bddf241fe184ab55b39ee163b5df8b7e636a51df2d4e4e5ad438504176434cc4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe
Size

380KB
MD5

f244127dd33a5a42ef3f5be3fefafbdc
SHA1

e4cc34240a4cc5ed28ed9b28a21c919bd6715f46
SHA256

bddf241fe184ab55b39ee163b5df8b7e636a51df2d4e4e5ad438504176434cc4
SHA512

f76dd156784af59154db42b3b8e02618327d522f456a14f9142192bfedd5e187b59b7b7193a1318aa51ed4bfffb2dcd8e5606e25e8ae4494fcbde87961b4a0e4
SSDEEP

3072:mEGh0oLlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGJl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023433-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002352b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023531-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db28-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db58-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db28-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db58-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db28-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023548-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001db28-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001db71-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002337c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E995200-40AB-4c61-BA62-97D2F48578A6}	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D87163-8F1B-4d30-8CBF-9C818E383863}	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3C82A62-7121-40a7-8211-C30C9B17986A}\stubpath = "C:\\Windows\\{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe"	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}	{3C868703-DF48-4224-95F0-51F918FEE619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}\stubpath = "C:\\Windows\\{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe"	{3C868703-DF48-4224-95F0-51F918FEE619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3375F6C5-2071-4391-B850-71504D099F7B}\stubpath = "C:\\Windows\\{3375F6C5-2071-4391-B850-71504D099F7B}.exe"	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D87163-8F1B-4d30-8CBF-9C818E383863}\stubpath = "C:\\Windows\\{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe"	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52A73C02-8094-4078-AAF4-FF33F2485647}	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A1336-5AE6-42b5-8904-CB1D355BED36}\stubpath = "C:\\Windows\\{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe"	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47937BB0-0215-4b88-9B3F-57EA1F90A807}	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E995200-40AB-4c61-BA62-97D2F48578A6}\stubpath = "C:\\Windows\\{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe"	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}	{3375F6C5-2071-4391-B850-71504D099F7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}\stubpath = "C:\\Windows\\{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe"	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C868703-DF48-4224-95F0-51F918FEE619}	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C868703-DF48-4224-95F0-51F918FEE619}\stubpath = "C:\\Windows\\{3C868703-DF48-4224-95F0-51F918FEE619}.exe"	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC974DB-7550-487b-B368-5E779DC2EB54}	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC974DB-7550-487b-B368-5E779DC2EB54}\stubpath = "C:\\Windows\\{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe"	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52A73C02-8094-4078-AAF4-FF33F2485647}\stubpath = "C:\\Windows\\{52A73C02-8094-4078-AAF4-FF33F2485647}.exe"	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3375F6C5-2071-4391-B850-71504D099F7B}	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}\stubpath = "C:\\Windows\\{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}.exe"	{3375F6C5-2071-4391-B850-71504D099F7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3C82A62-7121-40a7-8211-C30C9B17986A}	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A1336-5AE6-42b5-8904-CB1D355BED36}	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47937BB0-0215-4b88-9B3F-57EA1F90A807}\stubpath = "C:\\Windows\\{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe"	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe

Executes dropped EXE 12 IoCs

pid	Process
1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe
4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe
4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe
1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe
2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe
2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe
4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe
3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe
1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe
3824	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe
1968	{3375F6C5-2071-4391-B850-71504D099F7B}.exe
4532	{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe
File created	C:\Windows\{3C868703-DF48-4224-95F0-51F918FEE619}.exe	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe
File created	C:\Windows\{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe
File created	C:\Windows\{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe
File created	C:\Windows\{52A73C02-8094-4078-AAF4-FF33F2485647}.exe	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe
File created	C:\Windows\{3375F6C5-2071-4391-B850-71504D099F7B}.exe	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe
File created	C:\Windows\{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}.exe	{3375F6C5-2071-4391-B850-71504D099F7B}.exe
File created	C:\Windows\{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe
File created	C:\Windows\{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe	{3C868703-DF48-4224-95F0-51F918FEE619}.exe
File created	C:\Windows\{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe
File created	C:\Windows\{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe
File created	C:\Windows\{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1136	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe
Token: SeIncBasePriorityPrivilege	4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe
Token: SeIncBasePriorityPrivilege	4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe
Token: SeIncBasePriorityPrivilege	1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe
Token: SeIncBasePriorityPrivilege	2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe
Token: SeIncBasePriorityPrivilege	2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe
Token: SeIncBasePriorityPrivilege	4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe
Token: SeIncBasePriorityPrivilege	3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe
Token: SeIncBasePriorityPrivilege	1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe
Token: SeIncBasePriorityPrivilege	3824	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe
Token: SeIncBasePriorityPrivilege	1968	{3375F6C5-2071-4391-B850-71504D099F7B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1120	1136	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe	97
PID 1136 wrote to memory of 1120	1136	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe	97
PID 1136 wrote to memory of 1120	1136	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe	97
PID 1136 wrote to memory of 1916	1136	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe	98
PID 1136 wrote to memory of 1916	1136	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe	98
PID 1136 wrote to memory of 1916	1136	2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe	98
PID 1120 wrote to memory of 4984	1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe	100
PID 1120 wrote to memory of 4984	1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe	100
PID 1120 wrote to memory of 4984	1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe	100
PID 1120 wrote to memory of 1328	1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe	101
PID 1120 wrote to memory of 1328	1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe	101
PID 1120 wrote to memory of 1328	1120	{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe	101
PID 4984 wrote to memory of 4104	4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe	104
PID 4984 wrote to memory of 4104	4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe	104
PID 4984 wrote to memory of 4104	4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe	104
PID 4984 wrote to memory of 1136	4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe	105
PID 4984 wrote to memory of 1136	4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe	105
PID 4984 wrote to memory of 1136	4984	{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe	105
PID 4104 wrote to memory of 1876	4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe	106
PID 4104 wrote to memory of 1876	4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe	106
PID 4104 wrote to memory of 1876	4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe	106
PID 4104 wrote to memory of 4444	4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe	107
PID 4104 wrote to memory of 4444	4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe	107
PID 4104 wrote to memory of 4444	4104	{3C868703-DF48-4224-95F0-51F918FEE619}.exe	107
PID 1876 wrote to memory of 2248	1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe	109
PID 1876 wrote to memory of 2248	1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe	109
PID 1876 wrote to memory of 2248	1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe	109
PID 1876 wrote to memory of 2232	1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe	110
PID 1876 wrote to memory of 2232	1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe	110
PID 1876 wrote to memory of 2232	1876	{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe	110
PID 2248 wrote to memory of 2876	2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe	111
PID 2248 wrote to memory of 2876	2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe	111
PID 2248 wrote to memory of 2876	2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe	111
PID 2248 wrote to memory of 2536	2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe	112
PID 2248 wrote to memory of 2536	2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe	112
PID 2248 wrote to memory of 2536	2248	{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe	112
PID 2876 wrote to memory of 4524	2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe	113
PID 2876 wrote to memory of 4524	2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe	113
PID 2876 wrote to memory of 4524	2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe	113
PID 2876 wrote to memory of 4700	2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe	114
PID 2876 wrote to memory of 4700	2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe	114
PID 2876 wrote to memory of 4700	2876	{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe	114
PID 4524 wrote to memory of 3972	4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe	115
PID 4524 wrote to memory of 3972	4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe	115
PID 4524 wrote to memory of 3972	4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe	115
PID 4524 wrote to memory of 3364	4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe	116
PID 4524 wrote to memory of 3364	4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe	116
PID 4524 wrote to memory of 3364	4524	{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe	116
PID 3972 wrote to memory of 1632	3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe	121
PID 3972 wrote to memory of 1632	3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe	121
PID 3972 wrote to memory of 1632	3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe	121
PID 3972 wrote to memory of 4592	3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe	122
PID 3972 wrote to memory of 4592	3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe	122
PID 3972 wrote to memory of 4592	3972	{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe	122
PID 1632 wrote to memory of 3824	1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe	127
PID 1632 wrote to memory of 3824	1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe	127
PID 1632 wrote to memory of 3824	1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe	127
PID 1632 wrote to memory of 1788	1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe	128
PID 1632 wrote to memory of 1788	1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe	128
PID 1632 wrote to memory of 1788	1632	{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe	128
PID 3824 wrote to memory of 1968	3824	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe	129
PID 3824 wrote to memory of 1968	3824	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe	129
PID 3824 wrote to memory of 1968	3824	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe	129
PID 3824 wrote to memory of 2468	3824	{52A73C02-8094-4078-AAF4-FF33F2485647}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_f244127dd33a5a42ef3f5be3fefafbdc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe
  C:\Windows\{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe
    C:\Windows\{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\{3C868703-DF48-4224-95F0-51F918FEE619}.exe
      C:\Windows\{3C868703-DF48-4224-95F0-51F918FEE619}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe
        
        C:\Windows\{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe
        
        C:\Windows\{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe
        
        C:\Windows\{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe
        
        C:\Windows\{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe
        
        C:\Windows\{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe
        
        C:\Windows\{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{52A73C02-8094-4078-AAF4-FF33F2485647}.exe
        
        C:\Windows\{52A73C02-8094-4078-AAF4-FF33F2485647}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{3375F6C5-2071-4391-B850-71504D099F7B}.exe
        
        C:\Windows\{3375F6C5-2071-4391-B850-71504D099F7B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}.exe
        
        C:\Windows\{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3375F~1.EXE > nul
        13⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52A73~1.EXE > nul
        12⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AC97~1.EXE > nul
        11⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79D87~1.EXE > nul
        10⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E995~1.EXE > nul
        9⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47937~1.EXE > nul
        8⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{771A1~1.EXE > nul
        7⤵
        
        PID:2536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A16D~1.EXE > nul
        6⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C868~1.EXE > nul
        5⤵
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E8BB~1.EXE > nul
      4⤵
      PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3C82~1.EXE > nul
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E8BBBC2-E0B8-4861-AC5A-34BC599FB6E1}.exe

Filesize
380KB

MD5
dfb8731070a47b91aa00ae639eed8bc6

SHA1
94dd2568b79bb406c71af92104099b579eca87b5

SHA256
5d4e31950b39c95ab6fd042aeaa8f75bd80a0df2b10a6a220b3292beff19fa86

SHA512
7a36a6036638d882e963f63a864171b0e8b0e0099dd0153c41d6231061467efbf0644bdfa38dffe78dba7f5500ac53e3b536d47b6dd018d9da0905499ef42993

Download Submit
C:\Windows\{3375F6C5-2071-4391-B850-71504D099F7B}.exe

Filesize
380KB

MD5
6a7aa8e6724795830210f9bc8ea3f8ca

SHA1
d3c97e9bf2c3cefd05ca9a99b9767d49bff8d8ef

SHA256
94a95611f451453ab322c724feb020cdd0d5bd57a93a7f3a52f440687ce8fbf9

SHA512
50dd6732aaab52794846ecc5ea42cf82a46cda4a74b4e0f8ed133bfde78eb299c8a311b39410517086185c74c35b3cfe8a636e07e0efe3b28993a51d0063cb07

Download Submit
C:\Windows\{3A16D711-B51F-4dd2-BFE7-8FE5FD04ACBD}.exe

Filesize
380KB

MD5
7114365d39455a6b1668c0f78501efd0

SHA1
6474b1082d299a927683790498edf0126e997a88

SHA256
4a195050338bc56b72a7836e9f8ca16eacbbed49bd615010675c04ecfefc58bf

SHA512
60496f2a63a6917dcc83c9adcfa61d9da7e74ab26fc99a08aea9a4b5a2ddb1a531aa601a57194a4abd1dd1fadaac1b5ab14825d4b488ba876af4f66c64bcb945

Download Submit
C:\Windows\{3C868703-DF48-4224-95F0-51F918FEE619}.exe

Filesize
380KB

MD5
be197a0265a17e7de4d8eff10a098d92

SHA1
f0b37a447c4ae18a306109f73545a9efeab4acb4

SHA256
fab0636c86801652f3947246ec299bdf3f13313294d0f1d361c0476262a7257c

SHA512
5b6553325f59934a00cf1f790ac1c17f48a532ca8bca60656ff62d0e4564e39e2d391f8062b51352722619cd57baca2cce80d59405bb4b65b0ff756eded36e6c

Download Submit
C:\Windows\{47937BB0-0215-4b88-9B3F-57EA1F90A807}.exe

Filesize
380KB

MD5
75e55707c384a46ce3226f6026d618ba

SHA1
8fb7b28b0bcd95541a04a8dcd418025204c1ee81

SHA256
69ddf08790ecbfc9b441624c0d91e69becef74f06f98924db22ebe8eef5369e3

SHA512
5aa2be15a5369f99c153b9466cf177771e55e44d738b0d09a88fdcd676c3fa82388de8cd22b9e22b7cb24abf9c018b75e43433b71ba43cf3733d4f265999fd74

Download Submit
C:\Windows\{52A73C02-8094-4078-AAF4-FF33F2485647}.exe

Filesize
380KB

MD5
4351bec9e6df3f009cc8b7137ce735c7

SHA1
e01a73d1892017f820584d411561c391aa418b4e

SHA256
82b707ded55c6cfc6ced0835bd1d5b957df789b9e475bc7ef5128151e74c646b

SHA512
8ecfd9eb18bbb96bb7390221e59235221f488f27604f17652a4af96a5fdf0bf73fdddccde01cb7e3f9be329b3e6f6a3cd48361a98d04c5ecf1076d82b0b6b19b

Download Submit
C:\Windows\{5AC974DB-7550-487b-B368-5E779DC2EB54}.exe

Filesize
380KB

MD5
3491e363c7a64ddfb1d9125ae3ec6daa

SHA1
f810df174ef4caf835c1c231cf4964ca0fbe30bb

SHA256
9d5adc05690b4937b105a68542136f5307ec7e8c4fe549dc793644a8c500bddc

SHA512
a43c65413d56c4948ec48b48cd4aa94d764da42a64d051dc2d00c2d884d20f06cc4f55451159801ef7fd94cffc1295300a15c76be9356d1e13df295db2463ff0

Download Submit
C:\Windows\{771A1336-5AE6-42b5-8904-CB1D355BED36}.exe

Filesize
380KB

MD5
783ac5774fd5fa6017d12cc33747391c

SHA1
317eacdd2abbd804b954dc37af7a9bb182e62836

SHA256
c315a4e2b32d726e58725d04a854864f6a2a00f67a86cd3767a0f198fd78b0b6

SHA512
ce5a566fc71c0c5c1e4abe52155f76d74414671e732802fa04869ce2b1d21834a35cda8ceced40ca67ca5550ea5f1c47f2075afeb9a81ea15c953fcf788b7676

Download Submit
C:\Windows\{79D87163-8F1B-4d30-8CBF-9C818E383863}.exe

Filesize
380KB

MD5
265bf78c07fa0d655e2803272b3e768c

SHA1
c7f60b35a467ab1d5b520e4ed9580b6c9980f19c

SHA256
0978f61c3e19447f509fcd58985279c51a0c1547f7c7f2095c8254edf9f38902

SHA512
d4388c3ee699faf2745f2eebe122a7df840198bb35ed8e1ca0541d82a3ff3ee8c2a849b3904ffe08ba120e2a150cedcf42ed8a6064a4ffe52f4c496ee64beef1

Download Submit
C:\Windows\{7E995200-40AB-4c61-BA62-97D2F48578A6}.exe

Filesize
380KB

MD5
500a41b3bd1c4dbc38739943a6dcf9eb

SHA1
07db77c9215419702661b2ac60ec4e9f5ab3330d

SHA256
e1515d538c05bd974abbe374c6e48d5353457690e3fa9eda90dcc0beabcdc9f8

SHA512
d0e15b2650e924c0fe065546cb81ed9ddfb1e1f9e738cb083b04393be1bcfdd6ff7d19530149373013b4c46209857b13b5f0dbb1190de5acb277b43dabbb6c5b

Download Submit
C:\Windows\{D851EDE0-6F52-45fc-915A-C21D2B1C8BBF}.exe

Filesize
380KB

MD5
2f3c67ef19957fecbdaee6b5b33a19b7

SHA1
d13af772c482ef27dc29d4109347dfc17fd22fcf

SHA256
ec7d2043ee5be5bb23097c16c1d52f648e27409a42f0d4c32d23b382cec7e5c6

SHA512
ca794e324bfbc9871fe104b00470d89065fdba37511692cb4f7b07a8c4bea1113fc748c69f85fd47d3c5e52973474c235869633a2f58dd2e6f089912bc226c97

Download Submit
C:\Windows\{F3C82A62-7121-40a7-8211-C30C9B17986A}.exe

Filesize
380KB

MD5
b352c4d3beb184b97e04e85195a58a9b

SHA1
8967ce20ccec3176ca42649d6b4f170284a9ae00

SHA256
9aa060040d40975a4a6ebc628d1c6d73e3ad6200ac1018c53e5888cde25f112c

SHA512
fc594c12cfe0cf7e5c48318ecf4174d511578b716fc1802137d7d44985f7174276574e3acde7729e129961927bc375bd8b8e5ee655b6edbdfc0bf2610bbf651c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads