4b78051774b5c521e900ca48e31670d15c06f571c98ebd87000b1ca7acdc13fa

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 19:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe
Size

408KB
MD5

fb2d55ad242c2b7414390b13743ad292
SHA1

832b2459312e787b7bf40b6ac64b742d9b059dce
SHA256

4b78051774b5c521e900ca48e31670d15c06f571c98ebd87000b1ca7acdc13fa
SHA512

f85b85cb4489e39703adb7e2214a7d108e2fa1606f51367ca0d08c69708f65426a26d9d8fe8c40b57c2c384843951461e0df0d8e52b3c4d69ce6406409262b52
SSDEEP

3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGRldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f5-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fc-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023024-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1011DFA8-FDEE-45dd-9AFA-B29426285607}\stubpath = "C:\\Windows\\{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe"	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA33254-F69A-4893-95E9-6A8EA70677F5}	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0181615-1116-4512-9AEC-A55F2BDC30CB}	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0181615-1116-4512-9AEC-A55F2BDC30CB}\stubpath = "C:\\Windows\\{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe"	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4575E93-5644-4b5a-88FF-7AC989E6A43B}\stubpath = "C:\\Windows\\{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe"	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908B266D-49D5-41be-9B2C-F394A113154F}\stubpath = "C:\\Windows\\{908B266D-49D5-41be-9B2C-F394A113154F}.exe"	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314B47EB-3B78-4f49-A098-76FC5DA02A25}\stubpath = "C:\\Windows\\{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe"	{908B266D-49D5-41be-9B2C-F394A113154F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28600EB-A69B-406c-B117-642523D81F4B}	{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1011DFA8-FDEE-45dd-9AFA-B29426285607}	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{365348A5-9286-4e34-993D-F90EF1007A74}	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{365348A5-9286-4e34-993D-F90EF1007A74}\stubpath = "C:\\Windows\\{365348A5-9286-4e34-993D-F90EF1007A74}.exe"	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}	{365348A5-9286-4e34-993D-F90EF1007A74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}\stubpath = "C:\\Windows\\{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe"	{365348A5-9286-4e34-993D-F90EF1007A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A6FE01F-750F-4176-AFBB-B2221AF727D5}	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA33254-F69A-4893-95E9-6A8EA70677F5}\stubpath = "C:\\Windows\\{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe"	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4575E93-5644-4b5a-88FF-7AC989E6A43B}	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}\stubpath = "C:\\Windows\\{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe"	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908B266D-49D5-41be-9B2C-F394A113154F}	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314B47EB-3B78-4f49-A098-76FC5DA02A25}	{908B266D-49D5-41be-9B2C-F394A113154F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A6FE01F-750F-4176-AFBB-B2221AF727D5}\stubpath = "C:\\Windows\\{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe"	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}\stubpath = "C:\\Windows\\{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe"	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28600EB-A69B-406c-B117-642523D81F4B}\stubpath = "C:\\Windows\\{D28600EB-A69B-406c-B117-642523D81F4B}.exe"	{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe

Executes dropped EXE 12 IoCs

pid	Process
2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe
1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe
1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe
4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe
1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe
4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe
5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe
4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe
380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe
2480	{908B266D-49D5-41be-9B2C-F394A113154F}.exe
4272	{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe
2564	{D28600EB-A69B-406c-B117-642523D81F4B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe	{365348A5-9286-4e34-993D-F90EF1007A74}.exe
File created	C:\Windows\{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe
File created	C:\Windows\{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe
File created	C:\Windows\{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe
File created	C:\Windows\{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe
File created	C:\Windows\{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe	{908B266D-49D5-41be-9B2C-F394A113154F}.exe
File created	C:\Windows\{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe
File created	C:\Windows\{365348A5-9286-4e34-993D-F90EF1007A74}.exe	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe
File created	C:\Windows\{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe
File created	C:\Windows\{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe
File created	C:\Windows\{908B266D-49D5-41be-9B2C-F394A113154F}.exe	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe
File created	C:\Windows\{D28600EB-A69B-406c-B117-642523D81F4B}.exe	{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3012	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe
Token: SeIncBasePriorityPrivilege	1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe
Token: SeIncBasePriorityPrivilege	1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe
Token: SeIncBasePriorityPrivilege	4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe
Token: SeIncBasePriorityPrivilege	1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe
Token: SeIncBasePriorityPrivilege	4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe
Token: SeIncBasePriorityPrivilege	5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe
Token: SeIncBasePriorityPrivilege	4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe
Token: SeIncBasePriorityPrivilege	380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe
Token: SeIncBasePriorityPrivilege	2480	{908B266D-49D5-41be-9B2C-F394A113154F}.exe
Token: SeIncBasePriorityPrivilege	4272	{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2676	3012	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe	91
PID 3012 wrote to memory of 2676	3012	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe	91
PID 3012 wrote to memory of 2676	3012	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe	91
PID 3012 wrote to memory of 3920	3012	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe	92
PID 3012 wrote to memory of 3920	3012	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe	92
PID 3012 wrote to memory of 3920	3012	2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe	92
PID 2676 wrote to memory of 1912	2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe	93
PID 2676 wrote to memory of 1912	2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe	93
PID 2676 wrote to memory of 1912	2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe	93
PID 2676 wrote to memory of 2872	2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe	94
PID 2676 wrote to memory of 2872	2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe	94
PID 2676 wrote to memory of 2872	2676	{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe	94
PID 1912 wrote to memory of 1104	1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe	96
PID 1912 wrote to memory of 1104	1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe	96
PID 1912 wrote to memory of 1104	1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe	96
PID 1912 wrote to memory of 2344	1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe	97
PID 1912 wrote to memory of 2344	1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe	97
PID 1912 wrote to memory of 2344	1912	{365348A5-9286-4e34-993D-F90EF1007A74}.exe	97
PID 1104 wrote to memory of 4916	1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe	98
PID 1104 wrote to memory of 4916	1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe	98
PID 1104 wrote to memory of 4916	1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe	98
PID 1104 wrote to memory of 2176	1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe	99
PID 1104 wrote to memory of 2176	1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe	99
PID 1104 wrote to memory of 2176	1104	{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe	99
PID 4916 wrote to memory of 1356	4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe	100
PID 4916 wrote to memory of 1356	4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe	100
PID 4916 wrote to memory of 1356	4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe	100
PID 4916 wrote to memory of 4040	4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe	101
PID 4916 wrote to memory of 4040	4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe	101
PID 4916 wrote to memory of 4040	4916	{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe	101
PID 1356 wrote to memory of 4760	1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe	102
PID 1356 wrote to memory of 4760	1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe	102
PID 1356 wrote to memory of 4760	1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe	102
PID 1356 wrote to memory of 1436	1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe	103
PID 1356 wrote to memory of 1436	1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe	103
PID 1356 wrote to memory of 1436	1356	{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe	103
PID 4760 wrote to memory of 5108	4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe	104
PID 4760 wrote to memory of 5108	4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe	104
PID 4760 wrote to memory of 5108	4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe	104
PID 4760 wrote to memory of 4200	4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe	105
PID 4760 wrote to memory of 4200	4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe	105
PID 4760 wrote to memory of 4200	4760	{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe	105
PID 5108 wrote to memory of 4544	5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe	106
PID 5108 wrote to memory of 4544	5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe	106
PID 5108 wrote to memory of 4544	5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe	106
PID 5108 wrote to memory of 4768	5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe	107
PID 5108 wrote to memory of 4768	5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe	107
PID 5108 wrote to memory of 4768	5108	{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe	107
PID 4544 wrote to memory of 380	4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe	108
PID 4544 wrote to memory of 380	4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe	108
PID 4544 wrote to memory of 380	4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe	108
PID 4544 wrote to memory of 2948	4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe	109
PID 4544 wrote to memory of 2948	4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe	109
PID 4544 wrote to memory of 2948	4544	{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe	109
PID 380 wrote to memory of 2480	380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe	110
PID 380 wrote to memory of 2480	380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe	110
PID 380 wrote to memory of 2480	380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe	110
PID 380 wrote to memory of 4352	380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe	111
PID 380 wrote to memory of 4352	380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe	111
PID 380 wrote to memory of 4352	380	{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe	111
PID 2480 wrote to memory of 4272	2480	{908B266D-49D5-41be-9B2C-F394A113154F}.exe	112
PID 2480 wrote to memory of 4272	2480	{908B266D-49D5-41be-9B2C-F394A113154F}.exe	112
PID 2480 wrote to memory of 4272	2480	{908B266D-49D5-41be-9B2C-F394A113154F}.exe	112
PID 2480 wrote to memory of 3768	2480	{908B266D-49D5-41be-9B2C-F394A113154F}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_fb2d55ad242c2b7414390b13743ad292_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe
  C:\Windows\{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\{365348A5-9286-4e34-993D-F90EF1007A74}.exe
    C:\Windows\{365348A5-9286-4e34-993D-F90EF1007A74}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe
      C:\Windows\{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe
        
        C:\Windows\{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Windows\{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe
        
        C:\Windows\{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe
        
        C:\Windows\{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe
        
        C:\Windows\{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe
        
        C:\Windows\{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe
        
        C:\Windows\{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{908B266D-49D5-41be-9B2C-F394A113154F}.exe
        
        C:\Windows\{908B266D-49D5-41be-9B2C-F394A113154F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe
        
        C:\Windows\{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
        
        C:\Windows\{D28600EB-A69B-406c-B117-642523D81F4B}.exe
        
        C:\Windows\{D28600EB-A69B-406c-B117-642523D81F4B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{314B4~1.EXE > nul
        13⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{908B2~1.EXE > nul
        12⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A64~1.EXE > nul
        11⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4575~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0181~1.EXE > nul
        9⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA33~1.EXE > nul
        8⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCD0E~1.EXE > nul
        7⤵
        
        PID:1436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A6FE~1.EXE > nul
        6⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F435F~1.EXE > nul
        5⤵
        
        PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36534~1.EXE > nul
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1011D~1.EXE > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1011DFA8-FDEE-45dd-9AFA-B29426285607}.exe

Filesize
408KB

MD5
644734406925b27c89884e1217def057

SHA1
de679a9a06106390994f930bcc0e26a0e9da4828

SHA256
4f35383d83a6fd7c054a73209ca72a17f0fc39d94f89ec446c8da03e4a575466

SHA512
c5665ca95c9eec253eae69528ae08e5060c7a8aa1783cdc779c549116042791a47e1c3b276785f09256d7bdc98c47590d11e4a269482637c262964ca98377702

Download Submit
C:\Windows\{314B47EB-3B78-4f49-A098-76FC5DA02A25}.exe

Filesize
408KB

MD5
c5789ef1c3134399ad8c1fcb1e1a4216

SHA1
a0c78826c7e54ca123ff09140e22300b5fd9c728

SHA256
f020227810a9e9e34b6c4c90ae9c68f95869bd0ffa4b596f1b68fda71a16c519

SHA512
9a3b07d6dce8a8522c92287d3b717c4551e239241f6665d712583d586cf8200bcd9017838613c3fb990d7b71ea86f8cea74aaded592d96a4550b80d4f6ac9c4b

Download Submit
C:\Windows\{365348A5-9286-4e34-993D-F90EF1007A74}.exe

Filesize
408KB

MD5
60decc414a1e52344c949a252c65fa64

SHA1
2d5ac67c53d8fd0d0ad16901b861d55f88b93004

SHA256
b7f51ec58f6f9842e550ece52efebf2e049334c47d995284d6b71a7194640491

SHA512
b742e42ea281f92c100e4ce67e174533ec930b22339fa8f890e9c1cb801800e98adb5d1f1d311e457d94f0518da6f0bb00f662123c3a7b81b73e3c3b57b4f045

Download Submit
C:\Windows\{3A6FE01F-750F-4176-AFBB-B2221AF727D5}.exe

Filesize
408KB

MD5
c1170b1e99428426683a26d1235516b2

SHA1
9758f755f9462ac05ba79c1955c92b1894bdeb29

SHA256
6825ba1afc3f3dd6e522dfe387026f5c5553ef48c39409acf1dd2520feec3ac8

SHA512
eb3b680776558ef7f54d56f0c680254b8f67cf4360f408f0c131efbab5457de969cde8e186d6cb841c9b590528c4e748d500fc3d146922bb5b5c266dedbbc7d4

Download Submit
C:\Windows\{6BA33254-F69A-4893-95E9-6A8EA70677F5}.exe

Filesize
408KB

MD5
054afe75df3f5bfb374d7ff4bb0aad40

SHA1
719fa168dfb3f0dd2ed6f390472077203730a22d

SHA256
5fe2e75c54f2bdef886134ec4cc2d5397ec904247b8edd475943d90c39b9cb35

SHA512
aa7e8d33c1a7713fcdc95be22f8fbf644299751d93976d41ca7c5c28099bfb77763b40592b0cab450b505f331fffbe6fdc9aaa9dcb1d64b98641dbf1412cd65a

Download Submit
C:\Windows\{908B266D-49D5-41be-9B2C-F394A113154F}.exe

Filesize
408KB

MD5
8252c1922662143d799a160ed95263a9

SHA1
9f195c195e406319533b988b148f1dbfdf00aad7

SHA256
f2fc478aaf3d2176e6c23193358631414a10ab0f2daebbe2b0d140e01b5138d0

SHA512
8a5f3dbdc98a5371b56495974f7afabc6bc048e8d80bf1e6823c9d5f4a2847a0622c27a9810a0a3dc04e16a7de10cb786eaeca226a6b2cd21b8314aad4ea116e

Download Submit
C:\Windows\{B4575E93-5644-4b5a-88FF-7AC989E6A43B}.exe

Filesize
408KB

MD5
5346e26e77930a326db4e3e5ad5c25aa

SHA1
b598f83348cdb87dc5716f34759716c29d844d65

SHA256
a2b75832e2a43b508439683382e7f6afcd3b88697e1d383b28b9b363ccbb45e3

SHA512
5c0039f6cecc0dcfc8ae051833aecd475a06f73ab27edeef54ca04ad54bba1a1d6cabfbee517ef430d2accba4b2068a1a70a346348d6485170c64f7360597240

Download Submit
C:\Windows\{BCD0EA89-BAFF-4d7c-B399-C09AD77864ED}.exe

Filesize
408KB

MD5
d9a8dbd586d7915f7a0bf24b6c303c10

SHA1
b84454a5e6cef696a785c8bf672fa1ce27722f4f

SHA256
4d841281f3ba78ce00327d6acfb2ad5b5d4055968b433a448928b29dc56647db

SHA512
659fcfcbc172e0d439794d48d35aea7f2db5041d8afa624a74b71b8c4a7075043d2263e0070e3bfef942c2838176adb5317b450cc27376310a1fc255faec74ae

Download Submit
C:\Windows\{D28600EB-A69B-406c-B117-642523D81F4B}.exe

Filesize
408KB

MD5
37d6268e6fd6a08e9d2365d0847223a5

SHA1
72bc690eda5de4f4a62cf896cc62b4cfc9a414bb

SHA256
3f25ad3e67bc0506620185adb2e95106695df42c748f2232352ed9f74156cdb0

SHA512
3c607a1b81491bfeaac6728115c1aeac125167e1fca88fcc917a85e84ac3e707c1205916d297dd125e724b1d5e88c4fc1f63220fcca7a2bc64fa092ed88258ab

Download Submit
C:\Windows\{F0181615-1116-4512-9AEC-A55F2BDC30CB}.exe

Filesize
408KB

MD5
e693a5bbd76fc00f1640f651d5cf5c71

SHA1
41876d242c040bbde2d2d540cf57d8dcd0977ffe

SHA256
de9d987aa5da3cda60e99d5e6975aaa0897dca79cd81c851200e66541ea1f9b7

SHA512
0a63377abbfcf90a3d70424f913b0b98f18d2b3946890077c451ad3fb351d54e5f4e799862fed1a46fcad90a47e35fca8e8c3195c75efeb33da596910516772e

Download Submit
C:\Windows\{F435FF99-C5D1-47c6-AE9E-F9EDD36A8313}.exe

Filesize
408KB

MD5
258fb2bbc57b76f6a481a3eab577a015

SHA1
e61a9ab6b8eaf32e48f9ebaafc3eb1c06d3f26a0

SHA256
33ac97f5f777aa418e7602ea09e45ea30d49df7a2a6e182efb8b95737bae5d30

SHA512
02ce4a9f0ce438d4b734a40db9ac39a76053518c58d591c77dc39a4b38529b0eab3a9cc68971668567e21c63eba6f17e16a6999782167d601e66a47a8690b7de

Download Submit
C:\Windows\{F8A64AFF-429A-4e94-BF36-BF2DBA9434E4}.exe

Filesize
408KB

MD5
43ce5a58f079a5bc36251669f803cc09

SHA1
282afb4eeafc78704ed388398e99463fbc776b9d

SHA256
8e4a6e30130a2c058cd47be34d7b6e3e0b2ccfb63c17f6e0a6f80ccd26c79aab

SHA512
bb4ba5eb6bb9518958226d6f7a384af09303d0830be7c6a268e773afe6c8227c752389efe8f68f8a70c55c38e0ba0d647da711178878d8f065fda3e47615c113

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads