453cf23f444d31cb9d3d4d1847a6e0a4dba07cebf7ac873c888d0f6a294d407c

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe
Size

408KB
MD5

29a512540da7b664e3089be412067791
SHA1

25cdf11335dfde089cd19e8b566119770c433b8d
SHA256

453cf23f444d31cb9d3d4d1847a6e0a4dba07cebf7ac873c888d0f6a294d407c
SHA512

91df77414c0a24aa97eac868069c2757cfdfd759cae6ac16149787d0856139bbe628a7f96a46a1c6973e903628138eba611527ace51700cb0bfaad52bfa42dfe
SSDEEP

3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGpldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002342d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e743-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023443-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023533-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002296d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002335e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002296d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002354c-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e405-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002353a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e4ce-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}\stubpath = "C:\\Windows\\{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe"	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}\stubpath = "C:\\Windows\\{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe"	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}\stubpath = "C:\\Windows\\{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe"	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCDB3E95-51F1-4666-AC83-5DB328568429}	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCDB3E95-51F1-4666-AC83-5DB328568429}\stubpath = "C:\\Windows\\{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe"	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{413B08F4-A0E7-4cb8-B888-B73A810A4683}	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2EF8566-1C73-44a0-9B39-1C260302D092}\stubpath = "C:\\Windows\\{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe"	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}\stubpath = "C:\\Windows\\{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe"	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}\stubpath = "C:\\Windows\\{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe"	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}\stubpath = "C:\\Windows\\{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe"	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139EB0AC-FFB9-44b4-8466-112B79217A98}	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{413B08F4-A0E7-4cb8-B888-B73A810A4683}\stubpath = "C:\\Windows\\{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe"	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2EF8566-1C73-44a0-9B39-1C260302D092}	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{352743B0-4704-4de6-9112-767D6FFCF9EC}\stubpath = "C:\\Windows\\{352743B0-4704-4de6-9112-767D6FFCF9EC}.exe"	{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139EB0AC-FFB9-44b4-8466-112B79217A98}\stubpath = "C:\\Windows\\{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe"	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E02D905B-F734-4796-988F-C3F8065FDBA4}\stubpath = "C:\\Windows\\{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe"	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{352743B0-4704-4de6-9112-767D6FFCF9EC}	{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E02D905B-F734-4796-988F-C3F8065FDBA4}	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe

Executes dropped EXE 12 IoCs

pid	Process
972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe
4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe
4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe
3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe
780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe
2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe
3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe
1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe
3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe
4772	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe
4728	{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe
4032	{352743B0-4704-4de6-9112-767D6FFCF9EC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe
File created	C:\Windows\{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe
File created	C:\Windows\{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe
File created	C:\Windows\{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe
File created	C:\Windows\{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe
File created	C:\Windows\{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe
File created	C:\Windows\{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe
File created	C:\Windows\{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe
File created	C:\Windows\{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe
File created	C:\Windows\{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe
File created	C:\Windows\{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe
File created	C:\Windows\{352743B0-4704-4de6-9112-767D6FFCF9EC}.exe	{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2432	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe
Token: SeIncBasePriorityPrivilege	972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe
Token: SeIncBasePriorityPrivilege	4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe
Token: SeIncBasePriorityPrivilege	4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe
Token: SeIncBasePriorityPrivilege	3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe
Token: SeIncBasePriorityPrivilege	780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe
Token: SeIncBasePriorityPrivilege	2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe
Token: SeIncBasePriorityPrivilege	3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe
Token: SeIncBasePriorityPrivilege	1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe
Token: SeIncBasePriorityPrivilege	3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe
Token: SeIncBasePriorityPrivilege	4772	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe
Token: SeIncBasePriorityPrivilege	4728	{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 972	2432	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe	97
PID 2432 wrote to memory of 972	2432	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe	97
PID 2432 wrote to memory of 972	2432	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe	97
PID 2432 wrote to memory of 4612	2432	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe	98
PID 2432 wrote to memory of 4612	2432	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe	98
PID 2432 wrote to memory of 4612	2432	2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe	98
PID 972 wrote to memory of 4764	972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe	100
PID 972 wrote to memory of 4764	972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe	100
PID 972 wrote to memory of 4764	972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe	100
PID 972 wrote to memory of 2896	972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe	101
PID 972 wrote to memory of 2896	972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe	101
PID 972 wrote to memory of 2896	972	{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe	101
PID 4764 wrote to memory of 4400	4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe	104
PID 4764 wrote to memory of 4400	4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe	104
PID 4764 wrote to memory of 4400	4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe	104
PID 4764 wrote to memory of 1368	4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe	105
PID 4764 wrote to memory of 1368	4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe	105
PID 4764 wrote to memory of 1368	4764	{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe	105
PID 4400 wrote to memory of 3588	4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe	107
PID 4400 wrote to memory of 3588	4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe	107
PID 4400 wrote to memory of 3588	4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe	107
PID 4400 wrote to memory of 1900	4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe	108
PID 4400 wrote to memory of 1900	4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe	108
PID 4400 wrote to memory of 1900	4400	{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe	108
PID 3588 wrote to memory of 780	3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe	109
PID 3588 wrote to memory of 780	3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe	109
PID 3588 wrote to memory of 780	3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe	109
PID 3588 wrote to memory of 1124	3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe	110
PID 3588 wrote to memory of 1124	3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe	110
PID 3588 wrote to memory of 1124	3588	{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe	110
PID 780 wrote to memory of 2768	780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe	115
PID 780 wrote to memory of 2768	780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe	115
PID 780 wrote to memory of 2768	780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe	115
PID 780 wrote to memory of 3560	780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe	116
PID 780 wrote to memory of 3560	780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe	116
PID 780 wrote to memory of 3560	780	{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe	116
PID 2768 wrote to memory of 3548	2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe	117
PID 2768 wrote to memory of 3548	2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe	117
PID 2768 wrote to memory of 3548	2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe	117
PID 2768 wrote to memory of 2612	2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe	118
PID 2768 wrote to memory of 2612	2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe	118
PID 2768 wrote to memory of 2612	2768	{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe	118
PID 3548 wrote to memory of 1508	3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe	119
PID 3548 wrote to memory of 1508	3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe	119
PID 3548 wrote to memory of 1508	3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe	119
PID 3548 wrote to memory of 1768	3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe	120
PID 3548 wrote to memory of 1768	3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe	120
PID 3548 wrote to memory of 1768	3548	{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe	120
PID 1508 wrote to memory of 3252	1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe	125
PID 1508 wrote to memory of 3252	1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe	125
PID 1508 wrote to memory of 3252	1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe	125
PID 1508 wrote to memory of 1076	1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe	126
PID 1508 wrote to memory of 1076	1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe	126
PID 1508 wrote to memory of 1076	1508	{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe	126
PID 3252 wrote to memory of 4772	3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe	127
PID 3252 wrote to memory of 4772	3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe	127
PID 3252 wrote to memory of 4772	3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe	127
PID 3252 wrote to memory of 4004	3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe	128
PID 3252 wrote to memory of 4004	3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe	128
PID 3252 wrote to memory of 4004	3252	{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe	128
PID 4772 wrote to memory of 4728	4772	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe	129
PID 4772 wrote to memory of 4728	4772	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe	129
PID 4772 wrote to memory of 4728	4772	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe	129
PID 4772 wrote to memory of 3728	4772	{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_29a512540da7b664e3089be412067791_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe
  C:\Windows\{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe
    C:\Windows\{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe
      C:\Windows\{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe
        
        C:\Windows\{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Windows\{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe
        
        C:\Windows\{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe
        
        C:\Windows\{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe
        
        C:\Windows\{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe
        
        C:\Windows\{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe
        
        C:\Windows\{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe
        
        C:\Windows\{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe
        
        C:\Windows\{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\{352743B0-4704-4de6-9112-767D6FFCF9EC}.exe
        
        C:\Windows\{352743B0-4704-4de6-9112-767D6FFCF9EC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3003D~1.EXE > nul
        13⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD9F5~1.EXE > nul
        12⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50978~1.EXE > nul
        11⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2EF8~1.EXE > nul
        10⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{413B0~1.EXE > nul
        9⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E02D9~1.EXE > nul
        8⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{139EB~1.EXE > nul
        7⤵
        
        PID:3560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCDB3~1.EXE > nul
        6⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8EB2~1.EXE > nul
        5⤵
        
        PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22A35~1.EXE > nul
      4⤵
      PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ADFE4~1.EXE > nul
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{139EB0AC-FFB9-44b4-8466-112B79217A98}.exe

Filesize
408KB

MD5
c78645bf0aa52b51406785ab38f00fe8

SHA1
dbfc67eb574477027075a4275191f28b9feab461

SHA256
1c6c0b24815b8801c3142cf285223529d01899d311b34a6478274eab0d7984d3

SHA512
22cc8515373f475e98e2e6a4fce8fabf26e53c11d92a93eedc9103e8bad1dd6ab4e405386aea696f6795fb70ee0c5149d99f855e0ef8052d7a6202fb80914126

Download Submit
C:\Windows\{22A354BC-B2C4-4b4f-8ED2-72B15B96A243}.exe

Filesize
408KB

MD5
5e842bfa803f452c1ae25a1a07254b6d

SHA1
98faf8a1172441adeb23737e795af5b0b361aa94

SHA256
e611ebafabbb8d0ff440db937725badf434ac0f15bc5cb7c975118c852aa7b3a

SHA512
cfc3eafa357c4d3bb55322dbf9847c57d72f7a55c51f6908019015c0141a0697e508fbd430f25c975f21af76e5367816c0c5eeb47b65a5b99976cd1d1ead4306

Download Submit
C:\Windows\{3003DEE8-3E2C-42ed-B426-1DCDD2F306CE}.exe

Filesize
408KB

MD5
f18250206372815480ddac88a3cb7506

SHA1
d19411677bb49d4982b5489fc2a3520040254bca

SHA256
ee322385bf23fe71d7d1990e1af9aea997163d98e20ddb2373499c23e831dbf1

SHA512
ad6b80bcbba401106e3beea8de6aeb17f4b8a3b9627b3032cb7f2a2570b45a8bc2897ed51534a748b7b341c0d5c1d0382a28e22048782de64733a0b268e12dad

Download Submit
C:\Windows\{352743B0-4704-4de6-9112-767D6FFCF9EC}.exe

Filesize
408KB

MD5
b158cbae497612e45e12c0e28eba9c1c

SHA1
8520e32df2f3efe27b7cf9e110a2d1f61db8393a

SHA256
0db8b05261606b2bd027373cf9a89d504195e1fca173036c55abdea8c02fd26d

SHA512
d3274d6f8b80c41d5e3bfdeba091eac2d576ac52ea0e2eee4415a61bcbd64aa29c870395e2d2d1d8b14321e1781bedb6bce9bb1e5613651d65861991d7699775

Download Submit
C:\Windows\{413B08F4-A0E7-4cb8-B888-B73A810A4683}.exe

Filesize
408KB

MD5
7d6325bab6ca53a83c26d06892ff855d

SHA1
e4f8bc43243a690465348126e64dffa7dbbc8854

SHA256
7879e39681610c855db9ec350048f470e237cd67752ca7ac97e0b970df2a82da

SHA512
1eb61ff07e772e8ee7c4b8174a72847dc33be82cad6169c4aac1b4e337205bb8fb6c998fbd641ec77784d09240f3c8df551107cec3252d78d109d4e7e9ebf102

Download Submit
C:\Windows\{5097885B-4799-4a6a-98AE-AA23B8B1D7C6}.exe

Filesize
408KB

MD5
c1fbd58ee7cfb6423d921a35551db67d

SHA1
e331c3d02741faba298724b6c8fe53307c548ed6

SHA256
6c48b64a315df07aae8fc433d08d333bdb08ca5158e7ceeb4fe9ee04c2a2a54a

SHA512
eb20124dbf628b9570671a962ec8c81308a6bf101871712c506111fa4bf5a4d7e1097d7959f93e4a2f7c51ecc741364da9098929087733bbd01429ef435dce58

Download Submit
C:\Windows\{ADFE450E-A7BA-4293-BBE2-CB3F32FEBC0A}.exe

Filesize
408KB

MD5
719d05310352543025eabaccf2a62cb5

SHA1
b14f07d249f0b3ccd429ba4eac92229176a14b80

SHA256
4d85fa3143759db003a366c86ed74994721fc860ecf4c087e7dbf5c1f63f492f

SHA512
dd32aef7b795a22f4fe4094aac069a0fa4bee55dc4f0f417faf75a441a6d9d1975592c2e6e7e76c163f250f7de1d56af7b7e68f8bcd5637746c02beba11ddbff

Download Submit
C:\Windows\{B8EB2F84-0CFF-458d-8461-9DECF859BFA1}.exe

Filesize
408KB

MD5
4467e5b0579b9ca7c590fa6b42d6acf3

SHA1
6a6f15cf178bcc8967b7d3647ea06a2a8b5717c3

SHA256
ce39d9bc85ab2b8313a8959bd55940046d5e738dcee1440dca267c49418b6d47

SHA512
e4a1ea5a415108a5b4356b8bafddcb42faf732cfbece04c21db9352a12f8a1b17753b19349123acda56809e06a6e9fc0ca93601b869c3aed163ab14e9b668ddd

Download Submit
C:\Windows\{BCDB3E95-51F1-4666-AC83-5DB328568429}.exe

Filesize
408KB

MD5
99921b85f1dc6937c3d43d0e22828627

SHA1
1e7bc024e8180ac89fe7c6c7a3ebe73b0cf76e94

SHA256
e605dea3dd4e4dc197642b1c2d43271bdeeb810fe9f9f8c0c73fc577e993a3a2

SHA512
67e7b4019586484f451bac5987ddb48d4f96d728610ba3f8368faad0227a70d8cf86e1e00b5d92821bd926bebdbb2a2944d75cac92e3eff2f0f8be87068abbbe

Download Submit
C:\Windows\{C2EF8566-1C73-44a0-9B39-1C260302D092}.exe

Filesize
408KB

MD5
61d3c69916b64671e4aa8ea50d539008

SHA1
bc75ca995d8ff6b857286bbd32cfde40372ce593

SHA256
afce348d4add72dcbb7db2c1f4a6bfb618f725fffaebfdd4aeb8cbdd72b6e833

SHA512
a42f00e1cedf8d9e6cd182cb31a7fb646287fecb5747f71f822c87f9056897a23ab9dee2f5b1e789f2118f175ed219024dfe040527a2c296df0c0599386c1ebb

Download Submit
C:\Windows\{DD9F5A72-5850-4ce2-87CB-40D3389FE12C}.exe

Filesize
408KB

MD5
8abe4368f3aa9faf962fa0d3e5d8f330

SHA1
a941eb9b248c591f90fdd044cf4d207e07a7b275

SHA256
b7ec6f200bc9ba7e0ee49658ceafd98dcd575d320a8e40ab3abcc7050b396276

SHA512
eb5ba11e15910dda85f7683bf517bca0c8055e20097d65c9c1a11aabdf1a0af2902dedc6ca5745157c578a216cd5ad0da545f03ef2e96994edeee566ecd7ad8b

Download Submit
C:\Windows\{E02D905B-F734-4796-988F-C3F8065FDBA4}.exe

Filesize
408KB

MD5
413473e78747e0fda9f8c4c4f5964044

SHA1
ea84091cd41d49ba05c300e25146d353be2a4a63

SHA256
3494c2c613ca5425dd8c24dc322815920e9fefae9786d9da4f6a056451ca767a

SHA512
7b7366869ec3189f16614819580ad78e3039ac4bc65b188d84d19b10453535841ed06e6113f8dd9ae5074cb5a29536e457deac10e1693b2016b571bb48ee5e10

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads