6eb4845ed049d737478953a8f32366a7799adc83947d60cd6009d0b2db44de8f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe
Size

180KB
MD5

45936a116c4f106575d65026d99c7b73
SHA1

a27ecbb81052cd24bdd541ec0111c73b774ec827
SHA256

6eb4845ed049d737478953a8f32366a7799adc83947d60cd6009d0b2db44de8f
SHA512

f134966eb82f1c2715761b9fa0504419a65b6aba7c43e3daf57e3d6964c6c8c28558586d261e184662da92f415121f09928cffd91e97fcaadae46e1a55c6ca58
SSDEEP

3072:jEGh0oolfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGCl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233f7-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002340a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023502-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023502-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000229d1-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002333f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001dadb-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001db62-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001dadb-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db62-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023340-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B321AA3-6F12-4352-A83E-11C1EBF8511A}	{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155FB081-45BB-4397-91DB-F41A4E7E419B}\stubpath = "C:\\Windows\\{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe"	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}\stubpath = "C:\\Windows\\{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe"	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}\stubpath = "C:\\Windows\\{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe"	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}\stubpath = "C:\\Windows\\{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe"	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58398376-4C63-48d3-9F2F-AE3A0275E039}	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C2A5218-8486-456d-ADA6-30BD8FEF4514}	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}\stubpath = "C:\\Windows\\{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe"	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48EA37A1-2B35-4860-A673-3553CC5CE89C}	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F844194-59B0-4969-8476-D10F3FE4CC51}	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}\stubpath = "C:\\Windows\\{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe"	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B321AA3-6F12-4352-A83E-11C1EBF8511A}\stubpath = "C:\\Windows\\{8B321AA3-6F12-4352-A83E-11C1EBF8511A}.exe"	{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155FB081-45BB-4397-91DB-F41A4E7E419B}	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F844194-59B0-4969-8476-D10F3FE4CC51}\stubpath = "C:\\Windows\\{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe"	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2961B190-BB02-47e2-87CF-6C535A3F46BA}	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2961B190-BB02-47e2-87CF-6C535A3F46BA}\stubpath = "C:\\Windows\\{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe"	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C2A5218-8486-456d-ADA6-30BD8FEF4514}\stubpath = "C:\\Windows\\{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe"	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48EA37A1-2B35-4860-A673-3553CC5CE89C}\stubpath = "C:\\Windows\\{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe"	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58398376-4C63-48d3-9F2F-AE3A0275E039}\stubpath = "C:\\Windows\\{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe"	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe

Executes dropped EXE 12 IoCs

pid	Process
3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe
4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe
4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe
2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe
3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe
1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe
1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe
4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe
3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe
4072	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe
2016	{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe
2112	{8B321AA3-6F12-4352-A83E-11C1EBF8511A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8B321AA3-6F12-4352-A83E-11C1EBF8511A}.exe	{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe
File created	C:\Windows\{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe
File created	C:\Windows\{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe
File created	C:\Windows\{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe
File created	C:\Windows\{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe
File created	C:\Windows\{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe
File created	C:\Windows\{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe
File created	C:\Windows\{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe
File created	C:\Windows\{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe
File created	C:\Windows\{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe
File created	C:\Windows\{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe
File created	C:\Windows\{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4396	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe
Token: SeIncBasePriorityPrivilege	4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe
Token: SeIncBasePriorityPrivilege	4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe
Token: SeIncBasePriorityPrivilege	2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe
Token: SeIncBasePriorityPrivilege	3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe
Token: SeIncBasePriorityPrivilege	1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe
Token: SeIncBasePriorityPrivilege	1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe
Token: SeIncBasePriorityPrivilege	4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe
Token: SeIncBasePriorityPrivilege	3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe
Token: SeIncBasePriorityPrivilege	4072	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe
Token: SeIncBasePriorityPrivilege	2016	{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3536	4396	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe	96
PID 4396 wrote to memory of 3536	4396	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe	96
PID 4396 wrote to memory of 3536	4396	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe	96
PID 4396 wrote to memory of 1436	4396	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe	97
PID 4396 wrote to memory of 1436	4396	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe	97
PID 4396 wrote to memory of 1436	4396	2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe	97
PID 3536 wrote to memory of 4720	3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe	100
PID 3536 wrote to memory of 4720	3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe	100
PID 3536 wrote to memory of 4720	3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe	100
PID 3536 wrote to memory of 3992	3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe	101
PID 3536 wrote to memory of 3992	3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe	101
PID 3536 wrote to memory of 3992	3536	{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe	101
PID 4720 wrote to memory of 4628	4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe	104
PID 4720 wrote to memory of 4628	4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe	104
PID 4720 wrote to memory of 4628	4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe	104
PID 4720 wrote to memory of 4396	4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe	105
PID 4720 wrote to memory of 4396	4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe	105
PID 4720 wrote to memory of 4396	4720	{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe	105
PID 4628 wrote to memory of 2152	4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe	106
PID 4628 wrote to memory of 2152	4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe	106
PID 4628 wrote to memory of 2152	4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe	106
PID 4628 wrote to memory of 4400	4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe	107
PID 4628 wrote to memory of 4400	4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe	107
PID 4628 wrote to memory of 4400	4628	{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe	107
PID 2152 wrote to memory of 3232	2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe	108
PID 2152 wrote to memory of 3232	2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe	108
PID 2152 wrote to memory of 3232	2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe	108
PID 2152 wrote to memory of 1756	2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe	109
PID 2152 wrote to memory of 1756	2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe	109
PID 2152 wrote to memory of 1756	2152	{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe	109
PID 3232 wrote to memory of 1060	3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe	115
PID 3232 wrote to memory of 1060	3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe	115
PID 3232 wrote to memory of 1060	3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe	115
PID 3232 wrote to memory of 3136	3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe	116
PID 3232 wrote to memory of 3136	3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe	116
PID 3232 wrote to memory of 3136	3232	{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe	116
PID 1060 wrote to memory of 1784	1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe	117
PID 1060 wrote to memory of 1784	1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe	117
PID 1060 wrote to memory of 1784	1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe	117
PID 1060 wrote to memory of 1624	1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe	118
PID 1060 wrote to memory of 1624	1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe	118
PID 1060 wrote to memory of 1624	1060	{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe	118
PID 1784 wrote to memory of 4396	1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe	119
PID 1784 wrote to memory of 4396	1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe	119
PID 1784 wrote to memory of 4396	1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe	119
PID 1784 wrote to memory of 1692	1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe	120
PID 1784 wrote to memory of 1692	1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe	120
PID 1784 wrote to memory of 1692	1784	{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe	120
PID 4396 wrote to memory of 3884	4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe	127
PID 4396 wrote to memory of 3884	4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe	127
PID 4396 wrote to memory of 3884	4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe	127
PID 4396 wrote to memory of 4376	4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe	128
PID 4396 wrote to memory of 4376	4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe	128
PID 4396 wrote to memory of 4376	4396	{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe	128
PID 3884 wrote to memory of 4072	3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe	129
PID 3884 wrote to memory of 4072	3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe	129
PID 3884 wrote to memory of 4072	3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe	129
PID 3884 wrote to memory of 4544	3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe	130
PID 3884 wrote to memory of 4544	3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe	130
PID 3884 wrote to memory of 4544	3884	{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe	130
PID 4072 wrote to memory of 2016	4072	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe	131
PID 4072 wrote to memory of 2016	4072	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe	131
PID 4072 wrote to memory of 2016	4072	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe	131
PID 4072 wrote to memory of 2916	4072	{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_45936a116c4f106575d65026d99c7b73_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe
  C:\Windows\{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe
    C:\Windows\{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe
      C:\Windows\{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe
        
        C:\Windows\{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe
        
        C:\Windows\{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe
        
        C:\Windows\{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe
        
        C:\Windows\{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe
        
        C:\Windows\{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe
        
        C:\Windows\{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe
        
        C:\Windows\{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe
        
        C:\Windows\{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\{8B321AA3-6F12-4352-A83E-11C1EBF8511A}.exe
        
        C:\Windows\{8B321AA3-6F12-4352-A83E-11C1EBF8511A}.exe
        13⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEBD7~1.EXE > nul
        13⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C2A5~1.EXE > nul
        12⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2961B~1.EXE > nul
        11⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58398~1.EXE > nul
        10⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0E43~1.EXE > nul
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F844~1.EXE > nul
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48EA3~1.EXE > nul
        7⤵
        
        PID:3136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAD8F~1.EXE > nul
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9EDC~1.EXE > nul
        5⤵
        
        PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C45~1.EXE > nul
      4⤵
      PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{155FB~1.EXE > nul
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C2A5218-8486-456d-ADA6-30BD8FEF4514}.exe

Filesize
180KB

MD5
0dd5f50a591576e1215c9b9dcada0c8d

SHA1
c60ee62e34950f9314f939ea5785210fd71a6862

SHA256
b3d77e60989097208fa5a4ef8a336872124ad97f513fea73491884e92679ea32

SHA512
0c01dde24db83571cbf459aff697339b39157244001bef6a36a82b27e1bbd0beffcfbb063cee524c092bc66c72bcd13afe23051acdd7c1fba27f9253590c0b45

Download Submit
C:\Windows\{155FB081-45BB-4397-91DB-F41A4E7E419B}.exe

Filesize
180KB

MD5
b63aeb30ef9f3f383398f4ba06af9871

SHA1
13584df94cde1a05aa2b596b7d19c604cffd3401

SHA256
1af952df8c4d9ca4ddf356ff700668ae730164dd1469040793f828a2943e3701

SHA512
f15001b303681a3ef6f3005d30081342c878e03d5356ad8cce3f46936acebd9ef131edd936ce8fb4acf11a8c94c2a70a5ef47d1f330bb84d3ecc32944108cef5

Download Submit
C:\Windows\{2961B190-BB02-47e2-87CF-6C535A3F46BA}.exe

Filesize
180KB

MD5
d07e4d59647e9536ccbdefe91007385e

SHA1
d6f482b05a47b8a4892c6e0c72f0fa7163747084

SHA256
1c2127df09a2d430c126eba3f226adb64745f6467a90a1ed668823294b65bf07

SHA512
3c017317ad31ca74147e9901c7ee76cccb577b039e210f29ad4b3590e51977971327d5dbaa224c744d68df01d6f977834a19140c00a9a78c113386bba1b75dba

Download Submit
C:\Windows\{48EA37A1-2B35-4860-A673-3553CC5CE89C}.exe

Filesize
180KB

MD5
64356242e66f20ea74980a36eef77955

SHA1
e04a0a307932def5d2da8fc753945ead5a4e52a0

SHA256
a600629ccc9b56ef54c46b888860b51db4df909db060afe8dc36153e4ca3edb9

SHA512
8c4a07fe98994d80e1f5ccda933e7bf4afdb9c1228fcdc28860e9720d227893dd0a1962515f2e271509bd445b078b285f24346a994b06ba071e415f6070eabb9

Download Submit
C:\Windows\{58398376-4C63-48d3-9F2F-AE3A0275E039}.exe

Filesize
180KB

MD5
9980fe3a15057564b3e6f7ff53226d12

SHA1
8acb218e647af33df10b91668cd2ccea10e2e25b

SHA256
fa258ceea4baa34547f6cfcbecb5bbebb7ca97222dcb5e43c8a6a00a7f93b16c

SHA512
2f92924d21afce12146100a7585ef32bd4bea60d710ac5c5436664846ec6108d62494c3250674cd87853ce6c3219fe58193323be361756b385f5cd47dcfdf3bd

Download Submit
C:\Windows\{8B321AA3-6F12-4352-A83E-11C1EBF8511A}.exe

Filesize
180KB

MD5
e848700d75783c3f90865d5893a77363

SHA1
e73334b61faab4dbcf599ff535bb4cf081ee5fc0

SHA256
472a538c4189d7486959e3156aaf388cefe8021113fbda570546cdcceee74b47

SHA512
46af8aa50686979b366990aa6cf2ccd272b7203a5faa504dc094af3d0aab97a2eb256b9e79015991e1883d3acd150d34755021187f7b2576b84817e6ff37add1

Download Submit
C:\Windows\{9F844194-59B0-4969-8476-D10F3FE4CC51}.exe

Filesize
180KB

MD5
e5e3b23e0569f2a9200002829867a282

SHA1
2c62cbee8ee3a72c488c346bd7d7889e3d640db3

SHA256
a4ed6067b31a45938c05e9718f79b6e9be6066c6208f593d3e529ad48fac9495

SHA512
3c77bfa4fa9e3189e50b8baab7e2c80828624a02763a7216bab0220b50ed6ee256923ecb308f8e025248be54149c078c00d9805c995c6372d68a39e9912e3090

Download Submit
C:\Windows\{AEBD7B9B-DD64-4e18-8F24-CE20F62988C3}.exe

Filesize
180KB

MD5
bb6ef81a4850e57defc645a008872a26

SHA1
b1a85779874695bde7bb86b6e741c2417fc65a43

SHA256
8747043640f67db380ed8f3b7f6d61bed9d0bbac960da63dd7a418a3a0c5ccc2

SHA512
0e1a89b07efa3bf0b512503344de1e77a0fba311f54e3fffb84d815a4fca01c4d31c84f1402b3c95341112d2554c98234ee6addaa1a422201bd7635ae5f0c097

Download Submit
C:\Windows\{D7C45FEF-EA20-4abe-80C5-FEB9940665B2}.exe

Filesize
180KB

MD5
9b8a05b0be5543d886c2274e30d51943

SHA1
d61d300961e9411737a968c85b0f082b38688cad

SHA256
61627d7274312ec309236f0c7927254c278f6053325fc5ff1424a237b4b5b1a1

SHA512
828b1879f43af95bea96c728f7494fe4ab10614df925ddd53cdf964f65f4aab59af31512bbe0963390783e6ea37657b43fa51a2b235bf031aba83614427064eb

Download Submit
C:\Windows\{DAD8F3C8-D4AA-4e66-878D-B2A238F6814B}.exe

Filesize
180KB

MD5
f535ccb1ef84199d596c6f37261dabcb

SHA1
56ae779b0bfe2d5402dbf9306d7fa66908b619cd

SHA256
192df18340fb4d8a04c82da377c769006f9718d99bf49f8baab0eb6c82e0289f

SHA512
d647acc51d87bd0ea1c88f670c8b27b70f9b8f48a057416bd3b655bb467cd25e6ef97eb186d6ee1b63634bf79ce0e68ccafdd57d6410f0e7b0a681b4f7038b71

Download Submit
C:\Windows\{E0E435C9-5B6B-4cb5-8CB1-C636E29BE992}.exe

Filesize
180KB

MD5
821320444c389972b9b90e66b9d0524d

SHA1
81983e09043bb7dc44e3bc5e11a82a528583067a

SHA256
c5fad4930b3e4d5034ab07bd45af7e93c1656b2602a7211f229e537f467d631f

SHA512
4c35d48dcca074734baf4ee3f762e695d9a9e0be5ca1bc118de3e1b07cfe43007b9fbac9d5e3e610f70a3c849a3a8884aa360bd633445d09e4668be8636c098d

Download Submit
C:\Windows\{E9EDCE67-933D-431b-ABDE-FE36D4B5FB33}.exe

Filesize
180KB

MD5
755f98d9e9cb4a62fb36eba6eda815b2

SHA1
0eb306d6ffbed8bc10ffe2c7167f5725eafc8b34

SHA256
09f4efd382acf76451ed1db2aad52aedbd0a59cf408533dad34d3bbd01a0cbd8

SHA512
273d7615f7243d059ff8cb02eb8838eb75bb82c83d6b46dd6c76a7830b00c2137b81ce1147b474140f5b2f8bb432e17621686c8f5f0ca2fde48fbc48cd3e16f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads