6dadb3c3bcf9ff028932aaa2a95e62fcd7292ff54c56647aced136422306dcb2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Size

197KB
MD5

f427301dfc3c2af8d510edb9a9c29293
SHA1

5cf1e65e7c00c4687f8a02c7da0a0eeb7f12d8eb
SHA256

6dadb3c3bcf9ff028932aaa2a95e62fcd7292ff54c56647aced136422306dcb2
SHA512

957e9bb1f92d791028a1f19fa2bccf2effca155ed83b3ce7c006759b5bb3f2a7b903d13279001fbe987e71f959ec8303533b19831012a548d6d95d72b3efcae5
SSDEEP

3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023220-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023232-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023337-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000216c9-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023337-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a4-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023337-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b3-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233a6-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234d8-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234dd-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234d8-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}\stubpath = "C:\\Windows\\{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}.exe"	{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB61C77-D960-4a34-8E67-0EB3927D9F66}	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB61C77-D960-4a34-8E67-0EB3927D9F66}\stubpath = "C:\\Windows\\{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe"	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476060ED-BB84-480b-9677-6FC974AED9AE}	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE111F6-3C7D-4a69-A183-72EF94DA3678}\stubpath = "C:\\Windows\\{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe"	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3117A3F-5E92-4694-9567-ABE0831DC024}	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D68E014B-6826-4345-9FB5-512C24CC7DF1}	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73DEF08A-F15F-4322-897E-8E731D4E42EF}	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE111F6-3C7D-4a69-A183-72EF94DA3678}	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}\stubpath = "C:\\Windows\\{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe"	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}\stubpath = "C:\\Windows\\{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe"	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}	{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73DEF08A-F15F-4322-897E-8E731D4E42EF}\stubpath = "C:\\Windows\\{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe"	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476060ED-BB84-480b-9677-6FC974AED9AE}\stubpath = "C:\\Windows\\{476060ED-BB84-480b-9677-6FC974AED9AE}.exe"	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D68E014B-6826-4345-9FB5-512C24CC7DF1}\stubpath = "C:\\Windows\\{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe"	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}\stubpath = "C:\\Windows\\{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe"	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E7C401C-C5A3-427c-BA58-096BFFB127CE}	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E7C401C-C5A3-427c-BA58-096BFFB127CE}\stubpath = "C:\\Windows\\{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe"	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3117A3F-5E92-4694-9567-ABE0831DC024}\stubpath = "C:\\Windows\\{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe"	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}\stubpath = "C:\\Windows\\{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe"	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe
2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe
2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe
3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe
2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe
4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe
4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe
3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe
2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe
432	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe
1936	{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe
5024	{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe
File created	C:\Windows\{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe
File created	C:\Windows\{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe
File created	C:\Windows\{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe
File created	C:\Windows\{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe
File created	C:\Windows\{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe
File created	C:\Windows\{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}.exe	{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe
File created	C:\Windows\{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
File created	C:\Windows\{476060ED-BB84-480b-9677-6FC974AED9AE}.exe	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe
File created	C:\Windows\{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe
File created	C:\Windows\{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe
File created	C:\Windows\{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5112	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe
Token: SeIncBasePriorityPrivilege	2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe
Token: SeIncBasePriorityPrivilege	2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe
Token: SeIncBasePriorityPrivilege	3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe
Token: SeIncBasePriorityPrivilege	2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe
Token: SeIncBasePriorityPrivilege	4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe
Token: SeIncBasePriorityPrivilege	4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe
Token: SeIncBasePriorityPrivilege	3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe
Token: SeIncBasePriorityPrivilege	2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe
Token: SeIncBasePriorityPrivilege	432	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe
Token: SeIncBasePriorityPrivilege	1936	{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3484	5112	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	99
PID 5112 wrote to memory of 3484	5112	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	99
PID 5112 wrote to memory of 3484	5112	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	99
PID 5112 wrote to memory of 2900	5112	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	100
PID 5112 wrote to memory of 2900	5112	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	100
PID 5112 wrote to memory of 2900	5112	2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe	100
PID 3484 wrote to memory of 2112	3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe	103
PID 3484 wrote to memory of 2112	3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe	103
PID 3484 wrote to memory of 2112	3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe	103
PID 3484 wrote to memory of 4948	3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe	104
PID 3484 wrote to memory of 4948	3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe	104
PID 3484 wrote to memory of 4948	3484	{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe	104
PID 2112 wrote to memory of 2400	2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe	108
PID 2112 wrote to memory of 2400	2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe	108
PID 2112 wrote to memory of 2400	2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe	108
PID 2112 wrote to memory of 3512	2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe	109
PID 2112 wrote to memory of 3512	2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe	109
PID 2112 wrote to memory of 3512	2112	{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe	109
PID 2400 wrote to memory of 3920	2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe	110
PID 2400 wrote to memory of 3920	2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe	110
PID 2400 wrote to memory of 3920	2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe	110
PID 2400 wrote to memory of 2968	2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe	111
PID 2400 wrote to memory of 2968	2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe	111
PID 2400 wrote to memory of 2968	2400	{476060ED-BB84-480b-9677-6FC974AED9AE}.exe	111
PID 3920 wrote to memory of 2088	3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe	112
PID 3920 wrote to memory of 2088	3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe	112
PID 3920 wrote to memory of 2088	3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe	112
PID 3920 wrote to memory of 464	3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe	113
PID 3920 wrote to memory of 464	3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe	113
PID 3920 wrote to memory of 464	3920	{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe	113
PID 2088 wrote to memory of 4508	2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe	115
PID 2088 wrote to memory of 4508	2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe	115
PID 2088 wrote to memory of 4508	2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe	115
PID 2088 wrote to memory of 4588	2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe	116
PID 2088 wrote to memory of 4588	2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe	116
PID 2088 wrote to memory of 4588	2088	{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe	116
PID 4508 wrote to memory of 4812	4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe	117
PID 4508 wrote to memory of 4812	4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe	117
PID 4508 wrote to memory of 4812	4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe	117
PID 4508 wrote to memory of 4444	4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe	118
PID 4508 wrote to memory of 4444	4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe	118
PID 4508 wrote to memory of 4444	4508	{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe	118
PID 4812 wrote to memory of 3836	4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe	122
PID 4812 wrote to memory of 3836	4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe	122
PID 4812 wrote to memory of 3836	4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe	122
PID 4812 wrote to memory of 4448	4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe	123
PID 4812 wrote to memory of 4448	4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe	123
PID 4812 wrote to memory of 4448	4812	{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe	123
PID 3836 wrote to memory of 2184	3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe	128
PID 3836 wrote to memory of 2184	3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe	128
PID 3836 wrote to memory of 2184	3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe	128
PID 3836 wrote to memory of 5008	3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe	129
PID 3836 wrote to memory of 5008	3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe	129
PID 3836 wrote to memory of 5008	3836	{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe	129
PID 2184 wrote to memory of 432	2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe	130
PID 2184 wrote to memory of 432	2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe	130
PID 2184 wrote to memory of 432	2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe	130
PID 2184 wrote to memory of 2396	2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe	131
PID 2184 wrote to memory of 2396	2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe	131
PID 2184 wrote to memory of 2396	2184	{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe	131
PID 432 wrote to memory of 1936	432	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe	135
PID 432 wrote to memory of 1936	432	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe	135
PID 432 wrote to memory of 1936	432	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe	135
PID 432 wrote to memory of 2108	432	{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_f427301dfc3c2af8d510edb9a9c29293_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe
  C:\Windows\{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe
    C:\Windows\{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\{476060ED-BB84-480b-9677-6FC974AED9AE}.exe
      C:\Windows\{476060ED-BB84-480b-9677-6FC974AED9AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe
        
        C:\Windows\{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe
        
        C:\Windows\{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe
        
        C:\Windows\{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe
        
        C:\Windows\{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe
        
        C:\Windows\{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe
        
        C:\Windows\{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe
        
        C:\Windows\{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe
        
        C:\Windows\{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}.exe
        
        C:\Windows\{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}.exe
        13⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CDCD~1.EXE > nul
        13⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7682B~1.EXE > nul
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A155~1.EXE > nul
        11⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D68E0~1.EXE > nul
        10⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72E0C~1.EXE > nul
        9⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3117~1.EXE > nul
        8⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E7C4~1.EXE > nul
        7⤵
        
        PID:4588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAE11~1.EXE > nul
        6⤵
        
        PID:464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47606~1.EXE > nul
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB61~1.EXE > nul
      4⤵
      PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73DEF~1.EXE > nul
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CDCD6F7-BE8E-427c-914A-2A0FD2986645}.exe

Filesize
197KB

MD5
d4b5ce1a2d6a61936be9a9982d6f0d58

SHA1
c37cbaf53484b158acf2f5d35406d8095d4d40d5

SHA256
42c59d831b7dec38edd49960aa87e23c7847caf5ad5f40487bbdc05b6300e167

SHA512
64188e04dd7a68d382277b308207e63f4468922e41f09694d0dc11e0e5611fc122c44c1e09025a65e8480000a90083b9208bab90914f6488416e4b7cca295a40

Download Submit
C:\Windows\{23532CB3-3BD5-4c47-9BF0-BC1C3ED6296E}.exe

Filesize
197KB

MD5
fafaaac171cfce2747b78fe064dafd32

SHA1
4b14a5c874e4e24f5d8792cea185c917618c2163

SHA256
6ae0bfd80473d1e102a01914d38927669bc14e1c84091d1fbe78d8e07045766c

SHA512
86b8783186d2544bccb171c1090cadd6d00e3b8f9a70626373d48c85b1e99a658fa796ab119b350fe71402c420b52ac2d0faabe5b45dfb0bc2bc71a1a1d4e8c0

Download Submit
C:\Windows\{2DB61C77-D960-4a34-8E67-0EB3927D9F66}.exe

Filesize
197KB

MD5
4c0e4da023eedb0aed056484e913be79

SHA1
95f28894496cf98264289e1e29aa1a29abb9f95b

SHA256
d6085a8c737cadc488ee1226658917fb9abc5ce042f0f076a8c08989b7b27338

SHA512
c78ce411fc0929ef6aa14158d7c8fb86b4bc63974af818fd7b11d61b05305075d2f5bd1b7b3a244b2b79ceb702855080e7735836a266fac9f78f77c65006d473

Download Submit
C:\Windows\{3E7C401C-C5A3-427c-BA58-096BFFB127CE}.exe

Filesize
197KB

MD5
3fc497074e40b5e26f6856ba6694a06b

SHA1
d1807d4853afd2882b6cfded8b0730f99103ae8f

SHA256
592e804e0525c0aaa167802a6c9d76cbcdadf72179710e665b71eb41bd6843db

SHA512
b05afe296c375259206670bab748e8c47cdaf049eb1fe1b0622e6ffddd3cd27b5a9b4f1a6240ad1db11c33f0ff5e6a638005c571e0503681db23736695abb39d

Download Submit
C:\Windows\{476060ED-BB84-480b-9677-6FC974AED9AE}.exe

Filesize
197KB

MD5
b7ffcb61de81e10a9689db98f7972137

SHA1
85237c8166f9f8b1ba1d5d4993639db5010ec968

SHA256
40c644c911045d298880a3de1cccc030d4649621a16270a08619b1d68781147d

SHA512
428408982a204680df5e27c55b1a7cdd1ce109ea0b685460d8d727f089f8cbc484e25de0899eb7d381a05daa5c6112a963437c8fc64b9148732fbeafd074afe9

Download Submit
C:\Windows\{5A155C9C-11CA-47c7-BE24-FBB2223A7DA1}.exe

Filesize
197KB

MD5
ade3ba2f31d2957bf06edfe26a703776

SHA1
80e2a01ad966dc1555dcff9454f12707a47d3a9e

SHA256
94a34a6028caa990a8d4d3d46a53a83d36b4e5ec74c6161367d9adea9adfe43d

SHA512
c6a39ed0066c54a7bee1c6ec512ed7e30e12c25eba5ef6cc41e6ea192b71b01f65dfdf51be999e3b42b184218e02d715427e99f8a1beac5f5fd886c3f0d1782a

Download Submit
C:\Windows\{72E0CF41-3BD5-409a-A332-2E894ADBEDFC}.exe

Filesize
197KB

MD5
ddb84aefcb80a39d42068ea14dfcb0aa

SHA1
3cb0d84895d95a02a39f6c9c34df22d2555d219d

SHA256
3254bb159395784f6627407f6c5a608d2febd3a08c7369c3bf394642bd0af227

SHA512
f85dd50c266b8411702a5f98b78c4d8f5a497a26d0f52f2f834d42ce971b42d7b2a97734d4d2e09eae5733da9108851ba02f0fb6997e4aade924c07f4af41112

Download Submit
C:\Windows\{73DEF08A-F15F-4322-897E-8E731D4E42EF}.exe

Filesize
197KB

MD5
c9620ee3752ad5d1d20e3730cef408af

SHA1
eb116c5c4506114c399fe054970566a28c02354b

SHA256
707d5f7a88dfa0a29a1602a974fc5c1a368f08773cd24276180fbdf168db22ca

SHA512
1a16696ac6a437f8e3de4e132772069bbf722285cf70c125700e87f2b689a67c4853f597d1094ce3ef62516997e10671f5dc507d787f1d4c300b399e5c1546b9

Download Submit
C:\Windows\{7682B3C9-C9BC-4e87-9C32-58F5E8D2B934}.exe

Filesize
197KB

MD5
1f1d48b200dcb96ce7423785d191a060

SHA1
d26a70bd81202769c179aa30778e2d284b8eed28

SHA256
cd7a8e820ac3b1f4cb89ca0ce15f8badc2b6ef0b66125fd7776237f8451c42cf

SHA512
0e86c8e840cf13a881a7af56f327a0dddb8f395952f686d4f448caed3e2a5d00b5cd6988cb6eef2ac7132896c0d9233366488eccb3978449046182587dbc5ef0

Download Submit
C:\Windows\{BAE111F6-3C7D-4a69-A183-72EF94DA3678}.exe

Filesize
197KB

MD5
b48bbbb03a5e6da551b6fd8abc48bdd1

SHA1
b9506b5cf19bedfd1119622cbbd7e4f9bac57e96

SHA256
874fe9ef1926b6442ab1780289c8ecdf24d7a0b4e4a5bb086480be83968f0fde

SHA512
6bc4f5f419ee0102310f38fe5a79d1f6aa609cde1de8e8d3c08d17b3e2df06f6f55b5e55dd8e2aca03d2c41097bf15343dd111beb79bc063fcd81afdd5d43804

Download Submit
C:\Windows\{D68E014B-6826-4345-9FB5-512C24CC7DF1}.exe

Filesize
197KB

MD5
5f0612a816ecea567f21d048bf428a57

SHA1
b44dec1742a8d5d97bc481741eeadad75fe15ff6

SHA256
b8483148656120e758530f980f5217dc2dea2d7eab4295457d9b5ec282ba3f44

SHA512
dd993961384140a4d84bcab2d22bd4a98babd2575d35a86b454b9cbdddf0b60e00477a38abb06a6fcdd2068d25c43c52d02a2e0fcb2227bc984fa1c096ea766a

Download Submit
C:\Windows\{E3117A3F-5E92-4694-9567-ABE0831DC024}.exe

Filesize
197KB

MD5
eb269a6eafacb177351904c43fc1c69a

SHA1
5ef5b7c0d4070e79a01d7938cea241004fd256b1

SHA256
fd7018823e6c39e92632177c01af2ac8eb19d4cdbf370912c86936e9eedfccc6

SHA512
5f8ace5be7b94168c93127cd9625359e8a8857af2be5f9676a5cb2fadcf1c55044e241bcd1b052d81f2e13a4ab2fcf6efccd5cb2eab6d2ddc2c5ef9784c2cb48

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads