452252f66fe1100f3ae1dcebefd24a8d1ddd099a4fea68260e08d0a5b2f4f0ca

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Size

344KB
MD5

b58f875eeb051d5b64adcae5f66ff507
SHA1

ae4b843ecc3be28acf53251c5b69db99e3561339
SHA256

452252f66fe1100f3ae1dcebefd24a8d1ddd099a4fea68260e08d0a5b2f4f0ca
SHA512

5ece80002880fabebb89af00f4d268cab0554433240c0609b4bbc9aa60b8a7a4ec3d41c5064d7541b3b84737b2d61cbda06490243e99ef025ae684d6b74eb62a
SSDEEP

3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231fd-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231a5-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023204-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231a5-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d42-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E249C30D-50EE-435f-A517-DDF86DAC0E56}\stubpath = "C:\\Windows\\{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe"	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81654FA5-648D-421d-9AAC-95C12DC1AB56}	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F44877D-0EFB-4290-A642-9BE4D1127768}	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F44877D-0EFB-4290-A642-9BE4D1127768}\stubpath = "C:\\Windows\\{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe"	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E7F08BC-3378-4522-A64D-B88825965FD6}\stubpath = "C:\\Windows\\{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe"	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81654FA5-648D-421d-9AAC-95C12DC1AB56}\stubpath = "C:\\Windows\\{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe"	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}\stubpath = "C:\\Windows\\{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe"	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DCEA958-E004-421f-B679-D5187ED8AB62}	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}	{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}\stubpath = "C:\\Windows\\{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe"	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E249C30D-50EE-435f-A517-DDF86DAC0E56}	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DCEA958-E004-421f-B679-D5187ED8AB62}\stubpath = "C:\\Windows\\{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe"	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E7F08BC-3378-4522-A64D-B88825965FD6}	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}\stubpath = "C:\\Windows\\{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe"	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D710CED4-AB3C-472c-8244-983C0EF22354}	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D710CED4-AB3C-472c-8244-983C0EF22354}\stubpath = "C:\\Windows\\{D710CED4-AB3C-472c-8244-983C0EF22354}.exe"	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5478597-B1E2-462d-9A32-D257DE82547B}	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5478597-B1E2-462d-9A32-D257DE82547B}\stubpath = "C:\\Windows\\{F5478597-B1E2-462d-9A32-D257DE82547B}.exe"	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}\stubpath = "C:\\Windows\\{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe"	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}\stubpath = "C:\\Windows\\{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}.exe"	{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe

Executes dropped EXE 12 IoCs

pid	Process
2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe
1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe
4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe
3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe
3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe
1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe
3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe
1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe
1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe
1204	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe
2328	{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe
2304	{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe
File created	C:\Windows\{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe
File created	C:\Windows\{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}.exe	{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe
File created	C:\Windows\{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe
File created	C:\Windows\{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe
File created	C:\Windows\{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe
File created	C:\Windows\{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe
File created	C:\Windows\{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe
File created	C:\Windows\{D710CED4-AB3C-472c-8244-983C0EF22354}.exe	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe
File created	C:\Windows\{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
File created	C:\Windows\{F5478597-B1E2-462d-9A32-D257DE82547B}.exe	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe
File created	C:\Windows\{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3868	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe
Token: SeIncBasePriorityPrivilege	1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe
Token: SeIncBasePriorityPrivilege	4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe
Token: SeIncBasePriorityPrivilege	3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe
Token: SeIncBasePriorityPrivilege	3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe
Token: SeIncBasePriorityPrivilege	1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe
Token: SeIncBasePriorityPrivilege	3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe
Token: SeIncBasePriorityPrivilege	1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe
Token: SeIncBasePriorityPrivilege	1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe
Token: SeIncBasePriorityPrivilege	1204	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe
Token: SeIncBasePriorityPrivilege	2328	{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 2768	3868	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	96
PID 3868 wrote to memory of 2768	3868	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	96
PID 3868 wrote to memory of 2768	3868	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	96
PID 3868 wrote to memory of 3648	3868	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	97
PID 3868 wrote to memory of 3648	3868	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	97
PID 3868 wrote to memory of 3648	3868	2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe	97
PID 2768 wrote to memory of 1220	2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe	98
PID 2768 wrote to memory of 1220	2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe	98
PID 2768 wrote to memory of 1220	2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe	98
PID 2768 wrote to memory of 5048	2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe	99
PID 2768 wrote to memory of 5048	2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe	99
PID 2768 wrote to memory of 5048	2768	{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe	99
PID 1220 wrote to memory of 4612	1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe	101
PID 1220 wrote to memory of 4612	1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe	101
PID 1220 wrote to memory of 4612	1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe	101
PID 1220 wrote to memory of 3088	1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe	102
PID 1220 wrote to memory of 3088	1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe	102
PID 1220 wrote to memory of 3088	1220	{F5478597-B1E2-462d-9A32-D257DE82547B}.exe	102
PID 4612 wrote to memory of 3800	4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe	103
PID 4612 wrote to memory of 3800	4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe	103
PID 4612 wrote to memory of 3800	4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe	103
PID 4612 wrote to memory of 5096	4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe	104
PID 4612 wrote to memory of 5096	4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe	104
PID 4612 wrote to memory of 5096	4612	{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe	104
PID 3800 wrote to memory of 3440	3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe	105
PID 3800 wrote to memory of 3440	3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe	105
PID 3800 wrote to memory of 3440	3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe	105
PID 3800 wrote to memory of 1068	3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe	106
PID 3800 wrote to memory of 1068	3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe	106
PID 3800 wrote to memory of 1068	3800	{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe	106
PID 3440 wrote to memory of 1212	3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe	107
PID 3440 wrote to memory of 1212	3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe	107
PID 3440 wrote to memory of 1212	3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe	107
PID 3440 wrote to memory of 1192	3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe	108
PID 3440 wrote to memory of 1192	3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe	108
PID 3440 wrote to memory of 1192	3440	{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe	108
PID 1212 wrote to memory of 3424	1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe	109
PID 1212 wrote to memory of 3424	1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe	109
PID 1212 wrote to memory of 3424	1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe	109
PID 1212 wrote to memory of 4364	1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe	110
PID 1212 wrote to memory of 4364	1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe	110
PID 1212 wrote to memory of 4364	1212	{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe	110
PID 3424 wrote to memory of 1664	3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe	111
PID 3424 wrote to memory of 1664	3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe	111
PID 3424 wrote to memory of 1664	3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe	111
PID 3424 wrote to memory of 4448	3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe	112
PID 3424 wrote to memory of 4448	3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe	112
PID 3424 wrote to memory of 4448	3424	{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe	112
PID 1664 wrote to memory of 1964	1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe	113
PID 1664 wrote to memory of 1964	1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe	113
PID 1664 wrote to memory of 1964	1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe	113
PID 1664 wrote to memory of 4308	1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe	114
PID 1664 wrote to memory of 4308	1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe	114
PID 1664 wrote to memory of 4308	1664	{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe	114
PID 1964 wrote to memory of 1204	1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe	115
PID 1964 wrote to memory of 1204	1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe	115
PID 1964 wrote to memory of 1204	1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe	115
PID 1964 wrote to memory of 2728	1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe	116
PID 1964 wrote to memory of 2728	1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe	116
PID 1964 wrote to memory of 2728	1964	{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe	116
PID 1204 wrote to memory of 2328	1204	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe	117
PID 1204 wrote to memory of 2328	1204	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe	117
PID 1204 wrote to memory of 2328	1204	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe	117
PID 1204 wrote to memory of 5004	1204	{D710CED4-AB3C-472c-8244-983C0EF22354}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_b58f875eeb051d5b64adcae5f66ff507_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe
  C:\Windows\{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\{F5478597-B1E2-462d-9A32-D257DE82547B}.exe
    C:\Windows\{F5478597-B1E2-462d-9A32-D257DE82547B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe
      C:\Windows\{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe
        
        C:\Windows\{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3800
      - C:\Windows\{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe
        
        C:\Windows\{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe
        
        C:\Windows\{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe
        
        C:\Windows\{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe
        
        C:\Windows\{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe
        
        C:\Windows\{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{D710CED4-AB3C-472c-8244-983C0EF22354}.exe
        
        C:\Windows\{D710CED4-AB3C-472c-8244-983C0EF22354}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe
        
        C:\Windows\{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}.exe
        
        C:\Windows\{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}.exe
        13⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6838A~1.EXE > nul
        13⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D710C~1.EXE > nul
        12⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F60C~1.EXE > nul
        11⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E7F0~1.EXE > nul
        10⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81654~1.EXE > nul
        9⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DCEA~1.EXE > nul
        8⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F16E~1.EXE > nul
        7⤵
        
        PID:1192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E249C~1.EXE > nul
        6⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B09F6~1.EXE > nul
        5⤵
        
        PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5478~1.EXE > nul
      4⤵
      PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F448~1.EXE > nul
    3⤵
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F60C9C4-9327-4c0c-B9C6-57B2C93F1F75}.exe

Filesize
344KB

MD5
5f7a760fa1690ce7c9cb1c3aa36c6c4b

SHA1
78bd991affb896ee595813f27d147cdb62bd8f53

SHA256
136f3d90f92c57398d6cc98df0149f8b29c4b4fd608c97fe3ecfcc1d65aeaa36

SHA512
6671c2960d463d39dc66fe5eafcbcb26e243b561adce89f29dc99bd5ffdd210fe1fb2f38189d45aa7521fbbcc888bbc5529566a2804cf9104ea5b79a6e0b61aa

Download Submit
C:\Windows\{4E7F08BC-3378-4522-A64D-B88825965FD6}.exe

Filesize
344KB

MD5
9b0455a7967b4e8cd74c264dfcdbcf0a

SHA1
e672a8bc65fa3be79623c5f467e4952847488782

SHA256
74356ce3d1d76febd92e33437e5d194707a6ea36dc286f54b188d215cfe7e149

SHA512
e9ae4b5345282b74e18adf99511bcb05cb7e3d8ea803687486bdbb15fe879964a625fd9945817f9b835ede22b41789bae03958baa4a1aa29e029fb963c3a3b40

Download Submit
C:\Windows\{50E3E65B-11B7-47bc-8FAD-B15D5A6F2CE4}.exe

Filesize
344KB

MD5
bfad43b776b0a0a33fc132e7c74476b7

SHA1
85ff5ded835cf3f858135a0bdd3d313c3b296a20

SHA256
35cf18d125643144f776626b9f52f96b8b66c9a2caf964a1f5f774677f5d55d4

SHA512
d1bb74b84df27c2af4cfa26d55daa5388638192eeef851ba0031f8091e921ddb7562a3b2a725939a653eef86e180dd5232fca7f4542c32b0634652778b99f04b

Download Submit
C:\Windows\{6838A6A0-7CE2-420f-8BD7-92103CDBA1AE}.exe

Filesize
344KB

MD5
8f6e4c3978479dbdd7992dba28be14ea

SHA1
db9662b70e8ec6f9d6a61d2a22130454249e8481

SHA256
025c263ee97878af1baf13dd8299f68a932ef1b83f7a60d98b864eac10a65cdb

SHA512
070ae61f2fb06603166a261c6e00c07595668587fc8c23133e5046d7b87435d16ad0f4d22d5b59c23e172f7ba97be3a141525531ddd23e5f9efbe4749a91a122

Download Submit
C:\Windows\{7F44877D-0EFB-4290-A642-9BE4D1127768}.exe

Filesize
344KB

MD5
bc322c7fd6157bfb493f96fdb7e26cfb

SHA1
29f7c0e17ae4f800f4935995b0ddcae21ae2e6d0

SHA256
ccbfa6d105202bae402f29d8ac6e06069111cdae5932b6162da8ed86d1f36786

SHA512
c11d2ae01376014bbc52f42b55bb9bf9b9a04c485a084e11f6fb911ca02638774c87b0b9284c639c4af37d16e876f4d0f21d601ec1ef439d5c8116bea20a7bcc

Download Submit
C:\Windows\{81654FA5-648D-421d-9AAC-95C12DC1AB56}.exe

Filesize
344KB

MD5
65dd6a34f0671547f75df96111029119

SHA1
394aa0bc2355e00f49b0982b44541a8181b384f4

SHA256
ffbb38b359743e4641cd276f18662acd880191f2bb6caaffdcb7b11979ff5d26

SHA512
5d424810c998d2eb3011f0acfc4a5900770d4bc2ddd1b019fc979638daa278024e328f7041f668d0a07b23fe5847ef47f6f1e545d4dba8163d5c096af1b3c18e

Download Submit
C:\Windows\{9DCEA958-E004-421f-B679-D5187ED8AB62}.exe

Filesize
344KB

MD5
4334a1ba42c1e996e54c8cfeb3a34d83

SHA1
d8cc90a029b5fef67f7264fd04565ae35a416a41

SHA256
5a6da907e89f349a9d49112d81288380b88da5806cd89e3d9091e4c452d4157a

SHA512
c7517697c00f1095d46559bb54d673df878963b8de4d215730d07b1211841359b1dfa516d5c01398930dc3d45fc5a6c96ab7e85d0e8cb2dfb787cf7f02c59fd5

Download Submit
C:\Windows\{9F16E2E5-9ED1-41a1-BA04-C2ED223CA590}.exe

Filesize
344KB

MD5
e327c78fc1a8afaea29e3b2546f029e2

SHA1
000a5e0dd20ca42b4caa2b8ca58a62c4783c21d5

SHA256
6ce81021975f9084af8aad240714b858e1d7058d5fdccd9f54acb7555ce0661b

SHA512
63e68e51a884352e454112f688f0eb09eacca61b23b6cbc77873b2ccca6212483015ebfa86bf4c10ba00464e17a3d139176b23f85e4b070e8a8c583b8408d360

Download Submit
C:\Windows\{B09F6E62-7FC4-463a-BE95-11FFC6EED4BD}.exe

Filesize
344KB

MD5
bbb5275caef6ad28b8fa7a26c23ee44e

SHA1
f56419ca0ec1aca4df3fb9b4449bcb2e31ef4372

SHA256
2dc8488122b7b0958d4b59ff31daac9075a1a906081766240474a4093bf0111b

SHA512
8e222cd9b5bd1b26aa95f208eb07294aac6c5e404b7e275b13febd73103d7170379e42f9079e3331680149227f5045c4099f8c6936359e688bc56f9adfe07d03

Download Submit
C:\Windows\{D710CED4-AB3C-472c-8244-983C0EF22354}.exe

Filesize
344KB

MD5
fa10537524b4211dc838f31ba4693d34

SHA1
4e4d77e43b5e31094d6506dddca330dea01c0837

SHA256
61a063b2735558d53ff67aced694b646293d73de89206ec80553beedc33e62ee

SHA512
8ac1d0618196a15030407be8c0a45264d5617864905ceefda0803266ce309a3d127ef4e1827465f6a1dd30b02ab69d0ad2c3c193283e6083a4bc932185569f2e

Download Submit
C:\Windows\{E249C30D-50EE-435f-A517-DDF86DAC0E56}.exe

Filesize
344KB

MD5
ae160ca1083a4359b8152f14b40ec310

SHA1
d319a1357355452011f72da94b5c0557d5573586

SHA256
6681bbf73f814fded67186b6c32ccef7168140e151191838005f7717c75ca657

SHA512
2fd3de04f761829ef13e5b4dc1aaa0918ac37df1226387c47f79fd78a40e0320624489df2097a63c571eaeacc01edbfd1d626f1d2b3cea5b1656e0a064947c63

Download Submit
C:\Windows\{F5478597-B1E2-462d-9A32-D257DE82547B}.exe

Filesize
344KB

MD5
23e1019be6f8ede9eefb0385356ce94e

SHA1
2b165a799cf1170eb33cc6a6205089bd2d5b9b7e

SHA256
c056d61f4b01c3b523754097ba5cfbf8be5cd4fc0b4fdc2a40490c953f5b50e9

SHA512
fc82ee9ef0d0e6b6cb6c127ee9444a03b49b740f3bb190ddfaa85bed64b96cc31d70f31b9cfa695f10e4045a51aba5592ec5683cabbbdf06f912b408e23c58b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads