ef08b3d734eb333b41536cc7aa1233b11adcde8a2376391b1e1775e1e265b95e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Size

168KB
MD5

f7d7eb6c166f378d7305595537ac530f
SHA1

b61bda19e915efa8a0f457dfa0a846232c2ec81d
SHA256

ef08b3d734eb333b41536cc7aa1233b11adcde8a2376391b1e1775e1e265b95e
SHA512

f53b10f1ae232212ba951e691b5c401f9aa360244332f47c783ffdccffae6e61971948beec443d951b840bf6a4a289d2b7b042920bf364af2e39494bd05c26b8
SSDEEP

1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023419-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023376-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002338f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023509-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002350a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023509-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023522-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023525-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023522-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023525-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002336e-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}\stubpath = "C:\\Windows\\{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe"	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B50FED6-CE33-4a25-9D27-50C4859C53FF}	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38327F77-56F2-4e08-8D5F-6DD777F9959F}	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86254E42-6702-491e-B063-B41B859BE061}\stubpath = "C:\\Windows\\{86254E42-6702-491e-B063-B41B859BE061}.exe"	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DE249D6-B87D-4480-93A7-1B674135EC0B}\stubpath = "C:\\Windows\\{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe"	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A69D69-1262-4e05-A745-58CA64DF775F}\stubpath = "C:\\Windows\\{08A69D69-1262-4e05-A745-58CA64DF775F}.exe"	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38327F77-56F2-4e08-8D5F-6DD777F9959F}\stubpath = "C:\\Windows\\{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe"	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53EE257D-9FD4-4518-8E2E-B64E632C0702}\stubpath = "C:\\Windows\\{53EE257D-9FD4-4518-8E2E-B64E632C0702}.exe"	{86254E42-6702-491e-B063-B41B859BE061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}\stubpath = "C:\\Windows\\{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe"	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9457A142-035F-449c-B7D7-99E9F518DC05}	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9457A142-035F-449c-B7D7-99E9F518DC05}\stubpath = "C:\\Windows\\{9457A142-035F-449c-B7D7-99E9F518DC05}.exe"	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}\stubpath = "C:\\Windows\\{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe"	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B50FED6-CE33-4a25-9D27-50C4859C53FF}\stubpath = "C:\\Windows\\{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe"	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}\stubpath = "C:\\Windows\\{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe"	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86254E42-6702-491e-B063-B41B859BE061}	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53EE257D-9FD4-4518-8E2E-B64E632C0702}	{86254E42-6702-491e-B063-B41B859BE061}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DE249D6-B87D-4480-93A7-1B674135EC0B}	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2389A21B-B3E2-43b3-A866-71B8F69D83B3}	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2389A21B-B3E2-43b3-A866-71B8F69D83B3}\stubpath = "C:\\Windows\\{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe"	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A69D69-1262-4e05-A745-58CA64DF775F}	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe

Executes dropped EXE 12 IoCs

pid	Process
656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe
2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe
2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe
1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe
3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe
1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe
436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe
1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe
3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe
1932	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe
2696	{86254E42-6702-491e-B063-B41B859BE061}.exe
3200	{53EE257D-9FD4-4518-8E2E-B64E632C0702}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe
File created	C:\Windows\{08A69D69-1262-4e05-A745-58CA64DF775F}.exe	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe
File created	C:\Windows\{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe
File created	C:\Windows\{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe
File created	C:\Windows\{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
File created	C:\Windows\{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe
File created	C:\Windows\{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe
File created	C:\Windows\{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe
File created	C:\Windows\{86254E42-6702-491e-B063-B41B859BE061}.exe	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe
File created	C:\Windows\{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe
File created	C:\Windows\{9457A142-035F-449c-B7D7-99E9F518DC05}.exe	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe
File created	C:\Windows\{53EE257D-9FD4-4518-8E2E-B64E632C0702}.exe	{86254E42-6702-491e-B063-B41B859BE061}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1828	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe
Token: SeIncBasePriorityPrivilege	2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe
Token: SeIncBasePriorityPrivilege	2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe
Token: SeIncBasePriorityPrivilege	1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe
Token: SeIncBasePriorityPrivilege	3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe
Token: SeIncBasePriorityPrivilege	1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe
Token: SeIncBasePriorityPrivilege	436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe
Token: SeIncBasePriorityPrivilege	1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe
Token: SeIncBasePriorityPrivilege	3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe
Token: SeIncBasePriorityPrivilege	1932	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe
Token: SeIncBasePriorityPrivilege	2696	{86254E42-6702-491e-B063-B41B859BE061}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 656	1828	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	94
PID 1828 wrote to memory of 656	1828	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	94
PID 1828 wrote to memory of 656	1828	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	94
PID 1828 wrote to memory of 2384	1828	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	95
PID 1828 wrote to memory of 2384	1828	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	95
PID 1828 wrote to memory of 2384	1828	2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe	95
PID 656 wrote to memory of 2080	656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe	97
PID 656 wrote to memory of 2080	656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe	97
PID 656 wrote to memory of 2080	656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe	97
PID 656 wrote to memory of 4284	656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe	98
PID 656 wrote to memory of 4284	656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe	98
PID 656 wrote to memory of 4284	656	{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe	98
PID 2080 wrote to memory of 2756	2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe	102
PID 2080 wrote to memory of 2756	2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe	102
PID 2080 wrote to memory of 2756	2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe	102
PID 2080 wrote to memory of 4952	2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe	103
PID 2080 wrote to memory of 4952	2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe	103
PID 2080 wrote to memory of 4952	2080	{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe	103
PID 2756 wrote to memory of 1480	2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe	105
PID 2756 wrote to memory of 1480	2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe	105
PID 2756 wrote to memory of 1480	2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe	105
PID 2756 wrote to memory of 1776	2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe	106
PID 2756 wrote to memory of 1776	2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe	106
PID 2756 wrote to memory of 1776	2756	{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe	106
PID 1480 wrote to memory of 3220	1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe	107
PID 1480 wrote to memory of 3220	1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe	107
PID 1480 wrote to memory of 3220	1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe	107
PID 1480 wrote to memory of 1364	1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe	108
PID 1480 wrote to memory of 1364	1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe	108
PID 1480 wrote to memory of 1364	1480	{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe	108
PID 3220 wrote to memory of 1636	3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe	114
PID 3220 wrote to memory of 1636	3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe	114
PID 3220 wrote to memory of 1636	3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe	114
PID 3220 wrote to memory of 2964	3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe	115
PID 3220 wrote to memory of 2964	3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe	115
PID 3220 wrote to memory of 2964	3220	{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe	115
PID 1636 wrote to memory of 436	1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe	116
PID 1636 wrote to memory of 436	1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe	116
PID 1636 wrote to memory of 436	1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe	116
PID 1636 wrote to memory of 1448	1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe	117
PID 1636 wrote to memory of 1448	1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe	117
PID 1636 wrote to memory of 1448	1636	{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe	117
PID 436 wrote to memory of 1524	436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe	121
PID 436 wrote to memory of 1524	436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe	121
PID 436 wrote to memory of 1524	436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe	121
PID 436 wrote to memory of 1928	436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe	122
PID 436 wrote to memory of 1928	436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe	122
PID 436 wrote to memory of 1928	436	{08A69D69-1262-4e05-A745-58CA64DF775F}.exe	122
PID 1524 wrote to memory of 3408	1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe	123
PID 1524 wrote to memory of 3408	1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe	123
PID 1524 wrote to memory of 3408	1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe	123
PID 1524 wrote to memory of 1776	1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe	124
PID 1524 wrote to memory of 1776	1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe	124
PID 1524 wrote to memory of 1776	1524	{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe	124
PID 3408 wrote to memory of 1932	3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe	125
PID 3408 wrote to memory of 1932	3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe	125
PID 3408 wrote to memory of 1932	3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe	125
PID 3408 wrote to memory of 2852	3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe	126
PID 3408 wrote to memory of 2852	3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe	126
PID 3408 wrote to memory of 2852	3408	{9457A142-035F-449c-B7D7-99E9F518DC05}.exe	126
PID 1932 wrote to memory of 2696	1932	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe	127
PID 1932 wrote to memory of 2696	1932	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe	127
PID 1932 wrote to memory of 2696	1932	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe	127
PID 1932 wrote to memory of 1120	1932	{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_f7d7eb6c166f378d7305595537ac530f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe
  C:\Windows\{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe
    C:\Windows\{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe
      C:\Windows\{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe
        
        C:\Windows\{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe
        
        C:\Windows\{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe
        
        C:\Windows\{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{08A69D69-1262-4e05-A745-58CA64DF775F}.exe
        
        C:\Windows\{08A69D69-1262-4e05-A745-58CA64DF775F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe
        
        C:\Windows\{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{9457A142-035F-449c-B7D7-99E9F518DC05}.exe
        
        C:\Windows\{9457A142-035F-449c-B7D7-99E9F518DC05}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe
        
        C:\Windows\{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{86254E42-6702-491e-B063-B41B859BE061}.exe
        
        C:\Windows\{86254E42-6702-491e-B063-B41B859BE061}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{53EE257D-9FD4-4518-8E2E-B64E632C0702}.exe
        
        C:\Windows\{53EE257D-9FD4-4518-8E2E-B64E632C0702}.exe
        13⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86254~1.EXE > nul
        13⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38327~1.EXE > nul
        12⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9457A~1.EXE > nul
        11⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1699~1.EXE > nul
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08A69~1.EXE > nul
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2389A~1.EXE > nul
        8⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0856~1.EXE > nul
        7⤵
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B50F~1.EXE > nul
        6⤵
        
        PID:1364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DE24~1.EXE > nul
        5⤵
        
        PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{527AC~1.EXE > nul
      4⤵
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD5EB~1.EXE > nul
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08A69D69-1262-4e05-A745-58CA64DF775F}.exe

Filesize
168KB

MD5
2aeb871e879ae3f01adff89150c3c819

SHA1
c9d10ad6b9b4448bb6b4e90cb5aa9b3c030e2010

SHA256
88a47f76de125ba457146ce8f891535c24ba4bdae6e337be99a5e980cd41b940

SHA512
eba46062dd8e5d924f44523b7de3de6c403ceb16e49646cbbcaff21d6b7e632d1ccf336792cc66ef37663a355195203caf3b4fd2f93e1106080dc8c7d524414f

Download Submit
C:\Windows\{1DE249D6-B87D-4480-93A7-1B674135EC0B}.exe

Filesize
168KB

MD5
4f8d93c9a85d871b29277e976a8b0a85

SHA1
890e60aa9ee76736e7c97c4baf126668b6982b09

SHA256
5b632ecaedc7a7c42b40e07ae2d97b878b9524f817448de5d80a388351f042f3

SHA512
e1a99d97917c553d76bef8d8686e9d38ddc904627549e84a7e8cd969174a86dffb456096de03c6fd5ecfd54303a4e8db37beaaad320d92f417c6c2cf9a365131

Download Submit
C:\Windows\{2389A21B-B3E2-43b3-A866-71B8F69D83B3}.exe

Filesize
168KB

MD5
096eca1a17c7f9a49b76df4fa96b0415

SHA1
d00bc6d29a34844210592d7d18d659a794949952

SHA256
abe3ea443738e8929ec8bd0a9f75106d43af6a068c2d39659328c98e4e478704

SHA512
805ec9c0d192bb08089cac9411b8873452f6a71ff17feb23c161906e0fa51aa85719015caa51afb3a701760718105074a88d75aaf166760e43b6f69fb40f08c1

Download Submit
C:\Windows\{38327F77-56F2-4e08-8D5F-6DD777F9959F}.exe

Filesize
168KB

MD5
098740edcd57864bce1472de10b2566b

SHA1
31a8864610e1cba38bf60af2cdf45e7bd9eaa2dd

SHA256
7249bb27620cfc40f033ed0e563691431e147b654b1fe201b38bf7adb889bce6

SHA512
0595ebe90bb1804949576f61003a156e6dd052b631b43936b8c1105efeadf121a7e68344baa29aef93dc43dd51c5fa891c2a17b836db1ff4720e6032e3317cd9

Download Submit
C:\Windows\{527AC684-31F4-4cb3-B96C-F3FFD6BFDDD3}.exe

Filesize
168KB

MD5
1755869ec59955dccd73e6483e4c174d

SHA1
622c40a06fff16649b1daa056e7c5693543e654f

SHA256
32eb12fdfa39d4d12bf12e124a0b71e6640be546fe8218d63bc96537047d5071

SHA512
f6b53fd2ca63f7388326fae6fc9343a9bddd457e4f1bfc01991bd7c9f0a55546a9de5d3a51af6049867836c45f9d243f037946926ce90182d9b762aa90054674

Download Submit
C:\Windows\{53EE257D-9FD4-4518-8E2E-B64E632C0702}.exe

Filesize
168KB

MD5
bb775fc5f7f7e0715afc4b33b7bdcb70

SHA1
3b3f94ad9423a6820f4b48c27ed5b6f4125c78ee

SHA256
cb4a2a0c343219ca190e1c54657fe1d214206839eb90ce4e98780d3638db5628

SHA512
38cd647dc999095bc9d75295ed21ef83897b1e4a8c2cd31cd0c341e1d09fd2a2eaa478689fe93b8027232a6aa57eba10f6cf23d5b91d00c315fee0fdd240e1a1

Download Submit
C:\Windows\{6B50FED6-CE33-4a25-9D27-50C4859C53FF}.exe

Filesize
168KB

MD5
1030228e188890b98d88528be184b888

SHA1
2db6d3bbb683513c7d6bee901d126cc12fec9bf4

SHA256
05bdca7d6fa1736b8e661716387d2aaf5f91e5ac1ce55ccea5d32047af029ac4

SHA512
f32d12e3cc07452e0648195b82decdda7b97266bab49d538868ec669c2248e440daef81655e4f9d28b1116b70c582145d573c30f2c0f79e13bec5a9d0fa6d4d9

Download Submit
C:\Windows\{86254E42-6702-491e-B063-B41B859BE061}.exe

Filesize
168KB

MD5
e6813b3a799c3c5ec4d56f258813f7b2

SHA1
38dfe4308f36bdec55beadf7edf7a7ddd055ce9b

SHA256
f2aee9a24b9a9eec6c38a29cd36d59839b4ec08a25f52ee7dcb29bfe9d714ada

SHA512
eb007e17862f8098a36a45f2102f24c8370e46d836d8387ee5ef8ba94943174fa613a47e1dab99cf09b8589e93460dc402eb2e00b6c564ddc40062dacd8c3f0f

Download Submit
C:\Windows\{9457A142-035F-449c-B7D7-99E9F518DC05}.exe

Filesize
168KB

MD5
0bc0484a0f2cb02f947607752b035df5

SHA1
22ed7baaba27d5cda2d8dd9549a67f880d4dd88a

SHA256
20d465070dcf4b4975809a5c2da87a77645435b24c235f347258684229ac5cce

SHA512
eaaba77d4c4d2be743eedadf37620fbb0fabd636e51eb09a36e5d15577dbf3239f58d46de4096fc6a139db931f875e730625b749caa49b8a37f6985fd597f7e7

Download Submit
C:\Windows\{D085670E-DCB7-404f-BCC4-3ABDD5570FF4}.exe

Filesize
168KB

MD5
cf608d01dad4d63b6f2999f07c49c6db

SHA1
11954f601cf767e78e25d37d5d83dd94f6667d3b

SHA256
4f34f8aceb74476fdbac4482c28387498a590beb5c7bf06699faf36f7b7af463

SHA512
527511ab53370fc189157c9eea051166af64a2bd802281150a65644c522d53c0d8b688879c47ac0d33e13678ff4455216b55af6aa26d9d4e32ae08ecde79e629

Download Submit
C:\Windows\{DD5EB491-C7D3-4d72-96AD-152CF06B0DDE}.exe

Filesize
168KB

MD5
3329caaaac47a2044237bd82960a7250

SHA1
f9dbfc6c0437dee85bb376064f7f2fb651d92130

SHA256
400b97e9c9ba6b39955411c1aae4c47f2b3ae853a64fd629a8dd065f47dd8f81

SHA512
e047f2b4940dc86072354bbb5ade721062ff69810102743285f7c511d73487639609e2f15deeb1ac335d325449735224ca6dfdd90ab1577a5571839360dd4e46

Download Submit
C:\Windows\{E1699AB7-B41D-4a7d-9DDE-241C2CE7EEB5}.exe

Filesize
168KB

MD5
6357c9c546b6be5998742c4b15af6684

SHA1
f081c1085014c7dbaed0dc8d2cd3fb0d810e678a

SHA256
e81a6b8cc6771fb8411c76330a32faf09a4c97ac9b9f7db57e871f4b4fdbfbeb

SHA512
3b6f9e4a36fbf954983f8c13833b6fb908f67212872f0497ef5d4682988246287fa148d0f8ebabac47eef422edd2d2b6655c1537bafeea412e1e5133deb8bbe1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads