b15c89c1cf24cfafd11e66edbfec6ca074d7f0efdf77271f0a8949306768f8bd

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 07:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe
Size

216KB
MD5

5485b1d9a6ccb2c6fd41972cebee8199
SHA1

d59625083eb07b20562912afbc7cb778463a945c
SHA256

b15c89c1cf24cfafd11e66edbfec6ca074d7f0efdf77271f0a8949306768f8bd
SHA512

45fb70d434f37b887ed06be1831726a48cb10d35df84a76f02f6d6b587e8dca23b6062e340b644b4b357f5e029539891b1cd3138d59bf7e835d9b296c22d5546
SSDEEP

3072:jEGh0oWl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGclEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023204-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023216-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023216-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002321c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002321c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023239-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002311d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023122-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023136-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}\stubpath = "C:\\Windows\\{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe"	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87B3075A-F0CF-49ba-9005-26E615091A18}\stubpath = "C:\\Windows\\{87B3075A-F0CF-49ba-9005-26E615091A18}.exe"	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30986BFC-94F0-43b0-86C5-DDD2661157AE}\stubpath = "C:\\Windows\\{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe"	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7682C206-BCB5-47f0-8A53-A882BDC62211}\stubpath = "C:\\Windows\\{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe"	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A8480FD-0493-43a4-BA7D-CE71207254C5}\stubpath = "C:\\Windows\\{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe"	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}\stubpath = "C:\\Windows\\{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe"	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1AC2EE7-7B1F-4898-8ACD-54954712F158}	{096DD5ED-563F-406d-82F2-59515584984E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096DD5ED-563F-406d-82F2-59515584984E}	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096DD5ED-563F-406d-82F2-59515584984E}\stubpath = "C:\\Windows\\{096DD5ED-563F-406d-82F2-59515584984E}.exe"	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3742CCE7-D108-4421-B9B0-389AE82AEF3B}	{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7682C206-BCB5-47f0-8A53-A882BDC62211}	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}\stubpath = "C:\\Windows\\{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe"	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}\stubpath = "C:\\Windows\\{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe"	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A8480FD-0493-43a4-BA7D-CE71207254C5}	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87B3075A-F0CF-49ba-9005-26E615091A18}	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30986BFC-94F0-43b0-86C5-DDD2661157AE}	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}\stubpath = "C:\\Windows\\{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe"	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1AC2EE7-7B1F-4898-8ACD-54954712F158}\stubpath = "C:\\Windows\\{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe"	{096DD5ED-563F-406d-82F2-59515584984E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3742CCE7-D108-4421-B9B0-389AE82AEF3B}\stubpath = "C:\\Windows\\{3742CCE7-D108-4421-B9B0-389AE82AEF3B}.exe"	{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe

Executes dropped EXE 12 IoCs

pid	Process
4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe
4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe
116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe
2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe
4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe
3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe
4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe
4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe
4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe
4764	{096DD5ED-563F-406d-82F2-59515584984E}.exe
3044	{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe
1048	{3742CCE7-D108-4421-B9B0-389AE82AEF3B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe
File created	C:\Windows\{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe
File created	C:\Windows\{87B3075A-F0CF-49ba-9005-26E615091A18}.exe	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe
File created	C:\Windows\{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe	{096DD5ED-563F-406d-82F2-59515584984E}.exe
File created	C:\Windows\{3742CCE7-D108-4421-B9B0-389AE82AEF3B}.exe	{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe
File created	C:\Windows\{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe
File created	C:\Windows\{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe
File created	C:\Windows\{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe
File created	C:\Windows\{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe
File created	C:\Windows\{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe
File created	C:\Windows\{096DD5ED-563F-406d-82F2-59515584984E}.exe	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe
File created	C:\Windows\{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe
Token: SeIncBasePriorityPrivilege	4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe
Token: SeIncBasePriorityPrivilege	116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe
Token: SeIncBasePriorityPrivilege	2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe
Token: SeIncBasePriorityPrivilege	4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe
Token: SeIncBasePriorityPrivilege	3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe
Token: SeIncBasePriorityPrivilege	4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe
Token: SeIncBasePriorityPrivilege	4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe
Token: SeIncBasePriorityPrivilege	4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe
Token: SeIncBasePriorityPrivilege	4764	{096DD5ED-563F-406d-82F2-59515584984E}.exe
Token: SeIncBasePriorityPrivilege	3044	{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4240	2320	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe	93
PID 2320 wrote to memory of 4240	2320	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe	93
PID 2320 wrote to memory of 4240	2320	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe	93
PID 2320 wrote to memory of 5004	2320	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe	94
PID 2320 wrote to memory of 5004	2320	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe	94
PID 2320 wrote to memory of 5004	2320	2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe	94
PID 4240 wrote to memory of 4352	4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe	103
PID 4240 wrote to memory of 4352	4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe	103
PID 4240 wrote to memory of 4352	4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe	103
PID 4240 wrote to memory of 4256	4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe	104
PID 4240 wrote to memory of 4256	4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe	104
PID 4240 wrote to memory of 4256	4240	{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe	104
PID 4352 wrote to memory of 116	4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe	106
PID 4352 wrote to memory of 116	4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe	106
PID 4352 wrote to memory of 116	4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe	106
PID 4352 wrote to memory of 4332	4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe	107
PID 4352 wrote to memory of 4332	4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe	107
PID 4352 wrote to memory of 4332	4352	{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe	107
PID 116 wrote to memory of 2960	116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe	111
PID 116 wrote to memory of 2960	116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe	111
PID 116 wrote to memory of 2960	116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe	111
PID 116 wrote to memory of 1768	116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe	112
PID 116 wrote to memory of 1768	116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe	112
PID 116 wrote to memory of 1768	116	{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe	112
PID 2960 wrote to memory of 4516	2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe	113
PID 2960 wrote to memory of 4516	2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe	113
PID 2960 wrote to memory of 4516	2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe	113
PID 2960 wrote to memory of 4912	2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe	114
PID 2960 wrote to memory of 4912	2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe	114
PID 2960 wrote to memory of 4912	2960	{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe	114
PID 4516 wrote to memory of 3608	4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe	116
PID 4516 wrote to memory of 3608	4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe	116
PID 4516 wrote to memory of 3608	4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe	116
PID 4516 wrote to memory of 2356	4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe	117
PID 4516 wrote to memory of 2356	4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe	117
PID 4516 wrote to memory of 2356	4516	{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe	117
PID 3608 wrote to memory of 4648	3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe	118
PID 3608 wrote to memory of 4648	3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe	118
PID 3608 wrote to memory of 4648	3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe	118
PID 3608 wrote to memory of 2132	3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe	119
PID 3608 wrote to memory of 2132	3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe	119
PID 3608 wrote to memory of 2132	3608	{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe	119
PID 4648 wrote to memory of 4340	4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe	120
PID 4648 wrote to memory of 4340	4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe	120
PID 4648 wrote to memory of 4340	4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe	120
PID 4648 wrote to memory of 4332	4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe	121
PID 4648 wrote to memory of 4332	4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe	121
PID 4648 wrote to memory of 4332	4648	{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe	121
PID 4340 wrote to memory of 4616	4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe	126
PID 4340 wrote to memory of 4616	4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe	126
PID 4340 wrote to memory of 4616	4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe	126
PID 4340 wrote to memory of 2448	4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe	127
PID 4340 wrote to memory of 2448	4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe	127
PID 4340 wrote to memory of 2448	4340	{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe	127
PID 4616 wrote to memory of 4764	4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe	132
PID 4616 wrote to memory of 4764	4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe	132
PID 4616 wrote to memory of 4764	4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe	132
PID 4616 wrote to memory of 2248	4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe	133
PID 4616 wrote to memory of 2248	4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe	133
PID 4616 wrote to memory of 2248	4616	{87B3075A-F0CF-49ba-9005-26E615091A18}.exe	133
PID 4764 wrote to memory of 3044	4764	{096DD5ED-563F-406d-82F2-59515584984E}.exe	134
PID 4764 wrote to memory of 3044	4764	{096DD5ED-563F-406d-82F2-59515584984E}.exe	134
PID 4764 wrote to memory of 3044	4764	{096DD5ED-563F-406d-82F2-59515584984E}.exe	134
PID 4764 wrote to memory of 2612	4764	{096DD5ED-563F-406d-82F2-59515584984E}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_5485b1d9a6ccb2c6fd41972cebee8199_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe
  C:\Windows\{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe
    C:\Windows\{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe
      C:\Windows\{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Windows\{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe
        
        C:\Windows\{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe
        
        C:\Windows\{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe
        
        C:\Windows\{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe
        
        C:\Windows\{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe
        
        C:\Windows\{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{87B3075A-F0CF-49ba-9005-26E615091A18}.exe
        
        C:\Windows\{87B3075A-F0CF-49ba-9005-26E615091A18}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\{096DD5ED-563F-406d-82F2-59515584984E}.exe
        
        C:\Windows\{096DD5ED-563F-406d-82F2-59515584984E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe
        
        C:\Windows\{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\{3742CCE7-D108-4421-B9B0-389AE82AEF3B}.exe
        
        C:\Windows\{3742CCE7-D108-4421-B9B0-389AE82AEF3B}.exe
        13⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1AC2~1.EXE > nul
        13⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{096DD~1.EXE > nul
        12⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87B30~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E4B8~1.EXE > nul
        10⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{131D3~1.EXE > nul
        9⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EAD6~1.EXE > nul
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A848~1.EXE > nul
        7⤵
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA342~1.EXE > nul
        6⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10F7F~1.EXE > nul
        5⤵
        
        PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7682C~1.EXE > nul
      4⤵
      PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30986~1.EXE > nul
    3⤵
    PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{096DD5ED-563F-406d-82F2-59515584984E}.exe

Filesize
216KB

MD5
17b35efca1494e55e9c01a74d4c5228a

SHA1
dffb9bd6c8c37ee1181fcc661259d5b0d7780e73

SHA256
46e5866a7cd0080b1a8b0d981f2a1b18a6c4692398454e885e95517d0ac96a30

SHA512
dc637ee5de13bb092054c302936e1830bb2d870ad7af21c0c8c5c9c23c15b502ac88cdda908c224169572ef0b724212abc5b392f3c7838f4a4a637ea354c67d5

Download Submit
C:\Windows\{10F7FFF7-2A51-4b1a-8E7F-13D55D50C182}.exe

Filesize
216KB

MD5
f0ea2cb858e1db2bc09f6bb62b24aa87

SHA1
732997e62c980c943347f01281ac7ff48ee5b035

SHA256
3315ac93ee2f208c11251b25f825ddd0743aec7aed6ace0d48c565fa51675450

SHA512
2a3a0f9faba533cc5b58ca0dbb103d2f15a7ac7ff3728a18f9ca596da3cdd0e97d006c8e9b1eafc596e7ff1ebedff104dbc442ddfaa6ff43732f79d2a0d9008e

Download Submit
C:\Windows\{131D35FC-E1E3-4766-AE4F-3BD378FE3B48}.exe

Filesize
216KB

MD5
90d76877f836263a26a9006c55fc018e

SHA1
f5f7f658e565ff76e11b0cd7f254005fb20173ce

SHA256
8fd5912105e21e95c7ee22d30cfe695b3b7496bdafdcfd0ae6d79a7622190b80

SHA512
6b6092deb6d12674a20a54e535e9cce95c7b1671698f20a607cb540b597449597a8be79aeaedec15d483bf2a0f90ab6a1d7f6a8d67c216f12427af6f80a42cc4

Download Submit
C:\Windows\{2E4B86A5-9135-40e9-BA95-C3037FD0C4E6}.exe

Filesize
216KB

MD5
9f52872bd49f49a74519ef450b973b87

SHA1
aa1047e6de7dd6f0b048f1fa888213f5d065b9ec

SHA256
e3e5015a385e7e73ff671c713d9f3218954ba8d574982fda474ed6c9855c6a14

SHA512
f9dd993362821eb0f88606e25f3462fd46d77c7991ecb5d89c9cc11a702fb05f30f838e6bbc6461c64ecfdbb44ace8ac2bf973c6708f69d774b498bec8fad04b

Download Submit
C:\Windows\{30986BFC-94F0-43b0-86C5-DDD2661157AE}.exe

Filesize
216KB

MD5
3602bf90ac9f44b68dd4882dd7f314e6

SHA1
85675afc623eda6aab481052fc4eb59b3988b596

SHA256
7fe582a644f9d0481d2f0f0ed04e6e3d917e491561ae6990530e24ce599b05c8

SHA512
0839e84802b09c6fcb7621c7a1489cd21c1732f83e66542216f30799033b69b8d38972a014ccc6bc2e631212bcdeaf6b7c39fc0b4d4364e4ae6e70f961747618

Download Submit
C:\Windows\{3742CCE7-D108-4421-B9B0-389AE82AEF3B}.exe

Filesize
216KB

MD5
06a4010931ca23ac9f7d64fc4230ea45

SHA1
d97e18928763bdae91188e2a3db2bbd30af07cb4

SHA256
4d1630c8a18c35af574c9486a8f892ca18bceeb46626c3877131ac0e13c345a7

SHA512
292ab8a9150116a6356960f05bf7a0e1bf26a6b08f2cd8a82f997c8af1b721e6e94993ff4b26638b44460e8b84911defdc5cbdb9e7be029aaaa333c65254f9e6

Download Submit
C:\Windows\{5EAD628E-99AF-4c30-B44F-3612CDFCECBC}.exe

Filesize
216KB

MD5
a5ab62cfe1a32aad8b361dc3b0100cf1

SHA1
edd17a18b386e59242f58d16c5433d695230b916

SHA256
39815c694289bc6250086907878363cc5393cf18d3bce828be3bcd45db08a6ac

SHA512
c5aaa2521715e4611bd02b38304ead81c092f7a175f4d7f3bc78676354ada1f524b4e2566b7407e30db2c0aa865f0a72acfc89eb1d9b1357466d2715cd5e6837

Download Submit
C:\Windows\{7682C206-BCB5-47f0-8A53-A882BDC62211}.exe

Filesize
216KB

MD5
6dc7c8bfc84e84267c68ecb0b79be122

SHA1
6b275031b206d6995a2274ac7e0cdb179abb39aa

SHA256
8584b641d3eebe1cdad0a6cf4a2d848a25178bd02125e8ba0d8ef0287d93d5a6

SHA512
f6468f4f51d1835b3e62690f62fc74e7bae583a0ab614290ce4e557e8e3cfe96aa51582e502020cb6eb1b419b84caee61396da1360e89da28f6f1e2929847486

Download Submit
C:\Windows\{87B3075A-F0CF-49ba-9005-26E615091A18}.exe

Filesize
216KB

MD5
cfdfcc598d853efb84e33f193ed1c8e4

SHA1
772ea795b88f872cf02f676755d6a8aa24539107

SHA256
a28cb34d5d421f448e7753005448b20776fe17b2029d536eb261e447ba6dcf3a

SHA512
a96b4291e91d64446c1855bcca6662509b2337d6efb46fb2651355e05aa4fd45ba65a432eb7c6fa0a840f84fcbab345c9e7f6030fc23a1fae0229505a795b2c5

Download Submit
C:\Windows\{9A8480FD-0493-43a4-BA7D-CE71207254C5}.exe

Filesize
216KB

MD5
c76f24617ee8250d7a31bd73d87469a8

SHA1
1e42cce026a4d18eda11826a2386288912cab706

SHA256
65578547fe861d1d8d0ddce07ba8f2c7ef9b62dce0f8bd8c0307e8df19618af2

SHA512
a7a691f9bf84bfcd94565eabecb0544c6848e8fed92ef3f83d06e34b4a3acf950fa36637ddd1356f21f60524c6189c09eb446a826d63f72a29a98017ec303cfa

Download Submit
C:\Windows\{E1AC2EE7-7B1F-4898-8ACD-54954712F158}.exe

Filesize
216KB

MD5
feb25ed48a6194b0d3640df65996869b

SHA1
b711385f9a8ccded333af607148f2b1adf1d7acc

SHA256
8352c84ba5eb70f3f31ee19fa8c2cb597f558a4ca4f87327f1258614072a6f59

SHA512
83564db56589db3c479237be21cd414236a846db61778e3b09ecf00306dced26d4bef52b4dd917e68b947d8a21651138143ffd09bdaf2d7643adc63087617939

Download Submit
C:\Windows\{EA342234-D17F-4c91-8FC2-B6EBE9FC9C1E}.exe

Filesize
216KB

MD5
f737354a821c09583af7b1d5914c3366

SHA1
7d27097a30c979d557e54760538d30ab59dc570f

SHA256
c9eefa2301982c79632a4bd3f5ef38f928350271a1cba3e4cf6eba2b491856ad

SHA512
3c49195e40c38851f977d1115695cacf418553089548f6422af9b971d2855a127085d6ba409c3a972cf3e14875de3d0d00d99a6c731204a52055bff54a7d136b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads