bced06fceef1ad0ee8f2f82ec704fa3a18f34e48246598e3b288d0956035fb88

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe
Size

216KB
MD5

25fd9b6a67ca48aa908563ca90fb9345
SHA1

4edd4d6dee260ab25aa66d1a5e84d5b3cfdd0c45
SHA256

bced06fceef1ad0ee8f2f82ec704fa3a18f34e48246598e3b288d0956035fb88
SHA512

41b1e96a18ff0272ef9622a22b49555496acceccf71ebc4da6d8371ace1737008e927a514c3681fac41bdeac738c32aa4f40af45144577604c938bdea4c5ea29
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG5lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233ee-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000233f7-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c1-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023357-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000006c1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002336a-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000006c1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002334a-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000006c1-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002334a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023347-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002334a-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}\stubpath = "C:\\Windows\\{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe"	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A8E3D73-AD4C-441c-9D03-D2440150C61C}\stubpath = "C:\\Windows\\{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe"	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDEBF219-1B25-4230-91BD-428C2F624D82}	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C082E664-DF27-4246-89A7-269C53653646}	{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{599D4752-0E34-466c-B68C-0218370C8F11}	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41A1EEDA-B83A-4f88-950C-30603AE70BEF}	{599D4752-0E34-466c-B68C-0218370C8F11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C082E664-DF27-4246-89A7-269C53653646}\stubpath = "C:\\Windows\\{C082E664-DF27-4246-89A7-269C53653646}.exe"	{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A8E3D73-AD4C-441c-9D03-D2440150C61C}	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E2A7BF8-2D76-4033-8530-CD73E2160058}	{38DD462E-09F9-4260-8847-8508D9700B39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3EA1FAC-1631-4d01-BE38-32808788F296}	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}\stubpath = "C:\\Windows\\{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe"	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}\stubpath = "C:\\Windows\\{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe"	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E2A7BF8-2D76-4033-8530-CD73E2160058}\stubpath = "C:\\Windows\\{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe"	{38DD462E-09F9-4260-8847-8508D9700B39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{599D4752-0E34-466c-B68C-0218370C8F11}\stubpath = "C:\\Windows\\{599D4752-0E34-466c-B68C-0218370C8F11}.exe"	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}\stubpath = "C:\\Windows\\{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe"	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDEBF219-1B25-4230-91BD-428C2F624D82}\stubpath = "C:\\Windows\\{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe"	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DD462E-09F9-4260-8847-8508D9700B39}	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3EA1FAC-1631-4d01-BE38-32808788F296}\stubpath = "C:\\Windows\\{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe"	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41A1EEDA-B83A-4f88-950C-30603AE70BEF}\stubpath = "C:\\Windows\\{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe"	{599D4752-0E34-466c-B68C-0218370C8F11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DD462E-09F9-4260-8847-8508D9700B39}\stubpath = "C:\\Windows\\{38DD462E-09F9-4260-8847-8508D9700B39}.exe"	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe

Executes dropped EXE 12 IoCs

pid	Process
2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe
464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe
748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe
4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe
1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe
1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe
1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe
2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe
5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe
2196	{38DD462E-09F9-4260-8847-8508D9700B39}.exe
1724	{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe
1052	{C082E664-DF27-4246-89A7-269C53653646}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe	{38DD462E-09F9-4260-8847-8508D9700B39}.exe
File created	C:\Windows\{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe
File created	C:\Windows\{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe
File created	C:\Windows\{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe
File created	C:\Windows\{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe
File created	C:\Windows\{38DD462E-09F9-4260-8847-8508D9700B39}.exe	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe
File created	C:\Windows\{C082E664-DF27-4246-89A7-269C53653646}.exe	{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe
File created	C:\Windows\{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe
File created	C:\Windows\{599D4752-0E34-466c-B68C-0218370C8F11}.exe	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe
File created	C:\Windows\{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe	{599D4752-0E34-466c-B68C-0218370C8F11}.exe
File created	C:\Windows\{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe
File created	C:\Windows\{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1256	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe
Token: SeIncBasePriorityPrivilege	464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe
Token: SeIncBasePriorityPrivilege	748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe
Token: SeIncBasePriorityPrivilege	4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe
Token: SeIncBasePriorityPrivilege	1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe
Token: SeIncBasePriorityPrivilege	1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe
Token: SeIncBasePriorityPrivilege	1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe
Token: SeIncBasePriorityPrivilege	2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe
Token: SeIncBasePriorityPrivilege	5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe
Token: SeIncBasePriorityPrivilege	2196	{38DD462E-09F9-4260-8847-8508D9700B39}.exe
Token: SeIncBasePriorityPrivilege	1724	{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2692	1256	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe	97
PID 1256 wrote to memory of 2692	1256	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe	97
PID 1256 wrote to memory of 2692	1256	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe	97
PID 1256 wrote to memory of 1480	1256	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe	98
PID 1256 wrote to memory of 1480	1256	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe	98
PID 1256 wrote to memory of 1480	1256	2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe	98
PID 2692 wrote to memory of 464	2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe	100
PID 2692 wrote to memory of 464	2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe	100
PID 2692 wrote to memory of 464	2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe	100
PID 2692 wrote to memory of 840	2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe	101
PID 2692 wrote to memory of 840	2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe	101
PID 2692 wrote to memory of 840	2692	{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe	101
PID 464 wrote to memory of 748	464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe	105
PID 464 wrote to memory of 748	464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe	105
PID 464 wrote to memory of 748	464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe	105
PID 464 wrote to memory of 2320	464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe	106
PID 464 wrote to memory of 2320	464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe	106
PID 464 wrote to memory of 2320	464	{599D4752-0E34-466c-B68C-0218370C8F11}.exe	106
PID 748 wrote to memory of 4156	748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe	107
PID 748 wrote to memory of 4156	748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe	107
PID 748 wrote to memory of 4156	748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe	107
PID 748 wrote to memory of 1416	748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe	108
PID 748 wrote to memory of 1416	748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe	108
PID 748 wrote to memory of 1416	748	{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe	108
PID 4156 wrote to memory of 1784	4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe	110
PID 4156 wrote to memory of 1784	4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe	110
PID 4156 wrote to memory of 1784	4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe	110
PID 4156 wrote to memory of 1480	4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe	111
PID 4156 wrote to memory of 1480	4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe	111
PID 4156 wrote to memory of 1480	4156	{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe	111
PID 1784 wrote to memory of 1272	1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe	115
PID 1784 wrote to memory of 1272	1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe	115
PID 1784 wrote to memory of 1272	1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe	115
PID 1784 wrote to memory of 1428	1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe	116
PID 1784 wrote to memory of 1428	1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe	116
PID 1784 wrote to memory of 1428	1784	{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe	116
PID 1272 wrote to memory of 1916	1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe	117
PID 1272 wrote to memory of 1916	1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe	117
PID 1272 wrote to memory of 1916	1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe	117
PID 1272 wrote to memory of 4744	1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe	118
PID 1272 wrote to memory of 4744	1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe	118
PID 1272 wrote to memory of 4744	1272	{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe	118
PID 1916 wrote to memory of 2652	1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe	126
PID 1916 wrote to memory of 2652	1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe	126
PID 1916 wrote to memory of 2652	1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe	126
PID 1916 wrote to memory of 736	1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe	127
PID 1916 wrote to memory of 736	1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe	127
PID 1916 wrote to memory of 736	1916	{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe	127
PID 2652 wrote to memory of 5040	2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe	128
PID 2652 wrote to memory of 5040	2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe	128
PID 2652 wrote to memory of 5040	2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe	128
PID 2652 wrote to memory of 3256	2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe	129
PID 2652 wrote to memory of 3256	2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe	129
PID 2652 wrote to memory of 3256	2652	{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe	129
PID 5040 wrote to memory of 2196	5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe	130
PID 5040 wrote to memory of 2196	5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe	130
PID 5040 wrote to memory of 2196	5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe	130
PID 5040 wrote to memory of 5072	5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe	131
PID 5040 wrote to memory of 5072	5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe	131
PID 5040 wrote to memory of 5072	5040	{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe	131
PID 2196 wrote to memory of 1724	2196	{38DD462E-09F9-4260-8847-8508D9700B39}.exe	135
PID 2196 wrote to memory of 1724	2196	{38DD462E-09F9-4260-8847-8508D9700B39}.exe	135
PID 2196 wrote to memory of 1724	2196	{38DD462E-09F9-4260-8847-8508D9700B39}.exe	135
PID 2196 wrote to memory of 3032	2196	{38DD462E-09F9-4260-8847-8508D9700B39}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_25fd9b6a67ca48aa908563ca90fb9345_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe
  C:\Windows\{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\{599D4752-0E34-466c-B68C-0218370C8F11}.exe
    C:\Windows\{599D4752-0E34-466c-B68C-0218370C8F11}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe
      C:\Windows\{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe
        
        C:\Windows\{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe
        
        C:\Windows\{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe
        
        C:\Windows\{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe
        
        C:\Windows\{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe
        
        C:\Windows\{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe
        
        C:\Windows\{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{38DD462E-09F9-4260-8847-8508D9700B39}.exe
        
        C:\Windows\{38DD462E-09F9-4260-8847-8508D9700B39}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe
        
        C:\Windows\{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\{C082E664-DF27-4246-89A7-269C53653646}.exe
        
        C:\Windows\{C082E664-DF27-4246-89A7-269C53653646}.exe
        13⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E2A7~1.EXE > nul
        13⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38DD4~1.EXE > nul
        12⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDEBF~1.EXE > nul
        11⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A8E3~1.EXE > nul
        10⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB4A~1.EXE > nul
        9⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1303B~1.EXE > nul
        8⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED7EE~1.EXE > nul
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43790~1.EXE > nul
        6⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41A1E~1.EXE > nul
        5⤵
        
        PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{599D4~1.EXE > nul
      4⤵
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3EA1~1.EXE > nul
    3⤵
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1303BBCA-53F7-4c7a-9BAD-75CB21A84421}.exe

Filesize
216KB

MD5
ac5c88025b8781a660496aaf52dc3865

SHA1
15f499dc570c516c8266a466fd044bc21d1a25e3

SHA256
b3f95db1a16c77da8382ef2f663ffc542d17f3d36c5db6edfbbd57a549ee5bd3

SHA512
f40401fff9dc8a8b9c22f345db2695e6fe91216218c47ece75d07c241b6e094a2400ffe2096cdfc335fbd29a05b009e1bf529074cdc749c8278fbe6c6d3ed39a

Download Submit
C:\Windows\{38DD462E-09F9-4260-8847-8508D9700B39}.exe

Filesize
216KB

MD5
b0bb0dfa196db9de651eee0c0200ff86

SHA1
30056878c64ac0a9cc8f92b7b2dfb6c6ccdfb72d

SHA256
cc96cc30a428ad90fdf5a78f3e7e73fe7f109e924ced1b30db569bc44a0b92e9

SHA512
5864e77aa9443adaeb3f0cc528ed3a5f5ee04508ec2ef3c3ef5bc7a13101e15c51fe80e020d1b0bca18d6e66a886686c85ace25043f0a4c741f8714a576747d3

Download Submit
C:\Windows\{3A8E3D73-AD4C-441c-9D03-D2440150C61C}.exe

Filesize
216KB

MD5
5bad19c006395ba13965ac6c110a6453

SHA1
ff49de61f758bf7de93cbbe0dc0cef7513c25e61

SHA256
30c3bfb19fb5d1427f8a6463641c7fbd6ba5bbf805ef14fdd659cd4a6eadbdf7

SHA512
c0f5e3338d1975b490895bd3fc8616f927e31df9879a0941cd9549739f1e5322850d2b351a8b16cfa39850ad6b4aaacbd267debdf9e30e923e5b3ad4a32bb123

Download Submit
C:\Windows\{41A1EEDA-B83A-4f88-950C-30603AE70BEF}.exe

Filesize
216KB

MD5
5fb6c71389b283226d4255f78ecd9119

SHA1
932464b632e2a8be3ee96e7e8c79c6e2723e72cc

SHA256
bef40eb67a62b2b55ddd072fc1a254ce15f6cf5232e66a1cfbe39ebc2073ef67

SHA512
ff36dc6763dfbae7ac1f783cb1428d7073a6fe334b88226d52bb76aefeca114d066f676ba24715aecb7f16e0b7338ac65ad4b8db70f6aece0bc429d0ce120618

Download Submit
C:\Windows\{437900EC-25AC-4d7f-A8EA-A6ADC0C5D16B}.exe

Filesize
216KB

MD5
e378d9efa2ae10d130dd6b7d54661372

SHA1
8658f6c36b0618dcfac78e27fdcf6c372af04073

SHA256
327ff23f39a379726ebd7213f3fb37bee55b0ce27ed61beedf7a2bc72b983309

SHA512
67cc6e6d70d05432f7c222803d7016890afb9859667fb11e43ca64c5670024e5eeba62d7040a5a255e1d6ecd67482bfccdbca6f703f8747237d0cc332ea6a607

Download Submit
C:\Windows\{599D4752-0E34-466c-B68C-0218370C8F11}.exe

Filesize
216KB

MD5
bd4a46f77b8fcce05f91a441591b1a35

SHA1
f022c1ac7fd43fe59347782c6be907b66987e93c

SHA256
2539af87ee6fc953e013341f7bcf9fa993fa505fbb5ec3f808f2b10e71fee8ee

SHA512
15374bb918544ba8a1aba03f4562592dc003df25f405988915bf16ee009bd060d53bdbd3f98199d93a0d3d48364cd90a995e48c0d3e995346e9574ed490ac44c

Download Submit
C:\Windows\{8BB4AAC3-01AB-4161-8B81-71F4C0FFC0CC}.exe

Filesize
216KB

MD5
d01bb90e3961fceeed380174e328d152

SHA1
1ce2e0a44bb83e08c9a7cfb8eb87728275ce77c1

SHA256
be169d356f1b4c44b98e9647857723babfbe618d54bfc9a1f0bccbfbb49ed6b0

SHA512
e8818ec18f34e920e4dbde103c3847cf3a9868cd1eb7cbbe71ea67d5469e029f8d9bfc7139d9b355c1ea5e042acd5186e9cef1142fcbd78871789159c3c3c3dc

Download Submit
C:\Windows\{8E2A7BF8-2D76-4033-8530-CD73E2160058}.exe

Filesize
216KB

MD5
c068affa5673590ee348e78e9e280891

SHA1
87c67132d763bd5be4c3388f511dd0249e49edc7

SHA256
70d4313b41a46d18a26586f67784b3489785c0950f3832ef133eae6e7209fdf5

SHA512
d39d4c809356b543fcd258186f837e5084dc169c428799247dee4fe9c342fd1d26901ff5611a0841f3da6521fdf62e3f6834a84b67385d4151a0f4bc9cac8df9

Download Submit
C:\Windows\{C082E664-DF27-4246-89A7-269C53653646}.exe

Filesize
216KB

MD5
320ed616164bb53d28f67027163a23e0

SHA1
3e210c2a34738268426b5fd32d8181c94d13ad76

SHA256
088f804a0497fca7131dd87662b5647473987fcdc925aa0c14da8e39d56672b9

SHA512
87f930c77c385cd01918008a40ad6f524f03b7cb1d80a7055039edcc9cb48b61b7cc310118d6ecf1942363ad9a34c0ea6ab02e359cc0440cbe1267523d953e2e

Download Submit
C:\Windows\{D3EA1FAC-1631-4d01-BE38-32808788F296}.exe

Filesize
216KB

MD5
d6ab7773fc5aad49957fed2f22f1d897

SHA1
216d80a1d82f7841fc88e06850cbca2277eed163

SHA256
a6d1fdcfcc07532723d4987125c5d7ecced50c22f2e8d43a2a9e65c496abc1df

SHA512
c83bf6191ee8e6e0fd0607209d59a7f0077bdb9e2d781d01f390e625cebedfea9aafbc0066df438ae6bd99ef2bbab436d282ad228fca7a503853cbea23735481

Download Submit
C:\Windows\{ED7EE90D-9026-4b4b-B64B-A80D4363C6D2}.exe

Filesize
216KB

MD5
c4c29ceacd64264be3ca42884eb4d41c

SHA1
e59743b9c292b7f2f5012db8d2816abbac089e17

SHA256
7ea627b811960773ade69fff7bc1713fd47802d9b508e480f4a8653d24b09647

SHA512
53ea8b00a3eadc8a66c7a5123ac295365be17e10d38f0c5aeca1e47dd0e6626a0f0677113c9e276736c19eb90ad1716dd5fa004fe6a7fad3aadb4cfbaeaff203

Download Submit
C:\Windows\{EDEBF219-1B25-4230-91BD-428C2F624D82}.exe

Filesize
216KB

MD5
2f04f039604b147c38c0d82aa5d7be3e

SHA1
379ea1c9c2a55fc281a61cd714dc1fb6475f6abe

SHA256
2d3281dc80a368887ad33c4bd1aa2d19bdeb2b7f6af13a45e7f0afa699737935

SHA512
d05cb783334ea7f5577975db90bfd6fdc84cf25e4f84f95c64623e94f04ea7e1df38d594ed5c3dfd30a12977651737cf58d4441af34382054f9e326267e92fa3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads