65fe210acb7b5c75f214300dbc0731a1d8646d990237e434a27c56b4bc85d981

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe
Size

216KB
MD5

e3e4959489cb3a62c8e40c9a0d40a97b
SHA1

4e23879e251c270d51e6b55e25361ca9a9676cf2
SHA256

65fe210acb7b5c75f214300dbc0731a1d8646d990237e434a27c56b4bc85d981
SHA512

7d1708bf45b17667cb81f583c2a92b3cf7c8a2d552c24f20f0aa97e8c8468b28bdff4b81b43691566c580ed3182ddee3c91ce20b67ac9a7123be569617b204d5
SSDEEP

3072:jEGh0oBl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG3lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231fa-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023202-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023209-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023202-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}	{6B341307-4978-4094-B53A-6C234B3EE853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}\stubpath = "C:\\Windows\\{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe"	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}\stubpath = "C:\\Windows\\{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe"	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F462136-A538-496d-8EED-6400E407423C}	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}	{0F462136-A538-496d-8EED-6400E407423C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}\stubpath = "C:\\Windows\\{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe"	{0F462136-A538-496d-8EED-6400E407423C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB5F3FB-4C16-4982-8E25-63A0264593AA}	{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12E699A6-9263-444c-A354-B5D2B2119D6D}	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12E699A6-9263-444c-A354-B5D2B2119D6D}\stubpath = "C:\\Windows\\{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe"	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}\stubpath = "C:\\Windows\\{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe"	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F6B87D8-22EF-4d82-B263-7CE5899209E0}	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B341307-4978-4094-B53A-6C234B3EE853}	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}\stubpath = "C:\\Windows\\{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe"	{6B341307-4978-4094-B53A-6C234B3EE853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4850B10E-24EE-4421-8C72-42CFB22895D9}	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F462136-A538-496d-8EED-6400E407423C}\stubpath = "C:\\Windows\\{0F462136-A538-496d-8EED-6400E407423C}.exe"	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}\stubpath = "C:\\Windows\\{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe"	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F6B87D8-22EF-4d82-B263-7CE5899209E0}\stubpath = "C:\\Windows\\{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe"	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4850B10E-24EE-4421-8C72-42CFB22895D9}\stubpath = "C:\\Windows\\{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe"	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B341307-4978-4094-B53A-6C234B3EE853}\stubpath = "C:\\Windows\\{6B341307-4978-4094-B53A-6C234B3EE853}.exe"	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB5F3FB-4C16-4982-8E25-63A0264593AA}\stubpath = "C:\\Windows\\{AFB5F3FB-4C16-4982-8E25-63A0264593AA}.exe"	{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe

Executes dropped EXE 12 IoCs

pid	Process
3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe
1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe
3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe
4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe
3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe
4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe
4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe
2628	{0F462136-A538-496d-8EED-6400E407423C}.exe
2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe
2408	{6B341307-4978-4094-B53A-6C234B3EE853}.exe
2464	{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe
4060	{AFB5F3FB-4C16-4982-8E25-63A0264593AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe
File created	C:\Windows\{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe
File created	C:\Windows\{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe
File created	C:\Windows\{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe
File created	C:\Windows\{0F462136-A538-496d-8EED-6400E407423C}.exe	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe
File created	C:\Windows\{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe	{0F462136-A538-496d-8EED-6400E407423C}.exe
File created	C:\Windows\{6B341307-4978-4094-B53A-6C234B3EE853}.exe	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe
File created	C:\Windows\{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe	{6B341307-4978-4094-B53A-6C234B3EE853}.exe
File created	C:\Windows\{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe
File created	C:\Windows\{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe
File created	C:\Windows\{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe
File created	C:\Windows\{AFB5F3FB-4C16-4982-8E25-63A0264593AA}.exe	{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2024	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe
Token: SeIncBasePriorityPrivilege	1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe
Token: SeIncBasePriorityPrivilege	3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe
Token: SeIncBasePriorityPrivilege	4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe
Token: SeIncBasePriorityPrivilege	3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe
Token: SeIncBasePriorityPrivilege	4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe
Token: SeIncBasePriorityPrivilege	4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe
Token: SeIncBasePriorityPrivilege	2628	{0F462136-A538-496d-8EED-6400E407423C}.exe
Token: SeIncBasePriorityPrivilege	2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe
Token: SeIncBasePriorityPrivilege	2408	{6B341307-4978-4094-B53A-6C234B3EE853}.exe
Token: SeIncBasePriorityPrivilege	2464	{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3244	2024	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe	96
PID 2024 wrote to memory of 3244	2024	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe	96
PID 2024 wrote to memory of 3244	2024	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe	96
PID 2024 wrote to memory of 2732	2024	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe	97
PID 2024 wrote to memory of 2732	2024	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe	97
PID 2024 wrote to memory of 2732	2024	2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe	97
PID 3244 wrote to memory of 1440	3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe	98
PID 3244 wrote to memory of 1440	3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe	98
PID 3244 wrote to memory of 1440	3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe	98
PID 3244 wrote to memory of 3388	3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe	99
PID 3244 wrote to memory of 3388	3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe	99
PID 3244 wrote to memory of 3388	3244	{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe	99
PID 1440 wrote to memory of 3100	1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe	101
PID 1440 wrote to memory of 3100	1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe	101
PID 1440 wrote to memory of 3100	1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe	101
PID 1440 wrote to memory of 1492	1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe	102
PID 1440 wrote to memory of 1492	1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe	102
PID 1440 wrote to memory of 1492	1440	{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe	102
PID 3100 wrote to memory of 4204	3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe	103
PID 3100 wrote to memory of 4204	3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe	103
PID 3100 wrote to memory of 4204	3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe	103
PID 3100 wrote to memory of 1868	3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe	104
PID 3100 wrote to memory of 1868	3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe	104
PID 3100 wrote to memory of 1868	3100	{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe	104
PID 4204 wrote to memory of 3888	4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe	105
PID 4204 wrote to memory of 3888	4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe	105
PID 4204 wrote to memory of 3888	4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe	105
PID 4204 wrote to memory of 4884	4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe	106
PID 4204 wrote to memory of 4884	4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe	106
PID 4204 wrote to memory of 4884	4204	{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe	106
PID 3888 wrote to memory of 4560	3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe	107
PID 3888 wrote to memory of 4560	3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe	107
PID 3888 wrote to memory of 4560	3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe	107
PID 3888 wrote to memory of 3184	3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe	108
PID 3888 wrote to memory of 3184	3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe	108
PID 3888 wrote to memory of 3184	3888	{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe	108
PID 4560 wrote to memory of 4116	4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe	109
PID 4560 wrote to memory of 4116	4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe	109
PID 4560 wrote to memory of 4116	4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe	109
PID 4560 wrote to memory of 4940	4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe	110
PID 4560 wrote to memory of 4940	4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe	110
PID 4560 wrote to memory of 4940	4560	{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe	110
PID 4116 wrote to memory of 2628	4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe	111
PID 4116 wrote to memory of 2628	4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe	111
PID 4116 wrote to memory of 2628	4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe	111
PID 4116 wrote to memory of 3520	4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe	112
PID 4116 wrote to memory of 3520	4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe	112
PID 4116 wrote to memory of 3520	4116	{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe	112
PID 2628 wrote to memory of 2736	2628	{0F462136-A538-496d-8EED-6400E407423C}.exe	113
PID 2628 wrote to memory of 2736	2628	{0F462136-A538-496d-8EED-6400E407423C}.exe	113
PID 2628 wrote to memory of 2736	2628	{0F462136-A538-496d-8EED-6400E407423C}.exe	113
PID 2628 wrote to memory of 1808	2628	{0F462136-A538-496d-8EED-6400E407423C}.exe	114
PID 2628 wrote to memory of 1808	2628	{0F462136-A538-496d-8EED-6400E407423C}.exe	114
PID 2628 wrote to memory of 1808	2628	{0F462136-A538-496d-8EED-6400E407423C}.exe	114
PID 2736 wrote to memory of 2408	2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe	115
PID 2736 wrote to memory of 2408	2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe	115
PID 2736 wrote to memory of 2408	2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe	115
PID 2736 wrote to memory of 1624	2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe	116
PID 2736 wrote to memory of 1624	2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe	116
PID 2736 wrote to memory of 1624	2736	{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe	116
PID 2408 wrote to memory of 2464	2408	{6B341307-4978-4094-B53A-6C234B3EE853}.exe	117
PID 2408 wrote to memory of 2464	2408	{6B341307-4978-4094-B53A-6C234B3EE853}.exe	117
PID 2408 wrote to memory of 2464	2408	{6B341307-4978-4094-B53A-6C234B3EE853}.exe	117
PID 2408 wrote to memory of 3028	2408	{6B341307-4978-4094-B53A-6C234B3EE853}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_e3e4959489cb3a62c8e40c9a0d40a97b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe
  C:\Windows\{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe
    C:\Windows\{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe
      C:\Windows\{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe
        
        C:\Windows\{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Windows\{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe
        
        C:\Windows\{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe
        
        C:\Windows\{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe
        
        C:\Windows\{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{0F462136-A538-496d-8EED-6400E407423C}.exe
        
        C:\Windows\{0F462136-A538-496d-8EED-6400E407423C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe
        
        C:\Windows\{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{6B341307-4978-4094-B53A-6C234B3EE853}.exe
        
        C:\Windows\{6B341307-4978-4094-B53A-6C234B3EE853}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe
        
        C:\Windows\{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\{AFB5F3FB-4C16-4982-8E25-63A0264593AA}.exe
        
        C:\Windows\{AFB5F3FB-4C16-4982-8E25-63A0264593AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FDBB~1.EXE > nul
        13⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B341~1.EXE > nul
        12⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C05F1~1.EXE > nul
        11⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F462~1.EXE > nul
        10⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4850B~1.EXE > nul
        9⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F6B8~1.EXE > nul
        8⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6164F~1.EXE > nul
        7⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB3AC~1.EXE > nul
        6⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA1E2~1.EXE > nul
        5⤵
        
        PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA95~1.EXE > nul
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{12E69~1.EXE > nul
    3⤵
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F462136-A538-496d-8EED-6400E407423C}.exe

Filesize
216KB

MD5
58f28293d256674ac24c36e62c154e58

SHA1
d4061f67e61d2b9ec862b72b5af293ccd28399d6

SHA256
2212cad50f19013c364f70f06b6ea408bafdadfffe87b6946021f85058b7eb34

SHA512
2a706c272696f13a5c7fe936a547f097df58cfe7b72050d86ac37b1a17d9a31ce063506434deaa18275ae341fb41095bce25a6e01f6d4c580b2c91b17926449f

Download Submit
C:\Windows\{12E699A6-9263-444c-A354-B5D2B2119D6D}.exe

Filesize
216KB

MD5
32a8fe79c4b075b040f33715bcca301d

SHA1
a2679fcb2e7dd55d762535425f1fa3f1d38f713f

SHA256
e415d27c6c9eb75c9d3fa25b76097bfcdf01fd9ec332d0f9086e49f429186bb5

SHA512
b466c43d4dbaa0be35b95576d012af9ee80644b30a866b603387bf33b037644bc484bc558d814110de884eb87b087d6b8e5f568092aa9cfe930bd2df08a5d389

Download Submit
C:\Windows\{3FDBB3A5-55D8-4dbd-B032-905E3C581E31}.exe

Filesize
216KB

MD5
336d58fa24d2511a3bb0c64f459b6498

SHA1
95cb50bba9dcaeef0a628abf511a9e90cc10fda4

SHA256
9defe22bf5f41c680a5c1febf10ec4eb2b3b5689b65fc017fadaa4f26c5cb890

SHA512
47e1c63bb64ea8b1b37e9a454d68927f3fe0812d94517ae5b28030fdb20962710fa112dd1dafc2dd47be14b224b703e2decdb032ff3338b060bc49f790990ed3

Download Submit
C:\Windows\{4850B10E-24EE-4421-8C72-42CFB22895D9}.exe

Filesize
216KB

MD5
3f8d83b426adcf74acbb96af88d8f13f

SHA1
d6f393a2a925955de18cdb8701b4552468788388

SHA256
9329f202896f813d4bc16e24595dbdaf32bd6face58e31a40d43a8c0c4e1d785

SHA512
22a94706b8d3faa5e77f178e6546ec4d40bdc2e80909efadfc3f5067da811e4151f41e1eee2fcaabe50e84429d8c28cdae841a44bf4d3730643e9e00080de8b7

Download Submit
C:\Windows\{6164FC3A-D7AB-4e03-BA91-ACA13CDE8ACE}.exe

Filesize
216KB

MD5
25ffa07513d247870563d0fc87ae21a0

SHA1
45562c524c26bd0cac8dfbabf02cd77410b918a3

SHA256
24cd585233f2d07e6ece43b008d6fc02c20673eb6c7cc748d3f78dcf1c9c9224

SHA512
86d6b1a43e2c8777b256876763691a42a4fddd33eea9f9b75349440c1048d94a2910c104e4b8040f18d8c3fa49ca1bd979adfbf7ba5b826c9ca20e470ad33cd3

Download Submit
C:\Windows\{6B341307-4978-4094-B53A-6C234B3EE853}.exe

Filesize
216KB

MD5
e1f2d8d347ecf326c073f2aed3f108fc

SHA1
6af97c62908e01dc39efd156bd086cb3942918f5

SHA256
2da008cac50d68062001eb7d2cb3b3bcba857d2ca6046b1af491348fdaaf2b9a

SHA512
b5d7dce44ff9e89c3323403e6c0d29116a6cfd5dbdc44d18d2200010e41c19db15027f1d6e882470bddb7d50427d793b17df42a3187d696866fe2f19ce726466

Download Submit
C:\Windows\{6F6B87D8-22EF-4d82-B263-7CE5899209E0}.exe

Filesize
216KB

MD5
16b4a04331554c3acc76a5941490167a

SHA1
f4628b018d81de5bb144f281756ce41549482100

SHA256
efd7f9118e95471814033aaaadb6a8af0a9db14b4842dc5669df610c9bbc0045

SHA512
870f32bab9bdb0e2c87e9e164449568873e53dcef13cf918eef98503bf3090e9ae2386d3b7d15454d3fe6d52b0c971e854505a64106d6c95f830243c05ed85e7

Download Submit
C:\Windows\{AFA95D80-30FD-410e-9305-C4AB8CFB9F8E}.exe

Filesize
216KB

MD5
07a926a97a3d8f4524c48e242962eb88

SHA1
8510d2df41c8da7103ed1457bcb57df0239acb24

SHA256
ea78beeffa307e28e925df06eff4dfd5e9111ca4070dec53a27993fde15f0988

SHA512
acbc8a9263102b442e2e696abab4d34100dba1331d25c40c49ac83151e39e91848f81c1a513a062c2fda35b677667e74db949e8b7b6e0e98f4fc0cec9e28e1e2

Download Submit
C:\Windows\{AFB5F3FB-4C16-4982-8E25-63A0264593AA}.exe

Filesize
216KB

MD5
9cb09e88d4d523cda77f5d595ce896c3

SHA1
48b42e4de73146f87d83511946361042a677d09a

SHA256
5b12a90bce8659878a6150b9efd39e3d5960d742d9d94095bd86e42d54fd46f1

SHA512
38e09a739cb739c7d7592b7e171acadb70c4dcb3b5c69d83ffa9453b29a02710f7e2a6de95b053d01f8d90439d5217690ebd16e7b5dce09bc6831bfb6145e16d

Download Submit
C:\Windows\{C05F1BF8-DB37-4051-854E-E0CCE9EF6944}.exe

Filesize
216KB

MD5
4df3154aa6e28b6eedeb65c844367758

SHA1
2f04818e5a975aefe63f473a04e3d30582229fae

SHA256
af6526e13693ef21300b8c7bfc75399e0fa8f001269d6c9bc5153125e50f2e3e

SHA512
e1d200f9817efb97d99f9980353fac71e8e2ff7518d60a1acd2646d4b0fcd59a6810ad43a85ca317bcb62fc6f06ca20a3ced8a2703a3a2a214251a7464a8a0bc

Download Submit
C:\Windows\{FA1E20DA-EF0B-4832-B251-6B1D9A117D58}.exe

Filesize
216KB

MD5
c683280bd4f8f8b920d1afd978b9e0a1

SHA1
2ac61017b8d4058468393f2a92136dd30ac969d7

SHA256
0168ac052ad261fa5d397d3bc5f7caa34acdc8bbbc5d34cfbedf0fd7acdb76ff

SHA512
9d37711a5c2bbe6ba0dac7c62b046912bf5b45330de380d151204b968e29fe05cec33bfa67d162a5daaee39ea6c4b03e54f1d52b00fbb2519db3541ded5032c5

Download Submit
C:\Windows\{FB3AC9E3-4246-484c-9858-B8A658FA7BDD}.exe

Filesize
216KB

MD5
bb0f93a8798445845e93d87cf957e626

SHA1
cfd8af233ead195b1b24f73bd4ce211a2ac827ad

SHA256
31e6005aec9bc640be5630bcaafeca084e8668a8a3a9c4538e8f98149f5a74ad

SHA512
331c699c5958f725609439583d196326250a9136477778f5dedcc65bac819adda72eaf960e62c88cf00b1f4c1da6dac13c9821c838b2ba61f3c928f612dec187

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads