e9ad494fcd90011a42146eb888a18681f8910a40d53e040fbe0db35f9bf52944

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe
Size

408KB
MD5

9a84b7e048153e283358868ba097287e
SHA1

46df13bc610ecfa846166b22ffb225e432117877
SHA256

e9ad494fcd90011a42146eb888a18681f8910a40d53e040fbe0db35f9bf52944
SHA512

3ca1ce5f8ef681b583cece33f4d7fc49b3a5f7b8ee5170620c9380c777a3ab6459083492fcd80eee3ff410712de23839bd87d211673182c339922e73f932de90
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGFldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231f6-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fd-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231f6-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d42-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6D1A4D9-1258-46cf-A2A8-759098E25E80}\stubpath = "C:\\Windows\\{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe"	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C913745-CE4E-4477-BDE5-460A3EB852D4}	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A096334-978A-41d7-931D-798A178E17EB}	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A096334-978A-41d7-931D-798A178E17EB}\stubpath = "C:\\Windows\\{6A096334-978A-41d7-931D-798A178E17EB}.exe"	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A39A7A36-B543-4b93-8271-8DDE8A85C54E}	{6A096334-978A-41d7-931D-798A178E17EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08826B9B-370E-48b2-95D1-893E899F4185}	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A22C285-D956-4567-BD75-DA137513C717}\stubpath = "C:\\Windows\\{4A22C285-D956-4567-BD75-DA137513C717}.exe"	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}\stubpath = "C:\\Windows\\{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe"	{4A22C285-D956-4567-BD75-DA137513C717}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C913745-CE4E-4477-BDE5-460A3EB852D4}\stubpath = "C:\\Windows\\{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe"	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}\stubpath = "C:\\Windows\\{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe"	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A22C285-D956-4567-BD75-DA137513C717}	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}\stubpath = "C:\\Windows\\{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe"	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08826B9B-370E-48b2-95D1-893E899F4185}\stubpath = "C:\\Windows\\{08826B9B-370E-48b2-95D1-893E899F4185}.exe"	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}\stubpath = "C:\\Windows\\{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe"	{08826B9B-370E-48b2-95D1-893E899F4185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B93BEEC-8571-4c7d-830F-65EB756A17BB}	{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B93BEEC-8571-4c7d-830F-65EB756A17BB}\stubpath = "C:\\Windows\\{7B93BEEC-8571-4c7d-830F-65EB756A17BB}.exe"	{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A39A7A36-B543-4b93-8271-8DDE8A85C54E}\stubpath = "C:\\Windows\\{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe"	{6A096334-978A-41d7-931D-798A178E17EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}	{08826B9B-370E-48b2-95D1-893E899F4185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}	{4A22C285-D956-4567-BD75-DA137513C717}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6D1A4D9-1258-46cf-A2A8-759098E25E80}	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}\stubpath = "C:\\Windows\\{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe"	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe

Executes dropped EXE 12 IoCs

pid	Process
220	{6A096334-978A-41d7-931D-798A178E17EB}.exe
2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe
4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe
3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe
1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe
572	{4A22C285-D956-4567-BD75-DA137513C717}.exe
1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe
2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe
4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe
4896	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe
2204	{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe
3836	{7B93BEEC-8571-4c7d-830F-65EB756A17BB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe
File created	C:\Windows\{4A22C285-D956-4567-BD75-DA137513C717}.exe	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe
File created	C:\Windows\{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe
File created	C:\Windows\{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe
File created	C:\Windows\{6A096334-978A-41d7-931D-798A178E17EB}.exe	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe
File created	C:\Windows\{08826B9B-370E-48b2-95D1-893E899F4185}.exe	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe
File created	C:\Windows\{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe	{4A22C285-D956-4567-BD75-DA137513C717}.exe
File created	C:\Windows\{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe
File created	C:\Windows\{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe
File created	C:\Windows\{7B93BEEC-8571-4c7d-830F-65EB756A17BB}.exe	{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe
File created	C:\Windows\{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe	{6A096334-978A-41d7-931D-798A178E17EB}.exe
File created	C:\Windows\{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe	{08826B9B-370E-48b2-95D1-893E899F4185}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3776	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	220	{6A096334-978A-41d7-931D-798A178E17EB}.exe
Token: SeIncBasePriorityPrivilege	2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe
Token: SeIncBasePriorityPrivilege	4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe
Token: SeIncBasePriorityPrivilege	3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe
Token: SeIncBasePriorityPrivilege	1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe
Token: SeIncBasePriorityPrivilege	572	{4A22C285-D956-4567-BD75-DA137513C717}.exe
Token: SeIncBasePriorityPrivilege	1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe
Token: SeIncBasePriorityPrivilege	2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe
Token: SeIncBasePriorityPrivilege	4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe
Token: SeIncBasePriorityPrivilege	4896	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe
Token: SeIncBasePriorityPrivilege	2204	{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 220	3776	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe	91
PID 3776 wrote to memory of 220	3776	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe	91
PID 3776 wrote to memory of 220	3776	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe	91
PID 3776 wrote to memory of 216	3776	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe	92
PID 3776 wrote to memory of 216	3776	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe	92
PID 3776 wrote to memory of 216	3776	2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe	92
PID 220 wrote to memory of 2640	220	{6A096334-978A-41d7-931D-798A178E17EB}.exe	93
PID 220 wrote to memory of 2640	220	{6A096334-978A-41d7-931D-798A178E17EB}.exe	93
PID 220 wrote to memory of 2640	220	{6A096334-978A-41d7-931D-798A178E17EB}.exe	93
PID 220 wrote to memory of 4136	220	{6A096334-978A-41d7-931D-798A178E17EB}.exe	94
PID 220 wrote to memory of 4136	220	{6A096334-978A-41d7-931D-798A178E17EB}.exe	94
PID 220 wrote to memory of 4136	220	{6A096334-978A-41d7-931D-798A178E17EB}.exe	94
PID 2640 wrote to memory of 4332	2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe	96
PID 2640 wrote to memory of 4332	2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe	96
PID 2640 wrote to memory of 4332	2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe	96
PID 2640 wrote to memory of 4492	2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe	97
PID 2640 wrote to memory of 4492	2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe	97
PID 2640 wrote to memory of 4492	2640	{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe	97
PID 4332 wrote to memory of 3512	4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe	98
PID 4332 wrote to memory of 3512	4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe	98
PID 4332 wrote to memory of 3512	4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe	98
PID 4332 wrote to memory of 3448	4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe	99
PID 4332 wrote to memory of 3448	4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe	99
PID 4332 wrote to memory of 3448	4332	{08826B9B-370E-48b2-95D1-893E899F4185}.exe	99
PID 3512 wrote to memory of 1020	3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe	100
PID 3512 wrote to memory of 1020	3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe	100
PID 3512 wrote to memory of 1020	3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe	100
PID 3512 wrote to memory of 1844	3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe	101
PID 3512 wrote to memory of 1844	3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe	101
PID 3512 wrote to memory of 1844	3512	{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe	101
PID 1020 wrote to memory of 572	1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe	102
PID 1020 wrote to memory of 572	1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe	102
PID 1020 wrote to memory of 572	1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe	102
PID 1020 wrote to memory of 2192	1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe	103
PID 1020 wrote to memory of 2192	1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe	103
PID 1020 wrote to memory of 2192	1020	{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe	103
PID 572 wrote to memory of 1520	572	{4A22C285-D956-4567-BD75-DA137513C717}.exe	104
PID 572 wrote to memory of 1520	572	{4A22C285-D956-4567-BD75-DA137513C717}.exe	104
PID 572 wrote to memory of 1520	572	{4A22C285-D956-4567-BD75-DA137513C717}.exe	104
PID 572 wrote to memory of 2932	572	{4A22C285-D956-4567-BD75-DA137513C717}.exe	105
PID 572 wrote to memory of 2932	572	{4A22C285-D956-4567-BD75-DA137513C717}.exe	105
PID 572 wrote to memory of 2932	572	{4A22C285-D956-4567-BD75-DA137513C717}.exe	105
PID 1520 wrote to memory of 2692	1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe	106
PID 1520 wrote to memory of 2692	1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe	106
PID 1520 wrote to memory of 2692	1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe	106
PID 1520 wrote to memory of 4416	1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe	107
PID 1520 wrote to memory of 4416	1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe	107
PID 1520 wrote to memory of 4416	1520	{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe	107
PID 2692 wrote to memory of 4744	2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe	108
PID 2692 wrote to memory of 4744	2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe	108
PID 2692 wrote to memory of 4744	2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe	108
PID 2692 wrote to memory of 3112	2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe	109
PID 2692 wrote to memory of 3112	2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe	109
PID 2692 wrote to memory of 3112	2692	{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe	109
PID 4744 wrote to memory of 4896	4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe	110
PID 4744 wrote to memory of 4896	4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe	110
PID 4744 wrote to memory of 4896	4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe	110
PID 4744 wrote to memory of 1104	4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe	111
PID 4744 wrote to memory of 1104	4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe	111
PID 4744 wrote to memory of 1104	4744	{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe	111
PID 4896 wrote to memory of 2204	4896	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe	112
PID 4896 wrote to memory of 2204	4896	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe	112
PID 4896 wrote to memory of 2204	4896	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe	112
PID 4896 wrote to memory of 380	4896	{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_9a84b7e048153e283358868ba097287e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\{6A096334-978A-41d7-931D-798A178E17EB}.exe
  C:\Windows\{6A096334-978A-41d7-931D-798A178E17EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe
    C:\Windows\{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{08826B9B-370E-48b2-95D1-893E899F4185}.exe
      C:\Windows\{08826B9B-370E-48b2-95D1-893E899F4185}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe
        
        C:\Windows\{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
      - C:\Windows\{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe
        
        C:\Windows\{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{4A22C285-D956-4567-BD75-DA137513C717}.exe
        
        C:\Windows\{4A22C285-D956-4567-BD75-DA137513C717}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe
        
        C:\Windows\{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe
        
        C:\Windows\{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe
        
        C:\Windows\{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe
        
        C:\Windows\{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe
        
        C:\Windows\{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{7B93BEEC-8571-4c7d-830F-65EB756A17BB}.exe
        
        C:\Windows\{7B93BEEC-8571-4c7d-830F-65EB756A17BB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8BE6~1.EXE > nul
        13⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C913~1.EXE > nul
        12⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{363FA~1.EXE > nul
        11⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D1A~1.EXE > nul
        10⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17E29~1.EXE > nul
        9⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A22C~1.EXE > nul
        8⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E5F5~1.EXE > nul
        7⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F224F~1.EXE > nul
        6⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08826~1.EXE > nul
        5⤵
        
        PID:3448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A39A7~1.EXE > nul
      4⤵
      PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A096~1.EXE > nul
    3⤵
    PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08826B9B-370E-48b2-95D1-893E899F4185}.exe

Filesize
408KB

MD5
af65c5c95ce6b2c0f5c47a889e6c3f2a

SHA1
2008a74763e1d7e73adeeeeff75be65b4906bcf1

SHA256
597ae0542aff43ecbe24aec81dd27729cb2f9000e0884a90877366ff422357a0

SHA512
5bbc1ee4136aecddf1fe07b1791fb773cc0fb0d4b6797d2800b28035d205621bbbbeba3c0c3034cf8ee79a70b16e2c4a11f50f79e77cd1ce44e768845f03b54e

Download Submit
C:\Windows\{17E29CC5-A5DA-4e88-AACB-F82A71C5D746}.exe

Filesize
408KB

MD5
e161ce70a9fd8c27cec87f18cc84a56f

SHA1
890793424df7c5f11fded9d412ae0bc047979177

SHA256
cc68b8ddf29472dd241765b8ac882fccd4486d16151701a7943d7731d0c39dfc

SHA512
0033b0b237051a6fda477f6d89d277d5be1f6b5f9d9b1f7048f88a06f3a0a7f370124be837c5d47c47d66d3a6ed20c807c1a83558252fda46f36412b294347de

Download Submit
C:\Windows\{363FA5BC-53BF-4a8c-ABEA-2030233B9FB8}.exe

Filesize
408KB

MD5
e503d43ae282b40a6ed6e2d78b6fbb85

SHA1
2fa96644d96f80be13a2691783c2233509350373

SHA256
a346bf335331d226231e785c00f8e2870eb2aa82f9f2264dce0141a89ba76b82

SHA512
340310eebcf7b1dc16e829f16c2eb4dd875cd97199d0a4de8baa59e715f1ac5f55d4cad3dfe147530caf0497f2678f758f2e7c58f2047deedcf4bc02c5cbc74f

Download Submit
C:\Windows\{4A22C285-D956-4567-BD75-DA137513C717}.exe

Filesize
408KB

MD5
8eb8d432852c00b6addeec6be287bb67

SHA1
06bbf4e3d60b31febec4108ef743a741f9aedfa7

SHA256
8fe9ccb39700e83e1b9f913e61a8665a058b88dd6eec72b9008031dc64f243c0

SHA512
6fe168796598261ac10d992b69db1fc794b3c922e27fff09d51648ded0a5a3d2cd503810d7099060f29399d35e6bc7ae164ab16a8605535919b857c455dec039

Download Submit
C:\Windows\{6A096334-978A-41d7-931D-798A178E17EB}.exe

Filesize
408KB

MD5
4b71db8e9b9e3696a2df50e6fa74feeb

SHA1
4804d980abca846b7aed6b2d84e1f8a3fefa8951

SHA256
4fcdf4c4df4c4c2ba6af735f4acc870b936ac8bfda6ad9a67b855130927ba402

SHA512
40f638933d8b0f7bd12e3d223aefb43ec18af82f2899c8a64a50d9ccc99ac82496f2260de33d16d5ab8c50f0181535ce66f4ed4127981e34e0c1961ae9022c21

Download Submit
C:\Windows\{6E5F5C5B-AFF7-4dbf-AEF8-9A12D7AC964C}.exe

Filesize
408KB

MD5
79ba3ba75c0a62578c9d8f4f0a94dd77

SHA1
ed230ea87324aa48c595092e1714971ce0f7ca32

SHA256
03d4cb2fa2ea7482cf112eb35f3b159886087dd80f008df187edcc67c5c0bb97

SHA512
77d36f373eebae1bf1a7f9dd9603af700a863d5ad7318f00fc22dcd797a7ace361b76405c1e3b07530c1c3d0b088c1a0dfe2c0d1f347dead861d49b433877425

Download Submit
C:\Windows\{7B93BEEC-8571-4c7d-830F-65EB756A17BB}.exe

Filesize
408KB

MD5
3412d6727c813088c5902f8084a0c9dd

SHA1
176129aa55fc827a39e9446b76ac90b8e965f169

SHA256
01303f615002b222488afe84e5d269020d493011f6ad11684c34e1f2ebe103f2

SHA512
ce511bdf6f713864c27022002a6e5de583b040058dc698e5618ac6d51f9bbfd5af4b8edf2a3e4da379b0aedab078186b59c87a54c8e95fd9c21546a4a44bc547

Download Submit
C:\Windows\{8C913745-CE4E-4477-BDE5-460A3EB852D4}.exe

Filesize
408KB

MD5
58ece1c18071b15c758ebfeedd7f74ba

SHA1
35b6ba858a5945c2dd65788272d90a282938e127

SHA256
16937908be79a8b8d990c45ec1fabfaa6ddb5a553f7534baf2313f282a4c9ca8

SHA512
33ff063ac2e6b93b4b2ce6539c4bc1dad8c80520de2f3b272afe8de333af203ca8ca2168eda02d06268dd2735dbb70ebc730dbf104e8a7069cb50025e8bd60de

Download Submit
C:\Windows\{A39A7A36-B543-4b93-8271-8DDE8A85C54E}.exe

Filesize
408KB

MD5
47ba2882214a0e039147ca45e2d2f54b

SHA1
d291443382ae11e873ea9be24fc19cd8ef82db4e

SHA256
a2c44bbc0b4d555cc3880d9f2234afd58a80f898eaaf687e71f76b5ee39233f9

SHA512
b1b6a3a31fb1cd19c3b81b286b71840a63a0ab5313ec196875d66553f0d28029c78cd3d4f4857f88d6884cff347bed9287bd3a24ccaf420a632c1b6f8d4a525d

Download Submit
C:\Windows\{B8BE65FE-BE51-40c6-A0ED-AFB814B3C20B}.exe

Filesize
408KB

MD5
9a6327016da0a8c3e5b014adb74626b5

SHA1
523f5583dd0a146c408407828309a6b54b049384

SHA256
9f76b71d1d61fbfe13e9e1080ce743efa6a86d1745c08ec9333f288fe35a2eba

SHA512
93fe02b030b321e8ce74423bc9ca4cc220ffac9eb069784d31375fce9753ba429d38aa2c947c00216e9eda33854b6b77db32eef6cc1a088474eef70fac13d6e7

Download Submit
C:\Windows\{F224F01F-813A-42bc-8C2D-FC4AD4FA9154}.exe

Filesize
408KB

MD5
0c1b636165b846c8b65d02b9cfddb3c1

SHA1
b585e7bd062a9b93e413b7389b6fd9a6d94dd337

SHA256
6474ba88340daec099964911ad843bbdc6d671075124bb6c9dd614ae54ce6dab

SHA512
8a9e8473dba25c2a9e016718523f9b1010b3d19f3811f226191ea843f49c35f91c1b43379456d5648b2c836b1fa1b7df726aa0bf0bf7862b883b0311c48a8447

Download Submit
C:\Windows\{F6D1A4D9-1258-46cf-A2A8-759098E25E80}.exe

Filesize
408KB

MD5
b648e60e84f1b1e411f8806fd1df504c

SHA1
a2ded75c991d5e1c436855b4eff41f895bab6960

SHA256
f97ebc4553cb9bc481827e80088966ed891d91e9a06a6a6cd3e47ad62210cd65

SHA512
71a72cb3f4794e839a69a835f34e9857c0e09bccfa6703978cbd6513115ca79b2c4627ffb11fe3e6be35d1567c35c670610238040f4a0971442b328a5483d0dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads