a49ed79fc4e17fba40c27b5b540dc87fa4f63cab8590672e9ffabb659582dfda

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 00:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe
Size

372KB
MD5

b2f403a833bdb8af1d60927780b0430a
SHA1

5a054ffd18ffaf70691783baab645a443091ad1a
SHA256

a49ed79fc4e17fba40c27b5b540dc87fa4f63cab8590672e9ffabb659582dfda
SHA512

fc919fad06a7fda906b45921dd3142ceacd4eed0a5ef0b436e9702d4c0a391394bdec370a2ef76302574c7786a0aa44fde3638699079b92dec20820d8f8472f1
SSDEEP

3072:CEGh0oNlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGzlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233fb-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233eb-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023403-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e752-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023403-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e752-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023403-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e752-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023403-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e752-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023400-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e752-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1850F9BE-F929-46fe-86E6-E1CAC60C7315}	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}\stubpath = "C:\\Windows\\{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe"	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890A389D-8E6F-4796-A288-D25079888F66}	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1246AAB-BA28-4dd1-B37F-18A5517EB937}	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1246AAB-BA28-4dd1-B37F-18A5517EB937}\stubpath = "C:\\Windows\\{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe"	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1850F9BE-F929-46fe-86E6-E1CAC60C7315}\stubpath = "C:\\Windows\\{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe"	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}\stubpath = "C:\\Windows\\{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe"	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA6B894-F40B-4bd3-9644-D551373AE71D}	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA6B894-F40B-4bd3-9644-D551373AE71D}\stubpath = "C:\\Windows\\{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe"	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}	{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}\stubpath = "C:\\Windows\\{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}.exe"	{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFC54122-123D-46ae-9A3B-8D2B98B987E0}	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890A389D-8E6F-4796-A288-D25079888F66}\stubpath = "C:\\Windows\\{890A389D-8E6F-4796-A288-D25079888F66}.exe"	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D77B2F-CF26-44f5-8653-0B97A9506F70}\stubpath = "C:\\Windows\\{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe"	{890A389D-8E6F-4796-A288-D25079888F66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7166F6EE-F7B3-47b0-B072-80640F97DB92}\stubpath = "C:\\Windows\\{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe"	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D77B2F-CF26-44f5-8653-0B97A9506F70}	{890A389D-8E6F-4796-A288-D25079888F66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7166F6EE-F7B3-47b0-B072-80640F97DB92}	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E444422-60D1-4526-8AEA-3C15B4FC68D8}	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E444422-60D1-4526-8AEA-3C15B4FC68D8}\stubpath = "C:\\Windows\\{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe"	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFC54122-123D-46ae-9A3B-8D2B98B987E0}\stubpath = "C:\\Windows\\{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe"	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D3FAC71-4E05-4394-BC25-A35135B137D9}	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D3FAC71-4E05-4394-BC25-A35135B137D9}\stubpath = "C:\\Windows\\{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe"	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe
2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe
1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe
4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe
4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe
3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe
2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe
1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe
3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe
1748	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe
1340	{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe
2260	{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe
File created	C:\Windows\{890A389D-8E6F-4796-A288-D25079888F66}.exe	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe
File created	C:\Windows\{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe
File created	C:\Windows\{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}.exe	{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe
File created	C:\Windows\{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe
File created	C:\Windows\{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe
File created	C:\Windows\{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe
File created	C:\Windows\{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe
File created	C:\Windows\{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe	{890A389D-8E6F-4796-A288-D25079888F66}.exe
File created	C:\Windows\{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe
File created	C:\Windows\{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe
File created	C:\Windows\{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4076	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe
Token: SeIncBasePriorityPrivilege	2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe
Token: SeIncBasePriorityPrivilege	1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe
Token: SeIncBasePriorityPrivilege	4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe
Token: SeIncBasePriorityPrivilege	4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe
Token: SeIncBasePriorityPrivilege	3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe
Token: SeIncBasePriorityPrivilege	2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe
Token: SeIncBasePriorityPrivilege	1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe
Token: SeIncBasePriorityPrivilege	3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe
Token: SeIncBasePriorityPrivilege	1748	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe
Token: SeIncBasePriorityPrivilege	1340	{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 4912	4076	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe	88
PID 4076 wrote to memory of 4912	4076	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe	88
PID 4076 wrote to memory of 4912	4076	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe	88
PID 4076 wrote to memory of 788	4076	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe	89
PID 4076 wrote to memory of 788	4076	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe	89
PID 4076 wrote to memory of 788	4076	2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe	89
PID 4912 wrote to memory of 2884	4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe	90
PID 4912 wrote to memory of 2884	4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe	90
PID 4912 wrote to memory of 2884	4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe	90
PID 4912 wrote to memory of 1204	4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe	91
PID 4912 wrote to memory of 1204	4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe	91
PID 4912 wrote to memory of 1204	4912	{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe	91
PID 2884 wrote to memory of 1836	2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe	94
PID 2884 wrote to memory of 1836	2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe	94
PID 2884 wrote to memory of 1836	2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe	94
PID 2884 wrote to memory of 3576	2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe	95
PID 2884 wrote to memory of 3576	2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe	95
PID 2884 wrote to memory of 3576	2884	{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe	95
PID 1836 wrote to memory of 4816	1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe	97
PID 1836 wrote to memory of 4816	1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe	97
PID 1836 wrote to memory of 4816	1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe	97
PID 1836 wrote to memory of 5080	1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe	98
PID 1836 wrote to memory of 5080	1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe	98
PID 1836 wrote to memory of 5080	1836	{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe	98
PID 4816 wrote to memory of 4532	4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe	99
PID 4816 wrote to memory of 4532	4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe	99
PID 4816 wrote to memory of 4532	4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe	99
PID 4816 wrote to memory of 2300	4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe	100
PID 4816 wrote to memory of 2300	4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe	100
PID 4816 wrote to memory of 2300	4816	{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe	100
PID 4532 wrote to memory of 3460	4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe	101
PID 4532 wrote to memory of 3460	4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe	101
PID 4532 wrote to memory of 3460	4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe	101
PID 4532 wrote to memory of 4720	4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe	102
PID 4532 wrote to memory of 4720	4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe	102
PID 4532 wrote to memory of 4720	4532	{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe	102
PID 3460 wrote to memory of 2212	3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe	103
PID 3460 wrote to memory of 2212	3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe	103
PID 3460 wrote to memory of 2212	3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe	103
PID 3460 wrote to memory of 3536	3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe	104
PID 3460 wrote to memory of 3536	3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe	104
PID 3460 wrote to memory of 3536	3460	{890A389D-8E6F-4796-A288-D25079888F66}.exe	104
PID 2212 wrote to memory of 1600	2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe	105
PID 2212 wrote to memory of 1600	2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe	105
PID 2212 wrote to memory of 1600	2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe	105
PID 2212 wrote to memory of 1252	2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe	106
PID 2212 wrote to memory of 1252	2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe	106
PID 2212 wrote to memory of 1252	2212	{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe	106
PID 1600 wrote to memory of 3508	1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe	107
PID 1600 wrote to memory of 3508	1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe	107
PID 1600 wrote to memory of 3508	1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe	107
PID 1600 wrote to memory of 4484	1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe	108
PID 1600 wrote to memory of 4484	1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe	108
PID 1600 wrote to memory of 4484	1600	{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe	108
PID 3508 wrote to memory of 1748	3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe	109
PID 3508 wrote to memory of 1748	3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe	109
PID 3508 wrote to memory of 1748	3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe	109
PID 3508 wrote to memory of 2560	3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe	110
PID 3508 wrote to memory of 2560	3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe	110
PID 3508 wrote to memory of 2560	3508	{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe	110
PID 1748 wrote to memory of 1340	1748	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe	111
PID 1748 wrote to memory of 1340	1748	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe	111
PID 1748 wrote to memory of 1340	1748	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe	111
PID 1748 wrote to memory of 4348	1748	{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe
  C:\Windows\{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe
    C:\Windows\{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe
      C:\Windows\{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe
        
        C:\Windows\{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe
        
        C:\Windows\{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{890A389D-8E6F-4796-A288-D25079888F66}.exe
        
        C:\Windows\{890A389D-8E6F-4796-A288-D25079888F66}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe
        
        C:\Windows\{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe
        
        C:\Windows\{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe
        
        C:\Windows\{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe
        
        C:\Windows\{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe
        
        C:\Windows\{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}.exe
        
        C:\Windows\{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA6B~1.EXE > nul
        13⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7166F~1.EXE > nul
        12⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1246~1.EXE > nul
        11⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A1F4~1.EXE > nul
        10⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37D77~1.EXE > nul
        9⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{890A3~1.EXE > nul
        8⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D3FA~1.EXE > nul
        7⤵
        
        PID:4720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCA44~1.EXE > nul
        6⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC54~1.EXE > nul
        5⤵
        
        PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1850F~1.EXE > nul
      4⤵
      PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E444~1.EXE > nul
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1850F9BE-F929-46fe-86E6-E1CAC60C7315}.exe

Filesize
372KB

MD5
25a355ecfb7c031d2d5936b2ba7af4dc

SHA1
041b77a17b15edeb4f0f02cfad0703181c704708

SHA256
5c0be5857ebc9aafac109939144b3009c074aa46a65d6086d0fd750ff3edcb4d

SHA512
13a3cb8303e6b6eaa584adb850a419fabe32a4e38188e1b7b180cd95812df53cc722bb4a8b1006012358f100e45972b92a21631b9c0da8923ef30b34dcc9c3ee

Download Submit
C:\Windows\{1EA6B894-F40B-4bd3-9644-D551373AE71D}.exe

Filesize
372KB

MD5
a55b2d595cbbd6671083002b1cd370d7

SHA1
746e53e9f2a7801b35f70e170dd289c51df9bb17

SHA256
25055130a8457044d6f700854ca1a9e37f184c0fa41858c79bda927293e8045f

SHA512
b2c22b3512320eb3b6222e08426857404bfce3cf0b573696e8d3ad18473578c5649c3fa6e16a3754a0ba03f8b37af88e0a4edbe59dbc9829c4be9cedd064fc1b

Download Submit
C:\Windows\{37D77B2F-CF26-44f5-8653-0B97A9506F70}.exe

Filesize
372KB

MD5
b1cf31b93d718c6e7ff02901756809f3

SHA1
e69726a8cac20562040cde12eadc0afca24de23e

SHA256
5d4611b888f2aa6cb808a711a10cb8c2d51e9fe24d5f405e39025db161b83640

SHA512
912639bbc54fcb2b7b279d59c19c081b25e6f1a369e2c6ee2baf0ad7a054830c6b3a17561247a65cb0f26283782fc372030d897e31170147d1f97f7f41d2fca5

Download Submit
C:\Windows\{3D3FAC71-4E05-4394-BC25-A35135B137D9}.exe

Filesize
372KB

MD5
673be0af08ce0866be43d69649ed7269

SHA1
5c9165b93810347cfb02765214b8893a30fb2e4d

SHA256
44c06277a9e7860fb3403b92c19578c57805ddc6110f91b058fb6f105e1b5d0b

SHA512
cc2aa70d354b4e602fde040c991f8b97da5139d554719715020d263900e5e4509b04f9cdcbe43be170cdada624559e4b4dc4504f65e0dd487614e657214a214c

Download Submit
C:\Windows\{5F31DB19-63AC-4492-A9F2-B24B3D72F7B2}.exe

Filesize
372KB

MD5
14d881e189ccc8aadf07e0b52c6aa75f

SHA1
19f3dac8b9df271f5c89d68a5de5d9ea8904387a

SHA256
5c90d0fdcd6720ba5cf0ad998d9cf0856867408fb59a8d47dc7217112cc2d2a2

SHA512
2faa7138080ef413e0b59eeef3575ff0c7ce56b384c835b7c1d518ca4b36a0a51199b9fe875c899b7dc9efa20648bb5e4469fdd3464c20ba1c5e333e8cc582a6

Download Submit
C:\Windows\{7166F6EE-F7B3-47b0-B072-80640F97DB92}.exe

Filesize
372KB

MD5
7ab98c8b14145efd7b64e6cb42841d02

SHA1
c1f4a957346bff5977d5be11e5ad8f1c541bb831

SHA256
4b1de12bbee53b0c6412a39809ba319701cf918363ee3d74e2796951ca474699

SHA512
3a5c1370de4a491d750df83b28bfee1db1b1b5d7a4a54659dc4b900c9c1f087937f9d31ca6191ced9ab9b06e7e399261450502fce5f9f5f2cab8978e874f5619

Download Submit
C:\Windows\{7A1F4C54-2B54-480a-81E4-A8CE6CBDC171}.exe

Filesize
372KB

MD5
6aefcccc8cadfaa9315cd1cc9f42df53

SHA1
1b29a00dd7b72abb8e4f4cc4a98d5f68cbccb39d

SHA256
35df4bbe3d2a99e2b23bafc05f19eb280e3df920d80ad5d12c7dc9fffb23d604

SHA512
7fbba290f01263356a3574c04e6e0a89ca526fbdcdacade1e0722ae97c0a622705e7dbb2d6941b72a5ed737a3b7ca6fb531ea15a6eb5c3cf89a1b4d0a0cb57b8

Download Submit
C:\Windows\{890A389D-8E6F-4796-A288-D25079888F66}.exe

Filesize
372KB

MD5
a8d857a0b22378852fc400c21de465ad

SHA1
bdc187a9e7078417dbcd1726a6a8ae36e60bb934

SHA256
46006a3873770b57902b474ce0ec353563e651c75633a26baad8510f80fb5953

SHA512
638e11f65155cdc1ed25946b0373edb36038d9a74811ba49daed84a25739fe40e526d278f68107cbd77ca440e9d3e4b356599a23c89527518f94f02ae19f68c5

Download Submit
C:\Windows\{9E444422-60D1-4526-8AEA-3C15B4FC68D8}.exe

Filesize
372KB

MD5
3d948c0bb8a0f6778f20a3f7f2cbfad9

SHA1
81483f3a43dc07fcc2ca953d3b8a77a1c287beb9

SHA256
b5db1461037b279e6c7547b36ff597b9b20f2db872de2c66859ff32f876a1296

SHA512
70b0358d5a4086463975fa51e536037c04e336c37c773196e20bebe4e36e873b31705dffa7b546a2ee4fbdd50957942445cb80c7eb76b0b9e3fc0c91819459a1

Download Submit
C:\Windows\{CFC54122-123D-46ae-9A3B-8D2B98B987E0}.exe

Filesize
372KB

MD5
9627fbd5b047b1d00982b886376f3a10

SHA1
1e8fdf102634ca4a80198eea25fa658b674e5f54

SHA256
b7b2032969f33f736f6dd26cb25d8d2d387beccf0dcfac857c7c8361d1f44639

SHA512
86410fdd8552491a2ed9c29796f3597c384a5cdda4da492bd098f6e803e175b0d933e51685d60718eb30a16851b97bad087329e42497a99b015218dd53c8047d

Download Submit
C:\Windows\{D1246AAB-BA28-4dd1-B37F-18A5517EB937}.exe

Filesize
372KB

MD5
698ec8d88bfa8ed4d9e62ed02d569462

SHA1
66edbd63f8f6bb32d232fec46b7558c4e779c324

SHA256
217ce30602c0ddbdb1f03c8d4aab149e3fda23da0edd74c894110889e076843e

SHA512
ab459b913f1e5515184a6df7142578375e2a9025b20b1387ff9ed8d412a83944ee1c80b0aeb7e7cf9dee9589abe20a0099ad1fb9987734110ae10638cac20478

Download Submit
C:\Windows\{DCA4498C-E169-46ae-9098-D8F0F16B4F7C}.exe

Filesize
372KB

MD5
c5e7e7c7b8c615a591dbff796522e920

SHA1
b6d0eb6c2b6efe665e12d39a27f9c05c5b123f3b

SHA256
400a51caeda29f36f268f0f0ea37379b7d0702cd9d374fbbd4dd05043ed91b8b

SHA512
4d7fc7a0cee0f3118947c2633040d5c1c5b0dbbea4d9616a609bb8bdf00ce8b867d3e1becbde06e29ee1a12b1368e3e763671d26cff94b0867d2f8f5dc2491c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads