a1688dbf25d82a32fd692f30d1f4e5011ca86a52a332e8c8e7fb44194f0c5e26

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Size

197KB
MD5

1b126990d9ab5c8b10b215f564fcbc97
SHA1

93043cef76b1e1e04586a1e37602bcf896292f57
SHA256

a1688dbf25d82a32fd692f30d1f4e5011ca86a52a332e8c8e7fb44194f0c5e26
SHA512

7f461512982e0fa1d79cfe5dd73437a657590f0ff975a48497001ebfdabd5663457b7013b1067184e32f5222712913a2e43da121b507934b5b55e7a7eb53f347
SSDEEP

3072:jEGh0oMl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGmlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ea-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231dd-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f1-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000231dd-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d42-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}\stubpath = "C:\\Windows\\{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe"	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB16B071-730A-4f09-BA0F-5BF1AB37E120}	{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43FF3646-3E64-4628-AE29-9F36A9639997}\stubpath = "C:\\Windows\\{43FF3646-3E64-4628-AE29-9F36A9639997}.exe"	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E188B06B-A182-4b31-8190-231D2066583B}\stubpath = "C:\\Windows\\{E188B06B-A182-4b31-8190-231D2066583B}.exe"	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}\stubpath = "C:\\Windows\\{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe"	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43FF3646-3E64-4628-AE29-9F36A9639997}	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}\stubpath = "C:\\Windows\\{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe"	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{963FFBEB-1D07-4892-8EAC-16F5C4F31581}	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{963FFBEB-1D07-4892-8EAC-16F5C4F31581}\stubpath = "C:\\Windows\\{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe"	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}\stubpath = "C:\\Windows\\{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe"	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1BABFFE-0284-4a26-AB19-CBE77796B189}	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1BABFFE-0284-4a26-AB19-CBE77796B189}\stubpath = "C:\\Windows\\{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe"	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3531E3F5-D8DF-45f3-9872-35B5D1C01405}	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3531E3F5-D8DF-45f3-9872-35B5D1C01405}\stubpath = "C:\\Windows\\{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe"	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A534062-D58B-46c3-B7C2-8740CAD48073}\stubpath = "C:\\Windows\\{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe"	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB16B071-730A-4f09-BA0F-5BF1AB37E120}\stubpath = "C:\\Windows\\{BB16B071-730A-4f09-BA0F-5BF1AB37E120}.exe"	{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E188B06B-A182-4b31-8190-231D2066583B}	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8213F75D-CE17-4276-9E48-BACE4F80F0A3}	{E188B06B-A182-4b31-8190-231D2066583B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8213F75D-CE17-4276-9E48-BACE4F80F0A3}\stubpath = "C:\\Windows\\{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe"	{E188B06B-A182-4b31-8190-231D2066583B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A534062-D58B-46c3-B7C2-8740CAD48073}	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe
2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe
4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe
2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe
2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe
3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe
1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe
5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe
4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe
4040	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe
3028	{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe
1932	{BB16B071-730A-4f09-BA0F-5BF1AB37E120}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe
File created	C:\Windows\{E188B06B-A182-4b31-8190-231D2066583B}.exe	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe
File created	C:\Windows\{43FF3646-3E64-4628-AE29-9F36A9639997}.exe	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe
File created	C:\Windows\{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe
File created	C:\Windows\{BB16B071-730A-4f09-BA0F-5BF1AB37E120}.exe	{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe
File created	C:\Windows\{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
File created	C:\Windows\{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe	{E188B06B-A182-4b31-8190-231D2066583B}.exe
File created	C:\Windows\{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe
File created	C:\Windows\{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe
File created	C:\Windows\{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe
File created	C:\Windows\{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe
File created	C:\Windows\{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4924	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe
Token: SeIncBasePriorityPrivilege	2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe
Token: SeIncBasePriorityPrivilege	4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe
Token: SeIncBasePriorityPrivilege	2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe
Token: SeIncBasePriorityPrivilege	2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe
Token: SeIncBasePriorityPrivilege	3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe
Token: SeIncBasePriorityPrivilege	1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe
Token: SeIncBasePriorityPrivilege	5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe
Token: SeIncBasePriorityPrivilege	4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe
Token: SeIncBasePriorityPrivilege	4040	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe
Token: SeIncBasePriorityPrivilege	3028	{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1196	4924	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	91
PID 4924 wrote to memory of 1196	4924	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	91
PID 4924 wrote to memory of 1196	4924	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	91
PID 4924 wrote to memory of 680	4924	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	92
PID 4924 wrote to memory of 680	4924	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	92
PID 4924 wrote to memory of 680	4924	2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe	92
PID 1196 wrote to memory of 2316	1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe	93
PID 1196 wrote to memory of 2316	1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe	93
PID 1196 wrote to memory of 2316	1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe	93
PID 1196 wrote to memory of 2796	1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe	94
PID 1196 wrote to memory of 2796	1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe	94
PID 1196 wrote to memory of 2796	1196	{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe	94
PID 2316 wrote to memory of 4224	2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe	96
PID 2316 wrote to memory of 4224	2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe	96
PID 2316 wrote to memory of 4224	2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe	96
PID 2316 wrote to memory of 5108	2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe	97
PID 2316 wrote to memory of 5108	2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe	97
PID 2316 wrote to memory of 5108	2316	{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe	97
PID 4224 wrote to memory of 2800	4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe	98
PID 4224 wrote to memory of 2800	4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe	98
PID 4224 wrote to memory of 2800	4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe	98
PID 4224 wrote to memory of 1144	4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe	99
PID 4224 wrote to memory of 1144	4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe	99
PID 4224 wrote to memory of 1144	4224	{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe	99
PID 2800 wrote to memory of 2592	2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe	100
PID 2800 wrote to memory of 2592	2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe	100
PID 2800 wrote to memory of 2592	2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe	100
PID 2800 wrote to memory of 3552	2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe	101
PID 2800 wrote to memory of 3552	2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe	101
PID 2800 wrote to memory of 3552	2800	{E188B06B-A182-4b31-8190-231D2066583B}.exe	101
PID 2592 wrote to memory of 3100	2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe	102
PID 2592 wrote to memory of 3100	2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe	102
PID 2592 wrote to memory of 3100	2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe	102
PID 2592 wrote to memory of 3988	2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe	103
PID 2592 wrote to memory of 3988	2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe	103
PID 2592 wrote to memory of 3988	2592	{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe	103
PID 3100 wrote to memory of 1976	3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe	104
PID 3100 wrote to memory of 1976	3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe	104
PID 3100 wrote to memory of 1976	3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe	104
PID 3100 wrote to memory of 2304	3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe	105
PID 3100 wrote to memory of 2304	3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe	105
PID 3100 wrote to memory of 2304	3100	{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe	105
PID 1976 wrote to memory of 5036	1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe	106
PID 1976 wrote to memory of 5036	1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe	106
PID 1976 wrote to memory of 5036	1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe	106
PID 1976 wrote to memory of 2660	1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe	107
PID 1976 wrote to memory of 2660	1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe	107
PID 1976 wrote to memory of 2660	1976	{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe	107
PID 5036 wrote to memory of 4192	5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe	108
PID 5036 wrote to memory of 4192	5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe	108
PID 5036 wrote to memory of 4192	5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe	108
PID 5036 wrote to memory of 1896	5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe	109
PID 5036 wrote to memory of 1896	5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe	109
PID 5036 wrote to memory of 1896	5036	{43FF3646-3E64-4628-AE29-9F36A9639997}.exe	109
PID 4192 wrote to memory of 4040	4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe	110
PID 4192 wrote to memory of 4040	4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe	110
PID 4192 wrote to memory of 4040	4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe	110
PID 4192 wrote to memory of 896	4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe	111
PID 4192 wrote to memory of 896	4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe	111
PID 4192 wrote to memory of 896	4192	{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe	111
PID 4040 wrote to memory of 3028	4040	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe	112
PID 4040 wrote to memory of 3028	4040	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe	112
PID 4040 wrote to memory of 3028	4040	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe	112
PID 4040 wrote to memory of 2912	4040	{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_1b126990d9ab5c8b10b215f564fcbc97_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe
  C:\Windows\{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe
    C:\Windows\{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe
      C:\Windows\{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\{E188B06B-A182-4b31-8190-231D2066583B}.exe
        
        C:\Windows\{E188B06B-A182-4b31-8190-231D2066583B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe
        
        C:\Windows\{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe
        
        C:\Windows\{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe
        
        C:\Windows\{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{43FF3646-3E64-4628-AE29-9F36A9639997}.exe
        
        C:\Windows\{43FF3646-3E64-4628-AE29-9F36A9639997}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe
        
        C:\Windows\{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe
        
        C:\Windows\{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe
        
        C:\Windows\{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{BB16B071-730A-4f09-BA0F-5BF1AB37E120}.exe
        
        C:\Windows\{BB16B071-730A-4f09-BA0F-5BF1AB37E120}.exe
        13⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3531E~1.EXE > nul
        13⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A534~1.EXE > nul
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78E9A~1.EXE > nul
        11⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43FF3~1.EXE > nul
        10⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F85F~1.EXE > nul
        9⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{963FF~1.EXE > nul
        8⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8213F~1.EXE > nul
        7⤵
        
        PID:3988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E188B~1.EXE > nul
        6⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE08~1.EXE > nul
        5⤵
        
        PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1BAB~1.EXE > nul
      4⤵
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E4E~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DE083E9-3D5D-4069-90B9-30EF3F42EED4}.exe

Filesize
197KB

MD5
429bbbfef97cf77e8b8ffa0347aef556

SHA1
031ea9fa3e6cfd74e3b7aeeed71de973f57b71db

SHA256
f7e8c0313c92248d6d2dff3f40835c719574a7da590eb7d90414f2bb2081df15

SHA512
f7305bcc0a05df210f32b22c7f21b79e4d4b33938cd306cde403e8aa22b32be8d5e8e1d91e71c937a3d031181106948c72bd583bb46191bbe17c82f4de40b57c

Download Submit
C:\Windows\{3531E3F5-D8DF-45f3-9872-35B5D1C01405}.exe

Filesize
197KB

MD5
53b5fd3bc3e9589f136befefbabcb872

SHA1
072a1671222b7e06af84b143b8a7992c6f45bcf6

SHA256
dd27ddea1025ec172cf426c41a6e6686bada0ebaa38a9bbcee5df70426dbf86d

SHA512
52388a7d5b9875c72e217995721e46308bafe00ec33c1de3072f483a508253dbc90e921b9b0ba8b6a48cb52c6b4e1efaaa49cb0e0101698edcc1ec2e56abf15a

Download Submit
C:\Windows\{43FF3646-3E64-4628-AE29-9F36A9639997}.exe

Filesize
197KB

MD5
2997d85fe8ebdb6ec78419f4928572ec

SHA1
9a9fb8cfd7e3bf79bdc2cf4c8139489ec87ac548

SHA256
0e7e313f9e0f6d7366b3878dc4f34ff2a6989e99c9588762b3bd1983cf20156b

SHA512
299102adfabddcf94c3fcdda8953dbd35a8b82fd62e2f8a8b53ec159498f1a093b9879b6081e6cd1f88c2b86a3d7693af93aae2ce79f24138eea0ae48da9e0ae

Download Submit
C:\Windows\{4A534062-D58B-46c3-B7C2-8740CAD48073}.exe

Filesize
197KB

MD5
da8457bac2e297cc03349a24bb3ba805

SHA1
294cc441a95c9500a2cd9ec674c87f29fb9ffa66

SHA256
41a34214793c46544b9d7034859ff785418c9d44319da283291857b18f48c602

SHA512
a901dadf9ff77ee723e291d461e37b42842a50711017705ccd1bcff503bfc8648d4993aa375adf7b1b052dbc747dd143c7b0494a40039cada3ef5dab396ca72b

Download Submit
C:\Windows\{6F85FDCA-65B1-4040-90A3-0D87F2FB7BB8}.exe

Filesize
197KB

MD5
b4aa7b2a3eb28a3a65bd4e241040fe58

SHA1
70bb2b3d1c1a9dc5dd4297550e74420bc489bbcc

SHA256
214a8d39b3d3e120aaa96cfb797b4863a082c364477bea92408a0b55a38d61ec

SHA512
dab6d1186bfa5ede124a332349adf3c653b565c3b05398042d1ec3eadf1fb371eb6097505390f31956c45937a2350501fb8b86ee3e29871f5d5d3b78a5ccf772

Download Submit
C:\Windows\{78E9A5D2-E678-4880-88A9-7BC50BACFAEE}.exe

Filesize
197KB

MD5
d3778e440f9e38cd130d6d7a1d9009d5

SHA1
65884d4bb643bd321465fa20b3b15bea76543ee1

SHA256
93070fd828997ecff61188298ee91851f63bd09745dac129c50f460c718d0549

SHA512
02e89da10de27f82b543cd8133022fdb36dc7c3e604cbe1ed09b58c054719c41a9e8490c42fb427aaba55c60f6ae9dd2b9b3c5e705d436b53c39c8f0978d95a9

Download Submit
C:\Windows\{8213F75D-CE17-4276-9E48-BACE4F80F0A3}.exe

Filesize
197KB

MD5
c60257c9d84d675434af19fff39a3acd

SHA1
c40349b9a570b13683134a0f8427aa6bf418eb6c

SHA256
c5dbac36836d256a1a077ac4c7047041eb7e536606aa1a1fbbdbfb02457330b0

SHA512
82c8dfeb3a06eb421c5c9c2180b63f188f8b5127c9a5f42a58e73824b1a6c2152373e72ee34eadd8d608199f4baefa22af900447a6f2ad62288b02028f136224

Download Submit
C:\Windows\{963FFBEB-1D07-4892-8EAC-16F5C4F31581}.exe

Filesize
197KB

MD5
3daabdb66ae01d65fbbef19a192093c2

SHA1
563a5eed08f80b2689fa814fc16e331f42871102

SHA256
478f72641e197cb2137cad2fbaef9c9495602da9abe4fa68436431bfe5ecd3c6

SHA512
dda55c26bba72dccc9cfd146f10ae7d306d72690e7001140e68644d74a333d684856c4e127dafe20126a24e6a2336c5a50a3e678ef343c766508912661b52a85

Download Submit
C:\Windows\{A1BABFFE-0284-4a26-AB19-CBE77796B189}.exe

Filesize
197KB

MD5
23dede2586b7abe9ee2336faeeddfde6

SHA1
0b00d711a8ef63c450f59976cdad6ba2a7edb9cb

SHA256
4fd7028ce8edff0fa502d98876025d2470325f19560ecebac9fe34465b367d2a

SHA512
ecc0198e09b563f322600ebd9214a04cbd4f80fcad04384d31b4b61350a0809836eeae88d5611ae1882abe11f652690c52b920fe733f240bdd1ecfd7764ee300

Download Submit
C:\Windows\{BB16B071-730A-4f09-BA0F-5BF1AB37E120}.exe

Filesize
197KB

MD5
5b07a042db2384ba9fe7d0cbedc7a904

SHA1
66524d75b08c091e0be216b9360ded1789fc7fa8

SHA256
e9d121eec62a89f4b131b522406b452528e49c2427cfd8cb71fa34682ab8e5aa

SHA512
0cd6a0010852695885edb2ea3bd9e1de85595b084a77cd01655add325dbd842356bea3ef7795ab41636471343ebcc210777ad8cd697e39b27c7cbe6c55885746

Download Submit
C:\Windows\{C6E4EDD3-8672-471d-9AEC-7B6BBDE399B5}.exe

Filesize
197KB

MD5
d8abde7e1b64cccd8610ae5e3e686c25

SHA1
66dc6502dd1afee7d1e09b0933c5de12d1582145

SHA256
0d99fb1681cb1ec6a57e16e4c7a0aec9e0db16bd5cb13498d7b9b1720eaf3984

SHA512
be15eef960e9ff01a41bb03e2a284e3d5e59717398efdada4b92072253161d9efcf790386691bc9f869f18011108f16c533f2fe860d2d121fcb4b0af75a70c0b

Download Submit
C:\Windows\{E188B06B-A182-4b31-8190-231D2066583B}.exe

Filesize
197KB

MD5
e5e39a7315c260d1a4752aa9b619bbc5

SHA1
b4e3a8a992a51c505d7886fd9d11cbb69019c9fb

SHA256
2c91ee41cc6172252af3c5c285bcb1a135e6d67de16866b84ad460038155a559

SHA512
c19eca4dd3402e55fb8ac2dac2023ffba3c386974f7ab517052195fd786cfca6aeafc8c71387e3d8d590b0f3e3fbb1578392255a0dd667db91eb0be1bafe2992

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads