a69550ac9ac56b6ddd367bf372d1ab9e7a3366c89e4f5214d5b1f82fc98c925f

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 12:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe
Size

380KB
MD5

62fd446ef26582e954ba394c23ceb1a7
SHA1

4320ea056e9be70b0cd433a0d7ad2521749038eb
SHA256

a69550ac9ac56b6ddd367bf372d1ab9e7a3366c89e4f5214d5b1f82fc98c925f
SHA512

3b4cdb40f2a05172e704d66ad45bfabe2414a27eead05e622c9a37bb09c60efb7679a06e92ea2517fe4dd93cddee253d81b1d9840a1565c0c22e4375d741ce82
SSDEEP

3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGsl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231fd-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023204-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023204-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320b-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17F15731-C550-43fe-9C07-1ECF0B63EF3A}	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506DECE3-A272-450b-80A6-01EF80FF7A2B}	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE048C53-5CEE-4f5f-B033-8FEAD597657B}	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5697400-55CC-48fb-91B0-F6A3C97AFE89}\stubpath = "C:\\Windows\\{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe"	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DA06A7-4257-4934-A161-9171C1C4449D}	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28590353-6C41-459a-9FCB-CDCA4A06A070}	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60A1373-153A-494c-A1B3-10E076C4E342}	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DA06A7-4257-4934-A161-9171C1C4449D}\stubpath = "C:\\Windows\\{42DA06A7-4257-4934-A161-9171C1C4449D}.exe"	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17F15731-C550-43fe-9C07-1ECF0B63EF3A}\stubpath = "C:\\Windows\\{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe"	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}\stubpath = "C:\\Windows\\{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}.exe"	{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}\stubpath = "C:\\Windows\\{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe"	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19D1629-1024-4962-BBC8-F2D2E1177A8B}	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE048C53-5CEE-4f5f-B033-8FEAD597657B}\stubpath = "C:\\Windows\\{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe"	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}	{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5697400-55CC-48fb-91B0-F6A3C97AFE89}	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}\stubpath = "C:\\Windows\\{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe"	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}\stubpath = "C:\\Windows\\{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe"	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60A1373-153A-494c-A1B3-10E076C4E342}\stubpath = "C:\\Windows\\{D60A1373-153A-494c-A1B3-10E076C4E342}.exe"	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506DECE3-A272-450b-80A6-01EF80FF7A2B}\stubpath = "C:\\Windows\\{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe"	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19D1629-1024-4962-BBC8-F2D2E1177A8B}\stubpath = "C:\\Windows\\{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe"	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28590353-6C41-459a-9FCB-CDCA4A06A070}\stubpath = "C:\\Windows\\{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe"	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe
1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe
1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe
4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe
856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe
1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe
4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe
4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe
4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe
1588	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe
700	{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe
1072	{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe
File created	C:\Windows\{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe
File created	C:\Windows\{42DA06A7-4257-4934-A161-9171C1C4449D}.exe	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe
File created	C:\Windows\{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe
File created	C:\Windows\{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe
File created	C:\Windows\{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}.exe	{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe
File created	C:\Windows\{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe
File created	C:\Windows\{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe
File created	C:\Windows\{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe
File created	C:\Windows\{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe
File created	C:\Windows\{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe
File created	C:\Windows\{D60A1373-153A-494c-A1B3-10E076C4E342}.exe	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2812	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe
Token: SeIncBasePriorityPrivilege	1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe
Token: SeIncBasePriorityPrivilege	1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe
Token: SeIncBasePriorityPrivilege	4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe
Token: SeIncBasePriorityPrivilege	856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe
Token: SeIncBasePriorityPrivilege	1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe
Token: SeIncBasePriorityPrivilege	4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe
Token: SeIncBasePriorityPrivilege	4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe
Token: SeIncBasePriorityPrivilege	4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe
Token: SeIncBasePriorityPrivilege	1588	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe
Token: SeIncBasePriorityPrivilege	700	{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 4388	2812	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe	97
PID 2812 wrote to memory of 4388	2812	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe	97
PID 2812 wrote to memory of 4388	2812	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe	97
PID 2812 wrote to memory of 4356	2812	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe	98
PID 2812 wrote to memory of 4356	2812	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe	98
PID 2812 wrote to memory of 4356	2812	2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe	98
PID 4388 wrote to memory of 1528	4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe	99
PID 4388 wrote to memory of 1528	4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe	99
PID 4388 wrote to memory of 1528	4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe	99
PID 4388 wrote to memory of 1108	4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe	100
PID 4388 wrote to memory of 1108	4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe	100
PID 4388 wrote to memory of 1108	4388	{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe	100
PID 1528 wrote to memory of 1388	1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe	102
PID 1528 wrote to memory of 1388	1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe	102
PID 1528 wrote to memory of 1388	1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe	102
PID 1528 wrote to memory of 3464	1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe	103
PID 1528 wrote to memory of 3464	1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe	103
PID 1528 wrote to memory of 3464	1528	{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe	103
PID 1388 wrote to memory of 4472	1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe	104
PID 1388 wrote to memory of 4472	1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe	104
PID 1388 wrote to memory of 4472	1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe	104
PID 1388 wrote to memory of 4520	1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe	105
PID 1388 wrote to memory of 4520	1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe	105
PID 1388 wrote to memory of 4520	1388	{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe	105
PID 4472 wrote to memory of 856	4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe	106
PID 4472 wrote to memory of 856	4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe	106
PID 4472 wrote to memory of 856	4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe	106
PID 4472 wrote to memory of 4912	4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe	107
PID 4472 wrote to memory of 4912	4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe	107
PID 4472 wrote to memory of 4912	4472	{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe	107
PID 856 wrote to memory of 1036	856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe	108
PID 856 wrote to memory of 1036	856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe	108
PID 856 wrote to memory of 1036	856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe	108
PID 856 wrote to memory of 1516	856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe	109
PID 856 wrote to memory of 1516	856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe	109
PID 856 wrote to memory of 1516	856	{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe	109
PID 1036 wrote to memory of 4828	1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe	110
PID 1036 wrote to memory of 4828	1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe	110
PID 1036 wrote to memory of 4828	1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe	110
PID 1036 wrote to memory of 2556	1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe	111
PID 1036 wrote to memory of 2556	1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe	111
PID 1036 wrote to memory of 2556	1036	{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe	111
PID 4828 wrote to memory of 4744	4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe	112
PID 4828 wrote to memory of 4744	4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe	112
PID 4828 wrote to memory of 4744	4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe	112
PID 4828 wrote to memory of 532	4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe	113
PID 4828 wrote to memory of 532	4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe	113
PID 4828 wrote to memory of 532	4828	{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe	113
PID 4744 wrote to memory of 4004	4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe	114
PID 4744 wrote to memory of 4004	4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe	114
PID 4744 wrote to memory of 4004	4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe	114
PID 4744 wrote to memory of 4088	4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe	115
PID 4744 wrote to memory of 4088	4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe	115
PID 4744 wrote to memory of 4088	4744	{D60A1373-153A-494c-A1B3-10E076C4E342}.exe	115
PID 4004 wrote to memory of 1588	4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe	116
PID 4004 wrote to memory of 1588	4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe	116
PID 4004 wrote to memory of 1588	4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe	116
PID 4004 wrote to memory of 1120	4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe	117
PID 4004 wrote to memory of 1120	4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe	117
PID 4004 wrote to memory of 1120	4004	{42DA06A7-4257-4934-A161-9171C1C4449D}.exe	117
PID 1588 wrote to memory of 700	1588	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe	118
PID 1588 wrote to memory of 700	1588	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe	118
PID 1588 wrote to memory of 700	1588	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe	118
PID 1588 wrote to memory of 3444	1588	{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_62fd446ef26582e954ba394c23ceb1a7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe
  C:\Windows\{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe
    C:\Windows\{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe
      C:\Windows\{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe
        
        C:\Windows\{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe
        
        C:\Windows\{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe
        
        C:\Windows\{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe
        
        C:\Windows\{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\{D60A1373-153A-494c-A1B3-10E076C4E342}.exe
        
        C:\Windows\{D60A1373-153A-494c-A1B3-10E076C4E342}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{42DA06A7-4257-4934-A161-9171C1C4449D}.exe
        
        C:\Windows\{42DA06A7-4257-4934-A161-9171C1C4449D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe
        
        C:\Windows\{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe
        
        C:\Windows\{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}.exe
        
        C:\Windows\{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{506DE~1.EXE > nul
        13⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17F15~1.EXE > nul
        12⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42DA0~1.EXE > nul
        11⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D60A1~1.EXE > nul
        10⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E52D5~1.EXE > nul
        9⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{456BE~1.EXE > nul
        8⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5697~1.EXE > nul
        7⤵
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28590~1.EXE > nul
        6⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE048~1.EXE > nul
        5⤵
        
        PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D19D1~1.EXE > nul
      4⤵
      PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8951B~1.EXE > nul
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17F15731-C550-43fe-9C07-1ECF0B63EF3A}.exe

Filesize
380KB

MD5
82433fb6f6c7fed9276afef1a0711b55

SHA1
aaaf33e4401f44a1bb50e23a2f87718e4dc7d67c

SHA256
ef115370a7e67e6f2f1779af4b6053de453725d1196e0d9e8a92fec4ed10bbbc

SHA512
1350536553ac73cd7dcc080a0eb7eaf6f9bdaca2df159296c0ffbd405f970b168457aa54129604b8db8fa33f1b8c8d3174fa488f37582d903da40a5486958164

Download Submit
C:\Windows\{28590353-6C41-459a-9FCB-CDCA4A06A070}.exe

Filesize
380KB

MD5
da5d3455acd8d9132c70de09291f169f

SHA1
b6777f6686fab1f6802675f165590b417c9f96c2

SHA256
a5d3ac04aa64358fa29b425decfecee0e91287df384ca0b7781dc6d0253d772d

SHA512
4a0070d856cf6e9e1e0975889cab7d53d28c60992e13f684a277a0f062f780435609e163f1063c9e36ca66939d5e5f8c7396031ec42a662054354aa82183a242

Download Submit
C:\Windows\{42DA06A7-4257-4934-A161-9171C1C4449D}.exe

Filesize
380KB

MD5
49732e2b41515eb64faa4984e1c4b231

SHA1
822ca9f8ceaf72353cf3ad03e02b608bc40baf35

SHA256
ead0016e878ea666be11fb3fdb455bed4c10897a10cc5106e38aeff77de6777e

SHA512
faaeba2e531affcd68408d57d251a77a8e2b82dbce577f14dd40257bef6d56b1628a32cb477e771ca8a662c7b113c50f6e6315e88a85d8dfb1b13bd9671d0ca1

Download Submit
C:\Windows\{456BE2CE-0CF5-40c9-B3C2-194F4B5FF5E4}.exe

Filesize
380KB

MD5
8ec2ebf64971b590ff1a372cb9fc366b

SHA1
a8a49c6027d2b2c66130c6952e6fcb51a1965531

SHA256
38268aab6e9eb93eeb803da97f0000a9b532ad1d93e563b1ad28efb0287ef854

SHA512
c81e610f70b81fceebb7a7cd3a40aaef5749c95cf11e2a08b5817c9059ccbd67d372ac3c8a2f3425f06a3cf8da39a6111ddbdea6cc033fdabc45aad750aa7d82

Download Submit
C:\Windows\{506DECE3-A272-450b-80A6-01EF80FF7A2B}.exe

Filesize
380KB

MD5
d650c10cfa92ceb4e9d8808d477e1561

SHA1
365ffcce6deeb3ed305497a9c1e68ea46700570e

SHA256
9ed214beab38f88bab7cbcead689175c37d68a95c94e846aab375f94a1d9643f

SHA512
e54cc4dbb7f93051f0fd8854147b4da3b16c58111766c149dd7fc2975c8c138b9720b5f34eb95f4383c10f25683cf487195783ca0f018dc876a5b93bc06029e8

Download Submit
C:\Windows\{8951BC7C-FCB2-4da8-97E0-5D66DA137B17}.exe

Filesize
380KB

MD5
06af07233d0573e313d66238afce7310

SHA1
8e8d682c41cd056f400c151daf21625bf65fe8cb

SHA256
0eefc2cbdd55df64e7cb6d8b691711d29ffe796dc2742c34e75a1ff4909f1ee9

SHA512
ee3c3fb2e081e11ede9e0c529143d668a05d3583ad29b1b32953eb2cb774def4fc55bff7ea86bb370b58c1d6bfc86ea2e518335c248793810ca93515230537a0

Download Submit
C:\Windows\{A5697400-55CC-48fb-91B0-F6A3C97AFE89}.exe

Filesize
380KB

MD5
978b0ad67b45a6d2e648bf6b172feb7b

SHA1
c04153595e94125bb294c840f7d3598fd283ddae

SHA256
38a754ed6ca7720b8a1b6ea5378ac8d08ce8410215aa0e177e9abdba70c4e032

SHA512
8ae4cc5a65a762d34ce5d92ff617917068642bea22f92352488760bc2543be9c53445ae6cd34d7c151ed8678e70e49a59deefcf5138b3a54449b127029cdfd64

Download Submit
C:\Windows\{B9CBE4F0-1E9B-4886-A265-FDF087545D3D}.exe

Filesize
380KB

MD5
764bff0ba775ec2b48991bcd2dcbe586

SHA1
d3f96f30b43b57a8dcf23451173891338c205d57

SHA256
12aa5589e974d6d06d30495b5ec31b76c62d0273100f0805c5cfaabb341fbdf9

SHA512
ff229d88f4c1065b8784e83761cc8e7558ad2973befa678a68cfc58b8a1e146a155da1e8ef0513fa6f866965c4493f373653963ad9297cf23113a36b17a95e89

Download Submit
C:\Windows\{D19D1629-1024-4962-BBC8-F2D2E1177A8B}.exe

Filesize
380KB

MD5
55a7de465bb3d9a95dea87fe4fdd5d8e

SHA1
1246002abd5b67b2061b850680f63f7efde335eb

SHA256
8a6aac1ae13691a1102e7be495ade980f5613c25c85b4c7c4d41383bf8e63c12

SHA512
ec0f38dbd2f2e45436bac40013f62e3f258b3ad16af242287a668fcf088b179e406e7cd05ad76339df54410dc8a3876e099f3262783732f52bd27b997f0321c0

Download Submit
C:\Windows\{D60A1373-153A-494c-A1B3-10E076C4E342}.exe

Filesize
380KB

MD5
50806a3f60a562b4dc8668b4616095c5

SHA1
f9bf193919d2131c7de9701191b22d57e6960b08

SHA256
ffe22261cbf71c80c07d16293d4d3b35349a5fa6cdb506906303f4d77b6fa3d8

SHA512
94ec44cbcd4fac41f605bbb7ba6c32f4164e169177f42c9dc3ba6f9bebb47ea49c2e3ad221ee9b6e3294be97456b82b6db2b8170d66193cc0f78a4131e1027a9

Download Submit
C:\Windows\{E52D5BDD-E38A-4b0d-8299-69C4C932D48E}.exe

Filesize
380KB

MD5
9584a8eb2c2e2ee96de69ca5bc9178da

SHA1
3103ff3b73bcdee9c068262ef4b521f7371aa6a9

SHA256
8f70b75889fa4b82d399bdf1802142a8b10b8d9eecead975cdae9c4a513121c5

SHA512
cccc5f86ffd40333594de8e0bf8ed397d4c08eb647aadbb7568cd3b90728f008bff7bb745c1e0f88b5c0163421a437a543da30c73990d33361566fa11d894fb3

Download Submit
C:\Windows\{FE048C53-5CEE-4f5f-B033-8FEAD597657B}.exe

Filesize
380KB

MD5
fde4f0a474a3921fb9b8cf259688d913

SHA1
c902cfbf333e32e8be65cc78292e6b2a16380de0

SHA256
1f736fc401b157331da0bfa8e8b3e3f4675dfb259fd4a6268948d0aff8594818

SHA512
bdf5a84a8e02e400516b575e93a8f6f09189d6dd097317cfe8b216040e24b6ac424a32fb5a75f7c419fc7b91ec1ad8142b11842ac3ee8ec8f512320564bad9fb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads