a8cf2e753fa7f82884ff838203c525b8c20422d4ca04c4c7f01d3ae8c12befea

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe
Size

180KB
MD5

13e64cf87886a02b669607064f618fd1
SHA1

5b8396b769881f06592fd72a37d488da08c7de20
SHA256

a8cf2e753fa7f82884ff838203c525b8c20422d4ca04c4c7f01d3ae8c12befea
SHA512

f0a0a350beb03339c01f23d3bf19694b2c30c2c177d6ef814cb672d1e29225550de813679ec6a101825864baa66756a692c1559324814766afe8de23ef14d5e5
SSDEEP

3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ec-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231f1-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f8-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231f1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006cf-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000006cf-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006cf-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519744B-DB60-47f0-83A1-C9942C00A1BF}\stubpath = "C:\\Windows\\{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe"	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCA1327-CD6B-4b87-AB0E-12398D05534B}\stubpath = "C:\\Windows\\{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe"	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}\stubpath = "C:\\Windows\\{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe"	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B2D3C2B-7C99-42c9-AF65-542C10D00617}	{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{212B8B45-7E75-4312-BA87-04F9378C9BD8}\stubpath = "C:\\Windows\\{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe"	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D667FC2-462E-475e-9885-60EED2F4ECB4}\stubpath = "C:\\Windows\\{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe"	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94432CC6-66F9-464a-8BAD-303525C16CDD}\stubpath = "C:\\Windows\\{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe"	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}\stubpath = "C:\\Windows\\{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe"	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{423FEBAB-2123-4760-9912-C2DAB345CB96}\stubpath = "C:\\Windows\\{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe"	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519744B-DB60-47f0-83A1-C9942C00A1BF}	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}\stubpath = "C:\\Windows\\{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe"	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94432CC6-66F9-464a-8BAD-303525C16CDD}	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D667FC2-462E-475e-9885-60EED2F4ECB4}	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{212B8B45-7E75-4312-BA87-04F9378C9BD8}	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{423FEBAB-2123-4760-9912-C2DAB345CB96}	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCA1327-CD6B-4b87-AB0E-12398D05534B}	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{015821E6-705B-4e8d-B87C-CF98D614E7F4}	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{015821E6-705B-4e8d-B87C-CF98D614E7F4}\stubpath = "C:\\Windows\\{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe"	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}\stubpath = "C:\\Windows\\{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe"	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B2D3C2B-7C99-42c9-AF65-542C10D00617}\stubpath = "C:\\Windows\\{1B2D3C2B-7C99-42c9-AF65-542C10D00617}.exe"	{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe

Executes dropped EXE 12 IoCs

pid	Process
952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe
1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe
2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe
4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe
4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe
4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe
1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe
4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe
3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe
3332	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe
436	{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe
3068	{1B2D3C2B-7C99-42c9-AF65-542C10D00617}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1B2D3C2B-7C99-42c9-AF65-542C10D00617}.exe	{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe
File created	C:\Windows\{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe
File created	C:\Windows\{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe
File created	C:\Windows\{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe
File created	C:\Windows\{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe
File created	C:\Windows\{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe
File created	C:\Windows\{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe
File created	C:\Windows\{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe
File created	C:\Windows\{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe
File created	C:\Windows\{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe
File created	C:\Windows\{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe
File created	C:\Windows\{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe
Token: SeIncBasePriorityPrivilege	1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe
Token: SeIncBasePriorityPrivilege	2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe
Token: SeIncBasePriorityPrivilege	4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe
Token: SeIncBasePriorityPrivilege	4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe
Token: SeIncBasePriorityPrivilege	4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe
Token: SeIncBasePriorityPrivilege	1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe
Token: SeIncBasePriorityPrivilege	4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe
Token: SeIncBasePriorityPrivilege	3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe
Token: SeIncBasePriorityPrivilege	3332	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe
Token: SeIncBasePriorityPrivilege	436	{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 952	2080	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe	96
PID 2080 wrote to memory of 952	2080	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe	96
PID 2080 wrote to memory of 952	2080	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe	96
PID 2080 wrote to memory of 4760	2080	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe	97
PID 2080 wrote to memory of 4760	2080	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe	97
PID 2080 wrote to memory of 4760	2080	2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe	97
PID 952 wrote to memory of 1740	952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe	98
PID 952 wrote to memory of 1740	952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe	98
PID 952 wrote to memory of 1740	952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe	98
PID 952 wrote to memory of 3416	952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe	99
PID 952 wrote to memory of 3416	952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe	99
PID 952 wrote to memory of 3416	952	{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe	99
PID 1740 wrote to memory of 2112	1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe	101
PID 1740 wrote to memory of 2112	1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe	101
PID 1740 wrote to memory of 2112	1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe	101
PID 1740 wrote to memory of 3240	1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe	102
PID 1740 wrote to memory of 3240	1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe	102
PID 1740 wrote to memory of 3240	1740	{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe	102
PID 2112 wrote to memory of 4656	2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe	103
PID 2112 wrote to memory of 4656	2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe	103
PID 2112 wrote to memory of 4656	2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe	103
PID 2112 wrote to memory of 2336	2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe	104
PID 2112 wrote to memory of 2336	2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe	104
PID 2112 wrote to memory of 2336	2112	{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe	104
PID 4656 wrote to memory of 4860	4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe	105
PID 4656 wrote to memory of 4860	4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe	105
PID 4656 wrote to memory of 4860	4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe	105
PID 4656 wrote to memory of 2024	4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe	106
PID 4656 wrote to memory of 2024	4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe	106
PID 4656 wrote to memory of 2024	4656	{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe	106
PID 4860 wrote to memory of 4592	4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe	107
PID 4860 wrote to memory of 4592	4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe	107
PID 4860 wrote to memory of 4592	4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe	107
PID 4860 wrote to memory of 528	4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe	108
PID 4860 wrote to memory of 528	4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe	108
PID 4860 wrote to memory of 528	4860	{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe	108
PID 4592 wrote to memory of 1152	4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe	109
PID 4592 wrote to memory of 1152	4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe	109
PID 4592 wrote to memory of 1152	4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe	109
PID 4592 wrote to memory of 2920	4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe	110
PID 4592 wrote to memory of 2920	4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe	110
PID 4592 wrote to memory of 2920	4592	{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe	110
PID 1152 wrote to memory of 4324	1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe	111
PID 1152 wrote to memory of 4324	1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe	111
PID 1152 wrote to memory of 4324	1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe	111
PID 1152 wrote to memory of 1984	1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe	112
PID 1152 wrote to memory of 1984	1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe	112
PID 1152 wrote to memory of 1984	1152	{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe	112
PID 4324 wrote to memory of 3052	4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe	113
PID 4324 wrote to memory of 3052	4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe	113
PID 4324 wrote to memory of 3052	4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe	113
PID 4324 wrote to memory of 876	4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe	114
PID 4324 wrote to memory of 876	4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe	114
PID 4324 wrote to memory of 876	4324	{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe	114
PID 3052 wrote to memory of 3332	3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe	115
PID 3052 wrote to memory of 3332	3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe	115
PID 3052 wrote to memory of 3332	3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe	115
PID 3052 wrote to memory of 4028	3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe	116
PID 3052 wrote to memory of 4028	3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe	116
PID 3052 wrote to memory of 4028	3052	{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe	116
PID 3332 wrote to memory of 436	3332	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe	117
PID 3332 wrote to memory of 436	3332	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe	117
PID 3332 wrote to memory of 436	3332	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe	117
PID 3332 wrote to memory of 4760	3332	{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_13e64cf87886a02b669607064f618fd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe
  C:\Windows\{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe
    C:\Windows\{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe
      C:\Windows\{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe
        
        C:\Windows\{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe
        
        C:\Windows\{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe
        
        C:\Windows\{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe
        
        C:\Windows\{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe
        
        C:\Windows\{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe
        
        C:\Windows\{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe
        
        C:\Windows\{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe
        
        C:\Windows\{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\{1B2D3C2B-7C99-42c9-AF65-542C10D00617}.exe
        
        C:\Windows\{1B2D3C2B-7C99-42c9-AF65-542C10D00617}.exe
        13⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A1D0~1.EXE > nul
        13⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA985~1.EXE > nul
        12⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D667~1.EXE > nul
        11⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94432~1.EXE > nul
        10⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01582~1.EXE > nul
        9⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E60C6~1.EXE > nul
        8⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCA1~1.EXE > nul
        7⤵
        
        PID:528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25197~1.EXE > nul
        6⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{423FE~1.EXE > nul
        5⤵
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9FB~1.EXE > nul
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{212B8~1.EXE > nul
    3⤵
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{015821E6-705B-4e8d-B87C-CF98D614E7F4}.exe

Filesize
180KB

MD5
9cc600383301f8b4980215f0644e5ee6

SHA1
77156653a8060a8d6048274109e532bf51cddb85

SHA256
e0fac7f830682096b8288880e79c94d8eab3af2e7ff36d8034271817aafb7fbf

SHA512
74e6eed4f0331bc3c35b6515879df207f448e9e5d79ae7fdf89a1660094f5ec9c6acc80649f3c252e17bb9ab57a208abb8d260fd3d4421100096cd40eff85c88

Download Submit
C:\Windows\{1B2D3C2B-7C99-42c9-AF65-542C10D00617}.exe

Filesize
180KB

MD5
8a1df847862b476f0f32fcc6ec60659c

SHA1
5c1b95ca3a4ebb4e4a2f7059550f7517404156cd

SHA256
7ef9b586e7b0debe9589fb0dd06c4ee6666ac072c4219162b6960de2837e1e9e

SHA512
09f875178d01e1f20c456259ea128457937611f2ac6fd8aa5b8128185baab30c98bd0e87bc5d5fa351d5e77eb312c5f331637c7b79f4c02c9255a5a14b7b8ec1

Download Submit
C:\Windows\{212B8B45-7E75-4312-BA87-04F9378C9BD8}.exe

Filesize
180KB

MD5
e57bb108048731838cdfa7215880eea8

SHA1
13a0c76833e96caea9ac088f210497459083989a

SHA256
2846a80ec7663c10f58c1b0ac8fc3a489a70723f5785365617544f223799cbf4

SHA512
ec90e4b28f38704c7cd8ade3c89225e1370b8bba38c38d40f25918ad6d33bb8eee3af6f3b2385c278365556a2814f8ed02e4bf1de760394225b6115ff1579846

Download Submit
C:\Windows\{2519744B-DB60-47f0-83A1-C9942C00A1BF}.exe

Filesize
180KB

MD5
aa92febce76efe877cc29203fa2d57db

SHA1
2e5f5ec95dc899049c39699ff64a7dd0950c9fd1

SHA256
b968f946b1f662fd62303d9a6b1c38dfc6e9e3dfa5390bc606864a2a1b71a0dc

SHA512
e13aaaa52f25e66f080594b6215e329032bbbab2054a0f9b4393a14bd079878c2f46400b7db4c5f3ea1b13a115c7e177b30f975ed02a158236d067406c8e3ab7

Download Submit
C:\Windows\{423FEBAB-2123-4760-9912-C2DAB345CB96}.exe

Filesize
180KB

MD5
816771b72ec76c40c3239822025ded0a

SHA1
8c7d6e12b05c140032728c20fa0729d457c6da08

SHA256
6e83317406aed1dffafaa708af380073c65b37eb1afaf7941402db2d2580cf20

SHA512
5a134c6f754c5d6d1a099992a0593c0c15b2e6d890a9a4dfdd3e6ad3ed6fe24c003a22a31869f7c6b255fabd865a5787f9e7ab70d1e9efdba4f52d9c9540b0b7

Download Submit
C:\Windows\{8A1D048C-E4EC-4470-A64D-D54D2404AA8B}.exe

Filesize
180KB

MD5
ddc892adf0f0245acd455557b736fec4

SHA1
2bff473f0a3ba72019a8832779e8cc3d33f7c871

SHA256
a03000010c953605277e478bd9a33734f0f7b43004422614915e24a605555de4

SHA512
5ad31bb5c3aab59ff37980b18ddcbc99154631d5faff86103472a7944062975598a73733684748283fc6ddf3f707d338b3670aeb23e721c3b323338a6ec93626

Download Submit
C:\Windows\{94432CC6-66F9-464a-8BAD-303525C16CDD}.exe

Filesize
180KB

MD5
e8dfe886090227419257bb927ddd41d7

SHA1
34084d4fa631c29f52e95cb9837b777e6443a18f

SHA256
8279e3abddd251e2117437a93238e915fafde9e3091654a279b10086f91cf706

SHA512
9156c5d843cb6f56120cd5762d2439b658ab39899cf0317d8be2b91f932d42860caa75be338393c047bd215b9d871d894a93f49252b37df486f8c78edaf46633

Download Submit
C:\Windows\{9D667FC2-462E-475e-9885-60EED2F4ECB4}.exe

Filesize
180KB

MD5
d857897b6bae9545beeeacc4d26d1b8e

SHA1
3a96556b6c85a735cea468548019f413fb553073

SHA256
51e0e0201046468450eb199c985c743b2ba2c2a3e8bc75367d3262fc37e313d5

SHA512
4da1d4b764a623efccc34c4dcd504790f79c015f20313c9a1250ca931bf54fd95130fc212897051cf4b9a867fc63bf3bfdf2a435012fde8b24c262cf2a7b2a13

Download Submit
C:\Windows\{BE9FBD9D-0B2B-44b3-8A3A-84447462CFE3}.exe

Filesize
180KB

MD5
f915e693267c78d955604913f9b6bc36

SHA1
0946f7cbd8d43ec78d447dd0e608f6a8298192b7

SHA256
58343518ac88404937b92a225908c249d10a1a4bf5aae30afefb6ec9d6623806

SHA512
6c1c348478714fd4160588eca7316a9215befbe600b4c0e5226bf053c9e67f506113a1123e2b418f0d710eb29684cc5c776afae21e81961891287eeedc8e2695

Download Submit
C:\Windows\{E60C6EEC-9F84-4f69-BA0C-019BD80B839F}.exe

Filesize
180KB

MD5
14188ae9357d2f326f1f3637f976fe0e

SHA1
d3ca162afbcc87d65c47da678435fdaa63cede76

SHA256
50d5235f8980dd7688a6ce2263bbe0777d39022ae9f90823d4b9819d2607f2c7

SHA512
56fa173cb6acaa3e760c042f17105c334ea6e3167a38edea6e6b8f4da1b012871fb3ee4793288a0fd1f5097d7e48d55b3d369e250f05a6083e129b9a67eec621

Download Submit
C:\Windows\{EFCA1327-CD6B-4b87-AB0E-12398D05534B}.exe

Filesize
180KB

MD5
4441fd67ad7c80efda9da36ddba58dc1

SHA1
c67ed3d0479b183a8f69f30f1f3556c2c782856d

SHA256
ae4f1ac47f71ce7ba51d127c8a1e7782c9aaeabe2324019c17c0fbb0eca025b7

SHA512
2977715d81a369939797630e5e4de0467a3fac9a38c98b39716781f52c08275cb893e3200b014d9bb76adb784a25550b42160d9b47f3905ec7db907a2e7450e1

Download Submit
C:\Windows\{FA98559E-C47B-4e6d-A5FF-6C19E5F151BC}.exe

Filesize
180KB

MD5
bdd07871e12d5e580a308904e29acf25

SHA1
e3d134f0c31c8eed2afba036f2f74ec663b74ede

SHA256
b09024ad3831eecb29729c1caedeed8289ea9fac30c5d8e93a8ceae0f543e0c4

SHA512
dba212a6c48f9984e2f2663da59af80d541695abb67472cc4a7f541dbb942491aa694c45f4ea86b25a38320db1e7be48b6fefb69e12fc75f30cc5ede9034d2e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads