000242af7be11235970c26a74bce257449cd77cdedfcaa9ed23967e3263ec515

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Size

192KB
MD5

97956a24a74ce4a359c9900765acd7fc
SHA1

0819963aa5612561925e4f6c1cf90ffaaf3cd71d
SHA256

000242af7be11235970c26a74bce257449cd77cdedfcaa9ed23967e3263ec515
SHA512

ef8f5bf0b63f9efb5983923ae363e93840190d7ef5d66681f64d9c25a16ca7b05f09d58548f5370ce5b77c5fd15ea3e78f37261c4cab7de5ea74fd6d4fcb757d
SSDEEP

1536:1EGh0oul15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oul1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00110000000231ea-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231da-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231ee-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d42-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}\stubpath = "C:\\Windows\\{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe"	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A5126D8-DC7B-44f7-9930-5253656D0B49}\stubpath = "C:\\Windows\\{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe"	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}\stubpath = "C:\\Windows\\{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe"	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D63264-1455-4e55-9921-CAC80E82852A}\stubpath = "C:\\Windows\\{A6D63264-1455-4e55-9921-CAC80E82852A}.exe"	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261EA40A-B94E-4e59-B5DF-B3106E96F998}	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261EA40A-B94E-4e59-B5DF-B3106E96F998}\stubpath = "C:\\Windows\\{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe"	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB0A39F7-A013-401b-9772-61122089006F}	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB0A39F7-A013-401b-9772-61122089006F}\stubpath = "C:\\Windows\\{BB0A39F7-A013-401b-9772-61122089006F}.exe"	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD80C72-0DB0-4e12-820A-7835AB539184}\stubpath = "C:\\Windows\\{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe"	{BB0A39F7-A013-401b-9772-61122089006F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A5126D8-DC7B-44f7-9930-5253656D0B49}	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD80C72-0DB0-4e12-820A-7835AB539184}	{BB0A39F7-A013-401b-9772-61122089006F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D63264-1455-4e55-9921-CAC80E82852A}	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}\stubpath = "C:\\Windows\\{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe"	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}\stubpath = "C:\\Windows\\{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe"	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}\stubpath = "C:\\Windows\\{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe"	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FACF595-0EBA-4a36-B015-72AC3F761C6C}	{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}\stubpath = "C:\\Windows\\{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe"	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FACF595-0EBA-4a36-B015-72AC3F761C6C}\stubpath = "C:\\Windows\\{4FACF595-0EBA-4a36-B015-72AC3F761C6C}.exe"	{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe
3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe
376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe
2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe
4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe
624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe
2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe
768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe
2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe
1420	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe
3216	{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe
4008	{4FACF595-0EBA-4a36-B015-72AC3F761C6C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe
File created	C:\Windows\{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe	{BB0A39F7-A013-401b-9772-61122089006F}.exe
File created	C:\Windows\{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe
File created	C:\Windows\{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe
File created	C:\Windows\{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
File created	C:\Windows\{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe
File created	C:\Windows\{BB0A39F7-A013-401b-9772-61122089006F}.exe	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe
File created	C:\Windows\{A6D63264-1455-4e55-9921-CAC80E82852A}.exe	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe
File created	C:\Windows\{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe
File created	C:\Windows\{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe
File created	C:\Windows\{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe
File created	C:\Windows\{4FACF595-0EBA-4a36-B015-72AC3F761C6C}.exe	{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3100	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe
Token: SeIncBasePriorityPrivilege	3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe
Token: SeIncBasePriorityPrivilege	376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe
Token: SeIncBasePriorityPrivilege	2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe
Token: SeIncBasePriorityPrivilege	4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe
Token: SeIncBasePriorityPrivilege	624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe
Token: SeIncBasePriorityPrivilege	2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe
Token: SeIncBasePriorityPrivilege	768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe
Token: SeIncBasePriorityPrivilege	2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe
Token: SeIncBasePriorityPrivilege	1420	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe
Token: SeIncBasePriorityPrivilege	3216	{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4216	3100	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	96
PID 3100 wrote to memory of 4216	3100	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	96
PID 3100 wrote to memory of 4216	3100	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	96
PID 3100 wrote to memory of 2596	3100	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	97
PID 3100 wrote to memory of 2596	3100	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	97
PID 3100 wrote to memory of 2596	3100	2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe	97
PID 4216 wrote to memory of 3496	4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe	98
PID 4216 wrote to memory of 3496	4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe	98
PID 4216 wrote to memory of 3496	4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe	98
PID 4216 wrote to memory of 4872	4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe	99
PID 4216 wrote to memory of 4872	4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe	99
PID 4216 wrote to memory of 4872	4216	{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe	99
PID 3496 wrote to memory of 376	3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe	101
PID 3496 wrote to memory of 376	3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe	101
PID 3496 wrote to memory of 376	3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe	101
PID 3496 wrote to memory of 2044	3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe	102
PID 3496 wrote to memory of 2044	3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe	102
PID 3496 wrote to memory of 2044	3496	{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe	102
PID 376 wrote to memory of 2416	376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe	103
PID 376 wrote to memory of 2416	376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe	103
PID 376 wrote to memory of 2416	376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe	103
PID 376 wrote to memory of 1540	376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe	104
PID 376 wrote to memory of 1540	376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe	104
PID 376 wrote to memory of 1540	376	{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe	104
PID 2416 wrote to memory of 4876	2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe	105
PID 2416 wrote to memory of 4876	2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe	105
PID 2416 wrote to memory of 4876	2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe	105
PID 2416 wrote to memory of 4384	2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe	106
PID 2416 wrote to memory of 4384	2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe	106
PID 2416 wrote to memory of 4384	2416	{BB0A39F7-A013-401b-9772-61122089006F}.exe	106
PID 4876 wrote to memory of 624	4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe	107
PID 4876 wrote to memory of 624	4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe	107
PID 4876 wrote to memory of 624	4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe	107
PID 4876 wrote to memory of 1364	4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe	108
PID 4876 wrote to memory of 1364	4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe	108
PID 4876 wrote to memory of 1364	4876	{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe	108
PID 624 wrote to memory of 2700	624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe	109
PID 624 wrote to memory of 2700	624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe	109
PID 624 wrote to memory of 2700	624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe	109
PID 624 wrote to memory of 4304	624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe	110
PID 624 wrote to memory of 4304	624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe	110
PID 624 wrote to memory of 4304	624	{A6D63264-1455-4e55-9921-CAC80E82852A}.exe	110
PID 2700 wrote to memory of 768	2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe	111
PID 2700 wrote to memory of 768	2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe	111
PID 2700 wrote to memory of 768	2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe	111
PID 2700 wrote to memory of 1468	2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe	112
PID 2700 wrote to memory of 1468	2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe	112
PID 2700 wrote to memory of 1468	2700	{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe	112
PID 768 wrote to memory of 2412	768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe	113
PID 768 wrote to memory of 2412	768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe	113
PID 768 wrote to memory of 2412	768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe	113
PID 768 wrote to memory of 2264	768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe	114
PID 768 wrote to memory of 2264	768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe	114
PID 768 wrote to memory of 2264	768	{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe	114
PID 2412 wrote to memory of 1420	2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe	115
PID 2412 wrote to memory of 1420	2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe	115
PID 2412 wrote to memory of 1420	2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe	115
PID 2412 wrote to memory of 4832	2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe	116
PID 2412 wrote to memory of 4832	2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe	116
PID 2412 wrote to memory of 4832	2412	{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe	116
PID 1420 wrote to memory of 3216	1420	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe	117
PID 1420 wrote to memory of 3216	1420	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe	117
PID 1420 wrote to memory of 3216	1420	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe	117
PID 1420 wrote to memory of 2384	1420	{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_97956a24a74ce4a359c9900765acd7fc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe
  C:\Windows\{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe
    C:\Windows\{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe
      C:\Windows\{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\{BB0A39F7-A013-401b-9772-61122089006F}.exe
        
        C:\Windows\{BB0A39F7-A013-401b-9772-61122089006F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe
        
        C:\Windows\{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{A6D63264-1455-4e55-9921-CAC80E82852A}.exe
        
        C:\Windows\{A6D63264-1455-4e55-9921-CAC80E82852A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe
        
        C:\Windows\{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe
        
        C:\Windows\{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe
        
        C:\Windows\{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe
        
        C:\Windows\{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe
        
        C:\Windows\{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\{4FACF595-0EBA-4a36-B015-72AC3F761C6C}.exe
        
        C:\Windows\{4FACF595-0EBA-4a36-B015-72AC3F761C6C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DCC2~1.EXE > nul
        13⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F44~1.EXE > nul
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{020B3~1.EXE > nul
        11⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{261EA~1.EXE > nul
        10⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06F23~1.EXE > nul
        9⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D63~1.EXE > nul
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD80~1.EXE > nul
        7⤵
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB0A3~1.EXE > nul
        6⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A512~1.EXE > nul
        5⤵
        
        PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A59CC~1.EXE > nul
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4676C~1.EXE > nul
    3⤵
    PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{020B3BD2-8DB1-46c7-9AAB-89BB1C664F78}.exe

Filesize
192KB

MD5
5a39806e1690d0674c2bbea3b91d98e3

SHA1
2f1817ac09c6637b4b2ae2598f7730ce478eebac

SHA256
675e3a97fe14425adabc3bfee334b9dfd50e97bb689bc9f83c847aa198bea896

SHA512
51d1bc578e84843abe9414f989b79d8ac1fed20a438f8a7db388a94278c0be7fb882d1fc0614e8b36f35d70ad09715c2d863babec6a83023e3629592b0f04c60

Download Submit
C:\Windows\{06F23372-FFC9-45f9-9DBF-70FBAACA6DF5}.exe

Filesize
192KB

MD5
079b8bf566baa79d5aee6e6be7393c95

SHA1
bcc2db57d97b692215b78db0a16789e4e598e052

SHA256
a1d8ee7f2d51a01aa6abc10ad8873414a11a9e2ba41d1337311534af8c036f2e

SHA512
1e2855484d82249ed3fb1dc0af88eac8a1bb4acd31521f548a900cd1abb635f4cd1839b63ca2288222e3f0f39c1ff344982a1d99e6d7975d6ecfedf140ff4651

Download Submit
C:\Windows\{1DCC2FA7-E900-4f4d-9FCA-346C2AB24B7D}.exe

Filesize
192KB

MD5
837ca8294697825a34bbd2e28c2a77e4

SHA1
0af7549196352eab6821ee49260137a75771f788

SHA256
fc2be990ff00f5289f5aeb66a663115317d367a6ede37a2027dd7cca30a086eb

SHA512
2079fe52a9054d4e151fecbdfaf6cd7d17d5fb44178b4923dda09d779ef28b71aad1b4373bc35f7382fc475f622567d9c3cf1d6776626b6fa555ece9e887796e

Download Submit
C:\Windows\{261EA40A-B94E-4e59-B5DF-B3106E96F998}.exe

Filesize
192KB

MD5
d8b4bb7de46fd1c8ac91b2a2c7bbad14

SHA1
ce1a82b1d4b588270a0661c0f61b5a6ba32ebc87

SHA256
d3a62871e1fe528042beff68a1bd1e998e8f5f67d8806af78b4f9f31562d537a

SHA512
76c47284642ecc61ee7ef3fb3e33812d73b529fc63b56f5fbe8c7830d1514ac2a3f949b39976346b2fe649fed753c3f8ad0ddd50f3db60c585cccaf76627cb8d

Download Submit
C:\Windows\{4676C9C0-6E4B-4d9a-979D-1A5B403F641D}.exe

Filesize
192KB

MD5
8b837e30682e0a172c5d6e433a6fe49a

SHA1
d987f6c89d325add419413a4b6eeeac12bbc7498

SHA256
6a09e56a65b3a871525272a4b92e80c3b15553e5494716347ec3d4dd1c66f479

SHA512
fddc5b1bf489e5c79659d9d5dad2fc21f362493d92d2fe9ecb0628069fd31193c96c9650cd5a34ed1a3d4694bb132ce3ac1e7b1ff33b7766c55e0afd8ac8f819

Download Submit
C:\Windows\{4FACF595-0EBA-4a36-B015-72AC3F761C6C}.exe

Filesize
192KB

MD5
01ef020355d323c2494e7b83ad8d26cc

SHA1
78a475569b4dfdabcc145cfdb013bab7833cb533

SHA256
559ee4755aa2795b1cb53733d4d398ddc2b3647e96f9be9464959791b74c8bad

SHA512
b988940cafd83a43dd66fb62411cf78b8070e3a02f2b766f8d6e0bbae16b9ec678843d98603d5da6523b7bb143dbcfd20a7aade1fb82d2b19ec769b4755890e8

Download Submit
C:\Windows\{5DD80C72-0DB0-4e12-820A-7835AB539184}.exe

Filesize
192KB

MD5
7ff89dce67e2ccdcd88c4f9d414c70b2

SHA1
9b92b96e5ef5b855db235063b42be995764969b6

SHA256
96cf85b8f6b24406007371f36cf53311e53626e748bc22df6134335f884ba4b4

SHA512
a7ddf9e57c0d7a4af8d00ad08c13672bd8a18f607386266fa59d06804308f1bd492a660717f6a13728e0ca0ece18a7181741f29100fc8efbe47a49994d67a63e

Download Submit
C:\Windows\{8A5126D8-DC7B-44f7-9930-5253656D0B49}.exe

Filesize
192KB

MD5
01f2192abc1ffa8142bc7308e2d5c503

SHA1
e253f5bc6145e0e973e9ab04942ef4248c0bf72f

SHA256
ff14791170cbbe45ad1ba50c25fc8077cff0d2f79512a573237ec2dc77898099

SHA512
87f2854d8fcb3d7a305a596e97a9fa34a135bfff88975ddb06ad8f90bbe895c3d43ca370172f3d32ebfb33abbe48482a46d51d9a33616592d0c6a992001d6f47

Download Submit
C:\Windows\{A59CC8EA-1D00-4288-9264-31A0DD6DB10F}.exe

Filesize
192KB

MD5
2d117019279f17c9be97659ec8ff454c

SHA1
42b5848d04e0d0ee192f69fc6759209f69815e3c

SHA256
aeeb8b4f123641387fd09c40cb9841053833b715b3710dec291e660888bc3d42

SHA512
18a011b221f6b11f3e4e5625284f0204de56c4b6d13d959bf35605d467a85afea69013439a06eeadac67ebb4ed30ccd2843ab87d8c7ac9d1da419adc006e89fe

Download Submit
C:\Windows\{A5F4410A-694A-4de5-8D89-1A53A35D2EBE}.exe

Filesize
192KB

MD5
68b0041884c0ac1ddba91910a65548d6

SHA1
46b7b35b2a5f8d0ba680011f878996d99de70cb3

SHA256
b9cffac3ae200d397dc01c71db8255ee51ea28c1138dde0b04c01093e747e3ca

SHA512
1f90dae7287537031ec794ce67b6bf178fc1b2e1cac247a715300cc42377301ec4f6e04779f8b1874d64732a055282767834066c90a19074217668ebfd1ef70c

Download Submit
C:\Windows\{A6D63264-1455-4e55-9921-CAC80E82852A}.exe

Filesize
192KB

MD5
a7777580b717881e740be39217045f29

SHA1
55a5c2ec5a96cd33afcc7b5251e39da238088d3a

SHA256
2c98ed8d493fc478c22cb07f06c51e4b4eb6ee50a97f15fdbb2830a8990565bf

SHA512
0b21bbb2de4fe55e6dd581be409e0b88f73f22203662ad1e326c8ff04730e68948fac87dad8ff785aea8f92538ec2d338594b487f8f42cd51af29669a9d683ba

Download Submit
C:\Windows\{BB0A39F7-A013-401b-9772-61122089006F}.exe

Filesize
192KB

MD5
3c0570770937a8634f6af44bdea8a31a

SHA1
01f78279a020df5cf182607f0589e17c424bee5a

SHA256
04c1539e431b2d62e54b59a767ae3881e8c8ac93e2e0c667a9a597f54899b002

SHA512
901037c09c904c411470ae1c03daa0e01423bc0bd4ccd1ce197287c16f4d9a3098001780a77eab51d5beda0b031793a18c28ca2e67fe48b200671efacbf5928f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads