7be7764447e22519d2c39a1c1ead3a421f678b91e9cf6b82d5d9a19a2ba61dc1

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Size

204KB
MD5

de5a6479cf631935338912a19b7d81cd
SHA1

ed2d3742586add5d1d29e1d84398f6a641b0a130
SHA256

7be7764447e22519d2c39a1c1ead3a421f678b91e9cf6b82d5d9a19a2ba61dc1
SHA512

9cfe368e4021ab9f3f3af38f824e1872b4904fd7f27fd4f09ddef1d1a20710da72dd3e44c3f20710f45c07d5d7849c6241b0a005b37ddb0f9c1b85d4e515a13c
SSDEEP

1536:1EGh0o6l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o6l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023129-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002320b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023213-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002320b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000006d1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021838-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000006d1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000037-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00150000000006d1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000000037-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000006d1-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000000037-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E471B86-074A-4989-948C-2A28256B25F6}\stubpath = "C:\\Windows\\{2E471B86-074A-4989-948C-2A28256B25F6}.exe"	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1111C065-06FC-47b0-BEAB-FC9C1061950F}	{2E471B86-074A-4989-948C-2A28256B25F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}\stubpath = "C:\\Windows\\{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe"	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3624A862-C8E8-41f2-9A53-BD631E81AD9C}	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3624A862-C8E8-41f2-9A53-BD631E81AD9C}\stubpath = "C:\\Windows\\{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe"	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}\stubpath = "C:\\Windows\\{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe"	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40D3425-5CF8-47d7-B235-FC4250E48AF3}	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40D3425-5CF8-47d7-B235-FC4250E48AF3}\stubpath = "C:\\Windows\\{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe"	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}	{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254321CF-6991-4e37-B660-C68659775A41}	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254321CF-6991-4e37-B660-C68659775A41}\stubpath = "C:\\Windows\\{254321CF-6991-4e37-B660-C68659775A41}.exe"	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}\stubpath = "C:\\Windows\\{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe"	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}\stubpath = "C:\\Windows\\{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}.exe"	{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}\stubpath = "C:\\Windows\\{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe"	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1111C065-06FC-47b0-BEAB-FC9C1061950F}\stubpath = "C:\\Windows\\{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe"	{2E471B86-074A-4989-948C-2A28256B25F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E471B86-074A-4989-948C-2A28256B25F6}	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}	{254321CF-6991-4e37-B660-C68659775A41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}\stubpath = "C:\\Windows\\{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe"	{254321CF-6991-4e37-B660-C68659775A41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}\stubpath = "C:\\Windows\\{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe"	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4980	{254321CF-6991-4e37-B660-C68659775A41}.exe
3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe
2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe
2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe
3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe
1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe
4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe
2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe
1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe
3092	{2E471B86-074A-4989-948C-2A28256B25F6}.exe
5108	{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe
4924	{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe
File created	C:\Windows\{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe
File created	C:\Windows\{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe
File created	C:\Windows\{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe
File created	C:\Windows\{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe
File created	C:\Windows\{2E471B86-074A-4989-948C-2A28256B25F6}.exe	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe
File created	C:\Windows\{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe
File created	C:\Windows\{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe	{254321CF-6991-4e37-B660-C68659775A41}.exe
File created	C:\Windows\{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe
File created	C:\Windows\{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe	{2E471B86-074A-4989-948C-2A28256B25F6}.exe
File created	C:\Windows\{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}.exe	{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe
File created	C:\Windows\{254321CF-6991-4e37-B660-C68659775A41}.exe	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1448	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4980	{254321CF-6991-4e37-B660-C68659775A41}.exe
Token: SeIncBasePriorityPrivilege	3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe
Token: SeIncBasePriorityPrivilege	2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe
Token: SeIncBasePriorityPrivilege	2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe
Token: SeIncBasePriorityPrivilege	3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe
Token: SeIncBasePriorityPrivilege	1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe
Token: SeIncBasePriorityPrivilege	4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe
Token: SeIncBasePriorityPrivilege	2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe
Token: SeIncBasePriorityPrivilege	1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe
Token: SeIncBasePriorityPrivilege	3092	{2E471B86-074A-4989-948C-2A28256B25F6}.exe
Token: SeIncBasePriorityPrivilege	5108	{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4980	1448	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	93
PID 1448 wrote to memory of 4980	1448	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	93
PID 1448 wrote to memory of 4980	1448	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	93
PID 1448 wrote to memory of 1056	1448	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	94
PID 1448 wrote to memory of 1056	1448	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	94
PID 1448 wrote to memory of 1056	1448	2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe	94
PID 4980 wrote to memory of 3660	4980	{254321CF-6991-4e37-B660-C68659775A41}.exe	97
PID 4980 wrote to memory of 3660	4980	{254321CF-6991-4e37-B660-C68659775A41}.exe	97
PID 4980 wrote to memory of 3660	4980	{254321CF-6991-4e37-B660-C68659775A41}.exe	97
PID 4980 wrote to memory of 2808	4980	{254321CF-6991-4e37-B660-C68659775A41}.exe	98
PID 4980 wrote to memory of 2808	4980	{254321CF-6991-4e37-B660-C68659775A41}.exe	98
PID 4980 wrote to memory of 2808	4980	{254321CF-6991-4e37-B660-C68659775A41}.exe	98
PID 3660 wrote to memory of 2904	3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe	100
PID 3660 wrote to memory of 2904	3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe	100
PID 3660 wrote to memory of 2904	3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe	100
PID 3660 wrote to memory of 2196	3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe	101
PID 3660 wrote to memory of 2196	3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe	101
PID 3660 wrote to memory of 2196	3660	{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe	101
PID 2904 wrote to memory of 2508	2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe	102
PID 2904 wrote to memory of 2508	2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe	102
PID 2904 wrote to memory of 2508	2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe	102
PID 2904 wrote to memory of 1860	2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe	103
PID 2904 wrote to memory of 1860	2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe	103
PID 2904 wrote to memory of 1860	2904	{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe	103
PID 2508 wrote to memory of 3732	2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe	104
PID 2508 wrote to memory of 3732	2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe	104
PID 2508 wrote to memory of 3732	2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe	104
PID 2508 wrote to memory of 3456	2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe	105
PID 2508 wrote to memory of 3456	2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe	105
PID 2508 wrote to memory of 3456	2508	{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe	105
PID 3732 wrote to memory of 1624	3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe	106
PID 3732 wrote to memory of 1624	3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe	106
PID 3732 wrote to memory of 1624	3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe	106
PID 3732 wrote to memory of 1632	3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe	107
PID 3732 wrote to memory of 1632	3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe	107
PID 3732 wrote to memory of 1632	3732	{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe	107
PID 1624 wrote to memory of 4856	1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe	108
PID 1624 wrote to memory of 4856	1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe	108
PID 1624 wrote to memory of 4856	1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe	108
PID 1624 wrote to memory of 2424	1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe	109
PID 1624 wrote to memory of 2424	1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe	109
PID 1624 wrote to memory of 2424	1624	{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe	109
PID 4856 wrote to memory of 2944	4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe	110
PID 4856 wrote to memory of 2944	4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe	110
PID 4856 wrote to memory of 2944	4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe	110
PID 4856 wrote to memory of 888	4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe	111
PID 4856 wrote to memory of 888	4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe	111
PID 4856 wrote to memory of 888	4856	{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe	111
PID 2944 wrote to memory of 1412	2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe	112
PID 2944 wrote to memory of 1412	2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe	112
PID 2944 wrote to memory of 1412	2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe	112
PID 2944 wrote to memory of 4340	2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe	113
PID 2944 wrote to memory of 4340	2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe	113
PID 2944 wrote to memory of 4340	2944	{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe	113
PID 1412 wrote to memory of 3092	1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe	114
PID 1412 wrote to memory of 3092	1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe	114
PID 1412 wrote to memory of 3092	1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe	114
PID 1412 wrote to memory of 4016	1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe	115
PID 1412 wrote to memory of 4016	1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe	115
PID 1412 wrote to memory of 4016	1412	{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe	115
PID 3092 wrote to memory of 5108	3092	{2E471B86-074A-4989-948C-2A28256B25F6}.exe	116
PID 3092 wrote to memory of 5108	3092	{2E471B86-074A-4989-948C-2A28256B25F6}.exe	116
PID 3092 wrote to memory of 5108	3092	{2E471B86-074A-4989-948C-2A28256B25F6}.exe	116
PID 3092 wrote to memory of 1488	3092	{2E471B86-074A-4989-948C-2A28256B25F6}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_de5a6479cf631935338912a19b7d81cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\{254321CF-6991-4e37-B660-C68659775A41}.exe
  C:\Windows\{254321CF-6991-4e37-B660-C68659775A41}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe
    C:\Windows\{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe
      C:\Windows\{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe
        
        C:\Windows\{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe
        
        C:\Windows\{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe
        
        C:\Windows\{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe
        
        C:\Windows\{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe
        
        C:\Windows\{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe
        
        C:\Windows\{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{2E471B86-074A-4989-948C-2A28256B25F6}.exe
        
        C:\Windows\{2E471B86-074A-4989-948C-2A28256B25F6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe
        
        C:\Windows\{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}.exe
        
        C:\Windows\{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1111C~1.EXE > nul
        13⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E471~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D40D3~1.EXE > nul
        11⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09598~1.EXE > nul
        10⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B982B~1.EXE > nul
        9⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BFE3~1.EXE > nul
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{211AD~1.EXE > nul
        7⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3624A~1.EXE > nul
        6⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D1FE~1.EXE > nul
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC1A9~1.EXE > nul
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{25432~1.EXE > nul
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09598DE4-D30E-4b52-8A43-F283D9E3D1D8}.exe

Filesize
204KB

MD5
ea4ba3f6cf0990c73e5c42f5c8d92707

SHA1
6cceeaa035fb232ec1eac4c3ef00853b0d0b46f5

SHA256
f7090e52689cbc4bc441cfbad27ba1a3cc361ebd180fd7478783b2d5692f7be9

SHA512
ade5be79f2589ff9a52b6ff47e7ee02f6ff41ebe8868cb894ad063872104ac00b2de2ac9efa4160f805c36b78ca8e641e66e62e666f089d25dfb3c87a9ae0a68

Download Submit
C:\Windows\{1111C065-06FC-47b0-BEAB-FC9C1061950F}.exe

Filesize
204KB

MD5
fb9a5399107704acfb6642bc10ae183b

SHA1
1239275d9d60dab8ab3de24ba554dbf1e6f39bbc

SHA256
208fc7444727d1f370e907d934096081f7a7eab7b79cc88f07626fdb5ec83674

SHA512
2c53c2b93260f11ff9233c9fb39aeb907d5073dca6a7518450709ff126e7c1c97ebee541accd8e13078fd48b70a0bd9fbfdeb96c96b62448681bd79182d881c0

Download Submit
C:\Windows\{211AD7B3-9C2D-4812-AE2E-A83142FC54BB}.exe

Filesize
204KB

MD5
b1ed49bcc5292107903c6355c2d58545

SHA1
87f3ad584b416e8e9e825f3befb6f894375b7f42

SHA256
a1034b4ebe30c8e20f65e812f58aca15c6ac3b19420b53072ac41b8884662bc6

SHA512
350cb7b00e42d19520248bc70d52ac92ee3c11d9742092d2857f7f447b4dc901a0692772f52351f254e66af134452e6dd4e267a1fe82fa7f5b134db5ef2382e5

Download Submit
C:\Windows\{254321CF-6991-4e37-B660-C68659775A41}.exe

Filesize
204KB

MD5
35a5c2b419900d046c9cc900965a7627

SHA1
8b16ba1aa6114fe1518c75c1aa0e361c954f605e

SHA256
aeaf41c432fc3214ed4e594d4aa3cf7e9791aaf01f0e23b1e596ddb26e623278

SHA512
7c014551e931650dd36693a6d7c6c0ab062a29ca0231066da97a575d5b22a59e96c117172a113b8db3c5ef7a038f69f35c7c690b34fcf7b8457b673bad0cb408

Download Submit
C:\Windows\{2E471B86-074A-4989-948C-2A28256B25F6}.exe

Filesize
204KB

MD5
a9f42c79c16eb7ab7a83b1225f0a937c

SHA1
899e590f7f7c877b2de473e86308f7992bfd0f03

SHA256
0e7f58584eb33b062ef59aea4e251a6c404ed1470494aa37eca4b8f8d7808b21

SHA512
b51ec726a8ca590160f478d7e7f22afbe529a3e1c4253a093b9e6045f5a8f3910ea2022c2a9da4f8914b1eb1fc64103fac10d4abfca8591dcaab3d5ed46d7043

Download Submit
C:\Windows\{3624A862-C8E8-41f2-9A53-BD631E81AD9C}.exe

Filesize
204KB

MD5
43b1d7f50c746d24a13cc0829776fb13

SHA1
630158c2edf3b7584f7216afb0057d72d22852fb

SHA256
55fc0d13331aa76bc6d14da89f92f95bc4876de44723d8aa30175a29409adf90

SHA512
f3690eb6c891184640b1863c3b8230e7876c9a34248f575c55df300de6b5a0511ff41850e2c7f358f8449b880fe48f4fbaf35a3f1bf75321338fe99d0256bb2a

Download Submit
C:\Windows\{3D1FE62B-7EE3-4a87-91C4-B973C8848D5C}.exe

Filesize
204KB

MD5
36de71e7a50cdf6a22e896b04e53cb1f

SHA1
a117f7379e6c7b22fa293dfd7c4c8e9bfb158bf7

SHA256
5188c0236f45243b6575851b3d23e4e2a8cc28f998e49f3635cba6e054f17464

SHA512
b6cfd6607356800c04f0640b012982a9dc823a036ee4dc69c27815af675001cdc78ad9e56ae3059e0bd38c96e49415c8d739e42a2538a2aaee8fb054b7041c43

Download Submit
C:\Windows\{7BFE314C-398C-45ab-81EA-A1C9A0E675E5}.exe

Filesize
204KB

MD5
2f5d9697b464c66208b6467f38c382eb

SHA1
72fa62966f3f4bf1ba72781fafc2114ade7db3ad

SHA256
e470d74e36b32b1969ab4e254c6c4f49cdcc20372bd8db777b29d535d2fac32e

SHA512
0ba0809b354e8549bdb7e04f9884da11e60afa504705fb14a8c4239ccccb5f46cd2b4018c4922bc2c0615ccbec35c410384e69a8096f850cb3055e2d1f7c299f

Download Submit
C:\Windows\{943EDDA8-1A0E-413f-8E61-88D0188D8A4C}.exe

Filesize
204KB

MD5
47be47ffaf23a110b45d46ff87cfe4a5

SHA1
6081c2cb210077b3abf454f991428a6f171c8cd9

SHA256
d293166b885b9b5521746a05bb9a0204fc383134cb487d95140c0513a028947b

SHA512
835bbc71f45f4742da39e9335d6412f0b21693444762f389d2baa521df7ff92b9ad28bee1805bf81a4b902122ddf9767e59cb914b6ad52378a643165cadeda50

Download Submit
C:\Windows\{B982BE52-1378-4c9e-BD9C-03C2A01EC1B4}.exe

Filesize
204KB

MD5
a750b6f744168e94876ee0501c15f36d

SHA1
a9a89b99b6fdaa454bce5be4be599d13b6e89d94

SHA256
4d8ef3177592ae2e28476fb83dbcb611009aaa1d32d3458616bdb7a3b2d4171b

SHA512
5758b616942c19342b78794ed1b66cb11ddc44e7e15a8418a97ca72845a11fc12b5664277c76147a31640db6b4834d430f6db0c54ad4c79097979dc22f1b854b

Download Submit
C:\Windows\{CC1A9B16-FF0B-4863-A4E2-BE84102C7842}.exe

Filesize
204KB

MD5
bbd7abef5e2206493c7860966b834046

SHA1
e30aba1b03c4f221c480dac97fbe3ed01d1f88b3

SHA256
46b7c6107de263c98221c967a3cf6217d91c1dbefaf340dc91445bdc19c363e8

SHA512
6338c01414eecd9a8e2c6619e56841f321241bf6720d158545a2e7ac4eaa8f6f7c8ef588e05a6cf49fe233a3b552fd4a0c2d5c03e1cbaac04be048001c77b4ad

Download Submit
C:\Windows\{D40D3425-5CF8-47d7-B235-FC4250E48AF3}.exe

Filesize
204KB

MD5
a52557c8233fd48b3d7c36e56ae4f47f

SHA1
919232148e607ad1174586c73800c64e5b96e107

SHA256
6eab248361ea1a2af2d73293664fe9ed21ab30fdbcc1db666fc63f4e60854e72

SHA512
417d9eadc72d30b985879cb45cae1213b2419c9576aca0bdde0e320ef4e6bbd0a991a43697aed602066dcab68b19a10d2ed0f2138c41544d7025a4962ace490f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads