2478ee977fdad419354796062ec76a69c2ed2799b77451eaabf31d488bd4f474

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Size

180KB
MD5

3fffeef5581fb6beaa474c4d61381576
SHA1

a7072bb850452316c4328925a41cdbf31a7473ff
SHA256

2478ee977fdad419354796062ec76a69c2ed2799b77451eaabf31d488bd4f474
SHA512

1859ee3aa9445d30484f93aefa95d23244fcd746656bbd563e5549f9b1105805b5d10bd133e4811abb755c003395baad2b5f7e0271be37f50c8c9f34d20bd494
SSDEEP

3072:jEGh0o+lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGYl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023227-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db0b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023233-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001db0b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021524-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001db0b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021524-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000037-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000037-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e3-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}\stubpath = "C:\\Windows\\{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe"	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}\stubpath = "C:\\Windows\\{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe"	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35898799-2ADE-49cc-89D9-D52D566A712E}	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70182F27-A329-4a42-907D-23803330A11D}\stubpath = "C:\\Windows\\{70182F27-A329-4a42-907D-23803330A11D}.exe"	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B430BC-7E93-45e9-94FB-986755CFA5A4}	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35898799-2ADE-49cc-89D9-D52D566A712E}\stubpath = "C:\\Windows\\{35898799-2ADE-49cc-89D9-D52D566A712E}.exe"	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}\stubpath = "C:\\Windows\\{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe"	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70182F27-A329-4a42-907D-23803330A11D}	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90A8A05-9C4D-4ed6-A754-990141241F28}\stubpath = "C:\\Windows\\{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe"	{70182F27-A329-4a42-907D-23803330A11D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}\stubpath = "C:\\Windows\\{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}.exe"	{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B3B6B1-7C71-4e6a-A365-9B3690F18110}\stubpath = "C:\\Windows\\{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe"	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB902DA-58FC-4293-BE13-905C0F12A2D2}	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB902DA-58FC-4293-BE13-905C0F12A2D2}\stubpath = "C:\\Windows\\{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe"	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}\stubpath = "C:\\Windows\\{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe"	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}\stubpath = "C:\\Windows\\{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe"	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90A8A05-9C4D-4ed6-A754-990141241F28}	{70182F27-A329-4a42-907D-23803330A11D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}	{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B3B6B1-7C71-4e6a-A365-9B3690F18110}	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B430BC-7E93-45e9-94FB-986755CFA5A4}\stubpath = "C:\\Windows\\{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe"	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe

Executes dropped EXE 12 IoCs

pid	Process
724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe
624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe
4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe
1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe
3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe
4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe
4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe
4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe
4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe
4944	{70182F27-A329-4a42-907D-23803330A11D}.exe
2024	{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe
1072	{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe
File created	C:\Windows\{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe
File created	C:\Windows\{35898799-2ADE-49cc-89D9-D52D566A712E}.exe	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe
File created	C:\Windows\{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe
File created	C:\Windows\{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
File created	C:\Windows\{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe
File created	C:\Windows\{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe
File created	C:\Windows\{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe
File created	C:\Windows\{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}.exe	{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe
File created	C:\Windows\{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe
File created	C:\Windows\{70182F27-A329-4a42-907D-23803330A11D}.exe	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe
File created	C:\Windows\{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe	{70182F27-A329-4a42-907D-23803330A11D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4304	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
Token: SeIncBasePriorityPrivilege	724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe
Token: SeIncBasePriorityPrivilege	624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe
Token: SeIncBasePriorityPrivilege	4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe
Token: SeIncBasePriorityPrivilege	1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe
Token: SeIncBasePriorityPrivilege	3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe
Token: SeIncBasePriorityPrivilege	4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe
Token: SeIncBasePriorityPrivilege	4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe
Token: SeIncBasePriorityPrivilege	4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe
Token: SeIncBasePriorityPrivilege	4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe
Token: SeIncBasePriorityPrivilege	4944	{70182F27-A329-4a42-907D-23803330A11D}.exe
Token: SeIncBasePriorityPrivilege	2024	{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 724	4304	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	96
PID 4304 wrote to memory of 724	4304	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	96
PID 4304 wrote to memory of 724	4304	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	96
PID 4304 wrote to memory of 4428	4304	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	97
PID 4304 wrote to memory of 4428	4304	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	97
PID 4304 wrote to memory of 4428	4304	2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe	97
PID 724 wrote to memory of 624	724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe	98
PID 724 wrote to memory of 624	724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe	98
PID 724 wrote to memory of 624	724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe	98
PID 724 wrote to memory of 376	724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe	99
PID 724 wrote to memory of 376	724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe	99
PID 724 wrote to memory of 376	724	{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe	99
PID 624 wrote to memory of 4708	624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe	101
PID 624 wrote to memory of 4708	624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe	101
PID 624 wrote to memory of 4708	624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe	101
PID 624 wrote to memory of 4864	624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe	102
PID 624 wrote to memory of 4864	624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe	102
PID 624 wrote to memory of 4864	624	{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe	102
PID 4708 wrote to memory of 1156	4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe	103
PID 4708 wrote to memory of 1156	4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe	103
PID 4708 wrote to memory of 1156	4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe	103
PID 4708 wrote to memory of 4388	4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe	104
PID 4708 wrote to memory of 4388	4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe	104
PID 4708 wrote to memory of 4388	4708	{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe	104
PID 1156 wrote to memory of 3616	1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe	105
PID 1156 wrote to memory of 3616	1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe	105
PID 1156 wrote to memory of 3616	1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe	105
PID 1156 wrote to memory of 1552	1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe	106
PID 1156 wrote to memory of 1552	1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe	106
PID 1156 wrote to memory of 1552	1156	{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe	106
PID 3616 wrote to memory of 4416	3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe	107
PID 3616 wrote to memory of 4416	3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe	107
PID 3616 wrote to memory of 4416	3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe	107
PID 3616 wrote to memory of 4780	3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe	108
PID 3616 wrote to memory of 4780	3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe	108
PID 3616 wrote to memory of 4780	3616	{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe	108
PID 4416 wrote to memory of 4920	4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe	109
PID 4416 wrote to memory of 4920	4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe	109
PID 4416 wrote to memory of 4920	4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe	109
PID 4416 wrote to memory of 4112	4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe	110
PID 4416 wrote to memory of 4112	4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe	110
PID 4416 wrote to memory of 4112	4416	{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe	110
PID 4920 wrote to memory of 4728	4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe	111
PID 4920 wrote to memory of 4728	4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe	111
PID 4920 wrote to memory of 4728	4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe	111
PID 4920 wrote to memory of 2280	4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe	112
PID 4920 wrote to memory of 2280	4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe	112
PID 4920 wrote to memory of 2280	4920	{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe	112
PID 4728 wrote to memory of 4492	4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe	113
PID 4728 wrote to memory of 4492	4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe	113
PID 4728 wrote to memory of 4492	4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe	113
PID 4728 wrote to memory of 372	4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe	114
PID 4728 wrote to memory of 372	4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe	114
PID 4728 wrote to memory of 372	4728	{35898799-2ADE-49cc-89D9-D52D566A712E}.exe	114
PID 4492 wrote to memory of 4944	4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe	115
PID 4492 wrote to memory of 4944	4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe	115
PID 4492 wrote to memory of 4944	4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe	115
PID 4492 wrote to memory of 4520	4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe	116
PID 4492 wrote to memory of 4520	4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe	116
PID 4492 wrote to memory of 4520	4492	{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe	116
PID 4944 wrote to memory of 2024	4944	{70182F27-A329-4a42-907D-23803330A11D}.exe	117
PID 4944 wrote to memory of 2024	4944	{70182F27-A329-4a42-907D-23803330A11D}.exe	117
PID 4944 wrote to memory of 2024	4944	{70182F27-A329-4a42-907D-23803330A11D}.exe	117
PID 4944 wrote to memory of 3108	4944	{70182F27-A329-4a42-907D-23803330A11D}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_3fffeef5581fb6beaa474c4d61381576_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe
  C:\Windows\{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe
    C:\Windows\{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe
      C:\Windows\{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Windows\{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe
        
        C:\Windows\{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe
        
        C:\Windows\{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe
        
        C:\Windows\{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe
        
        C:\Windows\{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{35898799-2ADE-49cc-89D9-D52D566A712E}.exe
        
        C:\Windows\{35898799-2ADE-49cc-89D9-D52D566A712E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe
        
        C:\Windows\{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\{70182F27-A329-4a42-907D-23803330A11D}.exe
        
        C:\Windows\{70182F27-A329-4a42-907D-23803330A11D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe
        
        C:\Windows\{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}.exe
        
        C:\Windows\{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}.exe
        13⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B90A8~1.EXE > nul
        13⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70182~1.EXE > nul
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AD6F~1.EXE > nul
        11⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35898~1.EXE > nul
        10⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{265CF~1.EXE > nul
        9⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DC1~1.EXE > nul
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC3E~1.EXE > nul
        7⤵
        
        PID:4780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEB90~1.EXE > nul
        6⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15B43~1.EXE > nul
        5⤵
        
        PID:4388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29B3B~1.EXE > nul
      4⤵
      PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D6D~1.EXE > nul
    3⤵
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15B430BC-7E93-45e9-94FB-986755CFA5A4}.exe

Filesize
180KB

MD5
32f98a1e853b33bfc05f809c1e8bcb47

SHA1
d41a42bd8d316efcd7b2ab777c8d41df6f492c67

SHA256
b28e4a7140e92b0800170b9ff8bd79578bf6960f296ddad1cb5333034c54239b

SHA512
9057aeb6f4d33421da6eaa0820a5313163e5b732e3585bcd0473b70e8f9ade0f2a10afd426f2ce8c1a01efa2bcfb785c36456e774ec240370709b9f7539b3219

Download Submit
C:\Windows\{265CFBDA-2B66-4248-8B8A-BBAC06B13AEE}.exe

Filesize
180KB

MD5
058a0d48ea38c4bdd74dcb679088aadc

SHA1
33eb27c714edba479c108342f23f7e75fe64e496

SHA256
ab92c49944197473fc7a20f0a9e00fcbda3c3374da2042b8da97e93de36681a2

SHA512
42be26a178a845b83c8a62339e1646697af70c16df3a9fac65e665a27b6ad694c2d60d304524d14564b164d65386c7b982520df6b4db25eff3d02776a4b54515

Download Submit
C:\Windows\{29B3B6B1-7C71-4e6a-A365-9B3690F18110}.exe

Filesize
180KB

MD5
f0efb511200e0114c7ff8ba77b6cf9cc

SHA1
8cb0fbe02d25f6ff12004c38d416712ec8e6188b

SHA256
746b40e7b7b072ca20196d8939b8691c175852a820759c4f34759a2df3517c07

SHA512
bd887cef7b418cfc8decb02d11cb24ac44e7004b669000b413447f8ac6068af100d26d1cdd1272452831af9ef1e41290841f6e21eb5e79e8a0a2e1e9b8793e09

Download Submit
C:\Windows\{35898799-2ADE-49cc-89D9-D52D566A712E}.exe

Filesize
180KB

MD5
bd27a1101269a166975e9ad49dd870ce

SHA1
1f00f0ae4b81e1e026032e75381c322c69be7ecb

SHA256
897182fca2014133a39712b4083679b3468c8a1982a60d082fd4a9f0add7c057

SHA512
e4454bc950a0f675b9893b45e08afc3c6f49eb7ef35c6119ce8805a327f7de82f319fdaaff229185d115de7978aae32227a1d9b00366a89004f4a38b09f47b2e

Download Submit
C:\Windows\{6CC3EF9D-3BDF-4715-B3FD-1597467BB95D}.exe

Filesize
180KB

MD5
e467fd9bf0ca29b8200ca3c81ff464a0

SHA1
e239404d41af88d14b27380f32c6bf9f165792a1

SHA256
bc63af9bc76bcc5a7e8a4363a828c936b7ea7cccbdd4e17d5b51d0cca7ed5c17

SHA512
3cfad00db1c982434ecde56991a0a42fb3c232eafb5a8e6d745827380ec93bcd6b9868cfed40efb94b9842b63f12dc56afcb189837344d6d58839afa7af4a1e7

Download Submit
C:\Windows\{70182F27-A329-4a42-907D-23803330A11D}.exe

Filesize
180KB

MD5
87758b1619571acd3d5114072086b14e

SHA1
52436a8adae16c0afb0a26dc66ed3337b4232819

SHA256
ad2adb1ab59d16395650394e730d5afd37b078a25a6cc7fc8558e492bbc8a615

SHA512
2fa37234602b4f4747d0b0b0d37a7b6526cb787a707d53d5c201d2fea40ef426e4f69ba2601734c036ba1db26e051eaefe98e61b4d8e6e44b452cf41e565cbf4

Download Submit
C:\Windows\{8AD6F8C9-A90D-4bad-BC8E-1EB7E41D3B4C}.exe

Filesize
180KB

MD5
68fadf36471177822b238dd22cbc9856

SHA1
bc5630f116d7e38d10db60b65b99d0e04738d652

SHA256
de6659b50e8e888dd88bc16d2a1f2cb71ff7dede454105f8b92cbf01ee2d68c6

SHA512
fd8a5b5861dafb07b7329594bb45b0f0585d0df059083df01b76df192d97b40579c04bbaa4291f1cd18984afd3acd3d5a6cf63779647557120bb120d2e7da0f8

Download Submit
C:\Windows\{A7DC1C50-F9A4-48df-837E-7BCD2722F26F}.exe

Filesize
180KB

MD5
10d520979d8daf39fc4cc3105ff1ca0f

SHA1
0492dca8abf970d0117a92b79ff313dbaee40b6b

SHA256
4816319fe36895244585332734b9f107a0d384043aa46c81d813e014b955daad

SHA512
b5f97e9799d042571f698f0a9595bc2ab85b59d17230cce63100f8838fd6be05c083b49843ba754b153952615ef74cf0293e9242cf3cbddfb28a8cedb014c5f9

Download Submit
C:\Windows\{B3AC7DCA-9B39-442c-B935-D39EEC3F0EE6}.exe

Filesize
180KB

MD5
24774d325f84ada44b83661cb295117a

SHA1
bb16d5151a02597cf27be4cde957bab87453caa6

SHA256
958498dd181db648d7d6f161e01bbe70feee13f0a132b7858bec986fd5b217d0

SHA512
56b3ba168d49729d725e81732b0901c4fa26d29c750b242434b6aa9cd47f24990b5f77cc59992b32987d858b7687805f54bb76c28a7f2878053d2530ee210918

Download Submit
C:\Windows\{B90A8A05-9C4D-4ed6-A754-990141241F28}.exe

Filesize
180KB

MD5
16e8dd0612e71e900189fe35e7555cdb

SHA1
c8b4f0e9d2510beb90176160d0be238403699a43

SHA256
3f1fd8d3f8c2b455690be341f029ceda8de0400fb2291bef02b6d81176464f1f

SHA512
13b28483c4a8f36cb40099062bdb2f47285536955c781fe41827e0e77accec26dc7546e0737d48a086c31c650c261bd628a3b458df2030f96874553079e1f1de

Download Submit
C:\Windows\{CEB902DA-58FC-4293-BE13-905C0F12A2D2}.exe

Filesize
180KB

MD5
d2a34e87e2bfb265e1db9f1dad3d6585

SHA1
4f09926fef5c2cd605857b07cf88ba387dfe2451

SHA256
65039d12c2b84c674ebdb3d9587e10e501caa4f118a69358cb0b05cef9b2528e

SHA512
5e85369404652323f166ce9a3f7fa1c4fc407713261669e640eca4e7f33169facd1635f4765fcb49ae5371ab03af4ce1f2875a3f002c9ff6e68d75021dbe2925

Download Submit
C:\Windows\{E2D6D0F0-406D-403c-A4C0-820ADFD29DC4}.exe

Filesize
180KB

MD5
1fbd7958d06a965948c9a72daaef90e0

SHA1
02dae06546671083716b6e7317be2f1a1e3472e2

SHA256
c4c06c920a5894a637615a3fc13c28e4e5ffe0e86811b5316eca91911530dc32

SHA512
7bc826731f6e2b0f60068fcd9a745d5bd4664ea52de8b03658f7740ceeb203624cc86b0728dba70dad81d9c22ee3ceb820e4292cb9ea287b8b8ca0a6f48c3a0d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads