d3d3ed679b181d1d2467b7a2314b6148ff1ddf30b6bfb557ae1816df3635d13c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe
Size

197KB
MD5

9dbd6af397555824fb7c58da23e7c4a0
SHA1

7f770ae62dcebc902fab13561885ea128d1f433b
SHA256

d3d3ed679b181d1d2467b7a2314b6148ff1ddf30b6bfb557ae1816df3635d13c
SHA512

42c7a959dec27e7cba8434d9d39dd8b6202aab954e1a4f6da39bab2c069723c77984a65fba0ce6c4715bfe3c44d25dd8b2f56b05bd321098f670e6e9c64bd272
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGjlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002321f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322e-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023227-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{573508A0-8E65-4856-B2D8-D076247B47DB}	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56261D71-9D33-4cfd-B840-7541ECA7BAB0}	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56261D71-9D33-4cfd-B840-7541ECA7BAB0}\stubpath = "C:\\Windows\\{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe"	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}\stubpath = "C:\\Windows\\{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe"	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0CF3CCB-7111-452a-8211-B0A2B84502C0}	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0CF3CCB-7111-452a-8211-B0A2B84502C0}\stubpath = "C:\\Windows\\{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe"	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FC581C4-F390-4c4c-BA9B-F85B03303740}\stubpath = "C:\\Windows\\{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe"	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA65B391-E58C-47b8-942D-FB643F133A24}\stubpath = "C:\\Windows\\{EA65B391-E58C-47b8-942D-FB643F133A24}.exe"	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9CF5B0C-9753-40b6-9CC4-2050FE581597}\stubpath = "C:\\Windows\\{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe"	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE398626-64B9-40ce-8B9A-97D8035D0A55}\stubpath = "C:\\Windows\\{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe"	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}\stubpath = "C:\\Windows\\{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe"	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{981123D0-45B1-49b9-A95A-944E52916580}\stubpath = "C:\\Windows\\{981123D0-45B1-49b9-A95A-944E52916580}.exe"	{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FC581C4-F390-4c4c-BA9B-F85B03303740}	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9CF5B0C-9753-40b6-9CC4-2050FE581597}	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}\stubpath = "C:\\Windows\\{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe"	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{573508A0-8E65-4856-B2D8-D076247B47DB}\stubpath = "C:\\Windows\\{573508A0-8E65-4856-B2D8-D076247B47DB}.exe"	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{981123D0-45B1-49b9-A95A-944E52916580}	{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}\stubpath = "C:\\Windows\\{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe"	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA65B391-E58C-47b8-942D-FB643F133A24}	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE398626-64B9-40ce-8B9A-97D8035D0A55}	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe

Executes dropped EXE 12 IoCs

pid	Process
4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe
1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe
2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe
3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe
5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe
4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe
2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe
552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe
2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe
3856	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe
2960	{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe
4924	{981123D0-45B1-49b9-A95A-944E52916580}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe
File created	C:\Windows\{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe
File created	C:\Windows\{EA65B391-E58C-47b8-942D-FB643F133A24}.exe	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe
File created	C:\Windows\{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe
File created	C:\Windows\{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe
File created	C:\Windows\{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe
File created	C:\Windows\{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe
File created	C:\Windows\{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe
File created	C:\Windows\{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe
File created	C:\Windows\{573508A0-8E65-4856-B2D8-D076247B47DB}.exe	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe
File created	C:\Windows\{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe
File created	C:\Windows\{981123D0-45B1-49b9-A95A-944E52916580}.exe	{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3972	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe
Token: SeIncBasePriorityPrivilege	1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe
Token: SeIncBasePriorityPrivilege	2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe
Token: SeIncBasePriorityPrivilege	3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe
Token: SeIncBasePriorityPrivilege	5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe
Token: SeIncBasePriorityPrivilege	4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe
Token: SeIncBasePriorityPrivilege	2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe
Token: SeIncBasePriorityPrivilege	552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe
Token: SeIncBasePriorityPrivilege	2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe
Token: SeIncBasePriorityPrivilege	3856	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe
Token: SeIncBasePriorityPrivilege	2960	{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4956	3972	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe	96
PID 3972 wrote to memory of 4956	3972	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe	96
PID 3972 wrote to memory of 4956	3972	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe	96
PID 3972 wrote to memory of 4084	3972	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe	97
PID 3972 wrote to memory of 4084	3972	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe	97
PID 3972 wrote to memory of 4084	3972	2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe	97
PID 4956 wrote to memory of 1420	4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe	98
PID 4956 wrote to memory of 1420	4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe	98
PID 4956 wrote to memory of 1420	4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe	98
PID 4956 wrote to memory of 5044	4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe	99
PID 4956 wrote to memory of 5044	4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe	99
PID 4956 wrote to memory of 5044	4956	{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe	99
PID 1420 wrote to memory of 2220	1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe	101
PID 1420 wrote to memory of 2220	1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe	101
PID 1420 wrote to memory of 2220	1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe	101
PID 1420 wrote to memory of 4556	1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe	102
PID 1420 wrote to memory of 4556	1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe	102
PID 1420 wrote to memory of 4556	1420	{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe	102
PID 2220 wrote to memory of 3604	2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe	103
PID 2220 wrote to memory of 3604	2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe	103
PID 2220 wrote to memory of 3604	2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe	103
PID 2220 wrote to memory of 728	2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe	104
PID 2220 wrote to memory of 728	2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe	104
PID 2220 wrote to memory of 728	2220	{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe	104
PID 3604 wrote to memory of 5012	3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe	105
PID 3604 wrote to memory of 5012	3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe	105
PID 3604 wrote to memory of 5012	3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe	105
PID 3604 wrote to memory of 3228	3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe	106
PID 3604 wrote to memory of 3228	3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe	106
PID 3604 wrote to memory of 3228	3604	{EA65B391-E58C-47b8-942D-FB643F133A24}.exe	106
PID 5012 wrote to memory of 4380	5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe	107
PID 5012 wrote to memory of 4380	5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe	107
PID 5012 wrote to memory of 4380	5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe	107
PID 5012 wrote to memory of 2368	5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe	108
PID 5012 wrote to memory of 2368	5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe	108
PID 5012 wrote to memory of 2368	5012	{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe	108
PID 4380 wrote to memory of 2840	4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe	109
PID 4380 wrote to memory of 2840	4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe	109
PID 4380 wrote to memory of 2840	4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe	109
PID 4380 wrote to memory of 2188	4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe	110
PID 4380 wrote to memory of 2188	4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe	110
PID 4380 wrote to memory of 2188	4380	{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe	110
PID 2840 wrote to memory of 552	2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe	111
PID 2840 wrote to memory of 552	2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe	111
PID 2840 wrote to memory of 552	2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe	111
PID 2840 wrote to memory of 4520	2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe	112
PID 2840 wrote to memory of 4520	2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe	112
PID 2840 wrote to memory of 4520	2840	{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe	112
PID 552 wrote to memory of 2568	552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe	113
PID 552 wrote to memory of 2568	552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe	113
PID 552 wrote to memory of 2568	552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe	113
PID 552 wrote to memory of 2548	552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe	114
PID 552 wrote to memory of 2548	552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe	114
PID 552 wrote to memory of 2548	552	{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe	114
PID 2568 wrote to memory of 3856	2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe	115
PID 2568 wrote to memory of 3856	2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe	115
PID 2568 wrote to memory of 3856	2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe	115
PID 2568 wrote to memory of 2288	2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe	116
PID 2568 wrote to memory of 2288	2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe	116
PID 2568 wrote to memory of 2288	2568	{573508A0-8E65-4856-B2D8-D076247B47DB}.exe	116
PID 3856 wrote to memory of 2960	3856	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe	117
PID 3856 wrote to memory of 2960	3856	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe	117
PID 3856 wrote to memory of 2960	3856	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe	117
PID 3856 wrote to memory of 4872	3856	{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_9dbd6af397555824fb7c58da23e7c4a0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe
  C:\Windows\{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe
    C:\Windows\{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe
      C:\Windows\{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\{EA65B391-E58C-47b8-942D-FB643F133A24}.exe
        
        C:\Windows\{EA65B391-E58C-47b8-942D-FB643F133A24}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe
        
        C:\Windows\{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe
        
        C:\Windows\{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe
        
        C:\Windows\{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe
        
        C:\Windows\{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{573508A0-8E65-4856-B2D8-D076247B47DB}.exe
        
        C:\Windows\{573508A0-8E65-4856-B2D8-D076247B47DB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe
        
        C:\Windows\{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe
        
        C:\Windows\{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\{981123D0-45B1-49b9-A95A-944E52916580}.exe
        
        C:\Windows\{981123D0-45B1-49b9-A95A-944E52916580}.exe
        13⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4F9C~1.EXE > nul
        13⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CF3~1.EXE > nul
        12⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57350~1.EXE > nul
        11⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06C48~1.EXE > nul
        10⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDECE~1.EXE > nul
        9⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE398~1.EXE > nul
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9CF5~1.EXE > nul
        7⤵
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA65B~1.EXE > nul
        6⤵
        
        PID:3228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56261~1.EXE > nul
        5⤵
        
        PID:728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA45~1.EXE > nul
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4FC58~1.EXE > nul
    3⤵
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06C4835D-EC96-4aec-B8F1-4CB436AACA3A}.exe

Filesize
197KB

MD5
6c517ba26d3030118604bf446fe9d5c3

SHA1
50d90b23ba64d5a5b28f29c4cacc475aa1cfca62

SHA256
4765e26351ecdc7b867961f12adfa1160be25d554c6e1b180dfab409597c513c

SHA512
6f9eca5f75baa65589f079944bfcc9bd79abc04c0448fc794feb2dcfe815049ffb4f24e6aece5cbee739117aa490b6882c0f142ee5399b11c3b6baab41e9a86d

Download Submit
C:\Windows\{4FC581C4-F390-4c4c-BA9B-F85B03303740}.exe

Filesize
197KB

MD5
d2a09bcdea911be9af2c388d8f2893e7

SHA1
be352b46d7a15a3550cad01ee906b65fcec4e5ba

SHA256
0ffdb9700d07b42a145e3eafe3c62385a224d6b3b305fb67ce1b51241f0233eb

SHA512
3da9ff6cbfd99791f80472df67d84ed3d41f752783061c9e819fcffa34515ec8313b54a7286c6a7f2a2a1cf69f4101c9c21d9ad3ef65d644522f077c402713f1

Download Submit
C:\Windows\{56261D71-9D33-4cfd-B840-7541ECA7BAB0}.exe

Filesize
197KB

MD5
6188a17466b6dc003f98708737a66768

SHA1
2a37a535b37ce9c21ecf776e9dc192b3207a3b40

SHA256
ca15746d4021fb9d6487f0c3f4707d399333eb68674a1bcc4ae3659405f2e339

SHA512
349c3b3fc860cc5f5ade8dae035428c364548ced3653a5d0e4a656d69d08605e8957c8117309d583903f3c0555a5c618b1ae09e87f8dfe162d3d761898b420fd

Download Submit
C:\Windows\{573508A0-8E65-4856-B2D8-D076247B47DB}.exe

Filesize
197KB

MD5
dbd353ecbe956117a0b1a5ebdfdd0836

SHA1
bbb6dc4de2f2c0d9f7bf2433b101709fa611ca16

SHA256
709a382db160c7d8a054a239fe0a05ced4f5010ab8503477518b42eeb4c10c9a

SHA512
6945a49504205d00da7db53a5069cf04e39e65629d65c41aedfe2ae87f893ab35ffc359b3211072ba99ec92547b0f56e821e1928f1836de2e3abb784c815a75f

Download Submit
C:\Windows\{981123D0-45B1-49b9-A95A-944E52916580}.exe

Filesize
197KB

MD5
55f529523f4f6270097050168ebdc5cc

SHA1
232e5ce959d70b8291f34d4017f26c2f6f1d8037

SHA256
2f648f53ec578deef09e7a51fb91cdeccf4f745299089e0adcac6076ea67f442

SHA512
9f8d2674a86ee3aa1b2054f7391820949f974a4d37f79b98f35f86d0971f32459e4871081a7021cbf2ed7dfa63b499a513aafa9f81565eaa168ddcef775191d5

Download Submit
C:\Windows\{9BA455BE-1D70-4fee-A623-4DA5A675CAA3}.exe

Filesize
197KB

MD5
b8c18488eb17c84d640f3d15ba47ffb2

SHA1
5c8d613249d192dc56b22500f8ae5654f059bca5

SHA256
4c3c8e6784d62864cf0f729309892264eee38e546d22ceb86b9ffc62fad72822

SHA512
a624caface4c789491dd0e13f8d3e07f8f1791940f204a4051502739586c4e8bb1d2367881b19a8f559cc7111abed0af3b557ba1c72d5d11d7599b7b2e2bbf0e

Download Submit
C:\Windows\{B0CF3CCB-7111-452a-8211-B0A2B84502C0}.exe

Filesize
197KB

MD5
e4a9f7eb804a641a9c25d41345430ab1

SHA1
93f6ccc64218fdc58cfc89c44f7ed102ad1687b2

SHA256
0f88675d960b22f7513c7c12d1170f52981d84cc0505e9df786140543edb935c

SHA512
ab94a20e825141b90d6daebe480be6eefef3feaa391d80e856a71b56977d34a1fb7344b704f09d3745cdcc8ddf520ee92df6774e2db78a5c8a92593251eb4ba1

Download Submit
C:\Windows\{D9CF5B0C-9753-40b6-9CC4-2050FE581597}.exe

Filesize
197KB

MD5
5bd7ea219414177ced340bcea609fb81

SHA1
f384ce07aeb43864eb82036f49c9cc1d68877e98

SHA256
3fae4db61b34ee7b3cb445e711913488c3d6ba7531f725caf2c2bebb8757f7ba

SHA512
460648d44ac4cf5df2f5519f5a204c062c61bdc9b564475dcd6d208b76d16f1e2d969fb0c9f0bd0289ed262e8a3fd695626ee6e1d5f7db2dd663c17dfa372d6a

Download Submit
C:\Windows\{DDECEA87-A6AD-4333-80B0-0859E5B4FE3A}.exe

Filesize
197KB

MD5
b49cc92b8076576ef5e0db8de90ae3ad

SHA1
303d93ceb77ab56104a687ca56846c05392d260a

SHA256
b3df6aeeee47b042701b3cfbe9e8e5ff07dc56dc1095504289588cdbc6ee9a90

SHA512
57e711a5cffcd00795b5ec70c3bb72ad32b18fca34d841bd749d0457f89db35279cc281ca73734036810a763fc9a6b387520cf5adfca654e7bd079ce7ea44fd8

Download Submit
C:\Windows\{EA65B391-E58C-47b8-942D-FB643F133A24}.exe

Filesize
197KB

MD5
5b29e510a0a9e5476b1c7ff5553e36b4

SHA1
99fb18f164855b654686970a72d01cace429a972

SHA256
c467100f763a795dc6e0bb9be98837974be1c106a531b058d5b99bf68a9f5664

SHA512
0c1853663c24b8e18622a7afec7ee93577853904b4473ebe0e208a9f362bcf6a0b2598c4198387a925f25e6e596a40fb0e81ea7aeee81061c444a2c2ec12e4a6

Download Submit
C:\Windows\{F4F9CE7B-ABAD-4da2-95FF-001C194ECEF3}.exe

Filesize
197KB

MD5
e17eb735cbeec71f5361a644789e88c3

SHA1
b039eec12c53cc9305e524279f0ca9f3d06d79f1

SHA256
66d7c70d459e27216d253f3037fc5a8e2a3a11bf78ee9996bdfecaed98a99c4f

SHA512
93dbd65ea602ff50ef08054d156f084e5379dc95e0e46b4024254c0c176acefd4c126682a991a8b622d987fa4cd9a8dc02eb022318ae52eeef09280fc881e46f

Download Submit
C:\Windows\{FE398626-64B9-40ce-8B9A-97D8035D0A55}.exe

Filesize
197KB

MD5
d035aa6777193f01f24412e5b19e402d

SHA1
6c1af08235784f7466e216da8cbc4b5eda05b547

SHA256
9de64e45690187acf56e4cb7d60d348dc16ffc8deb34316c9e55d5bd614b10cf

SHA512
72e05bacb9c8946a3d3aac2b2f94511aa5dd29328660266047eab7751fbbc9634bb93ae5a98dc9c2c63bbcf5f83eb2a21ac1e1aa178a608d241c09716002983f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads