671182cab623d5b185d47dff9467e99e9eb4ea7c73b4d918c64b721525a785dd

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe
Size

372KB
MD5

bf841c8c655ff0aa0ba14c89ed0951b7
SHA1

4747da80ca86634e486659f8bad5a5ae75c01502
SHA256

671182cab623d5b185d47dff9467e99e9eb4ea7c73b4d918c64b721525a785dd
SHA512

fd9ec3b9a41b6f22c9432fe1c649c2e3bdd15ab4cdf7ded47ea652c3e3dda03a30284fd9dc43d65c82896ad4bc0ed798ea029dc402fb17ad31128bf6e9cf73e9
SSDEEP

3072:CEGh0ojlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGJlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002341f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023414-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023427-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023414-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023427-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023414-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023427-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023414-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023427-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023414-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023424-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342e-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515FFF14-36C4-4073-A0BA-99D7DE2B150B}	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77624927-09CF-467b-9E4A-C4306CB3B8EA}	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD919288-556C-46b4-AEF9-7213FBFE380F}\stubpath = "C:\\Windows\\{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe"	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F74F7C83-E517-4004-A677-9FDD323C055A}\stubpath = "C:\\Windows\\{F74F7C83-E517-4004-A677-9FDD323C055A}.exe"	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE684C4-4F90-4491-917D-344E934DF05F}	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE684C4-4F90-4491-917D-344E934DF05F}\stubpath = "C:\\Windows\\{0FE684C4-4F90-4491-917D-344E934DF05F}.exe"	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AD8F16-8762-4906-B8AB-054D128C4DD6}\stubpath = "C:\\Windows\\{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe"	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF6F87BC-5108-402a-964F-4E8445836C83}	{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E264140-9897-4853-9B89-DCAF9E34F835}\stubpath = "C:\\Windows\\{5E264140-9897-4853-9B89-DCAF9E34F835}.exe"	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}\stubpath = "C:\\Windows\\{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe"	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515FFF14-36C4-4073-A0BA-99D7DE2B150B}\stubpath = "C:\\Windows\\{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe"	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77624927-09CF-467b-9E4A-C4306CB3B8EA}\stubpath = "C:\\Windows\\{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe"	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E264140-9897-4853-9B89-DCAF9E34F835}	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B50904C-3E73-4133-9FDC-6A5823AAB69C}\stubpath = "C:\\Windows\\{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe"	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD919288-556C-46b4-AEF9-7213FBFE380F}	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F74F7C83-E517-4004-A677-9FDD323C055A}	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AD8F16-8762-4906-B8AB-054D128C4DD6}	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF6F87BC-5108-402a-964F-4E8445836C83}\stubpath = "C:\\Windows\\{BF6F87BC-5108-402a-964F-4E8445836C83}.exe"	{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B50904C-3E73-4133-9FDC-6A5823AAB69C}	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}\stubpath = "C:\\Windows\\{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe"	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}\stubpath = "C:\\Windows\\{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe"	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe
2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe
3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe
3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe
1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe
4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe
4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe
2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe
4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe
4448	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe
2076	{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe
4208	{BF6F87BC-5108-402a-964F-4E8445836C83}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0FE684C4-4F90-4491-917D-344E934DF05F}.exe	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe
File created	C:\Windows\{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe
File created	C:\Windows\{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe
File created	C:\Windows\{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe
File created	C:\Windows\{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe
File created	C:\Windows\{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe
File created	C:\Windows\{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe
File created	C:\Windows\{F74F7C83-E517-4004-A677-9FDD323C055A}.exe	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe
File created	C:\Windows\{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe
File created	C:\Windows\{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe
File created	C:\Windows\{BF6F87BC-5108-402a-964F-4E8445836C83}.exe	{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe
File created	C:\Windows\{5E264140-9897-4853-9B89-DCAF9E34F835}.exe	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	320	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe
Token: SeIncBasePriorityPrivilege	2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe
Token: SeIncBasePriorityPrivilege	3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe
Token: SeIncBasePriorityPrivilege	3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe
Token: SeIncBasePriorityPrivilege	1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe
Token: SeIncBasePriorityPrivilege	4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe
Token: SeIncBasePriorityPrivilege	4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe
Token: SeIncBasePriorityPrivilege	2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe
Token: SeIncBasePriorityPrivilege	4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe
Token: SeIncBasePriorityPrivilege	4448	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe
Token: SeIncBasePriorityPrivilege	2076	{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 3572	320	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe	91
PID 320 wrote to memory of 3572	320	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe	91
PID 320 wrote to memory of 3572	320	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe	91
PID 320 wrote to memory of 2076	320	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe	92
PID 320 wrote to memory of 2076	320	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe	92
PID 320 wrote to memory of 2076	320	2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe	92
PID 3572 wrote to memory of 2248	3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe	93
PID 3572 wrote to memory of 2248	3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe	93
PID 3572 wrote to memory of 2248	3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe	93
PID 3572 wrote to memory of 3768	3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe	94
PID 3572 wrote to memory of 3768	3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe	94
PID 3572 wrote to memory of 3768	3572	{5E264140-9897-4853-9B89-DCAF9E34F835}.exe	94
PID 2248 wrote to memory of 3460	2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe	98
PID 2248 wrote to memory of 3460	2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe	98
PID 2248 wrote to memory of 3460	2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe	98
PID 2248 wrote to memory of 3488	2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe	99
PID 2248 wrote to memory of 3488	2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe	99
PID 2248 wrote to memory of 3488	2248	{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe	99
PID 3460 wrote to memory of 3376	3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe	100
PID 3460 wrote to memory of 3376	3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe	100
PID 3460 wrote to memory of 3376	3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe	100
PID 3460 wrote to memory of 3756	3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe	101
PID 3460 wrote to memory of 3756	3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe	101
PID 3460 wrote to memory of 3756	3460	{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe	101
PID 3376 wrote to memory of 1772	3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe	102
PID 3376 wrote to memory of 1772	3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe	102
PID 3376 wrote to memory of 1772	3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe	102
PID 3376 wrote to memory of 4676	3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe	103
PID 3376 wrote to memory of 4676	3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe	103
PID 3376 wrote to memory of 4676	3376	{F74F7C83-E517-4004-A677-9FDD323C055A}.exe	103
PID 1772 wrote to memory of 4296	1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe	104
PID 1772 wrote to memory of 4296	1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe	104
PID 1772 wrote to memory of 4296	1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe	104
PID 1772 wrote to memory of 2304	1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe	105
PID 1772 wrote to memory of 2304	1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe	105
PID 1772 wrote to memory of 2304	1772	{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe	105
PID 4296 wrote to memory of 4544	4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe	106
PID 4296 wrote to memory of 4544	4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe	106
PID 4296 wrote to memory of 4544	4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe	106
PID 4296 wrote to memory of 812	4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe	107
PID 4296 wrote to memory of 812	4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe	107
PID 4296 wrote to memory of 812	4296	{0FE684C4-4F90-4491-917D-344E934DF05F}.exe	107
PID 4544 wrote to memory of 2732	4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe	109
PID 4544 wrote to memory of 2732	4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe	109
PID 4544 wrote to memory of 2732	4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe	109
PID 4544 wrote to memory of 1956	4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe	110
PID 4544 wrote to memory of 1956	4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe	110
PID 4544 wrote to memory of 1956	4544	{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe	110
PID 2732 wrote to memory of 4460	2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe	111
PID 2732 wrote to memory of 4460	2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe	111
PID 2732 wrote to memory of 4460	2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe	111
PID 2732 wrote to memory of 4856	2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe	112
PID 2732 wrote to memory of 4856	2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe	112
PID 2732 wrote to memory of 4856	2732	{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe	112
PID 4460 wrote to memory of 4448	4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe	113
PID 4460 wrote to memory of 4448	4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe	113
PID 4460 wrote to memory of 4448	4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe	113
PID 4460 wrote to memory of 4776	4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe	114
PID 4460 wrote to memory of 4776	4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe	114
PID 4460 wrote to memory of 4776	4460	{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe	114
PID 4448 wrote to memory of 2076	4448	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe	115
PID 4448 wrote to memory of 2076	4448	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe	115
PID 4448 wrote to memory of 2076	4448	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe	115
PID 4448 wrote to memory of 2236	4448	{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_bf841c8c655ff0aa0ba14c89ed0951b7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\{5E264140-9897-4853-9B89-DCAF9E34F835}.exe
  C:\Windows\{5E264140-9897-4853-9B89-DCAF9E34F835}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe
    C:\Windows\{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe
      C:\Windows\{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\{F74F7C83-E517-4004-A677-9FDD323C055A}.exe
        
        C:\Windows\{F74F7C83-E517-4004-A677-9FDD323C055A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
      - C:\Windows\{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe
        
        C:\Windows\{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{0FE684C4-4F90-4491-917D-344E934DF05F}.exe
        
        C:\Windows\{0FE684C4-4F90-4491-917D-344E934DF05F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe
        
        C:\Windows\{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe
        
        C:\Windows\{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe
        
        C:\Windows\{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe
        
        C:\Windows\{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe
        
        C:\Windows\{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{BF6F87BC-5108-402a-964F-4E8445836C83}.exe
        
        C:\Windows\{BF6F87BC-5108-402a-964F-4E8445836C83}.exe
        13⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77624~1.EXE > nul
        13⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{515FF~1.EXE > nul
        12⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79B17~1.EXE > nul
        11⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16AD8~1.EXE > nul
        10⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E386~1.EXE > nul
        9⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE68~1.EXE > nul
        8⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10EF6~1.EXE > nul
        7⤵
        
        PID:2304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F74F7~1.EXE > nul
        6⤵
        
        PID:4676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD919~1.EXE > nul
        5⤵
        
        PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3B509~1.EXE > nul
      4⤵
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E264~1.EXE > nul
    3⤵
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FE684C4-4F90-4491-917D-344E934DF05F}.exe

Filesize
372KB

MD5
78370772992dd5c0812c05e4bf87d4c0

SHA1
8704203ec4fa53986863ae83f514d532576c18b1

SHA256
8937b5e60eebb20de6b0a8fd5978930e0c949366459eb575db59020417dcc395

SHA512
76b62631898cb338f3c01c0e998c3784b6364d627c6dce4345ac29874338a6dcb637e25207a7c03818b6d78c21675dfee5226a6fa7018a696a8e7e767d002812

Download Submit
C:\Windows\{10EF6326-FFDC-4c4c-8F9B-1A20384798A7}.exe

Filesize
372KB

MD5
65266b223260425e7193d72f2e5cde63

SHA1
f0b474c67795f16b7793dded999bee43e69e0844

SHA256
1c15d9e9a320a7775153cc676b93ff170ffb64a1d710a6725e2ce734494f8ff5

SHA512
42b924761d4f3e24299ff46b6f3495f7c95399dad532c79eb6e692692c30733b57202e0d215205e48294efa09dab8d4b56e3c87563dd3b3f9ffbc14b39b08692

Download Submit
C:\Windows\{16AD8F16-8762-4906-B8AB-054D128C4DD6}.exe

Filesize
372KB

MD5
6c17d52ad486e721b0d129d02b1a1f5e

SHA1
c14e043d8397eba617ffed9d97ddfe81d91292c6

SHA256
0612f1f6607bb1df894303cb00b38215d742f08503f33d6c136df234724f047c

SHA512
adc41ffc5ce796f5d724b69497a78f86c966e06d4c6ed34bfdef4dd38ff16a026003ee00014aa2389c9ff50996e3bced7073b6cc12eb7c08d049f80d25b3df67

Download Submit
C:\Windows\{3B50904C-3E73-4133-9FDC-6A5823AAB69C}.exe

Filesize
372KB

MD5
850f53a060e7c3270157b989af2693e8

SHA1
000d1f1143c7994a36097b6b4c999b0910d3ab02

SHA256
da8c65746dc9070287a9501b22bc418a3d0f233b8aae01999540cadfb29919d1

SHA512
e66e4a647c2b34a88cd4f9846045d1ab5029ee6bc8e538ccde3e6647f69c6a01a27947d0c0c123083cada69b64fc9af6782e2274c6bb80f6b425bd7315c84132

Download Submit
C:\Windows\{515FFF14-36C4-4073-A0BA-99D7DE2B150B}.exe

Filesize
372KB

MD5
b53e880dd6a1d0c84d207ac48f15762d

SHA1
bec7b6c4e9f523643ef9fd21d0a481bbd4c45c29

SHA256
6bc8a6131e65528d40d1825eecb526e6c14ea63e04a3f7413941589a27298129

SHA512
541e0298e4e6060889bbbc2a9122491cbb84d04c1ebf91042ae5b229e6626b0064fd924c3a581213871cdaa396682eacaa16a75c3179a192638058b8333523d3

Download Submit
C:\Windows\{5E264140-9897-4853-9B89-DCAF9E34F835}.exe

Filesize
372KB

MD5
0b7ac1550cf161761ce549510270cc1d

SHA1
683dd52515f0e0677b6070d649e67a068d68d4bf

SHA256
fde04ec14a56bbdbb5966f3d873e3c3e72a9d783af624e784dc40f722f5ec1bd

SHA512
b9594b5d619a540a994e8276fb1ec2f6529566ce4b90ab811460cbd3f71c76e3c9376eceb45e1287a36c48ae74bfb8399c4b029dc163890a31792f0b9dc91fed

Download Submit
C:\Windows\{77624927-09CF-467b-9E4A-C4306CB3B8EA}.exe

Filesize
372KB

MD5
e92039c69a2ed2a571a353d75c6f3b28

SHA1
fe5bbc8370bdcdd2dba3a264958684179aeaa1cf

SHA256
9a2286d1d98fda8b3a33da3459f40eb991ee544e14325a02b650a7f9a626208a

SHA512
0d302dca8fb20c76e9156344438d056961e6e4521a6f7d44243778fb7ba250fe75eeed9814ccc07c7480e7a74c93284229a3890826d509662c1cda5ce4755fda

Download Submit
C:\Windows\{79B1791D-AA48-4c87-9EC8-D3F7B88B270A}.exe

Filesize
372KB

MD5
83f0792c07437dcfedcd8f9f758035e1

SHA1
5fc131970b2ada2388732f6261cfe1eb80b8b6ae

SHA256
fabe8ce26ea8d7b106f357e8ddb126dd7c77771dbec03c3048ed61b670e8c47a

SHA512
207cadfb0bc7cadbfae1ff64adac863ef81b4c48764a6669e34b9fef4829bb7d18727c9368eed6a7292c198bba78e515e80cd2ea05b81377bca4881551f3db8c

Download Submit
C:\Windows\{9E3866BF-B1E3-4e65-AFEF-6466316ADBF5}.exe

Filesize
372KB

MD5
eeffe0b4856672a6f0d13fd02e30c398

SHA1
36deb1dc1d95a5aa45c08d321a8b1b3d8b5a0155

SHA256
a81a8ccec30d823e673846d1014e7248534d77f23b187013f9ee4a3fc2cfc17e

SHA512
e003392c9b0c588b7f02f4745d63a3ef601f402be27a6284e236624f03b45b2c3aa88757651ff51d60d456390a5197110984dec4529b0b219f2cce6c36361347

Download Submit
C:\Windows\{BF6F87BC-5108-402a-964F-4E8445836C83}.exe

Filesize
372KB

MD5
2006392b50a1405ac6ad3baf4cc90279

SHA1
4a0fcd5706f99a1092b9f9ab75af13d91c4345fb

SHA256
8f841d8f791eaeb461aef5bb1f45b6341a31919bbcf3ee7377c327db2305b91f

SHA512
22965c6d67513f67eaef4ea72771c63e6a3f28cdb1d375114760d84fc13808965e092c031e0ce21253a6c44637d2d9d9ad748c345e1ce365c5e59339476c4a72

Download Submit
C:\Windows\{DD919288-556C-46b4-AEF9-7213FBFE380F}.exe

Filesize
372KB

MD5
ce10d40ed36b64038a1a686d7a43e816

SHA1
5698eba23145ee966dd906e50f7f7aca8ec97333

SHA256
4254220709e27b0e9a76dd35f0f1aa7b91f39399a0d30b1260f6371f90a4df57

SHA512
56d30995ee47635477292fee1f7dab44d82cd0c1f77c2f2af9be25ea070330e004f09fded3f4ae1b67ae4d0ef57d72f3ee94b00edfe541d833472f8b02e6183f

Download Submit
C:\Windows\{F74F7C83-E517-4004-A677-9FDD323C055A}.exe

Filesize
372KB

MD5
24401c4db5316bd796db8adb5f569d63

SHA1
98be901f65ab89922b36e6d49e6196b64e404f40

SHA256
00a6210cd4adbe05e862e24086c6e442d5dc53fd51ab74021ff25adc8e09826e

SHA512
e6c7197a7a0b7690a0c80da085634af5a88b2cd449224f467d222edf56068c1e3735d391caa6f4452bb35064b193a19535bd2d57e9ed87d242ccb381b3a533f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads