3bad01588dba540a3173901aab5c197beaec4302f769f5f9deee3c7d76777c6b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe
Size

372KB
MD5

985872f47f0279d719588e2c4b55b641
SHA1

a2062db6026a00e504fd78c0d8f63c13f65e3c3f
SHA256

3bad01588dba540a3173901aab5c197beaec4302f769f5f9deee3c7d76777c6b
SHA512

0f63a39a53228f27f0c361dd03a633a4b664175d2b92f977da3087c2062d5a2f4ce4255ef7c6bb8d9ddc8336a672ad9850701f720b87be8414ceedaa6a34c8c3
SSDEEP

3072:CEGh0oRlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGjlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023414-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002340a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002340a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002341b-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002341e-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002341b-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000233b2-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002341b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233b2-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340d-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233b4-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7766B438-44B3-4676-B4C8-0F9883B6641E}\stubpath = "C:\\Windows\\{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe"	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254BB44A-D724-45e0-8620-FE9FBFB6F158}\stubpath = "C:\\Windows\\{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe"	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B5123E5-CC88-4924-916D-93D5EEBEBE30}	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D66BDE-1B3D-4111-8E3D-620464656A9B}	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D66BDE-1B3D-4111-8E3D-620464656A9B}\stubpath = "C:\\Windows\\{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe"	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD16B59E-1228-469d-99E1-FEECAD02FC39}	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}\stubpath = "C:\\Windows\\{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe"	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D971A91-69A4-429f-AD7F-05B48332FBCC}\stubpath = "C:\\Windows\\{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe"	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4EDED4-76DD-4987-AE47-74C7A3388960}	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E4F5EF-C467-49ce-85C2-84844D62BD1C}\stubpath = "C:\\Windows\\{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe"	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D971A91-69A4-429f-AD7F-05B48332FBCC}	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254BB44A-D724-45e0-8620-FE9FBFB6F158}	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B5123E5-CC88-4924-916D-93D5EEBEBE30}\stubpath = "C:\\Windows\\{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe"	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{770A86C1-6611-4e4a-88E3-0DDCE94A558A}	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E4F5EF-C467-49ce-85C2-84844D62BD1C}	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7766B438-44B3-4676-B4C8-0F9883B6641E}	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4EDED4-76DD-4987-AE47-74C7A3388960}\stubpath = "C:\\Windows\\{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe"	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80617974-8DE3-45b8-93FE-97C2D73B1B33}	{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80617974-8DE3-45b8-93FE-97C2D73B1B33}\stubpath = "C:\\Windows\\{80617974-8DE3-45b8-93FE-97C2D73B1B33}.exe"	{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD16B59E-1228-469d-99E1-FEECAD02FC39}\stubpath = "C:\\Windows\\{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe"	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}\stubpath = "C:\\Windows\\{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe"	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{770A86C1-6611-4e4a-88E3-0DDCE94A558A}\stubpath = "C:\\Windows\\{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe"	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe

Executes dropped EXE 12 IoCs

pid	Process
3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe
1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe
4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe
4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe
2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe
2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe
1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe
1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe
3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe
2332	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe
1956	{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe
1604	{80617974-8DE3-45b8-93FE-97C2D73B1B33}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe
File created	C:\Windows\{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe
File created	C:\Windows\{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe
File created	C:\Windows\{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe
File created	C:\Windows\{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe
File created	C:\Windows\{80617974-8DE3-45b8-93FE-97C2D73B1B33}.exe	{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe
File created	C:\Windows\{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe
File created	C:\Windows\{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe
File created	C:\Windows\{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe
File created	C:\Windows\{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe
File created	C:\Windows\{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe
File created	C:\Windows\{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1080	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe
Token: SeIncBasePriorityPrivilege	1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe
Token: SeIncBasePriorityPrivilege	4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe
Token: SeIncBasePriorityPrivilege	4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe
Token: SeIncBasePriorityPrivilege	2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe
Token: SeIncBasePriorityPrivilege	2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe
Token: SeIncBasePriorityPrivilege	1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe
Token: SeIncBasePriorityPrivilege	1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe
Token: SeIncBasePriorityPrivilege	3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe
Token: SeIncBasePriorityPrivilege	2332	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe
Token: SeIncBasePriorityPrivilege	1956	{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 3476	1080	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe	99
PID 1080 wrote to memory of 3476	1080	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe	99
PID 1080 wrote to memory of 3476	1080	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe	99
PID 1080 wrote to memory of 3952	1080	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe	100
PID 1080 wrote to memory of 3952	1080	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe	100
PID 1080 wrote to memory of 3952	1080	2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe	100
PID 3476 wrote to memory of 1484	3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe	101
PID 3476 wrote to memory of 1484	3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe	101
PID 3476 wrote to memory of 1484	3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe	101
PID 3476 wrote to memory of 4336	3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe	102
PID 3476 wrote to memory of 4336	3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe	102
PID 3476 wrote to memory of 4336	3476	{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe	102
PID 1484 wrote to memory of 4664	1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe	105
PID 1484 wrote to memory of 4664	1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe	105
PID 1484 wrote to memory of 4664	1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe	105
PID 1484 wrote to memory of 4444	1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe	106
PID 1484 wrote to memory of 4444	1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe	106
PID 1484 wrote to memory of 4444	1484	{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe	106
PID 4664 wrote to memory of 4420	4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe	107
PID 4664 wrote to memory of 4420	4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe	107
PID 4664 wrote to memory of 4420	4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe	107
PID 4664 wrote to memory of 5036	4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe	108
PID 4664 wrote to memory of 5036	4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe	108
PID 4664 wrote to memory of 5036	4664	{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe	108
PID 4420 wrote to memory of 2524	4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe	109
PID 4420 wrote to memory of 2524	4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe	109
PID 4420 wrote to memory of 2524	4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe	109
PID 4420 wrote to memory of 2532	4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe	110
PID 4420 wrote to memory of 2532	4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe	110
PID 4420 wrote to memory of 2532	4420	{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe	110
PID 2524 wrote to memory of 2316	2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe	116
PID 2524 wrote to memory of 2316	2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe	116
PID 2524 wrote to memory of 2316	2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe	116
PID 2524 wrote to memory of 2676	2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe	117
PID 2524 wrote to memory of 2676	2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe	117
PID 2524 wrote to memory of 2676	2524	{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe	117
PID 2316 wrote to memory of 1744	2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe	118
PID 2316 wrote to memory of 1744	2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe	118
PID 2316 wrote to memory of 1744	2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe	118
PID 2316 wrote to memory of 1404	2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe	119
PID 2316 wrote to memory of 1404	2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe	119
PID 2316 wrote to memory of 1404	2316	{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe	119
PID 1744 wrote to memory of 1304	1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe	127
PID 1744 wrote to memory of 1304	1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe	127
PID 1744 wrote to memory of 1304	1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe	127
PID 1744 wrote to memory of 2936	1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe	128
PID 1744 wrote to memory of 2936	1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe	128
PID 1744 wrote to memory of 2936	1744	{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe	128
PID 1304 wrote to memory of 3452	1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe	129
PID 1304 wrote to memory of 3452	1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe	129
PID 1304 wrote to memory of 3452	1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe	129
PID 1304 wrote to memory of 2632	1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe	130
PID 1304 wrote to memory of 2632	1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe	130
PID 1304 wrote to memory of 2632	1304	{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe	130
PID 3452 wrote to memory of 2332	3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe	131
PID 3452 wrote to memory of 2332	3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe	131
PID 3452 wrote to memory of 2332	3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe	131
PID 3452 wrote to memory of 4092	3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe	132
PID 3452 wrote to memory of 4092	3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe	132
PID 3452 wrote to memory of 4092	3452	{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe	132
PID 2332 wrote to memory of 1956	2332	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe	133
PID 2332 wrote to memory of 1956	2332	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe	133
PID 2332 wrote to memory of 1956	2332	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe	133
PID 2332 wrote to memory of 4492	2332	{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_985872f47f0279d719588e2c4b55b641_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe
  C:\Windows\{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe
    C:\Windows\{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe
      C:\Windows\{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe
        
        C:\Windows\{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Windows\{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe
        
        C:\Windows\{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe
        
        C:\Windows\{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe
        
        C:\Windows\{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe
        
        C:\Windows\{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe
        
        C:\Windows\{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe
        
        C:\Windows\{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe
        
        C:\Windows\{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\{80617974-8DE3-45b8-93FE-97C2D73B1B33}.exe
        
        C:\Windows\{80617974-8DE3-45b8-93FE-97C2D73B1B33}.exe
        13⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4ED~1.EXE > nul
        13⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63D66~1.EXE > nul
        12⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39E4F~1.EXE > nul
        11⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{770A8~1.EXE > nul
        10⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B512~1.EXE > nul
        9⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{254BB~1.EXE > nul
        8⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7766B~1.EXE > nul
        7⤵
        
        PID:2676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D971~1.EXE > nul
        6⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CC61~1.EXE > nul
        5⤵
        
        PID:5036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E49D3~1.EXE > nul
      4⤵
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AD16B~1.EXE > nul
    3⤵
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B5123E5-CC88-4924-916D-93D5EEBEBE30}.exe

Filesize
372KB

MD5
db8821e80e3a18749deb8301fa6193e2

SHA1
b9a001758ac9d0828b81652bd1be5a9c7b452e95

SHA256
0f712a70ac95eb37cce651028602834c79c01755930b3ea1a0bdf10fea92d58f

SHA512
c6a4093e8691f22e62ab2a08049582423c90cabd10d39a5e2cf203169f03c96fb7c47d8310002a9ee6dbbe04c1a69caaedb6d45eb85628d62961e0f106a6670e

Download Submit
C:\Windows\{254BB44A-D724-45e0-8620-FE9FBFB6F158}.exe

Filesize
372KB

MD5
2b8380fd79fd7abe91a49fb616c3954e

SHA1
e5e5c05875c2136de8903637b29fed47648f44e0

SHA256
77b6444ecabdea4bcbdead008816b7d672ff4fb6745c3b84964bb0645d97d357

SHA512
b881496973d6669ee00d1e97cb6cb61738e6fb381a1b39dcd18fc45de33642d4d3a816b409c33fa453218e6fdd27dffc0d9d0e1cae4959b38721c6036bfc9a3c

Download Submit
C:\Windows\{39E4F5EF-C467-49ce-85C2-84844D62BD1C}.exe

Filesize
372KB

MD5
78c09c5474a335a083f82e7a85c58b49

SHA1
25902eb057c3381253d69710c65b5f7855c19dea

SHA256
b1d88bbb243803e10d80e0f19cd04e6ba79a9fd12386080e549b5cfe14fc4f63

SHA512
32b6b77e207c8ca78f0833831887c244405c663227376d928ec7d529cfd7f3fd802b753112652ca25f724412a4fab4661c68521dcec991c934c43ae891ff54c7

Download Submit
C:\Windows\{3D971A91-69A4-429f-AD7F-05B48332FBCC}.exe

Filesize
372KB

MD5
70ac18e7901565ac9c8ace4509020811

SHA1
ac17be4bf1499a8c1b83cb4b97afbbc46330c863

SHA256
4c59e539b00005ad950bd16d3dcfa555b081824ab6f34a47f7a3db9074c621d0

SHA512
e9576d21caa41b9f8388acf00af4682c5eb117e324d9d8f0fce7fdee505e339b400247955e54b61e0fa9b6417569d80a78b687c5bbf7032804d36041d47fd2f9

Download Submit
C:\Windows\{63D66BDE-1B3D-4111-8E3D-620464656A9B}.exe

Filesize
372KB

MD5
3906af782a13824065072009e02ca1c6

SHA1
f9a8dcfc870272c7585572eac7cf0fb987228aa8

SHA256
0b4554d6c54ea218a493d6d04de8cf50d52b99d1deb9b07b9b95ffb9664c0b40

SHA512
7141bf60331c0fbee96278387e2f433181bc450961a12f3db70073be59c43e7a8b36debf9a6308919e2efaa0b26aefcfdf93afbc6d8b542cab616821b52e7b40

Download Submit
C:\Windows\{770A86C1-6611-4e4a-88E3-0DDCE94A558A}.exe

Filesize
372KB

MD5
ca261a8b56d29afa0040398bad55bd7b

SHA1
6bf0fe966fdd071ec9cb073ebbb6c6bf0c11035c

SHA256
fca98ad189e76479f5ef410d356266bc7f97db0f70d0d0ebc8eda648e60da8e4

SHA512
b91d90c657aacb2b1cc1d72c2a89e24cf67eedd67e0bac302d21ec690a5895e0d8a82f91b78c9051f9084c118a5349b2d38540a2e0c01e35e80210b74ea8d1d2

Download Submit
C:\Windows\{7766B438-44B3-4676-B4C8-0F9883B6641E}.exe

Filesize
372KB

MD5
baa2da1bdb138cd86688379bfea50251

SHA1
1b74bea6b7dbb2421a7705112f551e7977c005eb

SHA256
84a9a90f17c72524d7d2c7e0806ae3dc5e5ad0528aab0ea17cc653ba2bf2b41d

SHA512
18ec289c5d102779c8b16d6c9795f217337015686de43029b527f620a150495bb4f73c8badf3b20e4c02a7240a9f14a0d4e6287c7c6f4a03614b0a82f5f9f26d

Download Submit
C:\Windows\{80617974-8DE3-45b8-93FE-97C2D73B1B33}.exe

Filesize
372KB

MD5
c5627b9a62a7da608c41bb66ddb7b1ba

SHA1
a9107bf163918bf67dd72665cd12007ef64b57c2

SHA256
7c14e5d7166aec0dc6b50b6b931975e44c2a72eb25fb45a59833785e4d32cb51

SHA512
9562ea8cdcf6496180832b688167b5921c80585e1d40afecd41276f48aa2e53301b3229d99e982862871af7951b823bd053d883b41a885fd21cca7ad70198da5

Download Submit
C:\Windows\{9CC61DC5-8538-4cf4-B4D1-6EE1023E3F4B}.exe

Filesize
372KB

MD5
778a04e83689631ebcc1c5be51562618

SHA1
4034c99708d7947804ab38f35e31a75b41fd59b1

SHA256
badf3c69571245e5385f01bcd5d26bc28f9a29a69340d3ef071c460411096d14

SHA512
0f2ed8c361cde22ad6d5b4160bb4e06a8c0493099f61ed371539acf0d7c582ed51bf32ceb8e5a3a38b6afec650031c48ca8f74177aaa30eac7ad329236222b44

Download Submit
C:\Windows\{AD16B59E-1228-469d-99E1-FEECAD02FC39}.exe

Filesize
372KB

MD5
55db47929cef36064fd0446eb9067fb5

SHA1
6f6731419243895f52e42876bcb90ffbc3889666

SHA256
92e2882279064ca82b0e1e1bb45ab068ca589952010b1d237916124c24e60f47

SHA512
709abce0c3fb1df6f1279e7dc56f5406296d6583808693b3f97474c7f0b4f17553597915a71e0cdd40d49e1d489a5b68b39803f8a23b6e4236f25df630ecb9e9

Download Submit
C:\Windows\{E49D3DD8-F3F5-4c73-A39C-466013CE35CB}.exe

Filesize
372KB

MD5
a8ffe138cc1506c4d082037dad9e0abc

SHA1
c16f78cd1958e0c5650d71a379109fc196ea04b3

SHA256
17ee8ed2bdab846a39584875a5745ff4164c1e1be9a01d4655afba55aba5d804

SHA512
1169b0e2b22b01324ffd328b3d866d93550689b0031932c124b6071e73df2f9e6368eebb0b5bcbb3c992d33badbe41a301ded6ab55194ddf9e551b3b3faba22f

Download Submit
C:\Windows\{EE4EDED4-76DD-4987-AE47-74C7A3388960}.exe

Filesize
372KB

MD5
9f924b3b832c546c7e039b441d54bd76

SHA1
baeff1ed229fa3c8f21e14142d2c0f339b668e4a

SHA256
e46e492832006fcae2b138223953f6673f6e37b8a80160516ac8d2c5e5833a72

SHA512
196f8b126d496fb1fe26864e2d2a311849dcb89bc9f242fefbf031acdf3d68e95eb38fa01d5d488e3a394e8ecbc2aff80f2b8fbaa94d8f2e10dedaea48272587

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads