1ee7387805bdfdb6d145033d4c5df25235eb204f81699ff69613b840922f8c52

Analysis

max time kernel
184s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Size

197KB
MD5

19ff94abde1f2f976ede0fb076ba666d
SHA1

30d997c7010e392248833444410a3680f8a80b71
SHA256

1ee7387805bdfdb6d145033d4c5df25235eb204f81699ff69613b840922f8c52
SHA512

2890da9ceddbc6528107eb161f876cfaed015e1e1084320d4e4254cc5cc02559927e252d5494db366e61f155e6f8965415bb074c5bc43814809a4202eca87865
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG5lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e827-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e828-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000006c5-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e748-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00170000000006c5-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e748-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00180000000006c5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e748-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00190000000006c5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e748-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a0000000006c5-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e748-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}\stubpath = "C:\\Windows\\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe"	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}\stubpath = "C:\\Windows\\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe"	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094980D5-1F39-4db5-9A85-BBDCE5B09747}\stubpath = "C:\\Windows\\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe"	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}\stubpath = "C:\\Windows\\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe"	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C211656F-0786-4e1b-8FCA-FBB822549A1D}\stubpath = "C:\\Windows\\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe"	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C211656F-0786-4e1b-8FCA-FBB822549A1D}	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}\stubpath = "C:\\Windows\\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe"	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}\stubpath = "C:\\Windows\\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe"	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}\stubpath = "C:\\Windows\\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe"	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094980D5-1F39-4db5-9A85-BBDCE5B09747}	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}\stubpath = "C:\\Windows\\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe"	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}\stubpath = "C:\\Windows\\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe"	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DB313B-9256-495f-93F3-D5D708E97724}	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DB313B-9256-495f-93F3-D5D708E97724}\stubpath = "C:\\Windows\\{98DB313B-9256-495f-93F3-D5D708E97724}.exe"	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}\stubpath = "C:\\Windows\\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe"	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Executes dropped EXE 12 IoCs

pid	Process
2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
4884	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
2252	{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
File created	C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
File created	C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
File created	C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
File created	C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
File created	C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
File created	C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
File created	C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
File created	C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
File created	C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
File created	C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
File created	C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
Token: SeIncBasePriorityPrivilege	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
Token: SeIncBasePriorityPrivilege	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
Token: SeIncBasePriorityPrivilege	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
Token: SeIncBasePriorityPrivilege	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
Token: SeIncBasePriorityPrivilege	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
Token: SeIncBasePriorityPrivilege	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
Token: SeIncBasePriorityPrivilege	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
Token: SeIncBasePriorityPrivilege	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
Token: SeIncBasePriorityPrivilege	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
Token: SeIncBasePriorityPrivilege	4884	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2332	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	89
PID 1576 wrote to memory of 2332	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	89
PID 1576 wrote to memory of 2332	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	89
PID 1576 wrote to memory of 432	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	90
PID 1576 wrote to memory of 432	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	90
PID 1576 wrote to memory of 432	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	90
PID 2332 wrote to memory of 1212	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	91
PID 2332 wrote to memory of 1212	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	91
PID 2332 wrote to memory of 1212	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	91
PID 2332 wrote to memory of 2252	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	92
PID 2332 wrote to memory of 2252	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	92
PID 2332 wrote to memory of 2252	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	92
PID 1212 wrote to memory of 1452	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	93
PID 1212 wrote to memory of 1452	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	93
PID 1212 wrote to memory of 1452	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	93
PID 1212 wrote to memory of 3380	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	94
PID 1212 wrote to memory of 3380	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	94
PID 1212 wrote to memory of 3380	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	94
PID 1452 wrote to memory of 4672	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	96
PID 1452 wrote to memory of 4672	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	96
PID 1452 wrote to memory of 4672	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	96
PID 1452 wrote to memory of 4080	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	97
PID 1452 wrote to memory of 4080	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	97
PID 1452 wrote to memory of 4080	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	97
PID 4672 wrote to memory of 2616	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	98
PID 4672 wrote to memory of 2616	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	98
PID 4672 wrote to memory of 2616	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	98
PID 4672 wrote to memory of 1196	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	99
PID 4672 wrote to memory of 1196	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	99
PID 4672 wrote to memory of 1196	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	99
PID 2616 wrote to memory of 2476	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	100
PID 2616 wrote to memory of 2476	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	100
PID 2616 wrote to memory of 2476	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	100
PID 2616 wrote to memory of 4196	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	101
PID 2616 wrote to memory of 4196	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	101
PID 2616 wrote to memory of 4196	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	101
PID 2476 wrote to memory of 3676	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	102
PID 2476 wrote to memory of 3676	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	102
PID 2476 wrote to memory of 3676	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	102
PID 2476 wrote to memory of 4236	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	103
PID 2476 wrote to memory of 4236	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	103
PID 2476 wrote to memory of 4236	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	103
PID 3676 wrote to memory of 4288	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	104
PID 3676 wrote to memory of 4288	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	104
PID 3676 wrote to memory of 4288	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	104
PID 3676 wrote to memory of 2360	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	105
PID 3676 wrote to memory of 2360	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	105
PID 3676 wrote to memory of 2360	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	105
PID 4288 wrote to memory of 1652	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	106
PID 4288 wrote to memory of 1652	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	106
PID 4288 wrote to memory of 1652	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	106
PID 4288 wrote to memory of 4040	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	107
PID 4288 wrote to memory of 4040	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	107
PID 4288 wrote to memory of 4040	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	107
PID 1652 wrote to memory of 436	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	108
PID 1652 wrote to memory of 436	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	108
PID 1652 wrote to memory of 436	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	108
PID 1652 wrote to memory of 3200	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	109
PID 1652 wrote to memory of 3200	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	109
PID 1652 wrote to memory of 3200	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	109
PID 436 wrote to memory of 4884	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	110
PID 436 wrote to memory of 4884	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	110
PID 436 wrote to memory of 4884	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	110
PID 436 wrote to memory of 1576	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
  C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
    C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
      C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
        
        C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
        
        C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
        
        C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
        
        C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
        
        C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
        
        C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe
        
        C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
        
        C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe
        
        C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9868~1.EXE > nul
        13⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98DB3~1.EXE > nul
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2116~1.EXE > nul
        11⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18C20~1.EXE > nul
        10⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09498~1.EXE > nul
        9⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A4B~1.EXE > nul
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F4E9~1.EXE > nul
        7⤵
        
        PID:4196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{980DB~1.EXE > nul
        6⤵
        
        PID:1196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E9C~1.EXE > nul
        5⤵
        
        PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F711~1.EXE > nul
      4⤵
      PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A0CA~1.EXE > nul
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe

Filesize
197KB

MD5
827303aaafe6b70ea01ab16c806ff622

SHA1
4a4d661548bfc7a48fa2907f44a9c56e1aee0761

SHA256
e743dc711fe3f348538ce67dd6282735f3b6ca1194a0196bb4d4cff081a462aa

SHA512
9999e46b453cafc9f6029e4ca35bb233c867ceade1e55ce7d9f2d697a585fa38dfa9de15acf7e20ab4a117648faa11f0a3213e020e09384e040e63b844a405c4

Download Submit
C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe

Filesize
197KB

MD5
28d539f404840bea1206ef34dd67d597

SHA1
8531b3b6da5bb0ae64a2b627e26a428475dfc9ea

SHA256
ffceb64774c8e808a96e8dd085d0e03b1f4227eeaf0b938b379926e8896f0d36

SHA512
82cd39d2f8817f55de98b75a928e784ef93731144759aa114929338fb8aa2f872bed92604d2ef4a07c41dd5feae06612436392fe9b3cc7236cabb8f32189c4a8

Download Submit
C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe

Filesize
197KB

MD5
9a9bbb3cf7956289a39e26fc938dc9a6

SHA1
eb7c64231c23105246d3347aa6078a239c009a4f

SHA256
74f1634519deefeac7a13e87ec5675a10b8539eb157cbf74c1607fde9617917f

SHA512
1bf9278bc2f16d09c25fef119ca01985af14fe7b7a0f044362fac13108adcc07e3f0d9a39c2edbd86759219c8a1f8b90eea05e540126aae03dbcb9e401593bd5

Download Submit
C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe

Filesize
197KB

MD5
2973ae9df8de3944391e001380ecd325

SHA1
9e184350a37b7bd7f62ff8d489bc76dc176bfe51

SHA256
539f46a1ac5d92330e061849923f2d8a6fe1a2c58f2f6d0f2ec6c6812ce76655

SHA512
c269794d6812d498b6d3e08118f471f43b52d578f56b09f1b6536668d76f1eb63d4a861c96b406570669df6b6e123502b2fd685ef3fd431d87d3a1078f32fbef

Download Submit
C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe

Filesize
197KB

MD5
7571ee91d37360c49829b59845f38185

SHA1
1428aeada647c101f9801d36d5a0a17640fa2aab

SHA256
b77db16ff3bd31f0fa3e132015b63e4ef26bbd471d0b546260a4d0b25a4adf38

SHA512
06c8138ea87fdae1cd18b61c46611b100b88176d081856d03ccabebc9ca5e8c41a23bad739a2bce37ca282ae6ead32c5ec64e8c452780ae64f8fc3e0a37ba8f4

Download Submit
C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe

Filesize
197KB

MD5
cfbf8f84c9c4efd9c8c400ab62196a3a

SHA1
db696d319733e911f75a603032867d9a91da2f7a

SHA256
90aa3c18714936809158603298f47341b7e3d35ffbef99b8546d31747d1654ed

SHA512
3b4f05c2da90fbda89cdae18428c5d82d1524c66bcc17d0050028e3edd42d9d70645fca4a74200587c7c7925815a75b5aae8cca77f28900fff47c1696e3a9baa

Download Submit
C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe

Filesize
197KB

MD5
c3bba18e7c1416930bbe74aeb48f9493

SHA1
12ff3f9f0c1c05a21660c4c64d463ea6dd06b6c6

SHA256
856b87f07978362fc4f590526fcda1af2d03cb395039789fe399b7f41d3b2911

SHA512
f3039b247fbd05b64f2a01ba55f898143b077a96cef6959dafb1d652f9b1cbe08d44edb3c001c9c11604be6d3911a784f6746c0b2406acfdf7276ffa4cc53d8d

Download Submit
C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe

Filesize
197KB

MD5
76791d9464b1e05dd454d09e24ab2f98

SHA1
cafc2df067a80a0e701a918deaf6e1f0ce770aa7

SHA256
d84b319177b6733a5f04bc68e152955c52ea1c479d8faf48b29449a0517e038d

SHA512
daf4f707124928ae6ef0c01aa4d777ceb7a31c48a4aaf981e91973fd1134703091e0507f248ef1d18ff6a6ea0d296ca2fba5cc9c9c037b7ea25465fc8115a237

Download Submit
C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe

Filesize
197KB

MD5
966d00944a946fc4ec08f0d4c981dc97

SHA1
ea21b0e78710f8cacc2f6d13aa9a9b040830c791

SHA256
456e32d7246122985280bfbf62545516909ee8f309fe6523e143a2f0d97364aa

SHA512
31e5175f43c3c7f4d9f7f010a7d724e0d7bb483bd3d60f31da5070b9edff64e5fb7259ac73d901847491873dcbe697f50f1d7baee2b368d6a5dbd5e00d6d91fe

Download Submit
C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe

Filesize
197KB

MD5
e82235eeb66e0b8f81a2548a0d6063c6

SHA1
ce5f4d6b1e85ef06510c54141089d4e4aacf6c49

SHA256
b7445819529b717ac28d7ec70baa2997ea0c8cc863f1a072c90b447ebd15fb53

SHA512
eef698ad04f5a0ba1336498a56193aebdf71f2f97f7a6ad9b4255f2c568e7e7e230ac5edf68334945ebbb14cfcc503801de1d374e0f579885b42d2542035992e

Download Submit
C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe

Filesize
197KB

MD5
282d311e01faaa037f0c99ca7c7b87f3

SHA1
5e3bd006f7fb5bb75b8db24958a9d6526bea5418

SHA256
ef9a12b3b04dda1092be2719ef4824641559585eb7363ce26b9401339bb2ff61

SHA512
0d14332cd8cd50b6b5bf546084e6a3c94a5be53eeb150d8e182fbf8ba78f4174ab307192ae63f06ccf1e80b8a319cabd9df53d1172babcf93ada711baf1fbd95

Download Submit
C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Filesize
197KB

MD5
4bcbc135edb87626e766d364fe684b45

SHA1
6be0e25651a3cbeebb672abdb73bbec809d61b02

SHA256
155e6ff609614aa9d7d61f657b20e98fc9038419102f3e255a4315b5b57cc1b7

SHA512
7957dd9506d1b2a5514d55db3c77ff487422ff4f2f7b7c44d1b9a80a9fcda9ca51ebeddf44afc4012738d502208f99eaeac158a0614d07cefd93b121ea32f44d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads