339cf799ef6ad6bae034fb2e85ec1c0bcf453674192864a1f33ece9227e63f5c

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe
Size

204KB
MD5

a8104c2fe4772229751aa612dc3e331c
SHA1

be0dab4c2fa64a4474c60725c1ada4bc20b16cd4
SHA256

339cf799ef6ad6bae034fb2e85ec1c0bcf453674192864a1f33ece9227e63f5c
SHA512

9ce663530d29eda43c3c82cde2a33eb2000d7b3eb88904e3851d024f13bf799dbbe815bcf524fa1e7e22da718da827f847ff3878f3aca09a0f3096e872d9ccd6
SSDEEP

1536:1EGh0oJl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oJl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023439-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002343a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023442-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002336f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022963-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002336f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022963-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002336f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022963-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002336f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022963-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002336f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B3BEC0B-395E-4386-A865-8F3825C88E51}	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B3BEC0B-395E-4386-A865-8F3825C88E51}\stubpath = "C:\\Windows\\{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe"	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9177B160-513B-43a1-B063-C8EEC45F3C08}\stubpath = "C:\\Windows\\{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe"	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B9640A-504A-40af-8FE9-B7BCA7103768}	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A295D6E-EA85-437d-A216-C518CDD03B68}\stubpath = "C:\\Windows\\{6A295D6E-EA85-437d-A216-C518CDD03B68}.exe"	{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}\stubpath = "C:\\Windows\\{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe"	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}\stubpath = "C:\\Windows\\{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe"	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}\stubpath = "C:\\Windows\\{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe"	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E261C2D6-DAD5-433f-8A3E-C72B612E1785}\stubpath = "C:\\Windows\\{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe"	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B3C305-567A-4060-A21B-C1B87C341006}\stubpath = "C:\\Windows\\{E9B3C305-567A-4060-A21B-C1B87C341006}.exe"	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}\stubpath = "C:\\Windows\\{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe"	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9177B160-513B-43a1-B063-C8EEC45F3C08}	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AD6D63E-F551-4f3e-AB66-779020D79AE1}\stubpath = "C:\\Windows\\{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe"	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B9640A-504A-40af-8FE9-B7BCA7103768}\stubpath = "C:\\Windows\\{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe"	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AD6D63E-F551-4f3e-AB66-779020D79AE1}	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A295D6E-EA85-437d-A216-C518CDD03B68}	{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B3C305-567A-4060-A21B-C1B87C341006}	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}\stubpath = "C:\\Windows\\{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe"	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E261C2D6-DAD5-433f-8A3E-C72B612E1785}	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe

Executes dropped EXE 12 IoCs

pid	Process
1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe
5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe
432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe
1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe
3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe
1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe
4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe
4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe
4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe
3056	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe
1060	{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe
2260	{6A295D6E-EA85-437d-A216-C518CDD03B68}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe
File created	C:\Windows\{E9B3C305-567A-4060-A21B-C1B87C341006}.exe	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe
File created	C:\Windows\{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe
File created	C:\Windows\{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe
File created	C:\Windows\{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe
File created	C:\Windows\{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe
File created	C:\Windows\{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe
File created	C:\Windows\{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe
File created	C:\Windows\{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe
File created	C:\Windows\{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe
File created	C:\Windows\{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe
File created	C:\Windows\{6A295D6E-EA85-437d-A216-C518CDD03B68}.exe	{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2492	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe
Token: SeIncBasePriorityPrivilege	5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe
Token: SeIncBasePriorityPrivilege	432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe
Token: SeIncBasePriorityPrivilege	1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe
Token: SeIncBasePriorityPrivilege	3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe
Token: SeIncBasePriorityPrivilege	1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe
Token: SeIncBasePriorityPrivilege	4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe
Token: SeIncBasePriorityPrivilege	4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe
Token: SeIncBasePriorityPrivilege	4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe
Token: SeIncBasePriorityPrivilege	3056	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe
Token: SeIncBasePriorityPrivilege	1060	{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1240	2492	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe	93
PID 2492 wrote to memory of 1240	2492	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe	93
PID 2492 wrote to memory of 1240	2492	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe	93
PID 2492 wrote to memory of 5096	2492	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe	94
PID 2492 wrote to memory of 5096	2492	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe	94
PID 2492 wrote to memory of 5096	2492	2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe	94
PID 1240 wrote to memory of 5060	1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe	95
PID 1240 wrote to memory of 5060	1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe	95
PID 1240 wrote to memory of 5060	1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe	95
PID 1240 wrote to memory of 2364	1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe	96
PID 1240 wrote to memory of 2364	1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe	96
PID 1240 wrote to memory of 2364	1240	{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe	96
PID 5060 wrote to memory of 432	5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe	99
PID 5060 wrote to memory of 432	5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe	99
PID 5060 wrote to memory of 432	5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe	99
PID 5060 wrote to memory of 4900	5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe	100
PID 5060 wrote to memory of 4900	5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe	100
PID 5060 wrote to memory of 4900	5060	{E9B3C305-567A-4060-A21B-C1B87C341006}.exe	100
PID 432 wrote to memory of 1620	432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe	102
PID 432 wrote to memory of 1620	432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe	102
PID 432 wrote to memory of 1620	432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe	102
PID 432 wrote to memory of 2340	432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe	103
PID 432 wrote to memory of 2340	432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe	103
PID 432 wrote to memory of 2340	432	{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe	103
PID 1620 wrote to memory of 3952	1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe	104
PID 1620 wrote to memory of 3952	1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe	104
PID 1620 wrote to memory of 3952	1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe	104
PID 1620 wrote to memory of 224	1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe	105
PID 1620 wrote to memory of 224	1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe	105
PID 1620 wrote to memory of 224	1620	{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe	105
PID 3952 wrote to memory of 1400	3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe	106
PID 3952 wrote to memory of 1400	3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe	106
PID 3952 wrote to memory of 1400	3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe	106
PID 3952 wrote to memory of 2148	3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe	107
PID 3952 wrote to memory of 2148	3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe	107
PID 3952 wrote to memory of 2148	3952	{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe	107
PID 1400 wrote to memory of 4860	1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe	108
PID 1400 wrote to memory of 4860	1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe	108
PID 1400 wrote to memory of 4860	1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe	108
PID 1400 wrote to memory of 3292	1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe	109
PID 1400 wrote to memory of 3292	1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe	109
PID 1400 wrote to memory of 3292	1400	{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe	109
PID 4860 wrote to memory of 4452	4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe	110
PID 4860 wrote to memory of 4452	4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe	110
PID 4860 wrote to memory of 4452	4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe	110
PID 4860 wrote to memory of 4304	4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe	111
PID 4860 wrote to memory of 4304	4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe	111
PID 4860 wrote to memory of 4304	4860	{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe	111
PID 4452 wrote to memory of 4328	4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe	112
PID 4452 wrote to memory of 4328	4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe	112
PID 4452 wrote to memory of 4328	4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe	112
PID 4452 wrote to memory of 4628	4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe	113
PID 4452 wrote to memory of 4628	4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe	113
PID 4452 wrote to memory of 4628	4452	{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe	113
PID 4328 wrote to memory of 3056	4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe	114
PID 4328 wrote to memory of 3056	4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe	114
PID 4328 wrote to memory of 3056	4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe	114
PID 4328 wrote to memory of 1476	4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe	115
PID 4328 wrote to memory of 1476	4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe	115
PID 4328 wrote to memory of 1476	4328	{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe	115
PID 3056 wrote to memory of 1060	3056	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe	116
PID 3056 wrote to memory of 1060	3056	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe	116
PID 3056 wrote to memory of 1060	3056	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe	116
PID 3056 wrote to memory of 3924	3056	{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_a8104c2fe4772229751aa612dc3e331c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe
  C:\Windows\{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\{E9B3C305-567A-4060-A21B-C1B87C341006}.exe
    C:\Windows\{E9B3C305-567A-4060-A21B-C1B87C341006}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe
      C:\Windows\{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe
        
        C:\Windows\{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe
        
        C:\Windows\{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe
        
        C:\Windows\{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe
        
        C:\Windows\{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe
        
        C:\Windows\{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe
        
        C:\Windows\{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe
        
        C:\Windows\{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe
        
        C:\Windows\{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\{6A295D6E-EA85-437d-A216-C518CDD03B68}.exe
        
        C:\Windows\{6A295D6E-EA85-437d-A216-C518CDD03B68}.exe
        13⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD6D~1.EXE > nul
        13⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B96~1.EXE > nul
        12⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9177B~1.EXE > nul
        11⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E261C~1.EXE > nul
        10⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C617~1.EXE > nul
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54F2F~1.EXE > nul
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2BDB~1.EXE > nul
        7⤵
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABEDF~1.EXE > nul
        6⤵
        
        PID:224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C598D~1.EXE > nul
        5⤵
        
        PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B3C~1.EXE > nul
      4⤵
      PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0B3BE~1.EXE > nul
    3⤵
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B3BEC0B-395E-4386-A865-8F3825C88E51}.exe

Filesize
204KB

MD5
91e201141e5e69bb4ffeda7ae146dcbc

SHA1
71b4b74176081a68d5db90e6a1600b2946a3ef82

SHA256
e233823c99477083af0f901f5b86ceda2d70d30f940cdee06bf5792ddc4d7079

SHA512
98f5f5573b94ae93be8906a4af4520137d1672e800231c007571494b82de10ceeb60fc17d0c4f90bf8527948de83774f2bfdf9453ffb8a75eff521933f669717

Download Submit
C:\Windows\{4AD6D63E-F551-4f3e-AB66-779020D79AE1}.exe

Filesize
204KB

MD5
3a915ab58d1f57ad63c6bc2f84446e05

SHA1
9e98e03c3d7651e7b9b795d6b93ae07048c2173c

SHA256
8826c61fd901db38ed72cee1ebd1782cb6bf8c54ae48613127ec6ed268af124e

SHA512
714513397ef0e11654be8ccb6fa1c5c1654c227c705f94d32bb5b546204fbe83ea6139df537426f86d6b10ee66e88a3fdabe5156c2705ca8e04c4601b4a1187c

Download Submit
C:\Windows\{54F2F83C-EACC-48a4-8ABC-E3D7731149A0}.exe

Filesize
204KB

MD5
cbc6d65e4a03de9e28c4d1a2805edcdb

SHA1
2c025cd67d16b7116ca05b67e01edb0b176e297f

SHA256
1727c984ba86be31ed685be85c9a3ce75c6e513b4eb12dfb20bf6a47b0e5a4f6

SHA512
32553264036b8d371ed8809d2b869d4b6b1f3f58821b025acde5411d4a9d88649c9b917931b17288bc2bba4f55dbd9e01760502c0f4237e4e592704f61fc17f8

Download Submit
C:\Windows\{67B9640A-504A-40af-8FE9-B7BCA7103768}.exe

Filesize
204KB

MD5
722928f409f0bb3baa7bcf043fbfaab5

SHA1
e1d9b3754a5cb24a1972ab688262b5ad1dacc994

SHA256
884c78424127589b36d7eaf844114cce11f6322b2a4e18007552f43d51d7946e

SHA512
ac87d7903d96e8e15a0508a304481f025f5b52f62c734727cffa8451be44015194aa82edb37bd97ed48763673cae210354bd1b377279184e5b34ad43c9c27a1f

Download Submit
C:\Windows\{6A295D6E-EA85-437d-A216-C518CDD03B68}.exe

Filesize
204KB

MD5
154f1b4f0ba9610882d7282dc310b471

SHA1
cc33fd0c1cd7679ddd683cd844fbe0c0a3482dde

SHA256
021a7cc68a9a1706fbc07a5a81d5c80578a337fc14c8db086c65b1c5f7275ee5

SHA512
b4ac15d3938a3b27354ecfab7c9b8e482ab8bb84d902680669f571e4fda18ea4a90719208110a184702efe2f6d412dda2e64aca31d5daa989b14b86f84c7ec13

Download Submit
C:\Windows\{8C617B0D-6F4C-4b54-92ED-CDC74C8ED290}.exe

Filesize
204KB

MD5
a010559058ee5ebc104fae9a6262295f

SHA1
ce64e2f27851bae828ca788cba5c04066d457b16

SHA256
8dc8fc0bc3a308536ac725d88d01d9350810962347f4d7c003c18cc0f04bde95

SHA512
5d538f1ad0044b0ee122599a66d187c8d7f880fa1f97510be8f157963a7f4169298d2e11f789fe987b69a23d0c0b274b0fa2c1beb4a8145aaed0a51efe2f2a1f

Download Submit
C:\Windows\{9177B160-513B-43a1-B063-C8EEC45F3C08}.exe

Filesize
204KB

MD5
cb812aac11f1c739bd2384ef0990ff5e

SHA1
4dc3ee8219aa80a33a4acc2908f9efccf13e7bf5

SHA256
0897ecb1bcabb97dc11eacc01976de51eae5a9374e5fca871b6fe2784f2f1bd3

SHA512
09fad17d762256458774b3c9dfb95023f6d96d8018c14cca398bc67693eb2a9aba937bf04299e5e12e562b3c220e8f3a2f2b15c662e5dd1eb05dba9f9545b9f6

Download Submit
C:\Windows\{ABEDFB8B-5C7A-4791-9319-B490AC8E6B5F}.exe

Filesize
204KB

MD5
46cb873aef645630d9223c54b34d57d1

SHA1
8be8c221b1903b846eeccea9f5a829564fdd463b

SHA256
548f25a5268fcbd194c7d7a1485ed41413215592326e8134811a4eadf7a05eed

SHA512
90047f4aeb39e662834eadd80a7ca5c131e5f6b4012e5330c6d3f1246944c3281e9afd82f471f769f208e7f4fe96760b67e1a70b6bfa902a29a59874dd1888fd

Download Submit
C:\Windows\{C598D0B6-8281-4348-AA55-7F6C11CCCE1E}.exe

Filesize
204KB

MD5
c651a6b2fdf3f639fe255fa4273c24e5

SHA1
44fbe31f1cb83c603a91c46d7fb08b64ed4d920f

SHA256
555fe4d1043d677a65ce625c7fe36628206f549248b3a0856ed9420a44a0c6d4

SHA512
25cb234edb13838cbfbe99b449715e79c5264f2e24afb608c3fac00cb1a3338f6e3072162dc1e64caa32173de6530e6d7e1b1424cba65c0e91cc372fe4911afe

Download Submit
C:\Windows\{E261C2D6-DAD5-433f-8A3E-C72B612E1785}.exe

Filesize
204KB

MD5
86009cdf916b08026a29e2e174fbb26b

SHA1
44d37fb6c7895950bf8a48045cccb87353b246a0

SHA256
e0b58bdf48c94cae9b5474817780cccc1d4209bdca402c6d8d1fab32c8824154

SHA512
1b7b8667abb53d3d41ceced9f1c2eac9e3bafde6825adfd0e09ff965a724199ea5c9a4df2b03db18a34ad178b5c830ce5966f602eeedfb5a6a2208f97c57e43c

Download Submit
C:\Windows\{E9B3C305-567A-4060-A21B-C1B87C341006}.exe

Filesize
204KB

MD5
2c3eae4006f96d1ec16f6297ad066573

SHA1
720fab6a1ccff202090e622c684ff3aa3b9a76bf

SHA256
867d35fa1ee1ed9a5fbecef705fec61a5d3a870076a656eb3e6e4c55f6a7b79d

SHA512
00c8200a22ab0156eada75424f75ed18d06cbbf52297fa00b2d0edad20f29380c3f0fa84419e3dceb9ed5b9e6b7383bd3490142e7d8f0d0cd9a53f6f43799fb8

Download Submit
C:\Windows\{F2BDB0DC-DB43-4252-A0E0-76F689E594C4}.exe

Filesize
204KB

MD5
7c06bd60896328b373ebbd823e6406cf

SHA1
da53f1df28ec35608754d0e9083a78a483a93633

SHA256
ccf372f23ed151acbd4cc2cf1061a6277c665706395379cb9ceb402a04f1afc5

SHA512
760e21c12ec71440108027af98355f04065e3c3056c63d8eb9572eb207dd145c2d72646a6ff4cd3eb0302e3b7d5c23737a5d57757ba6beca92e5dc0501126fe0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads