cd2ea7af3c723c3a0db234e9186b461d7b9aeaf836d42e996aca61bc9e94219a

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
Size

204KB
MD5

281209c1f670a58bc1b94bc28ab5ef6a
SHA1

103005a58dba318a1e026d642ede562ad03adf2d
SHA256

cd2ea7af3c723c3a0db234e9186b461d7b9aeaf836d42e996aca61bc9e94219a
SHA512

108f9ccb1934d65a9eff6dbfa9a2d7a2b9a19b908063ec30c79339250553a8283e7c17f0c694ec7ed6765d555fe327e95bdf6f918abbc77f128c52d2bbe1bceb
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023210-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002321d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e804-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e804-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}\stubpath = "C:\\Windows\\{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe"	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21DB2A9D-BE17-4a68-8160-32F0395EDA11}	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7780C020-0C4F-42d5-BCDA-1481229C7EEE}\stubpath = "C:\\Windows\\{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe"	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3D4F01-CDB4-4db9-B401-9A2563703298}	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C201C931-C249-4e34-BD7E-33F2BFA76B27}\stubpath = "C:\\Windows\\{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe"	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764C3CE0-D5FC-452a-AC52-4506344987A3}\stubpath = "C:\\Windows\\{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe"	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C201C931-C249-4e34-BD7E-33F2BFA76B27}	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C35EFC88-EED5-4e65-883E-214BA008C460}	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17587969-BA72-4bbe-985D-1B920E48DFC8}	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21DB2A9D-BE17-4a68-8160-32F0395EDA11}\stubpath = "C:\\Windows\\{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe"	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35442C36-DE2E-4889-BD0F-C318B57E99B9}\stubpath = "C:\\Windows\\{35442C36-DE2E-4889-BD0F-C318B57E99B9}.exe"	{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E154DBDF-B8D4-4628-AC1E-0E777FF41310}\stubpath = "C:\\Windows\\{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe"	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7780C020-0C4F-42d5-BCDA-1481229C7EEE}	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72FA733E-F52E-43f6-92FC-2390033F6AFE}	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764C3CE0-D5FC-452a-AC52-4506344987A3}	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35442C36-DE2E-4889-BD0F-C318B57E99B9}	{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17587969-BA72-4bbe-985D-1B920E48DFC8}\stubpath = "C:\\Windows\\{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe"	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E154DBDF-B8D4-4628-AC1E-0E777FF41310}	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72FA733E-F52E-43f6-92FC-2390033F6AFE}\stubpath = "C:\\Windows\\{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe"	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3D4F01-CDB4-4db9-B401-9A2563703298}\stubpath = "C:\\Windows\\{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe"	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}\stubpath = "C:\\Windows\\{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe"	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C35EFC88-EED5-4e65-883E-214BA008C460}\stubpath = "C:\\Windows\\{C35EFC88-EED5-4e65-883E-214BA008C460}.exe"	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe

Executes dropped EXE 12 IoCs

pid	Process
116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe
1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe
4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe
4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe
3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe
4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe
3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe
2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe
4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe
4424	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe
1276	{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe
2432	{35442C36-DE2E-4889-BD0F-C318B57E99B9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
File created	C:\Windows\{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe
File created	C:\Windows\{35442C36-DE2E-4889-BD0F-C318B57E99B9}.exe	{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe
File created	C:\Windows\{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe
File created	C:\Windows\{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe
File created	C:\Windows\{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe
File created	C:\Windows\{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe
File created	C:\Windows\{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe
File created	C:\Windows\{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe
File created	C:\Windows\{C35EFC88-EED5-4e65-883E-214BA008C460}.exe	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe
File created	C:\Windows\{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe
File created	C:\Windows\{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3556	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe
Token: SeIncBasePriorityPrivilege	1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe
Token: SeIncBasePriorityPrivilege	4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe
Token: SeIncBasePriorityPrivilege	4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe
Token: SeIncBasePriorityPrivilege	3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe
Token: SeIncBasePriorityPrivilege	4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe
Token: SeIncBasePriorityPrivilege	3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe
Token: SeIncBasePriorityPrivilege	2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe
Token: SeIncBasePriorityPrivilege	4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe
Token: SeIncBasePriorityPrivilege	4424	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe
Token: SeIncBasePriorityPrivilege	1276	{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 116	3556	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	91
PID 3556 wrote to memory of 116	3556	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	91
PID 3556 wrote to memory of 116	3556	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	91
PID 3556 wrote to memory of 4656	3556	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	92
PID 3556 wrote to memory of 4656	3556	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	92
PID 3556 wrote to memory of 4656	3556	2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe	92
PID 116 wrote to memory of 1700	116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe	93
PID 116 wrote to memory of 1700	116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe	93
PID 116 wrote to memory of 1700	116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe	93
PID 116 wrote to memory of 4660	116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe	94
PID 116 wrote to memory of 4660	116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe	94
PID 116 wrote to memory of 4660	116	{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe	94
PID 1700 wrote to memory of 4068	1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe	96
PID 1700 wrote to memory of 4068	1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe	96
PID 1700 wrote to memory of 4068	1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe	96
PID 1700 wrote to memory of 3688	1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe	97
PID 1700 wrote to memory of 3688	1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe	97
PID 1700 wrote to memory of 3688	1700	{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe	97
PID 4068 wrote to memory of 4640	4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe	98
PID 4068 wrote to memory of 4640	4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe	98
PID 4068 wrote to memory of 4640	4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe	98
PID 4068 wrote to memory of 3716	4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe	99
PID 4068 wrote to memory of 3716	4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe	99
PID 4068 wrote to memory of 3716	4068	{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe	99
PID 4640 wrote to memory of 3492	4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe	100
PID 4640 wrote to memory of 3492	4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe	100
PID 4640 wrote to memory of 3492	4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe	100
PID 4640 wrote to memory of 2732	4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe	101
PID 4640 wrote to memory of 2732	4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe	101
PID 4640 wrote to memory of 2732	4640	{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe	101
PID 3492 wrote to memory of 4160	3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe	102
PID 3492 wrote to memory of 4160	3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe	102
PID 3492 wrote to memory of 4160	3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe	102
PID 3492 wrote to memory of 672	3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe	103
PID 3492 wrote to memory of 672	3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe	103
PID 3492 wrote to memory of 672	3492	{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe	103
PID 4160 wrote to memory of 3384	4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe	104
PID 4160 wrote to memory of 3384	4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe	104
PID 4160 wrote to memory of 3384	4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe	104
PID 4160 wrote to memory of 3540	4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe	105
PID 4160 wrote to memory of 3540	4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe	105
PID 4160 wrote to memory of 3540	4160	{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe	105
PID 3384 wrote to memory of 2952	3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe	106
PID 3384 wrote to memory of 2952	3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe	106
PID 3384 wrote to memory of 2952	3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe	106
PID 3384 wrote to memory of 4460	3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe	107
PID 3384 wrote to memory of 4460	3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe	107
PID 3384 wrote to memory of 4460	3384	{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe	107
PID 2952 wrote to memory of 4240	2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe	108
PID 2952 wrote to memory of 4240	2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe	108
PID 2952 wrote to memory of 4240	2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe	108
PID 2952 wrote to memory of 2948	2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe	109
PID 2952 wrote to memory of 2948	2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe	109
PID 2952 wrote to memory of 2948	2952	{C35EFC88-EED5-4e65-883E-214BA008C460}.exe	109
PID 4240 wrote to memory of 4424	4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe	110
PID 4240 wrote to memory of 4424	4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe	110
PID 4240 wrote to memory of 4424	4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe	110
PID 4240 wrote to memory of 4448	4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe	111
PID 4240 wrote to memory of 4448	4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe	111
PID 4240 wrote to memory of 4448	4240	{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe	111
PID 4424 wrote to memory of 1276	4424	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe	112
PID 4424 wrote to memory of 1276	4424	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe	112
PID 4424 wrote to memory of 1276	4424	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe	112
PID 4424 wrote to memory of 1444	4424	{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_281209c1f670a58bc1b94bc28ab5ef6a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe
  C:\Windows\{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe
    C:\Windows\{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe
      C:\Windows\{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe
        
        C:\Windows\{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Windows\{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe
        
        C:\Windows\{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe
        
        C:\Windows\{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe
        
        C:\Windows\{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{C35EFC88-EED5-4e65-883E-214BA008C460}.exe
        
        C:\Windows\{C35EFC88-EED5-4e65-883E-214BA008C460}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe
        
        C:\Windows\{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe
        
        C:\Windows\{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe
        
        C:\Windows\{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\{35442C36-DE2E-4889-BD0F-C318B57E99B9}.exe
        
        C:\Windows\{35442C36-DE2E-4889-BD0F-C318B57E99B9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21DB2~1.EXE > nul
        13⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17587~1.EXE > nul
        12⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C31B8~1.EXE > nul
        11⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C35EF~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{764C3~1.EXE > nul
        9⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C201C~1.EXE > nul
        8⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C228A~1.EXE > nul
        7⤵
        
        PID:672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3D4~1.EXE > nul
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72FA7~1.EXE > nul
        5⤵
        
        PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7780C~1.EXE > nul
      4⤵
      PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E154D~1.EXE > nul
    3⤵
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17587969-BA72-4bbe-985D-1B920E48DFC8}.exe

Filesize
204KB

MD5
f498c6e3e58ca32be771dfc64bf2ec16

SHA1
88f23bc0bbc60996e0038e5e797ebb6b9e7652c5

SHA256
c52f8a7b47ad20f5c6555593b97f5dd77b6e10aeca549e5ce570274c09ce98b3

SHA512
3ee55392717a5c7913033ef58fc003f1ed2d01abe46257eb605cc5be9f932f51ca7d1fa636ff91033b8b328f4395322e0f7752895e305e6df42be43e78e73f43

Download Submit
C:\Windows\{21DB2A9D-BE17-4a68-8160-32F0395EDA11}.exe

Filesize
204KB

MD5
40e2da42ff6f4414648bda01e2e29416

SHA1
bb6e82b633cb70a1f9b9aac22d86bd51b70d81ff

SHA256
27f0ccc14582b24a3c577c690cdfd5874567f2a5d335d192dbf2af26058a0a11

SHA512
12a03d1b877ff606ba6dd8c601a2dc855426572ed30ca06a8bd14109ff2b51189933d8bb439cc57954b1b352137cb2251c46fff78faf33ff3c0122a2de6fbc87

Download Submit
C:\Windows\{35442C36-DE2E-4889-BD0F-C318B57E99B9}.exe

Filesize
204KB

MD5
a60b2be898a15074f2378b2c38d2a0be

SHA1
82d62bf391d982e468e54809025c8509dd89d0c9

SHA256
a95c0ffe34048667f888f03623a51ad5f5bb6f11c0dab95fad88bd4c16a60671

SHA512
1e9eb4e8116b274029cc6c410d2a6c6ac6524f2f47af7cb955da90cd87e7236ed15d615040ed65f81baf9510dfccd17e98bdb51b254991c0ec7d76dfa3cb856a

Download Submit
C:\Windows\{72FA733E-F52E-43f6-92FC-2390033F6AFE}.exe

Filesize
204KB

MD5
a3622853feb7c7031f43b06139fd6c65

SHA1
1f307962a0eb30926f9cd022e5729ee9a09388fe

SHA256
224621922d24d72dbbe21b827a01c5785df492ed08c7f07bde6cf7981834556f

SHA512
3f970a3a186825ef3c70a0d883740591e4b4e839201a00988a78ec38c4d62a42dc637fb884bc19e0a724f88cb7dd3a1cf1154fb15bb9c0677ae6cba39b026512

Download Submit
C:\Windows\{764C3CE0-D5FC-452a-AC52-4506344987A3}.exe

Filesize
204KB

MD5
5d5cb0bb0e5d1cb6271d13a7b91620d1

SHA1
8cf546d6bc2de3ae792be2172f0e0eda8f21db03

SHA256
7992f03ad987fb34f406104828ef249f6211e30d8402ea6d48e07ffbb3e5baa8

SHA512
c59487bb2e56ee3826c53f109475bcf3be17c51a22b492895e47fa198afc2f9e440c49b178ab814f14b0882f574179300a1ae92b3da6491dc2dfb8ea5f8b70f1

Download Submit
C:\Windows\{7780C020-0C4F-42d5-BCDA-1481229C7EEE}.exe

Filesize
204KB

MD5
7bbf461ecb46ab6414c79a89548e0c06

SHA1
a4f226173fc6af272c7eaf18f28f07a6368937d0

SHA256
0de803dfc536c6b88667140afafaae45d8991d7dfbee89c2360ef14418117ae8

SHA512
ab6777a6c9b79eec60af71a4f4cd9bcc65eb5a627cd0632a6cd830ed45e1df1a39fd4b55fcbd98c7c006119d5705bf917691b5699e527aa1a7b1dccefa72354b

Download Submit
C:\Windows\{7F3D4F01-CDB4-4db9-B401-9A2563703298}.exe

Filesize
204KB

MD5
c2152af874dcbd659a365986cae0d565

SHA1
858ec2e8b156b6e30b3b4c0f289fc93d18308f4a

SHA256
5473d52372c9d79187e7dcac58f3630f908067e621e673f76b053ae267d922f1

SHA512
354df96e77997bf9bb2159f28018aca2783d5aeb4284dec14c0f3a0a241ea6b6bb9257b974085760ad3fa7c784ec82c663bb8170250d1589ef85af1cc9c4d695

Download Submit
C:\Windows\{C201C931-C249-4e34-BD7E-33F2BFA76B27}.exe

Filesize
204KB

MD5
1bc161199307babd6eb7f37f7ab0e615

SHA1
bfce2a8841829248b77615abdc3af7badfcdffd4

SHA256
0d722406878d8e2a48f5d38211d1ec72d7a11881d1c3158cb3c975f0290ededb

SHA512
922dc739f27e8a3ce901dfd3cef9020f711eceee01a4d9fdec4635deebf6bea6095e9c8dc6528e3669f2b7b904d1f93821c085cc007ea2ac0de352be348cab66

Download Submit
C:\Windows\{C228ACE7-A815-445e-BDD5-7EA88BF21AEA}.exe

Filesize
204KB

MD5
64c1f2421c3556412b0f8c5babfbce28

SHA1
00f0ecdc69987db38abc1d6cb6dc878af5872be6

SHA256
707fd784f2ed2bf33d07c42515d2e26f6377260099053300e343ddfac112fc3c

SHA512
f580f996ebb6210997a7c57ff3469d07fbc9d62a3c8a755e6bff7087e5419355a223501f37bc4c77fb01515f6c9e3e92aee3b80520e7546088d30d892127281f

Download Submit
C:\Windows\{C31B872D-85FB-4f76-A8B0-BF10C8BA08D9}.exe

Filesize
204KB

MD5
8c4940808e3a678afdde0bff5e2761a6

SHA1
2c747d86e1d06e72e799db77668c9c2c4c556f8e

SHA256
b70157a7231e212ee6718498edc439f00acb581924e37d043319732284889669

SHA512
68bc796e6ddcdc68bfbb723cdb7fa8d11d117a12740733937a9a53dabae4c6d22751ea2b1fe84d8ae4fa48b9f2d982f8c602bef48c3f3889d2450692862ddfc6

Download Submit
C:\Windows\{C35EFC88-EED5-4e65-883E-214BA008C460}.exe

Filesize
204KB

MD5
a75ed22a450e8714b85206238adda281

SHA1
e97273b419d76a07a6202452602f2db6bfbebd39

SHA256
b0016249a4e7d31ae8f67a1b425a971f3debbeea6415afb8ef672c09276362c8

SHA512
4821d5c941c8a5c4fe270714f86ca23abb39a5d969c9fc4b22ac9ce118613806e3ba2b8d191769ad058f10273d4c663bd9437d0c06fd56ce543797d8566d9a4c

Download Submit
C:\Windows\{E154DBDF-B8D4-4628-AC1E-0E777FF41310}.exe

Filesize
204KB

MD5
1a05592bc69d2329a6e11f3968a8a4c0

SHA1
07e7220b4d9fd856a1d330cd69f974c142262c51

SHA256
091d5f2e727069ca47afc19ddc6e1082da7c5a07d9cf2a55b9e53344f9ff312f

SHA512
683d50541065c3e6a718db59391fdee1e23736b7e6dfab2ee62710c7667a8d62555139ba163696fe9a7ed7e11d3def362ce0d314d83adcb29dc5a9cb63938857

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads