8c48efcc060ae647b2640109d99c976e5000a725a2c7951c732646819dc8d821

Analysis

max time kernel
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 07:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe
Size

408KB
MD5

884e7d7120686ecbd603bf0058a43cfc
SHA1

2707f2dde34e2722a465ba1507862b6675af0ad7
SHA256

8c48efcc060ae647b2640109d99c976e5000a725a2c7951c732646819dc8d821
SHA512

978f19e34f3bc5d70dd253f8f90c431a92f67e298ce460f9b94baa601eade38f76bdf7c47eaf5ce7153d10c0a352eeb4bf16e748fd5192608efc440e2157f704
SSDEEP

3072:CEGh0oul3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023362-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233af-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023362-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233af-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023362-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233af-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023362-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233af-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023362-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233af-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023362-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233af-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}\stubpath = "C:\\Windows\\{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe"	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}\stubpath = "C:\\Windows\\{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe"	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77A8C30F-AFBB-41f0-98AA-116448431E1E}	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{297AFECC-4476-4048-AEAC-AD875CE857B6}	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D213B02E-37F4-4a1c-B47F-707656F985AB}\stubpath = "C:\\Windows\\{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe"	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}\stubpath = "C:\\Windows\\{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}.exe"	{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79DB052E-53ED-4174-8DD7-7147832DCAD0}	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77A8C30F-AFBB-41f0-98AA-116448431E1E}\stubpath = "C:\\Windows\\{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe"	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC960809-8D75-4595-882B-DB076CE052CC}\stubpath = "C:\\Windows\\{EC960809-8D75-4595-882B-DB076CE052CC}.exe"	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C388800-E999-4d4e-9110-51A4474D4E39}	{EC960809-8D75-4595-882B-DB076CE052CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D213B02E-37F4-4a1c-B47F-707656F985AB}	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79DB052E-53ED-4174-8DD7-7147832DCAD0}\stubpath = "C:\\Windows\\{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe"	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC960809-8D75-4595-882B-DB076CE052CC}	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}\stubpath = "C:\\Windows\\{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe"	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}\stubpath = "C:\\Windows\\{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe"	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{297AFECC-4476-4048-AEAC-AD875CE857B6}\stubpath = "C:\\Windows\\{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe"	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C388800-E999-4d4e-9110-51A4474D4E39}\stubpath = "C:\\Windows\\{1C388800-E999-4d4e-9110-51A4474D4E39}.exe"	{EC960809-8D75-4595-882B-DB076CE052CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}\stubpath = "C:\\Windows\\{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe"	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}	{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe
2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe
4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe
1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe
2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe
1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe
1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe
824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe
1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe
4796	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe
5044	{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe
4424	{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe
File created	C:\Windows\{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe
File created	C:\Windows\{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe
File created	C:\Windows\{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}.exe	{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe
File created	C:\Windows\{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe
File created	C:\Windows\{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe
File created	C:\Windows\{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe
File created	C:\Windows\{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe
File created	C:\Windows\{EC960809-8D75-4595-882B-DB076CE052CC}.exe	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe
File created	C:\Windows\{1C388800-E999-4d4e-9110-51A4474D4E39}.exe	{EC960809-8D75-4595-882B-DB076CE052CC}.exe
File created	C:\Windows\{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe
File created	C:\Windows\{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	392	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe
Token: SeIncBasePriorityPrivilege	2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe
Token: SeIncBasePriorityPrivilege	4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe
Token: SeIncBasePriorityPrivilege	1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe
Token: SeIncBasePriorityPrivilege	2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe
Token: SeIncBasePriorityPrivilege	1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe
Token: SeIncBasePriorityPrivilege	1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe
Token: SeIncBasePriorityPrivilege	824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe
Token: SeIncBasePriorityPrivilege	1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe
Token: SeIncBasePriorityPrivilege	4796	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe
Token: SeIncBasePriorityPrivilege	5044	{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4828	392	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe	84
PID 392 wrote to memory of 4828	392	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe	84
PID 392 wrote to memory of 4828	392	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe	84
PID 392 wrote to memory of 3712	392	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe	85
PID 392 wrote to memory of 3712	392	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe	85
PID 392 wrote to memory of 3712	392	2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe	85
PID 4828 wrote to memory of 2036	4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe	86
PID 4828 wrote to memory of 2036	4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe	86
PID 4828 wrote to memory of 2036	4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe	86
PID 4828 wrote to memory of 4728	4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe	87
PID 4828 wrote to memory of 4728	4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe	87
PID 4828 wrote to memory of 4728	4828	{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe	87
PID 2036 wrote to memory of 4128	2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe	88
PID 2036 wrote to memory of 4128	2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe	88
PID 2036 wrote to memory of 4128	2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe	88
PID 2036 wrote to memory of 3360	2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe	89
PID 2036 wrote to memory of 3360	2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe	89
PID 2036 wrote to memory of 3360	2036	{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe	89
PID 4128 wrote to memory of 1860	4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe	90
PID 4128 wrote to memory of 1860	4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe	90
PID 4128 wrote to memory of 1860	4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe	90
PID 4128 wrote to memory of 1776	4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe	91
PID 4128 wrote to memory of 1776	4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe	91
PID 4128 wrote to memory of 1776	4128	{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe	91
PID 1860 wrote to memory of 2672	1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe	92
PID 1860 wrote to memory of 2672	1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe	92
PID 1860 wrote to memory of 2672	1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe	92
PID 1860 wrote to memory of 3784	1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe	93
PID 1860 wrote to memory of 3784	1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe	93
PID 1860 wrote to memory of 3784	1860	{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe	93
PID 2672 wrote to memory of 1280	2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe	94
PID 2672 wrote to memory of 1280	2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe	94
PID 2672 wrote to memory of 1280	2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe	94
PID 2672 wrote to memory of 1144	2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe	95
PID 2672 wrote to memory of 1144	2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe	95
PID 2672 wrote to memory of 1144	2672	{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe	95
PID 1280 wrote to memory of 1532	1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe	96
PID 1280 wrote to memory of 1532	1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe	96
PID 1280 wrote to memory of 1532	1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe	96
PID 1280 wrote to memory of 1960	1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe	97
PID 1280 wrote to memory of 1960	1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe	97
PID 1280 wrote to memory of 1960	1280	{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe	97
PID 1532 wrote to memory of 824	1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe	98
PID 1532 wrote to memory of 824	1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe	98
PID 1532 wrote to memory of 824	1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe	98
PID 1532 wrote to memory of 1480	1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe	99
PID 1532 wrote to memory of 1480	1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe	99
PID 1532 wrote to memory of 1480	1532	{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe	99
PID 824 wrote to memory of 1872	824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe	100
PID 824 wrote to memory of 1872	824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe	100
PID 824 wrote to memory of 1872	824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe	100
PID 824 wrote to memory of 2076	824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe	101
PID 824 wrote to memory of 2076	824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe	101
PID 824 wrote to memory of 2076	824	{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe	101
PID 1872 wrote to memory of 4796	1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe	102
PID 1872 wrote to memory of 4796	1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe	102
PID 1872 wrote to memory of 4796	1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe	102
PID 1872 wrote to memory of 4112	1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe	103
PID 1872 wrote to memory of 4112	1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe	103
PID 1872 wrote to memory of 4112	1872	{EC960809-8D75-4595-882B-DB076CE052CC}.exe	103
PID 4796 wrote to memory of 5044	4796	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe	104
PID 4796 wrote to memory of 5044	4796	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe	104
PID 4796 wrote to memory of 5044	4796	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe	104
PID 4796 wrote to memory of 2196	4796	{1C388800-E999-4d4e-9110-51A4474D4E39}.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_884e7d7120686ecbd603bf0058a43cfc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe
  C:\Windows\{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe
    C:\Windows\{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe
      C:\Windows\{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe
        
        C:\Windows\{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe
        
        C:\Windows\{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe
        
        C:\Windows\{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe
        
        C:\Windows\{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe
        
        C:\Windows\{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\{EC960809-8D75-4595-882B-DB076CE052CC}.exe
        
        C:\Windows\{EC960809-8D75-4595-882B-DB076CE052CC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\{1C388800-E999-4d4e-9110-51A4474D4E39}.exe
        
        C:\Windows\{1C388800-E999-4d4e-9110-51A4474D4E39}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe
        
        C:\Windows\{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}.exe
        
        C:\Windows\{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}.exe
        13⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFDC1~1.EXE > nul
        13⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C388~1.EXE > nul
        12⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC960~1.EXE > nul
        11⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77A8C~1.EXE > nul
        10⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79DB0~1.EXE > nul
        9⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E4DD~1.EXE > nul
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D213B~1.EXE > nul
        7⤵
        
        PID:1144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{297AF~1.EXE > nul
        6⤵
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F78D2~1.EXE > nul
        5⤵
        
        PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9C7A6~1.EXE > nul
      4⤵
      PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1F31~1.EXE > nul
    3⤵
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E4DD7CC-76D0-470d-8582-2FBBC98D3637}.exe

Filesize
408KB

MD5
c645a3e2f38c0fb9a05883e956a49039

SHA1
e7694d882ffe10724e378952770ed33945435f35

SHA256
45ba82c5563ea5e8770e52d1d05efc2d26a4e15628293ff8c3472b9058250678

SHA512
6da783086d047d43c954542aacf88340ff22388982d132a838b23a74c4b773ac73e82ca31be3a079480863b67b99497993c6a797f5d36a2a4168ab424348c82c

Download Submit
C:\Windows\{15F2F9C5-7C85-468c-9C51-A2DD87519CF5}.exe

Filesize
408KB

MD5
dfc98fb0d552e859777939e4213e49e9

SHA1
a10da78ed2f50447f762339c03a4f31399c71eb4

SHA256
d410512326e6e15dfa674d5cf1ca2729e53d1b858fa148d531af4b98e5801216

SHA512
955481cde25000e03d1e8f4096d7cdf2023e344ab1ca96c2e9857f0bcf26410bbee3f847e9ff402bbb5b1a16d920c5a2c967a08a651e3af9166a9d985fc5e281

Download Submit
C:\Windows\{1C388800-E999-4d4e-9110-51A4474D4E39}.exe

Filesize
408KB

MD5
9ed84b55c3881bf102ef28848dec9d9b

SHA1
484fddb0fc2bda533e5f666e3a9c59655f0d9cdd

SHA256
2b9a7101e220377c512172edce27f2d2d76ad12410a997dfa0f5f5aa4ccd591f

SHA512
ccf0944f10ae38c9208ffad52094979e5a2fd971ff11fa68382a556aa6842113d45ef89db32e456f878a0915743e08990d6e03bf6f03a5bf7dab67df06d5a6ee

Download Submit
C:\Windows\{297AFECC-4476-4048-AEAC-AD875CE857B6}.exe

Filesize
408KB

MD5
5eaa5db90f3f0671dd40de0d008bdaed

SHA1
c581d326a387d139033ea1d0735df577e15aeaaa

SHA256
cf5c368c3855a7bccbc5af0f2694dc7e84305136f061375194ca7e9fdc61c34d

SHA512
ec3238f375144784b8fdea03fcc0ca0586f939131fc62b1634c868a1b4a7d81e27a3f4289f1a928daeac01ca0c11276075b37839bbbcfb02501ab32cf186d84a

Download Submit
C:\Windows\{77A8C30F-AFBB-41f0-98AA-116448431E1E}.exe

Filesize
408KB

MD5
5db57b905b5a266812ce01bc3d381f55

SHA1
7610a494291f1a15c0bbe87ccfead468af7b098e

SHA256
3d05cc842b39e88ed717944b415c4cf7acd729b582ef5a2cf7ccb542cb2b463f

SHA512
7721fe27214dac7e51fba6647337ea4d06e75b61d64c1d74208650358f8d8c194f513d499ce815117a0d1563c5ed6d385e664edac785fd6715c2318741370d02

Download Submit
C:\Windows\{79DB052E-53ED-4174-8DD7-7147832DCAD0}.exe

Filesize
408KB

MD5
4f5016c8ff9d9fc0bdfd25201fdb4436

SHA1
87f71cae06019099b2bd6cef144600a47e364669

SHA256
b63edd803f534406705a73baa1a1a36d84f3a964caef67a45917d544d59ba41f

SHA512
6e74245ec308dc00f3380179ab320d77c097496322d098720cd32ad67bc54003ec945118599a0712e7743fd3470e6032e223338ba0b571eb1bf1780661ad67d4

Download Submit
C:\Windows\{9C7A60AE-CFBD-49c9-BF33-A357F7D94FFA}.exe

Filesize
408KB

MD5
a549dea79e582291d04cde406798eb21

SHA1
1565b53f947a651d034cea2fa4d849ba16dec623

SHA256
02cac85fbefd6831097847f174b6dbf6dbc9a4522651bf6333deec192c93a219

SHA512
9cada9837833df13500036a742904ba2bbf0a896b759a409902c123eb682fb76dc57f95f6960ef83500dd0436eb1b8472db2bd7ef0273a26a669b591c15160c9

Download Submit
C:\Windows\{D1F317F2-C518-4ec0-94BD-5DA9E78731EB}.exe

Filesize
408KB

MD5
62183984e0d10f91aafeede9a5233b49

SHA1
5156d5bf040896e03b02e1cfaa5fdcf89cf31efa

SHA256
8f1938fee5323c67c4e30e8538f383fdfcfc8ce1692ab434bac3fa99401cef51

SHA512
0aea4e8f08bd3cc055943a4a9c913343533a66892f7df89de46ca43a4f706cf1862a11c5aaba5d6e7993611ba9c13e402e885b989845b6391442cface19378c7

Download Submit
C:\Windows\{D213B02E-37F4-4a1c-B47F-707656F985AB}.exe

Filesize
408KB

MD5
2f71b26997bb2dd1d96255177b31ec78

SHA1
3ecd9e25746d043bae05158ed6a5dbf397b2341e

SHA256
3c804552b9bcc31cf78fd5a29687ad8048905a727ded373348ae53e45e139bc0

SHA512
85a4f4b5f83dcb7c87b8dbd532de3c31ce8dd72bff61865ad35799351d454c8a59cb4a9b03bb30657c166b7070883fd918dadca7d2b7cd09ee85d4cc965a14a2

Download Submit
C:\Windows\{EC960809-8D75-4595-882B-DB076CE052CC}.exe

Filesize
408KB

MD5
af35e8c0dcf783a2b3af3358ad6d96af

SHA1
29abd3bbdabee498b8b5fe92c4e7442c150b49cc

SHA256
fd549dfc26e1ef9282c5cf5411be67eb08dd1586a17e7b84a035e9ce85232346

SHA512
4f5a78f44305341015be3170ec331c7e1953e83e51e37d1a68b95c6dffd213295c42027a0068a838edeed3c4b6e062d2a8e8e98e7c77d8f5c729fdfdf8e49687

Download Submit
C:\Windows\{EFDC1E19-D99E-4db0-96B3-A77D00B0D04A}.exe

Filesize
408KB

MD5
53c0f96bee862e67f454096337966bb6

SHA1
b70cd574e5491de301ac24ac609b8ee00aa437f2

SHA256
b80443717cb1a7731db462fbde86734d321dcce16ed7ef0a365ace3a1a5cd851

SHA512
8b40c61ba133b53c1621fb62b0cc350955c435d995a7217c66267571254856ed52614e2830c3781ecd1faf204b35fb5b2ab80caa9300e2959e9188944bc78739

Download Submit
C:\Windows\{F78D22B3-FE0F-4fdb-BA28-8AC6257CA161}.exe

Filesize
408KB

MD5
fcee71f8d4d02d18c087f2e980f19ac9

SHA1
82dfc3f004cba355d8637d43f860889daeeda644

SHA256
bf242ef6052173b237452c64ebb8b3dfb9338e50a2170ad74d68232d0de6e790

SHA512
0b9ef0963c0bec1452c34b87d093c88f25b97c3c1e5b375b83739ea519ae1add5de4d36ac7b90eefcb01af7fd9aa762b31d434655c696140813bbc1660088dec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads