838dc351e86cbe4b2bd3746b533ce6f20d5273462c8921b55d091206d7e321eb

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 03:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe
Size

216KB
MD5

a5a2640dfcae1ba217461f199538a8ba
SHA1

140a8505969909418609a99873d04eb682d5b618
SHA256

838dc351e86cbe4b2bd3746b533ce6f20d5273462c8921b55d091206d7e321eb
SHA512

1cf8d20803b54ad75d17fbcf9ba4bffce408b639bf22240629c5ff1b706a24d636e90776dd947da0dd8eee71039f5408c1fe89ac33146f19f7465a612948edfd
SSDEEP

3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGTlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d0000000230ea-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023210-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023217-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023210-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023217-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023210-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023217-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000733-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000733-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F44B3108-8879-47fb-BA55-FE09C60562D1}\stubpath = "C:\\Windows\\{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe"	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90163C3A-7866-4c11-92E9-F73AE6D4C423}	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}\stubpath = "C:\\Windows\\{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe"	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F44B3108-8879-47fb-BA55-FE09C60562D1}	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}\stubpath = "C:\\Windows\\{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe"	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{871975ED-34AE-4d14-94A6-2030D0122ED3}	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFAC54EE-B054-4604-A583-69DFACB381C8}	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFAC54EE-B054-4604-A583-69DFACB381C8}\stubpath = "C:\\Windows\\{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe"	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB335B2A-A6D2-472a-884F-BB0A0B16A522}\stubpath = "C:\\Windows\\{EB335B2A-A6D2-472a-884F-BB0A0B16A522}.exe"	{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB225AE4-0CD5-42bc-82E3-8EF797707879}	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FA773C2-D054-45db-B1AA-A893EF40AF47}\stubpath = "C:\\Windows\\{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe"	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6702D46-AA8B-4d38-827C-D6DA71614390}	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA70180A-93F3-49bd-A62C-93656059FEE3}	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA70180A-93F3-49bd-A62C-93656059FEE3}\stubpath = "C:\\Windows\\{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe"	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90163C3A-7866-4c11-92E9-F73AE6D4C423}\stubpath = "C:\\Windows\\{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe"	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{871975ED-34AE-4d14-94A6-2030D0122ED3}\stubpath = "C:\\Windows\\{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe"	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}\stubpath = "C:\\Windows\\{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe"	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB225AE4-0CD5-42bc-82E3-8EF797707879}\stubpath = "C:\\Windows\\{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe"	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FA773C2-D054-45db-B1AA-A893EF40AF47}	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6702D46-AA8B-4d38-827C-D6DA71614390}\stubpath = "C:\\Windows\\{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe"	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB335B2A-A6D2-472a-884F-BB0A0B16A522}	{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe

Executes dropped EXE 12 IoCs

pid	Process
4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe
1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe
3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe
4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe
1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe
2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe
4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe
4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe
4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe
1424	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe
220	{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe
4424	{EB335B2A-A6D2-472a-884F-BB0A0B16A522}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe
File created	C:\Windows\{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe
File created	C:\Windows\{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe
File created	C:\Windows\{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe
File created	C:\Windows\{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe
File created	C:\Windows\{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe
File created	C:\Windows\{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe
File created	C:\Windows\{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe
File created	C:\Windows\{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe
File created	C:\Windows\{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe
File created	C:\Windows\{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe
File created	C:\Windows\{EB335B2A-A6D2-472a-884F-BB0A0B16A522}.exe	{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3160	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe
Token: SeIncBasePriorityPrivilege	1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe
Token: SeIncBasePriorityPrivilege	3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe
Token: SeIncBasePriorityPrivilege	4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe
Token: SeIncBasePriorityPrivilege	1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe
Token: SeIncBasePriorityPrivilege	2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe
Token: SeIncBasePriorityPrivilege	4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe
Token: SeIncBasePriorityPrivilege	4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe
Token: SeIncBasePriorityPrivilege	4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe
Token: SeIncBasePriorityPrivilege	1424	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe
Token: SeIncBasePriorityPrivilege	220	{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4588	3160	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe	93
PID 3160 wrote to memory of 4588	3160	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe	93
PID 3160 wrote to memory of 4588	3160	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe	93
PID 3160 wrote to memory of 4880	3160	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe	94
PID 3160 wrote to memory of 4880	3160	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe	94
PID 3160 wrote to memory of 4880	3160	2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe	94
PID 4588 wrote to memory of 1468	4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe	98
PID 4588 wrote to memory of 1468	4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe	98
PID 4588 wrote to memory of 1468	4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe	98
PID 4588 wrote to memory of 4416	4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe	99
PID 4588 wrote to memory of 4416	4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe	99
PID 4588 wrote to memory of 4416	4588	{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe	99
PID 1468 wrote to memory of 3244	1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe	101
PID 1468 wrote to memory of 3244	1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe	101
PID 1468 wrote to memory of 3244	1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe	101
PID 1468 wrote to memory of 4828	1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe	102
PID 1468 wrote to memory of 4828	1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe	102
PID 1468 wrote to memory of 4828	1468	{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe	102
PID 3244 wrote to memory of 4148	3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe	103
PID 3244 wrote to memory of 4148	3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe	103
PID 3244 wrote to memory of 4148	3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe	103
PID 3244 wrote to memory of 2244	3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe	104
PID 3244 wrote to memory of 2244	3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe	104
PID 3244 wrote to memory of 2244	3244	{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe	104
PID 4148 wrote to memory of 1744	4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe	105
PID 4148 wrote to memory of 1744	4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe	105
PID 4148 wrote to memory of 1744	4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe	105
PID 4148 wrote to memory of 4756	4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe	106
PID 4148 wrote to memory of 4756	4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe	106
PID 4148 wrote to memory of 4756	4148	{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe	106
PID 1744 wrote to memory of 2476	1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe	107
PID 1744 wrote to memory of 2476	1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe	107
PID 1744 wrote to memory of 2476	1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe	107
PID 1744 wrote to memory of 2208	1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe	108
PID 1744 wrote to memory of 2208	1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe	108
PID 1744 wrote to memory of 2208	1744	{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe	108
PID 2476 wrote to memory of 4444	2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe	109
PID 2476 wrote to memory of 4444	2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe	109
PID 2476 wrote to memory of 4444	2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe	109
PID 2476 wrote to memory of 4440	2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe	110
PID 2476 wrote to memory of 4440	2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe	110
PID 2476 wrote to memory of 4440	2476	{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe	110
PID 4444 wrote to memory of 4660	4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe	111
PID 4444 wrote to memory of 4660	4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe	111
PID 4444 wrote to memory of 4660	4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe	111
PID 4444 wrote to memory of 5076	4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe	112
PID 4444 wrote to memory of 5076	4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe	112
PID 4444 wrote to memory of 5076	4444	{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe	112
PID 4660 wrote to memory of 4984	4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe	113
PID 4660 wrote to memory of 4984	4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe	113
PID 4660 wrote to memory of 4984	4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe	113
PID 4660 wrote to memory of 2184	4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe	114
PID 4660 wrote to memory of 2184	4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe	114
PID 4660 wrote to memory of 2184	4660	{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe	114
PID 4984 wrote to memory of 1424	4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe	115
PID 4984 wrote to memory of 1424	4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe	115
PID 4984 wrote to memory of 1424	4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe	115
PID 4984 wrote to memory of 1560	4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe	116
PID 4984 wrote to memory of 1560	4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe	116
PID 4984 wrote to memory of 1560	4984	{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe	116
PID 1424 wrote to memory of 220	1424	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe	117
PID 1424 wrote to memory of 220	1424	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe	117
PID 1424 wrote to memory of 220	1424	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe	117
PID 1424 wrote to memory of 1868	1424	{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_a5a2640dfcae1ba217461f199538a8ba_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe
  C:\Windows\{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe
    C:\Windows\{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe
      C:\Windows\{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe
        
        C:\Windows\{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Windows\{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe
        
        C:\Windows\{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe
        
        C:\Windows\{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe
        
        C:\Windows\{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe
        
        C:\Windows\{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe
        
        C:\Windows\{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe
        
        C:\Windows\{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe
        
        C:\Windows\{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\{EB335B2A-A6D2-472a-884F-BB0A0B16A522}.exe
        
        C:\Windows\{EB335B2A-A6D2-472a-884F-BB0A0B16A522}.exe
        13⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{496BD~1.EXE > nul
        13⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFAC5~1.EXE > nul
        12⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87197~1.EXE > nul
        11⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90163~1.EXE > nul
        10⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA701~1.EXE > nul
        9⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6702~1.EXE > nul
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FA77~1.EXE > nul
        7⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA9A0~1.EXE > nul
        6⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB225~1.EXE > nul
        5⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F44B3~1.EXE > nul
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B328C~1.EXE > nul
    3⤵
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{496BDA02-6B75-4f2a-8EAC-63C8C8A1D931}.exe

Filesize
216KB

MD5
a441df36004010a2226178c191420e98

SHA1
11a2bc529cda64b452be4ba7eb56b4f377473892

SHA256
e8c8814f31f3ba21b6cb740a94036f5d5dea42a2b4632dd944e073b52055a6a0

SHA512
9c1919c918790c1130bd4ee611040df42d6571e4a827d6b0e0d8477f01f59b51a930436f2319c99d181253bf9c071a95bd1ab64d40826fbb088bf95cc2837f93

Download Submit
C:\Windows\{4FA773C2-D054-45db-B1AA-A893EF40AF47}.exe

Filesize
216KB

MD5
74b79352fc322ec79b390b53a1aba229

SHA1
5ca83c55e741112fe09690de1d2902a254f715b7

SHA256
c7b2ff655fcb41a96a550ad0b1191d00b919a6411842cfdbee9df69893ad6355

SHA512
c44986549ee03d4e01d0fe8344e9d78697fc5f35d6d8359bd580da6353110647e38d1f4039f274d35c8f2ea928ee7368833357677fc7ac932096815c7e31cdb8

Download Submit
C:\Windows\{871975ED-34AE-4d14-94A6-2030D0122ED3}.exe

Filesize
216KB

MD5
c5165efe684fabe9b7882e098566826d

SHA1
24cbeacd5032e7d444e2693421e00f277dd30260

SHA256
b2e0ec7642e2ad69fe4d9f95b3ff4795623d3a8c8428b7c11c68f8dc5c22667f

SHA512
e3481aac4d22f9251abe3832cf5bb6aae4af22322775103cd102fbc9edf766604d494325b5b1e87e79de59f0e629043e33f03cf7c0cc98fe5cf5681a73d77e5d

Download Submit
C:\Windows\{90163C3A-7866-4c11-92E9-F73AE6D4C423}.exe

Filesize
216KB

MD5
887cde8434490c1155b9a576fafc5541

SHA1
a5951270e399edc97a768f21008dc91a8938fef8

SHA256
83ad10ab87a02ab5884e453b6751f357b9bf8f0b8ac5d6730e7c9108f5c452e6

SHA512
b10f72334da11760edc5ab47de702d5ab9e3d9e06f120c6b450e080939d1072785bd5a48d801a7b40554a65381f8fb34cab58d538471580fb8381e6d8089745c

Download Submit
C:\Windows\{A6702D46-AA8B-4d38-827C-D6DA71614390}.exe

Filesize
216KB

MD5
f79fa593fab4b3d26a9b246b99a37fe7

SHA1
305a4557fdf91e3f5bf775a93e1cd53f4c03ac08

SHA256
bb059573cf727e8b914fe8cb9309c29d42dc960163f9ebfeab10d698612f6458

SHA512
dd9e515607aebc63c8fafa728e1625e9169c5814f1ef8cc3e140ccf09355364122596082310461e0bca417b7818fda10ad6d9add0ef4f848d6bb43fe03ef6b05

Download Submit
C:\Windows\{AA70180A-93F3-49bd-A62C-93656059FEE3}.exe

Filesize
216KB

MD5
0723f667d37c1326fb3feb9fbbe18e0a

SHA1
aa8fb19cceeea940ca6596f3ce92a21327201376

SHA256
0b4c590ff270b36b6bd6a088816ddd2cd43d7dd875d73556491c41a88e315276

SHA512
58fb96ed215298ca8fab7b86bd4c96230da7b6c54fd9cd0f305cbe21357445033049ae14f51022a7b5ec0f46659666a93ab7760ee52c6ddf7875e89e992d4d99

Download Submit
C:\Windows\{AB225AE4-0CD5-42bc-82E3-8EF797707879}.exe

Filesize
216KB

MD5
ab5fb0d45d5ed81d19410da615f6a6f4

SHA1
810e5f6af9c5eda7b556fced134d938344276681

SHA256
abdb531991b0f4e117dd896a9f6364f4f38a5c86a4a012220def4c0d0eee7099

SHA512
a306e7afca1555480e431c9fd62a208d9a84aa9e3798a5a46c785f240b4a2ed14de4913e11f7fc978598e25ff39805a62c2ca6a6925d0924ee509a965f9df09f

Download Submit
C:\Windows\{B328C4EB-2AB9-4b0a-B176-11CF103B68D8}.exe

Filesize
216KB

MD5
e41178f25670ca910ff6ba15c812cc98

SHA1
eecd7ebc124119af024dd3d69252290b94d23f50

SHA256
feac6b1ea4946eb2a08ffd9f7cb50f9bc5e43d8fa4064af398df70e08c7bf191

SHA512
8c0762a692473878454334c03862f557619bdf93dffc2ddf88fa49ec7d4a612d4d61b4215da797fa1cd7cb842b0acb1638b4d7d03b8c56d33eac4e98a1dc228e

Download Submit
C:\Windows\{BFAC54EE-B054-4604-A583-69DFACB381C8}.exe

Filesize
216KB

MD5
9f262a2e335a97e7224f596400eda73a

SHA1
961e24e32fbbbfa12510bc4a82ac23e5e717b47b

SHA256
0fda438a447eac1ec7187fb34d4a19d2c71e195b0f9a5beb6ae042bf2e258bd2

SHA512
4ab6df095eb242c6c7596481ab0057bcb2623e3d5984a51656221bba0a8c26f9a4f8f7c5600c437cff59656c493f89adc7379264c51229b2021cc2055b5a1767

Download Submit
C:\Windows\{EA9A00BC-FB3F-4bcd-B267-BD4B71EA0C82}.exe

Filesize
216KB

MD5
01b3b67a399784c13b01f17e49e9c953

SHA1
67d7d26bbcc0d573c288859a9c143600d28e0e7b

SHA256
11477df48a54bf50768758e4819e54cf4e8c05f03caf796daaead3044d81ea04

SHA512
e358f838e98b337270d85cc52a9cfaa59e90ae7c51fb61a70d0373b25fc314c1ba3f3f703842df28db516a935fef521b55a0bfcfbf24283c1d3184ab77a8de3f

Download Submit
C:\Windows\{EB335B2A-A6D2-472a-884F-BB0A0B16A522}.exe

Filesize
216KB

MD5
892b1a2e0534097179b27384177d98f1

SHA1
36953885fc7d0f912a0f11475c33346d70a05a05

SHA256
6b608a0223d90b1a8f850091165a20ad950ab6c5623d09732976b58979e1ea1e

SHA512
b9ae92494a9c7271ae0b196941aa9a9a8c16a8db875ab410ecb8b80326418cfe7f7f79ea21981ab64a9e4a42c7be60a00bb7b5495c0d1b9652d689d51e0fc875

Download Submit
C:\Windows\{F44B3108-8879-47fb-BA55-FE09C60562D1}.exe

Filesize
216KB

MD5
8f44a7870493cac4dbc78cd1dfc19b5b

SHA1
a8103565ca7f1ad8a9e9a3521851038b48506bd4

SHA256
c31134ce6e866dc2275beecda16e16447a04d3501822bffad4b997eb4f3aa197

SHA512
49b36b77be3b19901607cd2aa2e9e86a24f36215ac6cb70411458d552d08e1933cd6207f6a985a6aad95f9729072fde4efd9bba86c89a2311b75daf5cbef0bca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads