710582cf06dbf689f036ea995d273d7fad4e360f8d666d7bbd83cd82e3416d0b

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Size

168KB
MD5

ca560f2a56c345baf900332a40fcfd23
SHA1

a97ed4fc5e88fd25e760da3924fc7020f7481f78
SHA256

710582cf06dbf689f036ea995d273d7fad4e360f8d666d7bbd83cd82e3416d0b
SHA512

c98d8e8d80514ce95978002e0d95975041bb72b1e43722c381f05f43555bff6482a346aecd2c21804774715a887195edf614729c0be36c9bb76ce5b1a2d72b04
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023215-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023215-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B3F2F-1939-431e-88E2-A915F0D899AE}	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC20739C-6435-46f7-BF4E-8205D47D0E32}\stubpath = "C:\\Windows\\{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe"	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}\stubpath = "C:\\Windows\\{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe"	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC20739C-6435-46f7-BF4E-8205D47D0E32}	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50736739-FADA-44a9-A8FA-112BED9D50D3}	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13364BB1-9CFC-4132-B186-9115B66CB9E1}\stubpath = "C:\\Windows\\{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe"	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13364BB1-9CFC-4132-B186-9115B66CB9E1}	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}\stubpath = "C:\\Windows\\{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe"	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}	{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B3F2F-1939-431e-88E2-A915F0D899AE}\stubpath = "C:\\Windows\\{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe"	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}\stubpath = "C:\\Windows\\{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe"	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}\stubpath = "C:\\Windows\\{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe"	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}\stubpath = "C:\\Windows\\{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe"	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}\stubpath = "C:\\Windows\\{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}.exe"	{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}\stubpath = "C:\\Windows\\{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe"	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6913B112-F77C-44b1-A4AD-D398258DD3C9}	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6913B112-F77C-44b1-A4AD-D398258DD3C9}\stubpath = "C:\\Windows\\{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe"	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50736739-FADA-44a9-A8FA-112BED9D50D3}\stubpath = "C:\\Windows\\{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe"	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe

Executes dropped EXE 12 IoCs

pid	Process
8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe
4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe
2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe
792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe
1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe
4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe
3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe
4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe
3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe
1116	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe
5000	{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe
4336	{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe
File created	C:\Windows\{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe
File created	C:\Windows\{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}.exe	{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe
File created	C:\Windows\{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe
File created	C:\Windows\{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe
File created	C:\Windows\{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe
File created	C:\Windows\{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe
File created	C:\Windows\{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe
File created	C:\Windows\{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe
File created	C:\Windows\{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
File created	C:\Windows\{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe
File created	C:\Windows\{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	796	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
Token: SeIncBasePriorityPrivilege	8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe
Token: SeIncBasePriorityPrivilege	4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe
Token: SeIncBasePriorityPrivilege	2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe
Token: SeIncBasePriorityPrivilege	792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe
Token: SeIncBasePriorityPrivilege	1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe
Token: SeIncBasePriorityPrivilege	4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe
Token: SeIncBasePriorityPrivilege	3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe
Token: SeIncBasePriorityPrivilege	4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe
Token: SeIncBasePriorityPrivilege	3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe
Token: SeIncBasePriorityPrivilege	1116	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe
Token: SeIncBasePriorityPrivilege	5000	{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 8	796	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	89
PID 796 wrote to memory of 8	796	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	89
PID 796 wrote to memory of 8	796	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	89
PID 796 wrote to memory of 3728	796	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	90
PID 796 wrote to memory of 3728	796	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	90
PID 796 wrote to memory of 3728	796	2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe	90
PID 8 wrote to memory of 4624	8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe	93
PID 8 wrote to memory of 4624	8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe	93
PID 8 wrote to memory of 4624	8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe	93
PID 8 wrote to memory of 2140	8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe	94
PID 8 wrote to memory of 2140	8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe	94
PID 8 wrote to memory of 2140	8	{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe	94
PID 4624 wrote to memory of 2868	4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe	96
PID 4624 wrote to memory of 2868	4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe	96
PID 4624 wrote to memory of 2868	4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe	96
PID 4624 wrote to memory of 2752	4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe	97
PID 4624 wrote to memory of 2752	4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe	97
PID 4624 wrote to memory of 2752	4624	{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe	97
PID 2868 wrote to memory of 792	2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe	98
PID 2868 wrote to memory of 792	2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe	98
PID 2868 wrote to memory of 792	2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe	98
PID 2868 wrote to memory of 1984	2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe	99
PID 2868 wrote to memory of 1984	2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe	99
PID 2868 wrote to memory of 1984	2868	{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe	99
PID 792 wrote to memory of 1456	792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe	100
PID 792 wrote to memory of 1456	792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe	100
PID 792 wrote to memory of 1456	792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe	100
PID 792 wrote to memory of 1220	792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe	101
PID 792 wrote to memory of 1220	792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe	101
PID 792 wrote to memory of 1220	792	{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe	101
PID 1456 wrote to memory of 4632	1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe	102
PID 1456 wrote to memory of 4632	1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe	102
PID 1456 wrote to memory of 4632	1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe	102
PID 1456 wrote to memory of 392	1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe	103
PID 1456 wrote to memory of 392	1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe	103
PID 1456 wrote to memory of 392	1456	{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe	103
PID 4632 wrote to memory of 3540	4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe	104
PID 4632 wrote to memory of 3540	4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe	104
PID 4632 wrote to memory of 3540	4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe	104
PID 4632 wrote to memory of 692	4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe	105
PID 4632 wrote to memory of 692	4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe	105
PID 4632 wrote to memory of 692	4632	{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe	105
PID 3540 wrote to memory of 4460	3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe	106
PID 3540 wrote to memory of 4460	3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe	106
PID 3540 wrote to memory of 4460	3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe	106
PID 3540 wrote to memory of 4188	3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe	107
PID 3540 wrote to memory of 4188	3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe	107
PID 3540 wrote to memory of 4188	3540	{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe	107
PID 4460 wrote to memory of 3524	4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe	108
PID 4460 wrote to memory of 3524	4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe	108
PID 4460 wrote to memory of 3524	4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe	108
PID 4460 wrote to memory of 3528	4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe	109
PID 4460 wrote to memory of 3528	4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe	109
PID 4460 wrote to memory of 3528	4460	{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe	109
PID 3524 wrote to memory of 1116	3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe	110
PID 3524 wrote to memory of 1116	3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe	110
PID 3524 wrote to memory of 1116	3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe	110
PID 3524 wrote to memory of 5020	3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe	111
PID 3524 wrote to memory of 5020	3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe	111
PID 3524 wrote to memory of 5020	3524	{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe	111
PID 1116 wrote to memory of 5000	1116	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe	112
PID 1116 wrote to memory of 5000	1116	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe	112
PID 1116 wrote to memory of 5000	1116	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe	112
PID 1116 wrote to memory of 1472	1116	{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_ca560f2a56c345baf900332a40fcfd23_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe
  C:\Windows\{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe
    C:\Windows\{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe
      C:\Windows\{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe
        
        C:\Windows\{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
      - C:\Windows\{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe
        
        C:\Windows\{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe
        
        C:\Windows\{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe
        
        C:\Windows\{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe
        
        C:\Windows\{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe
        
        C:\Windows\{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe
        
        C:\Windows\{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe
        
        C:\Windows\{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}.exe
        
        C:\Windows\{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B709~1.EXE > nul
        13⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78534~1.EXE > nul
        12⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13364~1.EXE > nul
        11⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50736~1.EXE > nul
        10⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{867B9~1.EXE > nul
        9⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6913B~1.EXE > nul
        8⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C4B~1.EXE > nul
        7⤵
        
        PID:392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1E7E~1.EXE > nul
        6⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC207~1.EXE > nul
        5⤵
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E487B~1.EXE > nul
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D65B3~1.EXE > nul
    3⤵
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13364BB1-9CFC-4132-B186-9115B66CB9E1}.exe

Filesize
168KB

MD5
fc5501f5bf5ac10c886e5f89f3a4bb14

SHA1
7f4510e2363fe9d16a966dea7a4d9b0433c12f2e

SHA256
f3ff5ae122a799d59a404e0cccdbaea87dba182a85642938ad343ca5d16084d4

SHA512
df4ccf46e5787b74881ac9a585b84018c46f2c116a428f025f986283631dcbe060c133e15edb8c83e4123d948228e41785293ac64945421108f12cf709de4496

Download Submit
C:\Windows\{4B709BC1-23B3-4fee-83C1-8AF7AABB6296}.exe

Filesize
168KB

MD5
edd8f8dd04126f19d8f54caf1e1495a9

SHA1
35c9f1a863ea91357e0471d56a142e952549491c

SHA256
2cfdcde2e56cae7d60b75876d003faa98a5701eadcc9aa9458d1c40171783448

SHA512
3ea1492704bb43681be7d630555fe3eeec1e039792195b1c4e164d8b95215d15b87b34dcd8944d33681d224d3a0b538a699db7fd3d4922684bf9876a24edc7f1

Download Submit
C:\Windows\{50736739-FADA-44a9-A8FA-112BED9D50D3}.exe

Filesize
168KB

MD5
08ad9279d1973f75a30e511a7fa35a7a

SHA1
e06c6825f1b20c3fb8ff50fbdfaddfc2933b1b3d

SHA256
6666dc6c07c0d45645049b7f4bcd88c78853173266a8c0b29dece1750f06c484

SHA512
fa64c2bd026a80f8c11331d39ef6ef6195abf7e2d5d3b09c257c58f619b861b0c65644664bead7ab38b70697a38b8708cb167e1f0bc1797e19297e990d2097c1

Download Submit
C:\Windows\{52C4BC59-FD68-41fd-83FF-AAB25C358B7B}.exe

Filesize
168KB

MD5
ce674c2634bbc222b32eecc1ec08cb4e

SHA1
9a8dd725d13e0b692bc9b02a37483853467da721

SHA256
f2b3f88e38c11961ce9c620f52172b4f5b0843ad949592d7b544ebc5523aeec4

SHA512
da553b802a98c555b20e99ba0670391c95cf7b52b4bdd8f115ad4770ba80b4ac0b1d4fceb63bcf2cb3a458efcfcb861a5c9590ff9c696808918b7e83ce532a11

Download Submit
C:\Windows\{6913B112-F77C-44b1-A4AD-D398258DD3C9}.exe

Filesize
168KB

MD5
a7c87b07fecce79d360e673032dc1509

SHA1
0a0a708e0853f681ffcf3e68115ff9f05701054e

SHA256
5d38a1b1c917f0e20b50736c3586be7decad1898575aee49ef69fdc45b0ad0f2

SHA512
a990b87b1e12626260c9259127f17dfc07370dc1a348525df117e3ada1c462df4215e34e1ee948fb4df46ba0c71946d8a86dd495dab34ae867437cfbceeb6853

Download Submit
C:\Windows\{7853439B-6ECD-43a1-8BA5-A1AC3C3476DA}.exe

Filesize
168KB

MD5
f4b7c16a538937ea61fa36f8dc5f9538

SHA1
67d05dc6799e0464b6a09355043ad4cfe8523b0b

SHA256
470c4a9c12537e89e97713ff35eb2427320d0b1ddcfcd42f0ed7875c16d55e6a

SHA512
42d18b4d7ca0768789b96a3a0599b3af8ac145e6509585ca7ae60361f9a7c22cfd1d42288ecda50fb575b664ab16dd5992b015b373cfbf43dc0e3ff52240b256

Download Submit
C:\Windows\{867B9E07-DA2E-4515-AC25-2FA6EFE5BDF9}.exe

Filesize
168KB

MD5
0b0eb8a35bf45ecd9de0b984a7a36286

SHA1
89a13903849c3ceb6b69aaf22bbd93f386241e82

SHA256
5bf664cfdd933fbe19ddc46803871a2cf11dada2c42f40d92231335859b0574e

SHA512
5d2df3e0cd007dc5172250af631cb7cae23e0888ce97eef7db67e80aed13f2881fc3eb4b9cd5f666cbf7fa0f0019a9f429a7233575f5c94f51cc4e6a48a03476

Download Submit
C:\Windows\{A64FFB8F-3397-4dea-9ABA-797BA6C4F5DC}.exe

Filesize
168KB

MD5
25a8cc6bc6b1764f21a248ba4944b428

SHA1
53b90e772f5c11d746370c9c3f3ed9281ee73870

SHA256
d8a161b635e5c694e75e8d90be3fccb003e55d4ac9b63ac8976f5fed0de14924

SHA512
42040766b6dcee3712227744b6df02b20cb8ce579b46d5a6a27e8446a182bb87ab9e455aa32b746bb31ec9defbace78f2dab813949e670dd8904ef685123fec2

Download Submit
C:\Windows\{B1E7E6FA-663A-4d31-845A-4BE64201BE4D}.exe

Filesize
168KB

MD5
0cf68d141fc6eff7d8424dad43b45161

SHA1
b29d65e42b73537c8c25f303212e68459d9ec9d8

SHA256
c031db639a7aca5981f7272837570234dbc47a1376732b04c80f3eb75f5afa39

SHA512
f0a55e1d74884a405e6101bcf1cee222183e249151575c031513a3dcf34df9018b94437d4fa3520193d2ec37326bc7f8ddb7435a799c4c991acc014e6e7730f5

Download Submit
C:\Windows\{D65B3F2F-1939-431e-88E2-A915F0D899AE}.exe

Filesize
168KB

MD5
507829df455f6658975b57d94a9736f5

SHA1
635fb765377cb6530fbdefc4eb2247917f19f9ea

SHA256
557c096dc053665d39c3feba7a91ea0497a9fbb1bd4e1cab9a1f96cae5c4673f

SHA512
33a30f9ea083d97c7f0088867211cb62affcd25ec68445b400e10b708383e77239938603ca0baf55310e09e21d9bef3541ba7c6358692e1f4c571d13761936f3

Download Submit
C:\Windows\{DC20739C-6435-46f7-BF4E-8205D47D0E32}.exe

Filesize
168KB

MD5
cc519b134c52d5b75ba9561453cb5ebc

SHA1
cefe75b13f889c12fbba27f0fe2bd16ec6949699

SHA256
c30e5234cf6b0be1b0b3de5d15a86b34636f4d535dfe2372b1890387201e758d

SHA512
b69fc993efd8c12311f53cda3160926da340b709566aaa5da0d39866f0f562b0967c3bdcf9ee4ec3c5c125c8c40bfbddd1e047961e272abb3b45e4a6d85c9507

Download Submit
C:\Windows\{E487BA9D-D11F-4bd3-8B8E-AB778047FFD8}.exe

Filesize
168KB

MD5
8226af6f713207075e172c3217bd68d5

SHA1
5a65471f7e9d7ff1405c80f0f5b81121d641b90b

SHA256
0afd25acb6aa96d19705f1c8e7bffd889cce31dc29c195f749f356a5cf9de4f4

SHA512
e5a50408400652f9086e7a3b7fdff75478699b5fe7ea4024c2526e397c3f91ac9d6779cc58a974162228dff71318cbbf4818e6ea2c1a4d29cb41991ee9b99f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads