f534fe785b47fa843c6c50c680d83ab28d85982e288c1e30b8f1dc7bff005fd5

Analysis

max time kernel
149s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe
Size

204KB
MD5

98fa977233480748a38de44c390c8b06
SHA1

534116220e9b066fbeb9e72af7006af8609937e2
SHA256

f534fe785b47fa843c6c50c680d83ab28d85982e288c1e30b8f1dc7bff005fd5
SHA512

ebe813485bef9a3ca00d1d13aef3fdfb806b2af9b6b751a12e1ef2c9c3625533a4f57d7c6af9e237b030552bde0a620c839e4f52b89b9a016a6079e818944c69
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oll1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023404-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fe-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023347-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023347-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340c-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023347-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340c-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023347-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023409-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023347-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0058FFE-AF73-4441-9377-139964ED8AAE}	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B4D4463-2480-4a89-8ED6-A06BD151C079}	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01000E68-7835-4f54-A045-B88DC1BCCC47}	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{647C3478-F106-49f3-9A79-8C2CF9D4FD13}\stubpath = "C:\\Windows\\{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe"	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF76088-23FC-459c-B906-83D442D028CE}	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786E1847-D671-4cf8-94CE-72ACC17ADAEE}	{BCF76088-23FC-459c-B906-83D442D028CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}\stubpath = "C:\\Windows\\{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe"	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C367456E-D148-4b19-8319-1DCFA6964605}	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B940FC-8F27-4970-B832-ACA5DE24DE61}	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B940FC-8F27-4970-B832-ACA5DE24DE61}\stubpath = "C:\\Windows\\{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe"	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C367456E-D148-4b19-8319-1DCFA6964605}\stubpath = "C:\\Windows\\{C367456E-D148-4b19-8319-1DCFA6964605}.exe"	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{647C3478-F106-49f3-9A79-8C2CF9D4FD13}	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786E1847-D671-4cf8-94CE-72ACC17ADAEE}\stubpath = "C:\\Windows\\{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe"	{BCF76088-23FC-459c-B906-83D442D028CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB86A4F-07CC-463a-9450-DC0C376DC348}\stubpath = "C:\\Windows\\{0FB86A4F-07CC-463a-9450-DC0C376DC348}.exe"	{C367456E-D148-4b19-8319-1DCFA6964605}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}\stubpath = "C:\\Windows\\{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe"	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0058FFE-AF73-4441-9377-139964ED8AAE}\stubpath = "C:\\Windows\\{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe"	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B4D4463-2480-4a89-8ED6-A06BD151C079}\stubpath = "C:\\Windows\\{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe"	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01000E68-7835-4f54-A045-B88DC1BCCC47}\stubpath = "C:\\Windows\\{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe"	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF76088-23FC-459c-B906-83D442D028CE}\stubpath = "C:\\Windows\\{BCF76088-23FC-459c-B906-83D442D028CE}.exe"	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}\stubpath = "C:\\Windows\\{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe"	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB86A4F-07CC-463a-9450-DC0C376DC348}	{C367456E-D148-4b19-8319-1DCFA6964605}.exe

Executes dropped EXE 12 IoCs

pid	Process
1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe
4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe
4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe
3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe
4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe
3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe
5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe
1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe
3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe
1816	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe
3260	{C367456E-D148-4b19-8319-1DCFA6964605}.exe
3716	{0FB86A4F-07CC-463a-9450-DC0C376DC348}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C367456E-D148-4b19-8319-1DCFA6964605}.exe	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe
File created	C:\Windows\{0FB86A4F-07CC-463a-9450-DC0C376DC348}.exe	{C367456E-D148-4b19-8319-1DCFA6964605}.exe
File created	C:\Windows\{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe
File created	C:\Windows\{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe
File created	C:\Windows\{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe
File created	C:\Windows\{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe	{BCF76088-23FC-459c-B906-83D442D028CE}.exe
File created	C:\Windows\{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe
File created	C:\Windows\{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe
File created	C:\Windows\{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe
File created	C:\Windows\{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe
File created	C:\Windows\{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe
File created	C:\Windows\{BCF76088-23FC-459c-B906-83D442D028CE}.exe	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3260	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe
Token: SeIncBasePriorityPrivilege	4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe
Token: SeIncBasePriorityPrivilege	4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe
Token: SeIncBasePriorityPrivilege	3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe
Token: SeIncBasePriorityPrivilege	4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe
Token: SeIncBasePriorityPrivilege	3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe
Token: SeIncBasePriorityPrivilege	5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe
Token: SeIncBasePriorityPrivilege	1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe
Token: SeIncBasePriorityPrivilege	3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe
Token: SeIncBasePriorityPrivilege	1816	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe
Token: SeIncBasePriorityPrivilege	3260	{C367456E-D148-4b19-8319-1DCFA6964605}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1680	3260	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe	90
PID 3260 wrote to memory of 1680	3260	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe	90
PID 3260 wrote to memory of 1680	3260	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe	90
PID 3260 wrote to memory of 3732	3260	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe	91
PID 3260 wrote to memory of 3732	3260	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe	91
PID 3260 wrote to memory of 3732	3260	2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe	91
PID 1680 wrote to memory of 4128	1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe	92
PID 1680 wrote to memory of 4128	1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe	92
PID 1680 wrote to memory of 4128	1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe	92
PID 1680 wrote to memory of 2640	1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe	93
PID 1680 wrote to memory of 2640	1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe	93
PID 1680 wrote to memory of 2640	1680	{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe	93
PID 4128 wrote to memory of 4332	4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe	96
PID 4128 wrote to memory of 4332	4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe	96
PID 4128 wrote to memory of 4332	4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe	96
PID 4128 wrote to memory of 4972	4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe	97
PID 4128 wrote to memory of 4972	4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe	97
PID 4128 wrote to memory of 4972	4128	{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe	97
PID 4332 wrote to memory of 3932	4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe	99
PID 4332 wrote to memory of 3932	4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe	99
PID 4332 wrote to memory of 3932	4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe	99
PID 4332 wrote to memory of 4712	4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe	100
PID 4332 wrote to memory of 4712	4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe	100
PID 4332 wrote to memory of 4712	4332	{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe	100
PID 3932 wrote to memory of 4536	3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe	101
PID 3932 wrote to memory of 4536	3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe	101
PID 3932 wrote to memory of 4536	3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe	101
PID 3932 wrote to memory of 1020	3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe	102
PID 3932 wrote to memory of 1020	3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe	102
PID 3932 wrote to memory of 1020	3932	{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe	102
PID 4536 wrote to memory of 3612	4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe	103
PID 4536 wrote to memory of 3612	4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe	103
PID 4536 wrote to memory of 3612	4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe	103
PID 4536 wrote to memory of 4468	4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe	104
PID 4536 wrote to memory of 4468	4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe	104
PID 4536 wrote to memory of 4468	4536	{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe	104
PID 3612 wrote to memory of 5084	3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe	105
PID 3612 wrote to memory of 5084	3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe	105
PID 3612 wrote to memory of 5084	3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe	105
PID 3612 wrote to memory of 1620	3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe	106
PID 3612 wrote to memory of 1620	3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe	106
PID 3612 wrote to memory of 1620	3612	{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe	106
PID 5084 wrote to memory of 1716	5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe	107
PID 5084 wrote to memory of 1716	5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe	107
PID 5084 wrote to memory of 1716	5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe	107
PID 5084 wrote to memory of 4796	5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe	108
PID 5084 wrote to memory of 4796	5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe	108
PID 5084 wrote to memory of 4796	5084	{BCF76088-23FC-459c-B906-83D442D028CE}.exe	108
PID 1716 wrote to memory of 3536	1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe	109
PID 1716 wrote to memory of 3536	1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe	109
PID 1716 wrote to memory of 3536	1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe	109
PID 1716 wrote to memory of 3412	1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe	110
PID 1716 wrote to memory of 3412	1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe	110
PID 1716 wrote to memory of 3412	1716	{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe	110
PID 3536 wrote to memory of 1816	3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe	111
PID 3536 wrote to memory of 1816	3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe	111
PID 3536 wrote to memory of 1816	3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe	111
PID 3536 wrote to memory of 4800	3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe	112
PID 3536 wrote to memory of 4800	3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe	112
PID 3536 wrote to memory of 4800	3536	{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe	112
PID 1816 wrote to memory of 3260	1816	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe	113
PID 1816 wrote to memory of 3260	1816	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe	113
PID 1816 wrote to memory of 3260	1816	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe	113
PID 1816 wrote to memory of 4744	1816	{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_98fa977233480748a38de44c390c8b06_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe
  C:\Windows\{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe
    C:\Windows\{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe
      C:\Windows\{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe
        
        C:\Windows\{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe
        
        C:\Windows\{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe
        
        C:\Windows\{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{BCF76088-23FC-459c-B906-83D442D028CE}.exe
        
        C:\Windows\{BCF76088-23FC-459c-B906-83D442D028CE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe
        
        C:\Windows\{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe
        
        C:\Windows\{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe
        
        C:\Windows\{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{C367456E-D148-4b19-8319-1DCFA6964605}.exe
        
        C:\Windows\{C367456E-D148-4b19-8319-1DCFA6964605}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
        
        C:\Windows\{0FB86A4F-07CC-463a-9450-DC0C376DC348}.exe
        
        C:\Windows\{0FB86A4F-07CC-463a-9450-DC0C376DC348}.exe
        13⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3674~1.EXE > nul
        13⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DB45~1.EXE > nul
        12⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ACC0~1.EXE > nul
        11⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{786E1~1.EXE > nul
        10⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF76~1.EXE > nul
        9⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{647C3~1.EXE > nul
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01000~1.EXE > nul
        7⤵
        
        PID:4468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B4D4~1.EXE > nul
        6⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B94~1.EXE > nul
        5⤵
        
        PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0058~1.EXE > nul
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF469~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01000E68-7835-4f54-A045-B88DC1BCCC47}.exe

Filesize
204KB

MD5
32c2b52bfde395b22cd0f817e20d3226

SHA1
8754770ae2f64401e409ee61f5ab2d6158605ff8

SHA256
c3a224a1b65af5bbedd7dcdeb295cdf2751835280335ec816d25279d9d4c4aaa

SHA512
68b892751a90d517795b0e9eeb57ff6bb1e0a0375fea268250275bbfc192e3bc822b4446b865f19a0d2ab36b908c1a8c5a0856ce42f9d179372613f07d95df81

Download Submit
C:\Windows\{0ACC0FCA-88CF-442b-9190-242D0B8F4F6A}.exe

Filesize
204KB

MD5
508ccbc12176a5f92393a33ed40458b0

SHA1
a1fdf49e69b053dcce7d358e47f34989e704310a

SHA256
aee78725d7d8e857e3ce5a74f160219319eff18dc865def3177fb5bc29b1e989

SHA512
5297533fa24e9a55644524bd8262b6d2c3967fea162cbe49f9077a34218650302e421f7258220054c8eb042580478b80d315af4dc1e0248bfef91e47bc5d13fc

Download Submit
C:\Windows\{0FB86A4F-07CC-463a-9450-DC0C376DC348}.exe

Filesize
204KB

MD5
4a2523011a4b8d834d0d3a053dd0e1e3

SHA1
ab46da9b71a803a57e5e6186a650352c42869427

SHA256
6a6f04917513ecd333e61a02626d94de16f2e47568ed60cf0cedbd578865b130

SHA512
87cf2bf3118341f560912b949450eaa0be42e3781a2a5fb6299f6b86b055829a65c50ea62a2ee14b659bfa66600adb8573493e0f1f77f3807ca5cada934de7e2

Download Submit
C:\Windows\{3DB451D5-B98E-4aa7-86FD-AFDDDA04CA78}.exe

Filesize
204KB

MD5
7f7f44a51adf189ec418bf1dcc6dda23

SHA1
ff9fa9813d8344ba89be3d87e9f4e7518fde9049

SHA256
632f712032375f6ec67aab58babadeeb143fad6f09c44e00e5406c6a512e11fe

SHA512
b80e513ae798e830ff636a2c47f73fc10e31667ad399d70407ccce82bd18db50ba278322650fc2e41494160dbf05a3b5ded08fd6a49885086c0c610d6e7caf18

Download Submit
C:\Windows\{647C3478-F106-49f3-9A79-8C2CF9D4FD13}.exe

Filesize
204KB

MD5
1c911fa2bb6cd3d22f11617f7c1307d7

SHA1
f6bfe2ab50e8d636feff386a4cd0a4bbe084ff2c

SHA256
0676aa67f4b6c14a914f833c661653999ab02fa20677d2e81a37d5d8d939c2d8

SHA512
0a02414497d71af4592dc3ce407b3c565a36bde7161f6d33ddf28341806ed936a30a6b7c126d0c3cb5cde8ea0f840cdb49097482e758b673ee97fd0cbcd212af

Download Submit
C:\Windows\{786E1847-D671-4cf8-94CE-72ACC17ADAEE}.exe

Filesize
204KB

MD5
5399dddc8e5135f751f69175a9f64e57

SHA1
0a2e2871ac12321d13e319c4650d0f74288f6024

SHA256
327a268a1f48961997805b0a842701085d7eceb5289ae6bbbf78bdb6abd30df1

SHA512
297d570a22b08c35d1751a20db6aa7b9e192271619349119c6c58adc0181ea181ccd1947f6a2152c0039ea201234311a4be498da6d665e195acba597e9ff76b1

Download Submit
C:\Windows\{7B4D4463-2480-4a89-8ED6-A06BD151C079}.exe

Filesize
204KB

MD5
318e818ce9eb51ced115ecae9b671ba6

SHA1
bc219b014a824e60a0f423f7d38bf879a6defdff

SHA256
1059c661f5eb04f0d5c3765d2d1f4454734e1cb455f179571c7815d3913e341b

SHA512
92be6bb1110d52e36a6c6c7d77b3aa9c64daeafb527a73e0de178a9687e3852b14ed08f883280cd4ab898656c6ecbc77d907625633a967f0003451f811db8e8f

Download Submit
C:\Windows\{A9B940FC-8F27-4970-B832-ACA5DE24DE61}.exe

Filesize
204KB

MD5
0404072b1f1befba22d84c8e041a67d0

SHA1
48e99e2b25e3b95ed34a97cc3afc5bf78e91c47b

SHA256
11ad1a3e80a9358c698b0cad2c2dd8d66618fc731791a0fb4cfbab7a31dafe38

SHA512
badd2070c12c5e6bbbbc058c5c5539d94137d5b7431c8a1fc2158bac73a56a37f38f2665f63e436883902b73cdacee24e73aaced6558cb0d632863d73b0fb8d7

Download Submit
C:\Windows\{BCF76088-23FC-459c-B906-83D442D028CE}.exe

Filesize
204KB

MD5
f53d0fb881499c167b3ccc07d8c05427

SHA1
a215aeed7bf4112a0e40a0bbfdee411af85189bd

SHA256
b40b89e353e06bd671daf7b847892b7b4d713735661506b1fcf555fb97df4fd8

SHA512
1fcfbbcbb5b38bf836ea979559386a1b8eac679cbdebe882ff7570221cee59d39920a1be9cb715c667b7d4d93c3a668ab446f226568c5a57701ebe2e558c0bcf

Download Submit
C:\Windows\{C367456E-D148-4b19-8319-1DCFA6964605}.exe

Filesize
204KB

MD5
7fc2d3f6c842aa9738dfe323d0f96863

SHA1
f04c57ef460c9403965af98a933c90f01c743a0e

SHA256
fa7bac9c7a3e30fd51e3625d5e24409b06c704649236580ed2c9972d37e4b2f5

SHA512
88531b4574c32d822b91c8c22fd6b58972a0e4c943b0cc3459f3bfe9237571a20af7a60c703d275145c72aa4fbf352b31a6d926ab4cbe7d508dc4904ebc4396c

Download Submit
C:\Windows\{E0058FFE-AF73-4441-9377-139964ED8AAE}.exe

Filesize
204KB

MD5
bfb95969fba9137061ddb02a43306fa3

SHA1
fb85fbe34e58abe07a479213937074569fea353b

SHA256
5f60679df8f0b896dc0b13883c9e35ebb747be184e0201e4049ce65990b29850

SHA512
5998641477b3649f2a78ad265361720b4afc8d25253a06df0246212103b015cfd67fa3d43c97991627e36c05cfa27652c7256fd4e0bc70078ee3789751d78548

Download Submit
C:\Windows\{EF4697CD-0D33-49d9-87E1-AE3F8BB6D0E8}.exe

Filesize
204KB

MD5
2390868d0d2858c81e8daaf70752a114

SHA1
0c02b4fc8f5fbbc13d22f54ecc78430fbb0f2ec9

SHA256
6cad10bc0c3baf124fafad2a4c1b1c58c6b0f531b2bcb0914ff1d1470cc81332

SHA512
ae3e1df0d1afff2b3a700e314a406a13522566c617c3e27afa56f4de80de2e3e83e3c140a5fcf24996b783b575e53f2851591b18976cde75105ddd492d2a3071

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads