6d75a1b2f698f0b2fa8ecd0f792f08df61b909e0dba48258912ad077bdcfa8e1

Analysis

max time kernel
149s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe
Size

168KB
MD5

1a28d11e29f336a006ab5485c4bc881b
SHA1

4faa11804e0cc7604408b3d60a002960a5764fec
SHA256

6d75a1b2f698f0b2fa8ecd0f792f08df61b909e0dba48258912ad077bdcfa8e1
SHA512

382ade42f06b96a408a7e209c7aa8a7931056a1b8ad1983b83f6529c692ad5c0801817406d779b4f179f1e85e1ff642610dea8650abccb0f85b80ed4003af8d5
SSDEEP

1536:1EGh0oJli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000006d5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023404-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002334c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002334c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002334c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340c-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002334c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023408-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002334c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}	{EC70B423-430D-4e07-B887-682D29E6637F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE85261-59BB-478e-B1FA-F1883A75E722}	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEDF99D4-E53C-4181-BA74-108854C5FAE9}	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E78895-1F56-42d6-B6A7-AB41E84DA182}	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E78895-1F56-42d6-B6A7-AB41E84DA182}\stubpath = "C:\\Windows\\{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe"	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6699642-7E76-459b-A7E4-C630BBB41162}	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A2C556-92F8-4da1-A2C4-B780DEEB259F}	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43E4E491-4B70-4611-99CE-312D89585FA7}\stubpath = "C:\\Windows\\{43E4E491-4B70-4611-99CE-312D89585FA7}.exe"	{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEDF99D4-E53C-4181-BA74-108854C5FAE9}\stubpath = "C:\\Windows\\{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe"	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC70B423-430D-4e07-B887-682D29E6637F}\stubpath = "C:\\Windows\\{EC70B423-430D-4e07-B887-682D29E6637F}.exe"	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}\stubpath = "C:\\Windows\\{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe"	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE85261-59BB-478e-B1FA-F1883A75E722}\stubpath = "C:\\Windows\\{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe"	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC38B05A-FEF1-4f4c-A09B-422B064CC376}	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}\stubpath = "C:\\Windows\\{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe"	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43E4E491-4B70-4611-99CE-312D89585FA7}	{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6699642-7E76-459b-A7E4-C630BBB41162}\stubpath = "C:\\Windows\\{C6699642-7E76-459b-A7E4-C630BBB41162}.exe"	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B37C5256-589E-4a13-A283-5FEFF124E095}	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A2C556-92F8-4da1-A2C4-B780DEEB259F}\stubpath = "C:\\Windows\\{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe"	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B37C5256-589E-4a13-A283-5FEFF124E095}\stubpath = "C:\\Windows\\{B37C5256-589E-4a13-A283-5FEFF124E095}.exe"	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC70B423-430D-4e07-B887-682D29E6637F}	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}\stubpath = "C:\\Windows\\{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe"	{EC70B423-430D-4e07-B887-682D29E6637F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC38B05A-FEF1-4f4c-A09B-422B064CC376}\stubpath = "C:\\Windows\\{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe"	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe

Executes dropped EXE 12 IoCs

pid	Process
512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe
4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe
1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe
3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe
1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe
400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe
4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe
5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe
4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe
3412	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe
1460	{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe
2688	{43E4E491-4B70-4611-99CE-312D89585FA7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C6699642-7E76-459b-A7E4-C630BBB41162}.exe	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe
File created	C:\Windows\{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe
File created	C:\Windows\{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe
File created	C:\Windows\{43E4E491-4B70-4611-99CE-312D89585FA7}.exe	{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe
File created	C:\Windows\{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe	{EC70B423-430D-4e07-B887-682D29E6637F}.exe
File created	C:\Windows\{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe
File created	C:\Windows\{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe
File created	C:\Windows\{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe
File created	C:\Windows\{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe
File created	C:\Windows\{B37C5256-589E-4a13-A283-5FEFF124E095}.exe	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe
File created	C:\Windows\{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe
File created	C:\Windows\{EC70B423-430D-4e07-B887-682D29E6637F}.exe	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe
Token: SeIncBasePriorityPrivilege	4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe
Token: SeIncBasePriorityPrivilege	1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe
Token: SeIncBasePriorityPrivilege	3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe
Token: SeIncBasePriorityPrivilege	1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe
Token: SeIncBasePriorityPrivilege	400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe
Token: SeIncBasePriorityPrivilege	4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe
Token: SeIncBasePriorityPrivilege	5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe
Token: SeIncBasePriorityPrivilege	4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe
Token: SeIncBasePriorityPrivilege	3412	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe
Token: SeIncBasePriorityPrivilege	1460	{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 512	4240	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe	90
PID 4240 wrote to memory of 512	4240	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe	90
PID 4240 wrote to memory of 512	4240	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe	90
PID 4240 wrote to memory of 664	4240	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe	91
PID 4240 wrote to memory of 664	4240	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe	91
PID 4240 wrote to memory of 664	4240	2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe	91
PID 512 wrote to memory of 4280	512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe	92
PID 512 wrote to memory of 4280	512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe	92
PID 512 wrote to memory of 4280	512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe	92
PID 512 wrote to memory of 2376	512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe	93
PID 512 wrote to memory of 2376	512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe	93
PID 512 wrote to memory of 2376	512	{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe	93
PID 4280 wrote to memory of 1908	4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe	96
PID 4280 wrote to memory of 1908	4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe	96
PID 4280 wrote to memory of 1908	4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe	96
PID 4280 wrote to memory of 3980	4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe	97
PID 4280 wrote to memory of 3980	4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe	97
PID 4280 wrote to memory of 3980	4280	{C6699642-7E76-459b-A7E4-C630BBB41162}.exe	97
PID 1908 wrote to memory of 3232	1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe	99
PID 1908 wrote to memory of 3232	1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe	99
PID 1908 wrote to memory of 3232	1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe	99
PID 1908 wrote to memory of 2864	1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe	100
PID 1908 wrote to memory of 2864	1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe	100
PID 1908 wrote to memory of 2864	1908	{B37C5256-589E-4a13-A283-5FEFF124E095}.exe	100
PID 3232 wrote to memory of 1476	3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe	101
PID 3232 wrote to memory of 1476	3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe	101
PID 3232 wrote to memory of 1476	3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe	101
PID 3232 wrote to memory of 4180	3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe	102
PID 3232 wrote to memory of 4180	3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe	102
PID 3232 wrote to memory of 4180	3232	{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe	102
PID 1476 wrote to memory of 400	1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe	103
PID 1476 wrote to memory of 400	1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe	103
PID 1476 wrote to memory of 400	1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe	103
PID 1476 wrote to memory of 3028	1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe	104
PID 1476 wrote to memory of 3028	1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe	104
PID 1476 wrote to memory of 3028	1476	{EC70B423-430D-4e07-B887-682D29E6637F}.exe	104
PID 400 wrote to memory of 4048	400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe	105
PID 400 wrote to memory of 4048	400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe	105
PID 400 wrote to memory of 4048	400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe	105
PID 400 wrote to memory of 4352	400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe	106
PID 400 wrote to memory of 4352	400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe	106
PID 400 wrote to memory of 4352	400	{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe	106
PID 4048 wrote to memory of 5080	4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe	107
PID 4048 wrote to memory of 5080	4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe	107
PID 4048 wrote to memory of 5080	4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe	107
PID 4048 wrote to memory of 3524	4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe	108
PID 4048 wrote to memory of 3524	4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe	108
PID 4048 wrote to memory of 3524	4048	{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe	108
PID 5080 wrote to memory of 4004	5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe	109
PID 5080 wrote to memory of 4004	5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe	109
PID 5080 wrote to memory of 4004	5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe	109
PID 5080 wrote to memory of 4892	5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe	110
PID 5080 wrote to memory of 4892	5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe	110
PID 5080 wrote to memory of 4892	5080	{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe	110
PID 4004 wrote to memory of 3412	4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe	111
PID 4004 wrote to memory of 3412	4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe	111
PID 4004 wrote to memory of 3412	4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe	111
PID 4004 wrote to memory of 1200	4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe	112
PID 4004 wrote to memory of 1200	4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe	112
PID 4004 wrote to memory of 1200	4004	{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe	112
PID 3412 wrote to memory of 1460	3412	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe	113
PID 3412 wrote to memory of 1460	3412	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe	113
PID 3412 wrote to memory of 1460	3412	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe	113
PID 3412 wrote to memory of 4648	3412	{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_1a28d11e29f336a006ab5485c4bc881b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe
  C:\Windows\{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\{C6699642-7E76-459b-A7E4-C630BBB41162}.exe
    C:\Windows\{C6699642-7E76-459b-A7E4-C630BBB41162}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\{B37C5256-589E-4a13-A283-5FEFF124E095}.exe
      C:\Windows\{B37C5256-589E-4a13-A283-5FEFF124E095}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe
        
        C:\Windows\{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\{EC70B423-430D-4e07-B887-682D29E6637F}.exe
        
        C:\Windows\{EC70B423-430D-4e07-B887-682D29E6637F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe
        
        C:\Windows\{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe
        
        C:\Windows\{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe
        
        C:\Windows\{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe
        
        C:\Windows\{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe
        
        C:\Windows\{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe
        
        C:\Windows\{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\{43E4E491-4B70-4611-99CE-312D89585FA7}.exe
        
        C:\Windows\{43E4E491-4B70-4611-99CE-312D89585FA7}.exe
        13⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEDF9~1.EXE > nul
        13⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC38B~1.EXE > nul
        12⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE85~1.EXE > nul
        11⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA84A~1.EXE > nul
        10⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2330~1.EXE > nul
        9⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B0AA~1.EXE > nul
        8⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC70B~1.EXE > nul
        7⤵
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09A2C~1.EXE > nul
        6⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B37C5~1.EXE > nul
        5⤵
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C6699~1.EXE > nul
      4⤵
      PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87E78~1.EXE > nul
    3⤵
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A2C556-92F8-4da1-A2C4-B780DEEB259F}.exe

Filesize
168KB

MD5
50cbab011a9d8d8df3f36fe37a2ed372

SHA1
a89c703f51841da026389c70a301d95827f2f5a7

SHA256
6bf512b4b741c03f999ad764ea646f4188e79ee04892321983bab9429feda653

SHA512
e14923a6f3c04a4e6d69c5e7934f9b119ac06cb7fc77cb9d659307af295dcd7c146524151ccd326e3c8dc713294b542f338591273be6596185f6fc9f2a11ee44

Download Submit
C:\Windows\{3DE85261-59BB-478e-B1FA-F1883A75E722}.exe

Filesize
168KB

MD5
c7197959737e9c253e284111914a7620

SHA1
ccd36535c9e7109df97b3028d49247fe03853489

SHA256
f8f594981cf06457858b868c8b27ef50cf82bb87ff3e58993ac5dc2d914ad3de

SHA512
3caaf80018e98bf0a9ecfdcdf5e40939be92a504cf22bca070b323b0726c697cdccd061dea8c4ca5ca47feba6c792fa12f43bcf592c200cd92a2636eff09533c

Download Submit
C:\Windows\{43E4E491-4B70-4611-99CE-312D89585FA7}.exe

Filesize
168KB

MD5
72056720891575ca7a9c2acdeae44516

SHA1
5c0e7e1c4adab000ccb94d6d3cc6a1136f60bbd6

SHA256
d640ec21ec454a2fc31b79f9d089b228780a920f19c212458070cb52d520e4eb

SHA512
323b93c0f31dca50e2825f2bc43a1827f0c24961acd77c4fe936f9fc04a971fc965e30c869ee571798765ed7fb9b9725500b2c46b4a6e2f7169775837c976e43

Download Submit
C:\Windows\{87E78895-1F56-42d6-B6A7-AB41E84DA182}.exe

Filesize
168KB

MD5
8f9a20d3de14161c4ba1b6f26a306361

SHA1
c73fb8b3c4f5819a4ff60a18361375eebe470e7a

SHA256
12421ddc5c13bdf4516189098e2727498c31851da4a17e7784e1c96c6ee54af0

SHA512
6d5c3469b6ab7f3aa56248f4958127270b0e75a588af6dc188c82085c9dd6fc468808beb703ce903bb2d2028a653e843ce3ee922d790cbd80282ee4d78d7b48b

Download Submit
C:\Windows\{9B0AA6F0-B993-4a3c-95EB-89C279F07B4A}.exe

Filesize
168KB

MD5
cb7896ca08307933467a2f309d4b9e6c

SHA1
ab696a4841815724a1ff39f353f082daadeb0114

SHA256
bbac52f53f8182115926a6ac3bc73b45065bd0af859522db7625b781a72eac7e

SHA512
6bfff6e6becc4a934836b5777b4c1fdd8df40b687355d9d0bbbf2864a8a164f7f39587727df5cc8911e4aab58ccec0644eaa4560ef3bdb43d1fc729d1d1a6132

Download Submit
C:\Windows\{AA84AE8C-4CC6-4361-BBDE-7DBB7903CAB8}.exe

Filesize
168KB

MD5
6873ad01878009b5300c3e6682780b89

SHA1
668e4cdc93a74d5859370b226ab96782c97b12cb

SHA256
285c57bb381c4bac7ae5057d5db13119fa5607291dcf450f705dbe662b1f4395

SHA512
a422990dfab880347e50702b368ad8a43cb2e033f9f6cd45b13247e5912b6fb985c2e8325f6745f6e6d68c56c17e3b61e3a51c9bb0f807c5d7ce85ac24082887

Download Submit
C:\Windows\{B37C5256-589E-4a13-A283-5FEFF124E095}.exe

Filesize
168KB

MD5
328d114b654068a8c96d4c81c94f2711

SHA1
43b889ce54c575d55f6bfc5ddbb30048e3f3a289

SHA256
dc215c861ec0dbf88aac9e940bd31fd690b5102a0cac972be5d1420e77b959de

SHA512
c0ff816c1731624a56d286bd22a3f511d430f3ffef4879e5dfb8a0baf3ddcac204e96b0bcc6828a49d125fd7b4e79d25e326ebf7b2bed3165e6fd5dbf02ac44e

Download Submit
C:\Windows\{BC38B05A-FEF1-4f4c-A09B-422B064CC376}.exe

Filesize
168KB

MD5
0698461cbee909ef0f255adca6f86dbf

SHA1
64f2d4852ec78b7523d8ab3c2a117b2914e3dc58

SHA256
022ac6ef046e04655573de114b98ea83e0930f30114e5963e4f7aace58fe2130

SHA512
f7cfa3c72698dac11477fd904c643b20c145d82efc8c5999863f8dfaa799fc3417e7c476d69e713eadc04af0b72db535a4c9e5e82d941dec5afb70fa6c76c8dc

Download Submit
C:\Windows\{C2330D98-8DFB-4dc8-8305-F8DA5ECDB033}.exe

Filesize
168KB

MD5
c0c3dee0f126d93c228b5c649a8c6c95

SHA1
1e05edbb60f855de067e130fe2341ae24caf5b21

SHA256
46efdc00447a1d6309e98f55b96c6a03371771a0779f995b1fa8d9355a1a0dac

SHA512
54c200a6042c732aa07424dea3ecc9247baf8bbd41d7e676aee9c47d0bef354320a092d2a446af2af3bae3efd23388147c8ed155d3cdd2e71a68a48d75765125

Download Submit
C:\Windows\{C6699642-7E76-459b-A7E4-C630BBB41162}.exe

Filesize
168KB

MD5
ba1e8884b91d483693428bdc4da7f97f

SHA1
c2f1e7231179d978b84966b0f6e9a42edf1c6aff

SHA256
e93120a9074d5dccd40dd3c67e951b8462e4fb170261a45cd93ed2324bf3fca0

SHA512
923c5d86f60a07446860aedd7fcde8ba98578d0f15ba23669fa86763b26fa00795e964d0b8fd3cb858fe2699dad0c94d7a292d8bd85c9eed6a69bfbc180208cd

Download Submit
C:\Windows\{EC70B423-430D-4e07-B887-682D29E6637F}.exe

Filesize
168KB

MD5
11e97d4934cbb4a526dd17010c59d87e

SHA1
33f67474037d7d5df408caaeb8ed63c7fda4f3d1

SHA256
7c55a45dcd734d66f239cc3d98780f48668cb1f6a53e034edc3edb5a8645b9ca

SHA512
e44c54d540c628a181c8fbc40acc37a20b027f691903562384444fbe2f8122c66ccffae05f84ddac14087c1ba967d29465e46db6d55c057a11bcb731bb519e33

Download Submit
C:\Windows\{FEDF99D4-E53C-4181-BA74-108854C5FAE9}.exe

Filesize
168KB

MD5
212c3801e0c5d53631df4db7fc08cccd

SHA1
1e1e36ca5f1207f2202b98bab53d5a753f9fcd22

SHA256
2e89597e5e989543d0b89a8abd59999f120a0bace78d1853c52a23bed03101ce

SHA512
127f4aa4caa3a15558cb204b6c90bcace6c057bd392a81d9b98a4b1cd5462291917335fdd09abb3694ac134268e0581acdbdc2d8709c78032581c1c5f6fb2498

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads