ddfbc0eb05f4694a462a238577ecaf16b6b610348830afcf6cd3805631983ee4

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
Size

168KB
MD5

4d6bae8d8a733cea2115c1b5d9142b0b
SHA1

d979f9025d054564690d737b108ee57db1522c8c
SHA256

ddfbc0eb05f4694a462a238577ecaf16b6b610348830afcf6cd3805631983ee4
SHA512

7209e36a76b351bed97cc357d13f33259a9e882257f49e6aca9a9b042fdda727137745369c82238c79cb9217f0ee87135f807a42020659ac5873900dc21e3809
SSDEEP

1536:1EGh0oVlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oVlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001418d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016056-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001418d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001418d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001418d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001418d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001418d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B93D0F83-5B5B-4470-952E-494AFD3E5C13}\stubpath = "C:\\Windows\\{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe"	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF037F7-62D5-4462-A92F-ED706F914ABA}	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}\stubpath = "C:\\Windows\\{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe"	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}\stubpath = "C:\\Windows\\{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe"	{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}\stubpath = "C:\\Windows\\{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe"	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}\stubpath = "C:\\Windows\\{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe"	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}\stubpath = "C:\\Windows\\{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe"	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF037F7-62D5-4462-A92F-ED706F914ABA}\stubpath = "C:\\Windows\\{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe"	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}	{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A1A2040-51A8-4ea9-840D-011E1070B135}	{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A1A2040-51A8-4ea9-840D-011E1070B135}\stubpath = "C:\\Windows\\{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe"	{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}\stubpath = "C:\\Windows\\{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe"	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC8663A-C238-416f-A920-6F853A37AFD4}\stubpath = "C:\\Windows\\{DBC8663A-C238-416f-A920-6F853A37AFD4}.exe"	{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}\stubpath = "C:\\Windows\\{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe"	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B93D0F83-5B5B-4470-952E-494AFD3E5C13}	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC8663A-C238-416f-A920-6F853A37AFD4}	{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe
2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe
2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe
2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe
2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe
1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe
2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe
1168	{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe
2124	{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe
1976	{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe
2392	{DBC8663A-C238-416f-A920-6F853A37AFD4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
File created	C:\Windows\{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe
File created	C:\Windows\{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe
File created	C:\Windows\{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe	{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe
File created	C:\Windows\{DBC8663A-C238-416f-A920-6F853A37AFD4}.exe	{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe
File created	C:\Windows\{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe
File created	C:\Windows\{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe
File created	C:\Windows\{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe
File created	C:\Windows\{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe
File created	C:\Windows\{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe
File created	C:\Windows\{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe	{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe
Token: SeIncBasePriorityPrivilege	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe
Token: SeIncBasePriorityPrivilege	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe
Token: SeIncBasePriorityPrivilege	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe
Token: SeIncBasePriorityPrivilege	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe
Token: SeIncBasePriorityPrivilege	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe
Token: SeIncBasePriorityPrivilege	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe
Token: SeIncBasePriorityPrivilege	1168	{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe
Token: SeIncBasePriorityPrivilege	2124	{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe
Token: SeIncBasePriorityPrivilege	1976	{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2976	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	28
PID 2020 wrote to memory of 2976	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	28
PID 2020 wrote to memory of 2976	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	28
PID 2020 wrote to memory of 2976	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	28
PID 2020 wrote to memory of 2536	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	29
PID 2020 wrote to memory of 2536	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	29
PID 2020 wrote to memory of 2536	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	29
PID 2020 wrote to memory of 2536	2020	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	29
PID 2976 wrote to memory of 2988	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	30
PID 2976 wrote to memory of 2988	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	30
PID 2976 wrote to memory of 2988	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	30
PID 2976 wrote to memory of 2988	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	30
PID 2976 wrote to memory of 2680	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	31
PID 2976 wrote to memory of 2680	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	31
PID 2976 wrote to memory of 2680	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	31
PID 2976 wrote to memory of 2680	2976	{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe	31
PID 2988 wrote to memory of 2952	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	32
PID 2988 wrote to memory of 2952	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	32
PID 2988 wrote to memory of 2952	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	32
PID 2988 wrote to memory of 2952	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	32
PID 2988 wrote to memory of 2200	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	33
PID 2988 wrote to memory of 2200	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	33
PID 2988 wrote to memory of 2200	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	33
PID 2988 wrote to memory of 2200	2988	{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe	33
PID 2952 wrote to memory of 2396	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	36
PID 2952 wrote to memory of 2396	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	36
PID 2952 wrote to memory of 2396	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	36
PID 2952 wrote to memory of 2396	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	36
PID 2952 wrote to memory of 2720	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	37
PID 2952 wrote to memory of 2720	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	37
PID 2952 wrote to memory of 2720	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	37
PID 2952 wrote to memory of 2720	2952	{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe	37
PID 2396 wrote to memory of 2856	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	38
PID 2396 wrote to memory of 2856	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	38
PID 2396 wrote to memory of 2856	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	38
PID 2396 wrote to memory of 2856	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	38
PID 2396 wrote to memory of 2384	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	39
PID 2396 wrote to memory of 2384	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	39
PID 2396 wrote to memory of 2384	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	39
PID 2396 wrote to memory of 2384	2396	{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe	39
PID 2856 wrote to memory of 1636	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	40
PID 2856 wrote to memory of 1636	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	40
PID 2856 wrote to memory of 1636	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	40
PID 2856 wrote to memory of 1636	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	40
PID 2856 wrote to memory of 1868	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	41
PID 2856 wrote to memory of 1868	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	41
PID 2856 wrote to memory of 1868	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	41
PID 2856 wrote to memory of 1868	2856	{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe	41
PID 1636 wrote to memory of 2468	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	42
PID 1636 wrote to memory of 2468	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	42
PID 1636 wrote to memory of 2468	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	42
PID 1636 wrote to memory of 2468	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	42
PID 1636 wrote to memory of 2476	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	43
PID 1636 wrote to memory of 2476	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	43
PID 1636 wrote to memory of 2476	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	43
PID 1636 wrote to memory of 2476	1636	{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe	43
PID 2468 wrote to memory of 1168	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	44
PID 2468 wrote to memory of 1168	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	44
PID 2468 wrote to memory of 1168	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	44
PID 2468 wrote to memory of 1168	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	44
PID 2468 wrote to memory of 1264	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	45
PID 2468 wrote to memory of 1264	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	45
PID 2468 wrote to memory of 1264	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	45
PID 2468 wrote to memory of 1264	2468	{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe
  C:\Windows\{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe
    C:\Windows\{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe
      C:\Windows\{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe
        
        C:\Windows\{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe
        
        C:\Windows\{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe
        
        C:\Windows\{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe
        
        C:\Windows\{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe
        
        C:\Windows\{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe
        
        C:\Windows\{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe
        
        C:\Windows\{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{DBC8663A-C238-416f-A920-6F853A37AFD4}.exe
        
        C:\Windows\{DBC8663A-C238-416f-A920-6F853A37AFD4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A1A2~1.EXE > nul
        12⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ABBF~1.EXE > nul
        11⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9CA7~1.EXE > nul
        10⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CF03~1.EXE > nul
        9⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB35B~1.EXE > nul
        8⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD7A~1.EXE > nul
        7⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B93D0~1.EXE > nul
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E6B1~1.EXE > nul
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C029C~1.EXE > nul
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D2B8~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3ABBFEB6-8156-4122-AE6C-34ACC6F52DDA}.exe

Filesize
168KB

MD5
9dc219b87d62e4a5a42c45e11d692e11

SHA1
b0d550736fc0972017b6f20aea180fafb85a301c

SHA256
cc7f564b9f437c96f85d993e00b66ba864c12ef4d069510f74ade428ced5cc0b

SHA512
5a63c777fdb5ecd49c874eea567b119c6ca6e166330f6a7e4f8e5e218fe58f0c5ed8324db8521b30bcb7e25222b37a08278afa41dfcb5ae7fa7f5697ea2b3f07

Download Submit
C:\Windows\{4A1A2040-51A8-4ea9-840D-011E1070B135}.exe

Filesize
168KB

MD5
8bb4c427bae2560202df2a7bcdfb9aec

SHA1
502089ab57b04a8841465fe38fabf44206bc9025

SHA256
f8811b736bf110d84106ebf5461f872c2b266623e17b1757c717e3b0685a1bf5

SHA512
f90775a15f4de5b0b50c0f12446ea799d655e3c3d1d671e2f1dd858ccf2da56ae5ddeec4701485b510b93a27b988dd9090f2c7f3ea31afcdb821d641a36644c6

Download Submit
C:\Windows\{4CF037F7-62D5-4462-A92F-ED706F914ABA}.exe

Filesize
168KB

MD5
824154ff468470fea6c68bc71790b419

SHA1
622e7073fae1a50754829fd9f82251a28d058ed2

SHA256
b78e64a68d4a0847bd116978abf3d33c2c350b5b4a959055876ec61d79af3fe1

SHA512
9e811bb03e90afec500eb264f0fe7ae95cf6d8d533dee7f85c35163ac464bb363d87a248497318f71212c0e1c81661fa68626bb2276b30f54a13accd8eda72b3

Download Submit
C:\Windows\{6AD7ACD0-9CBA-4c29-BAFA-629C48D3643C}.exe

Filesize
168KB

MD5
9e96f2faeafaba22baf7cef176216730

SHA1
3e1c72f244878e5836f6b53832940b63ff2814fd

SHA256
2f08d4e6d9bd4cc342413a4d7e9a6bacb8c3168b427fae390fa8995abdd8c35e

SHA512
d7ea790959f376734a837c9f02e24fd1a5b1a68c41d89ad906b9cb627a28fda31ab11e3157371841e3e86f250b8c6d46f41e04dbb85556d595020a4b64ee263a

Download Submit
C:\Windows\{6D2B85F4-1511-4d27-9562-5F4C17BF1BBC}.exe

Filesize
168KB

MD5
27f2124d0c70e11711cfc859e6ea86b8

SHA1
d3af06995c4e0147122e32f8f2394c5496ba172f

SHA256
21e8d831f5a9d5528a812836af3932f3de0d4191bb98ab0b9cb5a1569904b4fe

SHA512
ee7aec6706b10979f3433c0a5466de85923d0331744813322d6da03a6d0246459e104bbe039d6d413444c800e0eeb4908010df81c4a25077612c905864b085db

Download Submit
C:\Windows\{8E6B1FE8-38F7-4cb4-B261-F9E999FBBB2F}.exe

Filesize
168KB

MD5
0617e2f2e4a7838eac8b770ef4ac606d

SHA1
e8753cc823b7aac61ac5f858c3708f4caf76fdb3

SHA256
18c6d7556028bf3faab856dac7155b4a906503984f29cd1de3a9fa7042cd09e7

SHA512
28f5d6bb758988367ec39d4a29a90e25bbb4f2db5859231b1f9f70c19e9a3d05b8a6c646d1a5bec7d43c52e890a0ba622527c1b2b8732b9525bca27804851321

Download Submit
C:\Windows\{B93D0F83-5B5B-4470-952E-494AFD3E5C13}.exe

Filesize
168KB

MD5
119e5b65dea9a63543c3df95f59c625b

SHA1
948580989e95fcbf455772838395ab80e89cfe98

SHA256
34f9c93e0b36f19fa333a7514f3bc5c8414f53ee5e5b052abae3d8dc2723149c

SHA512
d0779bb55a30025dda65696715014d8257f503454d56a3c732bccddb36cebd031e612dffb945b179c853d7266ed878bc4fe9667e727a17ce0136f614d12dd2ce

Download Submit
C:\Windows\{BB35BF6D-BBF0-4a72-910C-AAD2A0D0C18B}.exe

Filesize
168KB

MD5
1cfc0cceb562b0484063b6fbbc3b9b92

SHA1
583cd2947fca414d1bf9db4a326928871c3aecd0

SHA256
f46ac94567e177ddeb2c666227078017987b40570beb18a84fb5da61ed3d9e9f

SHA512
bc446e012a52026e254ec584ef6dde264030d3b32076ed2dfcec8e6871da4882b3c395cefce3d2cf6bd9e1d6053b771f17b7e0423e9212f0db4864587baa2297

Download Submit
C:\Windows\{C029C2D3-51FC-46e3-8BC1-DCDF9C6A9AF8}.exe

Filesize
168KB

MD5
173c4b3514199029b8ceec4f4b191d06

SHA1
ed22045a51ac43fb5c890da64c81daedb54dba1a

SHA256
e63b13a8df5c88c1dc05f2b89a9ba32efb21d376842d3a08ca1f2216a80d83fa

SHA512
566462b1a4e778789eecb89b6e52daa504bd2c0ed586c1bd351fba49b712391675fd96cdf7f32e2ab745f3b04fc3b020baaa3b932a68e48210bfd542fa08f5d6

Download Submit
C:\Windows\{DBC8663A-C238-416f-A920-6F853A37AFD4}.exe

Filesize
168KB

MD5
9829650be58bd1aa84f1a298722abcae

SHA1
0f4946b97924f3dee915bcf61bd55b7c20ada2f2

SHA256
cd45df00c9b35979826de23e9f53e55e54fa12fa441689977947e9297f3fb4b6

SHA512
d1e18437926124082bc643be66b750e4f225c3ccdad8c487fb6894759857a740deb46fc68693b5359def3db144119f12835a2e9c1f10c48f72ab478a51de2bc8

Download Submit
C:\Windows\{F9CA7FE1-67D7-4afc-B7E1-6A7D8CEC4E32}.exe

Filesize
168KB

MD5
63419a8cc4e3185f39ce438f09a546ff

SHA1
887f847453f52fd9e0793e2c865db27c1393b3de

SHA256
ae8b08ae2d6de9d238ba267200f790c2402a6c539be3306218e9ffd0105b99c1

SHA512
2ef71936502fc2724c15334afd1300e893f56f42192d7b77399497f35aad0cbdaa95111f08f2a5eb5ceb726844833db64e38e8578290627ffe98d202d920781a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads