6f049962a0ceaccb3e07f683ad3d58a64a7ced67995543f2902b8f1cfb3fd3e3

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Size

380KB
MD5

f95b01f8fe2f46edcefbdd1f83d3f54e
SHA1

f2b723b136b2de7ae4442599f4852e949a88a797
SHA256

6f049962a0ceaccb3e07f683ad3d58a64a7ced67995543f2902b8f1cfb3fd3e3
SHA512

9cd9f7f2cb80c0be4dc0cfa3a1c7430317e43c9c8b468c75e5c3486b2f5664f68370c45573954871651b8a651f5f22ed4c61f3562870e9fdce0495eab35d90e5
SSDEEP

3072:mEGh0oIlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002319a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f7-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002319a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d42-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAF8C338-EB4C-43ff-BD8F-C6996E206147}	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB25BE45-F391-470c-944C-EB28F583B06D}	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{966E16DC-D280-4978-8E0E-A8238B86CA3F}	{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}\stubpath = "C:\\Windows\\{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe"	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F438750E-2A21-4968-95F8-3168D0AEA3B9}	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F438750E-2A21-4968-95F8-3168D0AEA3B9}\stubpath = "C:\\Windows\\{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe"	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29690E8C-B62A-4d2a-9553-9551AB0B764A}\stubpath = "C:\\Windows\\{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe"	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09111772-AACA-46c0-9684-0B7E52AA65BF}\stubpath = "C:\\Windows\\{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe"	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB25BE45-F391-470c-944C-EB28F583B06D}\stubpath = "C:\\Windows\\{AB25BE45-F391-470c-944C-EB28F583B06D}.exe"	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40073B54-ADB8-4920-ABAB-CC6023B330CE}	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40073B54-ADB8-4920-ABAB-CC6023B330CE}\stubpath = "C:\\Windows\\{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe"	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}\stubpath = "C:\\Windows\\{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe"	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}\stubpath = "C:\\Windows\\{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe"	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E0B1CF-D06A-4671-8C2C-BC562753503A}\stubpath = "C:\\Windows\\{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe"	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF44AFD8-AD53-464d-B750-5C037D20BC33}	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF44AFD8-AD53-464d-B750-5C037D20BC33}\stubpath = "C:\\Windows\\{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe"	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29690E8C-B62A-4d2a-9553-9551AB0B764A}	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{966E16DC-D280-4978-8E0E-A8238B86CA3F}\stubpath = "C:\\Windows\\{966E16DC-D280-4978-8E0E-A8238B86CA3F}.exe"	{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09111772-AACA-46c0-9684-0B7E52AA65BF}	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAF8C338-EB4C-43ff-BD8F-C6996E206147}\stubpath = "C:\\Windows\\{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe"	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E0B1CF-D06A-4671-8C2C-BC562753503A}	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe

Executes dropped EXE 12 IoCs

pid	Process
3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe
3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe
984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe
1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe
4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe
4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe
232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe
4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe
4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe
2288	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe
1500	{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe
5072	{966E16DC-D280-4978-8E0E-A8238B86CA3F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AB25BE45-F391-470c-944C-EB28F583B06D}.exe	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe
File created	C:\Windows\{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe
File created	C:\Windows\{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe
File created	C:\Windows\{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe
File created	C:\Windows\{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
File created	C:\Windows\{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe
File created	C:\Windows\{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe
File created	C:\Windows\{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe
File created	C:\Windows\{966E16DC-D280-4978-8E0E-A8238B86CA3F}.exe	{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe
File created	C:\Windows\{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe
File created	C:\Windows\{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe
File created	C:\Windows\{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	652	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe
Token: SeIncBasePriorityPrivilege	3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe
Token: SeIncBasePriorityPrivilege	984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe
Token: SeIncBasePriorityPrivilege	1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe
Token: SeIncBasePriorityPrivilege	4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe
Token: SeIncBasePriorityPrivilege	4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe
Token: SeIncBasePriorityPrivilege	232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe
Token: SeIncBasePriorityPrivilege	4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe
Token: SeIncBasePriorityPrivilege	4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe
Token: SeIncBasePriorityPrivilege	2288	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe
Token: SeIncBasePriorityPrivilege	1500	{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 3184	652	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	96
PID 652 wrote to memory of 3184	652	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	96
PID 652 wrote to memory of 3184	652	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	96
PID 652 wrote to memory of 4160	652	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	97
PID 652 wrote to memory of 4160	652	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	97
PID 652 wrote to memory of 4160	652	2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe	97
PID 3184 wrote to memory of 3264	3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe	98
PID 3184 wrote to memory of 3264	3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe	98
PID 3184 wrote to memory of 3264	3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe	98
PID 3184 wrote to memory of 4404	3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe	99
PID 3184 wrote to memory of 4404	3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe	99
PID 3184 wrote to memory of 4404	3184	{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe	99
PID 3264 wrote to memory of 984	3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe	101
PID 3264 wrote to memory of 984	3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe	101
PID 3264 wrote to memory of 984	3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe	101
PID 3264 wrote to memory of 3784	3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe	102
PID 3264 wrote to memory of 3784	3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe	102
PID 3264 wrote to memory of 3784	3264	{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe	102
PID 984 wrote to memory of 1196	984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe	103
PID 984 wrote to memory of 1196	984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe	103
PID 984 wrote to memory of 1196	984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe	103
PID 984 wrote to memory of 1148	984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe	104
PID 984 wrote to memory of 1148	984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe	104
PID 984 wrote to memory of 1148	984	{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe	104
PID 1196 wrote to memory of 4972	1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe	105
PID 1196 wrote to memory of 4972	1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe	105
PID 1196 wrote to memory of 4972	1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe	105
PID 1196 wrote to memory of 3776	1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe	106
PID 1196 wrote to memory of 3776	1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe	106
PID 1196 wrote to memory of 3776	1196	{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe	106
PID 4972 wrote to memory of 4312	4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe	107
PID 4972 wrote to memory of 4312	4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe	107
PID 4972 wrote to memory of 4312	4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe	107
PID 4972 wrote to memory of 2988	4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe	108
PID 4972 wrote to memory of 2988	4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe	108
PID 4972 wrote to memory of 2988	4972	{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe	108
PID 4312 wrote to memory of 232	4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe	109
PID 4312 wrote to memory of 232	4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe	109
PID 4312 wrote to memory of 232	4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe	109
PID 4312 wrote to memory of 5076	4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe	110
PID 4312 wrote to memory of 5076	4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe	110
PID 4312 wrote to memory of 5076	4312	{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe	110
PID 232 wrote to memory of 4448	232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe	111
PID 232 wrote to memory of 4448	232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe	111
PID 232 wrote to memory of 4448	232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe	111
PID 232 wrote to memory of 608	232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe	112
PID 232 wrote to memory of 608	232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe	112
PID 232 wrote to memory of 608	232	{AB25BE45-F391-470c-944C-EB28F583B06D}.exe	112
PID 4448 wrote to memory of 4820	4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe	113
PID 4448 wrote to memory of 4820	4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe	113
PID 4448 wrote to memory of 4820	4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe	113
PID 4448 wrote to memory of 2144	4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe	114
PID 4448 wrote to memory of 2144	4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe	114
PID 4448 wrote to memory of 2144	4448	{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe	114
PID 4820 wrote to memory of 2288	4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe	115
PID 4820 wrote to memory of 2288	4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe	115
PID 4820 wrote to memory of 2288	4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe	115
PID 4820 wrote to memory of 2052	4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe	116
PID 4820 wrote to memory of 2052	4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe	116
PID 4820 wrote to memory of 2052	4820	{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe	116
PID 2288 wrote to memory of 1500	2288	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe	117
PID 2288 wrote to memory of 1500	2288	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe	117
PID 2288 wrote to memory of 1500	2288	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe	117
PID 2288 wrote to memory of 956	2288	{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_f95b01f8fe2f46edcefbdd1f83d3f54e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe
  C:\Windows\{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe
    C:\Windows\{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe
      C:\Windows\{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe
        
        C:\Windows\{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe
        
        C:\Windows\{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe
        
        C:\Windows\{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{AB25BE45-F391-470c-944C-EB28F583B06D}.exe
        
        C:\Windows\{AB25BE45-F391-470c-944C-EB28F583B06D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe
        
        C:\Windows\{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe
        
        C:\Windows\{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe
        
        C:\Windows\{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe
        
        C:\Windows\{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{966E16DC-D280-4978-8E0E-A8238B86CA3F}.exe
        
        C:\Windows\{966E16DC-D280-4978-8E0E-A8238B86CA3F}.exe
        13⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29690~1.EXE > nul
        13⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{456F1~1.EXE > nul
        12⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF44A~1.EXE > nul
        11⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40073~1.EXE > nul
        10⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB25B~1.EXE > nul
        9⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30E0B~1.EXE > nul
        8⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAF8C~1.EXE > nul
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4387~1.EXE > nul
        6⤵
        
        PID:3776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09111~1.EXE > nul
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FB25~1.EXE > nul
      4⤵
      PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FB9CA~1.EXE > nul
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09111772-AACA-46c0-9684-0B7E52AA65BF}.exe

Filesize
380KB

MD5
194a63ac084f6e822083ec3cd6093742

SHA1
0f0b38e087281aa31639c9865771d20fb99a1028

SHA256
b9124d30132c1eadcc4744e1e8621e0c670d16f93dd6b7d10b7cfaf944a8c416

SHA512
c7b729b5d624139dff6e7e014df3a74346e09d84c4ac7857903d9870b27febbbe9809d7ee401d7019a399ec3a28e0dcaac8e3c117a4581bd81edc3b3292ea853

Download Submit
C:\Windows\{29690E8C-B62A-4d2a-9553-9551AB0B764A}.exe

Filesize
380KB

MD5
0c7341c4d544fe39c43d37b5d5557a5d

SHA1
5ff975244443d745a49f2a7305e787db9a6c3876

SHA256
7783a43f7dfbc64a035f7d78178eef969c0af5fcb1c0e14a0e47df82a0d77c42

SHA512
ea1b7027940b7564471900f43821a9d71cc028b5e2cf915ed3ffc8cdf285f5e4fcd89cd999f3f771b680f4b3ac983fa5a9e1be854608394885b3d3333e077af0

Download Submit
C:\Windows\{30E0B1CF-D06A-4671-8C2C-BC562753503A}.exe

Filesize
380KB

MD5
1a7646c963109fbf334a9904def83753

SHA1
3148b518f3f230bd46b21ca955bf171650938b80

SHA256
8786fb82b39c745fde7d28607f665259dbd6ccd7e23c7127b14dd6b512a5b958

SHA512
208db947cfb28fa4146b3de4ecbe043c270804a08087e50f2f568800d9e8d28333f2dc101755852c931a88d09ad58edbdb1d7fcec0c22bccd1b733ea4b55a228

Download Submit
C:\Windows\{40073B54-ADB8-4920-ABAB-CC6023B330CE}.exe

Filesize
380KB

MD5
4dbd23469e9d79a9d1bb2150fb9fdea3

SHA1
833257f5a3f661cebeb64075aaefa52a214e8d19

SHA256
fdab48302b0731cf3502a72c63ca161ab9f794278b9c93f194de0ce50828330c

SHA512
6b98fdb2184e978ab076fd56c24b3fbfa5fb87a62b232ffd6edefc8fff8a05487f6f2c8ba12a7db9a3f6d5378156fefb394e3b5bbf2f729b4828b8342e1f3bec

Download Submit
C:\Windows\{456F1DDA-9DD3-443e-9ABF-F196F7655EB1}.exe

Filesize
380KB

MD5
130ce5235513b4f72171e2e1a816ce28

SHA1
94be423189e47c582f8130a6c4abd61f67871199

SHA256
8797ff8ff1aae00d142b38d59ec7b7554f5e1c6cda8c7ad24b2f2a6872ce06ec

SHA512
1124c224b012c730134720eaf315c61750baf5b70979c27c8202478df0fc37eef1af1144a96733cb1651f471a8ed6a0baf1be64a014bc9694e592b9cf317cab0

Download Submit
C:\Windows\{5FB25007-CCDC-414a-AFBE-399D69A2BD5A}.exe

Filesize
380KB

MD5
7132969dfc6c89eddd30bb676000a7a3

SHA1
9fa360a7873411c71948f0a8f11b2da2569d116b

SHA256
283b2cee410ea9732a5bbb2ff3a124311a3add1fa0308f74da531c88099b2f2a

SHA512
72bfecfd66e75070a3603ab56cc3671cc70e7b025f4e141cfcd74a725c11042a91bdc35857dec0638a5b04222e5087bced46c1b9c8209558b900ccb5009c6857

Download Submit
C:\Windows\{966E16DC-D280-4978-8E0E-A8238B86CA3F}.exe

Filesize
380KB

MD5
c26aae7f85ab23fa3f36af23beaca294

SHA1
74e10d87a02e730c997805094fb60b77b805be8a

SHA256
467c6596cfb0bd0285fefc134acdc296761b2adc0171a63ef516183c6f13814b

SHA512
e3631001feb193794b3126c9b36782440686868566319ba5a359eb7650bfb4ea1ae00a2fb1a6bc3f65f6e1a18029df79f79a881766d441d55efed886438569c0

Download Submit
C:\Windows\{AB25BE45-F391-470c-944C-EB28F583B06D}.exe

Filesize
380KB

MD5
4a4ec1574d0b8ad98a5b13c1641d2edb

SHA1
eac9e900eddee184f9726b96e31e2681d51479bc

SHA256
49eb93440973eb685701a0e52a90957dac32e1e4858fd32db1fa1c5de44e8bce

SHA512
f6cecab2e9ede119c36a6e75370f38ab02a17c061f642daf61883b36d72cc07dd81d4cfb9fe93089c22eb9cf631f3dc931b0114f3755750620147a6da98305a0

Download Submit
C:\Windows\{BAF8C338-EB4C-43ff-BD8F-C6996E206147}.exe

Filesize
380KB

MD5
967b2ee63ae10dfddfcd6cd3880b2f2e

SHA1
427417979aea56a16bd153eed4314f16ef0f7123

SHA256
942d4f0f4e0676e11d866205225e48dd062e210fc8751281aab9c39f25c49d99

SHA512
d1a988c1e26cd2201ad66c85fccfcb8042447be67d736453883d3e962d0b5f933d3629b17b528a82e88f380a92281fe348b137fdffd94a159c478d63e599bc1f

Download Submit
C:\Windows\{CF44AFD8-AD53-464d-B750-5C037D20BC33}.exe

Filesize
380KB

MD5
96d89a17269394c8b30dd5897d098705

SHA1
6e473b74b9112e6aa7b082d41423b66f3f67392a

SHA256
ee5097d05bb659f36e1e49417665eed80e48c29d051dac3bc033af99338e8a91

SHA512
968aa94f0567830201ece93b9926771a47f657c6ec05cf4c0ea57d4d4fe106842fc3a1be63b18eab3b98076aee1563bca9d6884f9309d72b1a79ff512be5e8b1

Download Submit
C:\Windows\{F438750E-2A21-4968-95F8-3168D0AEA3B9}.exe

Filesize
380KB

MD5
2b94a0ff09fc057768e9ea2d90711db4

SHA1
aca52078643be73f1a24382bfebe2f801073c946

SHA256
a101d9b9897131975e14705f7df010ce02094f560dad1021d3c436f64c5e02f7

SHA512
ae6443eeeae29428b8816526d054689ec656523b29f52226cc7e82b219160ea0a4126d5e11c9c09b1176f5d298be345d8b3e3333eaab5f7fef44922241a6f587

Download Submit
C:\Windows\{FB9CAA8E-7E53-490d-92C7-DE0CA19C2A30}.exe

Filesize
380KB

MD5
fdf3be80b575f6bce7226ca3f385dced

SHA1
e5d4edcd2f85908391f096eea830c970969898f7

SHA256
a4c13f78c85f488a8e8dfaab3a0b00a37569c1434a0d78d489f73a5f6fedd8db

SHA512
d681621a0bbbe5342b6d6c360231c5bbaaafbb99d533b69ef8d2cb0cddab38cde1dd7ff78126a96ed013eed51a46a671ef3048f7ad2b3f4c1a6840bf518104c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads