3816a0da3247a74108b8dddd209aef54d5ee4ca5417360c6ee1a63f1a964de09

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
Size

372KB
MD5

76e710fd6812c7274cdaca384023bd20
SHA1

613c2b0fd77b75e957d5b2e46951890f0cd5428a
SHA256

3816a0da3247a74108b8dddd209aef54d5ee4ca5417360c6ee1a63f1a964de09
SHA512

fcf8a7de39607f08bd5135fddb8a1e38d051d11c9a9fbbd1da1adee4b9ea40978b84ef7f7d9e12c9beff3767d6409dad8304cf7e7a2451a0be0a63318baa0407
SSDEEP

3072:CEGh0orlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023380-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233fc-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022978-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fc-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022978-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023404-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022978-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023404-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023432-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233fc-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f7-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023367-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8F93F61-BD04-4755-AF85-00A4D8EE0086}	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979D5D95-9614-467d-B848-92E3790E792F}	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14066DC3-A37F-4d9b-9F67-10A98207343B}\stubpath = "C:\\Windows\\{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe"	{979D5D95-9614-467d-B848-92E3790E792F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{278C0EC6-1C5B-4b58-99DA-D869335831DD}\stubpath = "C:\\Windows\\{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe"	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E6F8EC-EC93-4618-9B2D-412124795671}	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}\stubpath = "C:\\Windows\\{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe"	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}\stubpath = "C:\\Windows\\{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe"	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}\stubpath = "C:\\Windows\\{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe"	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979D5D95-9614-467d-B848-92E3790E792F}\stubpath = "C:\\Windows\\{979D5D95-9614-467d-B848-92E3790E792F}.exe"	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{278C0EC6-1C5B-4b58-99DA-D869335831DD}	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA490EC5-E550-4dad-88A2-D3E8F568023A}	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}	{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E6F8EC-EC93-4618-9B2D-412124795671}\stubpath = "C:\\Windows\\{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe"	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}\stubpath = "C:\\Windows\\{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe"	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8F93F61-BD04-4755-AF85-00A4D8EE0086}\stubpath = "C:\\Windows\\{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe"	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14066DC3-A37F-4d9b-9F67-10A98207343B}	{979D5D95-9614-467d-B848-92E3790E792F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA490EC5-E550-4dad-88A2-D3E8F568023A}\stubpath = "C:\\Windows\\{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe"	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}\stubpath = "C:\\Windows\\{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe"	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}\stubpath = "C:\\Windows\\{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}.exe"	{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe
4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe
3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe
3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe
1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe
4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe
3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe
4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe
456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe
4556	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe
392	{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe
696	{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{979D5D95-9614-467d-B848-92E3790E792F}.exe	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe
File created	C:\Windows\{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe
File created	C:\Windows\{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe
File created	C:\Windows\{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe
File created	C:\Windows\{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}.exe	{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe
File created	C:\Windows\{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe
File created	C:\Windows\{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe
File created	C:\Windows\{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe
File created	C:\Windows\{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe
File created	C:\Windows\{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe
File created	C:\Windows\{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
File created	C:\Windows\{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe	{979D5D95-9614-467d-B848-92E3790E792F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2460	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe
Token: SeIncBasePriorityPrivilege	4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe
Token: SeIncBasePriorityPrivilege	3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe
Token: SeIncBasePriorityPrivilege	3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe
Token: SeIncBasePriorityPrivilege	1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe
Token: SeIncBasePriorityPrivilege	4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe
Token: SeIncBasePriorityPrivilege	3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe
Token: SeIncBasePriorityPrivilege	4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe
Token: SeIncBasePriorityPrivilege	456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe
Token: SeIncBasePriorityPrivilege	4556	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe
Token: SeIncBasePriorityPrivilege	392	{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2184	2460	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	100
PID 2460 wrote to memory of 2184	2460	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	100
PID 2460 wrote to memory of 2184	2460	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	100
PID 2460 wrote to memory of 1372	2460	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	101
PID 2460 wrote to memory of 1372	2460	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	101
PID 2460 wrote to memory of 1372	2460	2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe	101
PID 2184 wrote to memory of 4380	2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe	104
PID 2184 wrote to memory of 4380	2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe	104
PID 2184 wrote to memory of 4380	2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe	104
PID 2184 wrote to memory of 3828	2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe	105
PID 2184 wrote to memory of 3828	2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe	105
PID 2184 wrote to memory of 3828	2184	{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe	105
PID 4380 wrote to memory of 3304	4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe	108
PID 4380 wrote to memory of 3304	4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe	108
PID 4380 wrote to memory of 3304	4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe	108
PID 4380 wrote to memory of 4064	4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe	109
PID 4380 wrote to memory of 4064	4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe	109
PID 4380 wrote to memory of 4064	4380	{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe	109
PID 3304 wrote to memory of 3064	3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe	110
PID 3304 wrote to memory of 3064	3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe	110
PID 3304 wrote to memory of 3064	3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe	110
PID 3304 wrote to memory of 1320	3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe	111
PID 3304 wrote to memory of 1320	3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe	111
PID 3304 wrote to memory of 1320	3304	{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe	111
PID 3064 wrote to memory of 1764	3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe	112
PID 3064 wrote to memory of 1764	3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe	112
PID 3064 wrote to memory of 1764	3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe	112
PID 3064 wrote to memory of 5080	3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe	113
PID 3064 wrote to memory of 5080	3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe	113
PID 3064 wrote to memory of 5080	3064	{979D5D95-9614-467d-B848-92E3790E792F}.exe	113
PID 1764 wrote to memory of 4252	1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe	119
PID 1764 wrote to memory of 4252	1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe	119
PID 1764 wrote to memory of 4252	1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe	119
PID 1764 wrote to memory of 4964	1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe	120
PID 1764 wrote to memory of 4964	1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe	120
PID 1764 wrote to memory of 4964	1764	{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe	120
PID 4252 wrote to memory of 3828	4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe	121
PID 4252 wrote to memory of 3828	4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe	121
PID 4252 wrote to memory of 3828	4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe	121
PID 4252 wrote to memory of 3532	4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe	122
PID 4252 wrote to memory of 3532	4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe	122
PID 4252 wrote to memory of 3532	4252	{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe	122
PID 3828 wrote to memory of 4696	3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe	123
PID 3828 wrote to memory of 4696	3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe	123
PID 3828 wrote to memory of 4696	3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe	123
PID 3828 wrote to memory of 4092	3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe	124
PID 3828 wrote to memory of 4092	3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe	124
PID 3828 wrote to memory of 4092	3828	{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe	124
PID 4696 wrote to memory of 456	4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe	129
PID 4696 wrote to memory of 456	4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe	129
PID 4696 wrote to memory of 456	4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe	129
PID 4696 wrote to memory of 3052	4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe	130
PID 4696 wrote to memory of 3052	4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe	130
PID 4696 wrote to memory of 3052	4696	{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe	130
PID 456 wrote to memory of 4556	456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe	134
PID 456 wrote to memory of 4556	456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe	134
PID 456 wrote to memory of 4556	456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe	134
PID 456 wrote to memory of 2628	456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe	135
PID 456 wrote to memory of 2628	456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe	135
PID 456 wrote to memory of 2628	456	{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe	135
PID 4556 wrote to memory of 392	4556	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe	136
PID 4556 wrote to memory of 392	4556	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe	136
PID 4556 wrote to memory of 392	4556	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe	136
PID 4556 wrote to memory of 4856	4556	{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe	137

C:\Users\Admin\AppData\Local\Temp\2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_76e710fd6812c7274cdaca384023bd20_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe
  C:\Windows\{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe
    C:\Windows\{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe
      C:\Windows\{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\{979D5D95-9614-467d-B848-92E3790E792F}.exe
        
        C:\Windows\{979D5D95-9614-467d-B848-92E3790E792F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe
        
        C:\Windows\{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe
        
        C:\Windows\{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe
        
        C:\Windows\{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe
        
        C:\Windows\{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe
        
        C:\Windows\{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe
        
        C:\Windows\{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe
        
        C:\Windows\{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}.exe
        
        C:\Windows\{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}.exe
        13⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76DCA~1.EXE > nul
        13⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55A05~1.EXE > nul
        12⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6E6F~1.EXE > nul
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9BB7~1.EXE > nul
        10⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA490~1.EXE > nul
        9⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{278C0~1.EXE > nul
        8⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14066~1.EXE > nul
        7⤵
        
        PID:4964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{979D5~1.EXE > nul
        6⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8F93~1.EXE > nul
        5⤵
        
        PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F72C~1.EXE > nul
      4⤵
      PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4DE4~1.EXE > nul
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14066DC3-A37F-4d9b-9F67-10A98207343B}.exe

Filesize
372KB

MD5
f8d53ca836d5c4c2ef4acf804d2df971

SHA1
02f33625689d4745badd1b0fd7ce8852fead0069

SHA256
7b31193f83d969cbe748b61780f1fd7e4212a7b361611d9bf08b4880b12c14e9

SHA512
46c930c242ef4352dc3973f2a5511d3fda87821151fd37bd09de4165a90a9e2b7a355472f33a46b2b3642437353e041eb424a36d57b57180877fa5161938caf1

Download Submit
C:\Windows\{1F72CB9A-FBAA-4e1d-96B8-DE897661AA23}.exe

Filesize
372KB

MD5
d73f04addd4179cf0f1da1c4bfa71af0

SHA1
1f39e9499fa341fcb83ffc4321da88c83d161d35

SHA256
932d80ea574eac6235d20b4af226578b32485ebbd1a450ee1d6534ec2ae22ba1

SHA512
f0133465e08c11fb888a9abc6b87caae570003fdeece051434d6efa629359b4e1fa1014915e7034d7d2a0ffc53c88e342c51dc715f46e1d6b9595951d001b9f7

Download Submit
C:\Windows\{278C0EC6-1C5B-4b58-99DA-D869335831DD}.exe

Filesize
372KB

MD5
b804de55c977fcfa8399ef20ed208104

SHA1
604a07c2f2d1363080d3b92c5c661876a9ffce21

SHA256
dd0241d4980f1386874c290c7a4e4614a5f41d89684314107c28e6ac0a67fe14

SHA512
fa25c9b8845e0003d3e35064d468b9f90c36aa235a23b1901ecb611b2a12ef816d733cf897a59a001c22e42197e28d1ae7341b510e68a0f3bdb7db8f9dc45909

Download Submit
C:\Windows\{55A05F62-9A9B-4c6b-97CC-64281D5C82ED}.exe

Filesize
372KB

MD5
91899b5a5ad2c095db744f136a8aed9d

SHA1
95a546bee7ea03efe7fa0bec810266da42e4677e

SHA256
9a40dc72e8cf1436ae805d06d45e45a8cf7ac4df77e3f7d5902f382b9c5615df

SHA512
82b3902cef971799cba45045a1dc9ff5c923c194ec796b5e7463d4b017abcc1d4defb60bad3dd6a3a8240310665003a471cbee39a0c7322bdaf4140b89a24ce8

Download Submit
C:\Windows\{76DCA5F4-6A63-44e9-94CA-B1BCAF7DC78B}.exe

Filesize
372KB

MD5
936f5e787eb3b74a3f1578292f6f1986

SHA1
15f6dd23c5abac56e49ddd39cf1a600878844e1a

SHA256
dae04c83784638419c8633b2c2787c952540eb507df8ab7f7b1dcc4e9055eaa4

SHA512
8c497174ed9edbefe10fe1ccf61469fc2e1a1e33956024f82557a3f0a4b5f015490cf406fa73293a2bff41e67eb3c57dbae3be3150aebb25ea89139733f44d96

Download Submit
C:\Windows\{979D5D95-9614-467d-B848-92E3790E792F}.exe

Filesize
372KB

MD5
fed8d76165bcdeb6c4c3c475bfe8b140

SHA1
1fbb410429dccf127ffb71a076174003b8fae383

SHA256
aa929deb508a385e58083c6607b37d3e7eb9e3a42f28f48bc6b4e9033c150639

SHA512
f99c686dc211f32b796bbbda3488f12d3ce7b04df8d7a6b1534627eba669070ad1167b0b557769b791c45227053447ea945d73e8773302d26cbd3493b9505c7c

Download Submit
C:\Windows\{A8F93F61-BD04-4755-AF85-00A4D8EE0086}.exe

Filesize
372KB

MD5
f1e9263dcb9849aca9cff05c400d8fec

SHA1
0e35b8b0ad9d4298533061547ef6f553b1f9aa38

SHA256
1d699c25c68c6a61ad03c43801f3fa9d4df5f399906fb6dc06880b19b73a84c0

SHA512
33b9306f25db2ceb51cf5bbb5e6455dcf8d80ad6a86b970821d9520ce0f077251cfa14be2aca4ee9df739c863985aa2ec8c0720a6ece80b401be799f418eeac3

Download Submit
C:\Windows\{B6E6F8EC-EC93-4618-9B2D-412124795671}.exe

Filesize
372KB

MD5
51259b65dec95d5089951fae9f76bb5f

SHA1
c8983ece79da09a9c2522817cf12cb7fb623a99d

SHA256
ee62e8e1c0903b1f56cb9134e64bf02dc696402db356cbfe165074f7862f56c1

SHA512
1027b7438cd0e16f840ecdb809ab851a77aadfedb5851b5401f0effdf984ebd98f7041d52255d079c0abaccafd496ce041499a1da71a893ad9c7da40162e9066

Download Submit
C:\Windows\{CA490EC5-E550-4dad-88A2-D3E8F568023A}.exe

Filesize
372KB

MD5
85a341b0a79582cd30e6988f0f7574d4

SHA1
0f77bbddbfdf257882dfd083fa6c7a09cd37c862

SHA256
8be589a97bbf99f6ba42f82addf8d6b763fd77efd4fdcce42b7bac71df4468e5

SHA512
a453a01abc777acc070181bf97b73d0407386c6fa5b1753a77c87dbfc9211772a105993698a85edce21be5123516fc707b6a278593e9937d033242fe628f408b

Download Submit
C:\Windows\{D4DE4465-2E8E-498b-8096-42F2A6CB9C74}.exe

Filesize
372KB

MD5
7ae5d5ede6b036b0ebf613567b8ece10

SHA1
fdb038302998c2b5b4a74231cfefb39fc0d07029

SHA256
da8c45d59854e89295d86061105fb552a775d11918da102d3ab1dad72a224838

SHA512
dc93b646d703c8bb6102259e283f9fc85f0261e10a33a7ebda19290642c7564b344506cd8a9b31d003485faaa8079ad9649252cb8ef0713cd00da5edfea4425e

Download Submit
C:\Windows\{E9BB7FDD-3518-40e2-825A-6EC3AA81A43B}.exe

Filesize
372KB

MD5
d379142627a90e68b46729f88f6d1964

SHA1
3ed2867a23f340c8a52befe242293abdb3ae4d7b

SHA256
ea97e792fc63928b2fe57f9c1e2a6ef5888ab648a61e94878979f232df305f36

SHA512
bebf5fd0de6061d45d897e7def7eaf28b03671feffcf3966f9aa35b5fca27f07ec6d79b446daffcedc07473758f2c540d31b9348fa446bfced1ec81819441c37

Download Submit
C:\Windows\{ED36BDEA-F15B-4d1f-8CB2-C81118464A0B}.exe

Filesize
372KB

MD5
72c75a96ced433ea914b21d17ab80b3c

SHA1
20b663e9bcf15df147f136af0a7acd490d29c18c

SHA256
39510fbbfddc18481c76470cf6822b183508ff509ab5b1870d80f824da0d1e3c

SHA512
9f28394415b0dcc3f049ef02e9e1de1e1c173c73d6352149c5c816cb7c7c87796a6b5eccc61a891621165bf095adfdb5e8a232e97e2923a4f5dc2f90cb81ba32

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads