f1a053e823d69bfa1f70e8755300b5b76b429cf0a8435bd5e72b1f169a9381ed

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Size

380KB
MD5

4de9dd0b8583dfd946e49655960f398f
SHA1

c99cd58c5999a760fd12d3bfc9cc444efa2f0f2e
SHA256

f1a053e823d69bfa1f70e8755300b5b76b429cf0a8435bd5e72b1f169a9381ed
SHA512

f221408838dfe85f660c075325b7fa1409827168f411ae24917be7933cd2b26f3dc44b5cfe51a38532191e55ee63e8e72c012272c935156bda0c94102c49fe8f
SSDEEP

3072:mEGh0ovlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023127-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023216-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021c86-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62B983C-366F-4390-9D42-8F10767884B7}\stubpath = "C:\\Windows\\{B62B983C-366F-4390-9D42-8F10767884B7}.exe"	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CADFEF7-CE59-4e4c-8791-13A637D006D9}	{B62B983C-366F-4390-9D42-8F10767884B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}\stubpath = "C:\\Windows\\{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe"	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BEE31C-E807-4326-9307-BEF64DE5B396}	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BEE31C-E807-4326-9307-BEF64DE5B396}\stubpath = "C:\\Windows\\{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe"	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A65483A1-25C3-4859-A094-47A52E75E0F7}	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A65483A1-25C3-4859-A094-47A52E75E0F7}\stubpath = "C:\\Windows\\{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe"	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C066E545-EFC4-4dce-92F6-5EBD51E3425D}\stubpath = "C:\\Windows\\{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe"	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}\stubpath = "C:\\Windows\\{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe"	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50915BE9-6B67-4f16-AE94-B28209756847}	{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}\stubpath = "C:\\Windows\\{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe"	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}\stubpath = "C:\\Windows\\{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe"	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C066E545-EFC4-4dce-92F6-5EBD51E3425D}	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62B983C-366F-4390-9D42-8F10767884B7}	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CADFEF7-CE59-4e4c-8791-13A637D006D9}\stubpath = "C:\\Windows\\{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe"	{B62B983C-366F-4390-9D42-8F10767884B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787397C1-C644-41c5-A011-E6A3D20E4E59}	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787397C1-C644-41c5-A011-E6A3D20E4E59}\stubpath = "C:\\Windows\\{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe"	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}\stubpath = "C:\\Windows\\{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe"	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50915BE9-6B67-4f16-AE94-B28209756847}\stubpath = "C:\\Windows\\{50915BE9-6B67-4f16-AE94-B28209756847}.exe"	{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe

Executes dropped EXE 12 IoCs

pid	Process
2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe
2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe
3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe
1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe
624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe
5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe
4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe
2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe
2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe
4752	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe
3000	{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe
4736	{50915BE9-6B67-4f16-AE94-B28209756847}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
File created	C:\Windows\{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe
File created	C:\Windows\{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe
File created	C:\Windows\{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe	{B62B983C-366F-4390-9D42-8F10767884B7}.exe
File created	C:\Windows\{50915BE9-6B67-4f16-AE94-B28209756847}.exe	{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe
File created	C:\Windows\{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe
File created	C:\Windows\{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe
File created	C:\Windows\{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe
File created	C:\Windows\{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe
File created	C:\Windows\{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe
File created	C:\Windows\{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe
File created	C:\Windows\{B62B983C-366F-4390-9D42-8F10767884B7}.exe	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4244	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe
Token: SeIncBasePriorityPrivilege	2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe
Token: SeIncBasePriorityPrivilege	3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe
Token: SeIncBasePriorityPrivilege	1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe
Token: SeIncBasePriorityPrivilege	624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe
Token: SeIncBasePriorityPrivilege	5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe
Token: SeIncBasePriorityPrivilege	4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe
Token: SeIncBasePriorityPrivilege	2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe
Token: SeIncBasePriorityPrivilege	2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe
Token: SeIncBasePriorityPrivilege	4752	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe
Token: SeIncBasePriorityPrivilege	3000	{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2876	4244	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	95
PID 4244 wrote to memory of 2876	4244	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	95
PID 4244 wrote to memory of 2876	4244	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	95
PID 4244 wrote to memory of 5072	4244	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	96
PID 4244 wrote to memory of 5072	4244	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	96
PID 4244 wrote to memory of 5072	4244	2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe	96
PID 2876 wrote to memory of 2312	2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe	97
PID 2876 wrote to memory of 2312	2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe	97
PID 2876 wrote to memory of 2312	2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe	97
PID 2876 wrote to memory of 3976	2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe	98
PID 2876 wrote to memory of 3976	2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe	98
PID 2876 wrote to memory of 3976	2876	{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe	98
PID 2312 wrote to memory of 3556	2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe	100
PID 2312 wrote to memory of 3556	2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe	100
PID 2312 wrote to memory of 3556	2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe	100
PID 2312 wrote to memory of 844	2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe	101
PID 2312 wrote to memory of 844	2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe	101
PID 2312 wrote to memory of 844	2312	{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe	101
PID 3556 wrote to memory of 1572	3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe	102
PID 3556 wrote to memory of 1572	3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe	102
PID 3556 wrote to memory of 1572	3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe	102
PID 3556 wrote to memory of 4928	3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe	103
PID 3556 wrote to memory of 4928	3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe	103
PID 3556 wrote to memory of 4928	3556	{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe	103
PID 1572 wrote to memory of 624	1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe	104
PID 1572 wrote to memory of 624	1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe	104
PID 1572 wrote to memory of 624	1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe	104
PID 1572 wrote to memory of 4064	1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe	105
PID 1572 wrote to memory of 4064	1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe	105
PID 1572 wrote to memory of 4064	1572	{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe	105
PID 624 wrote to memory of 5076	624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe	106
PID 624 wrote to memory of 5076	624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe	106
PID 624 wrote to memory of 5076	624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe	106
PID 624 wrote to memory of 3984	624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe	107
PID 624 wrote to memory of 3984	624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe	107
PID 624 wrote to memory of 3984	624	{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe	107
PID 5076 wrote to memory of 4760	5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe	108
PID 5076 wrote to memory of 4760	5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe	108
PID 5076 wrote to memory of 4760	5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe	108
PID 5076 wrote to memory of 2700	5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe	109
PID 5076 wrote to memory of 2700	5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe	109
PID 5076 wrote to memory of 2700	5076	{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe	109
PID 4760 wrote to memory of 2796	4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe	110
PID 4760 wrote to memory of 2796	4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe	110
PID 4760 wrote to memory of 2796	4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe	110
PID 4760 wrote to memory of 4172	4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe	111
PID 4760 wrote to memory of 4172	4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe	111
PID 4760 wrote to memory of 4172	4760	{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe	111
PID 2796 wrote to memory of 2720	2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe	112
PID 2796 wrote to memory of 2720	2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe	112
PID 2796 wrote to memory of 2720	2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe	112
PID 2796 wrote to memory of 3488	2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe	113
PID 2796 wrote to memory of 3488	2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe	113
PID 2796 wrote to memory of 3488	2796	{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe	113
PID 2720 wrote to memory of 4752	2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe	114
PID 2720 wrote to memory of 4752	2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe	114
PID 2720 wrote to memory of 4752	2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe	114
PID 2720 wrote to memory of 1432	2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe	115
PID 2720 wrote to memory of 1432	2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe	115
PID 2720 wrote to memory of 1432	2720	{B62B983C-366F-4390-9D42-8F10767884B7}.exe	115
PID 4752 wrote to memory of 3000	4752	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe	116
PID 4752 wrote to memory of 3000	4752	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe	116
PID 4752 wrote to memory of 3000	4752	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe	116
PID 4752 wrote to memory of 1352	4752	{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_4de9dd0b8583dfd946e49655960f398f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe
  C:\Windows\{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe
    C:\Windows\{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe
      C:\Windows\{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe
        
        C:\Windows\{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe
        
        C:\Windows\{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe
        
        C:\Windows\{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe
        
        C:\Windows\{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe
        
        C:\Windows\{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{B62B983C-366F-4390-9D42-8F10767884B7}.exe
        
        C:\Windows\{B62B983C-366F-4390-9D42-8F10767884B7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe
        
        C:\Windows\{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe
        
        C:\Windows\{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\{50915BE9-6B67-4f16-AE94-B28209756847}.exe
        
        C:\Windows\{50915BE9-6B67-4f16-AE94-B28209756847}.exe
        13⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78739~1.EXE > nul
        13⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CADF~1.EXE > nul
        12⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B62B9~1.EXE > nul
        11⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C066E~1.EXE > nul
        10⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{468BA~1.EXE > nul
        9⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6548~1.EXE > nul
        8⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2BEE~1.EXE > nul
        7⤵
        
        PID:3984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9237A~1.EXE > nul
        6⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D64B~1.EXE > nul
        5⤵
        
        PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2B3D8~1.EXE > nul
      4⤵
      PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2DFB~1.EXE > nul
    3⤵
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B3D89AF-082F-4b39-BFCA-C8470C7D4A22}.exe

Filesize
380KB

MD5
cc9efdb399abe69327b04a191ce96354

SHA1
f486b70627e3a521cfc77420dd205d45d0a29f44

SHA256
a7e6cba7ce21576d2244055ffa0faaa8885a58f37f6fee19036d3d19ef64c80e

SHA512
c87982acc835cb0be86e6242b26ec507dab77790f000c0d680d0d800e92e2bb3168af4f1a15f2c4da77aa94b109947aaa4ec6fd54d7406b03b4d2c9996011c4f

Download Submit
C:\Windows\{468BA55A-EE52-4642-8C1E-DA677E0B6CCA}.exe

Filesize
380KB

MD5
788bac2ddc07c96e7581067bdf20f581

SHA1
81797a4cb19f58e76c80e7e3502b5e4ad611c5de

SHA256
3b2d205656c55d1a2d1fe58a6c054cf6617246a5a2f1b9d3cc0acd3dced9c968

SHA512
77cdd7c12f04bc76dc6d5e44ed81142d5da94aa14df1fc015cd6cd5ddeda6df0be56111c850486b8b83c10d8019094d06b1e8b13d1422e1f94c0dc32b664b70d

Download Submit
C:\Windows\{50915BE9-6B67-4f16-AE94-B28209756847}.exe

Filesize
380KB

MD5
5883a2b2f4d23df19be59475b709a0bb

SHA1
96a8b5731230a87f86be90386226fc90ed80d195

SHA256
7b974d6de84c3e8bc2d01f20f698920caa35dfce71eb734ad21814198cb2f3da

SHA512
82c06a924269a33b057f0d1c3ccb3ea19b634c993e690cf802da934efd342db7f59c25ab79d2d7e6879591da03042d781603be5e52e6acefef30959d325e1cd3

Download Submit
C:\Windows\{5D64BFB1-AB4E-40b2-AB04-787EEC71C484}.exe

Filesize
380KB

MD5
d7aed3e09622f5cb9c148acda9709817

SHA1
2bbbeed3be3280c817a4aa4135eb6c786a2980f2

SHA256
267a9ed2f42fff21194b7778f053a67e9678fa4dc48700393b16a78258717043

SHA512
57cf3fa3f54d5d7dab297b32624b181579fccd4b6777d04b034a67677e1794a5cfecf42fbe56f0e6f26e252bb2ed20d3a77173adce7dd77b37e1482e0ff44512

Download Submit
C:\Windows\{787397C1-C644-41c5-A011-E6A3D20E4E59}.exe

Filesize
380KB

MD5
96e7e097bbe7fe46aff5663cfe035979

SHA1
d956c635f9ce91795a6d5a91395e6ed66afdab49

SHA256
2c429d63793ccbca7d39a2a09ce2eb013b91eb0c5fa9f5e7c55980dbbceb9cf1

SHA512
0c3373d0c77be010b6e4f91ee5154068d440362c0545eb5239256849ce9108a875ecc0ca06ae401329972af97c5dc65460cebd2b371bbbed2043ccc47b318d59

Download Submit
C:\Windows\{7CADFEF7-CE59-4e4c-8791-13A637D006D9}.exe

Filesize
380KB

MD5
68aa1f06155a315ccb9c3c740f8703ac

SHA1
15044733da845c09a5a01a11e35bc6870c063e8e

SHA256
213fa0772ff2bacadebead42dd6455b144b143b575d8de6858f4855be060487b

SHA512
424c38176b5cde53c2cb1ec1e96053cd4453bf557f1668f12265a34397c41ea8d01650509acb91fc209a0bd10ccc2cf2039b350551a10a133621753aa4aedd13

Download Submit
C:\Windows\{9237ADBA-1811-4f4d-A168-4ACE2DB91F60}.exe

Filesize
380KB

MD5
8a063096141115ae7245c4a85da54487

SHA1
6850f4a72779be1d6b2ad5cb26f7efbaa5de77e7

SHA256
2e883bb1dc6e8e6b6c6508f25b37a09f898f641440db3fb1543fa35ce8c607ee

SHA512
ac15c08918681ae9cc4aa52c2de195d93a8269ea1507e7ce2b615172ba150548bf71928f725e4c36bcb284b59f214f59516c59a810ca74a4ae93a714e6f368ae

Download Submit
C:\Windows\{A65483A1-25C3-4859-A094-47A52E75E0F7}.exe

Filesize
380KB

MD5
618ccf6108b25ef246756fad2eab4c12

SHA1
6a33cc4e917c4b38aefd973abeb66fe308db06ae

SHA256
0adf313ff51abec9d8aab6cdb4468e75c79fafaa2aca080bc5f88e9f32bdef4a

SHA512
81e44edab38a73e939c902bc3817f46e65760745952f6d426674a8ddee5f00cb1034b4ef07d0e768c34ab4a2b9e61bc95f9e7d53884429c3ea0af7c53107c689

Download Submit
C:\Windows\{B62B983C-366F-4390-9D42-8F10767884B7}.exe

Filesize
380KB

MD5
04859f527f25ba0c1b6993043b4f2261

SHA1
66b4a9375a14dcc1e6c67f18bbc1d1fbf83192ca

SHA256
6c67467e55a2e98e6b1cc9e62949289fb24230817879017538ded19bd26d27de

SHA512
79e30bdc9aa80a99d0fe577d5822e727b2b8f61f79730ac1bfd948630fce22ebf19fff869266f02727400ebd0da1ddd377a8f83a1c2ca8b8003d328d77732df5

Download Submit
C:\Windows\{C066E545-EFC4-4dce-92F6-5EBD51E3425D}.exe

Filesize
380KB

MD5
b73a88f5904e86035b14388aec5f359d

SHA1
8b18bc77d865f2496e72aae9cf71ebec7be1f6c7

SHA256
7d02447e22aab3e9501525b2c2ea7cd03e3e131dfffbcd190833e48027efedbf

SHA512
ed93467cc2d0a488e848dc2a54557a8c1cdb74b145fc6199dd6ea5f5204f6dc701167670b97c657cc47eabb2af54359a11e3150f4821b14d1b16210950c83d5f

Download Submit
C:\Windows\{D2BEE31C-E807-4326-9307-BEF64DE5B396}.exe

Filesize
380KB

MD5
d5eaadaf4b243d057963cabf86d4d2c2

SHA1
b8395fbdcd5f37ef3799303ee11dd632c4fabef0

SHA256
1c533994e6e9b99d79e4c8dae484fd87c49ecd6ba0d9aad610013e978e330831

SHA512
8b7a6f7561d47b34bb6b36473dfe59e40487df33f990c73bbcba153769a31f52c0c05bbaa77888431d9405855d86269d79e814afa72ae29b11a5bcd12ad1d897

Download Submit
C:\Windows\{D2DFBF81-82B2-4952-86C4-5D6434AB8A66}.exe

Filesize
380KB

MD5
55b113a71c9924e9d9feddaa256c2cd3

SHA1
446ae6571307e02e22526ba4de037fe499615816

SHA256
ce539994626366134cd061194d6a34256e6d522d74a6a432bc71cc74365c5f3e

SHA512
938e3b025acdede05f6463b61d7d3b0a7f44962c548855a4e852ce808739d99c6031456458ea434f93812aa6845e4666d5223759577ba8e5988295d8253f687b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads