70bb857b6e3d60831bd34606658171ebad538312d00769961938f068daf87bfc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe
Size

168KB
MD5

8bbf9e4158f854a560171b4729b11545
SHA1

99f5fd9a8f54b42890fbdf076d9bfbea9dcca0ef
SHA256

70bb857b6e3d60831bd34606658171ebad538312d00769961938f068daf87bfc
SHA512

2451d2afa72f8021cb36cbf50980f26d725b94af594629068bd647a6cc6bd086ce2629d49592c96a198d498c556ad5fe2463306d667de04376d91e3f26c2b0a6
SSDEEP

1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023232-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023236-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002323d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023236-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b3f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b40-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021b3f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA42630C-3768-416d-9521-FEB4B7B134A4}	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{939D3BDC-669F-4b57-90C7-5481C8699022}	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}\stubpath = "C:\\Windows\\{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe"	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562E88AF-E78B-4d94-85F8-044A042DEDB2}	{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65521132-3C82-486d-A2BD-2DD7467C0A1C}\stubpath = "C:\\Windows\\{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe"	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65521132-3C82-486d-A2BD-2DD7467C0A1C}	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{939D3BDC-669F-4b57-90C7-5481C8699022}\stubpath = "C:\\Windows\\{939D3BDC-669F-4b57-90C7-5481C8699022}.exe"	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FD62B0E-8C92-42d6-9064-750866BC74C6}	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FD62B0E-8C92-42d6-9064-750866BC74C6}\stubpath = "C:\\Windows\\{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe"	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CF86B03-CE4C-492c-BD1C-6719424E4F85}\stubpath = "C:\\Windows\\{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe"	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562E88AF-E78B-4d94-85F8-044A042DEDB2}\stubpath = "C:\\Windows\\{562E88AF-E78B-4d94-85F8-044A042DEDB2}.exe"	{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}\stubpath = "C:\\Windows\\{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe"	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9DD5F58-7759-4386-AAC1-2380C4AC9512}	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CF86B03-CE4C-492c-BD1C-6719424E4F85}	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A246B3-B1F3-4fc7-9634-650DD73CCF39}	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94782CBC-5B25-4021-B43C-D28E9F1D88A0}\stubpath = "C:\\Windows\\{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe"	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA42630C-3768-416d-9521-FEB4B7B134A4}\stubpath = "C:\\Windows\\{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe"	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94782CBC-5B25-4021-B43C-D28E9F1D88A0}	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}\stubpath = "C:\\Windows\\{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe"	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A246B3-B1F3-4fc7-9634-650DD73CCF39}\stubpath = "C:\\Windows\\{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe"	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9DD5F58-7759-4386-AAC1-2380C4AC9512}\stubpath = "C:\\Windows\\{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe"	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe
1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe
1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe
4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe
1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe
3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe
3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe
3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe
3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe
2852	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe
2164	{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe
3608	{562E88AF-E78B-4d94-85F8-044A042DEDB2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe
File created	C:\Windows\{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe
File created	C:\Windows\{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe
File created	C:\Windows\{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe
File created	C:\Windows\{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe
File created	C:\Windows\{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe
File created	C:\Windows\{939D3BDC-669F-4b57-90C7-5481C8699022}.exe	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe
File created	C:\Windows\{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe
File created	C:\Windows\{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe
File created	C:\Windows\{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe
File created	C:\Windows\{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe
File created	C:\Windows\{562E88AF-E78B-4d94-85F8-044A042DEDB2}.exe	{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4864	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe
Token: SeIncBasePriorityPrivilege	1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe
Token: SeIncBasePriorityPrivilege	1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe
Token: SeIncBasePriorityPrivilege	4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe
Token: SeIncBasePriorityPrivilege	1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe
Token: SeIncBasePriorityPrivilege	3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe
Token: SeIncBasePriorityPrivilege	3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe
Token: SeIncBasePriorityPrivilege	3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe
Token: SeIncBasePriorityPrivilege	3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe
Token: SeIncBasePriorityPrivilege	2852	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe
Token: SeIncBasePriorityPrivilege	2164	{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3708	4864	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe	91
PID 4864 wrote to memory of 3708	4864	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe	91
PID 4864 wrote to memory of 3708	4864	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe	91
PID 4864 wrote to memory of 4196	4864	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe	92
PID 4864 wrote to memory of 4196	4864	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe	92
PID 4864 wrote to memory of 4196	4864	2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe	92
PID 3708 wrote to memory of 1752	3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe	93
PID 3708 wrote to memory of 1752	3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe	93
PID 3708 wrote to memory of 1752	3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe	93
PID 3708 wrote to memory of 5076	3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe	94
PID 3708 wrote to memory of 5076	3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe	94
PID 3708 wrote to memory of 5076	3708	{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe	94
PID 1752 wrote to memory of 1540	1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe	96
PID 1752 wrote to memory of 1540	1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe	96
PID 1752 wrote to memory of 1540	1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe	96
PID 1752 wrote to memory of 3648	1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe	97
PID 1752 wrote to memory of 3648	1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe	97
PID 1752 wrote to memory of 3648	1752	{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe	97
PID 1540 wrote to memory of 4412	1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe	98
PID 1540 wrote to memory of 4412	1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe	98
PID 1540 wrote to memory of 4412	1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe	98
PID 1540 wrote to memory of 2908	1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe	99
PID 1540 wrote to memory of 2908	1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe	99
PID 1540 wrote to memory of 2908	1540	{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe	99
PID 4412 wrote to memory of 1864	4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe	100
PID 4412 wrote to memory of 1864	4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe	100
PID 4412 wrote to memory of 1864	4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe	100
PID 4412 wrote to memory of 3752	4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe	101
PID 4412 wrote to memory of 3752	4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe	101
PID 4412 wrote to memory of 3752	4412	{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe	101
PID 1864 wrote to memory of 3892	1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe	102
PID 1864 wrote to memory of 3892	1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe	102
PID 1864 wrote to memory of 3892	1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe	102
PID 1864 wrote to memory of 3972	1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe	103
PID 1864 wrote to memory of 3972	1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe	103
PID 1864 wrote to memory of 3972	1864	{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe	103
PID 3892 wrote to memory of 3136	3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe	104
PID 3892 wrote to memory of 3136	3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe	104
PID 3892 wrote to memory of 3136	3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe	104
PID 3892 wrote to memory of 1408	3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe	105
PID 3892 wrote to memory of 1408	3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe	105
PID 3892 wrote to memory of 1408	3892	{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe	105
PID 3136 wrote to memory of 3160	3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe	106
PID 3136 wrote to memory of 3160	3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe	106
PID 3136 wrote to memory of 3160	3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe	106
PID 3136 wrote to memory of 3148	3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe	107
PID 3136 wrote to memory of 3148	3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe	107
PID 3136 wrote to memory of 3148	3136	{939D3BDC-669F-4b57-90C7-5481C8699022}.exe	107
PID 3160 wrote to memory of 3840	3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe	108
PID 3160 wrote to memory of 3840	3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe	108
PID 3160 wrote to memory of 3840	3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe	108
PID 3160 wrote to memory of 4620	3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe	109
PID 3160 wrote to memory of 4620	3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe	109
PID 3160 wrote to memory of 4620	3160	{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe	109
PID 3840 wrote to memory of 2852	3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe	110
PID 3840 wrote to memory of 2852	3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe	110
PID 3840 wrote to memory of 2852	3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe	110
PID 3840 wrote to memory of 2924	3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe	111
PID 3840 wrote to memory of 2924	3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe	111
PID 3840 wrote to memory of 2924	3840	{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe	111
PID 2852 wrote to memory of 2164	2852	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe	112
PID 2852 wrote to memory of 2164	2852	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe	112
PID 2852 wrote to memory of 2164	2852	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe	112
PID 2852 wrote to memory of 892	2852	{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_8bbf9e4158f854a560171b4729b11545_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe
  C:\Windows\{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe
    C:\Windows\{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe
      C:\Windows\{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe
        
        C:\Windows\{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Windows\{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe
        
        C:\Windows\{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe
        
        C:\Windows\{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\{939D3BDC-669F-4b57-90C7-5481C8699022}.exe
        
        C:\Windows\{939D3BDC-669F-4b57-90C7-5481C8699022}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe
        
        C:\Windows\{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe
        
        C:\Windows\{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe
        
        C:\Windows\{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe
        
        C:\Windows\{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\{562E88AF-E78B-4d94-85F8-044A042DEDB2}.exe
        
        C:\Windows\{562E88AF-E78B-4d94-85F8-044A042DEDB2}.exe
        13⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC0FA~1.EXE > nul
        13⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF86~1.EXE > nul
        12⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FB75~1.EXE > nul
        11⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FD62~1.EXE > nul
        10⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{939D3~1.EXE > nul
        9⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94782~1.EXE > nul
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA426~1.EXE > nul
        7⤵
        
        PID:3972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65521~1.EXE > nul
        6⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DD5~1.EXE > nul
        5⤵
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{445DB~1.EXE > nul
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{12A24~1.EXE > nul
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12A246B3-B1F3-4fc7-9634-650DD73CCF39}.exe

Filesize
168KB

MD5
4776bd315cdc94daa41dac1f6d6e6b51

SHA1
ec003e3088111ac7fb04a8c2047c84288e03e9c6

SHA256
c313bbcb60d321cb97a1f1f5cf29259f8c48e5226c348089d5e485c8770294ed

SHA512
f42c7104451d17b82948cd647c8f42117be219bf55563571ad53e0849758d7e3e2792bfdd356f57e6a72dd4236f917d533bec3bb33167f1ece44655c615060bc

Download Submit
C:\Windows\{1FB754BD-1CD0-4e26-B177-DA6947A7F43C}.exe

Filesize
168KB

MD5
80aa30c70a289ba2b21a1296be923e92

SHA1
b590ca4543e41ab6d6a4df585db2d0b7c9850092

SHA256
462c137a1eafb27a7be60724c6d5071ac3b40308ffed940a38aab606ac6dc9df

SHA512
51275cb60e804dc6e0912fafec9d8fd17f36903765f7eae6d95e0462eae6350cdb2e7789aa2a48be686e9918aa789fc6a0c01b25ddbfe6536822efb4d17534d4

Download Submit
C:\Windows\{1FD62B0E-8C92-42d6-9064-750866BC74C6}.exe

Filesize
168KB

MD5
be31c61e91b3cac271d79bf79770d67c

SHA1
a8e91623133e15cdc343b6dc208624d88f1b03ae

SHA256
e3bed3c6785ec36006428d0cdbc409c91eeff1e824518c8c35975e9bf97ca413

SHA512
470cfa6716bd2e3615ba0c68d45621ab68ba60341fa86b22010da6c038c65697e839083e55c6f7701dd6c7691e061d575629a0187a21008f97eb42240d6170eb

Download Submit
C:\Windows\{445DB2BC-1EEA-4dcc-93E4-073578BED6D4}.exe

Filesize
168KB

MD5
9abd2f7bc457249375a0746c01367cc2

SHA1
9101fc485472c02db165d5ea5dfbcef11bc1f421

SHA256
0b44ef14628d391947aaecf4c8df0b93ee566b4210d49046490fc0c0ca3fe396

SHA512
10425d9d13bd5f613c4b78aa6bb78abc11c1e7ab8d1da40b96a9ffca7cb75f65bdd1618280409f11c6de9373c69b33724a31b44090c34bdccf6b902a907b8bc7

Download Submit
C:\Windows\{562E88AF-E78B-4d94-85F8-044A042DEDB2}.exe

Filesize
168KB

MD5
bd331919b1216e089906f7544b96a317

SHA1
34b4f203e02fef5ccb3765d800aeb87770d91dd5

SHA256
5ecdfc223ec5d0d8321b33e5fe046864059cdcf2f4af08814bb1ccd8e02441b9

SHA512
f76389ca371545d9b582c4f23a645e75111c4f3ce98ad3b08cabe2b19488475330a688cf75ad000468f302ce4447b35c2f10332d34eee1e8d40c38bf8be979d0

Download Submit
C:\Windows\{65521132-3C82-486d-A2BD-2DD7467C0A1C}.exe

Filesize
168KB

MD5
8b268b3f019bbf70730653723a71f522

SHA1
2c9a683ef8dee25da364c7fbdc7a2f0568452331

SHA256
2c00e5b48ea737ca1fca7522556b987d0bb66283fb81de4f1ce28555bfade805

SHA512
31b9d9608693afff565cc281d51e5538d908a0d7d9958da74e0b35dcf575a183ca8d8de7446528a343e0d5534607134618f85f23ad55d9104d945f13b774b321

Download Submit
C:\Windows\{939D3BDC-669F-4b57-90C7-5481C8699022}.exe

Filesize
168KB

MD5
5fef41520e64e9a6fb0afa6cb60d8f46

SHA1
40887d28281a7759df552a1c571af3afc8b9bea7

SHA256
7337e920c3efc8dcc75dbc92012d658207b0e7268b94c85344c47d0cff3b6baf

SHA512
57aa5fac22869c51fdfb2f73215d3cf423958ee905940176bcdea56462bc81dafe4b3852fe4858f9523850faf78901b436526b3d8ca40a830a24f0441de8a706

Download Submit
C:\Windows\{94782CBC-5B25-4021-B43C-D28E9F1D88A0}.exe

Filesize
168KB

MD5
7a9a76187b03b0f2a7b1999f457e3add

SHA1
e81c80e2ee211b6c3f717528c2058da65a6e8b14

SHA256
7b2d0343753d129a2212b1c05f7d441070a5e66f55b00bb6f04eb242c239546d

SHA512
fb48cd0781b1473d776dc024aae2f97839445310ca722ecfb93b0f513b25481c9220a072348c15ab70e2ddffc8e6c229f9fc7b3dc8216fbbdf13d2eb97dda1b2

Download Submit
C:\Windows\{9CF86B03-CE4C-492c-BD1C-6719424E4F85}.exe

Filesize
168KB

MD5
062e791f20f659e480b0cc9ce5cf16f8

SHA1
39f20df228835b89f33cc888b1130e7d7bbffa90

SHA256
c00e14f07e03ca4fed1afd36db66ecdb21b9fa9b5bf30fda3dd15d650361f13d

SHA512
aa314da9743bda36c5633e945a2c41003187d3d7f4c93cd6270b8e9a748e24ee83490ad357e63d28a266b29e6f9be0bb96c7dadde5402b33bd17dfd2c7f46ec7

Download Submit
C:\Windows\{CC0FAB04-C918-4e36-A41D-45CD3A5E66FE}.exe

Filesize
168KB

MD5
a2a54f45ca83693848b5e73e34071353

SHA1
3954c9a09c40970f23d67731b283b1f5c2f69f4e

SHA256
86d85be99026648ad1e0a2c4b2bd084c3047507827cd84c7f066325acd06f56d

SHA512
cbcb4c15c662477da814ec51cda657cb3f42fae3aac9948b9a843fbf3234bf8e0eab0b792686e02d9b0dde7c9e6c32f1fbfdb5cbcca914622fc9931f21177674

Download Submit
C:\Windows\{D9DD5F58-7759-4386-AAC1-2380C4AC9512}.exe

Filesize
168KB

MD5
b8442df4e0361a64ddd91ef6d92bb47c

SHA1
db310f8f33cea0d4e0fdf6b38192222cb4c21d31

SHA256
6f4129d15668f4e1673d4905573e650c6ca5620bd8f7d8009eeb78b273ebf20d

SHA512
2183fd48c5af8298f80d11766dbe559383255ce57c7b5d18f80129fa929672ce27dcb2bd14aae9fa62380fdccb4a019e0c99f235cb150233b72a3aa2512be226

Download Submit
C:\Windows\{DA42630C-3768-416d-9521-FEB4B7B134A4}.exe

Filesize
168KB

MD5
96e7b69ebbdb22114c64ea836d50adba

SHA1
17a937b402c6f582be5329614081ed39aa573330

SHA256
aafdbb8b5383d0ec00e14d01cf27faef026c15744f660b27859e2b28973aca96

SHA512
b1b6a3159e8c621ff3a925903e05ed245245d18e53d6fe93d37738c2767b541ed56ed7acca58bad2dbe715e6f8226479782230e32dd9c9371f1722f081455d27

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads