0f8140ecb9c0eaa9b3f7aee03057979122c7fe0029e5c2844d9444c02e5402c3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe
Size

380KB
MD5

c92223fefa56331a4895bb670d93e9c6
SHA1

ea7a40f45964a8b26b80a2f03168d9cadb10ab03
SHA256

0f8140ecb9c0eaa9b3f7aee03057979122c7fe0029e5c2844d9444c02e5402c3
SHA512

35eb0f410f574ee961e0047aada495cd43b9acb6237e354a22be098d9e8824554eebf3b3d1877558c39e147dc5229bebb644d5b2cb2e76dc11b9afca7084e4f2
SSDEEP

3072:mEGh0o5lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGvl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023158-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023232-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023239-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023232-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b3f-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b40-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021b3f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE5DAF9-2E33-4283-8115-985931B1C762}	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD27A4E-BADA-4946-AE28-165B7DF77530}\stubpath = "C:\\Windows\\{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe"	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE44A5A0-B94E-4099-9601-677547A9219A}	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C527DAC-41DE-4330-9CB2-6145CF20E468}	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}\stubpath = "C:\\Windows\\{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe"	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F20671C8-A960-4ddd-9333-E6625453CE99}	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92AD132-1652-4300-A19E-0A2D82E0FE52}\stubpath = "C:\\Windows\\{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe"	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41645790-4BE9-45b3-A350-DB83650D9868}	{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD27A4E-BADA-4946-AE28-165B7DF77530}	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}\stubpath = "C:\\Windows\\{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe"	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F70189F-241F-4664-A99D-36EFFF624CCA}	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F20671C8-A960-4ddd-9333-E6625453CE99}\stubpath = "C:\\Windows\\{F20671C8-A960-4ddd-9333-E6625453CE99}.exe"	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8004F38C-B637-4872-88AF-6FCE9AC8CE85}\stubpath = "C:\\Windows\\{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe"	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41645790-4BE9-45b3-A350-DB83650D9868}\stubpath = "C:\\Windows\\{41645790-4BE9-45b3-A350-DB83650D9868}.exe"	{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}\stubpath = "C:\\Windows\\{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe"	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8004F38C-B637-4872-88AF-6FCE9AC8CE85}	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F70189F-241F-4664-A99D-36EFFF624CCA}\stubpath = "C:\\Windows\\{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe"	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE44A5A0-B94E-4099-9601-677547A9219A}\stubpath = "C:\\Windows\\{BE44A5A0-B94E-4099-9601-677547A9219A}.exe"	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C527DAC-41DE-4330-9CB2-6145CF20E468}\stubpath = "C:\\Windows\\{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe"	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92AD132-1652-4300-A19E-0A2D82E0FE52}	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AE5DAF9-2E33-4283-8115-985931B1C762}\stubpath = "C:\\Windows\\{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe"	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe

Executes dropped EXE 12 IoCs

pid	Process
2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe
3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe
960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe
636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe
2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe
4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe
1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe
944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe
1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe
4968	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe
2760	{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe
2520	{41645790-4BE9-45b3-A350-DB83650D9868}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe
File created	C:\Windows\{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe
File created	C:\Windows\{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe
File created	C:\Windows\{BE44A5A0-B94E-4099-9601-677547A9219A}.exe	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe
File created	C:\Windows\{F20671C8-A960-4ddd-9333-E6625453CE99}.exe	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe
File created	C:\Windows\{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe
File created	C:\Windows\{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe
File created	C:\Windows\{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe
File created	C:\Windows\{41645790-4BE9-45b3-A350-DB83650D9868}.exe	{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe
File created	C:\Windows\{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe
File created	C:\Windows\{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe
File created	C:\Windows\{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4108	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe
Token: SeIncBasePriorityPrivilege	3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe
Token: SeIncBasePriorityPrivilege	960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe
Token: SeIncBasePriorityPrivilege	636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe
Token: SeIncBasePriorityPrivilege	2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe
Token: SeIncBasePriorityPrivilege	4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe
Token: SeIncBasePriorityPrivilege	1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe
Token: SeIncBasePriorityPrivilege	944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe
Token: SeIncBasePriorityPrivilege	1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe
Token: SeIncBasePriorityPrivilege	4968	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe
Token: SeIncBasePriorityPrivilege	2760	{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 2360	4108	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe	94
PID 4108 wrote to memory of 2360	4108	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe	94
PID 4108 wrote to memory of 2360	4108	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe	94
PID 4108 wrote to memory of 1364	4108	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe	95
PID 4108 wrote to memory of 1364	4108	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe	95
PID 4108 wrote to memory of 1364	4108	2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe	95
PID 2360 wrote to memory of 3232	2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe	96
PID 2360 wrote to memory of 3232	2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe	96
PID 2360 wrote to memory of 3232	2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe	96
PID 2360 wrote to memory of 3412	2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe	97
PID 2360 wrote to memory of 3412	2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe	97
PID 2360 wrote to memory of 3412	2360	{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe	97
PID 3232 wrote to memory of 960	3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe	99
PID 3232 wrote to memory of 960	3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe	99
PID 3232 wrote to memory of 960	3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe	99
PID 3232 wrote to memory of 4824	3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe	100
PID 3232 wrote to memory of 4824	3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe	100
PID 3232 wrote to memory of 4824	3232	{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe	100
PID 960 wrote to memory of 636	960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe	101
PID 960 wrote to memory of 636	960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe	101
PID 960 wrote to memory of 636	960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe	101
PID 960 wrote to memory of 3164	960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe	102
PID 960 wrote to memory of 3164	960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe	102
PID 960 wrote to memory of 3164	960	{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe	102
PID 636 wrote to memory of 2828	636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe	103
PID 636 wrote to memory of 2828	636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe	103
PID 636 wrote to memory of 2828	636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe	103
PID 636 wrote to memory of 2844	636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe	104
PID 636 wrote to memory of 2844	636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe	104
PID 636 wrote to memory of 2844	636	{BE44A5A0-B94E-4099-9601-677547A9219A}.exe	104
PID 2828 wrote to memory of 4848	2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe	105
PID 2828 wrote to memory of 4848	2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe	105
PID 2828 wrote to memory of 4848	2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe	105
PID 2828 wrote to memory of 2208	2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe	106
PID 2828 wrote to memory of 2208	2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe	106
PID 2828 wrote to memory of 2208	2828	{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe	106
PID 4848 wrote to memory of 1852	4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe	107
PID 4848 wrote to memory of 1852	4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe	107
PID 4848 wrote to memory of 1852	4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe	107
PID 4848 wrote to memory of 4992	4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe	108
PID 4848 wrote to memory of 4992	4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe	108
PID 4848 wrote to memory of 4992	4848	{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe	108
PID 1852 wrote to memory of 944	1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe	109
PID 1852 wrote to memory of 944	1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe	109
PID 1852 wrote to memory of 944	1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe	109
PID 1852 wrote to memory of 4800	1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe	110
PID 1852 wrote to memory of 4800	1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe	110
PID 1852 wrote to memory of 4800	1852	{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe	110
PID 944 wrote to memory of 1536	944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe	111
PID 944 wrote to memory of 1536	944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe	111
PID 944 wrote to memory of 1536	944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe	111
PID 944 wrote to memory of 3672	944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe	112
PID 944 wrote to memory of 3672	944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe	112
PID 944 wrote to memory of 3672	944	{F20671C8-A960-4ddd-9333-E6625453CE99}.exe	112
PID 1536 wrote to memory of 4968	1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe	113
PID 1536 wrote to memory of 4968	1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe	113
PID 1536 wrote to memory of 4968	1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe	113
PID 1536 wrote to memory of 4864	1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe	114
PID 1536 wrote to memory of 4864	1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe	114
PID 1536 wrote to memory of 4864	1536	{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe	114
PID 4968 wrote to memory of 2760	4968	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe	115
PID 4968 wrote to memory of 2760	4968	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe	115
PID 4968 wrote to memory of 2760	4968	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe	115
PID 4968 wrote to memory of 3432	4968	{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_c92223fefa56331a4895bb670d93e9c6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe
  C:\Windows\{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe
    C:\Windows\{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe
      C:\Windows\{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\{BE44A5A0-B94E-4099-9601-677547A9219A}.exe
        
        C:\Windows\{BE44A5A0-B94E-4099-9601-677547A9219A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe
        
        C:\Windows\{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe
        
        C:\Windows\{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe
        
        C:\Windows\{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\{F20671C8-A960-4ddd-9333-E6625453CE99}.exe
        
        C:\Windows\{F20671C8-A960-4ddd-9333-E6625453CE99}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe
        
        C:\Windows\{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe
        
        C:\Windows\{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe
        
        C:\Windows\{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{41645790-4BE9-45b3-A350-DB83650D9868}.exe
        
        C:\Windows\{41645790-4BE9-45b3-A350-DB83650D9868}.exe
        13⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE5D~1.EXE > nul
        13⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B92AD~1.EXE > nul
        12⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8004F~1.EXE > nul
        11⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2067~1.EXE > nul
        10⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB78A~1.EXE > nul
        9⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E433~1.EXE > nul
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C527~1.EXE > nul
        7⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE44A~1.EXE > nul
        6⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F701~1.EXE > nul
        5⤵
        
        PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A7AA~1.EXE > nul
      4⤵
      PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0CD27~1.EXE > nul
    3⤵
    PID:3412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A7AADE2-7A1A-4590-B8D8-5EC718DADB5D}.exe

Filesize
380KB

MD5
8647cbee075174a276858837aecd1f07

SHA1
c1dd70d797b71092f2cbcd7f300f9072613fd1b4

SHA256
db4bef18dba1075d63fea58e6d85ccc571101374e22bd2d69fa1fe26d383c05a

SHA512
03f64688437d25c323e7c3791295d1f2041e09959d8e534493144800497260dc5630a141966ea52692e99436c1706dcdd146eeccac5fc9afe83f8553a90b90c4

Download Submit
C:\Windows\{0CD27A4E-BADA-4946-AE28-165B7DF77530}.exe

Filesize
380KB

MD5
f0a10371506a7632237359730449a318

SHA1
ebbeaf7c5b3ed97a99f1dc3099da9f70d9c0ea22

SHA256
6640de3801d6948c2dea8ef24ea54aee4ec2ecef309ec5eb0d792a5d0b06cf68

SHA512
efaaa023f1d41ce03bb51278e1240d541f7514ce1a3cb2ebac98e2c315a50a94a2451d48fd12c6e2f9d508c96bfd943a01950fba5bc270f34247d04cb8acec5c

Download Submit
C:\Windows\{2E433C40-B2E0-42ab-B25D-0D8BE91B78DD}.exe

Filesize
380KB

MD5
52592f9330188c01c77f2337e7416db1

SHA1
9fc8f8c0b85b20958159d8799633535e70202311

SHA256
77cd53ec8393529096312af75c40ce5e80b4fd8b12eec9fc9dc6a038e36f509d

SHA512
56b191e6dc134b36d6623c9a56b0ae5940d1692de0d5f9d9c10ee73a04c1c23b8ce0ec0af6d2ef1aa42e7cebe2c92f8a2f83ad601741d5e74156690256575e48

Download Submit
C:\Windows\{41645790-4BE9-45b3-A350-DB83650D9868}.exe

Filesize
380KB

MD5
f4400b598aa3c5681c175d10b92c12e9

SHA1
93d2b77f2eb455112c012086d466ebad8dedbc78

SHA256
bfcbb35510ad614158e5d56c2fc5d2fbe9ed7ece12928e1930812e0c95beabd0

SHA512
e93a5aa2b840cf512608db0b85a5dbbcb833726fea649d18ba8b56ea76af852b140fe6780e1c25c516efa4794ae56529f49185845ff609c014ea04dde98ea254

Download Submit
C:\Windows\{5F70189F-241F-4664-A99D-36EFFF624CCA}.exe

Filesize
380KB

MD5
0a5e56bf54e7b94d8ce9e206eb08fbd5

SHA1
a5d8466ce3025a46499836c4584a2019dff3adb8

SHA256
3c5ef686c74700d525ae3f624a47d9a76a649fd5af7f3cd2464c00120db863f0

SHA512
50213c3bad399ee951795b7c48bdf8fc8e9d584a39d048cac46dc8a3ee8cebbeaddcc0e0e8b10d6af270f4badc65df6a3e1191f26ca35ef6312b80d03d91cda5

Download Submit
C:\Windows\{7AE5DAF9-2E33-4283-8115-985931B1C762}.exe

Filesize
380KB

MD5
bcc8272cdc90600955dabd4c448f87e5

SHA1
1d7d5f3263f126978d09137d05b44faac8eca6c3

SHA256
23c8eeb3c14067acae9c4d23acc4725aa5abf36cea4b51a9ea6b454dffa3bc1a

SHA512
707a7e81804e4596c3fc3276cfa0c2c3ee771d229b8d529c9b653ef8a9c527a76168b63a53d7835c2c17c290c6f94d05b0f58629d5eefcfb75f7a9f770daa2cc

Download Submit
C:\Windows\{8004F38C-B637-4872-88AF-6FCE9AC8CE85}.exe

Filesize
380KB

MD5
7795eac699d38a1e57756dd203dcf3f1

SHA1
1145b3f9c824e8a7097e73e2fbcc96a1b7784c89

SHA256
890bed33047a99f502424f7f5b48821250c8d4162fb411405e6ada6be7378215

SHA512
abb7db316106ead2b125cb4dee67959bc7ec3b5ef0a59c734c68ff6700080865e26586eeaed9b7efb2da2229c4dea1d5e229cc8f71f849f62a4747a90d7ac6c8

Download Submit
C:\Windows\{8C527DAC-41DE-4330-9CB2-6145CF20E468}.exe

Filesize
380KB

MD5
8accd011ebaebb61beeb0ef89e2015f9

SHA1
4b39170d1a86c81219ff65bdd479acec8b45f040

SHA256
bfbd28a02a068b6235a791316e535ea47e37a5b23b9da0e17fbecec367cbd803

SHA512
2519ec82fcae7f485948ad76b383e96940b0b5e035da72a36acb82ab0bd74414b71f2e14b967171e30229606fa3a2d92ad44fff3193c1c3d35dc0cc0d0c008c4

Download Submit
C:\Windows\{B92AD132-1652-4300-A19E-0A2D82E0FE52}.exe

Filesize
380KB

MD5
863873d73a52deeb5a487a49fa5daf55

SHA1
9104d75677f96bea242675afc546d2e2bff3924c

SHA256
0d62283ba31a7838e78675396ba4d864099a5347e0d0bcec220b3f24d587904f

SHA512
da60dc19df99db5975694ed5e8ee4a4d6267bdb2f7c7cf5ce946bb3b83647784f1cc8670a7e68a0b337453864f02b200bece4a2d62258090e323da94d39676ee

Download Submit
C:\Windows\{BE44A5A0-B94E-4099-9601-677547A9219A}.exe

Filesize
380KB

MD5
3b803ad02f2d6f6d40be1d79818dac32

SHA1
3f0fb602bd16515e070635207fb5c1e46b4625d0

SHA256
22190484e4934cafb4772e381424c1497f2d35debf3f9429b4a91aad7a4b8719

SHA512
67988605f8a9222edb20f2d1c713adc86a7af9887e07e23535b972e53852e9eab16f7ee441180e2bb808fc07dd26e2cb9581a9b2bc9cfea86781d8966c44553e

Download Submit
C:\Windows\{CB78AD52-D91F-4bc3-BBC9-BB53D096CE85}.exe

Filesize
380KB

MD5
c5d83b265aaf3fbfa0e21e55f57f5804

SHA1
15c0aba4521a8b223e3394fa6c94dfd617047baf

SHA256
aeb2ac65cd62921c2a7062f2876b60aa7feb4bea9307a617fce5517d8a14d399

SHA512
40d3bde163b0a0da676bbf8c6786acbbabc98bbc772c0f4999c6ed85f4cd0c0dcd6430d04da2de56237d1261653525fedcddf3bfa2b9c3cf5c5a6c21a8b769b7

Download Submit
C:\Windows\{F20671C8-A960-4ddd-9333-E6625453CE99}.exe

Filesize
380KB

MD5
8ffeedbafbf531ae0aa449fb72c034b0

SHA1
344f76d64365b0281caab7455f7cd80344855a51

SHA256
13b06f4ac95a43ff335acbbcbc78cefef019325d4d47e8fa21fc2158fcfc0e99

SHA512
c7ce960b0f01acd29439467ca34aef703c5f425150dbe730c2f321f258c0869bae336915cfaa33da288004c8fc6f6b2ebe447dc357df34e424d8bca12808b78e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads