540ea6eefec94453d488fe12c9ec2a36f4c890541b1610011c5cc60a1f45055b

Analysis

max time kernel
149s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Size

344KB
MD5

c1c914b974832a5132dcd0194d17c0bd
SHA1

30940967c9c03d281e0f501a765ac44d9d3d3185
SHA256

540ea6eefec94453d488fe12c9ec2a36f4c890541b1610011c5cc60a1f45055b
SHA512

fcb180e9b2853e4ab245c18ceed60c235ef04c2864a9e4805e86dab8ed4bcac7a9cf3c86f5dfa36a1af48f5350c48d4c5e584e29bf8eef29d854c6e0e16d7ef1
SSDEEP

3072:mEGh0oslEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG+lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233ad-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233ae-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023431-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000232b9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023431-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000232b9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023431-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000232b9-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023431-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000232b9-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002342c-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000232b9-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD75D497-6B71-48de-B819-16762BFBB252}\stubpath = "C:\\Windows\\{BD75D497-6B71-48de-B819-16762BFBB252}.exe"	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}\stubpath = "C:\\Windows\\{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe"	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE7C9740-838C-4370-8465-24838A41EFA8}\stubpath = "C:\\Windows\\{CE7C9740-838C-4370-8465-24838A41EFA8}.exe"	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B6E2EBD-991C-4897-A98D-672418BE849B}	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72456DCE-E766-4cad-B533-C53CD3885FA2}\stubpath = "C:\\Windows\\{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe"	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C81F169F-81E2-40e2-8423-9EC7B5578F1A}	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{673D1F43-C600-4052-BC5B-8A855374A0FF}\stubpath = "C:\\Windows\\{673D1F43-C600-4052-BC5B-8A855374A0FF}.exe"	{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}\stubpath = "C:\\Windows\\{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe"	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}\stubpath = "C:\\Windows\\{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe"	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE43C1C-3348-4138-B6CF-255D0311BDAB}	{BD75D497-6B71-48de-B819-16762BFBB252}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B6E2EBD-991C-4897-A98D-672418BE849B}\stubpath = "C:\\Windows\\{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe"	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72456DCE-E766-4cad-B533-C53CD3885FA2}	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38F91069-0DCC-449c-9059-095EDE8540B9}\stubpath = "C:\\Windows\\{38F91069-0DCC-449c-9059-095EDE8540B9}.exe"	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}\stubpath = "C:\\Windows\\{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe"	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD75D497-6B71-48de-B819-16762BFBB252}	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE43C1C-3348-4138-B6CF-255D0311BDAB}\stubpath = "C:\\Windows\\{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe"	{BD75D497-6B71-48de-B819-16762BFBB252}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE7C9740-838C-4370-8465-24838A41EFA8}	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{673D1F43-C600-4052-BC5B-8A855374A0FF}	{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C81F169F-81E2-40e2-8423-9EC7B5578F1A}\stubpath = "C:\\Windows\\{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe"	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38F91069-0DCC-449c-9059-095EDE8540B9}	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe
3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe
2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe
3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe
956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe
348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe
3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe
2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe
876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe
852	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe
5036	{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe
824	{673D1F43-C600-4052-BC5B-8A855374A0FF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{38F91069-0DCC-449c-9059-095EDE8540B9}.exe	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe
File created	C:\Windows\{BD75D497-6B71-48de-B819-16762BFBB252}.exe	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe
File created	C:\Windows\{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe	{BD75D497-6B71-48de-B819-16762BFBB252}.exe
File created	C:\Windows\{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe
File created	C:\Windows\{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe
File created	C:\Windows\{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
File created	C:\Windows\{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe
File created	C:\Windows\{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe
File created	C:\Windows\{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe
File created	C:\Windows\{CE7C9740-838C-4370-8465-24838A41EFA8}.exe	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe
File created	C:\Windows\{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe
File created	C:\Windows\{673D1F43-C600-4052-BC5B-8A855374A0FF}.exe	{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3064	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe
Token: SeIncBasePriorityPrivilege	3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe
Token: SeIncBasePriorityPrivilege	2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe
Token: SeIncBasePriorityPrivilege	3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe
Token: SeIncBasePriorityPrivilege	956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe
Token: SeIncBasePriorityPrivilege	348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe
Token: SeIncBasePriorityPrivilege	3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe
Token: SeIncBasePriorityPrivilege	2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe
Token: SeIncBasePriorityPrivilege	876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe
Token: SeIncBasePriorityPrivilege	852	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe
Token: SeIncBasePriorityPrivilege	5036	{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1228	3064	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	92
PID 3064 wrote to memory of 1228	3064	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	92
PID 3064 wrote to memory of 1228	3064	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	92
PID 3064 wrote to memory of 4456	3064	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	93
PID 3064 wrote to memory of 4456	3064	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	93
PID 3064 wrote to memory of 4456	3064	2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe	93
PID 1228 wrote to memory of 3236	1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe	94
PID 1228 wrote to memory of 3236	1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe	94
PID 1228 wrote to memory of 3236	1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe	94
PID 1228 wrote to memory of 2072	1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe	95
PID 1228 wrote to memory of 2072	1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe	95
PID 1228 wrote to memory of 2072	1228	{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe	95
PID 3236 wrote to memory of 2408	3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe	98
PID 3236 wrote to memory of 2408	3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe	98
PID 3236 wrote to memory of 2408	3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe	98
PID 3236 wrote to memory of 1816	3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe	99
PID 3236 wrote to memory of 1816	3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe	99
PID 3236 wrote to memory of 1816	3236	{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe	99
PID 2408 wrote to memory of 3940	2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe	101
PID 2408 wrote to memory of 3940	2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe	101
PID 2408 wrote to memory of 3940	2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe	101
PID 2408 wrote to memory of 4888	2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe	102
PID 2408 wrote to memory of 4888	2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe	102
PID 2408 wrote to memory of 4888	2408	{38F91069-0DCC-449c-9059-095EDE8540B9}.exe	102
PID 3940 wrote to memory of 956	3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe	103
PID 3940 wrote to memory of 956	3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe	103
PID 3940 wrote to memory of 956	3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe	103
PID 3940 wrote to memory of 2328	3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe	104
PID 3940 wrote to memory of 2328	3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe	104
PID 3940 wrote to memory of 2328	3940	{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe	104
PID 956 wrote to memory of 348	956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe	105
PID 956 wrote to memory of 348	956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe	105
PID 956 wrote to memory of 348	956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe	105
PID 956 wrote to memory of 4440	956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe	106
PID 956 wrote to memory of 4440	956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe	106
PID 956 wrote to memory of 4440	956	{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe	106
PID 348 wrote to memory of 3000	348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe	107
PID 348 wrote to memory of 3000	348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe	107
PID 348 wrote to memory of 3000	348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe	107
PID 348 wrote to memory of 968	348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe	108
PID 348 wrote to memory of 968	348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe	108
PID 348 wrote to memory of 968	348	{BD75D497-6B71-48de-B819-16762BFBB252}.exe	108
PID 3000 wrote to memory of 2376	3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe	109
PID 3000 wrote to memory of 2376	3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe	109
PID 3000 wrote to memory of 2376	3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe	109
PID 3000 wrote to memory of 4684	3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe	110
PID 3000 wrote to memory of 4684	3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe	110
PID 3000 wrote to memory of 4684	3000	{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe	110
PID 2376 wrote to memory of 876	2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe	111
PID 2376 wrote to memory of 876	2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe	111
PID 2376 wrote to memory of 876	2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe	111
PID 2376 wrote to memory of 2884	2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe	112
PID 2376 wrote to memory of 2884	2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe	112
PID 2376 wrote to memory of 2884	2376	{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe	112
PID 876 wrote to memory of 852	876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe	113
PID 876 wrote to memory of 852	876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe	113
PID 876 wrote to memory of 852	876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe	113
PID 876 wrote to memory of 412	876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe	114
PID 876 wrote to memory of 412	876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe	114
PID 876 wrote to memory of 412	876	{CE7C9740-838C-4370-8465-24838A41EFA8}.exe	114
PID 852 wrote to memory of 5036	852	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe	115
PID 852 wrote to memory of 5036	852	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe	115
PID 852 wrote to memory of 5036	852	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe	115
PID 852 wrote to memory of 1860	852	{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_c1c914b974832a5132dcd0194d17c0bd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe
  C:\Windows\{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe
    C:\Windows\{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\{38F91069-0DCC-449c-9059-095EDE8540B9}.exe
      C:\Windows\{38F91069-0DCC-449c-9059-095EDE8540B9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe
        
        C:\Windows\{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - C:\Windows\{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe
        
        C:\Windows\{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\{BD75D497-6B71-48de-B819-16762BFBB252}.exe
        
        C:\Windows\{BD75D497-6B71-48de-B819-16762BFBB252}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe
        
        C:\Windows\{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe
        
        C:\Windows\{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{CE7C9740-838C-4370-8465-24838A41EFA8}.exe
        
        C:\Windows\{CE7C9740-838C-4370-8465-24838A41EFA8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe
        
        C:\Windows\{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe
        
        C:\Windows\{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\{673D1F43-C600-4052-BC5B-8A855374A0FF}.exe
        
        C:\Windows\{673D1F43-C600-4052-BC5B-8A855374A0FF}.exe
        13⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72456~1.EXE > nul
        13⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6E2~1.EXE > nul
        12⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE7C9~1.EXE > nul
        11⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28FB4~1.EXE > nul
        10⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE43~1.EXE > nul
        9⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD75D~1.EXE > nul
        8⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE8B2~1.EXE > nul
        7⤵
        
        PID:4440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{095A4~1.EXE > nul
        6⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38F91~1.EXE > nul
        5⤵
        
        PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C81F1~1.EXE > nul
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD1D3~1.EXE > nul
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{095A4EBA-C310-48bd-B7B0-7D9E813ED9AA}.exe

Filesize
344KB

MD5
ae93a44e8300011842ad5e85d6e5cb5f

SHA1
d82c6478d425b5ec94434346686ce0b737594899

SHA256
e2f170d2bee02e1c036b4d16a953f0907e931e155e83c81ee939d819123d2787

SHA512
05f275e46ef4f6432624f15e6b649ee70c0d0d41bd16764e7bfab64c391e10ee8c852e53195f6075cbdf22449b3cf89869b20b083f9c6f174950940c1cbe4bca

Download Submit
C:\Windows\{0B6E2EBD-991C-4897-A98D-672418BE849B}.exe

Filesize
344KB

MD5
f768da503d61a2a0c14409fdb94931e5

SHA1
ab21ab5f78119daa60040d094a60622608825a96

SHA256
54d00d463dc40a76f5457454774e63178432d94c3948e78078afc8af54bd045f

SHA512
e81462d12766b8ff67ac33ef0437b827482c8595bbc73083045264362e7fb640d32f63cd0a7af769747a63edc7a79607936b652f8751266be7a864c7b7c619c2

Download Submit
C:\Windows\{28FB48E9-AE56-4b3f-B81A-5CDD2FF9F3A6}.exe

Filesize
344KB

MD5
c96cb309cdb8f78cfe0bd343a457929e

SHA1
6c61ec9ba23c5f5398b29faa6853b15f223a0d2d

SHA256
cf7cff714eb53f2508851ec26a663f8fe82fb709c36b3d6d73d55c422b3f0b3b

SHA512
13623ac20d5d569fca735c4597f37a2bea76b377d0dbd8f96b1394be8e55b8283df31b68abc540295373db2887585b213d72de0e54895e81e60c566f74a29109

Download Submit
C:\Windows\{38F91069-0DCC-449c-9059-095EDE8540B9}.exe

Filesize
344KB

MD5
295affb0f61edfdf99d6440588f4ebee

SHA1
d592b99e6622b5c0ac14d70d37d4ca4ea2c0c0d7

SHA256
770f0977aab432c773c76dc939472dc15a43d6e40e93fe4d254fd76794a8d3ee

SHA512
6a3fd1a5b5403330785dff1a5fd141e213bf96ae823060f605b6646906d4f6eaaf4d6abb56df6451dad8eacc0d99440a7aa51471d1f53b0eee6145c5662ec1a7

Download Submit
C:\Windows\{673D1F43-C600-4052-BC5B-8A855374A0FF}.exe

Filesize
344KB

MD5
92ee31cbc5febb02f75e0e949782147e

SHA1
a93910dfd3c873d0f19ac36327d053e9c044786f

SHA256
4be8658dac58dcc621ab981fffabb25d5eceb2df8ab06f5fb5c29c998b079c77

SHA512
e144331cb68884e7598b65af9ca4cf84cf04bdf46086f5e0742a2d44bc5a298663a69064fc21c01d0c5041b75be615635267cf16707c4a19392c38469c29b6f8

Download Submit
C:\Windows\{72456DCE-E766-4cad-B533-C53CD3885FA2}.exe

Filesize
344KB

MD5
413458bf83d6660d5c2c1bf26afe0743

SHA1
633e02f61cc019eead43659d5c18d8c3b9cd88a8

SHA256
aa9980dc921c96da67b113db454cc6fbd4a56f1698834bea63877c880bbb1f1f

SHA512
f0d1151d970fd920547b36f2e37bb73bcf8ed125e840fdd89eec8c36c5d0c018242503e9191d9442a1c1adc7e9cdb02fe23423c5092c6ccf65e7bcf7e7d8a5f7

Download Submit
C:\Windows\{BD75D497-6B71-48de-B819-16762BFBB252}.exe

Filesize
344KB

MD5
e057bdc1319f661c1f31dcd4b33fa684

SHA1
2453b8a50753a6c83bd1a4365f3379589b2e46b5

SHA256
8496440c6bb0695458228e42cb6553a4435752f635775022e49aadf9ad2d42fe

SHA512
c76a8e506ac3c06123661cbcab928e15525e497b7ab7e7fd1710884af50c05df87a6552930bec91407cb73f6d4e657f3a15ecdb1f481851ed5e2c68b71ff0fb6

Download Submit
C:\Windows\{C81F169F-81E2-40e2-8423-9EC7B5578F1A}.exe

Filesize
344KB

MD5
a011c3d16a142abe1f9bbfbc5b2371d4

SHA1
1cc743ba3abc50a96f0dc1559705faba445c71f4

SHA256
5a937ca18694cf326c6078f3653d558312717f28556059bde409d340a93440a4

SHA512
0ed688609636b056cf733a6931d755005f2e5eb0328d98d7e2e7801589212bf16f048d9ceccf1d50f7133d98795a23d2da6c407d571c6e924538bf169a14e0c6

Download Submit
C:\Windows\{CD1D33D9-65C7-4074-A62E-7C6DEA5AA01A}.exe

Filesize
344KB

MD5
e4ea6f2b2bc0f501cbeb8407abe5f03b

SHA1
267248ac931978416e0a24a7e5b1441b7a5a7895

SHA256
6c8fb904696fe045d7ccfaac8e476ae1b768199657bdc86cae4a07fea4901a25

SHA512
31b6236c56ab8a2aaabba21b886688be21b4009f6e8683363e27da32bf02d2b05270535a3eeebb6f4e1a526c6785042dca62c9749a5bb2a90f47b467f9ac154b

Download Submit
C:\Windows\{CE7C9740-838C-4370-8465-24838A41EFA8}.exe

Filesize
344KB

MD5
56486034693063d50382c86f2c876f1a

SHA1
9494b9526f59d4591f0440a4fa0af924b0048a02

SHA256
25e0f87c90a9943ebb1be04b47d80f4d97e3ce7cd31af71e792c7b7f47486817

SHA512
cfc0b580bec30c571669d921585feb8d3e9c1ecd7d5e385eccb47bdff96bd40b9c9810319bc800771ff64a296cd59e0390b84525376d090152b3d28343a02f81

Download Submit
C:\Windows\{DE8B2A4D-2F90-4c92-8207-F0B59B9C3B2A}.exe

Filesize
344KB

MD5
b5d148c65ffdf6824e379505d0282591

SHA1
30e9b6702caab72881cae048fb5339cbbb66cd59

SHA256
bcc35bcccf95904d0d14f8d4dc7528999620a8d800b66f14ba69a168405a02aa

SHA512
4ab3252d47c5b3e81eed90fb81024654b256e60050a51fad8d60e62f672e1c2294b7fa8a24e704f898ab79393772023f4adebbe911f35148246cb9d3f98e4908

Download Submit
C:\Windows\{FBE43C1C-3348-4138-B6CF-255D0311BDAB}.exe

Filesize
344KB

MD5
6f987ae738344ed80c3cec4a0e419840

SHA1
172401067bf02c7cc2b3b1021ce30c8025e33737

SHA256
43e2deb80746ebed424fafb2a0bf3219ad557883ddc160fb4ebb9e4233dfe71a

SHA512
1f35be9725ef4ccc021b577fe6e71fb683d70df1f15eed553c9e4b29878fa2b0cc74394f200309b31dec9e0b2b31dd50c23acd377518a03f10443f41e2e476f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads