03a2a0051147cf96b113a0f1bd31e60b2889552059d108b93ad604136a1c753a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe
Size

197KB
MD5

47db9e651bb826b9bd3956272695f716
SHA1

93903c448da057c528c5abbd8cd87061d160fc1e
SHA256

03a2a0051147cf96b113a0f1bd31e60b2889552059d108b93ad604136a1c753a
SHA512

720c4286e8a7fb5849347e4724380ec94b1f14f70e25daa6b4c8f6e8617ea21ef58ebe5896d11493349837202f23e4bf6abeed12c084ca94451a6aabcd0a7344
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGMlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233fe-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000233ff-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e752-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233ff-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e752-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023409-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e752-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023409-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e752-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f9-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e752-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002334d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D42008-D0F1-4d53-B191-980F139DC375}\stubpath = "C:\\Windows\\{61D42008-D0F1-4d53-B191-980F139DC375}.exe"	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFB2307D-2045-4c1d-84C0-B42579366DA2}\stubpath = "C:\\Windows\\{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe"	{61D42008-D0F1-4d53-B191-980F139DC375}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{939AF9A9-27A8-4988-92C0-2E340EE3CD85}	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{939AF9A9-27A8-4988-92C0-2E340EE3CD85}\stubpath = "C:\\Windows\\{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe"	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}\stubpath = "C:\\Windows\\{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe"	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C07254-30C3-4dba-B118-D11034EED73E}\stubpath = "C:\\Windows\\{78C07254-30C3-4dba-B118-D11034EED73E}.exe"	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}\stubpath = "C:\\Windows\\{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe"	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052823CF-F621-49e6-92D2-E853FBC6E649}\stubpath = "C:\\Windows\\{052823CF-F621-49e6-92D2-E853FBC6E649}.exe"	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C07254-30C3-4dba-B118-D11034EED73E}	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F729170-2C03-47cf-8710-5B0B82D876D3}	{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}	{78C07254-30C3-4dba-B118-D11034EED73E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052823CF-F621-49e6-92D2-E853FBC6E649}	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}\stubpath = "C:\\Windows\\{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe"	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F729170-2C03-47cf-8710-5B0B82D876D3}\stubpath = "C:\\Windows\\{6F729170-2C03-47cf-8710-5B0B82D876D3}.exe"	{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36014A9A-94F8-40b6-90CE-8D74387E040E}\stubpath = "C:\\Windows\\{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe"	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}\stubpath = "C:\\Windows\\{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe"	{78C07254-30C3-4dba-B118-D11034EED73E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D42008-D0F1-4d53-B191-980F139DC375}	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFB2307D-2045-4c1d-84C0-B42579366DA2}	{61D42008-D0F1-4d53-B191-980F139DC375}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}\stubpath = "C:\\Windows\\{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe"	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36014A9A-94F8-40b6-90CE-8D74387E040E}	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe

Executes dropped EXE 12 IoCs

pid	Process
368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe
4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe
2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe
2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe
2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe
4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe
1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe
212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe
5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe
5096	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe
3164	{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe
1616	{6F729170-2C03-47cf-8710-5B0B82D876D3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe
File created	C:\Windows\{6F729170-2C03-47cf-8710-5B0B82D876D3}.exe	{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe
File created	C:\Windows\{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe
File created	C:\Windows\{78C07254-30C3-4dba-B118-D11034EED73E}.exe	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe
File created	C:\Windows\{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe
File created	C:\Windows\{61D42008-D0F1-4d53-B191-980F139DC375}.exe	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe
File created	C:\Windows\{052823CF-F621-49e6-92D2-E853FBC6E649}.exe	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe
File created	C:\Windows\{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe
File created	C:\Windows\{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe	{78C07254-30C3-4dba-B118-D11034EED73E}.exe
File created	C:\Windows\{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe	{61D42008-D0F1-4d53-B191-980F139DC375}.exe
File created	C:\Windows\{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe
File created	C:\Windows\{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	908	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe
Token: SeIncBasePriorityPrivilege	368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe
Token: SeIncBasePriorityPrivilege	4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe
Token: SeIncBasePriorityPrivilege	2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe
Token: SeIncBasePriorityPrivilege	2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe
Token: SeIncBasePriorityPrivilege	2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe
Token: SeIncBasePriorityPrivilege	4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe
Token: SeIncBasePriorityPrivilege	1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe
Token: SeIncBasePriorityPrivilege	212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe
Token: SeIncBasePriorityPrivilege	5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe
Token: SeIncBasePriorityPrivilege	5096	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe
Token: SeIncBasePriorityPrivilege	3164	{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 368	908	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe	100
PID 908 wrote to memory of 368	908	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe	100
PID 908 wrote to memory of 368	908	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe	100
PID 908 wrote to memory of 3308	908	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe	101
PID 908 wrote to memory of 3308	908	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe	101
PID 908 wrote to memory of 3308	908	2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe	101
PID 368 wrote to memory of 4332	368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe	102
PID 368 wrote to memory of 4332	368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe	102
PID 368 wrote to memory of 4332	368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe	102
PID 368 wrote to memory of 1536	368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe	103
PID 368 wrote to memory of 1536	368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe	103
PID 368 wrote to memory of 1536	368	{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe	103
PID 4332 wrote to memory of 2040	4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe	106
PID 4332 wrote to memory of 2040	4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe	106
PID 4332 wrote to memory of 2040	4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe	106
PID 4332 wrote to memory of 2068	4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe	107
PID 4332 wrote to memory of 2068	4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe	107
PID 4332 wrote to memory of 2068	4332	{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe	107
PID 2040 wrote to memory of 2772	2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe	108
PID 2040 wrote to memory of 2772	2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe	108
PID 2040 wrote to memory of 2772	2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe	108
PID 2040 wrote to memory of 2804	2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe	109
PID 2040 wrote to memory of 2804	2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe	109
PID 2040 wrote to memory of 2804	2040	{78C07254-30C3-4dba-B118-D11034EED73E}.exe	109
PID 2772 wrote to memory of 2776	2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe	110
PID 2772 wrote to memory of 2776	2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe	110
PID 2772 wrote to memory of 2776	2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe	110
PID 2772 wrote to memory of 1832	2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe	111
PID 2772 wrote to memory of 1832	2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe	111
PID 2772 wrote to memory of 1832	2772	{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe	111
PID 2776 wrote to memory of 4272	2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe	117
PID 2776 wrote to memory of 4272	2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe	117
PID 2776 wrote to memory of 4272	2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe	117
PID 2776 wrote to memory of 1564	2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe	118
PID 2776 wrote to memory of 1564	2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe	118
PID 2776 wrote to memory of 1564	2776	{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe	118
PID 4272 wrote to memory of 1152	4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe	119
PID 4272 wrote to memory of 1152	4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe	119
PID 4272 wrote to memory of 1152	4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe	119
PID 4272 wrote to memory of 4584	4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe	120
PID 4272 wrote to memory of 4584	4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe	120
PID 4272 wrote to memory of 4584	4272	{61D42008-D0F1-4d53-B191-980F139DC375}.exe	120
PID 1152 wrote to memory of 212	1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe	124
PID 1152 wrote to memory of 212	1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe	124
PID 1152 wrote to memory of 212	1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe	124
PID 1152 wrote to memory of 2000	1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe	125
PID 1152 wrote to memory of 2000	1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe	125
PID 1152 wrote to memory of 2000	1152	{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe	125
PID 212 wrote to memory of 5104	212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe	131
PID 212 wrote to memory of 5104	212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe	131
PID 212 wrote to memory of 5104	212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe	131
PID 212 wrote to memory of 4924	212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe	132
PID 212 wrote to memory of 4924	212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe	132
PID 212 wrote to memory of 4924	212	{052823CF-F621-49e6-92D2-E853FBC6E649}.exe	132
PID 5104 wrote to memory of 5096	5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe	133
PID 5104 wrote to memory of 5096	5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe	133
PID 5104 wrote to memory of 5096	5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe	133
PID 5104 wrote to memory of 940	5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe	134
PID 5104 wrote to memory of 940	5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe	134
PID 5104 wrote to memory of 940	5104	{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe	134
PID 5096 wrote to memory of 3164	5096	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe	135
PID 5096 wrote to memory of 3164	5096	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe	135
PID 5096 wrote to memory of 3164	5096	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe	135
PID 5096 wrote to memory of 3440	5096	{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_47db9e651bb826b9bd3956272695f716_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe
  C:\Windows\{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe
    C:\Windows\{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\{78C07254-30C3-4dba-B118-D11034EED73E}.exe
      C:\Windows\{78C07254-30C3-4dba-B118-D11034EED73E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe
        
        C:\Windows\{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe
        
        C:\Windows\{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{61D42008-D0F1-4d53-B191-980F139DC375}.exe
        
        C:\Windows\{61D42008-D0F1-4d53-B191-980F139DC375}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe
        
        C:\Windows\{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{052823CF-F621-49e6-92D2-E853FBC6E649}.exe
        
        C:\Windows\{052823CF-F621-49e6-92D2-E853FBC6E649}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe
        
        C:\Windows\{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe
        
        C:\Windows\{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe
        
        C:\Windows\{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\{6F729170-2C03-47cf-8710-5B0B82D876D3}.exe
        
        C:\Windows\{6F729170-2C03-47cf-8710-5B0B82D876D3}.exe
        13⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36014~1.EXE > nul
        13⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB56F~1.EXE > nul
        12⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA7C3~1.EXE > nul
        11⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05282~1.EXE > nul
        10⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB23~1.EXE > nul
        9⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61D42~1.EXE > nul
        8⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D747~1.EXE > nul
        7⤵
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1652F~1.EXE > nul
        6⤵
        
        PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78C07~1.EXE > nul
        5⤵
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD54~1.EXE > nul
      4⤵
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{939AF~1.EXE > nul
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{052823CF-F621-49e6-92D2-E853FBC6E649}.exe

Filesize
197KB

MD5
bf93a78ddaef8f281d8386c6141c16db

SHA1
b794a0ebfbf43d96dd825bcdec3745f9aaefd130

SHA256
325edbb70b5298d832002b69e2534f0d864b91974b1ab0b2e02bf51a7269c063

SHA512
4cf10c27fcab37ac8cb314c75054d9cba70950f30392c70a92bb80ccd2306ea9f05873f92850fe4647ff691b4e1ec1b8d4cb51fda0104caa5b258a68a5fa8d6c

Download Submit
C:\Windows\{1652FD6B-FFF6-47d1-A7E7-435FD46BCC28}.exe

Filesize
197KB

MD5
0734192ff0090cbc5a60e11fb79c2f32

SHA1
d8981e4b2f1459ab6f64f00c11726e9bacf1ecea

SHA256
89b21f54f90cdf3f0b743a7c4ba218139357196703b16d71e53ec9369fa6c15b

SHA512
63a61caf4ca02844bd1ba39cf6e4ed08c4cb89cf9e726c8a39688c213bfa84176b96f74afc8e2fbe7db1349a307bd9b142de98e8fcfd03e51f0628e89664607d

Download Submit
C:\Windows\{2D747F86-5484-4ce0-ABAC-43CE9532D7E3}.exe

Filesize
197KB

MD5
f6b12f29ba5aec1f84f5d4520965b189

SHA1
d4763a9a0cab6485d701dfa14d5aee1307560656

SHA256
b156a42a85ec2bc7c890f25c11d59512d10840f4fa8928bd9d7bdeb9997cfa31

SHA512
8515d9e4d4ac4656951c8428193f2211b93616dd52cdbb5b76e68c41e4755c1f4a0553ac1bd0880b8ea0aac70e1a8ca093e0013cb990888dc7263475dbc81ae0

Download Submit
C:\Windows\{36014A9A-94F8-40b6-90CE-8D74387E040E}.exe

Filesize
197KB

MD5
96ddc98910408c8971305963c8137986

SHA1
267de1ca846dd5e2ed9df3c2e00f8b53dc2d4a81

SHA256
062b39743a9ff597c6f8b368439c6194144094fbec5cebda9bdfb02d050b3217

SHA512
326819e7704c1ec69aa5cf0972ad91833dffd849b8edf65864d7223ea145d1f0b25e193a15339faefb809661694d6606e45153f793cb04abef750a755d7d2228

Download Submit
C:\Windows\{61D42008-D0F1-4d53-B191-980F139DC375}.exe

Filesize
197KB

MD5
c929d7a938105c2c5edccdb4fca8a1f9

SHA1
00d30006c9a96b0be4f73dffc82e584a75ff02a6

SHA256
a2f293b0e9a3773637ae365e4840b31ea683b1680ec5a0072283d9d05674fca7

SHA512
b8028fdd814f7eaa49ad667bf212ec7177cbb2b941c7d2322a404c2573ee35af5cfeb457fd22231f868325e8e473bdf1da3a0512ebb4b5a1ed185ad50875f2e5

Download Submit
C:\Windows\{6F729170-2C03-47cf-8710-5B0B82D876D3}.exe

Filesize
197KB

MD5
846b204453164251848dab560bf49f3a

SHA1
0d42d68f197c7a9dcdb4bdd034e1291cb8800cf5

SHA256
f080944f44f569da1d21e6ebcbff3ba623ad2942ee84b1d6bd9dc1a8beec31a7

SHA512
1f26c356b4d6d9f49246b36c9c4aaeb6752265f17796e0090c8d9b2cc2f2679bb6ce9467d14191b288ab636cc6bfa8dec7c5601d996ecb554cd2a5195512ce5e

Download Submit
C:\Windows\{78C07254-30C3-4dba-B118-D11034EED73E}.exe

Filesize
197KB

MD5
53869ca0209a28e7e5a8108c706a5068

SHA1
41ab2a9d59b414d127ba374102da1160f79e845d

SHA256
f61bd2efa9198763009b8538f3f16aa73daa9a4b544ca0f40014a0f345b97ec9

SHA512
0a3ac09d5120e18b0687585f649a184e7a47311fc00e1f6fbaef57917caacc63e628e4529cb3dfba42e7875a8e07a564d261448a4ee13d28d3562a238bcac6a3

Download Submit
C:\Windows\{939AF9A9-27A8-4988-92C0-2E340EE3CD85}.exe

Filesize
197KB

MD5
77a2c21272805559b3f7110fa395e0c6

SHA1
7811641e66550cb21771dc6df2bfc1745b28c9f0

SHA256
c5766c80b4bd2d722db77bb1fa38360de5e8dbb7d27ece751ea8c564201dab51

SHA512
50bbdd7c342682ca82e9dfcaceda33d2dccc54b735ea178090bfba5b7bafa4083db1cbfefc5038eef9c3c20662b08f2ec88f65d6f3e58bdeaa491d484f2739d5

Download Submit
C:\Windows\{AB56FADF-58F3-4eb8-9EA9-AE0BD0660CD3}.exe

Filesize
197KB

MD5
d9e9cfc70bf889a4890a275ee6f758e3

SHA1
22ffd1dec1ef81de7211a6ea1c41f8fb6122ac70

SHA256
06c349c2f98496e0f2dc651e152ce91d66eb991afdb52e36f517a3a34f798cb5

SHA512
c6351f890e143354f71e6fdc33244eb6273762272d802ba419926cbd7ec23d6b08ab21a3aa80ca7b35132a8a88220ac3a8828b1fed4147bc5f20ec58dbfed1e2

Download Submit
C:\Windows\{BA7C3C75-93F6-4fc5-B65E-9DB78B484B33}.exe

Filesize
197KB

MD5
f0e6784a12fbf4ad02bb74d1960f6064

SHA1
8e3aeb0b5ec7afdbf7d6b7e9462c93507b7ef33d

SHA256
b8d70fc547bf9aacc11ec1ce361a8a676097e4bfa8bdcf63f979435f5dfb0de5

SHA512
9f3cb4c41d5616f7e21cc0224158ff382e65b85898c5882058a3c56faa86aad227f1e79ff35ded53b2a28a0762e426e2fe699225621d777354ab1199e31c2b12

Download Submit
C:\Windows\{BFB2307D-2045-4c1d-84C0-B42579366DA2}.exe

Filesize
197KB

MD5
1a383df88b66c6ab7830f37100f9f5d2

SHA1
0e6f42411e9104213a75b430ae2864536502ae6c

SHA256
003bbe77741eb0ab78d6bc515d653ffa4a004e803a138980ec55b7a89ecf6a1d

SHA512
cda6e2edb63eb9c492e7eaa83e4cde58917b14d6f5d2768f5ea5010c326de7e8e624fabdef78464382e31b8eafaecbbc8b2b1889d212bf5766b3f1d3a766b1ee

Download Submit
C:\Windows\{DCD54E4B-D0C8-46fe-8AE0-532AA29CCB6D}.exe

Filesize
197KB

MD5
ebbc12fc365a5366e01e151e8b16c6fd

SHA1
d7fac09db6e480b78a3c7006ee11ce854d077d7e

SHA256
6e90d12d84710c51fc16a9d3ef679afcb2c35d2428d7a55d999b3ed0fc50e60a

SHA512
393f02bfbbae3c9ce633f46321ec07ca964f354e181e9ee183abb8bf7b79e673f872db348ff7fedbb40a20fe52c0d1e5e24313e113f9aa278ab38057859ae11c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads