5e988e168f6a77b994b2f070474889b39f2e86da9fe1fb20607801273f1b3b8c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Size

204KB
MD5

cdfe91bc8302b86c7898cd3f685c830e
SHA1

f7407b0f30ad88e5911859ebbf8d5eeb68d170ce
SHA256

5e988e168f6a77b994b2f070474889b39f2e86da9fe1fb20607801273f1b3b8c
SHA512

3ff97be8853eb3a0426d6b5b981241dc2d453979dd6c2cb0b617028ac422f3e9fe1ddbe689932ae66f26a3898b3687b1e164ec0340bb24aa4808bf70785ca87a
SSDEEP

1536:1EGh0oPl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023216-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002320f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002320f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002320f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002321d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13483A40-C68A-469a-80F4-DD8F297B7D20}	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}\stubpath = "C:\\Windows\\{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe"	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{441D54AC-B536-468c-97D1-DDE4BBC39E9A}\stubpath = "C:\\Windows\\{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe"	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{632884B6-68D9-4cc3-93DE-CF994D37CDA0}\stubpath = "C:\\Windows\\{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe"	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}\stubpath = "C:\\Windows\\{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe"	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13483A40-C68A-469a-80F4-DD8F297B7D20}\stubpath = "C:\\Windows\\{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe"	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{441D54AC-B536-468c-97D1-DDE4BBC39E9A}	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8E162F-EABF-4334-AB65-98067A5D9E11}	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}\stubpath = "C:\\Windows\\{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe"	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0744A74C-EA1C-452b-903F-DF0164DABC63}\stubpath = "C:\\Windows\\{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe"	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C12641D-83AB-4e45-BB24-04C5BF59FE23}	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCF30376-80D8-4eab-A187-52FDC8D6859F}	{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCF30376-80D8-4eab-A187-52FDC8D6859F}\stubpath = "C:\\Windows\\{FCF30376-80D8-4eab-A187-52FDC8D6859F}.exe"	{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{632884B6-68D9-4cc3-93DE-CF994D37CDA0}	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8E162F-EABF-4334-AB65-98067A5D9E11}\stubpath = "C:\\Windows\\{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe"	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0744A74C-EA1C-452b-903F-DF0164DABC63}	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C12641D-83AB-4e45-BB24-04C5BF59FE23}\stubpath = "C:\\Windows\\{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe"	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8070E9F-8631-4b73-98FD-97EA233C7E53}\stubpath = "C:\\Windows\\{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe"	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}\stubpath = "C:\\Windows\\{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe"	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8070E9F-8631-4b73-98FD-97EA233C7E53}	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe

Executes dropped EXE 12 IoCs

pid	Process
3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe
5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe
956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe
4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe
432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe
1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe
5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe
636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe
3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe
5020	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe
3916	{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe
4500	{FCF30376-80D8-4eab-A187-52FDC8D6859F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe
File created	C:\Windows\{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe
File created	C:\Windows\{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe
File created	C:\Windows\{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe
File created	C:\Windows\{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe
File created	C:\Windows\{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
File created	C:\Windows\{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe
File created	C:\Windows\{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe
File created	C:\Windows\{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe
File created	C:\Windows\{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe
File created	C:\Windows\{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe
File created	C:\Windows\{FCF30376-80D8-4eab-A187-52FDC8D6859F}.exe	{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3544	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe
Token: SeIncBasePriorityPrivilege	5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe
Token: SeIncBasePriorityPrivilege	956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe
Token: SeIncBasePriorityPrivilege	4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe
Token: SeIncBasePriorityPrivilege	432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe
Token: SeIncBasePriorityPrivilege	1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe
Token: SeIncBasePriorityPrivilege	5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe
Token: SeIncBasePriorityPrivilege	636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe
Token: SeIncBasePriorityPrivilege	3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe
Token: SeIncBasePriorityPrivilege	5020	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe
Token: SeIncBasePriorityPrivilege	3916	{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3096	3544	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	95
PID 3544 wrote to memory of 3096	3544	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	95
PID 3544 wrote to memory of 3096	3544	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	95
PID 3544 wrote to memory of 2808	3544	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	96
PID 3544 wrote to memory of 2808	3544	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	96
PID 3544 wrote to memory of 2808	3544	2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe	96
PID 3096 wrote to memory of 5032	3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe	97
PID 3096 wrote to memory of 5032	3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe	97
PID 3096 wrote to memory of 5032	3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe	97
PID 3096 wrote to memory of 4048	3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe	98
PID 3096 wrote to memory of 4048	3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe	98
PID 3096 wrote to memory of 4048	3096	{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe	98
PID 5032 wrote to memory of 956	5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe	100
PID 5032 wrote to memory of 956	5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe	100
PID 5032 wrote to memory of 956	5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe	100
PID 5032 wrote to memory of 4896	5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe	101
PID 5032 wrote to memory of 4896	5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe	101
PID 5032 wrote to memory of 4896	5032	{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe	101
PID 956 wrote to memory of 4548	956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe	102
PID 956 wrote to memory of 4548	956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe	102
PID 956 wrote to memory of 4548	956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe	102
PID 956 wrote to memory of 3616	956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe	103
PID 956 wrote to memory of 3616	956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe	103
PID 956 wrote to memory of 3616	956	{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe	103
PID 4548 wrote to memory of 432	4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe	104
PID 4548 wrote to memory of 432	4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe	104
PID 4548 wrote to memory of 432	4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe	104
PID 4548 wrote to memory of 1216	4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe	105
PID 4548 wrote to memory of 1216	4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe	105
PID 4548 wrote to memory of 1216	4548	{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe	105
PID 432 wrote to memory of 1180	432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe	106
PID 432 wrote to memory of 1180	432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe	106
PID 432 wrote to memory of 1180	432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe	106
PID 432 wrote to memory of 2584	432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe	107
PID 432 wrote to memory of 2584	432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe	107
PID 432 wrote to memory of 2584	432	{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe	107
PID 1180 wrote to memory of 5044	1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe	108
PID 1180 wrote to memory of 5044	1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe	108
PID 1180 wrote to memory of 5044	1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe	108
PID 1180 wrote to memory of 4860	1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe	109
PID 1180 wrote to memory of 4860	1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe	109
PID 1180 wrote to memory of 4860	1180	{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe	109
PID 5044 wrote to memory of 636	5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe	110
PID 5044 wrote to memory of 636	5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe	110
PID 5044 wrote to memory of 636	5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe	110
PID 5044 wrote to memory of 968	5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe	111
PID 5044 wrote to memory of 968	5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe	111
PID 5044 wrote to memory of 968	5044	{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe	111
PID 636 wrote to memory of 3352	636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe	112
PID 636 wrote to memory of 3352	636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe	112
PID 636 wrote to memory of 3352	636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe	112
PID 636 wrote to memory of 3496	636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe	113
PID 636 wrote to memory of 3496	636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe	113
PID 636 wrote to memory of 3496	636	{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe	113
PID 3352 wrote to memory of 5020	3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe	114
PID 3352 wrote to memory of 5020	3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe	114
PID 3352 wrote to memory of 5020	3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe	114
PID 3352 wrote to memory of 2640	3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe	115
PID 3352 wrote to memory of 2640	3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe	115
PID 3352 wrote to memory of 2640	3352	{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe	115
PID 5020 wrote to memory of 3916	5020	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe	116
PID 5020 wrote to memory of 3916	5020	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe	116
PID 5020 wrote to memory of 3916	5020	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe	116
PID 5020 wrote to memory of 548	5020	{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_cdfe91bc8302b86c7898cd3f685c830e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe
  C:\Windows\{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe
    C:\Windows\{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe
      C:\Windows\{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Windows\{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe
        
        C:\Windows\{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe
        
        C:\Windows\{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe
        
        C:\Windows\{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe
        
        C:\Windows\{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe
        
        C:\Windows\{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe
        
        C:\Windows\{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe
        
        C:\Windows\{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe
        
        C:\Windows\{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\{FCF30376-80D8-4eab-A187-52FDC8D6859F}.exe
        
        C:\Windows\{FCF30376-80D8-4eab-A187-52FDC8D6859F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC6C3~1.EXE > nul
        13⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0744A~1.EXE > nul
        12⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C0EB~1.EXE > nul
        11⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD8E1~1.EXE > nul
        10⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{441D5~1.EXE > nul
        9⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BC8C~1.EXE > nul
        8⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13483~1.EXE > nul
        7⤵
        
        PID:2584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8070~1.EXE > nul
        6⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48CF9~1.EXE > nul
        5⤵
        
        PID:3616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63288~1.EXE > nul
      4⤵
      PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4C126~1.EXE > nul
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0744A74C-EA1C-452b-903F-DF0164DABC63}.exe

Filesize
204KB

MD5
bfe157e9818651c73444a5058c45d143

SHA1
d7e5fbf1cf661910253bb3c61f32251e678a00a4

SHA256
68fdcb276acf9e23b7c38703e8dd2b0b37ffaec1f5694c4c4ebdfb997abb0644

SHA512
c4d7799c08c7e2f4bd3fd067157f17a9f34dbc1bc48292566177142f8b25e94952b0d27caa12dafed159984fa29cc0d448d187cad4a0c8261bbf14b26fbe8a81

Download Submit
C:\Windows\{13483A40-C68A-469a-80F4-DD8F297B7D20}.exe

Filesize
204KB

MD5
793b49225fa96ddd1dfb1d1f5d788b2b

SHA1
2b62afd8c3e814561010d35a6bf09bb3bef1a619

SHA256
2fb19eb6639e18c11a2c72003ec961acb9547e6fb3f38246360358f3c3584918

SHA512
76b879d70b30f85cf43a0c7eedef50a43b6ce4deec36e71e26eb92d3558422f7195a4b2374be777818c7d6bcd8c2cb87d1d09e348d79173e2f916d83ffc3be41

Download Submit
C:\Windows\{1BC8C606-F67A-4239-B0CE-8F607A4B44ED}.exe

Filesize
204KB

MD5
995f3559c198cbd7b1ee80638d239455

SHA1
79849202d9ff2399a911166260580a93ac7bf44c

SHA256
d8ea57be3cc6c5fdf0540bc74976f03389d461250aae377723873760b788d46d

SHA512
8d9d04e9794515ca638e3452a73812a3b73fc7fea12b114816e54d787b1a7b0316ed92e21762a983a792c2cdcfe3ce41cce871d120ec0fdfa55abd0d0044a49d

Download Submit
C:\Windows\{441D54AC-B536-468c-97D1-DDE4BBC39E9A}.exe

Filesize
204KB

MD5
40ed9b70ae9d2051de497989fbebabb2

SHA1
049388fcabd2a87f2f7c370bdc6bcba225059088

SHA256
bc620b4db2d368b5e9b9e3975afce90a78cd7cf4337631fef72745de8b31ab34

SHA512
3c6417555b837b0e172d89e278be26607c270617dd40cbc359782563bd3a4814bfadd4fa843928708211a7374acde01ddc72075a3d3d175d688cd2876defbc6e

Download Submit
C:\Windows\{48CF9E7F-6C95-4fcc-BBFF-DED9A12FA579}.exe

Filesize
204KB

MD5
e2ead67648b225e6dd54fc234c5410de

SHA1
35f2d97d52827e5552ba8d41f8eaba01c17412c8

SHA256
8392c6d2e9c8594c36e62dd36581e08528b4e108c9b3863fcf4a1443d1c0b666

SHA512
32bfe864d3acf6b9d5cf560a2c82202cf99d9e4950f660af1823a126f8e325d51bdde51977fe645f3010fce217dc02d5d39b14c83ed9fd14a0c198cad9e4b709

Download Submit
C:\Windows\{4C12641D-83AB-4e45-BB24-04C5BF59FE23}.exe

Filesize
204KB

MD5
25d2169ae38084e051ab8c8afb9e2589

SHA1
6d23277d00b14c827efd9cf45ddb5b925961dddf

SHA256
99a76d564138d0fbb213e8ec4919da756f7e82d97df121bad39e47609ff91261

SHA512
f1dffa68c2692371cb65aceb4f80614d987cb2d29bf09e54dcdfdfd500c70f91c59c3f5e6dd89abf373b7169a2d56dbb3dc1dc23bad35220025f2ee4db9e7155

Download Submit
C:\Windows\{632884B6-68D9-4cc3-93DE-CF994D37CDA0}.exe

Filesize
204KB

MD5
e9dabde40a4c4a6fdb06e3cc5855862e

SHA1
2be04891f9432f9b13d49328fc4ef413d4325dd7

SHA256
8c715782bb12b27876810e3a938fd2288f52cff21b9acceb24db1cce20d724c1

SHA512
7655c4275a4c612941cb55c16f137df1db27c6296a348ed947ad5619009abd6b328b3227682c8b786c4f7928f717b0f13cef8a7d8bc160fa7170aebbb2ec6327

Download Submit
C:\Windows\{9C0EB0B7-5BFD-496c-A066-94259C7EE08F}.exe

Filesize
204KB

MD5
8b9e4b48a4320e0d0fcec843cc89baec

SHA1
240c2aef3502eaff7f8ef4620ef859e00789bd98

SHA256
1857cc08fbd9c4a3de6be1eaf3839bb6f96acc5fae9f91c76a1c6da8817a7445

SHA512
2731c96390d7bf944b1866c7f9fb671f8af43b9756699d11fded55047a9bed6c0347f218f7f226fc12f1800ef884456dc2bc3b8620ac4b63beb52f113d8f1bef

Download Submit
C:\Windows\{AD8E162F-EABF-4334-AB65-98067A5D9E11}.exe

Filesize
204KB

MD5
07015ad5abc0136bea7a23835ec4744e

SHA1
62cf7986f80ff642711109983de0316c21b50aef

SHA256
30f91e6f8dffa8690d9390c12419039b3a1468955522c5ac14381724f860a507

SHA512
2e9d9043c00bf90c3856e3944bbee1ec1b63c35b17692f69c02e8e6067918eebe55ca6a2298c1dc7b1886ed181a6182db6e197d34579563d6200dfa3b487c434

Download Submit
C:\Windows\{BC6C3D61-A9A6-4f92-A5FF-26A3F88885EB}.exe

Filesize
204KB

MD5
311c7bc2aaf6dad0eccc1dee1284e471

SHA1
beede43b6ea35b7d289c5f8a38399d1944a352ff

SHA256
ec7b80c46cccaa801f6a20d6bc9f2f5f3e6b527e5e04ed58625eca614e259ece

SHA512
3981304f433a1fb3f65a46cdc1acd2e1dfdc7d65c969daafb13529f6d93ea954a41648274733d1705a3b52f8f36840f536c0a8bc36466cfae0a702e1dbf185b3

Download Submit
C:\Windows\{D8070E9F-8631-4b73-98FD-97EA233C7E53}.exe

Filesize
204KB

MD5
ec5985d12138df74eaac046f4ce49fa0

SHA1
82b7a2d4402d4b46256c7c44512bfafb6222abf8

SHA256
e73da993256afdf65a359e86bfa81d09c43b84f5c10d788c37181eebbafb5814

SHA512
4998fe22419c302157959842485805115b426f9b6e626a7efaf0ea6bd1b6eebb8921a18fa62b594ce1d2e183d8ae5af03f7077f413330619c01383381a9f1f47

Download Submit
C:\Windows\{FCF30376-80D8-4eab-A187-52FDC8D6859F}.exe

Filesize
204KB

MD5
0f6e8ef4f1fc3a763b46cd6f113214c6

SHA1
b69f8d9991384700b84be0954a6e1da545fd1b8b

SHA256
640050615e7b949cf2683e575ef569bb73d92a042eab5c5fdfa572d33239c24a

SHA512
cc643dd666953b706725532fc1cd59da99e5210606e072048db6a551de237d414d5ef5a8ff111b29d6faddf5d9c3a3e5979c3e078691205d0f10a324d7be0ea2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads