a854c053db6fe5a40a4bd293aa56ff706e6982a658b794ac5c8b4c96f3977ad5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Size

168KB
MD5

ae68e30253e1764755ead503930ac4ee
SHA1

004cb47f48dc1229be6c6a23b2a8f5ca0af4db3d
SHA256

a854c053db6fe5a40a4bd293aa56ff706e6982a658b794ac5c8b4c96f3977ad5
SHA512

df600c0118ec3eae38b4f625622bb82cc5ac2f7b3222bd9fb26ccbee4d5847b22b9445c4f65e8e878267253ba39a7ac705078beaece9d2b351022ecd5c321953
SSDEEP

1536:1EGh0onlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0onlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023411-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023509-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000001e316-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023509-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001dadb-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db62-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001dadb-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002351e-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002335b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002335c-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002335b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023358-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9D744E-67DB-446e-8F7D-A7686D084EB6}	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD006994-395F-4dc4-81DA-E51BC12ADE26}	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD006994-395F-4dc4-81DA-E51BC12ADE26}\stubpath = "C:\\Windows\\{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe"	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42B55F9B-B284-47e5-9D44-491CD3BAE92E}	{8837D11B-2709-437d-9F46-34D611297DE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42B55F9B-B284-47e5-9D44-491CD3BAE92E}\stubpath = "C:\\Windows\\{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe"	{8837D11B-2709-437d-9F46-34D611297DE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}\stubpath = "C:\\Windows\\{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe"	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9D744E-67DB-446e-8F7D-A7686D084EB6}\stubpath = "C:\\Windows\\{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe"	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4378FA41-3440-4181-A97E-A1C4C39979CE}	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01BAAC88-6854-4824-932B-DFB58F80B3B7}	{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01BAAC88-6854-4824-932B-DFB58F80B3B7}\stubpath = "C:\\Windows\\{01BAAC88-6854-4824-932B-DFB58F80B3B7}.exe"	{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFE3BB96-9447-407d-AB98-AE229EB3180B}	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8837D11B-2709-437d-9F46-34D611297DE7}\stubpath = "C:\\Windows\\{8837D11B-2709-437d-9F46-34D611297DE7}.exe"	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}\stubpath = "C:\\Windows\\{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe"	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}\stubpath = "C:\\Windows\\{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe"	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC95619B-F61B-4710-87D8-5324EBB3732D}\stubpath = "C:\\Windows\\{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe"	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}\stubpath = "C:\\Windows\\{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe"	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4378FA41-3440-4181-A97E-A1C4C39979CE}\stubpath = "C:\\Windows\\{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe"	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC95619B-F61B-4710-87D8-5324EBB3732D}	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFE3BB96-9447-407d-AB98-AE229EB3180B}\stubpath = "C:\\Windows\\{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe"	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8837D11B-2709-437d-9F46-34D611297DE7}	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe

Executes dropped EXE 12 IoCs

pid	Process
816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe
3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe
2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe
2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe
4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe
5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe
2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe
1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe
2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe
2504	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe
468	{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe
3028	{01BAAC88-6854-4824-932B-DFB58F80B3B7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
File created	C:\Windows\{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe
File created	C:\Windows\{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe	{8837D11B-2709-437d-9F46-34D611297DE7}.exe
File created	C:\Windows\{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe
File created	C:\Windows\{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe
File created	C:\Windows\{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe
File created	C:\Windows\{01BAAC88-6854-4824-932B-DFB58F80B3B7}.exe	{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe
File created	C:\Windows\{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe
File created	C:\Windows\{8837D11B-2709-437d-9F46-34D611297DE7}.exe	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe
File created	C:\Windows\{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe
File created	C:\Windows\{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe
File created	C:\Windows\{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4492	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe
Token: SeIncBasePriorityPrivilege	3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe
Token: SeIncBasePriorityPrivilege	2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe
Token: SeIncBasePriorityPrivilege	2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe
Token: SeIncBasePriorityPrivilege	4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe
Token: SeIncBasePriorityPrivilege	5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe
Token: SeIncBasePriorityPrivilege	2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe
Token: SeIncBasePriorityPrivilege	1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe
Token: SeIncBasePriorityPrivilege	2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe
Token: SeIncBasePriorityPrivilege	2504	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe
Token: SeIncBasePriorityPrivilege	468	{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 816	4492	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	99
PID 4492 wrote to memory of 816	4492	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	99
PID 4492 wrote to memory of 816	4492	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	99
PID 4492 wrote to memory of 4716	4492	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	100
PID 4492 wrote to memory of 4716	4492	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	100
PID 4492 wrote to memory of 4716	4492	2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe	100
PID 816 wrote to memory of 3388	816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe	102
PID 816 wrote to memory of 3388	816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe	102
PID 816 wrote to memory of 3388	816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe	102
PID 816 wrote to memory of 4252	816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe	103
PID 816 wrote to memory of 4252	816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe	103
PID 816 wrote to memory of 4252	816	{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe	103
PID 3388 wrote to memory of 2220	3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe	106
PID 3388 wrote to memory of 2220	3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe	106
PID 3388 wrote to memory of 2220	3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe	106
PID 3388 wrote to memory of 1112	3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe	107
PID 3388 wrote to memory of 1112	3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe	107
PID 3388 wrote to memory of 1112	3388	{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe	107
PID 2220 wrote to memory of 2968	2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe	108
PID 2220 wrote to memory of 2968	2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe	108
PID 2220 wrote to memory of 2968	2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe	108
PID 2220 wrote to memory of 4908	2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe	109
PID 2220 wrote to memory of 4908	2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe	109
PID 2220 wrote to memory of 4908	2220	{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe	109
PID 2968 wrote to memory of 4636	2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe	110
PID 2968 wrote to memory of 4636	2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe	110
PID 2968 wrote to memory of 4636	2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe	110
PID 2968 wrote to memory of 2340	2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe	111
PID 2968 wrote to memory of 2340	2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe	111
PID 2968 wrote to memory of 2340	2968	{8837D11B-2709-437d-9F46-34D611297DE7}.exe	111
PID 4636 wrote to memory of 5000	4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe	117
PID 4636 wrote to memory of 5000	4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe	117
PID 4636 wrote to memory of 5000	4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe	117
PID 4636 wrote to memory of 1060	4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe	118
PID 4636 wrote to memory of 1060	4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe	118
PID 4636 wrote to memory of 1060	4636	{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe	118
PID 5000 wrote to memory of 2172	5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe	119
PID 5000 wrote to memory of 2172	5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe	119
PID 5000 wrote to memory of 2172	5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe	119
PID 5000 wrote to memory of 4464	5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe	120
PID 5000 wrote to memory of 4464	5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe	120
PID 5000 wrote to memory of 4464	5000	{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe	120
PID 2172 wrote to memory of 1924	2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe	124
PID 2172 wrote to memory of 1924	2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe	124
PID 2172 wrote to memory of 1924	2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe	124
PID 2172 wrote to memory of 3152	2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe	125
PID 2172 wrote to memory of 3152	2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe	125
PID 2172 wrote to memory of 3152	2172	{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe	125
PID 1924 wrote to memory of 2484	1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe	130
PID 1924 wrote to memory of 2484	1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe	130
PID 1924 wrote to memory of 2484	1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe	130
PID 1924 wrote to memory of 5076	1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe	131
PID 1924 wrote to memory of 5076	1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe	131
PID 1924 wrote to memory of 5076	1924	{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe	131
PID 2484 wrote to memory of 2504	2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe	132
PID 2484 wrote to memory of 2504	2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe	132
PID 2484 wrote to memory of 2504	2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe	132
PID 2484 wrote to memory of 4440	2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe	133
PID 2484 wrote to memory of 4440	2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe	133
PID 2484 wrote to memory of 4440	2484	{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe	133
PID 2504 wrote to memory of 468	2504	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe	134
PID 2504 wrote to memory of 468	2504	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe	134
PID 2504 wrote to memory of 468	2504	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe	134
PID 2504 wrote to memory of 3652	2504	{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_ae68e30253e1764755ead503930ac4ee_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe
  C:\Windows\{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe
    C:\Windows\{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe
      C:\Windows\{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\{8837D11B-2709-437d-9F46-34D611297DE7}.exe
        
        C:\Windows\{8837D11B-2709-437d-9F46-34D611297DE7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe
        
        C:\Windows\{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe
        
        C:\Windows\{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe
        
        C:\Windows\{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe
        
        C:\Windows\{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe
        
        C:\Windows\{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe
        
        C:\Windows\{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe
        
        C:\Windows\{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\{01BAAC88-6854-4824-932B-DFB58F80B3B7}.exe
        
        C:\Windows\{01BAAC88-6854-4824-932B-DFB58F80B3B7}.exe
        13⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD006~1.EXE > nul
        13⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC956~1.EXE > nul
        12⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4378F~1.EXE > nul
        11⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B2CA~1.EXE > nul
        10⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9D7~1.EXE > nul
        9⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC1A1~1.EXE > nul
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42B55~1.EXE > nul
        7⤵
        
        PID:1060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8837D~1.EXE > nul
        6⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFE3B~1.EXE > nul
        5⤵
        
        PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB0F~1.EXE > nul
      4⤵
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D1F8~1.EXE > nul
    3⤵
    PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01BAAC88-6854-4824-932B-DFB58F80B3B7}.exe

Filesize
168KB

MD5
f6c21e8d21992b862d78388985d7caf0

SHA1
08856388ac0ef83d3ae9ea9b228bbaac44b1fd98

SHA256
f2959a065d4813ef1d9124c4869835f19d3a435818534acf45156a793349d9fc

SHA512
ee1e9453a9caa71232ba4d502dfdfd21281977faa582592db0bc17994ce3a30139a269921b368bdd97b5f86ed742ab405b233eb59eea41e74d9660796a2d2462

Download Submit
C:\Windows\{1B2CAA64-5EC3-4237-8789-B9BADCA832FC}.exe

Filesize
168KB

MD5
7652348a8737be35066dfaf6144bc75e

SHA1
aff11339bf63c72907e350cf38681bc444d053c9

SHA256
796207d785ce4f1a132c2d2dea9081adcc4f6eb28b513113ebc670292e4a32d8

SHA512
b34fc97bc92584576f19b6d95e3ebf52503ec244575ad196299901104457ba0c605a080efe586df87384ef75386bb3a66da4740bb743337e65756a75b174d1b2

Download Submit
C:\Windows\{42B55F9B-B284-47e5-9D44-491CD3BAE92E}.exe

Filesize
168KB

MD5
e49c51b486914b7cc0549d5be60d6bd4

SHA1
5a47b1973b9c42a0b7cfea54816861e727f358f0

SHA256
74148d1bc4ebb5375983a22c788193c086cbfa24d8446098666769960563d2fa

SHA512
56cfce9ff7e7d06fc8b34eb7cec73a7c42a36c3e6b0e3903ed26de8fc998a9e43e67fb9b01fe76f5ccbc539b644f7c54ef694eb4cf07a370ac8aa48eb20e8d89

Download Submit
C:\Windows\{4378FA41-3440-4181-A97E-A1C4C39979CE}.exe

Filesize
168KB

MD5
8880d1c94fa4052788a07cdb1cd548d3

SHA1
6ef75944b32ca5c08ff611e8f44a8ce239ae3e57

SHA256
345006dd13d5fb26279e2120aba10db1bb0ea9bb39a8ea3cb720778880954fb9

SHA512
145bbd8b7c0bd09f291d8882f370779b13ae999b0b53b02d81048f279398379ac44b3e16b1ed76b656f8724e632fd6c89186051e6ee1b8b9c3dfa11dc607f25e

Download Submit
C:\Windows\{8837D11B-2709-437d-9F46-34D611297DE7}.exe

Filesize
168KB

MD5
d6de0880274a46b351b0c3655cee411a

SHA1
9904ab497af69b4aa61fc37cb3131940e6f2972a

SHA256
27bec39c42870024e60ccb3a2d1e9d6903748cbc8d11210541254a011213b7f4

SHA512
f9e50b09d81fd121bc13128365a81ca900ebacc610d5e89fa4624c91bc7faa4f3e2f424db823879d72c4b7e9bf44be4508a34b501dd4f214d1c85336e2c44ce3

Download Submit
C:\Windows\{9D1F8C10-CFDA-4d3d-8397-0819DCEC51AE}.exe

Filesize
168KB

MD5
ae9601c0911225819bea7ec77bd554f9

SHA1
9edeea63a268dfeaa81ce406f8bda3a939e2b860

SHA256
31d34eb35ed8593e842b26d563fc614ee768c3ff655bc18d296ad43364ac6c92

SHA512
9000ed3c4a0165cf282df475aab132277fb10d70248ca20a58b54381614bc2b5f133dab8e82dce78f0eff3fe472ff28a88e6d8da4e44ad2d0d5a92fbffeb5b41

Download Submit
C:\Windows\{AC1A1A56-4FA3-4140-9B53-42951BC6EA03}.exe

Filesize
168KB

MD5
53f4f737b7e0cab7935fcacd1ac6fd07

SHA1
e3ff513d2fdac22c2d418da6258a9da0c4e5aa86

SHA256
9f23a269e730f821534feaab607afb31b0f2adbb60ae419810e8348313694327

SHA512
8003efb0b07bb0c7a1b7df9b12e361ff044bc6faceba2defebe0ad1d1fcadd5025b2d4566f6bd06da3797fc60bb16ec13dd3c01bb762d7f4e908f735861801e7

Download Submit
C:\Windows\{BD006994-395F-4dc4-81DA-E51BC12ADE26}.exe

Filesize
168KB

MD5
a36ab2ffae7f1e9b52d36b95f5b90964

SHA1
5f4f061b600c9adfed0f88a266526b7ee3f16beb

SHA256
d1858ca78c1146b39e0dd18ba6a524c817e9d3ef9b10fc42dcc964de4a6857ef

SHA512
7f705c1daa0b2a9d0b4523b5ed0056f48569b61deb4b3762e48cd8399045745751e26971c57a97aee240c23f0c8b4d1e504b15bbc114b708292f3c11a53b739e

Download Submit
C:\Windows\{BDB0F764-4542-430e-B01D-8C1A4A2BEA5B}.exe

Filesize
168KB

MD5
376afcc48a032ced6fd2b500eb970637

SHA1
dd59082f55cc1a6a4a3f6852502d451f91f9c0b1

SHA256
bee762c3a70c36707f63757d4f4d83b2fa1fa8e787fdd751b1b78459bf543af9

SHA512
79f5f5ede398a80a245fe1ece5d77ef902a3391f6887369f26e5b50cfd220558b05faa2301b449c51f89c799680e9afbe3a87e97b816d75dadef6cc9f926458c

Download Submit
C:\Windows\{CFE3BB96-9447-407d-AB98-AE229EB3180B}.exe

Filesize
168KB

MD5
24feded7ee77478254d1b987a3b406c7

SHA1
3a100b93249c9aeb1e9542b09995685a20b92073

SHA256
23e48619a69e9e14c23a6c392aed7a1c8934576cc9a5eb0a7eb64ac05e257de2

SHA512
f94f1768392c0cc06569b226080c1db1dcd1f1bb6b1a290bdb9aae2210179618dd66b7c327ead98f3ecb492e80c1160667755f0815c1b00aef487812b7e5a6d7

Download Submit
C:\Windows\{EF9D744E-67DB-446e-8F7D-A7686D084EB6}.exe

Filesize
168KB

MD5
837bb8991086ccf73cab25ebd71f483f

SHA1
817a7fb3222470c6f1127fae943724bf0d955e8a

SHA256
ad5cef74f097801d5102fd429414bddfcc7c3d5e79021880cf21a4410fd4b0de

SHA512
b6ad0daf9eb4d52f9b5fd519e89e35ba00e9c0f40889b78276677a72c5be91d8bfd00d6c1a10f1d16cb734e8310458892ec4f562c598ec26eab36ef645724733

Download Submit
C:\Windows\{FC95619B-F61B-4710-87D8-5324EBB3732D}.exe

Filesize
168KB

MD5
b36f4a128fb4ccc85b12bbb31f3164b0

SHA1
9f06837c49e0b8b73608da0a3eb8d928464cd3e4

SHA256
988198e4dea903090f66fa95c002b7b77951b411b0735b179957cf38425cf5a7

SHA512
c6447f3dfa3629473ce6c0cbb3c13f28ee80e2dd34d2d9695d80a83dfd36951bede2b13024990e5ba19712c00569cf01d612f96019256e6033a3d1965202c437

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads