0a411e5a493001d89f9455449eb04f07e34311224df8a0a7112acd42bdad0668

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe
Size

204KB
MD5

6aec37b3680afa76b11328f3f4e83ac4
SHA1

335a392a0169a5eb636d16096262d2366052cc92
SHA256

0a411e5a493001d89f9455449eb04f07e34311224df8a0a7112acd42bdad0668
SHA512

4807899e36c60b84abd0bf306fa6b195aab09b9bb83bc0dd10f4d4caac580f84b6cbde113105c2ba27a340e64816ac87c4da230bd6115e68a166039a009f9c29
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o1l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233eb-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233e3-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f2-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233e3-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f4-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f2-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f2-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233e2-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022aa3-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233e2-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{945C58EA-E766-4741-91AB-64F9E16A56D2}	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}\stubpath = "C:\\Windows\\{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}.exe"	{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{349E3866-993E-40bd-913A-E867F4A1800C}\stubpath = "C:\\Windows\\{349E3866-993E-40bd-913A-E867F4A1800C}.exe"	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F94D6A8-95F9-4707-A825-4C29815CFD8F}\stubpath = "C:\\Windows\\{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe"	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A51BE95-37AA-4f37-860A-8FB421D983A5}\stubpath = "C:\\Windows\\{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe"	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8C74B9A-5930-4e04-AAD2-93247BBB1373}\stubpath = "C:\\Windows\\{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe"	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}\stubpath = "C:\\Windows\\{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe"	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{349E3866-993E-40bd-913A-E867F4A1800C}	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A51BE95-37AA-4f37-860A-8FB421D983A5}	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0605F4AA-EEA2-4472-9256-1050CA0CE08D}\stubpath = "C:\\Windows\\{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe"	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2931382F-CB71-4dbc-AD30-84CA009ED83F}\stubpath = "C:\\Windows\\{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe"	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8C74B9A-5930-4e04-AAD2-93247BBB1373}	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{945C58EA-E766-4741-91AB-64F9E16A56D2}\stubpath = "C:\\Windows\\{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe"	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2931382F-CB71-4dbc-AD30-84CA009ED83F}	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}\stubpath = "C:\\Windows\\{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe"	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}\stubpath = "C:\\Windows\\{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe"	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F734453-3ECD-4e95-A09C-5E550399D17C}	{349E3866-993E-40bd-913A-E867F4A1800C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F94D6A8-95F9-4707-A825-4C29815CFD8F}	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F734453-3ECD-4e95-A09C-5E550399D17C}\stubpath = "C:\\Windows\\{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe"	{349E3866-993E-40bd-913A-E867F4A1800C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0605F4AA-EEA2-4472-9256-1050CA0CE08D}	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}	{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe
3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe
2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe
2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe
4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe
3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe
4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe
3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe
3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe
3204	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe
2344	{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe
4184	{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe	{349E3866-993E-40bd-913A-E867F4A1800C}.exe
File created	C:\Windows\{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe
File created	C:\Windows\{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe
File created	C:\Windows\{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe
File created	C:\Windows\{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe
File created	C:\Windows\{349E3866-993E-40bd-913A-E867F4A1800C}.exe	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe
File created	C:\Windows\{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe
File created	C:\Windows\{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe
File created	C:\Windows\{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}.exe	{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe
File created	C:\Windows\{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe
File created	C:\Windows\{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe
File created	C:\Windows\{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1752	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe
Token: SeIncBasePriorityPrivilege	3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe
Token: SeIncBasePriorityPrivilege	2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe
Token: SeIncBasePriorityPrivilege	2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe
Token: SeIncBasePriorityPrivilege	4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe
Token: SeIncBasePriorityPrivilege	3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe
Token: SeIncBasePriorityPrivilege	4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe
Token: SeIncBasePriorityPrivilege	3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe
Token: SeIncBasePriorityPrivilege	3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe
Token: SeIncBasePriorityPrivilege	3204	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe
Token: SeIncBasePriorityPrivilege	2344	{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 3652	1752	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe	102
PID 1752 wrote to memory of 3652	1752	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe	102
PID 1752 wrote to memory of 3652	1752	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe	102
PID 1752 wrote to memory of 464	1752	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe	103
PID 1752 wrote to memory of 464	1752	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe	103
PID 1752 wrote to memory of 464	1752	2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe	103
PID 3652 wrote to memory of 3556	3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe	104
PID 3652 wrote to memory of 3556	3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe	104
PID 3652 wrote to memory of 3556	3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe	104
PID 3652 wrote to memory of 536	3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe	105
PID 3652 wrote to memory of 536	3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe	105
PID 3652 wrote to memory of 536	3652	{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe	105
PID 3556 wrote to memory of 2184	3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe	108
PID 3556 wrote to memory of 2184	3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe	108
PID 3556 wrote to memory of 2184	3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe	108
PID 3556 wrote to memory of 2092	3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe	109
PID 3556 wrote to memory of 2092	3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe	109
PID 3556 wrote to memory of 2092	3556	{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe	109
PID 2184 wrote to memory of 2536	2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe	110
PID 2184 wrote to memory of 2536	2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe	110
PID 2184 wrote to memory of 2536	2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe	110
PID 2184 wrote to memory of 4276	2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe	111
PID 2184 wrote to memory of 4276	2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe	111
PID 2184 wrote to memory of 4276	2184	{349E3866-993E-40bd-913A-E867F4A1800C}.exe	111
PID 2536 wrote to memory of 4068	2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe	113
PID 2536 wrote to memory of 4068	2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe	113
PID 2536 wrote to memory of 4068	2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe	113
PID 2536 wrote to memory of 2848	2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe	114
PID 2536 wrote to memory of 2848	2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe	114
PID 2536 wrote to memory of 2848	2536	{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe	114
PID 4068 wrote to memory of 3652	4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe	119
PID 4068 wrote to memory of 3652	4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe	119
PID 4068 wrote to memory of 3652	4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe	119
PID 4068 wrote to memory of 1844	4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe	120
PID 4068 wrote to memory of 1844	4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe	120
PID 4068 wrote to memory of 1844	4068	{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe	120
PID 3652 wrote to memory of 4744	3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe	121
PID 3652 wrote to memory of 4744	3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe	121
PID 3652 wrote to memory of 4744	3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe	121
PID 3652 wrote to memory of 1236	3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe	122
PID 3652 wrote to memory of 1236	3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe	122
PID 3652 wrote to memory of 1236	3652	{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe	122
PID 4744 wrote to memory of 3876	4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe	127
PID 4744 wrote to memory of 3876	4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe	127
PID 4744 wrote to memory of 3876	4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe	127
PID 4744 wrote to memory of 1932	4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe	128
PID 4744 wrote to memory of 1932	4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe	128
PID 4744 wrote to memory of 1932	4744	{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe	128
PID 3876 wrote to memory of 3656	3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe	129
PID 3876 wrote to memory of 3656	3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe	129
PID 3876 wrote to memory of 3656	3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe	129
PID 3876 wrote to memory of 884	3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe	130
PID 3876 wrote to memory of 884	3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe	130
PID 3876 wrote to memory of 884	3876	{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe	130
PID 3656 wrote to memory of 3204	3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe	131
PID 3656 wrote to memory of 3204	3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe	131
PID 3656 wrote to memory of 3204	3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe	131
PID 3656 wrote to memory of 5000	3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe	132
PID 3656 wrote to memory of 5000	3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe	132
PID 3656 wrote to memory of 5000	3656	{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe	132
PID 3204 wrote to memory of 2344	3204	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe	135
PID 3204 wrote to memory of 2344	3204	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe	135
PID 3204 wrote to memory of 2344	3204	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe	135
PID 3204 wrote to memory of 420	3204	{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_6aec37b3680afa76b11328f3f4e83ac4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe
  C:\Windows\{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe
    C:\Windows\{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\{349E3866-993E-40bd-913A-E867F4A1800C}.exe
      C:\Windows\{349E3866-993E-40bd-913A-E867F4A1800C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe
        
        C:\Windows\{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe
        
        C:\Windows\{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe
        
        C:\Windows\{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe
        
        C:\Windows\{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe
        
        C:\Windows\{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe
        
        C:\Windows\{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe
        
        C:\Windows\{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe
        
        C:\Windows\{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}.exe
        
        C:\Windows\{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29313~1.EXE > nul
        13⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0605F~1.EXE > nul
        12⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{945C5~1.EXE > nul
        11⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C93~1.EXE > nul
        10⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C74~1.EXE > nul
        9⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A51B~1.EXE > nul
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F94D~1.EXE > nul
        7⤵
        
        PID:1844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F734~1.EXE > nul
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{349E3~1.EXE > nul
        5⤵
        
        PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F751~1.EXE > nul
      4⤵
      PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C0F4~1.EXE > nul
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0605F4AA-EEA2-4472-9256-1050CA0CE08D}.exe

Filesize
204KB

MD5
6204852e8ae5ad30fbfc5e936cf7f6bd

SHA1
ea3710dd8160acf3361802aafce5693c9a2a21b3

SHA256
113ee45c895e1c7fcfe9d0d00d05b7a9478fc2afb476e3d543cb3a00f9376274

SHA512
efba636e5486fc8d305378e56906808198659123ce465a5f99bb9c8584194345136592187a078f9c676f05b7c9ce646f84622b1c4aebcbb7dc44a8e6bce17755

Download Submit
C:\Windows\{0C0F466E-61A1-4ae9-8B23-72FEA72B4458}.exe

Filesize
204KB

MD5
1b4637e3eb6d3fe51d8375fd67afd70d

SHA1
f64544ff3cd454c9e593f49200007d2eb77e3908

SHA256
64e11ef1278db5a744282e7da94bd72bf90c1db702b7dbd8f888068d14fdf205

SHA512
4ff7a217bd180681e3db9443513e4c0f14d06b5663e82964be4b13a6c2dbf9f2f22d56b008eab3ccdf327a1f6437694f502438fb1a54952f56a19a375bcd5352

Download Submit
C:\Windows\{0F734453-3ECD-4e95-A09C-5E550399D17C}.exe

Filesize
204KB

MD5
0d1307697a75ae0fd87614a8ba087b5c

SHA1
998a732bf669e3ee96545b8a56c86f8b9fbcb184

SHA256
a9156ba6068caf5bfe4876295fc0815ff379e81bcd650b45360761fbc325f675

SHA512
c5914b3122599d15a6f109610923f9a3fa1430f3e02c233b1511603f564133d3b9b3a05dc69781e89be98014207beb3618dee30cce3c1808309e9390bc78dc5c

Download Submit
C:\Windows\{1F751C2A-0AE9-44bd-994D-C8B2096A6CA8}.exe

Filesize
204KB

MD5
174bf7b6e5f56d527e992b6178325d60

SHA1
64437f399c5d82e21ce5f5d1030648230d0fb7df

SHA256
a6f5c9fe3c169574a4007ee6d99b62a506b25e8ec9112269fa0b19443d4da509

SHA512
fa56cfd956225efbcf0f152d286a06ebe2710388e3b759fcd4f2abdb84f2a7384358f66d2fe2fcc527447c6a3cb15ec58fbf384db5364039d80e78654e00ec58

Download Submit
C:\Windows\{2931382F-CB71-4dbc-AD30-84CA009ED83F}.exe

Filesize
204KB

MD5
53a7e2763cf71385b48b97552ab849b2

SHA1
b05d21f421de850c9c8adbadd7137aa838a5c193

SHA256
075b787d054cc8a69032de37b2f8c384c4a91c0edaef097b9d5432d67f87367c

SHA512
ca1467af5936d1ad38371e5865edbd80607eaa7e2057bc3eb824860b098bb02f3167be577a501a2b553152b8acedcc0764377e5da687cafd0ca3fc7fbfb57ff9

Download Submit
C:\Windows\{349E3866-993E-40bd-913A-E867F4A1800C}.exe

Filesize
204KB

MD5
ff9ac1d82039e2d0caaf79f0c47c2cc3

SHA1
2a020d71cb7695f10ca14b061958534f29509d5f

SHA256
0af7d4a9bdba13a3afc49ca6acbb44830d258a7434fb0e3e3b68aa7384308c86

SHA512
ecea9b3e117f969ba91b71001b6a9381366640f50ff5c2dc86c146c81461eddfd567e3db94c7da0b92e6c928c1f626ccc58da15b201c07895e7cb2b88cc75d8f

Download Submit
C:\Windows\{3F94D6A8-95F9-4707-A825-4C29815CFD8F}.exe

Filesize
204KB

MD5
fb72e67cbcc511402c495267094935c1

SHA1
a38a213bbb8a270446f39ac920826ca6f6ec91d4

SHA256
afbbbfe1f48c59a838cbd2b5290162fab5a8a0bc1f2889b94f9279b32fbc848f

SHA512
fc7fe11eaae3111d2dd32adc8ab3af3c2ca9f8a2d308a0b9d764c726a65a7d87a3b4351e06b3f38fdc1f27620d63d78472544da68fb6af3e1536d5fa2a28af53

Download Submit
C:\Windows\{945C58EA-E766-4741-91AB-64F9E16A56D2}.exe

Filesize
204KB

MD5
fc232f7e35e20f660da2b739cbd6594e

SHA1
73fda9fdc58ba4081ae7e4cf64d1b9630a89cf6a

SHA256
1b8d6c21d8fb5589afa4ae38ad256d307f2ed17c1476863cacccfa8684e4a68e

SHA512
265610704d60571b5eaaa79795c5971761e4624104a176af44a03e56c9d8b58d8f5dcd04ce06743ba59a79c7596716ae1c217f6381d0426a9bfe9471c6811745

Download Submit
C:\Windows\{9A51BE95-37AA-4f37-860A-8FB421D983A5}.exe

Filesize
204KB

MD5
b14870a572bb719c11255f8a3039c3e1

SHA1
ecb1f4a63b094787e6f5c3433d6c76d6b6fd761c

SHA256
48f39dbe6bc144163a131efcc53e8918cc25cc66b08a535bb43108c130aa5276

SHA512
e329ed43f09a741447962f4baee0c1a2458aa401a64c38396ad311854c1e5e9b7c6cd2bfdf102fcfeed3dddc744d876a6ac0af2ee452328d4e76968779ca76a4

Download Submit
C:\Windows\{D7C93BF0-A40B-4ae6-BDB7-DB69C6242ABB}.exe

Filesize
204KB

MD5
c7ef55c155f64921a5e64886a0660ab2

SHA1
962041ebfc55287c6097574ae7d94f2184198258

SHA256
edcec01b46579991afcc81062e39cb97ca2bc1097ccd8ab6ac110206460c2e26

SHA512
79388b48ae9bbd92b04ab02a119a5b2eaac20e394d058fdd06461958da620d37de14fbcc1f3bf589d955018bb772c233c986f6c10933bda64e1067c049c62909

Download Submit
C:\Windows\{F4ACF822-318D-4c9d-BE28-F36EEEE4394F}.exe

Filesize
204KB

MD5
1855aa40eeface91230b7ce9f76743be

SHA1
b3b4e4a57ba4b6da06ac89ef26bd429ca2f9c097

SHA256
17d243b626c8ca8202f936429a7a9a0682a3a23406484e6c086aec337d829bde

SHA512
4604b915ea627800ff3314c8dedf75e5206375a169bfd34223e642411c9d4976075c8de6c010112a7c2f53b8d1768ba801c8696bc1118ca6b020763285b9878d

Download Submit
C:\Windows\{F8C74B9A-5930-4e04-AAD2-93247BBB1373}.exe

Filesize
204KB

MD5
abbb96276a87af7b56f8ecffb30a61c4

SHA1
ab2b6dfdb50d004d7555148f651b79a3934e66b9

SHA256
c876ba1ec073f99b33b9c5b096bd34ec47ec2645d9000519af74b2ae038f09db

SHA512
09bc4e92b4e16a2e3dc9ac7db58641502c1472233870867aea74958612319c95b792e65f8c6ce6ee8308c445cfa74c6f81a81080622548df9f8d8aefc8b1ec21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads