dffa8a852a149502c21389669097297446d341969440f91d20a5336c4785b45e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Size

372KB
MD5

f22ee516851d8f5a79e947fdd7647631
SHA1

54abbbc72846a9ac3bcee35150741f766a6bf5f1
SHA256

dffa8a852a149502c21389669097297446d341969440f91d20a5336c4785b45e
SHA512

f204f09613191b4ef8aca3ff54d9645e9033e1451d3be5554fe93a8596b9d896cc878567436f490b9c29f5ca9b01acf7bd17bcaaa16131fa25915a95482850b1
SSDEEP

3072:CEGh0o8lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG+lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233da-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233f8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023334-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016956-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016963-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001db0e-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006d9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000001db0e-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023502-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000016956-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000001db0e-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002334d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E650062A-CC0E-498f-8FC6-D67AB3D4C243}	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DD37D4-1159-4340-AD35-25D5281149FF}	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF486A1A-9527-4203-AB11-37C8C001CA65}	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF486A1A-9527-4203-AB11-37C8C001CA65}\stubpath = "C:\\Windows\\{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe"	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ECE1F86-517C-4a02-8F3B-58410CC361E5}\stubpath = "C:\\Windows\\{3ECE1F86-517C-4a02-8F3B-58410CC361E5}.exe"	{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}\stubpath = "C:\\Windows\\{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe"	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10582649-FEED-4663-9E8D-7CBB3DEB918E}	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E721A100-BBE4-417c-9A4F-1B6345344819}	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00730683-C229-41a3-A1AF-3AA92E2F62CF}	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00730683-C229-41a3-A1AF-3AA92E2F62CF}\stubpath = "C:\\Windows\\{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe"	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}\stubpath = "C:\\Windows\\{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe"	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900FA65B-ADBB-4544-AF13-A34037A8B13F}	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}\stubpath = "C:\\Windows\\{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe"	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E650062A-CC0E-498f-8FC6-D67AB3D4C243}\stubpath = "C:\\Windows\\{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe"	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E721A100-BBE4-417c-9A4F-1B6345344819}\stubpath = "C:\\Windows\\{E721A100-BBE4-417c-9A4F-1B6345344819}.exe"	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ECE1F86-517C-4a02-8F3B-58410CC361E5}	{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10582649-FEED-4663-9E8D-7CBB3DEB918E}\stubpath = "C:\\Windows\\{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe"	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}\stubpath = "C:\\Windows\\{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe"	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900FA65B-ADBB-4544-AF13-A34037A8B13F}\stubpath = "C:\\Windows\\{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe"	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DD37D4-1159-4340-AD35-25D5281149FF}\stubpath = "C:\\Windows\\{04DD37D4-1159-4340-AD35-25D5281149FF}.exe"	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe

Executes dropped EXE 12 IoCs

pid	Process
4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe
1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe
5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe
1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe
2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe
3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe
3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe
1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe
4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe
4912	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe
2240	{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe
4216	{3ECE1F86-517C-4a02-8F3B-58410CC361E5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe
File created	C:\Windows\{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe
File created	C:\Windows\{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe
File created	C:\Windows\{3ECE1F86-517C-4a02-8F3B-58410CC361E5}.exe	{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe
File created	C:\Windows\{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
File created	C:\Windows\{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe
File created	C:\Windows\{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe
File created	C:\Windows\{E721A100-BBE4-417c-9A4F-1B6345344819}.exe	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe
File created	C:\Windows\{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe
File created	C:\Windows\{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe
File created	C:\Windows\{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe
File created	C:\Windows\{04DD37D4-1159-4340-AD35-25D5281149FF}.exe	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1768	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe
Token: SeIncBasePriorityPrivilege	1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe
Token: SeIncBasePriorityPrivilege	5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe
Token: SeIncBasePriorityPrivilege	1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe
Token: SeIncBasePriorityPrivilege	2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe
Token: SeIncBasePriorityPrivilege	3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe
Token: SeIncBasePriorityPrivilege	3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe
Token: SeIncBasePriorityPrivilege	1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe
Token: SeIncBasePriorityPrivilege	4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe
Token: SeIncBasePriorityPrivilege	4912	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe
Token: SeIncBasePriorityPrivilege	2240	{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 4064	1768	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	101
PID 1768 wrote to memory of 4064	1768	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	101
PID 1768 wrote to memory of 4064	1768	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	101
PID 1768 wrote to memory of 4956	1768	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	102
PID 1768 wrote to memory of 4956	1768	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	102
PID 1768 wrote to memory of 4956	1768	2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe	102
PID 4064 wrote to memory of 1328	4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe	105
PID 4064 wrote to memory of 1328	4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe	105
PID 4064 wrote to memory of 1328	4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe	105
PID 4064 wrote to memory of 1056	4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe	106
PID 4064 wrote to memory of 1056	4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe	106
PID 4064 wrote to memory of 1056	4064	{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe	106
PID 1328 wrote to memory of 5108	1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe	108
PID 1328 wrote to memory of 5108	1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe	108
PID 1328 wrote to memory of 5108	1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe	108
PID 1328 wrote to memory of 2060	1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe	109
PID 1328 wrote to memory of 2060	1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe	109
PID 1328 wrote to memory of 2060	1328	{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe	109
PID 5108 wrote to memory of 1580	5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe	111
PID 5108 wrote to memory of 1580	5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe	111
PID 5108 wrote to memory of 1580	5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe	111
PID 5108 wrote to memory of 4736	5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe	112
PID 5108 wrote to memory of 4736	5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe	112
PID 5108 wrote to memory of 4736	5108	{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe	112
PID 1580 wrote to memory of 2768	1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe	113
PID 1580 wrote to memory of 2768	1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe	113
PID 1580 wrote to memory of 2768	1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe	113
PID 1580 wrote to memory of 4764	1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe	114
PID 1580 wrote to memory of 4764	1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe	114
PID 1580 wrote to memory of 4764	1580	{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe	114
PID 2768 wrote to memory of 3096	2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe	121
PID 2768 wrote to memory of 3096	2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe	121
PID 2768 wrote to memory of 3096	2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe	121
PID 2768 wrote to memory of 4916	2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe	122
PID 2768 wrote to memory of 4916	2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe	122
PID 2768 wrote to memory of 4916	2768	{04DD37D4-1159-4340-AD35-25D5281149FF}.exe	122
PID 3096 wrote to memory of 3948	3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe	123
PID 3096 wrote to memory of 3948	3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe	123
PID 3096 wrote to memory of 3948	3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe	123
PID 3096 wrote to memory of 3456	3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe	124
PID 3096 wrote to memory of 3456	3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe	124
PID 3096 wrote to memory of 3456	3096	{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe	124
PID 3948 wrote to memory of 1220	3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe	125
PID 3948 wrote to memory of 1220	3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe	125
PID 3948 wrote to memory of 1220	3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe	125
PID 3948 wrote to memory of 640	3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe	126
PID 3948 wrote to memory of 640	3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe	126
PID 3948 wrote to memory of 640	3948	{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe	126
PID 1220 wrote to memory of 4548	1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe	131
PID 1220 wrote to memory of 4548	1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe	131
PID 1220 wrote to memory of 4548	1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe	131
PID 1220 wrote to memory of 3784	1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe	132
PID 1220 wrote to memory of 3784	1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe	132
PID 1220 wrote to memory of 3784	1220	{E721A100-BBE4-417c-9A4F-1B6345344819}.exe	132
PID 4548 wrote to memory of 4912	4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe	137
PID 4548 wrote to memory of 4912	4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe	137
PID 4548 wrote to memory of 4912	4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe	137
PID 4548 wrote to memory of 4632	4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe	138
PID 4548 wrote to memory of 4632	4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe	138
PID 4548 wrote to memory of 4632	4548	{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe	138
PID 4912 wrote to memory of 2240	4912	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe	139
PID 4912 wrote to memory of 2240	4912	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe	139
PID 4912 wrote to memory of 2240	4912	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe	139
PID 4912 wrote to memory of 2028	4912	{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe	140

C:\Users\Admin\AppData\Local\Temp\2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_f22ee516851d8f5a79e947fdd7647631_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe
  C:\Windows\{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe
    C:\Windows\{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe
      C:\Windows\{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe
        
        C:\Windows\{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\{04DD37D4-1159-4340-AD35-25D5281149FF}.exe
        
        C:\Windows\{04DD37D4-1159-4340-AD35-25D5281149FF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe
        
        C:\Windows\{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe
        
        C:\Windows\{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{E721A100-BBE4-417c-9A4F-1B6345344819}.exe
        
        C:\Windows\{E721A100-BBE4-417c-9A4F-1B6345344819}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe
        
        C:\Windows\{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe
        
        C:\Windows\{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe
        
        C:\Windows\{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\{3ECE1F86-517C-4a02-8F3B-58410CC361E5}.exe
        
        C:\Windows\{3ECE1F86-517C-4a02-8F3B-58410CC361E5}.exe
        13⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF486~1.EXE > nul
        13⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A04B~1.EXE > nul
        12⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00730~1.EXE > nul
        11⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E721A~1.EXE > nul
        10⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F791~1.EXE > nul
        9⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4621C~1.EXE > nul
        8⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04DD3~1.EXE > nul
        7⤵
        
        PID:4916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6500~1.EXE > nul
        6⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10582~1.EXE > nul
        5⤵
        
        PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{900FA~1.EXE > nul
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{19CB8~1.EXE > nul
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00730683-C229-41a3-A1AF-3AA92E2F62CF}.exe

Filesize
372KB

MD5
82a4e66c8900d616b6f792c3cefcd995

SHA1
479888452d785190da8f7dfa9fa843c4a8f87a03

SHA256
e79d2a4e75331ef3551d37b6760323febd91c5520fd9f45b8acb973087015106

SHA512
307d74ac9b773d489fb0f19c270ce147a115244913c8dbad3eca6b11fa6367c8f34d72609b2dcde9a0103f8c2ddda6b01cdab1ead43d0095d264fc65e51eccd2

Download Submit
C:\Windows\{04DD37D4-1159-4340-AD35-25D5281149FF}.exe

Filesize
372KB

MD5
2f58675b5ff6cce0012ab7f224c70c96

SHA1
a0601442b683eb6621fff1d204fe57099013b2ed

SHA256
5a93ae0d6c249573ea6571a792b4dd2a4377fd7a38ceab988e64088e1626b124

SHA512
85d968529cedb308e51e68abe39427bb24bba89a6c77e809ac89c8b6266fcf864deac11461a9476b3cb803379e80b83be812a86454f60de07211b23b7d05a94b

Download Submit
C:\Windows\{0A04B5E5-3996-4a07-ACA7-EEE63082CCA1}.exe

Filesize
372KB

MD5
1ae97f4c3c542cf7f75a0f4c38942583

SHA1
603060d67c727851963036d031d9ec4f3df1ae7e

SHA256
239cc580d62a4580e585924cd048bf00092fbf66c33e623550d723822c1db460

SHA512
bfe62ca3dc2d14a279664b9066656eddcf487dd4993b25498ad6f6b3b5b625158a1149403aa528096107c28d5c75ac4c43115d87c532cc461d1ec41982f80024

Download Submit
C:\Windows\{0F791D5E-B73E-405f-8C7C-74A43D9FDB6D}.exe

Filesize
372KB

MD5
66763afb6c697732bc2595fe6e6a94db

SHA1
33f95dcf6d20444cca14f832aee9d19d20a5deee

SHA256
4ad339dad50b6d9251b100fb80f8147ede610855e702999651167010c03e9b76

SHA512
1423c10ab7f51e27677da7df488a3eed1553e12b688e96ee16c341ba094817afb84d506d86cb3735a4a78794392ddc763e1e5abd6ad56cc42f5bceade2dd8abd

Download Submit
C:\Windows\{10582649-FEED-4663-9E8D-7CBB3DEB918E}.exe

Filesize
372KB

MD5
13b0d50e268593ea314e0ae91176a1ae

SHA1
9f3867495b01f952aaa6815a2baffcabbd21ca96

SHA256
fdb8dfcc5ebf1f9bac992cde2d5b895cc0dba259dd8f54d98ff8384e5be2af07

SHA512
66d0dba58faa0ba571aa3bfa125bc3be54001c32caf34647283caf6df22e3293f691271e3753310eb755e8c9f00403cf577ca5606873393aab49192e591a7062

Download Submit
C:\Windows\{19CB8C0D-5C4F-4b04-94C8-1711037F9DCF}.exe

Filesize
372KB

MD5
cf37ed48de308e48d5d13a6b0dba886d

SHA1
fe9532c80819da123da4cc6aa0b9c60a20ec59b5

SHA256
c90551938a22548bb32ca4a5c6c9584c99c2cdf95b1667904ac132baf20065a6

SHA512
bddc8bea80733749ad8e3fbed58bd54a29e36735209fc20353a0a89963b9b13578399f921cefb1b6cfa645037afa42786c18a3a17d0000077adf401ffe488b9c

Download Submit
C:\Windows\{3ECE1F86-517C-4a02-8F3B-58410CC361E5}.exe

Filesize
372KB

MD5
3cd341a09dd4b7adb13e345969ea2f6d

SHA1
c181075d2eeb0d6e1d9b887e673fd8e33f977b9e

SHA256
1ba5e82e0bc08ffcb1177663398a241e5540cc0cff9e8cb9037b6ec0d6a6a5a0

SHA512
c09236a5c27cb6acbdced46fa656189feb3055070429094fb7c301afa1f85d5b27b40072b1d9bf2a826bf1f8d718d4d93bcb8898a612c9ac10d35a5dd7bd19d2

Download Submit
C:\Windows\{4621C3D2-E3ED-49ce-AC2F-384A5621D3C8}.exe

Filesize
372KB

MD5
dbf63ad82068dc3a4b53c267a1dd1948

SHA1
d0c3fed0196310471bac074e7c184f0f2d718171

SHA256
3d9411b054d5b5fd4c25298ce5f07e47160d0f5adfe1fcfd5933d6eb8100c255

SHA512
e73c1258e987a1ce4b33bb001ee56a82aefb57db9e7378e1ba49b0071762cb079fa01c707a86dbedfafacedb37a666889ed1dad2860331ed970e53827ba665a8

Download Submit
C:\Windows\{900FA65B-ADBB-4544-AF13-A34037A8B13F}.exe

Filesize
372KB

MD5
fc232909a638237cf251bf869e4cc6b7

SHA1
073f3c2d533efc3184f5a79244a5ff753449fcf8

SHA256
95dbbfd1149c424aa9733e8ae481ecee4cc94595ea4857105f2c6d6caf9d4906

SHA512
456af150a48a5f324c86fdb7c6fb0cb76405afb2de36796bca6d2e570b101da1336ce9a2d8676f3d5732635c077fe5216bb8c94d811d571cfadaffc192018dba

Download Submit
C:\Windows\{CF486A1A-9527-4203-AB11-37C8C001CA65}.exe

Filesize
372KB

MD5
2733b201a94599ff37bba82eeccc96f7

SHA1
23844e0e88ca572ad2951dabea90638a3fd2ac23

SHA256
8db450d2580445336e5435a8ae46699d436235d08da5fcb0add7d49df7aa8274

SHA512
066646cb7a9eae3d03667dd510c00885fd12ad39fa84276f921b4f9a9300ac1a60543c99c75f7b77919a8a0c6418fed27d7a5bfa1255a0e430c1f178504e61f7

Download Submit
C:\Windows\{E650062A-CC0E-498f-8FC6-D67AB3D4C243}.exe

Filesize
372KB

MD5
eec7e5575a1af6e1593d745bc0eb4258

SHA1
5819dc90a6b43adcd440986625d95aba2acb47d8

SHA256
556e7c6e226222b8f231e9dd6369e43b46453be2c78e8433156afe87d245d040

SHA512
38bf97d3ab4d0da76dfba4e9ac45c01bab091c390d21deb92e531f4aeffecfbcf846aa1a7c04ed31462845c032edf89ba7ca6e957a38d67e95695bdd63c91b9a

Download Submit
C:\Windows\{E721A100-BBE4-417c-9A4F-1B6345344819}.exe

Filesize
372KB

MD5
90033267ee92acd2979861bce5ce6fb8

SHA1
8976347e760a237318668daba5a4d0f3130fe3c8

SHA256
1dcbae24518c7781bc83ea0f884dab855b6f640cb6c1e1eb00787e5f55d88116

SHA512
6acb6416fd9722852123d1a9ee7683d705aaa28e1022a704a71bc33c15eb426e78141f6747a8f710b2f785ecf0cb924280382e98975d0b48eb0bb8e9a106bf8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads