10b34aa06f9cdf71abee78931fab243ee80d3844224b2dde230976a2b377190f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 19:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe
Size

344KB
MD5

f8177f4b0601668bfcf44dee6518bf22
SHA1

48a850aadb5df9e320807eb749cbc40a7d66fe87
SHA256

10b34aa06f9cdf71abee78931fab243ee80d3844224b2dde230976a2b377190f
SHA512

14bf64c5589626bebe89f8bf662016c849396e910ffd460a4f1e7f67d93258f2a061d365da7c85d93acd5f5f5c838ab478b5695c0248e9cab2d339213958c161
SSDEEP

3072:mEGh0oHlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGRlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320f-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023224-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002321d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021524-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021526-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021524-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000037-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000037-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FBC7668-2D51-42fd-9B99-B051FE893DF7}\stubpath = "C:\\Windows\\{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe"	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B633149-CD79-4728-9EB4-48C623447EC7}\stubpath = "C:\\Windows\\{4B633149-CD79-4728-9EB4-48C623447EC7}.exe"	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}\stubpath = "C:\\Windows\\{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe"	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A94CB07-6B59-4f5c-A46C-C546159F7067}	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52D88FD0-30F8-4230-976F-3AD475DE42D3}	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52D88FD0-30F8-4230-976F-3AD475DE42D3}\stubpath = "C:\\Windows\\{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe"	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F82E114-C3A4-457d-9AD1-40931486C309}\stubpath = "C:\\Windows\\{1F82E114-C3A4-457d-9AD1-40931486C309}.exe"	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}\stubpath = "C:\\Windows\\{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe"	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2A2A16-3444-498e-BFBD-F701F627D3FC}\stubpath = "C:\\Windows\\{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe"	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}\stubpath = "C:\\Windows\\{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe"	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}\stubpath = "C:\\Windows\\{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}.exe"	{703DF620-4E35-48af-A6D4-673195ECDE75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}	{703DF620-4E35-48af-A6D4-673195ECDE75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B633149-CD79-4728-9EB4-48C623447EC7}	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2531E95-5F84-4f08-B9CC-C2959774F907}	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2531E95-5F84-4f08-B9CC-C2959774F907}\stubpath = "C:\\Windows\\{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe"	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F82E114-C3A4-457d-9AD1-40931486C309}	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{703DF620-4E35-48af-A6D4-673195ECDE75}	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2A2A16-3444-498e-BFBD-F701F627D3FC}	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A94CB07-6B59-4f5c-A46C-C546159F7067}\stubpath = "C:\\Windows\\{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe"	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FBC7668-2D51-42fd-9B99-B051FE893DF7}	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{703DF620-4E35-48af-A6D4-673195ECDE75}\stubpath = "C:\\Windows\\{703DF620-4E35-48af-A6D4-673195ECDE75}.exe"	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe
4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe
3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe
2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe
4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe
2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe
668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe
4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe
4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe
2564	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe
952	{703DF620-4E35-48af-A6D4-673195ECDE75}.exe
1744	{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe
File created	C:\Windows\{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe
File created	C:\Windows\{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe
File created	C:\Windows\{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe
File created	C:\Windows\{1F82E114-C3A4-457d-9AD1-40931486C309}.exe	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe
File created	C:\Windows\{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}.exe	{703DF620-4E35-48af-A6D4-673195ECDE75}.exe
File created	C:\Windows\{4B633149-CD79-4728-9EB4-48C623447EC7}.exe	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe
File created	C:\Windows\{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe
File created	C:\Windows\{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe
File created	C:\Windows\{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe
File created	C:\Windows\{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe
File created	C:\Windows\{703DF620-4E35-48af-A6D4-673195ECDE75}.exe	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe
Token: SeIncBasePriorityPrivilege	4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe
Token: SeIncBasePriorityPrivilege	3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe
Token: SeIncBasePriorityPrivilege	2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe
Token: SeIncBasePriorityPrivilege	4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe
Token: SeIncBasePriorityPrivilege	2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe
Token: SeIncBasePriorityPrivilege	668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe
Token: SeIncBasePriorityPrivilege	4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe
Token: SeIncBasePriorityPrivilege	4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe
Token: SeIncBasePriorityPrivilege	2564	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe
Token: SeIncBasePriorityPrivilege	952	{703DF620-4E35-48af-A6D4-673195ECDE75}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4836	2040	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe	95
PID 2040 wrote to memory of 4836	2040	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe	95
PID 2040 wrote to memory of 4836	2040	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe	95
PID 2040 wrote to memory of 4636	2040	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe	96
PID 2040 wrote to memory of 4636	2040	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe	96
PID 2040 wrote to memory of 4636	2040	2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe	96
PID 4836 wrote to memory of 4032	4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe	97
PID 4836 wrote to memory of 4032	4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe	97
PID 4836 wrote to memory of 4032	4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe	97
PID 4836 wrote to memory of 3272	4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe	98
PID 4836 wrote to memory of 3272	4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe	98
PID 4836 wrote to memory of 3272	4836	{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe	98
PID 4032 wrote to memory of 3248	4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe	100
PID 4032 wrote to memory of 3248	4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe	100
PID 4032 wrote to memory of 3248	4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe	100
PID 4032 wrote to memory of 2756	4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe	101
PID 4032 wrote to memory of 2756	4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe	101
PID 4032 wrote to memory of 2756	4032	{4B633149-CD79-4728-9EB4-48C623447EC7}.exe	101
PID 3248 wrote to memory of 2716	3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe	102
PID 3248 wrote to memory of 2716	3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe	102
PID 3248 wrote to memory of 2716	3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe	102
PID 3248 wrote to memory of 3604	3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe	103
PID 3248 wrote to memory of 3604	3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe	103
PID 3248 wrote to memory of 3604	3248	{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe	103
PID 2716 wrote to memory of 4440	2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe	104
PID 2716 wrote to memory of 4440	2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe	104
PID 2716 wrote to memory of 4440	2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe	104
PID 2716 wrote to memory of 4444	2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe	105
PID 2716 wrote to memory of 4444	2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe	105
PID 2716 wrote to memory of 4444	2716	{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe	105
PID 4440 wrote to memory of 2336	4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe	106
PID 4440 wrote to memory of 2336	4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe	106
PID 4440 wrote to memory of 2336	4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe	106
PID 4440 wrote to memory of 3964	4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe	107
PID 4440 wrote to memory of 3964	4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe	107
PID 4440 wrote to memory of 3964	4440	{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe	107
PID 2336 wrote to memory of 668	2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe	108
PID 2336 wrote to memory of 668	2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe	108
PID 2336 wrote to memory of 668	2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe	108
PID 2336 wrote to memory of 5032	2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe	109
PID 2336 wrote to memory of 5032	2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe	109
PID 2336 wrote to memory of 5032	2336	{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe	109
PID 668 wrote to memory of 4688	668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe	110
PID 668 wrote to memory of 4688	668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe	110
PID 668 wrote to memory of 4688	668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe	110
PID 668 wrote to memory of 4800	668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe	111
PID 668 wrote to memory of 4800	668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe	111
PID 668 wrote to memory of 4800	668	{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe	111
PID 4688 wrote to memory of 4028	4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe	112
PID 4688 wrote to memory of 4028	4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe	112
PID 4688 wrote to memory of 4028	4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe	112
PID 4688 wrote to memory of 1728	4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe	113
PID 4688 wrote to memory of 1728	4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe	113
PID 4688 wrote to memory of 1728	4688	{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe	113
PID 4028 wrote to memory of 2564	4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe	114
PID 4028 wrote to memory of 2564	4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe	114
PID 4028 wrote to memory of 2564	4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe	114
PID 4028 wrote to memory of 5088	4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe	115
PID 4028 wrote to memory of 5088	4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe	115
PID 4028 wrote to memory of 5088	4028	{1F82E114-C3A4-457d-9AD1-40931486C309}.exe	115
PID 2564 wrote to memory of 952	2564	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe	116
PID 2564 wrote to memory of 952	2564	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe	116
PID 2564 wrote to memory of 952	2564	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe	116
PID 2564 wrote to memory of 1740	2564	{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_f8177f4b0601668bfcf44dee6518bf22_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe
  C:\Windows\{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\{4B633149-CD79-4728-9EB4-48C623447EC7}.exe
    C:\Windows\{4B633149-CD79-4728-9EB4-48C623447EC7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe
      C:\Windows\{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe
        
        C:\Windows\{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe
        
        C:\Windows\{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe
        
        C:\Windows\{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe
        
        C:\Windows\{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe
        
        C:\Windows\{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\{1F82E114-C3A4-457d-9AD1-40931486C309}.exe
        
        C:\Windows\{1F82E114-C3A4-457d-9AD1-40931486C309}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe
        
        C:\Windows\{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{703DF620-4E35-48af-A6D4-673195ECDE75}.exe
        
        C:\Windows\{703DF620-4E35-48af-A6D4-673195ECDE75}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}.exe
        
        C:\Windows\{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}.exe
        13⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{703DF~1.EXE > nul
        13⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FBC7~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F82E~1.EXE > nul
        11⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52D88~1.EXE > nul
        10⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A94C~1.EXE > nul
        9⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{967ED~1.EXE > nul
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2531~1.EXE > nul
        7⤵
        
        PID:3964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D71A~1.EXE > nul
        6⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC2A2~1.EXE > nul
        5⤵
        
        PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B633~1.EXE > nul
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F09ED~1.EXE > nul
    3⤵
    PID:3272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F82E114-C3A4-457d-9AD1-40931486C309}.exe

Filesize
344KB

MD5
48094deb19608bdc6c60dcc00151e009

SHA1
40a60537c506b6e040f2566b9fe39134cc26603d

SHA256
14f5a0c9957a42efe596028465b7c932172faddde708416e167cb5e669ef3cb4

SHA512
8feaf7663c326be4855585af20cda02bcf7f9088571367a7cb7023d8dc8e79ca1f9b183360cac45577d550b1f8980840552dfef964a911fb5da5782fd3c9f083

Download Submit
C:\Windows\{2A94CB07-6B59-4f5c-A46C-C546159F7067}.exe

Filesize
344KB

MD5
7bdeb805f92d85d921d27cb5347a649e

SHA1
f7b32360e5d4102f69ad82b732867e0e688ae8cc

SHA256
118d782fa3b1e4f84dd9cc955a739543667958b832f0fdb15268817da7d60a89

SHA512
486342c00a5f73cff8f172c8869e54783e58521d99537401e8495dcebba31b04796f3ebadb8bd0edeca709595bcfe20f86304e8cc2133acb933078781ee47ef2

Download Submit
C:\Windows\{4B633149-CD79-4728-9EB4-48C623447EC7}.exe

Filesize
344KB

MD5
db4d217fd187949f19d85fb66fbd2ae1

SHA1
62751a2749baecaad14bd982d4bca7ee61f92317

SHA256
c3e87258a71f75106147a1b4cc87166daf71cc28a2f3bc68bc7fa33fe713bd77

SHA512
3dce8cc749dbfb69c029bfd2f13f78a57ec2d4caed5c72fccebbda7abe4b1f9a5592d1ea5c04397678e0e8d69ebf5f06df6c21544f86ada7f2577ae537f91a8b

Download Submit
C:\Windows\{4D71ABF1-DC40-47ab-B5BC-BA224BE862F9}.exe

Filesize
344KB

MD5
78f38805438ea07cb1defc78fb5f2d23

SHA1
50f6d198c5f20f42e83786404c82e2156ebf463c

SHA256
48eed66466c4ebb8251ad221a75ffdd1b1560b1d414d880425bbb410ae74ca12

SHA512
604badcf47b29f17889073de37fe655e2b8572aef1f1d112b557160d20607c31777d66469c0fb06662abd572f20c00d6401f8604c9f11b5079d0e1c761292ea9

Download Submit
C:\Windows\{52D88FD0-30F8-4230-976F-3AD475DE42D3}.exe

Filesize
344KB

MD5
f0c9a455c84ef742cd3a40c9777652da

SHA1
1fb6076f0ed7bbff2014f805f6c1eec18d39c781

SHA256
5a0247cdde85e6e2b863a6a3352bc5f557b5d3b8d693db7c51d4d7e74ecae173

SHA512
f5207030901646d7c19a88b6292aa9174705d4aab2625e02fd5fb86727df76962db51fa4f72c8990024d8e14c562b56acfe707b9f46f9994e1b7501198ff44ee

Download Submit
C:\Windows\{67E9FEC0-B8CF-477d-88A5-0ACC22480F76}.exe

Filesize
344KB

MD5
0791d70176972792cf76c16b58f63974

SHA1
0827c21fd62b2e5f9c6a993c27ecf33ce3f452fe

SHA256
9c426deec5ff1d05411a3afac6bc95bb560f457abe2657e2cd723ef1df557e3a

SHA512
4ba480bdcc832a195b0426334a4a16927a171a43f5cf9dacf3d807595eb972a3d4034009732fcc9238ea57fd65bcd23693b209409a1bf12115dd32be6e74e6a9

Download Submit
C:\Windows\{6FBC7668-2D51-42fd-9B99-B051FE893DF7}.exe

Filesize
344KB

MD5
0a73263e65e6d2ef435541512819d6c5

SHA1
5f28200e8a8c9417859bd3877f9a7aed1320ce71

SHA256
3426e3a28c20b277c2091c7bd351d851d8ee2d2e13550fddb979a0ccb17b919d

SHA512
d49f186cb0bc623564dd063bd6dcd91b9d5c5f4eca5bea783fb2b8d735bd06ca52f88adc697aecaad3c9b8f68be7f3adf86d593a3ddae98064ed0ef55cf62dda

Download Submit
C:\Windows\{703DF620-4E35-48af-A6D4-673195ECDE75}.exe

Filesize
344KB

MD5
bc051ebb5144f8fcebe943a7b7f85f23

SHA1
4de78d443015862e72576bfd1297a1261e5a955d

SHA256
21c613f374ddf9c1f82d0c12aecd345788f7860cd0b3382a778bd97172d48620

SHA512
5ba6716b331d6e9556a6b86d439dab151b330e24650f345f0fc8354ce6cc05bf5279c373909c52f6b3d8862a904d95f104d71558107cbbbda54b623a9799e995

Download Submit
C:\Windows\{967EDDA2-7F26-4b2c-9A60-404D88DBAB3C}.exe

Filesize
344KB

MD5
e88199ec2c4576865b246b899834e7cb

SHA1
2ac5c8f7950029f703eadeb37ea4b27f3430ff49

SHA256
da93b1266082617fa5ba4f9f60f011c8851aaf1e5a0cf9313bcc7afb75b0d865

SHA512
07bcf72d27cf93b0eb500e874abeccb995c88797ff3367abb65383f7c0ac5cbeb7c5a71287787155c2c40cc67f03a59bcd54aba6cc3248ec723540930794496b

Download Submit
C:\Windows\{A2531E95-5F84-4f08-B9CC-C2959774F907}.exe

Filesize
344KB

MD5
cd2a2846ea0bd41cf5fdb376c095516f

SHA1
57c3836811947e9b9eef1643abef1b4608202c4e

SHA256
b2d1e63b8bffce2481a2db341e7a89cf71263df5ad4275daeb62eb28051acec7

SHA512
e35fbf72e22f7c2ae06ecb54a1a810dc9f82bcac2c6eb430e63bfacbec9bdaa5868acf520ac773f934df0257a50a89a1ef790b4bc92a9d27a30e38e2eac55aa5

Download Submit
C:\Windows\{CC2A2A16-3444-498e-BFBD-F701F627D3FC}.exe

Filesize
344KB

MD5
f5ab6e67ad1b0dc932284914af54002a

SHA1
6d4436583a3f2fb31649e2838214ff398586b1fc

SHA256
04cd066c7933eed9ed6731968d139af2650996f5d87433e2c59fc323d95fcfe8

SHA512
5b6872cae3436db3e49eef415a7fd7563aa208d125e577941f166c51fdad8961ace704a9c289afbf05be4cd1c8791a3c8d90cf164e90db726934851a90febe81

Download Submit
C:\Windows\{F09ED4EF-48CA-47e0-9CAC-953F2F7942F8}.exe

Filesize
344KB

MD5
661d6efb2a23f884400a025176b04824

SHA1
b6e3d42aac9a20d24c4e849f4b13ca8ebe8911e3

SHA256
64df59f7e9216af535568cb9c44ef700f2fbb7eb611e8b2bb865117f463d67cf

SHA512
01f61ade2e4e38ea328d47d5573099a7dce5676489be79f020c045818d5261900a901642a9b7e2a91e2c17799fcbcb53a251f92317cd1f3d8a40ec25a1b99135

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads