2cd46ce3036e586734fe8440a5a97030a0c2722e78b2ef98085987061b16b4e3

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
Size

168KB
MD5

cfedb16492903c61a6c70d08e1fcfaa9
SHA1

3b02fe75e35590332b34ff62dbf0b3d65a1bd230
SHA256

2cd46ce3036e586734fe8440a5a97030a0c2722e78b2ef98085987061b16b4e3
SHA512

72db918a1042a216d9eed15254cca211a9de35c8c42210131e279838f1ba232cba3c96508d17b33d3ad66d8982e54ceaad612821b391dbed91bf325c25e57f0b
SSDEEP

1536:1EGh0o0lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023224-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023228-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023228-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b3f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021b40-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021b3f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63AE665D-11AC-444c-9026-E78CF4101474}\stubpath = "C:\\Windows\\{63AE665D-11AC-444c-9026-E78CF4101474}.exe"	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CDCAC57-FC87-4934-9E94-573022CD5E26}	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B54A4CE-4F23-4186-B57B-59095E8D2E07}	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}\stubpath = "C:\\Windows\\{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe"	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}\stubpath = "C:\\Windows\\{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe"	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}\stubpath = "C:\\Windows\\{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe"	{63AE665D-11AC-444c-9026-E78CF4101474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CDCAC57-FC87-4934-9E94-573022CD5E26}\stubpath = "C:\\Windows\\{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe"	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6614846-4BEF-4579-987C-190130CB54E5}	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6614846-4BEF-4579-987C-190130CB54E5}\stubpath = "C:\\Windows\\{C6614846-4BEF-4579-987C-190130CB54E5}.exe"	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37ABD88-74FE-4431-9180-75E4495590B1}	{C6614846-4BEF-4579-987C-190130CB54E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37ABD88-74FE-4431-9180-75E4495590B1}\stubpath = "C:\\Windows\\{A37ABD88-74FE-4431-9180-75E4495590B1}.exe"	{C6614846-4BEF-4579-987C-190130CB54E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63AE665D-11AC-444c-9026-E78CF4101474}	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8601576F-FDCC-47e6-BC34-AF29B592C717}	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}	{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}\stubpath = "C:\\Windows\\{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe"	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}\stubpath = "C:\\Windows\\{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe"	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B54A4CE-4F23-4186-B57B-59095E8D2E07}\stubpath = "C:\\Windows\\{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe"	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}	{63AE665D-11AC-444c-9026-E78CF4101474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8601576F-FDCC-47e6-BC34-AF29B592C717}\stubpath = "C:\\Windows\\{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe"	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}\stubpath = "C:\\Windows\\{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}.exe"	{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe
2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe
2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe
1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe
1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe
1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe
2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe
4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe
3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe
1864	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe
4448	{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe
1992	{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe
File created	C:\Windows\{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe
File created	C:\Windows\{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}.exe	{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe
File created	C:\Windows\{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe
File created	C:\Windows\{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe
File created	C:\Windows\{63AE665D-11AC-444c-9026-E78CF4101474}.exe	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe
File created	C:\Windows\{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe	{63AE665D-11AC-444c-9026-E78CF4101474}.exe
File created	C:\Windows\{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe
File created	C:\Windows\{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
File created	C:\Windows\{C6614846-4BEF-4579-987C-190130CB54E5}.exe	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe
File created	C:\Windows\{A37ABD88-74FE-4431-9180-75E4495590B1}.exe	{C6614846-4BEF-4579-987C-190130CB54E5}.exe
File created	C:\Windows\{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3504	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe
Token: SeIncBasePriorityPrivilege	2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe
Token: SeIncBasePriorityPrivilege	2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe
Token: SeIncBasePriorityPrivilege	1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe
Token: SeIncBasePriorityPrivilege	1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe
Token: SeIncBasePriorityPrivilege	1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe
Token: SeIncBasePriorityPrivilege	2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe
Token: SeIncBasePriorityPrivilege	4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe
Token: SeIncBasePriorityPrivilege	3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe
Token: SeIncBasePriorityPrivilege	1864	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe
Token: SeIncBasePriorityPrivilege	4448	{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 5040	3504	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	90
PID 3504 wrote to memory of 5040	3504	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	90
PID 3504 wrote to memory of 5040	3504	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	90
PID 3504 wrote to memory of 3792	3504	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	91
PID 3504 wrote to memory of 3792	3504	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	91
PID 3504 wrote to memory of 3792	3504	2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe	91
PID 5040 wrote to memory of 2904	5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe	92
PID 5040 wrote to memory of 2904	5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe	92
PID 5040 wrote to memory of 2904	5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe	92
PID 5040 wrote to memory of 4492	5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe	93
PID 5040 wrote to memory of 4492	5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe	93
PID 5040 wrote to memory of 4492	5040	{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe	93
PID 2904 wrote to memory of 2600	2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe	95
PID 2904 wrote to memory of 2600	2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe	95
PID 2904 wrote to memory of 2600	2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe	95
PID 2904 wrote to memory of 180	2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe	96
PID 2904 wrote to memory of 180	2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe	96
PID 2904 wrote to memory of 180	2904	{C6614846-4BEF-4579-987C-190130CB54E5}.exe	96
PID 2600 wrote to memory of 1016	2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe	97
PID 2600 wrote to memory of 1016	2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe	97
PID 2600 wrote to memory of 1016	2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe	97
PID 2600 wrote to memory of 456	2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe	98
PID 2600 wrote to memory of 456	2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe	98
PID 2600 wrote to memory of 456	2600	{A37ABD88-74FE-4431-9180-75E4495590B1}.exe	98
PID 1016 wrote to memory of 1652	1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe	99
PID 1016 wrote to memory of 1652	1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe	99
PID 1016 wrote to memory of 1652	1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe	99
PID 1016 wrote to memory of 4832	1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe	100
PID 1016 wrote to memory of 4832	1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe	100
PID 1016 wrote to memory of 4832	1016	{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe	100
PID 1652 wrote to memory of 1012	1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe	101
PID 1652 wrote to memory of 1012	1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe	101
PID 1652 wrote to memory of 1012	1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe	101
PID 1652 wrote to memory of 1412	1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe	102
PID 1652 wrote to memory of 1412	1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe	102
PID 1652 wrote to memory of 1412	1652	{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe	102
PID 1012 wrote to memory of 2604	1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe	103
PID 1012 wrote to memory of 2604	1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe	103
PID 1012 wrote to memory of 2604	1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe	103
PID 1012 wrote to memory of 2368	1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe	104
PID 1012 wrote to memory of 2368	1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe	104
PID 1012 wrote to memory of 2368	1012	{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe	104
PID 2604 wrote to memory of 4248	2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe	105
PID 2604 wrote to memory of 4248	2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe	105
PID 2604 wrote to memory of 4248	2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe	105
PID 2604 wrote to memory of 3272	2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe	106
PID 2604 wrote to memory of 3272	2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe	106
PID 2604 wrote to memory of 3272	2604	{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe	106
PID 4248 wrote to memory of 3716	4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe	107
PID 4248 wrote to memory of 3716	4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe	107
PID 4248 wrote to memory of 3716	4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe	107
PID 4248 wrote to memory of 2724	4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe	108
PID 4248 wrote to memory of 2724	4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe	108
PID 4248 wrote to memory of 2724	4248	{63AE665D-11AC-444c-9026-E78CF4101474}.exe	108
PID 3716 wrote to memory of 1864	3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe	109
PID 3716 wrote to memory of 1864	3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe	109
PID 3716 wrote to memory of 1864	3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe	109
PID 3716 wrote to memory of 4632	3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe	110
PID 3716 wrote to memory of 4632	3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe	110
PID 3716 wrote to memory of 4632	3716	{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe	110
PID 1864 wrote to memory of 4448	1864	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe	111
PID 1864 wrote to memory of 4448	1864	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe	111
PID 1864 wrote to memory of 4448	1864	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe	111
PID 1864 wrote to memory of 4976	1864	{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_cfedb16492903c61a6c70d08e1fcfaa9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe
  C:\Windows\{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\{C6614846-4BEF-4579-987C-190130CB54E5}.exe
    C:\Windows\{C6614846-4BEF-4579-987C-190130CB54E5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\{A37ABD88-74FE-4431-9180-75E4495590B1}.exe
      C:\Windows\{A37ABD88-74FE-4431-9180-75E4495590B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe
        
        C:\Windows\{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe
        
        C:\Windows\{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe
        
        C:\Windows\{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe
        
        C:\Windows\{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{63AE665D-11AC-444c-9026-E78CF4101474}.exe
        
        C:\Windows\{63AE665D-11AC-444c-9026-E78CF4101474}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe
        
        C:\Windows\{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe
        
        C:\Windows\{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe
        
        C:\Windows\{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}.exe
        
        C:\Windows\{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}.exe
        13⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86015~1.EXE > nul
        13⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CDCA~1.EXE > nul
        12⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1F84~1.EXE > nul
        11⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63AE6~1.EXE > nul
        10⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B54A~1.EXE > nul
        9⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A01~1.EXE > nul
        8⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E346~1.EXE > nul
        7⤵
        
        PID:1412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A053D~1.EXE > nul
        6⤵
        
        PID:4832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A37AB~1.EXE > nul
        5⤵
        
        PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C6614~1.EXE > nul
      4⤵
      PID:180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F585~1.EXE > nul
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E346217-8847-4850-BAB1-FF1DCFB0E9E0}.exe

Filesize
168KB

MD5
3f1e178ff48fc5364e1c211629e9a858

SHA1
4a00c20bc236e21124dd4ee824d27b604e17a0d0

SHA256
f1c27f24682897672898bd8600bfd62a6d3382ba7a7d3da8bd2f9b0d6d059806

SHA512
b3d7f25a8f8c38232d1eafe512cee3811a74fe2734888ded12457bb760fa8d299a7b3111e799925fb5781b2c852e1350480305e2f26dacfb0011fd6f56b55f72

Download Submit
C:\Windows\{3B54A4CE-4F23-4186-B57B-59095E8D2E07}.exe

Filesize
168KB

MD5
c402bab7ba85994013446bf6c1fcc927

SHA1
e66515d8653c825ad10b0032d024b00eed399cf6

SHA256
590c0091f3caeab14bf8fd3254115ae552f39d4ca6cd704bc5550b64d16c49ad

SHA512
88ded105d6a79b0c1c2a08babffc73cdabd2492459e2e0b613d82dc5f26d84bece797308fc80f0afbfc44b34a83f404615b758560cd9ac36ec0411c4417bd0c2

Download Submit
C:\Windows\{63AE665D-11AC-444c-9026-E78CF4101474}.exe

Filesize
168KB

MD5
c8a99cbd5c9c765ff41049365e3b105c

SHA1
df2a93c330c0db160fb6583e0a70d7e47ae63771

SHA256
9ea30d539461e95cfa9a309c98e644734c57c406ea2d5ca978acf4e4f971b1f8

SHA512
3997ac79faf7cdc664726fde252021c9ef423b3dd07a1c79a021a8e161aebad519b24c87dc118c712af47b62353eac326bf901e484626dfbcd8cb3df52e4623b

Download Submit
C:\Windows\{6CDCAC57-FC87-4934-9E94-573022CD5E26}.exe

Filesize
168KB

MD5
2fa285f1dde80c5ed84dfa6f42c217fa

SHA1
1792236a99d0385f1ddf777239347cf32c81213d

SHA256
0df145f1898db2e4f92c3885d0d56cd1eeb91867060b7948384ef8ae50938455

SHA512
427ef311fa70ab6739a5645739b2b637a18062f48e72ec22a5dbb706d4bfee6f1d4157671d53c619beddae0e252e4ad3d27fac21e6b85241f3516eb9a4a63fbf

Download Submit
C:\Windows\{8601576F-FDCC-47e6-BC34-AF29B592C717}.exe

Filesize
168KB

MD5
ec68dc653896a3ab39f9de141354392b

SHA1
62c28443c0f9aff5f57822881264e9368593306b

SHA256
a0b6a01c07fcd4d80f1e0a86f1462e2f00305075cebfc9cabc686e75f4258401

SHA512
f6c178a92accc4d6e017ce713a2a187070153c93eaf2c4a95ab48cea32e25446e20aa1ea236766febc9402877b7893d56cea5a1eecd1c6ef33dbc853cf591e24

Download Submit
C:\Windows\{8F585D7D-CFFF-4929-AFEB-8FBE29A2A407}.exe

Filesize
168KB

MD5
7daa6889a3f4bc68e463c698cd04a1f1

SHA1
16e40baf3ff77c7f530c0d2be879811614d5f5ca

SHA256
e16a1d6f9638f1c6b2f937bc164784f159a71ae32ec944a0ba61c5ca2959021d

SHA512
d2fb694c42731d1d3447a02d395420d894fdc7106fc2ab43be6ea09f1929e422a2d6fed9c9930cdfd2f24a9a0e7415d26c185a539a5f73882294a86f3c02b4ee

Download Submit
C:\Windows\{A053DED3-67D7-4f1a-BE5A-93F26DB1F0A3}.exe

Filesize
168KB

MD5
7565773f365c5a7972e7d940a76773ad

SHA1
78fbcce9f183a04d1d9a7362059252bba1f03fb3

SHA256
8df91a994d6e1f6860be40272d982668352d8d027e70bc8f7673893224f2e500

SHA512
68c08a1095bb403069c9e368bafbe06016ebf4961ffb63f6924908fb2f0e630a80fc4190a5d2a6e11bcea3777ee998476f1715c6c04a8b62ab7dd21e30ec3aa0

Download Submit
C:\Windows\{A1F84E29-BF84-410e-BD2B-8FF4B62AF22E}.exe

Filesize
168KB

MD5
d111234a9f1d683548d2049eeab24992

SHA1
66e57c7063c7fadfe14f2fea84373eef1d656c0b

SHA256
0f9b4e6139bb3afb07e618322ad79f7a13bf74dd068807f20b211b84b44c4a51

SHA512
4aee7e083e325c8d2a08395c2090b8db05799786c3c96e25d96959a3be7c86ac931841d12c13304c1db3d5bed6211dac0619204bb331fe12c168fefb08b6616d

Download Submit
C:\Windows\{A37ABD88-74FE-4431-9180-75E4495590B1}.exe

Filesize
168KB

MD5
b687bacef6a9551ea787d0f9415c7406

SHA1
b2f4151e29b4865571343bec9302841eae467eae

SHA256
c6407eeac1daa395e548102137053e7b3c615a9ab675d4a2ba292fac040e3dd9

SHA512
29a4ef6feb93462824eb2074d78c8916383f91ae270b5da69dc1f27e8aad01c5c0b131c1d8b395fa198679c6c7fdbe6f44aa64c21026499f60360297bcccb1aa

Download Submit
C:\Windows\{C2A0127A-D30C-4a77-8F7A-9C0B8011184F}.exe

Filesize
168KB

MD5
0a750ed6b3dc75f86fd85b9597df7295

SHA1
54f810d5ca2dd22190110829a9363d7a3799cfff

SHA256
09e609f72c5c28d1e048f5b90c9db593a046d1d6e965a9ec40f6d482e8304265

SHA512
f7e39a57ce00302d7dbc1cc8660c72bdd62ec213e8dab420b19da8849a8a053673e7aa57d5f752804d3564817e24697bbf67015b543520c307f4142ddafb37f4

Download Submit
C:\Windows\{C6614846-4BEF-4579-987C-190130CB54E5}.exe

Filesize
168KB

MD5
3e9e6852764df17d4b78bbe19b058bb5

SHA1
52f034554ae8ad9b326c480a77ad71279db8d1bf

SHA256
6cde7df1bfae74094fb9c91a4da3e005454986a6764ce8b23cab222cefe2995a

SHA512
746be03e2e57d37c45d2f1d8815563bbf35a9f46049a2cf5196a881be482c64ee2e1363c7a910fb06293b14eea850c312cce906571942e8fc652f7b825caad4c

Download Submit
C:\Windows\{CA23BBC5-1BB2-4f2e-996F-3CFEDAB7FC75}.exe

Filesize
168KB

MD5
334e6df7623f4333961684229c44bb4e

SHA1
5e1a57e342be00e0ba53a8b9257c6e23ec5b6354

SHA256
c8a693f1a5eb086f51704a99beff4e1d256ab0aa235ec6f6584a6a5a61595a37

SHA512
91ac95ee5dbd955281e3502300a3ed0ebc6444009cd0111142ec7dfe8dc0bc3ad68b001d5e2738aca1f1780b829b72a5120f2b40d6c3eef8da964e5bcb4cbb38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads