514cb7f711fba5e8c007f89c1bbf412f832c73ce16d52124381b290f8cc05f93

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe
Size

372KB
MD5

bc9183935bae8bb259558bdbc920676f
SHA1

ab7458632fc87b9a265ae6acc83e231d50826dc7
SHA256

514cb7f711fba5e8c007f89c1bbf412f832c73ce16d52124381b290f8cc05f93
SHA512

d9aebfac4f7d9339e3d6fd20259313f19fe6c855e0e76e001c1ee4d86ca77ffef08b3102e756497c1b1b83d0c43a8f6fee99ea20d0d7690f09996f74a5dd7dcd
SSDEEP

3072:CEGh0odlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGPlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023372-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000233f2-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233fa-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233f2-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233fa-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233fd-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233fa-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233fd-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00180000000233f2-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023374-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00190000000233f2-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002335f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37F5DAED-D998-4cf4-8BEA-74741C4194A3}\stubpath = "C:\\Windows\\{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe"	{14D70404-F840-4df2-8188-50A461A00F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4756DA56-6EF0-4c2a-8990-3AED383E3B66}\stubpath = "C:\\Windows\\{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe"	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}\stubpath = "C:\\Windows\\{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe"	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C7EB5E0-85BB-4cf2-B421-79B372585F71}\stubpath = "C:\\Windows\\{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe"	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F04BEDCD-57CF-4943-9426-51AB0D874E50}\stubpath = "C:\\Windows\\{F04BEDCD-57CF-4943-9426-51AB0D874E50}.exe"	{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}\stubpath = "C:\\Windows\\{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe"	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D70404-F840-4df2-8188-50A461A00F35}	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4756DA56-6EF0-4c2a-8990-3AED383E3B66}	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91EF7059-077B-4597-AA74-4BCF4B877A97}	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91EF7059-077B-4597-AA74-4BCF4B877A97}\stubpath = "C:\\Windows\\{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe"	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F04BEDCD-57CF-4943-9426-51AB0D874E50}	{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D09120CC-37AC-43e5-B067-B3F1E1576849}\stubpath = "C:\\Windows\\{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe"	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}\stubpath = "C:\\Windows\\{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe"	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C7EB5E0-85BB-4cf2-B421-79B372585F71}	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B5A5F0F-64A1-4101-8B39-79BD66004683}	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D09120CC-37AC-43e5-B067-B3F1E1576849}	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D70404-F840-4df2-8188-50A461A00F35}\stubpath = "C:\\Windows\\{14D70404-F840-4df2-8188-50A461A00F35}.exe"	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37F5DAED-D998-4cf4-8BEA-74741C4194A3}	{14D70404-F840-4df2-8188-50A461A00F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}\stubpath = "C:\\Windows\\{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe"	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B5A5F0F-64A1-4101-8B39-79BD66004683}\stubpath = "C:\\Windows\\{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe"	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe

Executes dropped EXE 12 IoCs

pid	Process
3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe
1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe
4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe
4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe
4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe
3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe
3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe
3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe
4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe
2684	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe
2968	{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe
4912	{F04BEDCD-57CF-4943-9426-51AB0D874E50}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe	{14D70404-F840-4df2-8188-50A461A00F35}.exe
File created	C:\Windows\{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe
File created	C:\Windows\{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe
File created	C:\Windows\{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe
File created	C:\Windows\{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe
File created	C:\Windows\{14D70404-F840-4df2-8188-50A461A00F35}.exe	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe
File created	C:\Windows\{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe
File created	C:\Windows\{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe
File created	C:\Windows\{F04BEDCD-57CF-4943-9426-51AB0D874E50}.exe	{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe
File created	C:\Windows\{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe
File created	C:\Windows\{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe
File created	C:\Windows\{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4012	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe
Token: SeIncBasePriorityPrivilege	1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe
Token: SeIncBasePriorityPrivilege	4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe
Token: SeIncBasePriorityPrivilege	4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe
Token: SeIncBasePriorityPrivilege	4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe
Token: SeIncBasePriorityPrivilege	3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe
Token: SeIncBasePriorityPrivilege	3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe
Token: SeIncBasePriorityPrivilege	3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe
Token: SeIncBasePriorityPrivilege	4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe
Token: SeIncBasePriorityPrivilege	2684	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe
Token: SeIncBasePriorityPrivilege	2968	{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 3164	4012	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe	99
PID 4012 wrote to memory of 3164	4012	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe	99
PID 4012 wrote to memory of 3164	4012	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe	99
PID 4012 wrote to memory of 2456	4012	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe	100
PID 4012 wrote to memory of 2456	4012	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe	100
PID 4012 wrote to memory of 2456	4012	2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe	100
PID 3164 wrote to memory of 1644	3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe	102
PID 3164 wrote to memory of 1644	3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe	102
PID 3164 wrote to memory of 1644	3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe	102
PID 3164 wrote to memory of 4464	3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe	103
PID 3164 wrote to memory of 4464	3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe	103
PID 3164 wrote to memory of 4464	3164	{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe	103
PID 1644 wrote to memory of 4348	1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe	106
PID 1644 wrote to memory of 4348	1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe	106
PID 1644 wrote to memory of 4348	1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe	106
PID 1644 wrote to memory of 4400	1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe	107
PID 1644 wrote to memory of 4400	1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe	107
PID 1644 wrote to memory of 4400	1644	{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe	107
PID 4348 wrote to memory of 4800	4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe	108
PID 4348 wrote to memory of 4800	4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe	108
PID 4348 wrote to memory of 4800	4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe	108
PID 4348 wrote to memory of 5076	4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe	109
PID 4348 wrote to memory of 5076	4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe	109
PID 4348 wrote to memory of 5076	4348	{14D70404-F840-4df2-8188-50A461A00F35}.exe	109
PID 4800 wrote to memory of 4640	4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe	110
PID 4800 wrote to memory of 4640	4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe	110
PID 4800 wrote to memory of 4640	4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe	110
PID 4800 wrote to memory of 3556	4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe	111
PID 4800 wrote to memory of 3556	4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe	111
PID 4800 wrote to memory of 3556	4800	{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe	111
PID 4640 wrote to memory of 3308	4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe	116
PID 4640 wrote to memory of 3308	4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe	116
PID 4640 wrote to memory of 3308	4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe	116
PID 4640 wrote to memory of 3512	4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe	117
PID 4640 wrote to memory of 3512	4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe	117
PID 4640 wrote to memory of 3512	4640	{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe	117
PID 3308 wrote to memory of 3520	3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe	118
PID 3308 wrote to memory of 3520	3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe	118
PID 3308 wrote to memory of 3520	3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe	118
PID 3308 wrote to memory of 3164	3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe	119
PID 3308 wrote to memory of 3164	3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe	119
PID 3308 wrote to memory of 3164	3308	{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe	119
PID 3520 wrote to memory of 3616	3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe	122
PID 3520 wrote to memory of 3616	3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe	122
PID 3520 wrote to memory of 3616	3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe	122
PID 3520 wrote to memory of 4400	3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe	123
PID 3520 wrote to memory of 4400	3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe	123
PID 3520 wrote to memory of 4400	3520	{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe	123
PID 3616 wrote to memory of 4376	3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe	129
PID 3616 wrote to memory of 4376	3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe	129
PID 3616 wrote to memory of 4376	3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe	129
PID 3616 wrote to memory of 4424	3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe	130
PID 3616 wrote to memory of 4424	3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe	130
PID 3616 wrote to memory of 4424	3616	{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe	130
PID 4376 wrote to memory of 2684	4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe	131
PID 4376 wrote to memory of 2684	4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe	131
PID 4376 wrote to memory of 2684	4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe	131
PID 4376 wrote to memory of 728	4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe	132
PID 4376 wrote to memory of 728	4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe	132
PID 4376 wrote to memory of 728	4376	{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe	132
PID 2684 wrote to memory of 2968	2684	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe	133
PID 2684 wrote to memory of 2968	2684	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe	133
PID 2684 wrote to memory of 2968	2684	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe	133
PID 2684 wrote to memory of 2420	2684	{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe
  C:\Windows\{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe
    C:\Windows\{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\{14D70404-F840-4df2-8188-50A461A00F35}.exe
      C:\Windows\{14D70404-F840-4df2-8188-50A461A00F35}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe
        
        C:\Windows\{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe
        
        C:\Windows\{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe
        
        C:\Windows\{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe
        
        C:\Windows\{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe
        
        C:\Windows\{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe
        
        C:\Windows\{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe
        
        C:\Windows\{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe
        
        C:\Windows\{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{F04BEDCD-57CF-4943-9426-51AB0D874E50}.exe
        
        C:\Windows\{F04BEDCD-57CF-4943-9426-51AB0D874E50}.exe
        13⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B5A5~1.EXE > nul
        13⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C7EB~1.EXE > nul
        12⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC4A6~1.EXE > nul
        11⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91EF7~1.EXE > nul
        10⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02DB3~1.EXE > nul
        9⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9C8F~1.EXE > nul
        8⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4756D~1.EXE > nul
        7⤵
        
        PID:3512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37F5D~1.EXE > nul
        6⤵
        
        PID:3556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14D70~1.EXE > nul
        5⤵
        
        PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0DDB8~1.EXE > nul
      4⤵
      PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0912~1.EXE > nul
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02DB32E7-DA4F-47b8-927E-D75C74C9C78A}.exe

Filesize
372KB

MD5
477825b5160a9ff0354ed506d400323e

SHA1
483a12134b7278d1ab11c7fff0c0877da8448c47

SHA256
c58029bd134441f9b88f35cd82b7208714e641513095ead4731db7a616a1a2ac

SHA512
edc763e2cd9a891212d4fd3c52b1f434b9e1f8ca1e8fd7c1d277d7500758b070dee82f69d7028554ab9744021c49f93379dbad4f62e6da1d07916bb2be93312f

Download Submit
C:\Windows\{0DDB87E8-B5FC-4396-8D2D-2048C1AA7112}.exe

Filesize
372KB

MD5
45682ff4ddb21e1f8d5441cff82079af

SHA1
ac6d9b34817cafcaa87659c2022103dbd2bb56b0

SHA256
8a88f3c42b17d78080082ea43795f58b862c57bbfddc97a946568c4fd7ed3b0c

SHA512
1967f9271a572e82b44eea25a5be262c85bfd5194941c1861366d401a8d0fc70e3b1d4240d135eb3336b13741fa842a56374b74da22e123942e4fcfc1e3753aa

Download Submit
C:\Windows\{14D70404-F840-4df2-8188-50A461A00F35}.exe

Filesize
372KB

MD5
a0daf2f288d09cc4a460c2515a0321da

SHA1
99c61ca92c544658befb70eec98977fda1f2d35f

SHA256
b40aad2b658e35eb4b3e2e5e1b12bff2b00dd6eac00375469c2cb94ab9d0a532

SHA512
39d3bba5b67a5b7e8938992e4b2042ce0451ed7164f67888f1b90fa6d7786b6da0c5b32b6343ba19eea3263cfe0c0985a6789221310b8758aaa95cc7318686d2

Download Submit
C:\Windows\{37F5DAED-D998-4cf4-8BEA-74741C4194A3}.exe

Filesize
372KB

MD5
fa2f11a17813823262979c3110e1f2da

SHA1
e99857498ceae7dadc9c90bb23b988f8051c64bf

SHA256
f5d4e84f151cb361f6cf4408f194ea12ad11ce041b1a414538944deeb19b8f03

SHA512
bc81ad95cfb31e3fc7965b8645d2aeb0abc3366762612b48732cb2a064ca3a50feb52c1e2dc9a3340be3ddcd4efaad4fbec542890fc9bc0bc88c4a872b7938b6

Download Submit
C:\Windows\{4756DA56-6EF0-4c2a-8990-3AED383E3B66}.exe

Filesize
372KB

MD5
ca5e5933eef4ddb36d565c19483ec546

SHA1
f6d993d6b55f2265e0c1e2f73e3ffb002c33347d

SHA256
60f663597d8fa23b81956931cef3e1ab0a473970a0e945d85961b819b818ba13

SHA512
e88f6deb6d2a4020b77f792cd56ff2314ab76aae64cec3537a2718b645374c27cce3a5cb8d09fb59687f234e08253ec4eceb054f4e9c1734147762058520a70d

Download Submit
C:\Windows\{6B5A5F0F-64A1-4101-8B39-79BD66004683}.exe

Filesize
372KB

MD5
4316107363014aa75f7056e0e16de89e

SHA1
6fcc0b7c00db4dac530670eda2ed28a82338281f

SHA256
ad38a0b37f7fb0afd7646c6ca0594337b539f9b6e60cbc2dadd0ca89a3feeab5

SHA512
ef3f12b9abb60b91737c3adebe9f58b35724949e2b2f2be46b0a5c565808fee6037408eccd9770b8337e7ab9d9231bcc67eccc97afcac77ca9a6016a90516165

Download Submit
C:\Windows\{7C7EB5E0-85BB-4cf2-B421-79B372585F71}.exe

Filesize
372KB

MD5
569e37463fd240c0cfbad0ff078e5273

SHA1
3f1cec02565cbab880caec9704fc6821800b749c

SHA256
128c97b49391f0732aaae4e692e4a1e3eba8a3feb58d12b960f9029540bfd11a

SHA512
36eac7b753967c2fb52000966b374034a02de2c01c18f802e7d414378d2754a8e6f34a4a589b5ab929d27a22a6ed5ec5d4140d19f6a32ec8b22e5506e4931d97

Download Submit
C:\Windows\{91EF7059-077B-4597-AA74-4BCF4B877A97}.exe

Filesize
372KB

MD5
1e148a638dec703d67f8a2db8117c4e2

SHA1
60c6962c174c3a862e969abdd40122f36b126c06

SHA256
765981e9cde7b10913143335a08da92772261f0b43e000398e383637ae468664

SHA512
c55e4a5ddc1858579ced5f930278e8a9d4abf6d9e41501518fa2c1e3bc67192f49c9ba46ebb6f519c4e14b41563983780b27b7e6881c753b9fb6b359150c3833

Download Submit
C:\Windows\{D09120CC-37AC-43e5-B067-B3F1E1576849}.exe

Filesize
372KB

MD5
272c33734e876751b16a0bb4910554f1

SHA1
30272d51963cd5aa11bce0a806faab9c83267746

SHA256
914484ddd14108e33bcba8dd761e07c9ef9e9beb89cafcb3dc0d8534501562ef

SHA512
9905765be0973f8dc802ac0698b9c38da0b0167889b80f17aedcabea974935abbecc6380b5a59bbf455a6acc7e6c12cd80ec77f4cf1947ede8ca99e3a5fab9fc

Download Submit
C:\Windows\{D9C8F335-DDA7-4756-B04A-4EFCF6FAE833}.exe

Filesize
372KB

MD5
e6f3910402e4f3877898f27ff224b89f

SHA1
d9e3d958f242e5369aafceaef0d2113e642397a2

SHA256
4d5445b159ff46615d0a17b040ec4dc81731db2757efa113598449f47558ac95

SHA512
5c1415da1a7a51c1caf780351e2f7f972114c64b0edf95c8a6d566c7b2c2276a16250bd665c27f3ea025866ffa1fe0c23e8108aebe65d3bc47de5617fbbda37b

Download Submit
C:\Windows\{F04BEDCD-57CF-4943-9426-51AB0D874E50}.exe

Filesize
372KB

MD5
c5fde5db2fa35a95160973e63952dfb5

SHA1
c36243dac4a0cb305c40e7a75b2e1bb64ac5123c

SHA256
6b20e138e4887eb6ff102f99a98121674927a0e9d8289be690ae474c77aa607f

SHA512
11abf4ea0a9bcb9f816eb2645ded3274f2c813e40f2c1e9389677aa4730cdb515f44484d734e9ac0814420e00d567d3a420bcc466a2a11217274220dc2751e4c

Download Submit
C:\Windows\{FC4A6421-50CF-4cb1-882F-1EC0398AF8A5}.exe

Filesize
372KB

MD5
dd308d38cd43f58d981f4c355d7e07aa

SHA1
d5f8a00cc20ba71cead5032ff8e73afb06ee0556

SHA256
cce4f650440bf0bd2d18c84f992b90531d1df5c9de1290f86bd1b711a437f124

SHA512
4853d664fc96e96015282a1a9a35896fb36099e8017fc2fadba14ae322558b00471592bc56b1f001a182aebbd7e28e11f7528b857ec9dfe77ad21975e31789b0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads