087519c9a244a53c67718807932d6194f268808f2369f5f7142ea6271e0ce3cd

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe
Size

380KB
MD5

9d60e416c2ac86b36a71eab3e5481c09
SHA1

f6fdaaf8523a580a9739540ce2cd4a3b3e53d7d3
SHA256

087519c9a244a53c67718807932d6194f268808f2369f5f7142ea6271e0ce3cd
SHA512

09c1868f9784b64112ce938f8195af14e89cf6bcc5d5ac465c48264995c088c16779f4e7b03c99a0ecf035eefeb2f1ef61965314246d785309a6711e3030533e
SSDEEP

3072:mEGh0onlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGZl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023212-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023207-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023219-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023207-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}\stubpath = "C:\\Windows\\{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe"	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}\stubpath = "C:\\Windows\\{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe"	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E25643-99EB-444d-B947-6DF112BC1905}	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}	{F3F7D830-0411-4410-8712-BA4744D30603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B21FB0B-B1F3-4178-B36C-405C177F26EB}\stubpath = "C:\\Windows\\{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe"	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72D466B6-DEF2-43cb-A237-B2A25658EEBF}	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B382BE5B-9876-41dc-8ED9-50C264E42D64}	{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{585706CC-897B-4b00-8DE4-F85A1EA7EED1}\stubpath = "C:\\Windows\\{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe"	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}\stubpath = "C:\\Windows\\{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe"	{F3F7D830-0411-4410-8712-BA4744D30603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{992544CA-63D4-42f9-BCEC-73C19EDE6F38}\stubpath = "C:\\Windows\\{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe"	{94E25643-99EB-444d-B947-6DF112BC1905}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C51C97-366A-44c4-AECE-E317D216B63F}	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72D466B6-DEF2-43cb-A237-B2A25658EEBF}\stubpath = "C:\\Windows\\{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe"	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E427E3E-9472-405e-8938-0A096D9DBD3F}\stubpath = "C:\\Windows\\{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe"	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{585706CC-897B-4b00-8DE4-F85A1EA7EED1}	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{992544CA-63D4-42f9-BCEC-73C19EDE6F38}	{94E25643-99EB-444d-B947-6DF112BC1905}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C51C97-366A-44c4-AECE-E317D216B63F}\stubpath = "C:\\Windows\\{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe"	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F7D830-0411-4410-8712-BA4744D30603}	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F7D830-0411-4410-8712-BA4744D30603}\stubpath = "C:\\Windows\\{F3F7D830-0411-4410-8712-BA4744D30603}.exe"	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B21FB0B-B1F3-4178-B36C-405C177F26EB}	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E427E3E-9472-405e-8938-0A096D9DBD3F}	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E25643-99EB-444d-B947-6DF112BC1905}\stubpath = "C:\\Windows\\{94E25643-99EB-444d-B947-6DF112BC1905}.exe"	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B382BE5B-9876-41dc-8ED9-50C264E42D64}\stubpath = "C:\\Windows\\{B382BE5B-9876-41dc-8ED9-50C264E42D64}.exe"	{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe

Executes dropped EXE 12 IoCs

pid	Process
4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe
4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe
2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe
4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe
3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe
1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe
3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe
2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe
3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe
1112	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe
4080	{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe
3200	{B382BE5B-9876-41dc-8ED9-50C264E42D64}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe	{94E25643-99EB-444d-B947-6DF112BC1905}.exe
File created	C:\Windows\{F3F7D830-0411-4410-8712-BA4744D30603}.exe	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe
File created	C:\Windows\{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe
File created	C:\Windows\{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe
File created	C:\Windows\{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe
File created	C:\Windows\{B382BE5B-9876-41dc-8ED9-50C264E42D64}.exe	{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe
File created	C:\Windows\{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe
File created	C:\Windows\{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe
File created	C:\Windows\{94E25643-99EB-444d-B947-6DF112BC1905}.exe	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe
File created	C:\Windows\{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe
File created	C:\Windows\{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe	{F3F7D830-0411-4410-8712-BA4744D30603}.exe
File created	C:\Windows\{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1444	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe
Token: SeIncBasePriorityPrivilege	4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe
Token: SeIncBasePriorityPrivilege	2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe
Token: SeIncBasePriorityPrivilege	4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe
Token: SeIncBasePriorityPrivilege	3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe
Token: SeIncBasePriorityPrivilege	1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe
Token: SeIncBasePriorityPrivilege	3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe
Token: SeIncBasePriorityPrivilege	2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe
Token: SeIncBasePriorityPrivilege	3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe
Token: SeIncBasePriorityPrivilege	1112	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe
Token: SeIncBasePriorityPrivilege	4080	{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 4676	1444	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe	96
PID 1444 wrote to memory of 4676	1444	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe	96
PID 1444 wrote to memory of 4676	1444	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe	96
PID 1444 wrote to memory of 1984	1444	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe	97
PID 1444 wrote to memory of 1984	1444	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe	97
PID 1444 wrote to memory of 1984	1444	2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe	97
PID 4676 wrote to memory of 4440	4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe	98
PID 4676 wrote to memory of 4440	4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe	98
PID 4676 wrote to memory of 4440	4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe	98
PID 4676 wrote to memory of 4968	4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe	99
PID 4676 wrote to memory of 4968	4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe	99
PID 4676 wrote to memory of 4968	4676	{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe	99
PID 4440 wrote to memory of 2564	4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe	101
PID 4440 wrote to memory of 2564	4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe	101
PID 4440 wrote to memory of 2564	4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe	101
PID 4440 wrote to memory of 4164	4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe	102
PID 4440 wrote to memory of 4164	4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe	102
PID 4440 wrote to memory of 4164	4440	{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe	102
PID 2564 wrote to memory of 4852	2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe	103
PID 2564 wrote to memory of 4852	2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe	103
PID 2564 wrote to memory of 4852	2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe	103
PID 2564 wrote to memory of 3428	2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe	104
PID 2564 wrote to memory of 3428	2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe	104
PID 2564 wrote to memory of 3428	2564	{94E25643-99EB-444d-B947-6DF112BC1905}.exe	104
PID 4852 wrote to memory of 3284	4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe	105
PID 4852 wrote to memory of 3284	4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe	105
PID 4852 wrote to memory of 3284	4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe	105
PID 4852 wrote to memory of 5060	4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe	106
PID 4852 wrote to memory of 5060	4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe	106
PID 4852 wrote to memory of 5060	4852	{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe	106
PID 3284 wrote to memory of 1760	3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe	107
PID 3284 wrote to memory of 1760	3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe	107
PID 3284 wrote to memory of 1760	3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe	107
PID 3284 wrote to memory of 1828	3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe	108
PID 3284 wrote to memory of 1828	3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe	108
PID 3284 wrote to memory of 1828	3284	{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe	108
PID 1760 wrote to memory of 3900	1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe	109
PID 1760 wrote to memory of 3900	1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe	109
PID 1760 wrote to memory of 3900	1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe	109
PID 1760 wrote to memory of 3104	1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe	110
PID 1760 wrote to memory of 3104	1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe	110
PID 1760 wrote to memory of 3104	1760	{F3F7D830-0411-4410-8712-BA4744D30603}.exe	110
PID 3900 wrote to memory of 2476	3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe	111
PID 3900 wrote to memory of 2476	3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe	111
PID 3900 wrote to memory of 2476	3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe	111
PID 3900 wrote to memory of 348	3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe	112
PID 3900 wrote to memory of 348	3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe	112
PID 3900 wrote to memory of 348	3900	{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe	112
PID 2476 wrote to memory of 3112	2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe	113
PID 2476 wrote to memory of 3112	2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe	113
PID 2476 wrote to memory of 3112	2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe	113
PID 2476 wrote to memory of 1416	2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe	114
PID 2476 wrote to memory of 1416	2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe	114
PID 2476 wrote to memory of 1416	2476	{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe	114
PID 3112 wrote to memory of 1112	3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe	115
PID 3112 wrote to memory of 1112	3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe	115
PID 3112 wrote to memory of 1112	3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe	115
PID 3112 wrote to memory of 3660	3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe	116
PID 3112 wrote to memory of 3660	3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe	116
PID 3112 wrote to memory of 3660	3112	{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe	116
PID 1112 wrote to memory of 4080	1112	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe	117
PID 1112 wrote to memory of 4080	1112	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe	117
PID 1112 wrote to memory of 4080	1112	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe	117
PID 1112 wrote to memory of 2648	1112	{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_9d60e416c2ac86b36a71eab3e5481c09_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe
  C:\Windows\{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe
    C:\Windows\{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\{94E25643-99EB-444d-B947-6DF112BC1905}.exe
      C:\Windows\{94E25643-99EB-444d-B947-6DF112BC1905}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe
        
        C:\Windows\{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe
        
        C:\Windows\{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\{F3F7D830-0411-4410-8712-BA4744D30603}.exe
        
        C:\Windows\{F3F7D830-0411-4410-8712-BA4744D30603}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe
        
        C:\Windows\{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe
        
        C:\Windows\{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe
        
        C:\Windows\{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe
        
        C:\Windows\{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe
        
        C:\Windows\{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\{B382BE5B-9876-41dc-8ED9-50C264E42D64}.exe
        
        C:\Windows\{B382BE5B-9876-41dc-8ED9-50C264E42D64}.exe
        13⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB0D~1.EXE > nul
        13⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72D46~1.EXE > nul
        12⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B21F~1.EXE > nul
        11⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10EA9~1.EXE > nul
        10⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF595~1.EXE > nul
        9⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3F7D~1.EXE > nul
        8⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6C51~1.EXE > nul
        7⤵
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99254~1.EXE > nul
        6⤵
        
        PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94E25~1.EXE > nul
        5⤵
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58570~1.EXE > nul
      4⤵
      PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E427~1.EXE > nul
    3⤵
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10EA96B8-5F1A-472c-B3E7-5460E5E1C19B}.exe

Filesize
380KB

MD5
64d5921da36d5e45c5148ff193680562

SHA1
a70e68ab98693b19d7913130786fe3395136516b

SHA256
6a6024fa54ee4a030ea42902c80cac6edd7b9b4b2c832a09266ee958e562f068

SHA512
412f5393a8121f9197eafd5da6c85e0fb8c6c304910512b6dc3e49c84cad80785df388d3802c7189fde79ee48969d7e5f8495020cfdf24f6d03b14c8bb3aefc2

Download Submit
C:\Windows\{2DB0D6F2-1A45-4f4e-9F1C-86D25CB74871}.exe

Filesize
380KB

MD5
3620a4175fb5bfeeceda06ece685d83f

SHA1
6b9dc37211dd4cde8bec4fe520acc9e739dbe35e

SHA256
3a81648627e255dadaec0a77e9176ca9c57a2f79eeae8f5d2c28a2b40e419e6b

SHA512
2c472dd58e2f20a0dfd113ace31e179e0f8ac35bebea835b69148c69cb3d8237fb24f57dea51c1eb287caf10cbceb641b58f4a82f9600f6de52fb3fc739fee9b

Download Submit
C:\Windows\{585706CC-897B-4b00-8DE4-F85A1EA7EED1}.exe

Filesize
380KB

MD5
52f7dc351600009a696372212c84ae32

SHA1
c6d3e845f4c1adcec1d8e8a906b8ad7aa6be7010

SHA256
fc6fc9e49c8bdad42c27668032295537b667130d1dfb8938bdf48cf411b27b26

SHA512
bba325ce14af37fbf51a28785f4494334ffbe5b58d9cba1cb1f1fc99878b185923c17b3543c55b3890d7d59322ed4045bf95e2832df68992d04bcb9253a9e2c6

Download Submit
C:\Windows\{72D466B6-DEF2-43cb-A237-B2A25658EEBF}.exe

Filesize
380KB

MD5
def4fb1610cf17c368f92c54e29c81ba

SHA1
bfc1572ccf5582da8e32d2565c8ab86cd433648d

SHA256
4c7cdedaff05632642eb8583e54313eef3fd8908c829e3c4e189e8606176cf40

SHA512
f9cf36d3792bdc97684d010ae4e420ff177c0eb40d2c70d67401dd9c80f965146663638774bed805c5874629d9d0b88abb3e2328a69ca269a71c37d53ba97b30

Download Submit
C:\Windows\{8B21FB0B-B1F3-4178-B36C-405C177F26EB}.exe

Filesize
380KB

MD5
eab065878b2f8a5c6bbedc3cd6ef2054

SHA1
2bc2505167868c52eeb513ebb86491d3dd83607c

SHA256
1f0e1f1973671c95ed08f75bd6e46385a54d196154867067e3c14595ec49afb9

SHA512
f993c746b6160350353996197f9b8c1e0643f23395deec8cff050e2e49194e961ea9be68cb8e2cdc9b0c6ebbbfffaeedab07387ba810594d55978121f3c9daca

Download Submit
C:\Windows\{94E25643-99EB-444d-B947-6DF112BC1905}.exe

Filesize
380KB

MD5
e1217e579060dab580ff29ffda12d399

SHA1
e1378847c6d2d69bff809c08508748dc6b43a0a6

SHA256
51e6a81765a327fc2eebe0e275734173aeb377c65c27e5bd2ed20d9b2a64be7d

SHA512
ed4a0b0c6e4fe48dc784e9de926d568672b9297350460b447b6e9a8977e0f9f1ce57a8c0096d0daafcc137bd4f0d965fdc7f2c49fa6babb3273c5b9e55de4c53

Download Submit
C:\Windows\{992544CA-63D4-42f9-BCEC-73C19EDE6F38}.exe

Filesize
380KB

MD5
5c086e5c575a8762af18196daf2db5bb

SHA1
b9c2b06f3b1999ef6380eeed91870f040a91b61b

SHA256
b7a4120f4a761d41ecd258df7e19652ddb8845d3553edd793e1253d3b649f853

SHA512
6d22b9622139609400dba280b5cc04a94ea9f32d40ecf89e245cc8ca8717d00dddd22f5a5b4d366be29cb8171f2a2b0f381ba6c701674da2f8e042d9c2b78cc6

Download Submit
C:\Windows\{9E427E3E-9472-405e-8938-0A096D9DBD3F}.exe

Filesize
380KB

MD5
b7cb2b3cc03b99e00c05fde26db91b2a

SHA1
9de84972649c4906a42ecdfe7f1185d429c49244

SHA256
e1870effd347f7516bd55e57719a123774534b22a4a1f7d97acd9c3b84f7178a

SHA512
f52a43a664f56815627b62e0239b71521bfb0071b642712e430fbf2540ab2644e0342edd7223dd100f19f28814bd983cf243435a2331f6d64282fcade164b17c

Download Submit
C:\Windows\{A6C51C97-366A-44c4-AECE-E317D216B63F}.exe

Filesize
380KB

MD5
4685a01f3125391a0e6b42be1bd7e5f4

SHA1
be87a5594fca6538887c816c40b2c5d2f26dee67

SHA256
7c4955e0721c7000a007adca93d707d5058d64b02503ae6df5cc701ff107a876

SHA512
10c135bbd62d5f2194de7ecc4a876442c964658e069e29150a284dfd49d0cd763c5cc5fe169aab42441e737e353ce847ca62bb0c2e9211e8e8260c6769073b44

Download Submit
C:\Windows\{AF5959D2-4E69-4021-B952-2FFB90AB3C3C}.exe

Filesize
380KB

MD5
3aabdfa0b797c41580a38751978252ac

SHA1
627277f93ac3d8f26c3f0b95b8b282c0c4f5509c

SHA256
5d7925effe1b1a14d97f7f9265f385c0dd53cac2518c64b1789b1e767b9b2735

SHA512
4bdb4b2ebe97df7606fc86ed99583a8a598ea8bd46fd8017fa2d110987ee0b81fa910c74b2033cc25db76ce30480bf02eedae289105c2cfcd3e3f1b841744a7d

Download Submit
C:\Windows\{B382BE5B-9876-41dc-8ED9-50C264E42D64}.exe

Filesize
380KB

MD5
f7aec6ed336e9e913f6b56d67ef5061c

SHA1
66f592ee8cd69451e1b05989397ab0cd7ebf38d9

SHA256
df52430565e879af65e84e366a44a265d8b8c8b300d69eeef479e01105d42beb

SHA512
1a448c1e288767f1bc7a7e8c0b44ec644872bed611edf83cb6a4c69def96abab5d448764c0780119e30a43e0b6974387df34fc30d31daa4bca3d443b93297cc6

Download Submit
C:\Windows\{F3F7D830-0411-4410-8712-BA4744D30603}.exe

Filesize
380KB

MD5
0134bb2376990dffbc53800e336c587d

SHA1
49baa67d6ceac7dff552ed089de798487297cce2

SHA256
7c7b07936a3fd6064005ece6ba70fab76f699e3bdb0b448c2d256a73995593d0

SHA512
9188c2152ae44d86da94f605535ce217d86b7d05c34f06013f58306732385a149514e44e85c10f614b22d5f284bf14d1e79dd007e855976cb3e5a1c30d6516be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads