2cbf73b59d8883b39503a8957465aca64e97ef7838f200a39f9955612353e42f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Size

372KB
MD5

9697825d0ad61534375222c95642a42b
SHA1

7d8aff23051a41d794a1f32c5c41a3fe440a0a9d
SHA256

2cbf73b59d8883b39503a8957465aca64e97ef7838f200a39f9955612353e42f
SHA512

c7a8b137a6cc2e2f88f51a77201fdca32eaf5b223225f7a6bf3af9e196680bce4eda3b39d94c909804de84287c74b4c0c272330f8e3a026a4e8f2c07384be76d
SSDEEP

3072:CEGh0o/lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGNlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000e00000002334b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002334f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023354-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233ea-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023354-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233ea-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023354-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233ea-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023354-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000233ea-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023354-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000233ea-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3E1BD9B-7565-4725-AB02-4DC524B77D62}	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFE94F7D-5E89-40db-900D-587C15FF7826}	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}\stubpath = "C:\\Windows\\{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe"	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D8E09AB-B772-4b26-8945-511992F29A06}	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D8E09AB-B772-4b26-8945-511992F29A06}\stubpath = "C:\\Windows\\{5D8E09AB-B772-4b26-8945-511992F29A06}.exe"	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A518CA-7FD9-4c48-80BB-621068DE494E}	{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A518CA-7FD9-4c48-80BB-621068DE494E}\stubpath = "C:\\Windows\\{08A518CA-7FD9-4c48-80BB-621068DE494E}.exe"	{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8207C608-547F-4757-822A-5FCC0B0B7205}\stubpath = "C:\\Windows\\{8207C608-547F-4757-822A-5FCC0B0B7205}.exe"	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}\stubpath = "C:\\Windows\\{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe"	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}\stubpath = "C:\\Windows\\{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe"	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E672D3DD-B347-43b0-9845-51003F16A5A8}	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8207C608-547F-4757-822A-5FCC0B0B7205}	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC24DA16-7EA6-474b-A960-2F800DE85769}	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA0A63FA-EC99-4ca5-B973-246848ADF03F}\stubpath = "C:\\Windows\\{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe"	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E672D3DD-B347-43b0-9845-51003F16A5A8}\stubpath = "C:\\Windows\\{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe"	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3E1BD9B-7565-4725-AB02-4DC524B77D62}\stubpath = "C:\\Windows\\{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe"	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFE94F7D-5E89-40db-900D-587C15FF7826}\stubpath = "C:\\Windows\\{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe"	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}\stubpath = "C:\\Windows\\{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe"	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC24DA16-7EA6-474b-A960-2F800DE85769}\stubpath = "C:\\Windows\\{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe"	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA0A63FA-EC99-4ca5-B973-246848ADF03F}	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe

Executes dropped EXE 12 IoCs

pid	Process
4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe
3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe
2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe
2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe
4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe
768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe
1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe
4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe
5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe
4800	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe
3336	{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe
3128	{08A518CA-7FD9-4c48-80BB-621068DE494E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe
File created	C:\Windows\{08A518CA-7FD9-4c48-80BB-621068DE494E}.exe	{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe
File created	C:\Windows\{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe
File created	C:\Windows\{5D8E09AB-B772-4b26-8945-511992F29A06}.exe	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe
File created	C:\Windows\{8207C608-547F-4757-822A-5FCC0B0B7205}.exe	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe
File created	C:\Windows\{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe
File created	C:\Windows\{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe
File created	C:\Windows\{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe
File created	C:\Windows\{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
File created	C:\Windows\{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe
File created	C:\Windows\{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe
File created	C:\Windows\{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3568	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe
Token: SeIncBasePriorityPrivilege	3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe
Token: SeIncBasePriorityPrivilege	2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe
Token: SeIncBasePriorityPrivilege	2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe
Token: SeIncBasePriorityPrivilege	4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe
Token: SeIncBasePriorityPrivilege	768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe
Token: SeIncBasePriorityPrivilege	1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe
Token: SeIncBasePriorityPrivilege	4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe
Token: SeIncBasePriorityPrivilege	5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe
Token: SeIncBasePriorityPrivilege	4800	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe
Token: SeIncBasePriorityPrivilege	3336	{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4652	3568	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	93
PID 3568 wrote to memory of 4652	3568	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	93
PID 3568 wrote to memory of 4652	3568	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	93
PID 3568 wrote to memory of 4120	3568	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	94
PID 3568 wrote to memory of 4120	3568	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	94
PID 3568 wrote to memory of 4120	3568	2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe	94
PID 4652 wrote to memory of 3712	4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe	95
PID 4652 wrote to memory of 3712	4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe	95
PID 4652 wrote to memory of 3712	4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe	95
PID 4652 wrote to memory of 3424	4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe	96
PID 4652 wrote to memory of 3424	4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe	96
PID 4652 wrote to memory of 3424	4652	{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe	96
PID 3712 wrote to memory of 2940	3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe	100
PID 3712 wrote to memory of 2940	3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe	100
PID 3712 wrote to memory of 2940	3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe	100
PID 3712 wrote to memory of 748	3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe	101
PID 3712 wrote to memory of 748	3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe	101
PID 3712 wrote to memory of 748	3712	{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe	101
PID 2940 wrote to memory of 2776	2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe	102
PID 2940 wrote to memory of 2776	2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe	102
PID 2940 wrote to memory of 2776	2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe	102
PID 2940 wrote to memory of 2440	2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe	103
PID 2940 wrote to memory of 2440	2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe	103
PID 2940 wrote to memory of 2440	2940	{5D8E09AB-B772-4b26-8945-511992F29A06}.exe	103
PID 2776 wrote to memory of 4460	2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe	104
PID 2776 wrote to memory of 4460	2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe	104
PID 2776 wrote to memory of 4460	2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe	104
PID 2776 wrote to memory of 1652	2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe	105
PID 2776 wrote to memory of 1652	2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe	105
PID 2776 wrote to memory of 1652	2776	{8207C608-547F-4757-822A-5FCC0B0B7205}.exe	105
PID 4460 wrote to memory of 768	4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe	106
PID 4460 wrote to memory of 768	4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe	106
PID 4460 wrote to memory of 768	4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe	106
PID 4460 wrote to memory of 820	4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe	107
PID 4460 wrote to memory of 820	4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe	107
PID 4460 wrote to memory of 820	4460	{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe	107
PID 768 wrote to memory of 1512	768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe	108
PID 768 wrote to memory of 1512	768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe	108
PID 768 wrote to memory of 1512	768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe	108
PID 768 wrote to memory of 5092	768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe	109
PID 768 wrote to memory of 5092	768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe	109
PID 768 wrote to memory of 5092	768	{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe	109
PID 1512 wrote to memory of 4636	1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe	110
PID 1512 wrote to memory of 4636	1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe	110
PID 1512 wrote to memory of 4636	1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe	110
PID 1512 wrote to memory of 2580	1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe	111
PID 1512 wrote to memory of 2580	1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe	111
PID 1512 wrote to memory of 2580	1512	{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe	111
PID 4636 wrote to memory of 5068	4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe	112
PID 4636 wrote to memory of 5068	4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe	112
PID 4636 wrote to memory of 5068	4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe	112
PID 4636 wrote to memory of 1092	4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe	113
PID 4636 wrote to memory of 1092	4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe	113
PID 4636 wrote to memory of 1092	4636	{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe	113
PID 5068 wrote to memory of 4800	5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe	114
PID 5068 wrote to memory of 4800	5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe	114
PID 5068 wrote to memory of 4800	5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe	114
PID 5068 wrote to memory of 4864	5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe	115
PID 5068 wrote to memory of 4864	5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe	115
PID 5068 wrote to memory of 4864	5068	{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe	115
PID 4800 wrote to memory of 3336	4800	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe	116
PID 4800 wrote to memory of 3336	4800	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe	116
PID 4800 wrote to memory of 3336	4800	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe	116
PID 4800 wrote to memory of 2720	4800	{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_9697825d0ad61534375222c95642a42b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe
  C:\Windows\{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe
    C:\Windows\{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\{5D8E09AB-B772-4b26-8945-511992F29A06}.exe
      C:\Windows\{5D8E09AB-B772-4b26-8945-511992F29A06}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\{8207C608-547F-4757-822A-5FCC0B0B7205}.exe
        
        C:\Windows\{8207C608-547F-4757-822A-5FCC0B0B7205}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe
        
        C:\Windows\{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe
        
        C:\Windows\{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe
        
        C:\Windows\{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe
        
        C:\Windows\{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe
        
        C:\Windows\{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe
        
        C:\Windows\{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe
        
        C:\Windows\{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Windows\{08A518CA-7FD9-4c48-80BB-621068DE494E}.exe
        
        C:\Windows\{08A518CA-7FD9-4c48-80BB-621068DE494E}.exe
        13⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA0A6~1.EXE > nul
        13⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC24D~1.EXE > nul
        12⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE94~1.EXE > nul
        11⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B340~1.EXE > nul
        10⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDE8~1.EXE > nul
        9⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2866~1.EXE > nul
        8⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3E1B~1.EXE > nul
        7⤵
        
        PID:820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8207C~1.EXE > nul
        6⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D8E0~1.EXE > nul
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E672D~1.EXE > nul
      4⤵
      PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C496E~1.EXE > nul
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08A518CA-7FD9-4c48-80BB-621068DE494E}.exe

Filesize
372KB

MD5
b5ac1257bd86a92af55257513ca26e11

SHA1
7ca0e977d02d4ae5553a68d49a036759ed217fe2

SHA256
0e1fdfb990176fa613c3eee86ffb244e76184676ea276ca5dd3454d721e741c6

SHA512
e93143de68d6fe699f7130aac207b0285372ddac985a72d89303f5a1cafd010e05a4cb7bede7f0f75ac861b5a28bda6b420234c5cb0d1d9734867f269b29ad6a

Download Submit
C:\Windows\{2B340EAD-B9CE-41ee-809F-A7CB2B0D94F2}.exe

Filesize
372KB

MD5
a64ff7bea30ff259d0ad876ac62edb8c

SHA1
efbf676ddf1dac344197104142a1ce66327271d8

SHA256
6052c90412cc749b8b63e984ca51c3e6ca5028b49e781f28016e95bc493135a6

SHA512
0eaf30eb8af045ea37eb57710e87e57e0e883d07e2c37cace1aaa28fe53d00c7804e506508baf8b15db388b7636c86ffd9cd7d01ae2d9ee24d140ec5e6add522

Download Submit
C:\Windows\{5D8E09AB-B772-4b26-8945-511992F29A06}.exe

Filesize
372KB

MD5
1f71445735036fccb991eb91f84c57af

SHA1
17e68161138c1d53b553db62065302143a5c6259

SHA256
1569b33024e8ce180b8d94114efbaeb103c883b189f1a35761958d21576b8dd6

SHA512
1fd1212257b9d7a272ef7bfd9e37675c3e87397696c91e80912eaab56a478971cc021dbf70dfefa30e9f686e7161c4f703259865d2676b45f6d807899aad86d0

Download Submit
C:\Windows\{8207C608-547F-4757-822A-5FCC0B0B7205}.exe

Filesize
372KB

MD5
c6e180fbe51ffa72865cb165a738f9bb

SHA1
d9cb867276237e85b6c054166261a7a91728912d

SHA256
adecb415790550a11311c43674f7ecebbebb1fd83572eab478534775a6ac16b6

SHA512
46b415bdb84807cb28a8121ed461c73edd5eb4f4315693476f3100b8b3a4adbdb64e9e23f57f5c7243148c5d6abdfdc253727c6291648d769ed3deec9d145956

Download Submit
C:\Windows\{A3E1BD9B-7565-4725-AB02-4DC524B77D62}.exe

Filesize
372KB

MD5
a8b3956782a8742e71ae31821bd7a1ce

SHA1
cb0c22c2d45e16fd05b68048fbddbf9594b5e481

SHA256
a5be25b0032b26b74ae2339a78da9dfadb46b52357c14fe36edfc54bfcee4db0

SHA512
665cbcc438db4f29d1faf0878d872cd0dfee7f6f3431c9e2fdb1afed5a0eaefaa8da4380836c0c0bb20a337ab0ab1663beb8ed3ee23e12f80fc0613dbcb80140

Download Submit
C:\Windows\{AA0A63FA-EC99-4ca5-B973-246848ADF03F}.exe

Filesize
372KB

MD5
6e0b4c4e6086b0fada451d61d1e66a70

SHA1
a981da568dcbefeb27133a116ecc89a0628305a8

SHA256
1d76431ed6f1738b2de20cefd64a8e6f5decc9f1c651dee3bc98e3cd667cd84f

SHA512
6279a68308c707f6d81e36c2f9482bb8f5ade41c27905b8d6fe682184d34597349e5798e1eb181ac49174cf6b3e639bcd8420ebc938bc361b5801fc4845b5c15

Download Submit
C:\Windows\{C2866A52-C373-4b32-AE03-E8D8FC1BB88E}.exe

Filesize
372KB

MD5
3c90ee06f9eefa809d8c886f9d4391ad

SHA1
1d81d093758a4d5af54906fc0e965fd0d79aae4e

SHA256
16bfbdff2e7a0a835b3909ce6a9319a8b45842ffb9ae10834d9320596426c90e

SHA512
beed74632403d1d2d2050a72e4860ac0103dc0d5fb1ba6bc76a96bcd75a8d137984e32c37b005aad726a3dc21eefaa8609bf89061e05d1f9a753186cac28f83a

Download Submit
C:\Windows\{C496E0AF-4B58-43c2-BBA4-D94A73C1D166}.exe

Filesize
372KB

MD5
3b9c1a28795a6198552cd9efe227d81b

SHA1
99c5dcf5d12b81c7fc335b850963573533da0d82

SHA256
5977b015081269a2d4120ca2a755ca625d87b58d8d0224b3efe4cae64e186330

SHA512
001b638ec3c067e1a325bdf43d74eb597c8048f8628d1625aa74f445276ed5cf0ee50b28171ded3ed4fc8fe48a45218c90bbf6f381affd91f8f300bb038e337c

Download Submit
C:\Windows\{DBDE8220-7422-4518-B7B1-8FAD1FCC10AC}.exe

Filesize
372KB

MD5
c0c9b5ca3b1e57c5976b49de54641e66

SHA1
ce6aeae9422302396509cf4edc4e6f49534de6c7

SHA256
0a141215176cf37c894f675ae154a30fb28a9af3eb437e7191ebefe57539759d

SHA512
19fa740393e84b42fb75e19e928c858c0ad2f6d1b5e79fcc3bcb4bb3f85dae68786d72c30d53a09da7cdb2484ce919b7eecfd74b3100ed5d8b539bbb2b532557

Download Submit
C:\Windows\{E672D3DD-B347-43b0-9845-51003F16A5A8}.exe

Filesize
372KB

MD5
1dbba017c011960cbf2b0e17c775379c

SHA1
8a1f4ca4e6c18deb1a45ba2b255730d7ce279161

SHA256
726fd65dcbe12213314680a1867f794a8fc3ed620df447245c6e74dcb2aa0750

SHA512
f5d9e9ae6c373f5b23be0764edaf82f5ba9fe59192d9cb6ed13b9704c77edbad6c00a6c4534230de43035df6b93f9a9da43c19e5948778773ba9331bf5ecf423

Download Submit
C:\Windows\{EC24DA16-7EA6-474b-A960-2F800DE85769}.exe

Filesize
372KB

MD5
033d4be204f3a3f59544584e58a39cee

SHA1
5b8c47a5a155c20c3311e2f9ced07a49566a722b

SHA256
a99e0e10950b5fead2118d8bd1d7547178085d90d5c161515c839c54488a140b

SHA512
911df9610ea6405ceb94c580d54892dba068ecead82d33562e1f423530ceeab1950dd6e79298d7ccd133b03a2571e2c79ecf194952a01250a87f0f82f5ec8ff6

Download Submit
C:\Windows\{EFE94F7D-5E89-40db-900D-587C15FF7826}.exe

Filesize
372KB

MD5
78de3150d27695aa0766f329b0708588

SHA1
463f21c89f7f6a0f4217f60734b0fa14443d537a

SHA256
15a98371607e40ad0ec5ef56f15d66da59a1071816065d82d4d2c6c99c6bc8ed

SHA512
a365668d3948a0ce3d7a52c580ee2631d0f5efee6783ad65086d6a377ec9f18d406a4371bf0e0290d339c5667f1987cad6a5c77f831e3dd8a1c9a546fe5f8e0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads