6dd4aff30e8cd3853f05db757e8eda456009ef7e9a41a35e3ba8eca4642794d6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe
Size

408KB
MD5

c630aadb89d63ed7faf70501990829b5
SHA1

998a49124e2aa5faff99a20b027d198dab6dd179
SHA256

6dd4aff30e8cd3853f05db757e8eda456009ef7e9a41a35e3ba8eca4642794d6
SHA512

744f3e948f89bb392ca286bdfa889d4c8f9eececd71fe142788e8e9c7b0768d79265173b0d7c332fd4e5359ce65d53f94b65049f57df21c7f97a1ab7a9bf908a
SSDEEP

3072:CEGh0o1l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGrldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023410-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023411-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023419-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e752-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023419-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e752-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023419-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e752-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023419-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e752-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023415-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e752-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7188205D-3E14-4e2f-A68F-F1AE6955B60D}\stubpath = "C:\\Windows\\{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe"	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96295F08-7745-42a5-AEAD-1F513220F7FF}	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}\stubpath = "C:\\Windows\\{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe"	{629E3C80-D635-47a0-AE06-087800C3E115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737317A7-6712-48a8-A3B3-D7514049EFC9}\stubpath = "C:\\Windows\\{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe"	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A725D90-034E-4442-9CAF-382A8B778405}	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7188205D-3E14-4e2f-A68F-F1AE6955B60D}	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96295F08-7745-42a5-AEAD-1F513220F7FF}\stubpath = "C:\\Windows\\{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe"	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{629E3C80-D635-47a0-AE06-087800C3E115}	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{629E3C80-D635-47a0-AE06-087800C3E115}\stubpath = "C:\\Windows\\{629E3C80-D635-47a0-AE06-087800C3E115}.exe"	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27A518F-863C-4bfa-89A8-CA6847B8C81F}	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}\stubpath = "C:\\Windows\\{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe"	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737317A7-6712-48a8-A3B3-D7514049EFC9}	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2246488D-7F4C-4f0f-88D2-99E1E04F4438}	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2246488D-7F4C-4f0f-88D2-99E1E04F4438}\stubpath = "C:\\Windows\\{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe"	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}	{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}	{629E3C80-D635-47a0-AE06-087800C3E115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}\stubpath = "C:\\Windows\\{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}.exe"	{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A725D90-034E-4442-9CAF-382A8B778405}\stubpath = "C:\\Windows\\{1A725D90-034E-4442-9CAF-382A8B778405}.exe"	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4C874B-5753-4581-B668-48AA2BAF3BC8}	{1A725D90-034E-4442-9CAF-382A8B778405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BB2A12-B00C-4b62-BCF6-8FACFA625215}\stubpath = "C:\\Windows\\{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe"	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4C874B-5753-4581-B668-48AA2BAF3BC8}\stubpath = "C:\\Windows\\{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe"	{1A725D90-034E-4442-9CAF-382A8B778405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BB2A12-B00C-4b62-BCF6-8FACFA625215}	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27A518F-863C-4bfa-89A8-CA6847B8C81F}\stubpath = "C:\\Windows\\{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe"	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe

Executes dropped EXE 12 IoCs

pid	Process
3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe
3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe
4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe
1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe
2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe
3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe
1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe
4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe
4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe
1692	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe
2272	{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe
4288	{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1A725D90-034E-4442-9CAF-382A8B778405}.exe	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe
File created	C:\Windows\{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe
File created	C:\Windows\{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe
File created	C:\Windows\{629E3C80-D635-47a0-AE06-087800C3E115}.exe	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe
File created	C:\Windows\{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe	{629E3C80-D635-47a0-AE06-087800C3E115}.exe
File created	C:\Windows\{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe
File created	C:\Windows\{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe
File created	C:\Windows\{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe	{1A725D90-034E-4442-9CAF-382A8B778405}.exe
File created	C:\Windows\{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe
File created	C:\Windows\{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe
File created	C:\Windows\{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe
File created	C:\Windows\{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}.exe	{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3700	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe
Token: SeIncBasePriorityPrivilege	3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe
Token: SeIncBasePriorityPrivilege	4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe
Token: SeIncBasePriorityPrivilege	1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe
Token: SeIncBasePriorityPrivilege	2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe
Token: SeIncBasePriorityPrivilege	3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe
Token: SeIncBasePriorityPrivilege	1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe
Token: SeIncBasePriorityPrivilege	4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe
Token: SeIncBasePriorityPrivilege	4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe
Token: SeIncBasePriorityPrivilege	1692	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe
Token: SeIncBasePriorityPrivilege	2272	{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 3904	3700	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe	90
PID 3700 wrote to memory of 3904	3700	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe	90
PID 3700 wrote to memory of 3904	3700	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe	90
PID 3700 wrote to memory of 3836	3700	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe	91
PID 3700 wrote to memory of 3836	3700	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe	91
PID 3700 wrote to memory of 3836	3700	2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe	91
PID 3904 wrote to memory of 3516	3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe	92
PID 3904 wrote to memory of 3516	3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe	92
PID 3904 wrote to memory of 3516	3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe	92
PID 3904 wrote to memory of 4700	3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe	93
PID 3904 wrote to memory of 4700	3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe	93
PID 3904 wrote to memory of 4700	3904	{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe	93
PID 3516 wrote to memory of 4952	3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe	96
PID 3516 wrote to memory of 4952	3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe	96
PID 3516 wrote to memory of 4952	3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe	96
PID 3516 wrote to memory of 2192	3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe	97
PID 3516 wrote to memory of 2192	3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe	97
PID 3516 wrote to memory of 2192	3516	{1A725D90-034E-4442-9CAF-382A8B778405}.exe	97
PID 4952 wrote to memory of 1368	4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe	99
PID 4952 wrote to memory of 1368	4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe	99
PID 4952 wrote to memory of 1368	4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe	99
PID 4952 wrote to memory of 1880	4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe	100
PID 4952 wrote to memory of 1880	4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe	100
PID 4952 wrote to memory of 1880	4952	{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe	100
PID 1368 wrote to memory of 2728	1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe	101
PID 1368 wrote to memory of 2728	1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe	101
PID 1368 wrote to memory of 2728	1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe	101
PID 1368 wrote to memory of 3832	1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe	102
PID 1368 wrote to memory of 3832	1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe	102
PID 1368 wrote to memory of 3832	1368	{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe	102
PID 2728 wrote to memory of 3644	2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe	103
PID 2728 wrote to memory of 3644	2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe	103
PID 2728 wrote to memory of 3644	2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe	103
PID 2728 wrote to memory of 4628	2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe	104
PID 2728 wrote to memory of 4628	2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe	104
PID 2728 wrote to memory of 4628	2728	{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe	104
PID 3644 wrote to memory of 1396	3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe	105
PID 3644 wrote to memory of 1396	3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe	105
PID 3644 wrote to memory of 1396	3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe	105
PID 3644 wrote to memory of 3288	3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe	106
PID 3644 wrote to memory of 3288	3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe	106
PID 3644 wrote to memory of 3288	3644	{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe	106
PID 1396 wrote to memory of 4324	1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe	107
PID 1396 wrote to memory of 4324	1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe	107
PID 1396 wrote to memory of 4324	1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe	107
PID 1396 wrote to memory of 1864	1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe	108
PID 1396 wrote to memory of 1864	1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe	108
PID 1396 wrote to memory of 1864	1396	{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe	108
PID 4324 wrote to memory of 4784	4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe	109
PID 4324 wrote to memory of 4784	4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe	109
PID 4324 wrote to memory of 4784	4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe	109
PID 4324 wrote to memory of 2380	4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe	110
PID 4324 wrote to memory of 2380	4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe	110
PID 4324 wrote to memory of 2380	4324	{629E3C80-D635-47a0-AE06-087800C3E115}.exe	110
PID 4784 wrote to memory of 1692	4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe	111
PID 4784 wrote to memory of 1692	4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe	111
PID 4784 wrote to memory of 1692	4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe	111
PID 4784 wrote to memory of 2776	4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe	112
PID 4784 wrote to memory of 2776	4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe	112
PID 4784 wrote to memory of 2776	4784	{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe	112
PID 1692 wrote to memory of 2272	1692	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe	113
PID 1692 wrote to memory of 2272	1692	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe	113
PID 1692 wrote to memory of 2272	1692	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe	113
PID 1692 wrote to memory of 3036	1692	{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_c630aadb89d63ed7faf70501990829b5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe
  C:\Windows\{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\{1A725D90-034E-4442-9CAF-382A8B778405}.exe
    C:\Windows\{1A725D90-034E-4442-9CAF-382A8B778405}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe
      C:\Windows\{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe
        
        C:\Windows\{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Windows\{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe
        
        C:\Windows\{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe
        
        C:\Windows\{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe
        
        C:\Windows\{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\{629E3C80-D635-47a0-AE06-087800C3E115}.exe
        
        C:\Windows\{629E3C80-D635-47a0-AE06-087800C3E115}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe
        
        C:\Windows\{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe
        
        C:\Windows\{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe
        
        C:\Windows\{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}.exe
        
        C:\Windows\{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CCB9~1.EXE > nul
        13⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B27A5~1.EXE > nul
        12⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C008~1.EXE > nul
        11⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{629E3~1.EXE > nul
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96295~1.EXE > nul
        9⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22464~1.EXE > nul
        8⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40BB2~1.EXE > nul
        7⤵
        
        PID:4628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71882~1.EXE > nul
        6⤵
        
        PID:3832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4C8~1.EXE > nul
        5⤵
        
        PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A725~1.EXE > nul
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73731~1.EXE > nul
    3⤵
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A725D90-034E-4442-9CAF-382A8B778405}.exe

Filesize
408KB

MD5
fca7564536dbfa8d5217bdc4d1b990b2

SHA1
79d5d0226f447161d89d390fb53cac062f5ee1ef

SHA256
912347344673cbc738b4a5f8a6b0375b30413d9a255c46f5f5544ba9948d487e

SHA512
c617c197db7568b975575053c90a7500e42a8d3f58a9040d3ee5b7589f960bffd136984ea475f1f621a6fe7768baee1a14e283b7e131afa09892acd79d06fde5

Download Submit
C:\Windows\{1C0080B9-B4B6-4650-A13A-7A6DEE9D9A81}.exe

Filesize
408KB

MD5
9668e50d08e0bb93857409e22caf2921

SHA1
2c16d566348a62b29233b4cfd1afafa2336d5ea2

SHA256
7cc1c7387e79e521db59c29b55d9d4ac03cb4ea8246bdee0c1a836b6ac62e482

SHA512
31817adac82b57660f8020d46684e9b549d63fc2869168ec0412c048cc0a50ce65a33fec27e4a05fb651aa485192a3107c97bcaa6dcd7f26a1a1c442b5b68c8d

Download Submit
C:\Windows\{1CCB9F20-2CA0-4f60-8FEC-B08D2BB75CB4}.exe

Filesize
408KB

MD5
c02f48944cda8418acd32e96f9498407

SHA1
8bd4e4b6a922a67c1d2c2efdfc71dc33fcdd7b19

SHA256
ed63f92f78675298624f6d562c2a4ff32d7a9768822c2761d2e86870cdb52b28

SHA512
24121e26e6de507ff0a4af1d6d2d5c006188d74fee8511e0dfc03a07c1a43e2d7b9a566ca3d0b9510060a634dea096cec21b1acfb8bc1f7e79881543f664cf7f

Download Submit
C:\Windows\{2246488D-7F4C-4f0f-88D2-99E1E04F4438}.exe

Filesize
408KB

MD5
784176004ffc972761e97271ba5b5aa1

SHA1
849342c6cd0695ab56e60c4b3247fa15729c003e

SHA256
c675d4330b30b5fbf46e6fe1b860594897759c98cff82ecb60b62bc9578d9546

SHA512
98182372ddbb62a899a1ad7c142e56745057b40a4adca3b92dff0c2a5370967650811ad00f942e05f962ffc481f7223d3d49afbcfd7b5c1515c9fdf4846ab414

Download Submit
C:\Windows\{40BB2A12-B00C-4b62-BCF6-8FACFA625215}.exe

Filesize
408KB

MD5
7308bf905eeb06e142707de02e0bbce2

SHA1
84ada020568c144c98c22747cc13243855f9de4a

SHA256
e93b6505a18bc82da3c04774a1033e331e343d3c56718c7422a0e53d5d3912af

SHA512
d743412a0a623e2a7bc357b0ba484655d16af8985697433e7adbe52c562dc421c0942a98c3d5b8248825cd73b749f1bd3f730ceb78675a49ffb7510607844e7d

Download Submit
C:\Windows\{46EB2605-B9A7-4aad-A077-94D7FDAEC3DF}.exe

Filesize
408KB

MD5
10eaeddeb34d26eeb879b3588dd7f37f

SHA1
5b34a4cb804ec1e654e11aa6999410362a7cb946

SHA256
e5234b2876eb1486833727297f330015e8432cc707719d739ef88f7b6b898bd5

SHA512
a29fc9a3b401172edd36cea674731b68fc03bdbd1fbfe2ec138354fe845a9fc2b2f83993f88870cbe8756378d0c0e3911a389ccb3fd26aa749e7dea5e2d2d068

Download Submit
C:\Windows\{629E3C80-D635-47a0-AE06-087800C3E115}.exe

Filesize
408KB

MD5
28c11ebbb9ce0bb8b5a8572799c66ca2

SHA1
fb4a4f9528b918e00037bebd7765c213419d7c77

SHA256
3e0d5380f12ac528a57e0d3a06551ce697b46975a50d50301262d3ac348182ad

SHA512
1d9b0286a8450df3c7d712911dbe8d08c15927cda1064df1146bfec351f116f342ef9f6b039da0c90eca45d22325fce5102218e6e93139c43afa9fe159e0fc1b

Download Submit
C:\Windows\{7188205D-3E14-4e2f-A68F-F1AE6955B60D}.exe

Filesize
408KB

MD5
2c57967af2840d7c6c3f9948530c56ec

SHA1
b9680256e7225814dcdde0be7d9c8fcf31f17668

SHA256
b896073a9410108b4272dfd6a9bcb3836cdf7646f3d886b9f61b6281b9c4dd6a

SHA512
5b17e169ca015833605e90b7f72b8e06867fd8ca1f92bf627dc19b34f313c91823543fecd8c7d90f2696bbc160dfb827b6f1026bb780d549bc855f4d86da1bf3

Download Submit
C:\Windows\{737317A7-6712-48a8-A3B3-D7514049EFC9}.exe

Filesize
408KB

MD5
2a3e4d90f7c79b9d5c1afdd0a73aa690

SHA1
163e90649e0c9d3bb6ca26ec7a979731d9e9d3ca

SHA256
bb2da740b385f17ee92766630321025bfc3507e557f6b2af59ff9e5b6cc60086

SHA512
3759fd138dc02b590552bf2cbd2cf09f73de6dfe176dc97ee45a58bbc2a55b83b191d48511baa6052e02b597f3304ea1cfbe3b43dd2683eb580327bd0e7e8a47

Download Submit
C:\Windows\{96295F08-7745-42a5-AEAD-1F513220F7FF}.exe

Filesize
408KB

MD5
6e93864189d5ca9cfaa6125ecabc30e5

SHA1
51f800bea01888dd0b3313b5223c1a0bac046530

SHA256
8e35c7312a2d0544d56927ca38e787fa0543f30565de681e6b4135e34a5edfd4

SHA512
23abd1649e0b056851f41fe29902228153bfbe472798521a5b607e21c8406cf40c7b4aa2e84ea5345afd7687f07929c388739cc6af8fd77cc5e24e581db2cee5

Download Submit
C:\Windows\{AD4C874B-5753-4581-B668-48AA2BAF3BC8}.exe

Filesize
408KB

MD5
d489d55c76497f8246aba41843c5a8a5

SHA1
5cc3c3d0015ce684329ab3ebda0526e63f681fe6

SHA256
7262ac1a5bed81040c2d7a08c193b690dd4f089ae3fde84d6dc53a25958573bd

SHA512
ca8952ee8c970dbef0e1f9da65499004a7a8542f79be6cb6b2a44855211c0af4dc3c820a6c505a617b0c0dcbef265b9cf003dad22176bc12d678bb138c2ca868

Download Submit
C:\Windows\{B27A518F-863C-4bfa-89A8-CA6847B8C81F}.exe

Filesize
408KB

MD5
e54b9e4ddb75408790fed21d4e67fa40

SHA1
ff9eaa9cbd9155158c9b62afd12e35935b1985ed

SHA256
7cee652730622f50f125e9afad000ee563942f2d2ec8d74df8bb57629cba2969

SHA512
346eaf0235fa813a2e746ac8f03978734f77c4ecc2ef0e53f6addbd7ddb7f7a67e9af72d62503d08db89c0b3e6ac6950cda8efad6f18131a5e969a8cf20a43db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads