285932479cb96763784c922cf1e4d6829f22938d7bdf893c50b563228ebdf3c3

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe
Size

168KB
MD5

dfc07a647c746e2495351336407a88e8
SHA1

c183f86115f5e74b712807e064cdf3983ed3f77b
SHA256

285932479cb96763784c922cf1e4d6829f22938d7bdf893c50b563228ebdf3c3
SHA512

beaef43d0821cddfe272314921a3e8fa2a5098957979af0b803e8fae56f22636008e5a30dddfed87315096c49723c95df6fccca70c60baa32edee6e1a8f56f11
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023217-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023223-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023217-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{655F7C5F-D74F-4776-BCE4-584C77299C81}	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{810DCF95-404C-45d9-BD84-3116E57660E2}\stubpath = "C:\\Windows\\{810DCF95-404C-45d9-BD84-3116E57660E2}.exe"	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}\stubpath = "C:\\Windows\\{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe"	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}\stubpath = "C:\\Windows\\{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe"	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31F268F1-988A-4097-8D1C-805BA24562B8}	{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D665979-85CE-477f-940F-9AA7D91A1A78}	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D665979-85CE-477f-940F-9AA7D91A1A78}\stubpath = "C:\\Windows\\{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe"	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C20D757-6111-41c0-8A9C-CBD93030C1F6}	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{655F7C5F-D74F-4776-BCE4-584C77299C81}\stubpath = "C:\\Windows\\{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe"	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}\stubpath = "C:\\Windows\\{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe"	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C20D757-6111-41c0-8A9C-CBD93030C1F6}\stubpath = "C:\\Windows\\{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe"	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414578D7-6615-4008-8ECD-0FF5037B34E1}	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31F268F1-988A-4097-8D1C-805BA24562B8}\stubpath = "C:\\Windows\\{31F268F1-988A-4097-8D1C-805BA24562B8}.exe"	{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414578D7-6615-4008-8ECD-0FF5037B34E1}\stubpath = "C:\\Windows\\{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe"	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}\stubpath = "C:\\Windows\\{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe"	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}\stubpath = "C:\\Windows\\{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe"	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{810DCF95-404C-45d9-BD84-3116E57660E2}	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}\stubpath = "C:\\Windows\\{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe"	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe

Executes dropped EXE 12 IoCs

pid	Process
2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe
1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe
4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe
1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe
3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe
4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe
4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe
4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe
3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe
2952	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe
1868	{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe
4812	{31F268F1-988A-4097-8D1C-805BA24562B8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe
File created	C:\Windows\{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe
File created	C:\Windows\{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe
File created	C:\Windows\{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe
File created	C:\Windows\{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe
File created	C:\Windows\{810DCF95-404C-45d9-BD84-3116E57660E2}.exe	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe
File created	C:\Windows\{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe
File created	C:\Windows\{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe
File created	C:\Windows\{31F268F1-988A-4097-8D1C-805BA24562B8}.exe	{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe
File created	C:\Windows\{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe
File created	C:\Windows\{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe
File created	C:\Windows\{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4168	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe
Token: SeIncBasePriorityPrivilege	1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe
Token: SeIncBasePriorityPrivilege	4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe
Token: SeIncBasePriorityPrivilege	1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe
Token: SeIncBasePriorityPrivilege	3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe
Token: SeIncBasePriorityPrivilege	4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe
Token: SeIncBasePriorityPrivilege	4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe
Token: SeIncBasePriorityPrivilege	4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe
Token: SeIncBasePriorityPrivilege	3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe
Token: SeIncBasePriorityPrivilege	2952	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe
Token: SeIncBasePriorityPrivilege	1868	{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2296	4168	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe	97
PID 4168 wrote to memory of 2296	4168	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe	97
PID 4168 wrote to memory of 2296	4168	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe	97
PID 4168 wrote to memory of 1012	4168	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe	98
PID 4168 wrote to memory of 1012	4168	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe	98
PID 4168 wrote to memory of 1012	4168	2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe	98
PID 2296 wrote to memory of 1260	2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe	99
PID 2296 wrote to memory of 1260	2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe	99
PID 2296 wrote to memory of 1260	2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe	99
PID 2296 wrote to memory of 404	2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe	100
PID 2296 wrote to memory of 404	2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe	100
PID 2296 wrote to memory of 404	2296	{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe	100
PID 1260 wrote to memory of 4860	1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe	102
PID 1260 wrote to memory of 4860	1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe	102
PID 1260 wrote to memory of 4860	1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe	102
PID 1260 wrote to memory of 2156	1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe	103
PID 1260 wrote to memory of 2156	1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe	103
PID 1260 wrote to memory of 2156	1260	{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe	103
PID 4860 wrote to memory of 1428	4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe	104
PID 4860 wrote to memory of 1428	4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe	104
PID 4860 wrote to memory of 1428	4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe	104
PID 4860 wrote to memory of 2320	4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe	105
PID 4860 wrote to memory of 2320	4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe	105
PID 4860 wrote to memory of 2320	4860	{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe	105
PID 1428 wrote to memory of 3172	1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe	106
PID 1428 wrote to memory of 3172	1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe	106
PID 1428 wrote to memory of 3172	1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe	106
PID 1428 wrote to memory of 3984	1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe	107
PID 1428 wrote to memory of 3984	1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe	107
PID 1428 wrote to memory of 3984	1428	{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe	107
PID 3172 wrote to memory of 4296	3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe	108
PID 3172 wrote to memory of 4296	3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe	108
PID 3172 wrote to memory of 4296	3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe	108
PID 3172 wrote to memory of 4144	3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe	109
PID 3172 wrote to memory of 4144	3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe	109
PID 3172 wrote to memory of 4144	3172	{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe	109
PID 4296 wrote to memory of 4116	4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe	110
PID 4296 wrote to memory of 4116	4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe	110
PID 4296 wrote to memory of 4116	4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe	110
PID 4296 wrote to memory of 2044	4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe	111
PID 4296 wrote to memory of 2044	4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe	111
PID 4296 wrote to memory of 2044	4296	{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe	111
PID 4116 wrote to memory of 4100	4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe	112
PID 4116 wrote to memory of 4100	4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe	112
PID 4116 wrote to memory of 4100	4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe	112
PID 4116 wrote to memory of 4400	4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe	113
PID 4116 wrote to memory of 4400	4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe	113
PID 4116 wrote to memory of 4400	4116	{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe	113
PID 4100 wrote to memory of 3976	4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe	114
PID 4100 wrote to memory of 3976	4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe	114
PID 4100 wrote to memory of 3976	4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe	114
PID 4100 wrote to memory of 864	4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe	115
PID 4100 wrote to memory of 864	4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe	115
PID 4100 wrote to memory of 864	4100	{810DCF95-404C-45d9-BD84-3116E57660E2}.exe	115
PID 3976 wrote to memory of 2952	3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe	116
PID 3976 wrote to memory of 2952	3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe	116
PID 3976 wrote to memory of 2952	3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe	116
PID 3976 wrote to memory of 1936	3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe	117
PID 3976 wrote to memory of 1936	3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe	117
PID 3976 wrote to memory of 1936	3976	{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe	117
PID 2952 wrote to memory of 1868	2952	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe	118
PID 2952 wrote to memory of 1868	2952	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe	118
PID 2952 wrote to memory of 1868	2952	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe	118
PID 2952 wrote to memory of 4620	2952	{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_dfc07a647c746e2495351336407a88e8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe
  C:\Windows\{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe
    C:\Windows\{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe
      C:\Windows\{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe
        
        C:\Windows\{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe
        
        C:\Windows\{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe
        
        C:\Windows\{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe
        
        C:\Windows\{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{810DCF95-404C-45d9-BD84-3116E57660E2}.exe
        
        C:\Windows\{810DCF95-404C-45d9-BD84-3116E57660E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe
        
        C:\Windows\{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe
        
        C:\Windows\{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe
        
        C:\Windows\{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\{31F268F1-988A-4097-8D1C-805BA24562B8}.exe
        
        C:\Windows\{31F268F1-988A-4097-8D1C-805BA24562B8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A129C~1.EXE > nul
        13⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33BFD~1.EXE > nul
        12⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7DB2~1.EXE > nul
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{810DC~1.EXE > nul
        10⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA1B~1.EXE > nul
        9⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD6E8~1.EXE > nul
        8⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{655F7~1.EXE > nul
        7⤵
        
        PID:4144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41457~1.EXE > nul
        6⤵
        
        PID:3984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C20D~1.EXE > nul
        5⤵
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{90DA8~1.EXE > nul
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D665~1.EXE > nul
    3⤵
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D665979-85CE-477f-940F-9AA7D91A1A78}.exe

Filesize
168KB

MD5
913e4eb13bfbfa2af52aae5c47ae4147

SHA1
d2c3d5581ebb20c50c1bf4e2cc3881d7c2c4adc7

SHA256
8d28b25c2e4998537420356f95f78f59b9d41ff8ff574a6dd66d4948339e8b04

SHA512
bb263d00a4e17069dd63e4f378a20922c197fb4e01a738ede3ae539f2d2d9f380ab473d7be86d7ac72e3474a47ad75e4902174a3ee4cf336fbeb85039163eb30

Download Submit
C:\Windows\{31F268F1-988A-4097-8D1C-805BA24562B8}.exe

Filesize
168KB

MD5
59e6e86d749d4efe58055861f1466017

SHA1
83c0c4e18256bd6ec3e476e330467a7addde5293

SHA256
6848e4b1fd5c4c8d75c7e680ca2944751ad0f4c251c199a16d0bf70ce2a5391d

SHA512
d523d1dbc0133d44feb528e7c6f45396dcc0600f61fc61ff9cebef78cc2c3a0426a0b807e95c6a3f8c218a451f838f30478de7f8dc24bf94cf9a71adc787aac9

Download Submit
C:\Windows\{33BFD2DE-AF4F-43fb-925F-1CD688D22BF7}.exe

Filesize
168KB

MD5
80a5d9535e208b56ef9b592c5e34b270

SHA1
4bc5fba3bd435cbe14ea33a65151a069f6ae8f4d

SHA256
1fe48f259124a9c78af205ee04f090224ba512d7905322f4144245df13c1c275

SHA512
2231e746d2c9b0df32a0aaf1222382d035151324717f823e412a018d7ed5bec109d12dfee0c8d6707ff57ec306dfcd20a20840085d23c0dada285084b50bc055

Download Submit
C:\Windows\{414578D7-6615-4008-8ECD-0FF5037B34E1}.exe

Filesize
168KB

MD5
2e26c9e6e6e2c8b391f8bed7791400be

SHA1
5f9df13011dce289670883509b13fd7b340a6561

SHA256
eb885ea95392ae0ce74c0f52063e451c153045f4900caf168e1f1a66db1eefa1

SHA512
1f588fbc9bc7bc6e0d1251c833f01277a51c555bd76a50f5baf3a8a7662998fb2c9e4bc2ba0ee8d34688e1fe390151b72f0551d0c6d6b305ae5757c2b4493314

Download Submit
C:\Windows\{4C20D757-6111-41c0-8A9C-CBD93030C1F6}.exe

Filesize
168KB

MD5
3c49bc61451d22f7ec271d1acc8fa8ee

SHA1
030683d5a5cb87bafb876ab032491d999832a3e4

SHA256
eb1654a8d787ad601d822e8878007cba556441a18a034b1063d185daad0e1c36

SHA512
e1fc9ad635cd9eec4c4dc4f6415c4f963d424cbec2b018686968fae47e10c917863aa01eb38ba897226e05c563bcb19430f9cda7d804ffdd1388553c4a8a86d6

Download Submit
C:\Windows\{4CA1BBBF-3269-4368-BEC8-1FCCD4739073}.exe

Filesize
168KB

MD5
79d2cb9be19a91838804475e48e7c2cb

SHA1
c929735cc5fb46429ca2dc2f62ad872d1efc8f87

SHA256
f2a68c1f9ec9a28027461cfe4ed581d1fb7af76f085f65ec63ca1e899a48b629

SHA512
ca9be7a928c77dfe604febe21154c7c7c62203c9c6a5be172e3e034178df07fa0d7d67465dc08c4565487a8bce42f4f8c3fd60aeff4f2456fa76ede1bad26723

Download Submit
C:\Windows\{655F7C5F-D74F-4776-BCE4-584C77299C81}.exe

Filesize
168KB

MD5
53015525f8964b2fffd5073fb9ea7fe1

SHA1
1efdc84adeeeb3d7bedbe6287071bc0957a8bc00

SHA256
bd2b85530688f43222a82dddfcdcce3695765d0d2aec4b18ebd5dc4c8df348db

SHA512
df859947ea53f311c1ffd0ec6453815dd7c66adbe32f7f151484e04637fcf62cae9f17cbe5765ce9b2ea5846209b84f3cb2a60f5791c622be42068bc0623f0fb

Download Submit
C:\Windows\{810DCF95-404C-45d9-BD84-3116E57660E2}.exe

Filesize
168KB

MD5
6bc3a21969fec5a3f2489b95a0eccfe7

SHA1
36ff068a19fbcab622b06bc26fd07a2e2b71b2ee

SHA256
6413213cc58828717a1718c5294281ff9044c3bdf0d8f8abad4e74e74e690615

SHA512
92409e4abefd7dc3bde77eee498c937cb60980d26a499ba1b017df1e659e734b1dd692395856654f915d63a64ef12131c280befb71b9fa59f69dda9c66075cd4

Download Submit
C:\Windows\{90DA8C5A-1F3A-41d5-8E0F-395BDC871EAA}.exe

Filesize
168KB

MD5
6ad617b68ec4338f5aabd34409a7e9f3

SHA1
9c92b6d34aeff3acc9245291d1c979f610b84bb1

SHA256
532844c1487b36a00703c5abe5e6a383297d3e60ddbc27f27c31dd06865b1861

SHA512
d8e4b26527ef0450bfe972d134007a6486f0b31215e5c2919a6637992bb4a4792abfa6dd0352c6a8d3398fa98de4b7ddd19a18025a5485d26a9559e860443766

Download Submit
C:\Windows\{A129C9C2-3ECB-42bf-8C58-DB99C8B47247}.exe

Filesize
168KB

MD5
467ee3282525c28a3890ac7e9d7aa703

SHA1
21cf976a6aa71a5481b6c4eedf535fc6c78c36bd

SHA256
13e6ddbd40c9c9caf19e8f130d31281a671f03ee2bf645710bcaacdc16b05bcc

SHA512
b17dc76d35ec3a298565aa39559e04b222fdd3ff0ac2402e4766d1bc4fe66deffafb043eaa1a8b7672b50567857f2fa2e6036ef3c91d0d8c24a700c9abb81897

Download Submit
C:\Windows\{CD6E82AD-D31A-4c07-BACA-1A508DF9AC0C}.exe

Filesize
168KB

MD5
f23673ae3bd7df2a70d183f6759dffd0

SHA1
a9eb3cd37ee2fb298e94deb8ad388a78ee5b795d

SHA256
55fca448620aaebd7ca4162710932429ea3af7c684b32cb5c6ea2c299a1e2550

SHA512
9d874c8a4f21e96c4ca863122d0e9d9a669c6d84a429938e054769174c6bfa5421f528cd46fa344a0ed4a07fa1b0ce9686b576b6a1f60ff53cf251ec00882859

Download Submit
C:\Windows\{F7DB233C-780A-4fcc-A8EB-4663B2ABCB9D}.exe

Filesize
168KB

MD5
2986ebf969df37797812313522302292

SHA1
46c304b0601ab88da27d7f2aff5ffb9511950527

SHA256
7ce4416bf808b1877e7b4b918f34c6cc6c2fcca42417f2b03e416b482071d3d5

SHA512
2f2556b012bebeb311a83b6a4ce6ddff71be8a964c1444fb1b8a9226c9f32e48e4e72f0c3bdb338213ed4d797cb6d2a7dcb7c2945987329b09aafb518c9fcff6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads