f750904e0634e1918f6201e4feb046a73794cef58fb08049c687f0cb5d884d61

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe
Size

372KB
MD5

b9354e01cdd041e7f28b4920c673fca7
SHA1

a2d670b445f547f2677059c73cf8f562a04d9a05
SHA256

f750904e0634e1918f6201e4feb046a73794cef58fb08049c687f0cb5d884d61
SHA512

22c311c171b80c0d8e4bc736b2d1de194a8849f5e11759f1e25f7c9cced569027d72d2a3f04a987b9256a4c4abfb515384b9b114a8aa9cea6009eef3396b82f2
SSDEEP

3072:CEGh0oulMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGYlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231f9-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023200-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231f9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FB8C057-BE1C-4adb-A9A2-E6266849B661}\stubpath = "C:\\Windows\\{1FB8C057-BE1C-4adb-A9A2-E6266849B661}.exe"	{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A90781-77BD-4981-A56D-F1B118BDB78C}\stubpath = "C:\\Windows\\{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe"	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18B1F000-5DA4-4bfd-A59B-4C1B16351562}	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3064F748-AE8F-4d7f-B70A-F80802457C2B}	{2413B900-060A-46eb-A6F1-245D7388650A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3064F748-AE8F-4d7f-B70A-F80802457C2B}\stubpath = "C:\\Windows\\{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe"	{2413B900-060A-46eb-A6F1-245D7388650A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89812D44-F23E-4d03-8966-62D540D14FA6}	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC72F836-D7D0-48e4-BCEE-A415D681678A}	{C10B7010-A875-49cb-A474-3A34C057105A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2413B900-060A-46eb-A6F1-245D7388650A}\stubpath = "C:\\Windows\\{2413B900-060A-46eb-A6F1-245D7388650A}.exe"	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FB8C057-BE1C-4adb-A9A2-E6266849B661}	{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10B7010-A875-49cb-A474-3A34C057105A}	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10B7010-A875-49cb-A474-3A34C057105A}\stubpath = "C:\\Windows\\{C10B7010-A875-49cb-A474-3A34C057105A}.exe"	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC72F836-D7D0-48e4-BCEE-A415D681678A}\stubpath = "C:\\Windows\\{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe"	{C10B7010-A875-49cb-A474-3A34C057105A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}\stubpath = "C:\\Windows\\{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe"	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89812D44-F23E-4d03-8966-62D540D14FA6}\stubpath = "C:\\Windows\\{89812D44-F23E-4d03-8966-62D540D14FA6}.exe"	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}\stubpath = "C:\\Windows\\{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe"	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18B1F000-5DA4-4bfd-A59B-4C1B16351562}\stubpath = "C:\\Windows\\{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe"	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A90781-77BD-4981-A56D-F1B118BDB78C}	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}\stubpath = "C:\\Windows\\{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe"	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}\stubpath = "C:\\Windows\\{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe"	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2413B900-060A-46eb-A6F1-245D7388650A}	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe
1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe
3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe
1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe
2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe
1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe
3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe
2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe
216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe
4280	{2413B900-060A-46eb-A6F1-245D7388650A}.exe
1260	{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe
2244	{1FB8C057-BE1C-4adb-A9A2-E6266849B661}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe
File created	C:\Windows\{C10B7010-A875-49cb-A474-3A34C057105A}.exe	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe
File created	C:\Windows\{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe	{C10B7010-A875-49cb-A474-3A34C057105A}.exe
File created	C:\Windows\{2413B900-060A-46eb-A6F1-245D7388650A}.exe	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe
File created	C:\Windows\{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe
File created	C:\Windows\{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe
File created	C:\Windows\{89812D44-F23E-4d03-8966-62D540D14FA6}.exe	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe
File created	C:\Windows\{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe
File created	C:\Windows\{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe
File created	C:\Windows\{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe	{2413B900-060A-46eb-A6F1-245D7388650A}.exe
File created	C:\Windows\{1FB8C057-BE1C-4adb-A9A2-E6266849B661}.exe	{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe
File created	C:\Windows\{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2008	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe
Token: SeIncBasePriorityPrivilege	1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe
Token: SeIncBasePriorityPrivilege	3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe
Token: SeIncBasePriorityPrivilege	1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe
Token: SeIncBasePriorityPrivilege	2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe
Token: SeIncBasePriorityPrivilege	1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe
Token: SeIncBasePriorityPrivilege	3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe
Token: SeIncBasePriorityPrivilege	2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe
Token: SeIncBasePriorityPrivilege	216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe
Token: SeIncBasePriorityPrivilege	4280	{2413B900-060A-46eb-A6F1-245D7388650A}.exe
Token: SeIncBasePriorityPrivilege	1260	{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4512	2008	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe	97
PID 2008 wrote to memory of 4512	2008	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe	97
PID 2008 wrote to memory of 4512	2008	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe	97
PID 2008 wrote to memory of 4104	2008	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe	98
PID 2008 wrote to memory of 4104	2008	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe	98
PID 2008 wrote to memory of 4104	2008	2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe	98
PID 4512 wrote to memory of 1440	4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe	99
PID 4512 wrote to memory of 1440	4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe	99
PID 4512 wrote to memory of 1440	4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe	99
PID 4512 wrote to memory of 2632	4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe	100
PID 4512 wrote to memory of 2632	4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe	100
PID 4512 wrote to memory of 2632	4512	{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe	100
PID 1440 wrote to memory of 3556	1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe	102
PID 1440 wrote to memory of 3556	1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe	102
PID 1440 wrote to memory of 3556	1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe	102
PID 1440 wrote to memory of 1824	1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe	103
PID 1440 wrote to memory of 1824	1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe	103
PID 1440 wrote to memory of 1824	1440	{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe	103
PID 3556 wrote to memory of 1080	3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe	104
PID 3556 wrote to memory of 1080	3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe	104
PID 3556 wrote to memory of 1080	3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe	104
PID 3556 wrote to memory of 804	3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe	105
PID 3556 wrote to memory of 804	3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe	105
PID 3556 wrote to memory of 804	3556	{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe	105
PID 1080 wrote to memory of 2732	1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe	106
PID 1080 wrote to memory of 2732	1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe	106
PID 1080 wrote to memory of 2732	1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe	106
PID 1080 wrote to memory of 4740	1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe	107
PID 1080 wrote to memory of 4740	1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe	107
PID 1080 wrote to memory of 4740	1080	{89812D44-F23E-4d03-8966-62D540D14FA6}.exe	107
PID 2732 wrote to memory of 1268	2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe	108
PID 2732 wrote to memory of 1268	2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe	108
PID 2732 wrote to memory of 1268	2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe	108
PID 2732 wrote to memory of 2832	2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe	109
PID 2732 wrote to memory of 2832	2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe	109
PID 2732 wrote to memory of 2832	2732	{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe	109
PID 1268 wrote to memory of 3440	1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe	110
PID 1268 wrote to memory of 3440	1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe	110
PID 1268 wrote to memory of 3440	1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe	110
PID 1268 wrote to memory of 4488	1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe	111
PID 1268 wrote to memory of 4488	1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe	111
PID 1268 wrote to memory of 4488	1268	{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe	111
PID 3440 wrote to memory of 2928	3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe	112
PID 3440 wrote to memory of 2928	3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe	112
PID 3440 wrote to memory of 2928	3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe	112
PID 3440 wrote to memory of 2540	3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe	113
PID 3440 wrote to memory of 2540	3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe	113
PID 3440 wrote to memory of 2540	3440	{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe	113
PID 2928 wrote to memory of 216	2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe	114
PID 2928 wrote to memory of 216	2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe	114
PID 2928 wrote to memory of 216	2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe	114
PID 2928 wrote to memory of 2764	2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe	115
PID 2928 wrote to memory of 2764	2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe	115
PID 2928 wrote to memory of 2764	2928	{C10B7010-A875-49cb-A474-3A34C057105A}.exe	115
PID 216 wrote to memory of 4280	216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe	116
PID 216 wrote to memory of 4280	216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe	116
PID 216 wrote to memory of 4280	216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe	116
PID 216 wrote to memory of 4540	216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe	117
PID 216 wrote to memory of 4540	216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe	117
PID 216 wrote to memory of 4540	216	{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe	117
PID 4280 wrote to memory of 1260	4280	{2413B900-060A-46eb-A6F1-245D7388650A}.exe	118
PID 4280 wrote to memory of 1260	4280	{2413B900-060A-46eb-A6F1-245D7388650A}.exe	118
PID 4280 wrote to memory of 1260	4280	{2413B900-060A-46eb-A6F1-245D7388650A}.exe	118
PID 4280 wrote to memory of 3860	4280	{2413B900-060A-46eb-A6F1-245D7388650A}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b9354e01cdd041e7f28b4920c673fca7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe
  C:\Windows\{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe
    C:\Windows\{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe
      C:\Windows\{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\{89812D44-F23E-4d03-8966-62D540D14FA6}.exe
        
        C:\Windows\{89812D44-F23E-4d03-8966-62D540D14FA6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Windows\{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe
        
        C:\Windows\{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe
        
        C:\Windows\{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe
        
        C:\Windows\{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{C10B7010-A875-49cb-A474-3A34C057105A}.exe
        
        C:\Windows\{C10B7010-A875-49cb-A474-3A34C057105A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe
        
        C:\Windows\{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\{2413B900-060A-46eb-A6F1-245D7388650A}.exe
        
        C:\Windows\{2413B900-060A-46eb-A6F1-245D7388650A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe
        
        C:\Windows\{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\{1FB8C057-BE1C-4adb-A9A2-E6266849B661}.exe
        
        C:\Windows\{1FB8C057-BE1C-4adb-A9A2-E6266849B661}.exe
        13⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3064F~1.EXE > nul
        13⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2413B~1.EXE > nul
        12⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC72F~1.EXE > nul
        11⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C10B7~1.EXE > nul
        10⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18B1F~1.EXE > nul
        9⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C9E4~1.EXE > nul
        8⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF761~1.EXE > nul
        7⤵
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89812~1.EXE > nul
        6⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F6AB~1.EXE > nul
        5⤵
        
        PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CE22D~1.EXE > nul
      4⤵
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{56A90~1.EXE > nul
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18B1F000-5DA4-4bfd-A59B-4C1B16351562}.exe

Filesize
372KB

MD5
42496a0d9fecc5bd61df3cdd25ca0548

SHA1
909cbb9bde4d2e393cf921930a2fe869bbb87123

SHA256
06e16d74cef3bcf85fb61fe017301403b2feda958059d2696d80e06990d1ee60

SHA512
b8d2ac8bacba86991b5f7356583410fb230be8e8043682617dc82eee527a3c55426cce1dcd23a0aeca467ff7ce8427c060fe2e11503cdc453c2fa1414752a006

Download Submit
C:\Windows\{1F6ABFAD-E4D0-4b56-96E1-D06AE92978AF}.exe

Filesize
372KB

MD5
82a7e6e402b63c150959dda945651f3a

SHA1
58e45aeba2dc31f61ea50cca893aaec1057bea34

SHA256
d19169d2fe7c3455d14841613d7eca08c91447bfee96ef3be7da5f8011c5a517

SHA512
776686b5547f4435ec9b002f6f31833ee9a3fd9985c0d4bd886a0e1e5e6349d84b2e7aa48e35d3da195bf184e7a9a4b4ce70ff7a9ea412ee0383ed2b34d56352

Download Submit
C:\Windows\{1FB8C057-BE1C-4adb-A9A2-E6266849B661}.exe

Filesize
372KB

MD5
752d3156986442245d5da2d255d7c675

SHA1
c91f4886ac05c2a4af7ab81f332952314863cb51

SHA256
29eedaae032b367cd29df11411d8f1bcd23d3ad1402eec14ff25be2882516e2d

SHA512
b4fba68d5d774e418d7e01ffedec18942ef6a47b07e97c0ae268a5b3ad90e796c77def409601034cb8a1725ed90ca53498c4fa8671ab58dc0e6f7a535de38903

Download Submit
C:\Windows\{2413B900-060A-46eb-A6F1-245D7388650A}.exe

Filesize
372KB

MD5
8fc3f047fc30c860623519f1eb513ae1

SHA1
9fe3dfeaae8c9c06429810078ace0c418e3db4c9

SHA256
369befa3a31a4a1c676cb2a1ee57c2e87e216ad625acd55713ead4635e8f98eb

SHA512
650ab4fc585c28c74b6563d59404e6911cd6d63a415e2f60b12528f4309a630f5770251d5a74ee5da9a776ea6d25de3ff8467d91a3b5926a0a820385fa8d26f1

Download Submit
C:\Windows\{2C9E4ED9-CA72-4a80-A8B9-642955DB8770}.exe

Filesize
372KB

MD5
251d2b230c5bc08b2987fc39f0cfca10

SHA1
f12e1ef197de3009aa93d8df06631763757044f6

SHA256
d195e0460be4ff100855cc30ef5d8f0ed714a5b524812392f5aabc2b4f4b45ba

SHA512
b6c76558db9963267b8d1e568161099db89e33d95da22f280d68ef498ad39cec04d773c14404bdd6c88629c938765dba442f1157decc822aaf034d1b314d72e2

Download Submit
C:\Windows\{3064F748-AE8F-4d7f-B70A-F80802457C2B}.exe

Filesize
372KB

MD5
7e1ae1c86e64511a98b729fecb3702c8

SHA1
6613b37ed6a3fb885bc15d2ba6b569133dc1efa9

SHA256
4f5afd6895240099c5386ed721011822b4cf2db1fed3c1e29d530069b1383c8a

SHA512
3b937a011e0366b8987031d69a6ecd3d831fbf810fa1ddec1cbf7cc1cf6040c79edf10da1a4cf3684ae0c11325cb6b520be28dc21c5a4c2b0f489a5f50ea4162

Download Submit
C:\Windows\{56A90781-77BD-4981-A56D-F1B118BDB78C}.exe

Filesize
372KB

MD5
0e81e47bedac34a6b1b9b7c1fcce97ee

SHA1
6c0415ca0b42a99fe5e496f7b6f214be3dcfd3f2

SHA256
b0143a717cef9e104c9505b3716c24f8f4c19bf36c114a741d579a754950b529

SHA512
0a01e161f93ba38f4c703689fca645c165e306dafc1867a31fd6cb29722224b36a0aaa17e1b0466617abc4e05aa0a2d94f1fb7b127e04c1571327393e91a536c

Download Submit
C:\Windows\{89812D44-F23E-4d03-8966-62D540D14FA6}.exe

Filesize
372KB

MD5
a7ac53b32b5bf8271904128a1766dd8b

SHA1
ab0b2801f2ad4aee9c00e746bec2a50321886103

SHA256
fb87f2f008d5f2ce8cc51a7429832921a07aad2d94f4faecd6ee15aacf73d91e

SHA512
0c2ba86e03459416a8b4c7809f36de14b0647fbf2f0e47de57e56900f926b3b9999975931bb68623daf45bd8b3818e5f307918e76f0cca0c77092294c4095647

Download Submit
C:\Windows\{AC72F836-D7D0-48e4-BCEE-A415D681678A}.exe

Filesize
372KB

MD5
092aebbb08177e2031f5bee5e02e907b

SHA1
5a06e8cee780ec2f0b438f8ac64fde375353d1cc

SHA256
7a420293fbdb1fad594bfcfb1949775c443d270227c0c38dbb56b1e62f488578

SHA512
d9d722a03a6499d7969a3a60812f10b82a51b69f201aa74d6727b25ecad41dd4081b054caed3095ee4e1b1e7d341ea438df1392d7b8cb7e7b3118ef53083a7b5

Download Submit
C:\Windows\{AF761BE6-17C0-44fc-B55B-983BE1D3BF36}.exe

Filesize
372KB

MD5
c9961b5b1cea0dfe2254c7c847721504

SHA1
87521b88bb9f18c9fd3742b72b63509a6969a5b4

SHA256
5ce720e2bb972df14f2613b8d749eb476e01cedbb32177685b79d569678a1ec6

SHA512
282bc027495985b911516f1bb29414ffa95e6156b7ad017b349c013bc33f0300d0f950de51c6eb07582d17721ce7fd5e271a436b1e4ec0b01dc6a210e884f058

Download Submit
C:\Windows\{C10B7010-A875-49cb-A474-3A34C057105A}.exe

Filesize
372KB

MD5
ccc6127f2aacced12e59473d2b65486c

SHA1
50f93faa168ef8e526e5a4a44b5cc7ca903631c8

SHA256
955d50f2ab09d725b2cc555e7d8e9e04032f3a1570087d12f466157c532f18ea

SHA512
c09524989323cc9a374dd0d0805f7381c4341e58de982f81c8ecdc75b900f1952e7fd24fcfcbb84acb24925cd8204b7de89da7bcfdae0471f1c8be876ae9cb4c

Download Submit
C:\Windows\{CE22D671-3F5A-4e95-853F-1C87F1D61F4E}.exe

Filesize
372KB

MD5
1f9fcdcc6732ddc7792ecce12fe69152

SHA1
0ce83c81ff369e925be6e5d50c2f979532640689

SHA256
c6fe7fe47a792c2c7b147491189353709f095e73d9d72558fd49a0835b9a48e1

SHA512
9204feb32eac6e201bc6e77baa640906c973b36ad0fbd69e62cab59b6523791c894eb7106e72d800486e8ca7fcfc419956bd0d157b2c37241115a2a32138de10

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads