24d9a6fc0f82101b6ef2777e35af7cebf3d6ba8d71fc3efff7673bbae84459c8

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Size

408KB
MD5

49bc73a2a4faf4559c14ef64b382cee0
SHA1

86cf75e333ca717841926e1da05eda373584596a
SHA256

24d9a6fc0f82101b6ef2777e35af7cebf3d6ba8d71fc3efff7673bbae84459c8
SHA512

d8b120f8c7767dff837980c87f88b7c775fc8ba8a47b9badf1fed7a0aaa2da42a6183bbe3e90b440de9b5a7369321a1e6fe2299dafec7f80003fbdfd222e4ac7
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023419-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002341a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023421-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002341a-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002337e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023428-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002337e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023434-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002337e-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023412-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002337c-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023412-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}\stubpath = "C:\\Windows\\{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe"	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404B45C2-B551-445d-BDAE-5CDF9611423C}\stubpath = "C:\\Windows\\{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe"	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC09A29-1967-4382-B84D-09583000E056}	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1448606-D6FA-4101-9583-FAAF228DE803}	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1448606-D6FA-4101-9583-FAAF228DE803}\stubpath = "C:\\Windows\\{C1448606-D6FA-4101-9583-FAAF228DE803}.exe"	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC09A29-1967-4382-B84D-09583000E056}\stubpath = "C:\\Windows\\{1EC09A29-1967-4382-B84D-09583000E056}.exe"	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}	{1EC09A29-1967-4382-B84D-09583000E056}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}\stubpath = "C:\\Windows\\{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe"	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FB8DFCC-A395-4812-9742-5A5EB8806F63}	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A82E01F-D333-4463-9238-F04FB8A65904}\stubpath = "C:\\Windows\\{7A82E01F-D333-4463-9238-F04FB8A65904}.exe"	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438AD48F-B8EF-4919-9F4E-97345B7C1F34}	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438AD48F-B8EF-4919-9F4E-97345B7C1F34}\stubpath = "C:\\Windows\\{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe"	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FB8DFCC-A395-4812-9742-5A5EB8806F63}\stubpath = "C:\\Windows\\{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe"	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B1258B2-CA79-4170-B7B8-81746F4FF850}	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE17A1C-A336-41a3-8B20-AD450DA40231}\stubpath = "C:\\Windows\\{8CE17A1C-A336-41a3-8B20-AD450DA40231}.exe"	{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}\stubpath = "C:\\Windows\\{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe"	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B1258B2-CA79-4170-B7B8-81746F4FF850}\stubpath = "C:\\Windows\\{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe"	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CE17A1C-A336-41a3-8B20-AD450DA40231}	{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A82E01F-D333-4463-9238-F04FB8A65904}	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}\stubpath = "C:\\Windows\\{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe"	{1EC09A29-1967-4382-B84D-09583000E056}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404B45C2-B551-445d-BDAE-5CDF9611423C}	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe

Executes dropped EXE 12 IoCs

pid	Process
3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe
4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe
3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe
4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe
3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe
916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe
3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe
1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe
2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe
3928	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe
3900	{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe
1512	{8CE17A1C-A336-41a3-8B20-AD450DA40231}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7A82E01F-D333-4463-9238-F04FB8A65904}.exe	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
File created	C:\Windows\{1EC09A29-1967-4382-B84D-09583000E056}.exe	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe
File created	C:\Windows\{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe	{1EC09A29-1967-4382-B84D-09583000E056}.exe
File created	C:\Windows\{C1448606-D6FA-4101-9583-FAAF228DE803}.exe	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe
File created	C:\Windows\{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe
File created	C:\Windows\{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe
File created	C:\Windows\{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe
File created	C:\Windows\{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe
File created	C:\Windows\{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe
File created	C:\Windows\{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe
File created	C:\Windows\{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe
File created	C:\Windows\{8CE17A1C-A336-41a3-8B20-AD450DA40231}.exe	{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3940	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe
Token: SeIncBasePriorityPrivilege	4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe
Token: SeIncBasePriorityPrivilege	3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe
Token: SeIncBasePriorityPrivilege	4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe
Token: SeIncBasePriorityPrivilege	3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe
Token: SeIncBasePriorityPrivilege	916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe
Token: SeIncBasePriorityPrivilege	3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe
Token: SeIncBasePriorityPrivilege	1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe
Token: SeIncBasePriorityPrivilege	2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe
Token: SeIncBasePriorityPrivilege	3928	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe
Token: SeIncBasePriorityPrivilege	3900	{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 3348	3940	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	101
PID 3940 wrote to memory of 3348	3940	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	101
PID 3940 wrote to memory of 3348	3940	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	101
PID 3940 wrote to memory of 3744	3940	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	102
PID 3940 wrote to memory of 3744	3940	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	102
PID 3940 wrote to memory of 3744	3940	2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe	102
PID 3348 wrote to memory of 4840	3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe	103
PID 3348 wrote to memory of 4840	3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe	103
PID 3348 wrote to memory of 4840	3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe	103
PID 3348 wrote to memory of 1724	3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe	104
PID 3348 wrote to memory of 1724	3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe	104
PID 3348 wrote to memory of 1724	3348	{7A82E01F-D333-4463-9238-F04FB8A65904}.exe	104
PID 4840 wrote to memory of 3660	4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe	107
PID 4840 wrote to memory of 3660	4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe	107
PID 4840 wrote to memory of 3660	4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe	107
PID 4840 wrote to memory of 2328	4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe	108
PID 4840 wrote to memory of 2328	4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe	108
PID 4840 wrote to memory of 2328	4840	{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe	108
PID 3660 wrote to memory of 4200	3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe	109
PID 3660 wrote to memory of 4200	3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe	109
PID 3660 wrote to memory of 4200	3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe	109
PID 3660 wrote to memory of 4680	3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe	110
PID 3660 wrote to memory of 4680	3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe	110
PID 3660 wrote to memory of 4680	3660	{1EC09A29-1967-4382-B84D-09583000E056}.exe	110
PID 4200 wrote to memory of 3744	4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe	112
PID 4200 wrote to memory of 3744	4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe	112
PID 4200 wrote to memory of 3744	4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe	112
PID 4200 wrote to memory of 840	4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe	113
PID 4200 wrote to memory of 840	4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe	113
PID 4200 wrote to memory of 840	4200	{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe	113
PID 3744 wrote to memory of 916	3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe	118
PID 3744 wrote to memory of 916	3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe	118
PID 3744 wrote to memory of 916	3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe	118
PID 3744 wrote to memory of 4308	3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe	119
PID 3744 wrote to memory of 4308	3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe	119
PID 3744 wrote to memory of 4308	3744	{C1448606-D6FA-4101-9583-FAAF228DE803}.exe	119
PID 916 wrote to memory of 3552	916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe	120
PID 916 wrote to memory of 3552	916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe	120
PID 916 wrote to memory of 3552	916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe	120
PID 916 wrote to memory of 2980	916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe	121
PID 916 wrote to memory of 2980	916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe	121
PID 916 wrote to memory of 2980	916	{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe	121
PID 3552 wrote to memory of 1064	3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe	129
PID 3552 wrote to memory of 1064	3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe	129
PID 3552 wrote to memory of 1064	3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe	129
PID 3552 wrote to memory of 2024	3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe	130
PID 3552 wrote to memory of 2024	3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe	130
PID 3552 wrote to memory of 2024	3552	{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe	130
PID 1064 wrote to memory of 2208	1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe	131
PID 1064 wrote to memory of 2208	1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe	131
PID 1064 wrote to memory of 2208	1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe	131
PID 1064 wrote to memory of 1796	1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe	132
PID 1064 wrote to memory of 1796	1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe	132
PID 1064 wrote to memory of 1796	1064	{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe	132
PID 2208 wrote to memory of 3928	2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe	133
PID 2208 wrote to memory of 3928	2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe	133
PID 2208 wrote to memory of 3928	2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe	133
PID 2208 wrote to memory of 1444	2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe	134
PID 2208 wrote to memory of 1444	2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe	134
PID 2208 wrote to memory of 1444	2208	{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe	134
PID 3928 wrote to memory of 3900	3928	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe	137
PID 3928 wrote to memory of 3900	3928	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe	137
PID 3928 wrote to memory of 3900	3928	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe	137
PID 3928 wrote to memory of 1208	3928	{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_49bc73a2a4faf4559c14ef64b382cee0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\{7A82E01F-D333-4463-9238-F04FB8A65904}.exe
  C:\Windows\{7A82E01F-D333-4463-9238-F04FB8A65904}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe
    C:\Windows\{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\{1EC09A29-1967-4382-B84D-09583000E056}.exe
      C:\Windows\{1EC09A29-1967-4382-B84D-09583000E056}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe
        
        C:\Windows\{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\{C1448606-D6FA-4101-9583-FAAF228DE803}.exe
        
        C:\Windows\{C1448606-D6FA-4101-9583-FAAF228DE803}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe
        
        C:\Windows\{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe
        
        C:\Windows\{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe
        
        C:\Windows\{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe
        
        C:\Windows\{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe
        
        C:\Windows\{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe
        
        C:\Windows\{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Windows\{8CE17A1C-A336-41a3-8B20-AD450DA40231}.exe
        
        C:\Windows\{8CE17A1C-A336-41a3-8B20-AD450DA40231}.exe
        13⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{404B4~1.EXE > nul
        13⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B125~1.EXE > nul
        12⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FB8D~1.EXE > nul
        11⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E486A~1.EXE > nul
        10⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E736~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B925D~1.EXE > nul
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1448~1.EXE > nul
        7⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A516C~1.EXE > nul
        6⤵
        
        PID:840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC09~1.EXE > nul
        5⤵
        
        PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{438AD~1.EXE > nul
      4⤵
      PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A82E~1.EXE > nul
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B1258B2-CA79-4170-B7B8-81746F4FF850}.exe

Filesize
408KB

MD5
ab7fdbc2d5f3a2796c07a538e4c30881

SHA1
8fa050af005adc61d12588cbe494d3162ade0f47

SHA256
1857b0245e5f905312d3851ced162fc1265d8e853ca7254426704322a81eca46

SHA512
86b86f71cf072b82e7f65621c89223f0c566469257b82fd8207a62696eedc724d71ccacf1de785fb24422bcf86986b40dad5e009ebfe523deed125e9beb620b0

Download Submit
C:\Windows\{1EC09A29-1967-4382-B84D-09583000E056}.exe

Filesize
408KB

MD5
04cf40d368adf49cbb4ff5a41c8a2b0a

SHA1
23cd03de4ddadce6538d56805617ddf1489d8d90

SHA256
5e466c1f05927fadb5a6dec1aded119de3fffd40fd57a95e3380f73a3f554ce8

SHA512
702c765cb1b441fe70ce8e2323c9911de09ff967d497033d05ff8240249fecc2ba29522a374e1dea7438f38ca8f4351a4e4959b35e0d47993b65470bf0759047

Download Submit
C:\Windows\{404B45C2-B551-445d-BDAE-5CDF9611423C}.exe

Filesize
408KB

MD5
5364d4062bcdb9d323e695cc006c2a2f

SHA1
86b48433fd976bc46ca17c9172b6568da3a546fc

SHA256
e8ddf7128099e06fd2ca3d6d63eac1c9b143b87829ea57fc533940bbc69913bf

SHA512
119011b221d0beee4b4c200831112acee2fdf56e8ca4f4e67a8768eeee74c3dc8fb25a39c5e8e4bce67857c8df04e42f0b6d5ab9b24108d3aec1a6c3964ae308

Download Submit
C:\Windows\{438AD48F-B8EF-4919-9F4E-97345B7C1F34}.exe

Filesize
408KB

MD5
4c31bfeb3340173d50f9a32594c4e7d6

SHA1
571314bb1512b5f5e7cbb55eccf555f76201fc9d

SHA256
a0d8868c96a13d0bdea1c7e9ddc67860d695145c73810263d0b9b7e5d2f7aec5

SHA512
e33c81b53cc89117cdd89863d5f3e564c4a45d84846ce62a317536b72f90580ce93dcc40c32b63819edd9b67a563e5a4121c9fa3f3a0b9a2a82f387ab7b084ca

Download Submit
C:\Windows\{6FB8DFCC-A395-4812-9742-5A5EB8806F63}.exe

Filesize
408KB

MD5
cb0a852ec50b2880ea263e858eae320a

SHA1
f9ac1c4b3efad8d836197b83f6222711832c3193

SHA256
2e5655ec437716924500b26abf7c8e81e1e0ed2f1c45a3ae26d844a9b250b72a

SHA512
2507f8f7c7d6a04aed110e6313b622d2e314abcc0d4d9b0c399b1a255e10574f0f12e53be573e871341bcca59555d65c258821ecde4cb4e675907c7c218e2a3d

Download Submit
C:\Windows\{7A82E01F-D333-4463-9238-F04FB8A65904}.exe

Filesize
408KB

MD5
b2384872486ff593f2ab0bedb64cd567

SHA1
a3c611299aefab8c33fa7b203a26a3832aff394d

SHA256
a1019d55304bfe513984946e8f568fa35abca223da34bf097fa202914bb6f2a5

SHA512
5626f58e4d7c11f1fbec0e46407e101e9e0f8452d44c46f8dfd1d0483c50a8424a76a47fc56ba9b078d6f5c122086536a9775d93ff6bed78009f1f1a2667c9bb

Download Submit
C:\Windows\{8CE17A1C-A336-41a3-8B20-AD450DA40231}.exe

Filesize
408KB

MD5
3d8a2d86170846c9f037a55312c1bf45

SHA1
f8e5748a7e561b19c96100d9ea004800fc26b5e4

SHA256
6721ba0a7edbac917aa316e56ecc41ee26139bbd6546c526cf7cff17b347c1a1

SHA512
1f1ae7ead14e08ce3351f7431e60d17666e0c4b3cf6ca3bc6a0446829b9df51121a7119e6503380d325ce6cb3c2450ce3264b13de4d7e5f2e0085f7012ba68bf

Download Submit
C:\Windows\{9E736E3C-664B-4ee9-8882-7AA71EA8EB57}.exe

Filesize
408KB

MD5
b9acda4fea8fd232b960b479696df1f4

SHA1
3d9bd33b74425a50a6742743a125be608e84adcc

SHA256
9e9e343fc6e1d3f50369faee38b52fc29aadadefe70f3502c3d5e8ad0ea6cf92

SHA512
1206d522b069b6df9e103794419c5504dfc679ce194f67ec6bb0f790527e475c032b202dc264928bfe4574b362a8d706394d903f922cb205c2713bc45cc90106

Download Submit
C:\Windows\{A516C04A-7D1F-4f97-AEB0-5D325C07C86B}.exe

Filesize
408KB

MD5
592769dd24ed75c6431ff3b576c2b729

SHA1
c59c738faa66a6db1f5ec580d22bd22571f9ec3c

SHA256
70b8f2495199b163f14a17c79329830ab355322da4c7942d1409ca47c3cf0a0f

SHA512
2e97b39ae50f2323ab40b67638ff68c6bfc0715c40aeb92462d105f022b491d20a5d5cf8b8b8c348411f32ad5896e89f6393381f3cbb3b4b91142d39b6839a95

Download Submit
C:\Windows\{B925D084-D7B5-4eef-93C0-C726CDCB7ACF}.exe

Filesize
408KB

MD5
a7de78b1d256acfc8372ce387409800e

SHA1
95f5ad3b2b38640fa1b3eaa020ac2e88b98349b5

SHA256
8d07ddf30fba64a924f86ed74bad5e319a64eb01fda6817b3d9610aca29a98bc

SHA512
03c193c303351729e6a66c1810a98ce48bf453a8956a3bd18c0e54a7ec47c1cde938d37b4b212ddcd00e8db5ecc8e7306e395814f847e22bbf9a747f0aae19ef

Download Submit
C:\Windows\{C1448606-D6FA-4101-9583-FAAF228DE803}.exe

Filesize
408KB

MD5
b6759c71210496cfd1e4f8085861bd02

SHA1
605f021096fa0e1267e158309200817aa9632cea

SHA256
199bd54723cbd68345076387782c7f105e35ebce9b0671b8540edd36184f18bc

SHA512
03ddd9f0202ad18b6dbd2ae549b0007d7f18301623da89ab204340722b69f5236101e5e6252ab88ba33ff4dd7500973770eebfedfdfc66f5cca47a0b50e8e101

Download Submit
C:\Windows\{E486A187-EA23-4bbb-9A6A-EE3D3ADF9A60}.exe

Filesize
408KB

MD5
712df4bbb74e899b176edd17d07888e5

SHA1
ae14621952d8245989bd116b76c3e755299f6477

SHA256
5a8ca52783491a98fef3195a8d090a54cd6292ba03d921e5bf6c24b4b4e338c7

SHA512
d9789a355c4592a0ec072f224e039e25570d05e3696213107db92dc5575acb89dc298b1bfe9ff5ae0a143545c00a0308e95c6cf8255cb07032522888c8b17546

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads