bb104483b76e984f3bdd7051a4ce3fcaecd5fe61bcba513fc4052cfb04486286

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 11:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe
Size

380KB
MD5

6f56a19ff2c437eed444ff63094b403f
SHA1

dfe57fd59378865717cd990018cbcc6c40ad0fb0
SHA256

bb104483b76e984f3bdd7051a4ce3fcaecd5fe61bcba513fc4052cfb04486286
SHA512

ff1fc643ceb2089880c2089e8bc598339d36d7456219981b8f28fb8135a36288c05c55a143eab98d153d3e4ce8f62d1f3c688571c0d3a4738c0e3987a86037db
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231ef-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231fc-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023204-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231fc-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}\stubpath = "C:\\Windows\\{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe"	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A01B147-8668-462e-8C2C-3F8F1017A19A}	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}\stubpath = "C:\\Windows\\{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe"	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}\stubpath = "C:\\Windows\\{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe"	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A1AF15-3171-4561-BACF-10CE24C452B3}	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A1AF15-3171-4561-BACF-10CE24C452B3}\stubpath = "C:\\Windows\\{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe"	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27011C5C-47A9-44ee-8798-9FDFA08267AA}\stubpath = "C:\\Windows\\{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe"	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C964A6-122D-4981-955A-FEAC1818037D}	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A01B147-8668-462e-8C2C-3F8F1017A19A}\stubpath = "C:\\Windows\\{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe"	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D7FC34-0FD8-429c-AA18-B1D61054B135}	{C168F85E-4447-4823-9B86-6CAF541921E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27011C5C-47A9-44ee-8798-9FDFA08267AA}	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}\stubpath = "C:\\Windows\\{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe"	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}\stubpath = "C:\\Windows\\{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe"	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C5AA51D-AF23-4a3c-B172-970857341369}	{04C964A6-122D-4981-955A-FEAC1818037D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C5AA51D-AF23-4a3c-B172-970857341369}\stubpath = "C:\\Windows\\{7C5AA51D-AF23-4a3c-B172-970857341369}.exe"	{04C964A6-122D-4981-955A-FEAC1818037D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C964A6-122D-4981-955A-FEAC1818037D}\stubpath = "C:\\Windows\\{04C964A6-122D-4981-955A-FEAC1818037D}.exe"	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C168F85E-4447-4823-9B86-6CAF541921E8}	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C168F85E-4447-4823-9B86-6CAF541921E8}\stubpath = "C:\\Windows\\{C168F85E-4447-4823-9B86-6CAF541921E8}.exe"	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D7FC34-0FD8-429c-AA18-B1D61054B135}\stubpath = "C:\\Windows\\{D4D7FC34-0FD8-429c-AA18-B1D61054B135}.exe"	{C168F85E-4447-4823-9B86-6CAF541921E8}.exe

Executes dropped EXE 12 IoCs

pid	Process
3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe
3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe
1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe
2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe
4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe
1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe
4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe
4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe
940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe
5064	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe
4540	{C168F85E-4447-4823-9B86-6CAF541921E8}.exe
4124	{D4D7FC34-0FD8-429c-AA18-B1D61054B135}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe
File created	C:\Windows\{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe
File created	C:\Windows\{04C964A6-122D-4981-955A-FEAC1818037D}.exe	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe
File created	C:\Windows\{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe
File created	C:\Windows\{C168F85E-4447-4823-9B86-6CAF541921E8}.exe	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe
File created	C:\Windows\{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe
File created	C:\Windows\{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe
File created	C:\Windows\{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe
File created	C:\Windows\{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe
File created	C:\Windows\{7C5AA51D-AF23-4a3c-B172-970857341369}.exe	{04C964A6-122D-4981-955A-FEAC1818037D}.exe
File created	C:\Windows\{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe
File created	C:\Windows\{D4D7FC34-0FD8-429c-AA18-B1D61054B135}.exe	{C168F85E-4447-4823-9B86-6CAF541921E8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1548	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe
Token: SeIncBasePriorityPrivilege	3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe
Token: SeIncBasePriorityPrivilege	1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe
Token: SeIncBasePriorityPrivilege	2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe
Token: SeIncBasePriorityPrivilege	4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe
Token: SeIncBasePriorityPrivilege	1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe
Token: SeIncBasePriorityPrivilege	4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe
Token: SeIncBasePriorityPrivilege	4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe
Token: SeIncBasePriorityPrivilege	940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe
Token: SeIncBasePriorityPrivilege	5064	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe
Token: SeIncBasePriorityPrivilege	4540	{C168F85E-4447-4823-9B86-6CAF541921E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 3564	1548	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe	95
PID 1548 wrote to memory of 3564	1548	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe	95
PID 1548 wrote to memory of 3564	1548	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe	95
PID 1548 wrote to memory of 2576	1548	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe	96
PID 1548 wrote to memory of 2576	1548	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe	96
PID 1548 wrote to memory of 2576	1548	2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe	96
PID 3564 wrote to memory of 3728	3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe	97
PID 3564 wrote to memory of 3728	3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe	97
PID 3564 wrote to memory of 3728	3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe	97
PID 3564 wrote to memory of 4888	3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe	98
PID 3564 wrote to memory of 4888	3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe	98
PID 3564 wrote to memory of 4888	3564	{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe	98
PID 3728 wrote to memory of 1716	3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe	100
PID 3728 wrote to memory of 1716	3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe	100
PID 3728 wrote to memory of 1716	3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe	100
PID 3728 wrote to memory of 1448	3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe	101
PID 3728 wrote to memory of 1448	3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe	101
PID 3728 wrote to memory of 1448	3728	{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe	101
PID 1716 wrote to memory of 2164	1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe	102
PID 1716 wrote to memory of 2164	1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe	102
PID 1716 wrote to memory of 2164	1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe	102
PID 1716 wrote to memory of 3296	1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe	103
PID 1716 wrote to memory of 3296	1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe	103
PID 1716 wrote to memory of 3296	1716	{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe	103
PID 2164 wrote to memory of 4696	2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe	104
PID 2164 wrote to memory of 4696	2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe	104
PID 2164 wrote to memory of 4696	2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe	104
PID 2164 wrote to memory of 3732	2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe	105
PID 2164 wrote to memory of 3732	2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe	105
PID 2164 wrote to memory of 3732	2164	{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe	105
PID 4696 wrote to memory of 1976	4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe	106
PID 4696 wrote to memory of 1976	4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe	106
PID 4696 wrote to memory of 1976	4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe	106
PID 4696 wrote to memory of 1908	4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe	107
PID 4696 wrote to memory of 1908	4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe	107
PID 4696 wrote to memory of 1908	4696	{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe	107
PID 1976 wrote to memory of 4596	1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe	108
PID 1976 wrote to memory of 4596	1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe	108
PID 1976 wrote to memory of 4596	1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe	108
PID 1976 wrote to memory of 1648	1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe	109
PID 1976 wrote to memory of 1648	1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe	109
PID 1976 wrote to memory of 1648	1976	{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe	109
PID 4596 wrote to memory of 4280	4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe	110
PID 4596 wrote to memory of 4280	4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe	110
PID 4596 wrote to memory of 4280	4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe	110
PID 4596 wrote to memory of 4312	4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe	111
PID 4596 wrote to memory of 4312	4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe	111
PID 4596 wrote to memory of 4312	4596	{04C964A6-122D-4981-955A-FEAC1818037D}.exe	111
PID 4280 wrote to memory of 940	4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe	112
PID 4280 wrote to memory of 940	4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe	112
PID 4280 wrote to memory of 940	4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe	112
PID 4280 wrote to memory of 3148	4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe	113
PID 4280 wrote to memory of 3148	4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe	113
PID 4280 wrote to memory of 3148	4280	{7C5AA51D-AF23-4a3c-B172-970857341369}.exe	113
PID 940 wrote to memory of 5064	940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe	114
PID 940 wrote to memory of 5064	940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe	114
PID 940 wrote to memory of 5064	940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe	114
PID 940 wrote to memory of 4020	940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe	115
PID 940 wrote to memory of 4020	940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe	115
PID 940 wrote to memory of 4020	940	{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe	115
PID 5064 wrote to memory of 4540	5064	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe	116
PID 5064 wrote to memory of 4540	5064	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe	116
PID 5064 wrote to memory of 4540	5064	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe	116
PID 5064 wrote to memory of 4264	5064	{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_6f56a19ff2c437eed444ff63094b403f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe
  C:\Windows\{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe
    C:\Windows\{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe
      C:\Windows\{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe
        
        C:\Windows\{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe
        
        C:\Windows\{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe
        
        C:\Windows\{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{04C964A6-122D-4981-955A-FEAC1818037D}.exe
        
        C:\Windows\{04C964A6-122D-4981-955A-FEAC1818037D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\{7C5AA51D-AF23-4a3c-B172-970857341369}.exe
        
        C:\Windows\{7C5AA51D-AF23-4a3c-B172-970857341369}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe
        
        C:\Windows\{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe
        
        C:\Windows\{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{C168F85E-4447-4823-9B86-6CAF541921E8}.exe
        
        C:\Windows\{C168F85E-4447-4823-9B86-6CAF541921E8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
        
        C:\Windows\{D4D7FC34-0FD8-429c-AA18-B1D61054B135}.exe
        
        C:\Windows\{D4D7FC34-0FD8-429c-AA18-B1D61054B135}.exe
        13⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C168F~1.EXE > nul
        13⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17F89~1.EXE > nul
        12⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A01B~1.EXE > nul
        11⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C5AA~1.EXE > nul
        10⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04C96~1.EXE > nul
        9⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26DBD~1.EXE > nul
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{634FE~1.EXE > nul
        7⤵
        
        PID:1908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27011~1.EXE > nul
        6⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1A1A~1.EXE > nul
        5⤵
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{007B7~1.EXE > nul
      4⤵
      PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC94C~1.EXE > nul
    3⤵
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{007B7A1C-DCE0-4cda-90A6-EC3F6CBE9EA2}.exe

Filesize
380KB

MD5
36b67e77f77971c21e44101df9689a9c

SHA1
586e38fbb3292b389d4aff4395b1e8b590dba786

SHA256
5374263fbfcfa7a7c081505fbd8dbe56b8479c43c6cefe5b2206b3501c28db7e

SHA512
474b364fcd801e935c6e12b3335eeb8b341958944744a0e3195d996c58bef1e65992a2604c0e556e7c7f50933c0ef3fbc4d496d60de9f151e832fa6668864c81

Download Submit
C:\Windows\{04C964A6-122D-4981-955A-FEAC1818037D}.exe

Filesize
380KB

MD5
d3eea187dc3432b03720295c4c49a0e3

SHA1
8580987fe37524b4d3ace0deaa49235a52efdb7a

SHA256
4130fce93f026be00cea003afbf94d011b865c4917f6e2a4c01da3794285a3ba

SHA512
95a552f0fa409c2c87c5c4ccb9d9df1458108c3aad900e55f1d73f734ae9bc87798d20a86e9ec4ce74a3491b1ce61d99c02fcaccca95d25ea4230e809e28312b

Download Submit
C:\Windows\{17F89E29-7C3F-487f-8A5F-AFFAAC25011A}.exe

Filesize
380KB

MD5
7af79370685a36fe10e3cc7f15614a25

SHA1
48b2ec86689a4af451ac665bc5167835a39fc638

SHA256
715874cbf09e46e8787e56618f6737e316e7e1ba0289cb8533be96eae42b9d42

SHA512
c0db1d055b6084913baf382940c41390b02c0cfa3eab03824316e3e52b96a13aaff6529b407781c3af6d03d55c1abf6f4ecb72fe119a17eb96b8bba36c1cbc40

Download Submit
C:\Windows\{26DBD659-F69F-4cd5-9DBA-6DB94EAC23E7}.exe

Filesize
380KB

MD5
4a4e8932c882c883677b28233ba547b4

SHA1
629853cda8a87c5699a546e34179a8da6afd8af1

SHA256
8936956047176a4582873555a8e4759fd26db884bab53e9d82c721c4733175bc

SHA512
75a66814a5e4ffb07070d26af6fa54e6cc052672c06dc46837493eb6910222c9114e46fb7387d821af6765f4f03636d20a51835abe06d5522b764fbafa4d090a

Download Submit
C:\Windows\{27011C5C-47A9-44ee-8798-9FDFA08267AA}.exe

Filesize
380KB

MD5
ed3033b1725129e34c27f30bc00b4efc

SHA1
261fa5c424810a386b73f7116ffc367e67d7e900

SHA256
3071e04b37d9214d70c6bfa34f0b4e0925f0753eb06e3d46b7748f761b6611d6

SHA512
d97140cf388917b15ebced3827ef75614e7daba2d2cbc0be4e86617428397f86914ba88431dd6910b617eab046f0ddfefe0a6ad915ce8a9c6a0e02879ea8fb04

Download Submit
C:\Windows\{634FEAF6-5E30-4019-9A85-BD1FAC2B6935}.exe

Filesize
380KB

MD5
b2df4146f506d3d5f8ba4ef0bd9d7f67

SHA1
1d3e305658a8410a62a8776ab4092badaaab1bac

SHA256
0a65fff2499c938d48f46f776d5878058b3462b1eaedeba0c79d02eb35bfe0ed

SHA512
0c15ab1aba7a4e80e02b9f69c84a1f9886e32e9ac6378700dfa07b7c54a041b92941ac04bea853986e865c490095f3f214b7471493d1e37ab615a561d7ddc821

Download Submit
C:\Windows\{7C5AA51D-AF23-4a3c-B172-970857341369}.exe

Filesize
380KB

MD5
8027bd42c099ce419396133b17576dd2

SHA1
0233bab5e2fa7f6fb3c50a84b536e30f5745c1ec

SHA256
85436c9d769e9e4b4817822facc873c660d51b4b285cf928260506bbbe5965c6

SHA512
83aad016a85abb8f932218e9232c9ba78517ec1631d79743da1cf1e1113c0d84d5b977bffb0a83fbf856be49b726bfb51ab822cce56c9cff8313c9b81389bac7

Download Submit
C:\Windows\{8A01B147-8668-462e-8C2C-3F8F1017A19A}.exe

Filesize
380KB

MD5
6705ac5a456c54a1d272e743e7f4cf89

SHA1
46223d49067fb8daf34a0a1bae4800e1748e9952

SHA256
f8008360cbe1dac863c973517e9aa3d340b6223247b0a98acc0653ca1c5c88fb

SHA512
190c693dd266fba4308aea74be02c1eac8cd6c06bb533e531279cde81e4547bb440e65c4384ca7da901f0667de04ffefcc036ec7f007d4aded3c05426b64eb8f

Download Submit
C:\Windows\{C168F85E-4447-4823-9B86-6CAF541921E8}.exe

Filesize
380KB

MD5
9677ff2633535e7c1b9739b7667bcb68

SHA1
0ef30f50cb94b073c3ace0f49959b3fa1ec32948

SHA256
ec5a7b747bca3048487a689dd74a06e8ccbb16294730d0914669196c10d20b88

SHA512
036f0bf6cdac0738d5b8405192f415641ddaf9643d924ac3a71b89846ec967646d736eb67b92f8c2ab03527371fbc4b2688685f291e922153d5c13269ea3f9ec

Download Submit
C:\Windows\{D4D7FC34-0FD8-429c-AA18-B1D61054B135}.exe

Filesize
380KB

MD5
82358d8635207dd0dee44e6bb274d1a9

SHA1
c89bbdd6485e735a9015593386ad7d0c951d444b

SHA256
73b6265c82de681fbe8b92fc04f3fde6d1bf55d0c240124d0275a7ebf5854b21

SHA512
40277f200b1ba73a07525386133c823e1bd415746ffca5d03d7df8972af2b973416f0a667c2d30ac29992d65ca30f4f01a0affd13dd3c6cf671101b283e91309

Download Submit
C:\Windows\{DC94C59D-789B-4fd9-BB7E-99F36D175AB9}.exe

Filesize
380KB

MD5
34a4cd659e16d05595f18153c99b024c

SHA1
f747ae6eac93ee5017f2b8ce2f2ba9e97251c6ca

SHA256
bfeaec23ac32c58b61a94d1f38cc160e5648fac1754c85726865ae4c40184fb9

SHA512
7f02b41e3b62050d9a173567d91aba99dbca201fdd3852ae03d8aec6e54324206dfb24485e5180f5db78b550d367d31d02b2146550779204a427c42c335359ec

Download Submit
C:\Windows\{E1A1AF15-3171-4561-BACF-10CE24C452B3}.exe

Filesize
380KB

MD5
00dd3fc92a1314b06ae0ebc447d93ceb

SHA1
8444704aa96f6c276947d3bc93230a4cf3ad6d43

SHA256
9fd638c483b3a3b6c5e2e895b30ff88b9e4248d5c332d30c7480548bb9368103

SHA512
7c0ed4bf8944388f197accc29ca85f76ef9ef7a3996b5e3d9a9d97db428248c220a1b93b7e1f6db930330004e502e12b21a66254045343dc2d5699f9b3235452

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads