4908	4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe	113
PID 4364 wrote to memory of 680	4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe	114
PID 4364 wrote to memory of 680	4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe	114
PID 4364 wrote to memory of 680	4364	{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe	114
PID 4908 wrote to memory of 3772	4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe	115
PID 4908 wrote to memory of 3772	4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe	115
PID 4908 wrote to memory of 3772	4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe	115
PID 4908 wrote to memory of 1484	4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe	116
PID 4908 wrote to memory of 1484	4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe	116
PID 4908 wrote to memory of 1484	4908	{5035244A-7892-471e-9881-0439939A8EB3}.exe	116
PID 3772 wrote to memory of 1920	3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe	117
PID 3772 wrote to memory of 1920	3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe	117
PID 3772 wrote to memory of 1920	3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe	117
PID 3772 wrote to memory of 4704	3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe	118
PID 3772 wrote to memory of 4704	3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe	118
PID 3772 wrote to memory of 4704	3772	{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe	118
PID 1920 wrote to memory of 4220	1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe	125
PID 1920 wrote to memory of 4220	1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe	125
PID 1920 wrote to memory of 4220	1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe	125
PID 1920 wrote to memory of 1732	1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe	126
PID 1920 wrote to memory of 1732	1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe	126
PID 1920 wrote to memory of 1732	1920	{310A7F65-9D48-43f2-89AB-878619D39031}.exe	126
PID 4220 wrote to memory of 1060	4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe	127
PID 4220 wrote to memory of 1060	4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe	127
PID 4220 wrote to memory of 1060	4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe	127
PID 4220 wrote to memory of 3676	4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe	128
PID 4220 wrote to memory of 3676	4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe	128
PID 4220 wrote to memory of 3676	4220	{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe	128
PID 1060 wrote to memory of 4952	1060	{0B679271-5238-4d1d-9F4B-246228209B76}.exe	132
PID 1060 wrote to memory of 4952	1060	{0B679271-5238-4d1d-9F4B-246228209B76}.exe	132
PID 1060 wrote to memory of 4952	1060	{0B679271-5238-4d1d-9F4B-246228209B76}.exe	132
PID 1060 wrote to memory of 4464	1060	{0B679271-5238-4d1d-9F4B-246228209B76}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-16_36f5f40cb2ae788e2316f43a765028ab_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe
  C:\Windows\{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe
    C:\Windows\{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe
      C:\Windows\{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe
        
        C:\Windows\{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe
        
        C:\Windows\{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{5035244A-7892-471e-9881-0439939A8EB3}.exe
        
        C:\Windows\{5035244A-7892-471e-9881-0439939A8EB3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe
        
        C:\Windows\{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\{310A7F65-9D48-43f2-89AB-878619D39031}.exe
        
        C:\Windows\{310A7F65-9D48-43f2-89AB-878619D39031}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe
        
        C:\Windows\{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{0B679271-5238-4d1d-9F4B-246228209B76}.exe
        
        C:\Windows\{0B679271-5238-4d1d-9F4B-246228209B76}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe
        
        C:\Windows\{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\{2A8C673C-8351-4a80-88D1-8C3B4C698734}.exe
        
        C:\Windows\{2A8C673C-8351-4a80-88D1-8C3B4C698734}.exe
        13⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE9F7~1.EXE > nul
        13⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B679~1.EXE > nul
        12⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D90CF~1.EXE > nul
        11⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{310A7~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50DBE~1.EXE > nul
        9⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50352~1.EXE > nul
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08BBF~1.EXE > nul
        7⤵
        
        PID:680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1BDF~1.EXE > nul
        6⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DEAA~1.EXE > nul
        5⤵
        
        PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3683D~1.EXE > nul
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7C76~1.EXE > nul
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08BBF059-3501-4b82-AA4A-3C5F4E2DE667}.exe

Filesize
204KB

MD5
2f550320e71e5d2522d1bc735ea2a531

SHA1
51b2fd9af435ddd89e3bda5bd5dfcac94f97448c

SHA256
858607dedc07401c2223705207b40f018678b2732384ce302897e1f5634b8838

SHA512
9147b9cd75e4454343908c1a72d21af2fccc63f964c6bd13503dfc7a778061ad33f260ab2f2aba908f16580366cb19b58d2db4ad544082942ce8268abc359163

Download Submit
C:\Windows\{0B679271-5238-4d1d-9F4B-246228209B76}.exe

Filesize
204KB

MD5
063e44663951455403727b24f1b34ee7

SHA1
10cacfd1d7d97823f2a3a230f8b3295630f2f3f9

SHA256
e90837f78b6021188ddb65dc5da05268ea6d86ad406e2b674c47d9f10f14ec68

SHA512
bbc4876ba180daac00fca5e808d1c60f2ff3820ad414661af5b3a6e36906d8eb7e59cafb522e3dd188571c2a70c7f021333c18ebace130114d80b5c15a16f6a4

Download Submit
C:\Windows\{2A8C673C-8351-4a80-88D1-8C3B4C698734}.exe

Filesize
204KB

MD5
4f307155dba184bd0fd4ad77e6a91f09

SHA1
aae75438ed1d4f45f80776144a86e4f9045d8b3c

SHA256
537d3b2181e7f86cab745cbba4f32d379abda2a26b0d8e57fbd312ab09510db7

SHA512
170179bcdbce5bcb54660ed1511a7a6c9e274a3d2e8b7a5869c68c83df6d472f520d8f84b1c42bb63f2245c747c9007942f61b41de8587878a0698e284c3e594

Download Submit
C:\Windows\{310A7F65-9D48-43f2-89AB-878619D39031}.exe

Filesize
204KB

MD5
a72039c9ff2577502c44689e1e505c39

SHA1
198e9249ddfba7aead2944be842d591b1c849591

SHA256
965ea356d625427316c01d9f66d23b441913e244a36460bda94a0be4e6d3a094

SHA512
75e92b0ce620147207bf3066e00310007173dc2187b8dd5aa1e3b4848b53abcada0deb8e37373f27c934442e840e2f26a1fb8e9e5bfd0c9560e988616e9c8b5e

Download Submit
C:\Windows\{3683DFD2-CB4C-46d7-A4DB-3DB316839352}.exe

Filesize
204KB

MD5
0e14b8c2d0c4fc22e057176658670174

SHA1
28a5383a1e3b53cacc87e20e8127c5e08ef0864c

SHA256
2711d94a6b910b1c307706e0036476db39587b5410b95937046f01033732b7a1

SHA512
b649ad8d86a4eb80dab0cbbbf06ef0e9bec1296201e1c3e214992079a4e64f30fabab7b4bd1ed413bf6ce225fecb4124283d45c987968b55aaa631ec2cb211f8

Download Submit
C:\Windows\{3DEAA064-7E70-4e5f-8313-CD8ABE4CC84F}.exe

Filesize
204KB

MD5
df11552c57d29fdd4c411f7d074b8ea4

SHA1
ef438caf47dcb1ca9f33d3f2358148ab0288822d

SHA256
ed80f3d9a13483217a2e5c56fc47ffb7958a90d7bee10d795bfc2e2fe58678dd

SHA512
16780499ba44c8072658e98bade1370cbd6ebe4321bbd357b842d0e29850b93c408c349ed9706606bf534aaae6e5c08dfab524818a70274855fd60e4f0ab6077

Download Submit
C:\Windows\{5035244A-7892-471e-9881-0439939A8EB3}.exe

Filesize
204KB

MD5
3d82f2a6d0851bd17364258193c9c2ab

SHA1
da835ac60645e93f651f2442904caf832f2b117e

SHA256
e7ed94df96e41ddaa4619a90b94445ad20193fb930030ebd710e465932943eee

SHA512
fed9b3c2dce27f35d860576f19286b5db7c94b992e1ccaab8233513cc68b68607eada0318ece9d51a1889a6de0b3731c1a726c3d0c0d3bdd20b0fecfc78e3959

Download Submit
C:\Windows\{50DBE2DF-0952-4258-AC11-B66EA5753A58}.exe

Filesize
204KB

MD5
8725457fd24f48598852ef5769c2d1fc

SHA1
fcf5b793bb357f276d41111e5d2c04ad77a770bc

SHA256
664cd88ebc88fc9cc58eab14a45f8ae7efd03ea3579159afa512e6de223e4fa1

SHA512
a6d3810e38b402ecb5cc0d1a72e1c53819f201033b35895697b93cfcf9c20754b0cae2bc3318aa8a1b608a59b3b56c2890b6cf4772869deb011c79f8b884b7c1

Download Submit
C:\Windows\{A1BDF3DD-2F2C-4a90-AEA7-821B071EA086}.exe

Filesize
204KB

MD5
2a07a3e5e2f705332b150eae763479f4

SHA1
43fe7b7b8c1cd5749a4e2b66be1811d0070fac64

SHA256
64c70e6c227acc746b5d8117c305618fcc9532f79afb2d5804de6764c6aafd6f

SHA512
cbb53adabe04c80a04db870252017692d95175585b6d85fcba6a92d4872744526078fa442fc44ef3227b4253fe03d55d3aee4a5da5db6efeab0f8e22f25c77bc

Download Submit
C:\Windows\{AE9F781F-A18C-4236-A8D1-C82FC0E5C7D8}.exe

Filesize
204KB

MD5
e556bec1bbdd8b6ff1f5603831a043e8

SHA1
1ab2a8ffaf7e6ef9ff37b2ada6becb444b2d8419

SHA256
757d1d3decd7e0273e5009381e6ed2119d3a780abfd38abb56834f9311c45b94

SHA512
cd267cc0cdf9b7e5802fdf3f0b8fb279f586d1e226ec3b4f8e2f28b85429c033d32778a2e22f4f7d5b12af739afe7f47fb37092dec85b9ebfbe995a81e231850

Download Submit
C:\Windows\{C7C76215-D8FD-4990-8F2B-650DC11338C9}.exe

Filesize
204KB

MD5
6a110857b84497855886ec73a40b4ec8

SHA1
574dc5e90ac5cdfdee866fa17b007b6036be47a8

SHA256
5cca90aa476b4c1bbbd86640810ef94e000e42f8655daa52ce0a8d7b8fa42690

SHA512
894d725a327d7a356052c28efa1900dd81242a804163a09729328fadb0b6d46b222d1844045b8f2c71a6946ecae0628193df1233216c95027a291938dc5ab737

Download Submit
C:\Windows\{D90CF068-C94A-4c4e-A85A-94C50967C0AD}.exe

Filesize
204KB

MD5
47f4a540442fd0e2054b0aa4be65408d

SHA1
72e61fa8c54bd1d39147243b384ff88876d2f412

SHA256
37640dd3a2d48893ff7d37f24741ce4bc4cd3de93ee88dce129a92803f67a5bf

SHA512
d0eb88951472e426badd91a4c02a2b57406fb4fcaf12fb292d66f91ac85b75b8077794c780bd841c8ea1a2d36c43cadd397e006b87337d03ab6e2ce306bf9c38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads