d0ac4654f1072521207ac65688bfa944ff00e2ce4af3be6078d006836349c3e0

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe
Size

344KB
MD5

72958426f7f58eabf999e3c58661bce6
SHA1

b75935ac3301a08745abd72bf7d73d963761617a
SHA256

d0ac4654f1072521207ac65688bfa944ff00e2ce4af3be6078d006836349c3e0
SHA512

633b423d657044052041047ad8f53025d3ba4ac77b77bdceef4922faa51ab533c96e98345624117f8bae9a1a92ac410486a6f248550db6bca9a60ee040d7c38a
SSDEEP

3072:mEGh0oelEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG8lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231ff-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023206-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023206-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320a-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023206-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002320a-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023224-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000230f9-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023104-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002311f-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96342A3F-4DCD-4522-9F01-DB7E67FF1458}\stubpath = "C:\\Windows\\{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe"	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01E57AC-7B75-4daf-AA90-194B42575A17}	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F89969-F3DE-4290-9D2D-E34535A44B70}	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00F410CB-74E9-4f6f-97CE-20D4155C86AF}\stubpath = "C:\\Windows\\{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe"	{684583A8-F166-4520-B784-29C3AF42FE41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{672C3B48-F39B-4b25-923C-DE34B4BD8163}\stubpath = "C:\\Windows\\{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe"	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB88B87E-678B-4234-9BBC-61C48446A96B}\stubpath = "C:\\Windows\\{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe"	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562B2282-00F9-4d15-B311-F0E5B2A5D323}	{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}\stubpath = "C:\\Windows\\{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe"	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D884DFD-2293-4316-9198-54A9EF427D8F}\stubpath = "C:\\Windows\\{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe"	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{486E5760-D095-434a-A07F-D3016688D5A5}\stubpath = "C:\\Windows\\{486E5760-D095-434a-A07F-D3016688D5A5}.exe"	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684583A8-F166-4520-B784-29C3AF42FE41}\stubpath = "C:\\Windows\\{684583A8-F166-4520-B784-29C3AF42FE41}.exe"	{486E5760-D095-434a-A07F-D3016688D5A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562B2282-00F9-4d15-B311-F0E5B2A5D323}\stubpath = "C:\\Windows\\{562B2282-00F9-4d15-B311-F0E5B2A5D323}.exe"	{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96342A3F-4DCD-4522-9F01-DB7E67FF1458}	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D884DFD-2293-4316-9198-54A9EF427D8F}	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{486E5760-D095-434a-A07F-D3016688D5A5}	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684583A8-F166-4520-B784-29C3AF42FE41}	{486E5760-D095-434a-A07F-D3016688D5A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{672C3B48-F39B-4b25-923C-DE34B4BD8163}	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01E57AC-7B75-4daf-AA90-194B42575A17}\stubpath = "C:\\Windows\\{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe"	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}\stubpath = "C:\\Windows\\{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe"	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F89969-F3DE-4290-9D2D-E34535A44B70}\stubpath = "C:\\Windows\\{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe"	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00F410CB-74E9-4f6f-97CE-20D4155C86AF}	{684583A8-F166-4520-B784-29C3AF42FE41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB88B87E-678B-4234-9BBC-61C48446A96B}	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe

Executes dropped EXE 12 IoCs

pid	Process
4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe
668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe
3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe
2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe
3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe
1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe
3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe
1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe
3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe
4988	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe
2028	{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe
4696	{562B2282-00F9-4d15-B311-F0E5B2A5D323}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe
File created	C:\Windows\{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe
File created	C:\Windows\{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe
File created	C:\Windows\{486E5760-D095-434a-A07F-D3016688D5A5}.exe	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe
File created	C:\Windows\{684583A8-F166-4520-B784-29C3AF42FE41}.exe	{486E5760-D095-434a-A07F-D3016688D5A5}.exe
File created	C:\Windows\{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe	{684583A8-F166-4520-B784-29C3AF42FE41}.exe
File created	C:\Windows\{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe
File created	C:\Windows\{562B2282-00F9-4d15-B311-F0E5B2A5D323}.exe	{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe
File created	C:\Windows\{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe
File created	C:\Windows\{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe
File created	C:\Windows\{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe
File created	C:\Windows\{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4796	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe
Token: SeIncBasePriorityPrivilege	668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe
Token: SeIncBasePriorityPrivilege	3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe
Token: SeIncBasePriorityPrivilege	2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe
Token: SeIncBasePriorityPrivilege	3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe
Token: SeIncBasePriorityPrivilege	1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe
Token: SeIncBasePriorityPrivilege	3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe
Token: SeIncBasePriorityPrivilege	1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe
Token: SeIncBasePriorityPrivilege	3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe
Token: SeIncBasePriorityPrivilege	4988	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe
Token: SeIncBasePriorityPrivilege	2028	{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4432	4796	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe	97
PID 4796 wrote to memory of 4432	4796	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe	97
PID 4796 wrote to memory of 4432	4796	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe	97
PID 4796 wrote to memory of 1684	4796	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe	98
PID 4796 wrote to memory of 1684	4796	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe	98
PID 4796 wrote to memory of 1684	4796	2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe	98
PID 4432 wrote to memory of 668	4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe	102
PID 4432 wrote to memory of 668	4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe	102
PID 4432 wrote to memory of 668	4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe	102
PID 4432 wrote to memory of 3540	4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe	103
PID 4432 wrote to memory of 3540	4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe	103
PID 4432 wrote to memory of 3540	4432	{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe	103
PID 668 wrote to memory of 3712	668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe	106
PID 668 wrote to memory of 3712	668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe	106
PID 668 wrote to memory of 3712	668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe	106
PID 668 wrote to memory of 4508	668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe	107
PID 668 wrote to memory of 4508	668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe	107
PID 668 wrote to memory of 4508	668	{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe	107
PID 3712 wrote to memory of 2836	3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe	108
PID 3712 wrote to memory of 2836	3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe	108
PID 3712 wrote to memory of 2836	3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe	108
PID 3712 wrote to memory of 1864	3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe	109
PID 3712 wrote to memory of 1864	3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe	109
PID 3712 wrote to memory of 1864	3712	{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe	109
PID 2836 wrote to memory of 3408	2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe	110
PID 2836 wrote to memory of 3408	2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe	110
PID 2836 wrote to memory of 3408	2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe	110
PID 2836 wrote to memory of 2420	2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe	111
PID 2836 wrote to memory of 2420	2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe	111
PID 2836 wrote to memory of 2420	2836	{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe	111
PID 3408 wrote to memory of 1392	3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe	113
PID 3408 wrote to memory of 1392	3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe	113
PID 3408 wrote to memory of 1392	3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe	113
PID 3408 wrote to memory of 840	3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe	114
PID 3408 wrote to memory of 840	3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe	114
PID 3408 wrote to memory of 840	3408	{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe	114
PID 1392 wrote to memory of 3940	1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe	115
PID 1392 wrote to memory of 3940	1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe	115
PID 1392 wrote to memory of 3940	1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe	115
PID 1392 wrote to memory of 3880	1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe	116
PID 1392 wrote to memory of 3880	1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe	116
PID 1392 wrote to memory of 3880	1392	{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe	116
PID 3940 wrote to memory of 1840	3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe	117
PID 3940 wrote to memory of 1840	3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe	117
PID 3940 wrote to memory of 1840	3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe	117
PID 3940 wrote to memory of 3572	3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe	118
PID 3940 wrote to memory of 3572	3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe	118
PID 3940 wrote to memory of 3572	3940	{486E5760-D095-434a-A07F-D3016688D5A5}.exe	118
PID 1840 wrote to memory of 3160	1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe	123
PID 1840 wrote to memory of 3160	1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe	123
PID 1840 wrote to memory of 3160	1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe	123
PID 1840 wrote to memory of 1044	1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe	124
PID 1840 wrote to memory of 1044	1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe	124
PID 1840 wrote to memory of 1044	1840	{684583A8-F166-4520-B784-29C3AF42FE41}.exe	124
PID 3160 wrote to memory of 4988	3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe	128
PID 3160 wrote to memory of 4988	3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe	128
PID 3160 wrote to memory of 4988	3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe	128
PID 3160 wrote to memory of 1468	3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe	129
PID 3160 wrote to memory of 1468	3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe	129
PID 3160 wrote to memory of 1468	3160	{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe	129
PID 4988 wrote to memory of 2028	4988	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe	130
PID 4988 wrote to memory of 2028	4988	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe	130
PID 4988 wrote to memory of 2028	4988	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe	130
PID 4988 wrote to memory of 1140	4988	{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_72958426f7f58eabf999e3c58661bce6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe
  C:\Windows\{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe
    C:\Windows\{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe
      C:\Windows\{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe
        
        C:\Windows\{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe
        
        C:\Windows\{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe
        
        C:\Windows\{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{486E5760-D095-434a-A07F-D3016688D5A5}.exe
        
        C:\Windows\{486E5760-D095-434a-A07F-D3016688D5A5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{684583A8-F166-4520-B784-29C3AF42FE41}.exe
        
        C:\Windows\{684583A8-F166-4520-B784-29C3AF42FE41}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe
        
        C:\Windows\{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe
        
        C:\Windows\{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe
        
        C:\Windows\{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{562B2282-00F9-4d15-B311-F0E5B2A5D323}.exe
        
        C:\Windows\{562B2282-00F9-4d15-B311-F0E5B2A5D323}.exe
        13⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB88B~1.EXE > nul
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{672C3~1.EXE > nul
        12⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00F41~1.EXE > nul
        11⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68458~1.EXE > nul
        10⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{486E5~1.EXE > nul
        9⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F89~1.EXE > nul
        8⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D884~1.EXE > nul
        7⤵
        
        PID:840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83E90~1.EXE > nul
        6⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E294E~1.EXE > nul
        5⤵
        
        PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C01E5~1.EXE > nul
      4⤵
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{96342~1.EXE > nul
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00F410CB-74E9-4f6f-97CE-20D4155C86AF}.exe

Filesize
344KB

MD5
c400c386ecd1075ab200bdec692b33ae

SHA1
77e3322bd8d4c894617258a5abc821fcb17e177e

SHA256
3d5ca6483af31eb15058ad70218907d1c54f0e7f8a0715eaf9316a04575e21a9

SHA512
448c3c66d910a65f43a5722591ffb2f453e5db516c62d61cec51a78259aa07ba4a65c8c1035c2cc8b6e2a5062c72d554ad3aeffee5af07aa39ca08da27788001

Download Submit
C:\Windows\{486E5760-D095-434a-A07F-D3016688D5A5}.exe

Filesize
344KB

MD5
f2de2eeef5dbb0c992e23f2b54617cb4

SHA1
ae8a9d7ebfa4f00503a6409436808a389c7fa7c8

SHA256
051562ceaffa73b417c50f024a38929b19d469fe994c583f6ebe5257787d59af

SHA512
9aa8106a701d692b6c1dc173355109b970d7e39088f066d039c9ccd304605f10f509b34cbc99200926328a1763cdb14886e7e2ea4db979ebfbaf0cf3fa19e769

Download Submit
C:\Windows\{4D884DFD-2293-4316-9198-54A9EF427D8F}.exe

Filesize
344KB

MD5
4b359a032afd9faf2b13ba6ce2541152

SHA1
989a423a16f7979324fd1b329f3e26d6d96296da

SHA256
c4ba3791f6fe209fb7167913512b111f4d91ea0190588d39f8ce869d9b7eaa75

SHA512
2d4c1dde8a3f9d237177ec0bd83269a0a2375931292ad6d083740e7dce289d7cd3881897fbd1e73081d4781034c02bab8e3cc43120ae6b86621adca213adbafe

Download Submit
C:\Windows\{562B2282-00F9-4d15-B311-F0E5B2A5D323}.exe

Filesize
344KB

MD5
46acfc555c73ba68f99f54ac6f428499

SHA1
6c7e01062303a03c0e49f1fbd268d03b622020d3

SHA256
8520c2a23e2790e1ae2750ecb2a8f81323b6b820c490e4418b5a19e181bde341

SHA512
10ed3bf81239e2416be06e4a75a96496038a47c23065ff3759a8ff3deb5d925ab7807ac2f2ca4687262b8147af61d2ffffb93386938bfaa5b4c8c258093ad8e9

Download Submit
C:\Windows\{672C3B48-F39B-4b25-923C-DE34B4BD8163}.exe

Filesize
344KB

MD5
8df4a872478bd8a6a3c82ad9e430cffb

SHA1
8aaf3d84ae244859e5db002363f0fe89accb19a1

SHA256
d74bf21c2fc99c91997b16803b7fedd429e4008e067a4db89710cee0105955b6

SHA512
913f439429f7ca25a1030b6b2ed9d784f8214a518515e71f7837d4f0a2b135a2e47de9b3643fb4839146302aa47e599ce4247fadb9fba287c0c957d1b7450f7f

Download Submit
C:\Windows\{684583A8-F166-4520-B784-29C3AF42FE41}.exe

Filesize
344KB

MD5
95bb50281ceaa66810ce58d008bee0b7

SHA1
5f079cd43f465a19acfae8a2a518c8ef05567b17

SHA256
1da601fd818946943aad4790d8dec2695e0f23650f0d92b9c45c62d8a33ed9fd

SHA512
585efc63e3d93e1bf841bf4696bc84da00dbd73a528d77d7e67bedecc5b6caf739e38e06ec2dbc8f1371451133701e34516a5bd3d24637906e664b68be78c9ba

Download Submit
C:\Windows\{83E90B61-3BA0-4efa-8EF5-D31B8C9B5D8F}.exe

Filesize
344KB

MD5
ecabce5b6611c2083ce4f6be1ffb7fb9

SHA1
6b727de8b2499bc15f9363e81ececd1cfa71c1db

SHA256
47805b447edba3c2bfb795840d09ebe66adbc58f20c032ff8d2f2ff3ee0d3da4

SHA512
34da3292dde0fdc5be5dc06c884b3357abe9449f500a6e4d248d5984ebdda76205ee4853413dd03a23791299064ddadc3b7e069b9dc8f17125cd3444c784e554

Download Submit
C:\Windows\{96342A3F-4DCD-4522-9F01-DB7E67FF1458}.exe

Filesize
344KB

MD5
dd89881cd999c7d56bfaebafd43bc769

SHA1
68db876b12a0a452c0ed638abe45f9067e1f264a

SHA256
1708c771d46c96c4a685ff56a9a351917ff8cbbdcaf1997d09d97eb21c148ab6

SHA512
75f8c1a9fb02e2ed4108a27b3b1fb1eedd70df11689715a489c75ad9269c679a4d8c4274a541fc07cb94fea4fac23d85f9443f9b379aad37963cfb34bba1835e

Download Submit
C:\Windows\{BB88B87E-678B-4234-9BBC-61C48446A96B}.exe

Filesize
344KB

MD5
8949723b23b07a1d2b5aecceb7c98274

SHA1
7ba5dcdf89a6da6174f4388f7e1b54d67ce8409d

SHA256
68c7f417758dac66ad9994af4f791d3aa3a5dfa05b816793a496be4fb78ab2c3

SHA512
2f45992d7c8e9558455e723e30b5f3937d8ba5e681efc5ce20014a071f760108109d0f6c02a57cae7284a7c7c8a346fae12f2b5797a92a8b626353cc81d9996e

Download Submit
C:\Windows\{C01E57AC-7B75-4daf-AA90-194B42575A17}.exe

Filesize
344KB

MD5
30bac5e24fc3fba212d2890a09a42693

SHA1
3b79018a2bfdee62f7fff074c6e28654db91ae48

SHA256
54aa2aee8333c1b6c4ae773f712b7f2f0fefa47ef7f871b45fc330dbafd25418

SHA512
b510644da01c93323c7e819de702403169c240e767d15a662cbfeb16a74e4f7d151a2db8de57001861dc48d5335206789a7b2ac9ff6055dcb99dc8722a53a36d

Download Submit
C:\Windows\{E294EC9D-A0D9-45a5-8CE9-AE323709F1C8}.exe

Filesize
344KB

MD5
7de8f3a43f09a5a2ba8fb5c12cb6ec98

SHA1
5b036bbaf1c8eacf221a06b7df717c034ab7e17b

SHA256
eeb11da163ed7fcaee008f29290b493bc9f736315072597f08cb375f50e91196

SHA512
d760e9b8421e8bcc61ea2eb4123367ac1fbc3b74c1312e6c3d651b8a9002e85772cffc8c3e7ddd8666c580b50d801bf106520a5b87414fabb4acc51cd12ee737

Download Submit
C:\Windows\{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe

Filesize
77KB

MD5
23c59661bc67af9f89d3c81e9120c277

SHA1
dfe2b9920f01c69b639966794a009868ff468e17

SHA256
140833f69acb4034234090f792d1318be3606f96db02122f8cedee7a7048d4c9

SHA512
f0adae80aebeb56fc80ce93254a95dea2e9a391b5df5cb12aeb3e298fb342a9a090e667374fdaa60f739d595dbeb8efd49b263bf12a3c52d3e2a130b2459ee0a

Download Submit
C:\Windows\{F0F89969-F3DE-4290-9D2D-E34535A44B70}.exe

Filesize
158KB

MD5
9d3f3f6aab29d23045e92e70bac87a29

SHA1
0acc29eb82b3cccd82231b13c6da32ffac885b81

SHA256
43a1472194362384bf4bb7708d90662e13a093e5c26fe45084099e663ec08b5d

SHA512
6a722215f0737b51761fd413af667fc0d9af0f593fdd19d073981ae8e78b8f0ee79f2c45ecdd9f1ba3ce88d458b949babdf705d6d8278eb849906540791eb763

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads