9a910bf2d5d76ef4609d33965132f4182762b7a503115ac646c1c36fe9e9b4dd

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Size

192KB
MD5

2581fd023ecf8aa758f67b5a01fe907b
SHA1

859f0b63573e6fdaec58c94169eb3034d8b7c664
SHA256

9a910bf2d5d76ef4609d33965132f4182762b7a503115ac646c1c36fe9e9b4dd
SHA512

ed019bc813f193d5725e5c7542f63435b8cdedba86be63c7ff85460ecccd813613623bfd5467888de9c5f3253dbe412388fb049c1df4f6d4b36c104d7ba3f72a
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o/l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231fb-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023200-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023207-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023200-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023207-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021524-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021526-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000037-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000037-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{670543CD-B9B0-4bcf-85D6-146CEE4217DE}	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}\stubpath = "C:\\Windows\\{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe"	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82111B3A-D95B-4293-B87E-D72FC82EC617}	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82111B3A-D95B-4293-B87E-D72FC82EC617}\stubpath = "C:\\Windows\\{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe"	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6210FBA8-50FF-4371-BBD1-E64AB652DF22}\stubpath = "C:\\Windows\\{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe"	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}\stubpath = "C:\\Windows\\{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe"	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}\stubpath = "C:\\Windows\\{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe"	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2027210-363A-428c-B554-696FD80DD177}\stubpath = "C:\\Windows\\{F2027210-363A-428c-B554-696FD80DD177}.exe"	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}	{F2027210-363A-428c-B554-696FD80DD177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10214C7-D4B3-4669-85D7-137C0B73D992}	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6210FBA8-50FF-4371-BBD1-E64AB652DF22}	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}\stubpath = "C:\\Windows\\{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}.exe"	{F2027210-363A-428c-B554-696FD80DD177}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{670543CD-B9B0-4bcf-85D6-146CEE4217DE}\stubpath = "C:\\Windows\\{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe"	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10214C7-D4B3-4669-85D7-137C0B73D992}\stubpath = "C:\\Windows\\{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe"	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}\stubpath = "C:\\Windows\\{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe"	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E4E65B-5611-4aa1-A487-48FDB222DF75}	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E4E65B-5611-4aa1-A487-48FDB222DF75}\stubpath = "C:\\Windows\\{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe"	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2027210-363A-428c-B554-696FD80DD177}	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FADDB87-8463-427c-8C33-8F33572A42B6}	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FADDB87-8463-427c-8C33-8F33572A42B6}\stubpath = "C:\\Windows\\{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe"	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe

Executes dropped EXE 12 IoCs

pid	Process
2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe
3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe
400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe
1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe
2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe
5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe
4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe
1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe
3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe
1932	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe
732	{F2027210-363A-428c-B554-696FD80DD177}.exe
3248	{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe
File created	C:\Windows\{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe
File created	C:\Windows\{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}.exe	{F2027210-363A-428c-B554-696FD80DD177}.exe
File created	C:\Windows\{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe
File created	C:\Windows\{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe
File created	C:\Windows\{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe
File created	C:\Windows\{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe
File created	C:\Windows\{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe
File created	C:\Windows\{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
File created	C:\Windows\{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe
File created	C:\Windows\{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe
File created	C:\Windows\{F2027210-363A-428c-B554-696FD80DD177}.exe	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3784	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe
Token: SeIncBasePriorityPrivilege	3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe
Token: SeIncBasePriorityPrivilege	400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe
Token: SeIncBasePriorityPrivilege	1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe
Token: SeIncBasePriorityPrivilege	2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe
Token: SeIncBasePriorityPrivilege	5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe
Token: SeIncBasePriorityPrivilege	4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe
Token: SeIncBasePriorityPrivilege	1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe
Token: SeIncBasePriorityPrivilege	3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe
Token: SeIncBasePriorityPrivilege	1932	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe
Token: SeIncBasePriorityPrivilege	732	{F2027210-363A-428c-B554-696FD80DD177}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 2304	3784	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	96
PID 3784 wrote to memory of 2304	3784	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	96
PID 3784 wrote to memory of 2304	3784	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	96
PID 3784 wrote to memory of 4992	3784	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	97
PID 3784 wrote to memory of 4992	3784	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	97
PID 3784 wrote to memory of 4992	3784	2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe	97
PID 2304 wrote to memory of 3552	2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe	98
PID 2304 wrote to memory of 3552	2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe	98
PID 2304 wrote to memory of 3552	2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe	98
PID 2304 wrote to memory of 2832	2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe	99
PID 2304 wrote to memory of 2832	2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe	99
PID 2304 wrote to memory of 2832	2304	{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe	99
PID 3552 wrote to memory of 400	3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe	101
PID 3552 wrote to memory of 400	3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe	101
PID 3552 wrote to memory of 400	3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe	101
PID 3552 wrote to memory of 548	3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe	102
PID 3552 wrote to memory of 548	3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe	102
PID 3552 wrote to memory of 548	3552	{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe	102
PID 400 wrote to memory of 1428	400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe	103
PID 400 wrote to memory of 1428	400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe	103
PID 400 wrote to memory of 1428	400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe	103
PID 400 wrote to memory of 684	400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe	104
PID 400 wrote to memory of 684	400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe	104
PID 400 wrote to memory of 684	400	{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe	104
PID 1428 wrote to memory of 2204	1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe	105
PID 1428 wrote to memory of 2204	1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe	105
PID 1428 wrote to memory of 2204	1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe	105
PID 1428 wrote to memory of 1392	1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe	106
PID 1428 wrote to memory of 1392	1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe	106
PID 1428 wrote to memory of 1392	1428	{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe	106
PID 2204 wrote to memory of 5020	2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe	107
PID 2204 wrote to memory of 5020	2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe	107
PID 2204 wrote to memory of 5020	2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe	107
PID 2204 wrote to memory of 1668	2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe	108
PID 2204 wrote to memory of 1668	2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe	108
PID 2204 wrote to memory of 1668	2204	{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe	108
PID 5020 wrote to memory of 4336	5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe	109
PID 5020 wrote to memory of 4336	5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe	109
PID 5020 wrote to memory of 4336	5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe	109
PID 5020 wrote to memory of 3756	5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe	110
PID 5020 wrote to memory of 3756	5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe	110
PID 5020 wrote to memory of 3756	5020	{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe	110
PID 4336 wrote to memory of 1692	4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe	111
PID 4336 wrote to memory of 1692	4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe	111
PID 4336 wrote to memory of 1692	4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe	111
PID 4336 wrote to memory of 4076	4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe	112
PID 4336 wrote to memory of 4076	4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe	112
PID 4336 wrote to memory of 4076	4336	{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe	112
PID 1692 wrote to memory of 3504	1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe	113
PID 1692 wrote to memory of 3504	1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe	113
PID 1692 wrote to memory of 3504	1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe	113
PID 1692 wrote to memory of 1320	1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe	114
PID 1692 wrote to memory of 1320	1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe	114
PID 1692 wrote to memory of 1320	1692	{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe	114
PID 3504 wrote to memory of 1932	3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe	115
PID 3504 wrote to memory of 1932	3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe	115
PID 3504 wrote to memory of 1932	3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe	115
PID 3504 wrote to memory of 4248	3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe	116
PID 3504 wrote to memory of 4248	3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe	116
PID 3504 wrote to memory of 4248	3504	{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe	116
PID 1932 wrote to memory of 732	1932	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe	117
PID 1932 wrote to memory of 732	1932	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe	117
PID 1932 wrote to memory of 732	1932	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe	117
PID 1932 wrote to memory of 3672	1932	{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_2581fd023ecf8aa758f67b5a01fe907b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe
  C:\Windows\{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe
    C:\Windows\{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe
      C:\Windows\{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Windows\{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe
        
        C:\Windows\{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe
        
        C:\Windows\{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe
        
        C:\Windows\{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe
        
        C:\Windows\{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe
        
        C:\Windows\{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe
        
        C:\Windows\{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe
        
        C:\Windows\{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{F2027210-363A-428c-B554-696FD80DD177}.exe
        
        C:\Windows\{F2027210-363A-428c-B554-696FD80DD177}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}.exe
        
        C:\Windows\{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}.exe
        13⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2027~1.EXE > nul
        13⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BC4C~1.EXE > nul
        12⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24F86~1.EXE > nul
        11⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6210F~1.EXE > nul
        10⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82111~1.EXE > nul
        9⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EAAF~1.EXE > nul
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61E4E~1.EXE > nul
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{735DB~1.EXE > nul
        6⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FADD~1.EXE > nul
        5⤵
        
        PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1021~1.EXE > nul
      4⤵
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67054~1.EXE > nul
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FADDB87-8463-427c-8C33-8F33572A42B6}.exe

Filesize
192KB

MD5
a4f4c5a2ab45b5362891a9eafa5a2e12

SHA1
041d950373bb16d3840df15814961a0325b4014d

SHA256
b9f6626798588ada8a524adbee28d4daa3dfa54bad3199a8219c618efd396e73

SHA512
2a147507032e517de7726229d6d3884709ae6a84e04e79328033bd8e95ba9f897171d7421aeb8ef05b1731ec35cce5da0f29c064d43a4e5cfcb9564f2cc6d788

Download Submit
C:\Windows\{24F862E1-2028-4850-B6B4-EAC7B17CBEDC}.exe

Filesize
192KB

MD5
b688692e10ff7c296b5c7438442eefce

SHA1
9ed98b6aaf88b7ce39c7ed6b196a57b2df4bacdb

SHA256
b68e83bb04a76d6783ccf147460ea2415fa1b24d5326b93cafbc5ccaccb7164e

SHA512
a33516d629e935eefc6103e3e49d1065118e668e91e610705bb6012b68a4f4bd04e2dd6ffe7b2a2f535046163be8659b8bd1df48423cd97dcf5cf9913f6e781b

Download Submit
C:\Windows\{2EAAF16A-3A5C-4022-808A-CC71CF5226A3}.exe

Filesize
192KB

MD5
53c5ba906d8a1721080ee2348c65b97c

SHA1
0e61dc975fb6fcc4288900711393e3140e14af93

SHA256
feee9e955042c899087da300481b21234285bbd2ded67a8035382b19c86f605c

SHA512
4376fba8b61a7896bfea39a50ed98e13a022f2b60278a765f11b0a1a9a321abf34455f8dd748d9360ddb9f1378653d019fe40470d25a48c8530163b22f5ce10e

Download Submit
C:\Windows\{61E4E65B-5611-4aa1-A487-48FDB222DF75}.exe

Filesize
192KB

MD5
9744ce2c0379333ba40663864799c020

SHA1
fa727686c5e41a8fda6cfcb928931137bfaa87c5

SHA256
2fbbbd48f770d60a228979b30e54c0d683a5d84ffb53c2061dfec3fd7d3682fe

SHA512
d9acf2a95f8b9bc3c7d7620611788d4a427fab57f57c75961e876289e561e62594986c0701da3d80a8a9c1b25709254208f7875204272a8f19ee6ad1fda1a0c1

Download Submit
C:\Windows\{6210FBA8-50FF-4371-BBD1-E64AB652DF22}.exe

Filesize
192KB

MD5
9539b84d24add9ce090f757ab3ee5fb6

SHA1
20c206a1875d314b1a1291bee684a043ef73b859

SHA256
f40e865af14800a04299b3069b3325d7f5f85f1143801044269c3a8243112ffa

SHA512
454283d53f92029455b29c0fdd506b03c71dd4199191966af95f05abab7accd8464bf2e2179b5a217677039a19d0a1e74b0b227c1a0b343b2fdd24440eaa494a

Download Submit
C:\Windows\{670543CD-B9B0-4bcf-85D6-146CEE4217DE}.exe

Filesize
192KB

MD5
c28543f55d0ca6647f1f8b75292c78a1

SHA1
3585b392a0f0159d072c0d745b5b1e380d5b12cf

SHA256
4138ff37b9dfe550fb7a70143c84d080051d5ac26a5d520bd393cc5138e4d3a8

SHA512
49b89e0fbbfdb6555b976f78a1e08a08694edd8807356ee02c255fe7804b34431d9b500b5f8415f2e66d497d2215662816c58d517bf4300cdaca472473b05e0a

Download Submit
C:\Windows\{735DB9BB-5B98-4003-8DF9-F814ED5E2C11}.exe

Filesize
192KB

MD5
7a625c43c4b8825ac44723a24f1a0f9c

SHA1
2f3063179e25e71abed2ba97c5861a04cdfb962d

SHA256
78c8c6d12d344d0bc13d6d3f1c0a1877735f3cda70bfb36a6cb07f7816eabe18

SHA512
99db1597cda2bc2a750e3c34b0641767bae8f8012ce85b264867aee8959f95a300da9a5c64f57ae79a0bf17cb30bc7a5a892fbd84fe3e389609880f936b5d748

Download Submit
C:\Windows\{82111B3A-D95B-4293-B87E-D72FC82EC617}.exe

Filesize
192KB

MD5
f3ce886eb8cd7c517ec374303158c06d

SHA1
0cf11b6496716a854761edc49f40569f2fa20d33

SHA256
bd736451f24a5f24d1499be3bc948e6a8ccab7faf5023f1c22f4976c11238029

SHA512
0bb4fc1ec853c4bd4909c35cf2cb54705fceb627a6c87f5badc03576d95b912d189f60bdc7794dd51166196189b234bdf13da83f2238b36832081dd22254e3ee

Download Submit
C:\Windows\{8BC4C56C-7715-4b76-B980-FE8B9DEE5C1F}.exe

Filesize
192KB

MD5
b24ad0f02fb0788e108a27859073c1b1

SHA1
0bb8b484ad610aa45de1819d51fd672dd7299afb

SHA256
7dadce79332f8d3259013658c69e2394a808e12e2a54bf1e2d3bf51603504661

SHA512
486ef27e0e84d796590664ea0ef1d4a7049e3ea389572ae4a7db8ba7f02d1e47c3f26ec93683700ee943ce7fba39dd73d15ec325af73cce8ff89d379757518a8

Download Submit
C:\Windows\{9DDE6176-1938-46b1-B5E7-065A1AB61EAF}.exe

Filesize
192KB

MD5
9dc045e056c66ebef85f8f80d8a49b52

SHA1
83dbaa93ae6ce7696de8bb9ffdb74f8cef1a56bb

SHA256
1adad9ddb5aebffde13806e9ce09dbf76070191c8926acc9d475d17c856a5d73

SHA512
0c1a0819844f2e99861059aca6879754b3017614df6df0862ae817d777e1f33f0ce9d7466755176aa608f1be8f62ad4395aa1550b863fd79a41b7277fc0a45f9

Download Submit
C:\Windows\{C10214C7-D4B3-4669-85D7-137C0B73D992}.exe

Filesize
192KB

MD5
e421088eafbff78c4bb9c3893c728532

SHA1
e37366e1cdbe9e073ef199359e72f5191ebb4457

SHA256
e568e8da20e1a19d8eb51fe7387136bbfc47aba7dbd1a85412980325bb2b57a0

SHA512
2a11fc3e49683b2a739119c86c686dd56597fd71e7ddef0d2453c78a7a3da6286cf964ae50a47f982b1cfb86769a3130b7a94db3ee16edd7edadb929cd0c3e78

Download Submit
C:\Windows\{F2027210-363A-428c-B554-696FD80DD177}.exe

Filesize
192KB

MD5
e09e408ff8586f95d5888c4283141685

SHA1
6359428f6e19d0934c32cfc463d28d2552c1cfb5

SHA256
c969749e1d00a208b87dea3148834d35b48feb120db33d366a59821a640cd70b

SHA512
a2a01f9b081acba722372c1727bef938d43bd48ee7b67b616880b5e03baef72a6aa1c9ffb6caa661c3afafbb65d359e7bbd75c4f6c90fc59a9417ec22119247c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads