aeb2415ed40f66403ba78f3494acbf4d359d14fea1b0113c680d00b94839de28

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Size

372KB
MD5

03571f00c7c703f977a75c7e950f9950
SHA1

5dfa5d40499305be9b68c59bc86517b98b2e593f
SHA256

aeb2415ed40f66403ba78f3494acbf4d359d14fea1b0113c680d00b94839de28
SHA512

a179b1d3b7aae99b4c74fdb099143b8fd90d4c94b849bf95004aaff3af422fbd6facfbb5f90d853cc58e36226a875f5b2c00f74b47d6f03e5657ddacf0841ebb
SSDEEP

3072:CEGh0oelMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGMlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023439-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023435-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233ac-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023435-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233ac-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023435-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233ac-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023435-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000233ac-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023435-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000233ac-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023435-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5643482B-A2C5-44d3-8631-9D4EFD54FF62}\stubpath = "C:\\Windows\\{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe"	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B78EA61A-2841-4371-AD89-4CD249D472D0}\stubpath = "C:\\Windows\\{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe"	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF797B2-203C-4f31-9397-79B1A40995C8}\stubpath = "C:\\Windows\\{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe"	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1873C2F7-8461-47d1-9CBD-DD8138618663}	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B78EA61A-2841-4371-AD89-4CD249D472D0}	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{916A9FE0-3000-4720-B7C8-7467F0488241}\stubpath = "C:\\Windows\\{916A9FE0-3000-4720-B7C8-7467F0488241}.exe"	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5643482B-A2C5-44d3-8631-9D4EFD54FF62}	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72347306-AA33-4f63-954A-B41B30C53DC4}	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F89B3BA-D6A9-479a-9970-DA2D949795CF}\stubpath = "C:\\Windows\\{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe"	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2181EFD6-A81A-463d-B714-396E4BDAD04A}\stubpath = "C:\\Windows\\{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe"	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1873C2F7-8461-47d1-9CBD-DD8138618663}\stubpath = "C:\\Windows\\{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe"	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}\stubpath = "C:\\Windows\\{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe"	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A86EB27E-E022-45a5-BF79-3A550FF5714D}	{72347306-AA33-4f63-954A-B41B30C53DC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A86EB27E-E022-45a5-BF79-3A550FF5714D}\stubpath = "C:\\Windows\\{A86EB27E-E022-45a5-BF79-3A550FF5714D}.exe"	{72347306-AA33-4f63-954A-B41B30C53DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71B85EB4-C9EB-4b80-8510-C36A341430F7}	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F89B3BA-D6A9-479a-9970-DA2D949795CF}	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2181EFD6-A81A-463d-B714-396E4BDAD04A}	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF797B2-203C-4f31-9397-79B1A40995C8}	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{916A9FE0-3000-4720-B7C8-7467F0488241}	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72347306-AA33-4f63-954A-B41B30C53DC4}\stubpath = "C:\\Windows\\{72347306-AA33-4f63-954A-B41B30C53DC4}.exe"	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71B85EB4-C9EB-4b80-8510-C36A341430F7}\stubpath = "C:\\Windows\\{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe"	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}\stubpath = "C:\\Windows\\{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe"	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe

Executes dropped EXE 12 IoCs

pid	Process
1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe
1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe
1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe
2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe
2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe
2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe
3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe
4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe
1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe
4956	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe
4924	{72347306-AA33-4f63-954A-B41B30C53DC4}.exe
1668	{A86EB27E-E022-45a5-BF79-3A550FF5714D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
File created	C:\Windows\{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe
File created	C:\Windows\{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe
File created	C:\Windows\{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe
File created	C:\Windows\{72347306-AA33-4f63-954A-B41B30C53DC4}.exe	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe
File created	C:\Windows\{916A9FE0-3000-4720-B7C8-7467F0488241}.exe	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe
File created	C:\Windows\{A86EB27E-E022-45a5-BF79-3A550FF5714D}.exe	{72347306-AA33-4f63-954A-B41B30C53DC4}.exe
File created	C:\Windows\{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe
File created	C:\Windows\{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe
File created	C:\Windows\{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe
File created	C:\Windows\{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe
File created	C:\Windows\{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3664	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe
Token: SeIncBasePriorityPrivilege	1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe
Token: SeIncBasePriorityPrivilege	1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe
Token: SeIncBasePriorityPrivilege	2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe
Token: SeIncBasePriorityPrivilege	2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe
Token: SeIncBasePriorityPrivilege	2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe
Token: SeIncBasePriorityPrivilege	3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe
Token: SeIncBasePriorityPrivilege	4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe
Token: SeIncBasePriorityPrivilege	1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe
Token: SeIncBasePriorityPrivilege	4956	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe
Token: SeIncBasePriorityPrivilege	4924	{72347306-AA33-4f63-954A-B41B30C53DC4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 1364	3664	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	89
PID 3664 wrote to memory of 1364	3664	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	89
PID 3664 wrote to memory of 1364	3664	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	89
PID 3664 wrote to memory of 5116	3664	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	90
PID 3664 wrote to memory of 5116	3664	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	90
PID 3664 wrote to memory of 5116	3664	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	90
PID 1364 wrote to memory of 1828	1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe	91
PID 1364 wrote to memory of 1828	1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe	91
PID 1364 wrote to memory of 1828	1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe	91
PID 1364 wrote to memory of 2556	1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe	92
PID 1364 wrote to memory of 2556	1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe	92
PID 1364 wrote to memory of 2556	1364	{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe	92
PID 1828 wrote to memory of 1204	1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe	96
PID 1828 wrote to memory of 1204	1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe	96
PID 1828 wrote to memory of 1204	1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe	96
PID 1828 wrote to memory of 1176	1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe	97
PID 1828 wrote to memory of 1176	1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe	97
PID 1828 wrote to memory of 1176	1828	{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe	97
PID 1204 wrote to memory of 2824	1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe	98
PID 1204 wrote to memory of 2824	1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe	98
PID 1204 wrote to memory of 2824	1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe	98
PID 1204 wrote to memory of 4744	1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe	99
PID 1204 wrote to memory of 4744	1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe	99
PID 1204 wrote to memory of 4744	1204	{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe	99
PID 2824 wrote to memory of 2248	2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe	100
PID 2824 wrote to memory of 2248	2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe	100
PID 2824 wrote to memory of 2248	2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe	100
PID 2824 wrote to memory of 3972	2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe	101
PID 2824 wrote to memory of 3972	2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe	101
PID 2824 wrote to memory of 3972	2824	{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe	101
PID 2248 wrote to memory of 2540	2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe	102
PID 2248 wrote to memory of 2540	2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe	102
PID 2248 wrote to memory of 2540	2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe	102
PID 2248 wrote to memory of 4860	2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe	103
PID 2248 wrote to memory of 4860	2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe	103
PID 2248 wrote to memory of 4860	2248	{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe	103
PID 2540 wrote to memory of 3960	2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe	104
PID 2540 wrote to memory of 3960	2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe	104
PID 2540 wrote to memory of 3960	2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe	104
PID 2540 wrote to memory of 5044	2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe	105
PID 2540 wrote to memory of 5044	2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe	105
PID 2540 wrote to memory of 5044	2540	{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe	105
PID 3960 wrote to memory of 4284	3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe	106
PID 3960 wrote to memory of 4284	3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe	106
PID 3960 wrote to memory of 4284	3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe	106
PID 3960 wrote to memory of 3576	3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe	107
PID 3960 wrote to memory of 3576	3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe	107
PID 3960 wrote to memory of 3576	3960	{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe	107
PID 4284 wrote to memory of 1424	4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe	108
PID 4284 wrote to memory of 1424	4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe	108
PID 4284 wrote to memory of 1424	4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe	108
PID 4284 wrote to memory of 4600	4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe	109
PID 4284 wrote to memory of 4600	4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe	109
PID 4284 wrote to memory of 4600	4284	{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe	109
PID 1424 wrote to memory of 4956	1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe	110
PID 1424 wrote to memory of 4956	1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe	110
PID 1424 wrote to memory of 4956	1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe	110
PID 1424 wrote to memory of 2760	1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe	111
PID 1424 wrote to memory of 2760	1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe	111
PID 1424 wrote to memory of 2760	1424	{916A9FE0-3000-4720-B7C8-7467F0488241}.exe	111
PID 4956 wrote to memory of 4924	4956	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe	112
PID 4956 wrote to memory of 4924	4956	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe	112
PID 4956 wrote to memory of 4924	4956	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe	112
PID 4956 wrote to memory of 4960	4956	{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe
  C:\Windows\{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe
    C:\Windows\{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe
      C:\Windows\{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe
        
        C:\Windows\{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe
        
        C:\Windows\{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe
        
        C:\Windows\{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe
        
        C:\Windows\{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe
        
        C:\Windows\{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{916A9FE0-3000-4720-B7C8-7467F0488241}.exe
        
        C:\Windows\{916A9FE0-3000-4720-B7C8-7467F0488241}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe
        
        C:\Windows\{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{72347306-AA33-4f63-954A-B41B30C53DC4}.exe
        
        C:\Windows\{72347306-AA33-4f63-954A-B41B30C53DC4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\{A86EB27E-E022-45a5-BF79-3A550FF5714D}.exe
        
        C:\Windows\{A86EB27E-E022-45a5-BF79-3A550FF5714D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72347~1.EXE > nul
        13⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56434~1.EXE > nul
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{916A9~1.EXE > nul
        11⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD21~1.EXE > nul
        10⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B78EA~1.EXE > nul
        9⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1873C~1.EXE > nul
        8⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF79~1.EXE > nul
        7⤵
        
        PID:4860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2181E~1.EXE > nul
        6⤵
        
        PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0EE0~1.EXE > nul
        5⤵
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F89B~1.EXE > nul
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71B85~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1873C2F7-8461-47d1-9CBD-DD8138618663}.exe

Filesize
372KB

MD5
4f73b35d9b30d03f7063f3396dc03052

SHA1
2de4d1c729aa3df51fb82822650b7845919d26c4

SHA256
bfa4b9927dd29dbb0038c3f303fbafd0dc89c7006feeee829bb685d096a82202

SHA512
bc973c0738fea724ae8b22159ec8a23e4e5df9faad48a838d194dd7ab50724d946e87bb00e86a835a3ec04ab230a0b6a749d0e7b11d4ad2a72249fb67d8222cc

Download Submit
C:\Windows\{2181EFD6-A81A-463d-B714-396E4BDAD04A}.exe

Filesize
372KB

MD5
d7230e03713e1a7ad2c20a00f3adaa3c

SHA1
02b84b73a6f2ae6208af22751d061fe89dc2436a

SHA256
3dbf2d57d0e444d8c1a687f8fbf48f9ad89e5582f24e253b7c7db15d3606d707

SHA512
ce3e86cc34703d6e4406cd8b778b2b411fbca43dad72e1799f991adb799494e6c1cc98b561d3712adb5ac6d7833cb1d833ec785e2de01263626c3ecba52ccb3d

Download Submit
C:\Windows\{2EF797B2-203C-4f31-9397-79B1A40995C8}.exe

Filesize
372KB

MD5
9a78886df11259c6aefef11f30825c4a

SHA1
ebe44642a0a71358ab3196675db39f7edbb198dd

SHA256
af65347f7670d24bd0dbb97faf5f8a23385287758627d6092314798dc2fce1a0

SHA512
10cb267b55a25041903853dba9d24de56055501d8a267aeb606b30a88295d0fb7ad5929395e930c77e6549238d377745451ac743b8bfb5b2c505c37f7bc871d2

Download Submit
C:\Windows\{5643482B-A2C5-44d3-8631-9D4EFD54FF62}.exe

Filesize
372KB

MD5
c744e175c64336128c575077e50b6802

SHA1
322d21c2b97875b47363813f1bea07d9fc2e806b

SHA256
d2a588ab50ca649dc46bfddb052af8ec089f8bcd99b6255d88ab784c140d116a

SHA512
23d5ea6a716af5479b9f81ab7526c62dc3b245dc59be04a8d81dbe5d67bbb1deef2d3707ef2f11c20811cceee2aa1f2e9d2a04269ce0e3ff8904d804307d71a4

Download Submit
C:\Windows\{71B85EB4-C9EB-4b80-8510-C36A341430F7}.exe

Filesize
372KB

MD5
3a2493aaf2302cc3b45b9555f35289b7

SHA1
0ed2bd2b63efd4adfe3c4c7b85e09d78cf978599

SHA256
8f45ce1db9eb0b82ec9eecadb202c2ea68a3bbd637d6550a326335e0f2cebc4c

SHA512
a53942d47c6df52f638864bf4dda3fab41f3c2b827a7623d1dd760057f0edc234e50b820a9ce07f657c4ca6486e5e524fc30fd9d07c876a70fe8c19ec38813d7

Download Submit
C:\Windows\{72347306-AA33-4f63-954A-B41B30C53DC4}.exe

Filesize
372KB

MD5
0865bb7a8de056e2f3310c1ce58edac1

SHA1
782ce378155b5425a2b850fbe50d99bde3f033ad

SHA256
f5e37c74d5365d04f3d4266878e0f2f3df098f3f55dea7c4b9134007a805341d

SHA512
0edef6e270dd5b5bf5fa897861a0ee0cbd000bfe466705885663714c14735ad420cf04c3d8df4d0e286b8b02030a9fcae3e46e74eefb3a6c1119c846def80010

Download Submit
C:\Windows\{7F89B3BA-D6A9-479a-9970-DA2D949795CF}.exe

Filesize
372KB

MD5
d2ad8de4ab4ab4c9db6340319676ca87

SHA1
8bbab61464020d98971a1c3358697a26a6e5c0b7

SHA256
24af41071851275e5123760f2f1fecf82e72db764b1dd1c5961f53c623102c2a

SHA512
75ba4fa4b47d07b32dd905acfa565f3149aa092a27b5e546cc61503e35e3d346393f4b28821739268b6959b0d8282242b0294fb084c7ed1f67f69f7bcb8c804a

Download Submit
C:\Windows\{916A9FE0-3000-4720-B7C8-7467F0488241}.exe

Filesize
372KB

MD5
1ea89bcb23e13b2dea4b17848c7eafab

SHA1
0494249055fe596f31325b9306b2c7ce9ce7b42a

SHA256
1ddf1a2efd66fed73751cb4eac7fff97383bbe01c2e6a7c330e995ff25aa5c78

SHA512
2315e7c9e112f149852c4090b64790c927ee1b9dd6aa30fe862915abc4ac6c383f02a132f1b766f3558badc6202cab91f58a33e47ead9883420e076d28a0dea7

Download Submit
C:\Windows\{9AD21511-1EB3-4e6e-BC0E-58A2630DCBB9}.exe

Filesize
372KB

MD5
6f7ce21e81b4b1141d1e08dcf0abc770

SHA1
9bb86eeedf97efb1cb911d8b26f94a481e04224a

SHA256
33c86c754c9b3418ea361ed61f64e0612b44f0feb34640f89c686706f018cb45

SHA512
9d26e1b70178e0d580f62624add16f930892f402109a8a0c4ce1c0d7d5dd0f7a82fad4306aa80f8a0be3f91cfa6d5b6d6243111e38a6e334c844a91c51378070

Download Submit
C:\Windows\{A86EB27E-E022-45a5-BF79-3A550FF5714D}.exe

Filesize
372KB

MD5
90e0edcfed3f28bf2e78e6e5522a285d

SHA1
3627ff3f845d47ac07a0661ef50e381413656205

SHA256
d58dc06506fcbad2616fbc7b1452463eb6cf57763b196c6c58975615f66e84d8

SHA512
7e98c6fe66eb8b3d6906dec64f0199b9f81f74cd6f514cb02edf959221d386d03ea3bac19140c05c000377c64589a27e2fb9f02b35705462c3828df0cd46b462

Download Submit
C:\Windows\{B0EE0A3D-6F47-4fb1-95C6-34FCEF33C8E4}.exe

Filesize
372KB

MD5
2065c21b94e1aa98be2f5a164f72a286

SHA1
666eb9283fae4b490bc934248a202ca1f6fa59ca

SHA256
18bf803f6877443183502cbee9b424000e2e56d13ae40d0ebe48abb8eda96c7f

SHA512
2148ed0f767604bc13bbca536bfdce60f1ea7712e66fa13dcab62549db51d00c75bbfd68bab3e3fb3262bacb767ec1c4b8f825fe96c6a7bee2b1441349cf58d7

Download Submit
C:\Windows\{B78EA61A-2841-4371-AD89-4CD249D472D0}.exe

Filesize
372KB

MD5
e7c59045d6237efae601f3cd283dc9ed

SHA1
91a35e036ae7003c112c7828f205d6c37954243e

SHA256
465ebf02f63e3bbe94469cd3fae8bda74f884e56fbc4df027e720478d2ba38d6

SHA512
b0fd2f92f6d72dd9e30db20465c255a2782bb4f11c797d7d74211b8a2e6f1aae9240262f125783c729cb5c323928582235b4d33ebf47bb077b85a79259aa0d36

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads