2b48451f5ae3713b27a2d7aa9f2a18228012ccf8afb244a174a49c8ebc87270a

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 08:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe
Size

216KB
MD5

274e45daa138c575cfeb8742684b99fc
SHA1

539ebe34bc5b61d6fe3acb76849167e0704c1f3e
SHA256

2b48451f5ae3713b27a2d7aa9f2a18228012ccf8afb244a174a49c8ebc87270a
SHA512

362a897712943045d114e3b45e160599220d1eff189fe41079328ed41e176a606e908b4cd39921f5a9fb8b62285f1b92725152f5fb62eaa241080aeb9186f8e5
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000018062-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000018062-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000018062-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3211974-6620-48a3-A8BC-E53F75F017BC}	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3211974-6620-48a3-A8BC-E53F75F017BC}\stubpath = "C:\\Windows\\{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe"	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4359BF4-27AD-4679-B53A-C984471A3491}\stubpath = "C:\\Windows\\{F4359BF4-27AD-4679-B53A-C984471A3491}.exe"	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1FE6167-9619-460d-A6E3-63804DED7816}	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB886BC-72A5-47b2-81B3-9833B0B16853}\stubpath = "C:\\Windows\\{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe"	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}\stubpath = "C:\\Windows\\{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe"	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1FE6167-9619-460d-A6E3-63804DED7816}\stubpath = "C:\\Windows\\{A1FE6167-9619-460d-A6E3-63804DED7816}.exe"	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9322EB9B-3C10-4c2b-8055-238D1311CB72}	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}\stubpath = "C:\\Windows\\{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe"	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}\stubpath = "C:\\Windows\\{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe"	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C584ED4A-FFE9-4077-9A71-037CCC271FED}	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}	{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4359BF4-27AD-4679-B53A-C984471A3491}	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C584ED4A-FFE9-4077-9A71-037CCC271FED}\stubpath = "C:\\Windows\\{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe"	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9322EB9B-3C10-4c2b-8055-238D1311CB72}\stubpath = "C:\\Windows\\{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe"	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}\stubpath = "C:\\Windows\\{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe"	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB886BC-72A5-47b2-81B3-9833B0B16853}	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}\stubpath = "C:\\Windows\\{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}.exe"	{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}\stubpath = "C:\\Windows\\{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe"	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe

Executes dropped EXE 12 IoCs

pid	Process
1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe
2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe
620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe
2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe
2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe
4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe
3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe
740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe
884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe
896	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe
4356	{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe
4772	{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe
File created	C:\Windows\{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe
File created	C:\Windows\{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe
File created	C:\Windows\{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe
File created	C:\Windows\{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe
File created	C:\Windows\{F4359BF4-27AD-4679-B53A-C984471A3491}.exe	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe
File created	C:\Windows\{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe
File created	C:\Windows\{A1FE6167-9619-460d-A6E3-63804DED7816}.exe	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe
File created	C:\Windows\{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe
File created	C:\Windows\{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe
File created	C:\Windows\{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe
File created	C:\Windows\{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}.exe	{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	976	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe
Token: SeIncBasePriorityPrivilege	2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe
Token: SeIncBasePriorityPrivilege	620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe
Token: SeIncBasePriorityPrivilege	2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe
Token: SeIncBasePriorityPrivilege	2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe
Token: SeIncBasePriorityPrivilege	4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe
Token: SeIncBasePriorityPrivilege	3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe
Token: SeIncBasePriorityPrivilege	740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe
Token: SeIncBasePriorityPrivilege	884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe
Token: SeIncBasePriorityPrivilege	896	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe
Token: SeIncBasePriorityPrivilege	4356	{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1096	976	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe	92
PID 976 wrote to memory of 1096	976	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe	92
PID 976 wrote to memory of 1096	976	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe	92
PID 976 wrote to memory of 3156	976	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe	93
PID 976 wrote to memory of 3156	976	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe	93
PID 976 wrote to memory of 3156	976	2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe	93
PID 1096 wrote to memory of 2612	1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe	94
PID 1096 wrote to memory of 2612	1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe	94
PID 1096 wrote to memory of 2612	1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe	94
PID 1096 wrote to memory of 2144	1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe	95
PID 1096 wrote to memory of 2144	1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe	95
PID 1096 wrote to memory of 2144	1096	{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe	95
PID 2612 wrote to memory of 620	2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe	97
PID 2612 wrote to memory of 620	2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe	97
PID 2612 wrote to memory of 620	2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe	97
PID 2612 wrote to memory of 3456	2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe	98
PID 2612 wrote to memory of 3456	2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe	98
PID 2612 wrote to memory of 3456	2612	{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe	98
PID 620 wrote to memory of 2260	620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe	99
PID 620 wrote to memory of 2260	620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe	99
PID 620 wrote to memory of 2260	620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe	99
PID 620 wrote to memory of 1328	620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe	100
PID 620 wrote to memory of 1328	620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe	100
PID 620 wrote to memory of 1328	620	{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe	100
PID 2260 wrote to memory of 2348	2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe	101
PID 2260 wrote to memory of 2348	2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe	101
PID 2260 wrote to memory of 2348	2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe	101
PID 2260 wrote to memory of 4132	2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe	102
PID 2260 wrote to memory of 4132	2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe	102
PID 2260 wrote to memory of 4132	2260	{F4359BF4-27AD-4679-B53A-C984471A3491}.exe	102
PID 2348 wrote to memory of 4656	2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe	103
PID 2348 wrote to memory of 4656	2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe	103
PID 2348 wrote to memory of 4656	2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe	103
PID 2348 wrote to memory of 3160	2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe	104
PID 2348 wrote to memory of 3160	2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe	104
PID 2348 wrote to memory of 3160	2348	{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe	104
PID 4656 wrote to memory of 3252	4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe	105
PID 4656 wrote to memory of 3252	4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe	105
PID 4656 wrote to memory of 3252	4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe	105
PID 4656 wrote to memory of 836	4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe	106
PID 4656 wrote to memory of 836	4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe	106
PID 4656 wrote to memory of 836	4656	{A1FE6167-9619-460d-A6E3-63804DED7816}.exe	106
PID 3252 wrote to memory of 740	3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe	107
PID 3252 wrote to memory of 740	3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe	107
PID 3252 wrote to memory of 740	3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe	107
PID 3252 wrote to memory of 4908	3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe	108
PID 3252 wrote to memory of 4908	3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe	108
PID 3252 wrote to memory of 4908	3252	{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe	108
PID 740 wrote to memory of 884	740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe	109
PID 740 wrote to memory of 884	740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe	109
PID 740 wrote to memory of 884	740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe	109
PID 740 wrote to memory of 2040	740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe	110
PID 740 wrote to memory of 2040	740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe	110
PID 740 wrote to memory of 2040	740	{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe	110
PID 884 wrote to memory of 896	884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe	111
PID 884 wrote to memory of 896	884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe	111
PID 884 wrote to memory of 896	884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe	111
PID 884 wrote to memory of 4576	884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe	112
PID 884 wrote to memory of 4576	884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe	112
PID 884 wrote to memory of 4576	884	{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe	112
PID 896 wrote to memory of 4356	896	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe	113
PID 896 wrote to memory of 4356	896	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe	113
PID 896 wrote to memory of 4356	896	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe	113
PID 896 wrote to memory of 3880	896	{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_274e45daa138c575cfeb8742684b99fc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe
  C:\Windows\{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe
    C:\Windows\{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe
      C:\Windows\{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\{F4359BF4-27AD-4679-B53A-C984471A3491}.exe
        
        C:\Windows\{F4359BF4-27AD-4679-B53A-C984471A3491}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe
        
        C:\Windows\{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{A1FE6167-9619-460d-A6E3-63804DED7816}.exe
        
        C:\Windows\{A1FE6167-9619-460d-A6E3-63804DED7816}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe
        
        C:\Windows\{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe
        
        C:\Windows\{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe
        
        C:\Windows\{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe
        
        C:\Windows\{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe
        
        C:\Windows\{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}.exe
        
        C:\Windows\{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}.exe
        13⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB88~1.EXE > nul
        13⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD9E9~1.EXE > nul
        12⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C84B9~1.EXE > nul
        11⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9322E~1.EXE > nul
        10⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C584E~1.EXE > nul
        9⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1FE6~1.EXE > nul
        8⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C0D8~1.EXE > nul
        7⤵
        
        PID:3160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4359~1.EXE > nul
        6⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3211~1.EXE > nul
        5⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ADF47~1.EXE > nul
      4⤵
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AB5C2~1.EXE > nul
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{6EB886BC-72A5-47b2-81B3-9833B0B16853}.exe

Filesize
216KB

MD5
d7afa37e1726ad02a32ebf5b88e69405

SHA1
bb73ab60037ee6853951c4d3bd222288793d99c6

SHA256
cb0ffb4aa9757c62804712c55c84679afc7f53d74a167aecf2092704aada29be

SHA512
170d69c41f23ff382e84bd2dbf4ab4aa30baccd3a6c6bc86f389c5f7b27cc38e920179be763694d7dd7b1df70a2dd6b8f4294f810b58381ae4071c3c0ab4d19f

Download Submit
C:\Windows\{8C0D8EFD-2F9F-4d29-AAB1-CC4F8FB77FE4}.exe

Filesize
216KB

MD5
838b2da95e109e28ea663b38556c655e

SHA1
ee6cd6fa7b59578275f37568a1b4cfaa4457e949

SHA256
f7aca4954b128b3f7b7f8604b1bb24da0c24aad3c70afbe0360afc7a1d8e6ad3

SHA512
2b192979a5a8fd6a1f433fd5ce5e4a7d7610c21d8fae920841ebf13d115799a4628f620a3eab775aeed7a68ee30ba0ca96dc67c11598d5672eb3d8c154c11bb8

Download Submit
C:\Windows\{9322EB9B-3C10-4c2b-8055-238D1311CB72}.exe

Filesize
216KB

MD5
8fcac4d608c357c1a8b2d01097ffc548

SHA1
6d6a069823e17aa7efd081586c306b78e4e59b83

SHA256
f22311721d4407520a5b2c433f5526b0836c1c784b44ca5bdfaae34a884207c7

SHA512
fd14335b96eb7b73ad95101dd469a6cbb4130d13b2cebc5580d54ddbbf3c97c0f96122683272c4df109ad7bb974f730ba0b07f19768ae9bb7e436cfe58cf5a38

Download Submit
C:\Windows\{9CBCB814-5C8E-46a3-B90C-A4708A4C8686}.exe

Filesize
216KB

MD5
675bc5abcef3c6c4193d4268ffb38f8b

SHA1
e993fa154fa0f610a29d642e1f4833765db0ec91

SHA256
1c2056b9b0d6c6ab3d4fcb76264382095dbe44522383f8b91f915800c1c91c90

SHA512
1054c2a4123287c9b899cac8db3ee88e0269cdef4bda1e8c0e16c852a36a1e5e6a61369713ee4d151d28c49efe6c9a7f7c33f40dcf4062a67e665b17bb29b95f

Download Submit
C:\Windows\{A1FE6167-9619-460d-A6E3-63804DED7816}.exe

Filesize
216KB

MD5
59b6934e7054da5662abce69f011f49a

SHA1
d3e6fec771d195a223615942e37e69a9c7ec7a62

SHA256
bd98b16f978db293d4228a5e8e99f72d98974f0cccd55a1d77c22ce553a1d164

SHA512
5038215d2e652dfbd467e27bcc0a6d659ff84ae0b599335a0c286bd5e3ed3ed00266db433d43e5065b56836fe0743149bfdfe48124fd8daf5093205f098e4b0f

Download Submit
C:\Windows\{AB5C22F0-3B2B-49f8-ACEB-5BAA973E0739}.exe

Filesize
216KB

MD5
2cddd6e9e767185d20e739969702e645

SHA1
4da04c4e890b3910428b1a50681eda302fccb52d

SHA256
3c1b50b6103f92153b74e1d3d3b2defcafd78e5a5f98f05b4a33d7d47335866d

SHA512
4854b5940df8e05b3321a1452bad56439d4b1212f348dbff346d50a4cddf5d8a6d237335eff687c821b4f575362225496d0e659b4c61a76768b79f2cf4765b3f

Download Submit
C:\Windows\{AD9E9C5A-D7B2-4cf3-B631-F724512B4133}.exe

Filesize
216KB

MD5
4ef0ed8fb6734f1c8d2c0721b45404ec

SHA1
e521ffe489d74eb5388832ba7d265a4f074e6b9e

SHA256
f16a98b04d9610fa72f8d38f78078b2d4da030bd321e614ce5961b3c6a29451a

SHA512
f0dcd5909ff6b4d2da0b46bbbe162e55aaaa6593bd6933449dc9f409c56258417290d86822bf71174db75310e3ee1348a02ba2ea3e8bb0aa8dbd63445d5d75d8

Download Submit
C:\Windows\{ADF47E1C-6B45-480f-8F52-3024FE74B2EF}.exe

Filesize
216KB

MD5
c733f020ea79f28f62a2225973e76a6c

SHA1
420ce4cc2605ea73df2b7ad53a8becd00c6a83b0

SHA256
dfd636f9c8f18f4822edd5171104ed052c3a70b31e0b21dccc1c5ef63b5ed73a

SHA512
a04e3a00593bfae0e2a80ea7895cca45b7397705ce8eb9f3105bfe598f1dcf4c26f49e27518c10aa4994c5aa2c6a156cb0494e45e8fb75585aec214a36e45d39

Download Submit
C:\Windows\{C584ED4A-FFE9-4077-9A71-037CCC271FED}.exe

Filesize
216KB

MD5
003d8f294d4459c01fca8f6488d240d9

SHA1
7b8e625edfe21dd51a954aaabaa3ad7888e2114e

SHA256
f16f8e308adf30f2ce02096406344a25eb5d389230f753002d2ecd1ce97bc4b8

SHA512
956b7ce2e0161cce41b772a621c38df93482e255a8b31c1a2f7c6330c8ba6112812ef67c3c691086c92615c41b2dd80349f38d2731b681e210833cdedff4a422

Download Submit
C:\Windows\{C84B9CB5-D1E1-4f8b-9E1A-F16BE0D5B281}.exe

Filesize
216KB

MD5
394a39666ae903f470d1739cd5333692

SHA1
5d0377673e3d6b8bf94048665b20ba4d2d6a89d2

SHA256
4dd705018ecdc225a90ba751686bd746ad8143e1d4818118e332b1829142a146

SHA512
faaf8ceaeb3a7072f6e4523fd691c6a25b303433bc5671e5d16514764edd7f30174fece08cbefc85ea02b73b9d8e288d402415f1f37ad4143960388148238d0e

Download Submit
C:\Windows\{F3211974-6620-48a3-A8BC-E53F75F017BC}.exe

Filesize
216KB

MD5
d0e9a2111e1719ba14cc54c8a00f414f

SHA1
0057b3e4c8457f4213cce425b986bb9051910804

SHA256
844e52056afd9b51801ade11cf38c252bf514b6b9774e0066db06e3725c32e76

SHA512
622030ff1cbd973382edb93195f49911f755fdec6c998e7f4b5d6afb7fabcf6f7ad1d5e418ab014f86669629dc6eb3b5f5798058247a4fbf6d4fb81531fa4853

Download Submit
C:\Windows\{F4359BF4-27AD-4679-B53A-C984471A3491}.exe

Filesize
216KB

MD5
24aac5de0d2bdd70feb6c7309c93f672

SHA1
6a5bae1ac85d36a69a77df3a8254d23ffe641060

SHA256
381555ca7662363e43098fdb8be421152a5df3e437debcf2e9454ad5b9eebc32

SHA512
35613f2d25fb5c0e3cd8b7ae524da087978a734e3b3497a6d7383706fa9ff206270da170b6c75313703fa1d225d86f53e91f95827b5d6e102107f3a0b5245a9f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads