e45ad870f215b1bb3f509cd687b831122e69563f6259d60d76c0c0521e36c396

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe
Size

372KB
MD5

bc597010000e12cb4698567e16d777e9
SHA1

a8ecd8afe54e4a365f658e22523be6014172a093
SHA256

e45ad870f215b1bb3f509cd687b831122e69563f6259d60d76c0c0521e36c396
SHA512

759ba77a25964444832e07140c050ed2397787384f099ebf22031b1a2b2aecd6463925ce2d388196754ee528e2bff75e5e3d55e260bcf27c4d49a23a5ebad285
SSDEEP

3072:CEGh0oHlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG5lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023419-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002342b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023527-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002335e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023527-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db5a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db5c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022978-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001db28-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001db71-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db28-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002336b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}\stubpath = "C:\\Windows\\{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe"	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04230400-7A67-466f-BD64-81439E174DC1}	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}\stubpath = "C:\\Windows\\{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}.exe"	{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AC7CA76-BE00-4311-91FA-2B8FB6112788}\stubpath = "C:\\Windows\\{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe"	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DCDCD1-2A02-45a7-AFAC-721024544C67}\stubpath = "C:\\Windows\\{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe"	{04230400-7A67-466f-BD64-81439E174DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}\stubpath = "C:\\Windows\\{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe"	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}\stubpath = "C:\\Windows\\{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe"	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65AB5ED4-677D-442d-A707-F7F5EAF6F530}\stubpath = "C:\\Windows\\{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe"	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}	{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DCDCD1-2A02-45a7-AFAC-721024544C67}	{04230400-7A67-466f-BD64-81439E174DC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}\stubpath = "C:\\Windows\\{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe"	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}\stubpath = "C:\\Windows\\{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe"	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E6CCC96-2F5C-4524-AE78-FA5882134803}	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E6CCC96-2F5C-4524-AE78-FA5882134803}\stubpath = "C:\\Windows\\{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe"	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E02AC1D-DD1F-4cf0-9123-940123003282}	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E02AC1D-DD1F-4cf0-9123-940123003282}\stubpath = "C:\\Windows\\{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe"	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AC7CA76-BE00-4311-91FA-2B8FB6112788}	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04230400-7A67-466f-BD64-81439E174DC1}\stubpath = "C:\\Windows\\{04230400-7A67-466f-BD64-81439E174DC1}.exe"	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65AB5ED4-677D-442d-A707-F7F5EAF6F530}	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe

Executes dropped EXE 12 IoCs

pid	Process
4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe
3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe
2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe
544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe
4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe
3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe
4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe
4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe
3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe
4100	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe
1816	{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe
2020	{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe
File created	C:\Windows\{04230400-7A67-466f-BD64-81439E174DC1}.exe	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe
File created	C:\Windows\{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe	{04230400-7A67-466f-BD64-81439E174DC1}.exe
File created	C:\Windows\{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe
File created	C:\Windows\{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe
File created	C:\Windows\{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe
File created	C:\Windows\{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe
File created	C:\Windows\{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe
File created	C:\Windows\{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe
File created	C:\Windows\{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe
File created	C:\Windows\{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}.exe	{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe
File created	C:\Windows\{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1796	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe
Token: SeIncBasePriorityPrivilege	3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe
Token: SeIncBasePriorityPrivilege	2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe
Token: SeIncBasePriorityPrivilege	544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe
Token: SeIncBasePriorityPrivilege	4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe
Token: SeIncBasePriorityPrivilege	3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe
Token: SeIncBasePriorityPrivilege	4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe
Token: SeIncBasePriorityPrivilege	4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe
Token: SeIncBasePriorityPrivilege	3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe
Token: SeIncBasePriorityPrivilege	4100	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe
Token: SeIncBasePriorityPrivilege	1816	{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 4416	1796	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe	96
PID 1796 wrote to memory of 4416	1796	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe	96
PID 1796 wrote to memory of 4416	1796	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe	96
PID 1796 wrote to memory of 1944	1796	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe	97
PID 1796 wrote to memory of 1944	1796	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe	97
PID 1796 wrote to memory of 1944	1796	2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe	97
PID 4416 wrote to memory of 3884	4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe	100
PID 4416 wrote to memory of 3884	4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe	100
PID 4416 wrote to memory of 3884	4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe	100
PID 4416 wrote to memory of 928	4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe	101
PID 4416 wrote to memory of 928	4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe	101
PID 4416 wrote to memory of 928	4416	{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe	101
PID 3884 wrote to memory of 2460	3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe	104
PID 3884 wrote to memory of 2460	3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe	104
PID 3884 wrote to memory of 2460	3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe	104
PID 3884 wrote to memory of 4496	3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe	105
PID 3884 wrote to memory of 4496	3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe	105
PID 3884 wrote to memory of 4496	3884	{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe	105
PID 2460 wrote to memory of 544	2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe	106
PID 2460 wrote to memory of 544	2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe	106
PID 2460 wrote to memory of 544	2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe	106
PID 2460 wrote to memory of 1940	2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe	107
PID 2460 wrote to memory of 1940	2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe	107
PID 2460 wrote to memory of 1940	2460	{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe	107
PID 544 wrote to memory of 4568	544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe	108
PID 544 wrote to memory of 4568	544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe	108
PID 544 wrote to memory of 4568	544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe	108
PID 544 wrote to memory of 2596	544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe	109
PID 544 wrote to memory of 2596	544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe	109
PID 544 wrote to memory of 2596	544	{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe	109
PID 4568 wrote to memory of 3996	4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe	116
PID 4568 wrote to memory of 3996	4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe	116
PID 4568 wrote to memory of 3996	4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe	116
PID 4568 wrote to memory of 3960	4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe	117
PID 4568 wrote to memory of 3960	4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe	117
PID 4568 wrote to memory of 3960	4568	{04230400-7A67-466f-BD64-81439E174DC1}.exe	117
PID 3996 wrote to memory of 4052	3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe	118
PID 3996 wrote to memory of 4052	3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe	118
PID 3996 wrote to memory of 4052	3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe	118
PID 3996 wrote to memory of 2260	3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe	119
PID 3996 wrote to memory of 2260	3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe	119
PID 3996 wrote to memory of 2260	3996	{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe	119
PID 4052 wrote to memory of 4736	4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe	122
PID 4052 wrote to memory of 4736	4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe	122
PID 4052 wrote to memory of 4736	4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe	122
PID 4052 wrote to memory of 2392	4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe	123
PID 4052 wrote to memory of 2392	4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe	123
PID 4052 wrote to memory of 2392	4052	{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe	123
PID 4736 wrote to memory of 3940	4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe	129
PID 4736 wrote to memory of 3940	4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe	129
PID 4736 wrote to memory of 3940	4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe	129
PID 4736 wrote to memory of 648	4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe	130
PID 4736 wrote to memory of 648	4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe	130
PID 4736 wrote to memory of 648	4736	{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe	130
PID 3940 wrote to memory of 4100	3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe	131
PID 3940 wrote to memory of 4100	3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe	131
PID 3940 wrote to memory of 4100	3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe	131
PID 3940 wrote to memory of 2892	3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe	132
PID 3940 wrote to memory of 2892	3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe	132
PID 3940 wrote to memory of 2892	3940	{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe	132
PID 4100 wrote to memory of 1816	4100	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe	133
PID 4100 wrote to memory of 1816	4100	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe	133
PID 4100 wrote to memory of 1816	4100	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe	133
PID 4100 wrote to memory of 5044	4100	{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_bc597010000e12cb4698567e16d777e9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe
  C:\Windows\{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe
    C:\Windows\{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe
      C:\Windows\{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe
        
        C:\Windows\{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\{04230400-7A67-466f-BD64-81439E174DC1}.exe
        
        C:\Windows\{04230400-7A67-466f-BD64-81439E174DC1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe
        
        C:\Windows\{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe
        
        C:\Windows\{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe
        
        C:\Windows\{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe
        
        C:\Windows\{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe
        
        C:\Windows\{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe
        
        C:\Windows\{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}.exe
        
        C:\Windows\{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}.exe
        13⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65AB5~1.EXE > nul
        13⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB223~1.EXE > nul
        12⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE1D5~1.EXE > nul
        11⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43A36~1.EXE > nul
        10⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE04~1.EXE > nul
        9⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51DCD~1.EXE > nul
        8⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04230~1.EXE > nul
        7⤵
        
        PID:3960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AC7C~1.EXE > nul
        6⤵
        
        PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F0AD~1.EXE > nul
        5⤵
        
        PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E02A~1.EXE > nul
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E6CC~1.EXE > nul
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04230400-7A67-466f-BD64-81439E174DC1}.exe

Filesize
372KB

MD5
c0f3c459b1867b8af4ab0ea9c2f67814

SHA1
c5275f11bba33b85d269f93867845cef88c9b50e

SHA256
4bcb375ce948b34cfeee286bff47f89572cbf3e39cfd397076a5026ab1fca5aa

SHA512
5bc26324312e1e052915436190405bfd728f0cf86200d8b814c3a867ff93c2d2432253a421bcf20bdc655f8151ac06e8a064ac3adf5578ea071ca36ff673a488

Download Submit
C:\Windows\{0E6CCC96-2F5C-4524-AE78-FA5882134803}.exe

Filesize
372KB

MD5
9bc5f633b5f121b75126787314e8d07c

SHA1
451656b4bf1882fbece7d81036a361c8bb589b3d

SHA256
d9d988204e3c5aa451c022cd0f6972c13438423af24393d71907abcfc639564a

SHA512
5bbeba310f50e809bc7b3c3c0ace9c874d16ae69840ebfc8a8052830a14637b97a878333397dd50ccf1dacb10926fa59eddeb3efb3237af9cc2cf429d84d854a

Download Submit
C:\Windows\{2AC7CA76-BE00-4311-91FA-2B8FB6112788}.exe

Filesize
372KB

MD5
8c37b1526d1123fd1ad97a3c85bd2e69

SHA1
a43bd1aad4b8b30c5d3282f62a152b6c9d34f187

SHA256
b9b3dbd159aa496ea7b6df473eeab9437451b5fbbd49edec6ad58ae696fb0e02

SHA512
a1920a0e29fb24e93a811a8961c7492302dcf3229cdc9f5c727004726bfbf69f63d6d0112500d42a5a55fe6a1fe49ecbce645677cc1fa1520c88d956e62aab4c

Download Submit
C:\Windows\{43A36D8B-57BA-4eb3-9972-4CF17EAC03BC}.exe

Filesize
372KB

MD5
1867fb34d4cf366938478b59193aea64

SHA1
eb1cb7a87e2c28ed34f69112b9efaed2cf17ff64

SHA256
c797f3d1014d1e2142febbb88a14f096025ca8c3d8cc372825998b16e2d92977

SHA512
801b3a7ad8538484fe798a6eca8be2d944dd014a2afeb0bd868fdf60403f4ed5e8ed2d85666fa3f8218f09f1dcc100b034aad28d9e2a19017372d28cf7dae40e

Download Submit
C:\Windows\{51DCDCD1-2A02-45a7-AFAC-721024544C67}.exe

Filesize
372KB

MD5
114f686a17a8c0363200fad6deda0830

SHA1
211c2bcb08f3e2c842d5bb50dd138e2889117b55

SHA256
86c0c2ce6ba168780eeebf0ee9834b7f6ed49fd09b377e291b837fbf001fd0f1

SHA512
259359d0b93999da6e11aeb616223329e40c2b5c7e2c3afd9d170fc30294d16f0415520046c65de3f4c8f5387b45f6b841a30f0b08353ead9c2ca0b32cd844d2

Download Submit
C:\Windows\{5F0ADCF0-8F70-4445-AF0E-A4F69284376D}.exe

Filesize
372KB

MD5
24a0063d63029da221eab5069e619e3e

SHA1
c9ce876f9bd282fc26cbe4099f1b8ab274ce247d

SHA256
4e275301a94846966db5dad358d8ffec42bc9d30c96cb6105c8ec7504efb9160

SHA512
5808f63fd89a246ea2daeaf7ed7eb6766f2aadc7dac002c56e87933b925bf7ba2ee1e65d0e07c28b3e744cb5f82fe8ce2a4db27e99387f0f6a5c2f91d440eaf5

Download Submit
C:\Windows\{65AB5ED4-677D-442d-A707-F7F5EAF6F530}.exe

Filesize
372KB

MD5
9cb9241fee16a67ba122ad43ab644f48

SHA1
7983b937e7fb83e62f0be55f5427fd8095be6bd9

SHA256
e45290c1c827c3188a38c5805575d1daaff74cf988836e3b8448590ded7106c0

SHA512
67f0015d2ea42b19a950e4837de06519d925d3f8bafd498b098f2655a85d706246fab61b151862953ecdbef24ec2e6dbd19415af5f8de4a9bb9ab828ceb3a8f0

Download Submit
C:\Windows\{9CE043AF-ED5D-4f41-BAD3-F628478AFCFA}.exe

Filesize
372KB

MD5
5a9e634794379a079a4e8550ec62b152

SHA1
863d05e0794eede4648eaa373338cf84b77525ef

SHA256
8e854cc8c937ed637bd9da6d897d3fb8b433dd25854cd12a08407d6b84cd6293

SHA512
82860201632e793fd4ae62565ebdf534bb8a75caef5cd563605e367e5e56046892bc4c0499afdf4f09b1646a80978563e837e78ff62c09a75f2c14609a1ac5f5

Download Submit
C:\Windows\{9E02AC1D-DD1F-4cf0-9123-940123003282}.exe

Filesize
372KB

MD5
4216e3edd0bd97954a942162017b7d7e

SHA1
a5d6d1b88d09566b1f7a37af1c192a5b6706ea0e

SHA256
70e630a4281d22c5cab1dff7357cb7c364289e3ef9460e5d3d023cda4bd867d2

SHA512
ad82a37b562b96845188cb9402e0cc87851ff16728810a69bbda8077108ced9054471f349b73328c1da78bee6d8031258bf75afe5bacad31a44e9b4bb3fe8425

Download Submit
C:\Windows\{9F1D8A3C-2F00-47a3-8CF1-01441F903E13}.exe

Filesize
372KB

MD5
8560835cb8c42b9813316f8d20202473

SHA1
4f060dfc4ddecbaa1b99df7f01df104b8257a4a1

SHA256
856037312b9b3be2db337155f0f4f3175a202cbd14e4e64de851d915fae116bd

SHA512
67ee837459d944e6d8e29281620165dce236352fbe27a311b276776ceda15bd523e0043ffc482e07fa8cee798faf2e6e32536d5ab8432545ec305dab1b899285

Download Submit
C:\Windows\{DB223B1B-24C9-4113-AD6C-D6F3EFEFB986}.exe

Filesize
372KB

MD5
78ad1d6d487ddf7486e7d8e8081a6a47

SHA1
99f08c89e1f33b1d1081c1cf6492ecfae63564f1

SHA256
9e549340f566347e118921ad0d40b98eebe86345b141f9c4b107c67da2171c85

SHA512
07f55358b13a57decba2da75be1ea7286542e29d65f847300924258c990c5c7abffd51eb82621bdbc4e2bd5e31bc9168175a66bc5988370a248a1be13becedf4

Download Submit
C:\Windows\{EE1D517D-27A2-4b1b-93F5-9AE9E24A2F36}.exe

Filesize
372KB

MD5
a44ac15fec4a7450b64a2eb232d65cdb

SHA1
49d79b3b6b8589b42452936f2d17fc3b342809cf

SHA256
f2b8cc631ff4c58a19fa479fa64651158e7cefdf64f03f7be374a06cb59cc67b

SHA512
506ffe0b18d5cad18df784f0fc9490a28f927800a0b8986217a74dcb8803f9c0e29e3e1f5604ddf76589b0328ad1999f15a7dbdc44511d837bdc39cd8ac28a9d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads