c95a52bc974ee93b7316f498a32b0e91f1d0f7aa09fec0600093bf9370f5ef41

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe
Size

180KB
MD5

e1823958ea7bb7b4439758b0f3c80349
SHA1

8a0498cabf182a0fd8301a1b146088db1878b10b
SHA256

c95a52bc974ee93b7316f498a32b0e91f1d0f7aa09fec0600093bf9370f5ef41
SHA512

0005d6451aa27beda109c1378e597969c053504d86b163a8147cfacbcb902297a350365e6342289d0a532da34d546345737d19837c24bc3fa7f265d483da7ac9
SSDEEP

3072:jEGh0oblfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGZl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023225-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002322d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023234-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002322d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006d5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000006d5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006d5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87F95675-812E-453b-9322-E1EBB3B59CFC}\stubpath = "C:\\Windows\\{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe"	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12169B12-EB2B-45c9-8153-26FB13D22D13}\stubpath = "C:\\Windows\\{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe"	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6174216-A6A6-4091-94C2-906B884F24C9}\stubpath = "C:\\Windows\\{F6174216-A6A6-4091-94C2-906B884F24C9}.exe"	{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87F95675-812E-453b-9322-E1EBB3B59CFC}	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8257F5E3-E903-4442-A4BC-F5793A4FAC27}	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8257F5E3-E903-4442-A4BC-F5793A4FAC27}\stubpath = "C:\\Windows\\{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe"	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}\stubpath = "C:\\Windows\\{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe"	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}\stubpath = "C:\\Windows\\{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe"	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E529427F-D6E2-418d-B772-4AEFDB00AFE4}\stubpath = "C:\\Windows\\{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe"	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12169B12-EB2B-45c9-8153-26FB13D22D13}	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC1454A2-2413-40a1-93BC-E2965CD160F8}	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC1454A2-2413-40a1-93BC-E2965CD160F8}\stubpath = "C:\\Windows\\{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe"	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{269B3A72-3293-439a-A841-5AE257409FBB}	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{269B3A72-3293-439a-A841-5AE257409FBB}\stubpath = "C:\\Windows\\{269B3A72-3293-439a-A841-5AE257409FBB}.exe"	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2A952AC-B2D7-4fb4-986B-7096413631A6}\stubpath = "C:\\Windows\\{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe"	{269B3A72-3293-439a-A841-5AE257409FBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}\stubpath = "C:\\Windows\\{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe"	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CFF56B6-E999-4a53-961A-EC2289DC517D}\stubpath = "C:\\Windows\\{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe"	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6174216-A6A6-4091-94C2-906B884F24C9}	{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2A952AC-B2D7-4fb4-986B-7096413631A6}	{269B3A72-3293-439a-A841-5AE257409FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CFF56B6-E999-4a53-961A-EC2289DC517D}	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E529427F-D6E2-418d-B772-4AEFDB00AFE4}	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe
2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe
4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe
2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe
3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe
1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe
2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe
3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe
2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe
3124	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe
544	{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe
4404	{F6174216-A6A6-4091-94C2-906B884F24C9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe
File created	C:\Windows\{F6174216-A6A6-4091-94C2-906B884F24C9}.exe	{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe
File created	C:\Windows\{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe
File created	C:\Windows\{269B3A72-3293-439a-A841-5AE257409FBB}.exe	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe
File created	C:\Windows\{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe	{269B3A72-3293-439a-A841-5AE257409FBB}.exe
File created	C:\Windows\{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe
File created	C:\Windows\{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe
File created	C:\Windows\{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe
File created	C:\Windows\{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe
File created	C:\Windows\{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe
File created	C:\Windows\{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe
File created	C:\Windows\{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1340	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe
Token: SeIncBasePriorityPrivilege	2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe
Token: SeIncBasePriorityPrivilege	4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe
Token: SeIncBasePriorityPrivilege	2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe
Token: SeIncBasePriorityPrivilege	3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe
Token: SeIncBasePriorityPrivilege	1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe
Token: SeIncBasePriorityPrivilege	2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe
Token: SeIncBasePriorityPrivilege	3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe
Token: SeIncBasePriorityPrivilege	2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe
Token: SeIncBasePriorityPrivilege	3124	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe
Token: SeIncBasePriorityPrivilege	544	{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1044	1340	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe	96
PID 1340 wrote to memory of 1044	1340	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe	96
PID 1340 wrote to memory of 1044	1340	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe	96
PID 1340 wrote to memory of 3304	1340	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe	97
PID 1340 wrote to memory of 3304	1340	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe	97
PID 1340 wrote to memory of 3304	1340	2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe	97
PID 1044 wrote to memory of 2688	1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe	98
PID 1044 wrote to memory of 2688	1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe	98
PID 1044 wrote to memory of 2688	1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe	98
PID 1044 wrote to memory of 2556	1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe	99
PID 1044 wrote to memory of 2556	1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe	99
PID 1044 wrote to memory of 2556	1044	{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe	99
PID 2688 wrote to memory of 4812	2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe	101
PID 2688 wrote to memory of 4812	2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe	101
PID 2688 wrote to memory of 4812	2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe	101
PID 2688 wrote to memory of 3552	2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe	102
PID 2688 wrote to memory of 3552	2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe	102
PID 2688 wrote to memory of 3552	2688	{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe	102
PID 4812 wrote to memory of 2996	4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe	103
PID 4812 wrote to memory of 2996	4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe	103
PID 4812 wrote to memory of 2996	4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe	103
PID 4812 wrote to memory of 2000	4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe	104
PID 4812 wrote to memory of 2000	4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe	104
PID 4812 wrote to memory of 2000	4812	{269B3A72-3293-439a-A841-5AE257409FBB}.exe	104
PID 2996 wrote to memory of 3464	2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe	105
PID 2996 wrote to memory of 3464	2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe	105
PID 2996 wrote to memory of 3464	2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe	105
PID 2996 wrote to memory of 3776	2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe	106
PID 2996 wrote to memory of 3776	2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe	106
PID 2996 wrote to memory of 3776	2996	{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe	106
PID 3464 wrote to memory of 1864	3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe	107
PID 3464 wrote to memory of 1864	3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe	107
PID 3464 wrote to memory of 1864	3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe	107
PID 3464 wrote to memory of 1272	3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe	108
PID 3464 wrote to memory of 1272	3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe	108
PID 3464 wrote to memory of 1272	3464	{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe	108
PID 1864 wrote to memory of 2008	1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe	109
PID 1864 wrote to memory of 2008	1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe	109
PID 1864 wrote to memory of 2008	1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe	109
PID 1864 wrote to memory of 2500	1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe	110
PID 1864 wrote to memory of 2500	1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe	110
PID 1864 wrote to memory of 2500	1864	{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe	110
PID 2008 wrote to memory of 3228	2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe	111
PID 2008 wrote to memory of 3228	2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe	111
PID 2008 wrote to memory of 3228	2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe	111
PID 2008 wrote to memory of 4432	2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe	112
PID 2008 wrote to memory of 4432	2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe	112
PID 2008 wrote to memory of 4432	2008	{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe	112
PID 3228 wrote to memory of 2628	3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe	113
PID 3228 wrote to memory of 2628	3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe	113
PID 3228 wrote to memory of 2628	3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe	113
PID 3228 wrote to memory of 4044	3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe	114
PID 3228 wrote to memory of 4044	3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe	114
PID 3228 wrote to memory of 4044	3228	{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe	114
PID 2628 wrote to memory of 3124	2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe	115
PID 2628 wrote to memory of 3124	2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe	115
PID 2628 wrote to memory of 3124	2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe	115
PID 2628 wrote to memory of 4160	2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe	116
PID 2628 wrote to memory of 4160	2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe	116
PID 2628 wrote to memory of 4160	2628	{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe	116
PID 3124 wrote to memory of 544	3124	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe	117
PID 3124 wrote to memory of 544	3124	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe	117
PID 3124 wrote to memory of 544	3124	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe	117
PID 3124 wrote to memory of 4392	3124	{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_e1823958ea7bb7b4439758b0f3c80349_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe
  C:\Windows\{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe
    C:\Windows\{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{269B3A72-3293-439a-A841-5AE257409FBB}.exe
      C:\Windows\{269B3A72-3293-439a-A841-5AE257409FBB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe
        
        C:\Windows\{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe
        
        C:\Windows\{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe
        
        C:\Windows\{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe
        
        C:\Windows\{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe
        
        C:\Windows\{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe
        
        C:\Windows\{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe
        
        C:\Windows\{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe
        
        C:\Windows\{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\{F6174216-A6A6-4091-94C2-906B884F24C9}.exe
        
        C:\Windows\{F6174216-A6A6-4091-94C2-906B884F24C9}.exe
        13⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5294~1.EXE > nul
        13⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFF5~1.EXE > nul
        12⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECDAD~1.EXE > nul
        11⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18C08~1.EXE > nul
        10⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12169~1.EXE > nul
        9⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D72C~1.EXE > nul
        8⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8257F~1.EXE > nul
        7⤵
        
        PID:1272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2A95~1.EXE > nul
        6⤵
        
        PID:3776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{269B3~1.EXE > nul
        5⤵
        
        PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BC145~1.EXE > nul
      4⤵
      PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87F95~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12169B12-EB2B-45c9-8153-26FB13D22D13}.exe

Filesize
180KB

MD5
607c047d28e48ccbb1d7447355fd2533

SHA1
bdfe678196a7c919966186876570926a75530aac

SHA256
ce4284c665a5c86b09850a94ea8fd1ef0f6964aa6a367f5fd29c2cc8244f892d

SHA512
9dca177d45227f9dc96ad8cb3eaecf350aee1ca44bff80ed0b18f69728fd61c6bb5acbfc60a6e2670e2c2b9327fcfdd33302cfc2245267079e69a77723462613

Download Submit
C:\Windows\{18C08ACC-1315-40db-9E8D-D6D7BF733D1A}.exe

Filesize
180KB

MD5
4c81fcba5707907d2f974b0ec5095df8

SHA1
3aa5587636cbf23aa785231c8d5e5fd46987425e

SHA256
33e5c9567bc71d9131a8f1b39622aa0e91c6ea5e8e1156b3acb12aac693f50d0

SHA512
c6fb4a43292f0a649ebc755a11873c0dcc1b65ea53ab71af5f0d92fa3a56bd22b49bac20122dd7be01408085fd52712c92d2d1a297de738a1e92afb00f7d9ff7

Download Submit
C:\Windows\{269B3A72-3293-439a-A841-5AE257409FBB}.exe

Filesize
180KB

MD5
dd45ca7085e5b9a45784be27291cfcf3

SHA1
1969b1c74eebc60514114b55700318dd92b6da74

SHA256
760079f75eec70cf7e6f91f21ef763c61d1d9e2fee03ca5fabf7f38ebc64d12c

SHA512
ff4d6213edf9259890f915329ef7f856de6045847dac59e0381b42ed82b75e0998ea21767958f07feabc45404c3e9f2e30b0ca9d95e0a9aacc337be51440d8e7

Download Submit
C:\Windows\{2D72C3EF-CF49-4727-93B6-6E4E22A3B55B}.exe

Filesize
180KB

MD5
5e04712198615c729066920d1e7e0c8f

SHA1
8aaed3ece70847f2b63f29427f8fd83f7a3f074d

SHA256
b7e7b8a9c8c75eeed837d00b88f45e876d5da5ed10da773eed52bbf71e62dd16

SHA512
a60a66b09b228e573a5c4542409de72ae7780628c3ead2babe5e3c6297b8c9fb2c570747c4164724638babb3bee421804e97266036b4906d141fd878c3fc5e98

Download Submit
C:\Windows\{5CFF56B6-E999-4a53-961A-EC2289DC517D}.exe

Filesize
180KB

MD5
662765560afd0c75325fce70ce4f03ce

SHA1
5acba6912a8c1c235807fd4b7121450487b44248

SHA256
8bb53eef62444403e099a0d173d9226dbef2d4193c36669fbd3b3cdd5b1ab34b

SHA512
415d18c77af46bab515368a4c9c04fcc2049e2959678a37c1d046b1bf28679799a66704f4ee8456e6188a764f98aed920c8ad2efa6406ac5501ee9dcb4e40701

Download Submit
C:\Windows\{8257F5E3-E903-4442-A4BC-F5793A4FAC27}.exe

Filesize
180KB

MD5
bb10d8ed61e0987d4e47f44c487fb4ec

SHA1
c20248b1b128e7564f78588617f7f106ad35ff0a

SHA256
09c1e45acb339530bd175982b541ddc01508227cb07c5b6fa3fbceebb60ff69e

SHA512
57b9cb020c2413ec2c630db64d248edd209e4b2742005d291722efc49fc6b130e379d73b4a8860dfa54888cf151c37f26d9b9cf3bae3521aefb4e608c75ba4c2

Download Submit
C:\Windows\{87F95675-812E-453b-9322-E1EBB3B59CFC}.exe

Filesize
180KB

MD5
654b819cdc599dc7bd3dabd9131eb508

SHA1
411d431740b86b0239a164252b936147a1d02527

SHA256
3636ca1e50b8ddc2aa85f644e5152674cf5fe0c3793f4aecca37c3a6ffaa597d

SHA512
769bfea6afa13a79213971c7e211becdee33e5ea3dd6f8b77b205589b5473ffa2509fce006cff8e6700366c334fa1afebba552174e9be722f4fef1edf7306e0c

Download Submit
C:\Windows\{BC1454A2-2413-40a1-93BC-E2965CD160F8}.exe

Filesize
180KB

MD5
d4283ff39fc968a34fe17594b52589eb

SHA1
906e44251a471f4f35fb88b40b1db32c699ecdfc

SHA256
c70d09e6ee13a4f3a73c3185e20b9cbc394cf2ab34ab74c7e839fe33e11d5264

SHA512
88ded40822de192ffaee9565da9bc197ad8fcb68e61a766f369aaff7410177d3e622e5caa407e4cb7ca0546bccd81ce1e3a461075962629dd554953d35eba436

Download Submit
C:\Windows\{E2A952AC-B2D7-4fb4-986B-7096413631A6}.exe

Filesize
180KB

MD5
f12fff0475c280ad2335e50f04714a1a

SHA1
9dc38c056584417d63e78ec5b2b252c30e16145e

SHA256
d74f54f8bb927165139719df89951b201847a433df7638175a79ef4533a76149

SHA512
2a6ad932fbcd5061a808e05ab3f1d072456de38edc2c7afe756f34c7c364e4dc9e9456883b79ad4f2e3ef7c7113423643dedd0c0b1dff8b32ce2050088134e42

Download Submit
C:\Windows\{E529427F-D6E2-418d-B772-4AEFDB00AFE4}.exe

Filesize
180KB

MD5
7242364326f333ebb25fcb419d68648f

SHA1
42155a61fdc9d2b5d90d41059929fdcc90f5477d

SHA256
e696c7e98c75af41cdd17e326e1c2600896c64f993e1147e72a00f62436a58dc

SHA512
ac63bf32b6cac0113f898b83c09a2e5b362b1513d6540b1a7276f77e5b4af3011bed67ce82fc7f9d615329a326d21f87ecf546c336557acf136385330d2cd051

Download Submit
C:\Windows\{ECDADF82-B3F9-4e0c-9699-0D2BBCCA1D65}.exe

Filesize
180KB

MD5
9cb1c4efb8a8104b6eb99e92ace9ca04

SHA1
30ec4e84aacadb0d1adca6be51aa20c7f7c1869a

SHA256
b0f19fcd868ecf061726b377a7c9dd0cee19d9e4633c08a1346d0813a7dacc36

SHA512
80b7d461ce60b181297524144b70090da1aa4c1f48815ee211383acdccec185ba1fbb341d1958932d187710d1af3a47bc500f48bf48d8eed76e5be87a5536f32

Download Submit
C:\Windows\{F6174216-A6A6-4091-94C2-906B884F24C9}.exe

Filesize
180KB

MD5
e5e2ac372e205d35de27cec88015108f

SHA1
07885f4903ddd01b49e95bc7cb9480ec454c2216

SHA256
0c51a0c1d6f0dc63326ede2cee35b934a7dfd68926bb09bb81de059fcc048475

SHA512
2abb30eacb84d8a1692cda50bdb0492aceaa90d91d00b8eedd7a0084f7fa65d32784c24fac16e6c55cad931e72e733b824129f8ef20b6df0c254d10e69409f6e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads