fc4319a2f7625f342debcd3e2f64f4c87db5127838b506eb2eef9673c04d01b0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 18:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Size

408KB
MD5

3bd9ae7226c412e3e6a9291732140a72
SHA1

bd941ff83e8bf3d80d85b512f64565b2c8bb17ae
SHA256

fc4319a2f7625f342debcd3e2f64f4c87db5127838b506eb2eef9673c04d01b0
SHA512

ff4e5008117b897b4727bf15cd447572901e953f9cadc57879c6a7e6ef4423d0cda1706391ea9f9fa7a196d7bcb37bf544dce7f8ac9747ce49f2b3dba81e3949
SSDEEP

3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG4ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023206-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023201-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023201-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}\stubpath = "C:\\Windows\\{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe"	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C17323-FBB3-47b3-B594-1768C08D0465}\stubpath = "C:\\Windows\\{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe"	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}	{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}\stubpath = "C:\\Windows\\{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe"	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B86473-3161-44f2-93CB-64D049E18A66}\stubpath = "C:\\Windows\\{A1B86473-3161-44f2-93CB-64D049E18A66}.exe"	{2A030667-049F-475f-85FB-703DAEF56030}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}\stubpath = "C:\\Windows\\{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe"	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C17323-FBB3-47b3-B594-1768C08D0465}	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E75EDD26-4A7A-4aad-833D-9ECC15914163}	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E778678C-9AF1-48cc-A389-DB9DC69CA87F}\stubpath = "C:\\Windows\\{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe"	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}\stubpath = "C:\\Windows\\{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe"	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A030667-049F-475f-85FB-703DAEF56030}	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B86473-3161-44f2-93CB-64D049E18A66}	{2A030667-049F-475f-85FB-703DAEF56030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}\stubpath = "C:\\Windows\\{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe"	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}\stubpath = "C:\\Windows\\{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}.exe"	{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E75EDD26-4A7A-4aad-833D-9ECC15914163}\stubpath = "C:\\Windows\\{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe"	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CCE013E-3539-4564-9A57-BD94CFA3BA93}	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E778678C-9AF1-48cc-A389-DB9DC69CA87F}	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A030667-049F-475f-85FB-703DAEF56030}\stubpath = "C:\\Windows\\{2A030667-049F-475f-85FB-703DAEF56030}.exe"	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CCE013E-3539-4564-9A57-BD94CFA3BA93}\stubpath = "C:\\Windows\\{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe"	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe

Executes dropped EXE 12 IoCs

pid	Process
2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe
116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe
1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe
2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe
1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe
4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe
2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe
3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe
644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe
4316	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe
3912	{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe
2540	{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe
File created	C:\Windows\{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe
File created	C:\Windows\{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe
File created	C:\Windows\{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe
File created	C:\Windows\{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}.exe	{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe
File created	C:\Windows\{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe
File created	C:\Windows\{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe
File created	C:\Windows\{A1B86473-3161-44f2-93CB-64D049E18A66}.exe	{2A030667-049F-475f-85FB-703DAEF56030}.exe
File created	C:\Windows\{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe
File created	C:\Windows\{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
File created	C:\Windows\{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe
File created	C:\Windows\{2A030667-049F-475f-85FB-703DAEF56030}.exe	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3236	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe
Token: SeIncBasePriorityPrivilege	116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe
Token: SeIncBasePriorityPrivilege	1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe
Token: SeIncBasePriorityPrivilege	2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe
Token: SeIncBasePriorityPrivilege	1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe
Token: SeIncBasePriorityPrivilege	4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe
Token: SeIncBasePriorityPrivilege	2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe
Token: SeIncBasePriorityPrivilege	3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe
Token: SeIncBasePriorityPrivilege	644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe
Token: SeIncBasePriorityPrivilege	4316	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe
Token: SeIncBasePriorityPrivilege	3912	{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 2428	3236	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	97
PID 3236 wrote to memory of 2428	3236	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	97
PID 3236 wrote to memory of 2428	3236	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	97
PID 3236 wrote to memory of 4596	3236	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	98
PID 3236 wrote to memory of 4596	3236	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	98
PID 3236 wrote to memory of 4596	3236	2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe	98
PID 2428 wrote to memory of 116	2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe	99
PID 2428 wrote to memory of 116	2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe	99
PID 2428 wrote to memory of 116	2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe	99
PID 2428 wrote to memory of 4696	2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe	100
PID 2428 wrote to memory of 4696	2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe	100
PID 2428 wrote to memory of 4696	2428	{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe	100
PID 116 wrote to memory of 1008	116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe	102
PID 116 wrote to memory of 1008	116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe	102
PID 116 wrote to memory of 1008	116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe	102
PID 116 wrote to memory of 1876	116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe	103
PID 116 wrote to memory of 1876	116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe	103
PID 116 wrote to memory of 1876	116	{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe	103
PID 1008 wrote to memory of 2712	1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe	104
PID 1008 wrote to memory of 2712	1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe	104
PID 1008 wrote to memory of 2712	1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe	104
PID 1008 wrote to memory of 860	1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe	105
PID 1008 wrote to memory of 860	1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe	105
PID 1008 wrote to memory of 860	1008	{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe	105
PID 2712 wrote to memory of 1636	2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe	106
PID 2712 wrote to memory of 1636	2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe	106
PID 2712 wrote to memory of 1636	2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe	106
PID 2712 wrote to memory of 2968	2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe	107
PID 2712 wrote to memory of 2968	2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe	107
PID 2712 wrote to memory of 2968	2712	{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe	107
PID 1636 wrote to memory of 4480	1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe	108
PID 1636 wrote to memory of 4480	1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe	108
PID 1636 wrote to memory of 4480	1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe	108
PID 1636 wrote to memory of 5084	1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe	109
PID 1636 wrote to memory of 5084	1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe	109
PID 1636 wrote to memory of 5084	1636	{2A030667-049F-475f-85FB-703DAEF56030}.exe	109
PID 4480 wrote to memory of 2012	4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe	110
PID 4480 wrote to memory of 2012	4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe	110
PID 4480 wrote to memory of 2012	4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe	110
PID 4480 wrote to memory of 3680	4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe	111
PID 4480 wrote to memory of 3680	4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe	111
PID 4480 wrote to memory of 3680	4480	{A1B86473-3161-44f2-93CB-64D049E18A66}.exe	111
PID 2012 wrote to memory of 3212	2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe	112
PID 2012 wrote to memory of 3212	2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe	112
PID 2012 wrote to memory of 3212	2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe	112
PID 2012 wrote to memory of 4844	2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe	113
PID 2012 wrote to memory of 4844	2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe	113
PID 2012 wrote to memory of 4844	2012	{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe	113
PID 3212 wrote to memory of 644	3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe	114
PID 3212 wrote to memory of 644	3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe	114
PID 3212 wrote to memory of 644	3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe	114
PID 3212 wrote to memory of 432	3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe	115
PID 3212 wrote to memory of 432	3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe	115
PID 3212 wrote to memory of 432	3212	{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe	115
PID 644 wrote to memory of 4316	644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe	116
PID 644 wrote to memory of 4316	644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe	116
PID 644 wrote to memory of 4316	644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe	116
PID 644 wrote to memory of 1680	644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe	117
PID 644 wrote to memory of 1680	644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe	117
PID 644 wrote to memory of 1680	644	{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe	117
PID 4316 wrote to memory of 3912	4316	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe	118
PID 4316 wrote to memory of 3912	4316	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe	118
PID 4316 wrote to memory of 3912	4316	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe	118
PID 4316 wrote to memory of 4416	4316	{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_3bd9ae7226c412e3e6a9291732140a72_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe
  C:\Windows\{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe
    C:\Windows\{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe
      C:\Windows\{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Windows\{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe
        
        C:\Windows\{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{2A030667-049F-475f-85FB-703DAEF56030}.exe
        
        C:\Windows\{2A030667-049F-475f-85FB-703DAEF56030}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{A1B86473-3161-44f2-93CB-64D049E18A66}.exe
        
        C:\Windows\{A1B86473-3161-44f2-93CB-64D049E18A66}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe
        
        C:\Windows\{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe
        
        C:\Windows\{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe
        
        C:\Windows\{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe
        
        C:\Windows\{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe
        
        C:\Windows\{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}.exe
        
        C:\Windows\{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}.exe
        13⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4C17~1.EXE > nul
        13⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4F8E~1.EXE > nul
        12⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DEEC~1.EXE > nul
        11⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2CF8~1.EXE > nul
        10⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F1C~1.EXE > nul
        9⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1B86~1.EXE > nul
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A030~1.EXE > nul
        7⤵
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7786~1.EXE > nul
        6⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2214D~1.EXE > nul
        5⤵
        
        PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2CCE0~1.EXE > nul
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E75ED~1.EXE > nul
    3⤵
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2214DDDB-73E3-47e4-8AE0-27BD043AEDDA}.exe

Filesize
408KB

MD5
c170651596a599e0e53cc38febcafe4b

SHA1
b58b14932112b26ea6b2798119956fda52db0cb7

SHA256
b65d32e1d31ec478daa601160a644c8d028a4abeff33a5b4810ad2aa53209101

SHA512
b9325b13ebe681f9fd174fe0f1d9d0d01626b56342c0042691b411381f905afcbcdec73f4639ada2c4c0b49e5380cc23623a620e35999e899a845f4835e2549b

Download Submit
C:\Windows\{2A030667-049F-475f-85FB-703DAEF56030}.exe

Filesize
408KB

MD5
23fc4f91f8ce62c69eb76edda6ba8448

SHA1
56971c3294867ce9c4ff504ac51cad40a17b8cb5

SHA256
c1167f9c1240992a47d6ed37fb992bcf838a08d815d6086f374e52ee5c3de0ed

SHA512
fcd94c28a5ba5e7e20f3a6c57ecb0469905c4769fc240418a25089a5c9267dec71f137358d9812735217181c703366f3891d155a1518c2d7a6d0fca8526abced

Download Submit
C:\Windows\{2CCE013E-3539-4564-9A57-BD94CFA3BA93}.exe

Filesize
408KB

MD5
357e601ef1a9be913849c956875d5cfb

SHA1
4066552b7cbaa5d92864b4adcb0c9420a81d9b88

SHA256
6127ddfa4ea2b2e3c4c4a8d3761d4663528301f04475f140b728bcc169af4f9e

SHA512
eb97521b3091a8fdaa1d20219f3fda3c5f1a815b2995e5a4a9e771562942da580184397bf6d77dd930d7d97b37c8dabe1f1de271cd1a03a6297eee2b1e11be41

Download Submit
C:\Windows\{3E38379F-4B06-45ad-AE4D-A55AA7B761A5}.exe

Filesize
408KB

MD5
900d7fe8a6e2dd4cc8cb16c15d824d7e

SHA1
5f24928b49d8dfb93030a3a303411aec05abce0d

SHA256
20035ee040ae1acc0681ebe0e8fcaf980d1df45cc9f7fc56bc272b1808892d66

SHA512
c60f5d8e8ebebb044f108778c0d3b32e581f7bb779be2d67215930fd5ee2f312bd939fa63ccb85bed9cda380e47f00b7ec13b46c43c54c7f4d29c3de089b331c

Download Submit
C:\Windows\{88F1C262-F51E-4bc6-B399-42A02A6A2AF5}.exe

Filesize
408KB

MD5
9cd1cceb86c21930a37e9b6b6e46cf0f

SHA1
ddabcb7d4cda90bd9ff424e3cadecf20052bcdf8

SHA256
686c048ebd3daa67a3d512cba526cd04175d7b2b6aa6d31e6015164fe49dbe92

SHA512
fb06b95d10dc6973d0a30332056118f7cc8c95d5f344a50b15054242ca2819eec5093ebd74cf04f2dc61ff8d201f7894d36d9df1bbcd87524493ff96fcba1178

Download Submit
C:\Windows\{9DEEC7C1-A979-43ff-A1DD-19ADA89893E5}.exe

Filesize
408KB

MD5
3495f0062d4bf3b9c92503def68bd6df

SHA1
0f7c1d129fd72c5e246f16cdc19b0f7c90325064

SHA256
f7aa462e5e58d2911d43b1c3e9cc0d5fd16d13bfd67956b402e62deb9f5ef6cc

SHA512
3d1efd9a7dbf6e575ef4e0d4058aec69766726877c9af7910d95c2390e9c90e1ab9c5554067302ced33b61029614b29038359a1afab0b5d8d158cbe7b34096c3

Download Submit
C:\Windows\{A1B86473-3161-44f2-93CB-64D049E18A66}.exe

Filesize
408KB

MD5
534a78d4d77d35a8fe77148c79ab30ba

SHA1
c948e214fa17eb61cf26377f6eb88cc7dd1b929f

SHA256
7ee9961a79caea3ced91d30294de93614f93a088b9353a2cd682dc96b60022af

SHA512
302d87606d653790dfe9f6ee2867fecc406ffef1beaad2789e2ff61de59d76933469acb2841a95776ee58bd7d47ade235ffcbe976198ec31a12ae843c634e5a9

Download Submit
C:\Windows\{A4C17323-FBB3-47b3-B594-1768C08D0465}.exe

Filesize
408KB

MD5
724ea361cc38715a63bb2a98cf8d9acb

SHA1
f92e395d794b3ac775bdf6e05fb8f1b73cfaf30c

SHA256
9f4a69088a7adb86540b249cec4da18e74a1de30d679899b554214fac48d3776

SHA512
a7f914a3633207c7f84870482072d43ef2e899db6fb4de3fabd72cad5208943c9378b076ba1dce67192cf32a2fb6055f195dfafdc59be1a81098f9f4baf645b4

Download Submit
C:\Windows\{D4F8E91F-C6EB-44ee-8CDF-96DC6EE23B23}.exe

Filesize
408KB

MD5
c6c9465286accd61b5b17141e01b0de0

SHA1
5ce00e6709736e45190e5d816053f83f1cfea691

SHA256
47d988c6cc0454273c889d4c3cfe73b5914a0335910417777e8d4e6434ae8f7c

SHA512
cf874c187688627943d1c722f5060f3ef6b28e5b84e03cd35bf73e99d155954e1c5627cf034632cc466ca8ad0b2be2bdee0d863854dd9a260421a7923f3e3565

Download Submit
C:\Windows\{E75EDD26-4A7A-4aad-833D-9ECC15914163}.exe

Filesize
408KB

MD5
fc8515e026ef2aafc8233416f803abb9

SHA1
88f9974c8876a05000fd24e126dabedaf7c28f5f

SHA256
6d6504b324b639d477cd7ba0619f40decbef7ee42eefcaf7d34cd911ac95d782

SHA512
9a3859595762818b651311044a47c80dd786a750b8be43618022baa1ebe605938f6e4ea1259cbaee23150eec6e3a6c9038550034ab94f0f6304aa76f22801bf3

Download Submit
C:\Windows\{E778678C-9AF1-48cc-A389-DB9DC69CA87F}.exe

Filesize
408KB

MD5
c4a24d5c673183594577973cbd088bd7

SHA1
59f2c67ba5a9642e611141250cbb07d495c67f92

SHA256
300c01890df5800467571177dd90c80da0ff2ada934ae4ac8d6cf5e7b68a77f0

SHA512
82b5687d14d326649bf2e98f47d5e5d05028f7a6e9a13fc97860feecef76d28704beeea53e466694ec12c08e5ce4459337caf278854c15911f5f3b32d21720fd

Download Submit
C:\Windows\{F2CF829A-024A-41e8-8BC2-9F63877F4F8E}.exe

Filesize
408KB

MD5
78676b61bc6df6da41d883562f60fdc8

SHA1
88601f3f61d66955121fe70854cca4af17a049dd

SHA256
6de384a6adab0f1526419c6769d197a9d4fff99877611831fab53149bd56d607

SHA512
e46b727bbf9eb887f72e632bda47b1a23c55aa517c88825fd95a8ba5253633ae3668d3d9f4d187268323f0a5e52714357d3e8c43e8ea7ca5283898cd0992a3d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads