d56da7c3c7ad4ade89f8a37ca5ef2e8149036a4784e1c55587cb3d29527d0fc5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
Size

168KB
MD5

6426dd1a02569cfc4de05d6a3b5c3c95
SHA1

9acd3aff274640115ac4611c657fcf27691c3662
SHA256

d56da7c3c7ad4ade89f8a37ca5ef2e8149036a4784e1c55587cb3d29527d0fc5
SHA512

6500d743c04037eaa4288ba877b3fab94ab93eb0a84d42e48e673b741ef0f92aa05a6db5be1c4ea4b8c581baf295753ed3c741b66361ceeec9e637ac66781005
SSDEEP

1536:1EGh0ohli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023206-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023201-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023201-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2FD469-1F52-4e2b-821A-733D729C0BBC}	{046C8831-676B-413c-8CB9-D30335E6D841}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6669B98A-F7AC-40a2-B2AA-60BF938A864F}\stubpath = "C:\\Windows\\{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe"	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8439F3-19A9-4d90-8506-FF3581445B79}\stubpath = "C:\\Windows\\{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe"	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DC34FD4-0790-4537-AB80-342E58F908F4}	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51309A55-865A-4aed-8B6B-7C9A54E9332F}\stubpath = "C:\\Windows\\{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe"	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6669B98A-F7AC-40a2-B2AA-60BF938A864F}	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16D0C69F-1B71-4437-A389-CF05BC6526E0}\stubpath = "C:\\Windows\\{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe"	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}\stubpath = "C:\\Windows\\{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe"	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AEF7DD5-CF7C-40fe-85E5-D68011933766}	{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8439F3-19A9-4d90-8506-FF3581445B79}	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AEF7DD5-CF7C-40fe-85E5-D68011933766}\stubpath = "C:\\Windows\\{5AEF7DD5-CF7C-40fe-85E5-D68011933766}.exe"	{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51309A55-865A-4aed-8B6B-7C9A54E9332F}	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{046C8831-676B-413c-8CB9-D30335E6D841}	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{046C8831-676B-413c-8CB9-D30335E6D841}\stubpath = "C:\\Windows\\{046C8831-676B-413c-8CB9-D30335E6D841}.exe"	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{121E9107-CC20-4e98-BAA7-537941EE664C}	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}\stubpath = "C:\\Windows\\{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe"	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B25AE7-0FF9-4051-8B58-EAAA0C588140}	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B25AE7-0FF9-4051-8B58-EAAA0C588140}\stubpath = "C:\\Windows\\{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe"	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{121E9107-CC20-4e98-BAA7-537941EE664C}\stubpath = "C:\\Windows\\{121E9107-CC20-4e98-BAA7-537941EE664C}.exe"	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DC34FD4-0790-4537-AB80-342E58F908F4}\stubpath = "C:\\Windows\\{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe"	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16D0C69F-1B71-4437-A389-CF05BC6526E0}	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2FD469-1F52-4e2b-821A-733D729C0BBC}\stubpath = "C:\\Windows\\{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe"	{046C8831-676B-413c-8CB9-D30335E6D841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe
4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe
1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe
2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe
1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe
3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe
756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe
4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe
3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe
2004	{046C8831-676B-413c-8CB9-D30335E6D841}.exe
4008	{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe
3496	{5AEF7DD5-CF7C-40fe-85E5-D68011933766}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe
File created	C:\Windows\{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe
File created	C:\Windows\{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe
File created	C:\Windows\{5AEF7DD5-CF7C-40fe-85E5-D68011933766}.exe	{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe
File created	C:\Windows\{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
File created	C:\Windows\{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe
File created	C:\Windows\{121E9107-CC20-4e98-BAA7-537941EE664C}.exe	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe
File created	C:\Windows\{046C8831-676B-413c-8CB9-D30335E6D841}.exe	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe
File created	C:\Windows\{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe	{046C8831-676B-413c-8CB9-D30335E6D841}.exe
File created	C:\Windows\{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe
File created	C:\Windows\{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe
File created	C:\Windows\{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe
Token: SeIncBasePriorityPrivilege	4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe
Token: SeIncBasePriorityPrivilege	1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe
Token: SeIncBasePriorityPrivilege	2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe
Token: SeIncBasePriorityPrivilege	1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe
Token: SeIncBasePriorityPrivilege	3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe
Token: SeIncBasePriorityPrivilege	756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe
Token: SeIncBasePriorityPrivilege	4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe
Token: SeIncBasePriorityPrivilege	3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe
Token: SeIncBasePriorityPrivilege	2004	{046C8831-676B-413c-8CB9-D30335E6D841}.exe
Token: SeIncBasePriorityPrivilege	4008	{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4908	2440	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	97
PID 2440 wrote to memory of 4908	2440	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	97
PID 2440 wrote to memory of 4908	2440	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	97
PID 2440 wrote to memory of 2708	2440	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	98
PID 2440 wrote to memory of 2708	2440	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	98
PID 2440 wrote to memory of 2708	2440	2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe	98
PID 4908 wrote to memory of 4600	4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe	99
PID 4908 wrote to memory of 4600	4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe	99
PID 4908 wrote to memory of 4600	4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe	99
PID 4908 wrote to memory of 4176	4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe	100
PID 4908 wrote to memory of 4176	4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe	100
PID 4908 wrote to memory of 4176	4908	{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe	100
PID 4600 wrote to memory of 1008	4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe	102
PID 4600 wrote to memory of 1008	4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe	102
PID 4600 wrote to memory of 1008	4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe	102
PID 4600 wrote to memory of 4700	4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe	103
PID 4600 wrote to memory of 4700	4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe	103
PID 4600 wrote to memory of 4700	4600	{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe	103
PID 1008 wrote to memory of 2712	1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe	104
PID 1008 wrote to memory of 2712	1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe	104
PID 1008 wrote to memory of 2712	1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe	104
PID 1008 wrote to memory of 860	1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe	105
PID 1008 wrote to memory of 860	1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe	105
PID 1008 wrote to memory of 860	1008	{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe	105
PID 2712 wrote to memory of 1576	2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe	106
PID 2712 wrote to memory of 1576	2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe	106
PID 2712 wrote to memory of 1576	2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe	106
PID 2712 wrote to memory of 1660	2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe	107
PID 2712 wrote to memory of 1660	2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe	107
PID 2712 wrote to memory of 1660	2712	{121E9107-CC20-4e98-BAA7-537941EE664C}.exe	107
PID 1576 wrote to memory of 3136	1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe	108
PID 1576 wrote to memory of 3136	1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe	108
PID 1576 wrote to memory of 3136	1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe	108
PID 1576 wrote to memory of 5084	1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe	109
PID 1576 wrote to memory of 5084	1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe	109
PID 1576 wrote to memory of 5084	1576	{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe	109
PID 3136 wrote to memory of 756	3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe	110
PID 3136 wrote to memory of 756	3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe	110
PID 3136 wrote to memory of 756	3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe	110
PID 3136 wrote to memory of 3248	3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe	111
PID 3136 wrote to memory of 3248	3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe	111
PID 3136 wrote to memory of 3248	3136	{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe	111
PID 756 wrote to memory of 4364	756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe	112
PID 756 wrote to memory of 4364	756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe	112
PID 756 wrote to memory of 4364	756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe	112
PID 756 wrote to memory of 2900	756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe	113
PID 756 wrote to memory of 2900	756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe	113
PID 756 wrote to memory of 2900	756	{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe	113
PID 4364 wrote to memory of 3284	4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe	114
PID 4364 wrote to memory of 3284	4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe	114
PID 4364 wrote to memory of 3284	4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe	114
PID 4364 wrote to memory of 3772	4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe	115
PID 4364 wrote to memory of 3772	4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe	115
PID 4364 wrote to memory of 3772	4364	{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe	115
PID 3284 wrote to memory of 2004	3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe	116
PID 3284 wrote to memory of 2004	3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe	116
PID 3284 wrote to memory of 2004	3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe	116
PID 3284 wrote to memory of 856	3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe	117
PID 3284 wrote to memory of 856	3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe	117
PID 3284 wrote to memory of 856	3284	{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe	117
PID 2004 wrote to memory of 4008	2004	{046C8831-676B-413c-8CB9-D30335E6D841}.exe	118
PID 2004 wrote to memory of 4008	2004	{046C8831-676B-413c-8CB9-D30335E6D841}.exe	118
PID 2004 wrote to memory of 4008	2004	{046C8831-676B-413c-8CB9-D30335E6D841}.exe	118
PID 2004 wrote to memory of 528	2004	{046C8831-676B-413c-8CB9-D30335E6D841}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_6426dd1a02569cfc4de05d6a3b5c3c95_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe
  C:\Windows\{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe
    C:\Windows\{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe
      C:\Windows\{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Windows\{121E9107-CC20-4e98-BAA7-537941EE664C}.exe
        
        C:\Windows\{121E9107-CC20-4e98-BAA7-537941EE664C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe
        
        C:\Windows\{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe
        
        C:\Windows\{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe
        
        C:\Windows\{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe
        
        C:\Windows\{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe
        
        C:\Windows\{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\{046C8831-676B-413c-8CB9-D30335E6D841}.exe
        
        C:\Windows\{046C8831-676B-413c-8CB9-D30335E6D841}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe
        
        C:\Windows\{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\{5AEF7DD5-CF7C-40fe-85E5-D68011933766}.exe
        
        C:\Windows\{5AEF7DD5-CF7C-40fe-85E5-D68011933766}.exe
        13⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED2FD~1.EXE > nul
        13⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{046C8~1.EXE > nul
        12⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BAF2~1.EXE > nul
        11⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16D0C~1.EXE > nul
        10⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6669B~1.EXE > nul
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51309~1.EXE > nul
        8⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DC34~1.EXE > nul
        7⤵
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{121E9~1.EXE > nul
        6⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B25~1.EXE > nul
        5⤵
        
        PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC843~1.EXE > nul
      4⤵
      PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BEB4~1.EXE > nul
    3⤵
    PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{046C8831-676B-413c-8CB9-D30335E6D841}.exe

Filesize
168KB

MD5
95bc519b307d107e09ef03dedb1251a0

SHA1
b692e106a25fe8c55e24a3a290053b9812102292

SHA256
66d6265b6eb53d186802cabb0d3d41a535c1791a183ff8599be6e77c640de95f

SHA512
9974e8fda4b4796e059c4fe07c8ba6a0422f20a2a4b75ed0aee322a2d96dc89f96794fb8a594a6a5b839a1a8578f412c7838d85abd1139aa4a2bc9cb89b12b75

Download Submit
C:\Windows\{0DC34FD4-0790-4537-AB80-342E58F908F4}.exe

Filesize
168KB

MD5
e769f59ab3354ba16bab94cf313c6e63

SHA1
2a3f31497f1cc1d7bc24ba8485a47b48610a9e02

SHA256
1d1a353116018e350f01389f656dc0f49e471b870c422272d6f4dac2ea67f470

SHA512
6a6b83d4753ccb876c011987fba48c1e300ecc7177e42d9798a6341e1319771fc09de5395131cc5923102d09155bec6f540ee9d13ff65d8c71e6f8455bfb1b42

Download Submit
C:\Windows\{121E9107-CC20-4e98-BAA7-537941EE664C}.exe

Filesize
168KB

MD5
387f003c470ca68bfb5937845a4ca3b8

SHA1
6f76c0994f995bfb4aff0306f0adffdc1a04b797

SHA256
2e19b35220f829c4e649cc32792893c922e5af24f717231aab0540442fee977b

SHA512
05c5e3baba3a71a227a53ef8c9265946caee24271b1e54c6a83f868a2b7db4ae1060b2ae1255ace6c3418028fb4a98d387f7dd62f7c36ea20ea2a316e4c7005e

Download Submit
C:\Windows\{16D0C69F-1B71-4437-A389-CF05BC6526E0}.exe

Filesize
168KB

MD5
03298a4a20ba3778dadf7172f24f5aab

SHA1
24f40bd65b8fc3efe22fa3918f64c633e1ec5d7c

SHA256
5a3c37c397b4c2968b82987585c194bc9051a1a2035718b4c083bfd396a3c6b1

SHA512
6f15e8150507142f89a2aade1f54b8c5d75c203d35ca1742ef1b4c755fbf61e8203eccf166f43dd7ebbb4800a3b69d6571619db66b7d4446a13bf6ed6d959488

Download Submit
C:\Windows\{1BEB42C1-4365-4ead-BDC6-4913B6EBFBF5}.exe

Filesize
168KB

MD5
6b4928a07abf735614cee59dcba24a1d

SHA1
3b5ded46b0aece45ae30ecc36bd648b80a7f62f7

SHA256
7e7390f7576676cafa8978588889061eb381df574ed41a97a5ee74af4fd5ee90

SHA512
903ffe973029af5de743512eb02d571843f6f29379bbb781ce4adf630f0d26e252dd27cbcbadb0b6238007f30a6e4ee2377bd158861fe0e663ccf8b159dd419b

Download Submit
C:\Windows\{3BAF2BE0-C1E8-4fe3-89D7-0E46513FD723}.exe

Filesize
168KB

MD5
594bfd65a4666a78c1a14dc6f7f89ce3

SHA1
eb8954f442597307beb4098e2d9aafbe0a8546d8

SHA256
1556a1bd1d42fb11763471027a07b1d8d8418159eb1e2f2963eafd1ce83e899f

SHA512
3a717643e1dbf45266c26fe13f1ed61170d8eee76486729fee9241680e930993606532d882f85c4105b95bee08e7b08f478061a74a4df46a1c8810c09c3c6e7c

Download Submit
C:\Windows\{51309A55-865A-4aed-8B6B-7C9A54E9332F}.exe

Filesize
168KB

MD5
10e4885288f232feb19fbdec409e612a

SHA1
84eeb4e9ecbde50df0d23ebae146dbe1ef3eb9d7

SHA256
ad4805942818d5702a5605d4a6c8827a42d65b85cb2af3c774f0669cdba3034f

SHA512
eedbc5dfd03ca4d1ac96dbd706af27fe39d90f097fdef538816dc456b519362c7130f49104c164575af2802d6a95f69bdc69919af45a9b5898c338b407f5a284

Download Submit
C:\Windows\{5AEF7DD5-CF7C-40fe-85E5-D68011933766}.exe

Filesize
168KB

MD5
758f1a7bd5734d5af63d28ed73d12d8e

SHA1
b38f04668253098f1bdfb89d552a3038b5cbdef5

SHA256
f11f716e3d876fbbb0d81ccea91365bfc983df88462b2de25c889bad02e40dcc

SHA512
3b1b38f6e12d0607c45c149ffa94417b2304c58cd5de53214d3d1df5465edd892f9137dd1a9b232b987ebbe0410c1d4ec25cf4abbc567c6348c2ba207305439d

Download Submit
C:\Windows\{6669B98A-F7AC-40a2-B2AA-60BF938A864F}.exe

Filesize
168KB

MD5
8ba2d6018f981c2827a308c36c8fc21f

SHA1
497cc3dba27d182b51122728c9daa647ce59ce8a

SHA256
d316c2ae90329460013d0d68529aa97f7125c6d52775e66d3bd33e08c9425eb3

SHA512
24005a5ec74de3d69b3a26102e86d1515176653ecb7a3248d342273c30469ed72f10e5851b691c81dbf92dbcef748e22aa162df8aed4661fffb87e3975398adc

Download Submit
C:\Windows\{94B25AE7-0FF9-4051-8B58-EAAA0C588140}.exe

Filesize
168KB

MD5
d0b63a25dbb6de8d0e1b087e6fb4f375

SHA1
56cacc01d2bf99afb7df6af515eb79c616a9e24c

SHA256
3e7fd1dcd905eea5ae9ac1b0531b1fa0d5cb4f6e5fe1e7663edb789f1b262c4a

SHA512
dd8a3c0e9e8eda676aebe4af6632ff71cf65ae503a87f91a1fa93a43c8c9d229d7675930c42811b472498399a1d1688b3f555f6150405bde34be2da5b49e0494

Download Submit
C:\Windows\{EC8439F3-19A9-4d90-8506-FF3581445B79}.exe

Filesize
168KB

MD5
6a7750afe84b6e09abeb41bef3d12688

SHA1
5959f2c241f0f43ad769da132bb089cdc3a826e0

SHA256
079c521a9719b147e865a91115e07323eac2679a38a3d1bdc6cd66233361985a

SHA512
678d0f8c578f2330618ee7475bf99ca6345156e2331f03a9d474f4c753866a2876b05803eb97e87f3a6273992ee423f1e3ba645003fd7fecf8ae964b0f2b8032

Download Submit
C:\Windows\{ED2FD469-1F52-4e2b-821A-733D729C0BBC}.exe

Filesize
168KB

MD5
eb1a1ec55623974969ac9ebe156c2143

SHA1
b876558386942146f6338fff26e5ca3c39aff7d1

SHA256
ec27e9d6e31dde8e9db50ae307d2acd8e7bd25292e767cd04171db2a7a8ea9f3

SHA512
dbe5b383cc2f5f6116b88b2832585009d3c637af4e17a2ca669aadfb98deb3c4c984451aa6c379ef5124e65e4364c862d2ddb9be1a067703de4d07ac1434ff5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads