35711540397b8e223bb7f7e5b42bebaa530e1f4d979c95055793f88d50a07572

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 23:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe
Size

168KB
MD5

388dad3ba181065c5fa00d45402ce592
SHA1

c5647c8eca8a69cc060a2a03b7df81e95555f3d6
SHA256

35711540397b8e223bb7f7e5b42bebaa530e1f4d979c95055793f88d50a07572
SHA512

b62e25f6f611e9b64406710966e27a1634b24b1a4093462e3bae5d37191b62538b8258bf615e600d9e1ff15d09594025a7e96218e1b2d0fd45e88c384e5411e0
SSDEEP

1536:1EGh0ohlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023229-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023240-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023147-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a4-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023147-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c6-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233c8-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023144-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233c8-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002313a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233c8-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1202D96-D54F-4e94-9181-CC6314F5DF2E}\stubpath = "C:\\Windows\\{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe"	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}\stubpath = "C:\\Windows\\{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe"	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CD3926F-2CF4-4d76-AE12-94826443A962}	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E2CA243-D6F7-4533-9A7F-0A91458262AE}\stubpath = "C:\\Windows\\{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe"	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69DDBF12-FE14-440b-9DB0-951A400C2C55}\stubpath = "C:\\Windows\\{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe"	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CD3926F-2CF4-4d76-AE12-94826443A962}\stubpath = "C:\\Windows\\{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe"	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}\stubpath = "C:\\Windows\\{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe"	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7608A438-1EA9-48f7-931C-CF3E83B09403}	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C817E99B-0A61-4e25-95DD-7493DC577CBE}	{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C817E99B-0A61-4e25-95DD-7493DC577CBE}\stubpath = "C:\\Windows\\{C817E99B-0A61-4e25-95DD-7493DC577CBE}.exe"	{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}\stubpath = "C:\\Windows\\{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe"	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1202D96-D54F-4e94-9181-CC6314F5DF2E}	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437F6ACA-B528-494c-A32F-C0FD863FAF74}	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437F6ACA-B528-494c-A32F-C0FD863FAF74}\stubpath = "C:\\Windows\\{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe"	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69DDBF12-FE14-440b-9DB0-951A400C2C55}	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9176A689-820D-4299-AA66-B922C7F0B25A}	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9176A689-820D-4299-AA66-B922C7F0B25A}\stubpath = "C:\\Windows\\{9176A689-820D-4299-AA66-B922C7F0B25A}.exe"	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E2CA243-D6F7-4533-9A7F-0A91458262AE}	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}\stubpath = "C:\\Windows\\{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe"	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7608A438-1EA9-48f7-931C-CF3E83B09403}\stubpath = "C:\\Windows\\{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe"	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe
2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe
1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe
4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe
5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe
4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe
3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe
1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe
4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe
4492	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe
4092	{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe
4992	{C817E99B-0A61-4e25-95DD-7493DC577CBE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe
File created	C:\Windows\{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe
File created	C:\Windows\{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe
File created	C:\Windows\{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe
File created	C:\Windows\{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe
File created	C:\Windows\{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe
File created	C:\Windows\{9176A689-820D-4299-AA66-B922C7F0B25A}.exe	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe
File created	C:\Windows\{C817E99B-0A61-4e25-95DD-7493DC577CBE}.exe	{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe
File created	C:\Windows\{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe
File created	C:\Windows\{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe
File created	C:\Windows\{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe
File created	C:\Windows\{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1520	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe
Token: SeIncBasePriorityPrivilege	2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe
Token: SeIncBasePriorityPrivilege	1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe
Token: SeIncBasePriorityPrivilege	4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe
Token: SeIncBasePriorityPrivilege	5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe
Token: SeIncBasePriorityPrivilege	4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe
Token: SeIncBasePriorityPrivilege	3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe
Token: SeIncBasePriorityPrivilege	1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe
Token: SeIncBasePriorityPrivilege	4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe
Token: SeIncBasePriorityPrivilege	4492	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe
Token: SeIncBasePriorityPrivilege	4092	{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2704	1520	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe	99
PID 1520 wrote to memory of 2704	1520	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe	99
PID 1520 wrote to memory of 2704	1520	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe	99
PID 1520 wrote to memory of 1964	1520	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe	100
PID 1520 wrote to memory of 1964	1520	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe	100
PID 1520 wrote to memory of 1964	1520	2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe	100
PID 2704 wrote to memory of 2752	2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe	104
PID 2704 wrote to memory of 2752	2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe	104
PID 2704 wrote to memory of 2752	2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe	104
PID 2704 wrote to memory of 2772	2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe	105
PID 2704 wrote to memory of 2772	2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe	105
PID 2704 wrote to memory of 2772	2704	{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe	105
PID 2752 wrote to memory of 1700	2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe	108
PID 2752 wrote to memory of 1700	2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe	108
PID 2752 wrote to memory of 1700	2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe	108
PID 2752 wrote to memory of 4072	2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe	109
PID 2752 wrote to memory of 4072	2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe	109
PID 2752 wrote to memory of 4072	2752	{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe	109
PID 1700 wrote to memory of 4928	1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe	110
PID 1700 wrote to memory of 4928	1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe	110
PID 1700 wrote to memory of 4928	1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe	110
PID 1700 wrote to memory of 4804	1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe	111
PID 1700 wrote to memory of 4804	1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe	111
PID 1700 wrote to memory of 4804	1700	{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe	111
PID 4928 wrote to memory of 5012	4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe	112
PID 4928 wrote to memory of 5012	4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe	112
PID 4928 wrote to memory of 5012	4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe	112
PID 4928 wrote to memory of 3388	4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe	113
PID 4928 wrote to memory of 3388	4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe	113
PID 4928 wrote to memory of 3388	4928	{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe	113
PID 5012 wrote to memory of 4376	5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe	115
PID 5012 wrote to memory of 4376	5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe	115
PID 5012 wrote to memory of 4376	5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe	115
PID 5012 wrote to memory of 4672	5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe	116
PID 5012 wrote to memory of 4672	5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe	116
PID 5012 wrote to memory of 4672	5012	{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe	116
PID 4376 wrote to memory of 3984	4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe	117
PID 4376 wrote to memory of 3984	4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe	117
PID 4376 wrote to memory of 3984	4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe	117
PID 4376 wrote to memory of 4352	4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe	118
PID 4376 wrote to memory of 4352	4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe	118
PID 4376 wrote to memory of 4352	4376	{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe	118
PID 3984 wrote to memory of 1368	3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe	119
PID 3984 wrote to memory of 1368	3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe	119
PID 3984 wrote to memory of 1368	3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe	119
PID 3984 wrote to memory of 3216	3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe	120
PID 3984 wrote to memory of 3216	3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe	120
PID 3984 wrote to memory of 3216	3984	{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe	120
PID 1368 wrote to memory of 4736	1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe	127
PID 1368 wrote to memory of 4736	1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe	127
PID 1368 wrote to memory of 4736	1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe	127
PID 1368 wrote to memory of 1784	1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe	128
PID 1368 wrote to memory of 1784	1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe	128
PID 1368 wrote to memory of 1784	1368	{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe	128
PID 4736 wrote to memory of 4492	4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe	129
PID 4736 wrote to memory of 4492	4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe	129
PID 4736 wrote to memory of 4492	4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe	129
PID 4736 wrote to memory of 4412	4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe	130
PID 4736 wrote to memory of 4412	4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe	130
PID 4736 wrote to memory of 4412	4736	{9176A689-820D-4299-AA66-B922C7F0B25A}.exe	130
PID 4492 wrote to memory of 4092	4492	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe	134
PID 4492 wrote to memory of 4092	4492	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe	134
PID 4492 wrote to memory of 4092	4492	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe	134
PID 4492 wrote to memory of 3712	4492	{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_388dad3ba181065c5fa00d45402ce592_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe
  C:\Windows\{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe
    C:\Windows\{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe
      C:\Windows\{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe
        
        C:\Windows\{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Windows\{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe
        
        C:\Windows\{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe
        
        C:\Windows\{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe
        
        C:\Windows\{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe
        
        C:\Windows\{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{9176A689-820D-4299-AA66-B922C7F0B25A}.exe
        
        C:\Windows\{9176A689-820D-4299-AA66-B922C7F0B25A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe
        
        C:\Windows\{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe
        
        C:\Windows\{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\{C817E99B-0A61-4e25-95DD-7493DC577CBE}.exe
        
        C:\Windows\{C817E99B-0A61-4e25-95DD-7493DC577CBE}.exe
        13⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7608A~1.EXE > nul
        13⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAAD~1.EXE > nul
        12⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9176A~1.EXE > nul
        11⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CD39~1.EXE > nul
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69DDB~1.EXE > nul
        9⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{437F6~1.EXE > nul
        8⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7865D~1.EXE > nul
        7⤵
        
        PID:4672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1202~1.EXE > nul
        6⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8DD5~1.EXE > nul
        5⤵
        
        PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B4D~1.EXE > nul
      4⤵
      PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4E2CA~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2CD3926F-2CF4-4d76-AE12-94826443A962}.exe

Filesize
168KB

MD5
cf828e47d77717481acfa3b6dfc9ec5b

SHA1
73d113888b5f9531afea3ac6de0107d5c7f2a0da

SHA256
483980f8e3b0ad02d9c064df5bdf36680c9bed2e364af35955bc76aeb0b04177

SHA512
002ae006effe22e5605c2aaf5ef2113ce46f486ce905351a97b272aa15af7b3d28388c8ff5a0d915f2f1346c759aec2e9686bbd9869008a9cd2d04d7bb2bbe11

Download Submit
C:\Windows\{437F6ACA-B528-494c-A32F-C0FD863FAF74}.exe

Filesize
168KB

MD5
137247de4f78e74a3b05ee61655d73fe

SHA1
cb01a25edb040aedc2068cc3dcffb3b74d4a0a9b

SHA256
dd1a1e194ba3bcbb95000ca2050007cdb9045a78902d87206e82286f74fe49e6

SHA512
e8346ecf56898d03b92227e5da0a334f54232149bec6e356683284af894fb145d1c7ecba3dff52a274ed8d855196b6223b93b03d0c912c5c8da24d4482474f20

Download Submit
C:\Windows\{4E2CA243-D6F7-4533-9A7F-0A91458262AE}.exe

Filesize
168KB

MD5
d0d5903a1ee1da5afe304e719a3f397f

SHA1
a0b944be5d1b12c99e75b02312b1d959d4a88b20

SHA256
02f601c5fbf0adf49532d15a03fda7dd85267b688958352c8d853e2aaae9fdeb

SHA512
6207ec65942a3483ff06935863478fdc24f71f1953324d12f347403bbad81a3bee6c35ce486c64e563f8b4315113c9e808ed582a3ba070da02230537fa888061

Download Submit
C:\Windows\{69DDBF12-FE14-440b-9DB0-951A400C2C55}.exe

Filesize
168KB

MD5
26ec8ef4b2443be98ed9c07e1418d8e3

SHA1
c58b867549bc31fa9564d2474088d61c7f7db6bb

SHA256
a441b94b8b1b0c8f7efc343dfe9a76a9bd0c93142b568be88a8820d1883173a9

SHA512
b49711893042c0791a70ca0839c286f7b36b621d48fce141ca15d1c23a0d34be6c266c8df833be2d3774b2f12922321ce5d42b1489df6ab2e42e7778830ddbae

Download Submit
C:\Windows\{7608A438-1EA9-48f7-931C-CF3E83B09403}.exe

Filesize
168KB

MD5
fed1553c41c6828e599f86b957473b98

SHA1
044557d4f58a63584866d493e3ac9740fd5d9eb1

SHA256
30a46222eda6072278553228eb72a8a9e42af159502f76de7e66121cee38c625

SHA512
af55fcf4306052a796cc5edc4b039dc42cefe2999270c6c36a975da2c8212278e915c75056c2165aea958df12ed3f1aa7fc4cadec4a6c7dac2c297fff1f8019a

Download Submit
C:\Windows\{7865D58F-9FD7-4d5d-A007-7AE3C98F8F05}.exe

Filesize
168KB

MD5
fb552183cca79c6a804f3316e49102bd

SHA1
443e1625c3ecfdf30ed8a3a05f64455ff477a216

SHA256
be6326cda89188dcc3ef916543d97cd5b8c18794c0357cd0f39572040aece2c2

SHA512
3e5126d113567852860c9f35c13ca9b4668492b13a21bcde5ac0410f3935d31511df54cdbbfddef9e29fcc11f9e30c2cfc2eec8d02df97890c8b5209d905efa7

Download Submit
C:\Windows\{9176A689-820D-4299-AA66-B922C7F0B25A}.exe

Filesize
168KB

MD5
a9b43bf3fa8f776934fdb397ab3b2ddd

SHA1
809a42fb8fc2549d7264b1b184011b38b1591d54

SHA256
d25ea70fb0fb4f42828c910aca1aea2509bb242c45b610124d329fb64378295a

SHA512
434d926c3a657351371d01f946e40bde21da0dde847d31dd6cbde007f40bafb4bbeabe7a4c1e521e6d73c5a09c7b64b2920f8a816d9ca4cf8cfe22f57617607e

Download Submit
C:\Windows\{B7B4D80D-C0AA-46aa-930B-A168C1C338CF}.exe

Filesize
168KB

MD5
bb4ff1949762f2f259949325ac2b1d03

SHA1
e0879af42fde638dd44d90c6aaf987aa1694ee5a

SHA256
eb891e6844b15934870014d6719461dc1b00bc8c67cae69edb195eb08af9d8b2

SHA512
3962205a14b7cf6f4e070338e08bc33e1ef01e3c486717e6d3d52d241c22f97817c56c82ad1d83d4c6e93ff6fb83549e17c6debc82ea29f31368e1cfe0af3999

Download Submit
C:\Windows\{C817E99B-0A61-4e25-95DD-7493DC577CBE}.exe

Filesize
168KB

MD5
7206c0d6c715d3c4e9955006cdf62e13

SHA1
acda2a47041b1b620a68c5caa20ced95a887c713

SHA256
71543a70b9f2fba168517423b02b1e0ebd57a52076029d2183053716effafc10

SHA512
a4d0551443c24b9cb5d7d0ee5ec390e961dc6049f08cb9b7057d80127faae5b822b35b7e5c1ce5a39789267b8ed6fd25b67ea5fc3b0fd9a31ccecca218e9beee

Download Submit
C:\Windows\{C8DD5F82-BBDD-4347-A12B-FA6AC4976856}.exe

Filesize
168KB

MD5
caebe09b2012ffda08fe2c0a3440882b

SHA1
9508fd180d436a2559f8856cba97a371fc3ced5e

SHA256
9865cc25bd127752b4702c1e2ce3fc2b0d985954bfdb3f48653f32136880abb1

SHA512
2efa36a1f7c86be398cecb5bf7593d3098743cab994b86f38fdd1496bb7c0d93a8300d03c47d317f83344d371d72a7fa30b9c903ceee2bb2c66a3f8271c89207

Download Submit
C:\Windows\{CFAAD98C-1D0C-4569-B7C7-6382E0498EF0}.exe

Filesize
168KB

MD5
5c1ab51c2d182cc066b5183c6e1c0a05

SHA1
6e2810146804df3ae6ec4c82db1119f2cc99c900

SHA256
28ada8ca809de05b82724c21a29e7db82b93e0daaed48fbd82797f67d4ece887

SHA512
abfb6eccc0a5bb8eeaaba510e613d3b5482fe7ff539a1729aa3fc9c40c6ca55678e2ab34faa016cff2adbcde07d323b77509851ac5d872f3ad3a39f9861b6d73

Download Submit
C:\Windows\{F1202D96-D54F-4e94-9181-CC6314F5DF2E}.exe

Filesize
168KB

MD5
cd72686c9f1714f83ee3fee303932c37

SHA1
fce97df881184bdecf70499a8b99a3175735b258

SHA256
875bd1db1c14d9e2f665b2419323cbc2ec8a9ecf8045446597d00919f6d72f93

SHA512
101bdbd9a23e715fe5d2432a9de7cc1e2e2379d0b6e95241a77045dc9eea30c777ea02a12e4c31dd57b1687248600363fff30f79e0e11f9ae8c8a015d08c9b9e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads