c874ffc8f0d844ac7620e00f10649cc6c8575234779343603c91a6b7f1361116

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe
Size

372KB
MD5

0a7f1b0f2256b78d135263d93fb02202
SHA1

5586236647458a93f77143f9da33c2b25727030e
SHA256

c874ffc8f0d844ac7620e00f10649cc6c8575234779343603c91a6b7f1361116
SHA512

bd51621a5aaf5901077c91e2a89fe637c8ae6607944a0db78edbf29fb096a84f80cb559172d9c9b4c81d18eab98b303980a3a0bd226be8395399b3ab429b471e
SSDEEP

3072:CEGh0oKlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023371-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000233f6-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fd-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233f6-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233fd-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023400-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233fd-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023407-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233fd-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023374-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233fd-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023408-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4458DBB-87B5-44cf-953A-71B7F583A18A}	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4458DBB-87B5-44cf-953A-71B7F583A18A}\stubpath = "C:\\Windows\\{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe"	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEBC7A46-BF7F-47f3-9639-60B39F306753}	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAC82894-9B14-473e-9D87-4008EB170F8F}\stubpath = "C:\\Windows\\{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe"	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69357C4E-FFE9-483f-948E-BC9514837661}\stubpath = "C:\\Windows\\{69357C4E-FFE9-483f-948E-BC9514837661}.exe"	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}	{69357C4E-FFE9-483f-948E-BC9514837661}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}\stubpath = "C:\\Windows\\{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe"	{69357C4E-FFE9-483f-948E-BC9514837661}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}\stubpath = "C:\\Windows\\{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe"	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEBC7A46-BF7F-47f3-9639-60B39F306753}\stubpath = "C:\\Windows\\{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe"	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}\stubpath = "C:\\Windows\\{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe"	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D77ECAA6-BA99-4564-85CB-71DE7E49811F}	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69357C4E-FFE9-483f-948E-BC9514837661}	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}\stubpath = "C:\\Windows\\{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe"	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D77ECAA6-BA99-4564-85CB-71DE7E49811F}\stubpath = "C:\\Windows\\{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe"	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02AB473E-8313-43f6-9DCF-31E4F4929C8B}\stubpath = "C:\\Windows\\{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe"	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00319F3-FF31-4c0e-A54A-76B958B5B64A}\stubpath = "C:\\Windows\\{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe"	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37CB06B2-876D-44ea-BE22-D51BBBD15279}	{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAC82894-9B14-473e-9D87-4008EB170F8F}	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02AB473E-8313-43f6-9DCF-31E4F4929C8B}	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00319F3-FF31-4c0e-A54A-76B958B5B64A}	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37CB06B2-876D-44ea-BE22-D51BBBD15279}\stubpath = "C:\\Windows\\{37CB06B2-876D-44ea-BE22-D51BBBD15279}.exe"	{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe
4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe
1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe
3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe
1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe
2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe
3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe
1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe
4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe
4220	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe
880	{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe
4020	{37CB06B2-876D-44ea-BE22-D51BBBD15279}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe
File created	C:\Windows\{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe
File created	C:\Windows\{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe
File created	C:\Windows\{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe
File created	C:\Windows\{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe	{69357C4E-FFE9-483f-948E-BC9514837661}.exe
File created	C:\Windows\{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe
File created	C:\Windows\{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe
File created	C:\Windows\{37CB06B2-876D-44ea-BE22-D51BBBD15279}.exe	{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe
File created	C:\Windows\{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe
File created	C:\Windows\{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe
File created	C:\Windows\{69357C4E-FFE9-483f-948E-BC9514837661}.exe	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe
File created	C:\Windows\{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4156	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe
Token: SeIncBasePriorityPrivilege	4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe
Token: SeIncBasePriorityPrivilege	1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe
Token: SeIncBasePriorityPrivilege	3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe
Token: SeIncBasePriorityPrivilege	1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe
Token: SeIncBasePriorityPrivilege	2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe
Token: SeIncBasePriorityPrivilege	3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe
Token: SeIncBasePriorityPrivilege	1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe
Token: SeIncBasePriorityPrivilege	4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe
Token: SeIncBasePriorityPrivilege	4220	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe
Token: SeIncBasePriorityPrivilege	880	{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 1716	4156	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe	101
PID 4156 wrote to memory of 1716	4156	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe	101
PID 4156 wrote to memory of 1716	4156	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe	101
PID 4156 wrote to memory of 2148	4156	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe	102
PID 4156 wrote to memory of 2148	4156	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe	102
PID 4156 wrote to memory of 2148	4156	2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe	102
PID 1716 wrote to memory of 4696	1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe	104
PID 1716 wrote to memory of 4696	1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe	104
PID 1716 wrote to memory of 4696	1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe	104
PID 1716 wrote to memory of 876	1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe	105
PID 1716 wrote to memory of 876	1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe	105
PID 1716 wrote to memory of 876	1716	{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe	105
PID 4696 wrote to memory of 1972	4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe	108
PID 4696 wrote to memory of 1972	4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe	108
PID 4696 wrote to memory of 1972	4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe	108
PID 4696 wrote to memory of 4480	4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe	109
PID 4696 wrote to memory of 4480	4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe	109
PID 4696 wrote to memory of 4480	4696	{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe	109
PID 1972 wrote to memory of 3856	1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe	110
PID 1972 wrote to memory of 3856	1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe	110
PID 1972 wrote to memory of 3856	1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe	110
PID 1972 wrote to memory of 4440	1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe	111
PID 1972 wrote to memory of 4440	1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe	111
PID 1972 wrote to memory of 4440	1972	{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe	111
PID 3856 wrote to memory of 1428	3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe	112
PID 3856 wrote to memory of 1428	3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe	112
PID 3856 wrote to memory of 1428	3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe	112
PID 3856 wrote to memory of 688	3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe	113
PID 3856 wrote to memory of 688	3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe	113
PID 3856 wrote to memory of 688	3856	{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe	113
PID 1428 wrote to memory of 2176	1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe	119
PID 1428 wrote to memory of 2176	1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe	119
PID 1428 wrote to memory of 2176	1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe	119
PID 1428 wrote to memory of 1288	1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe	120
PID 1428 wrote to memory of 1288	1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe	120
PID 1428 wrote to memory of 1288	1428	{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe	120
PID 2176 wrote to memory of 3588	2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe	121
PID 2176 wrote to memory of 3588	2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe	121
PID 2176 wrote to memory of 3588	2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe	121
PID 2176 wrote to memory of 1044	2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe	122
PID 2176 wrote to memory of 1044	2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe	122
PID 2176 wrote to memory of 1044	2176	{69357C4E-FFE9-483f-948E-BC9514837661}.exe	122
PID 3588 wrote to memory of 1664	3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe	130
PID 3588 wrote to memory of 1664	3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe	130
PID 3588 wrote to memory of 1664	3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe	130
PID 3588 wrote to memory of 2388	3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe	131
PID 3588 wrote to memory of 2388	3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe	131
PID 3588 wrote to memory of 2388	3588	{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe	131
PID 1664 wrote to memory of 4316	1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe	132
PID 1664 wrote to memory of 4316	1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe	132
PID 1664 wrote to memory of 4316	1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe	132
PID 1664 wrote to memory of 1540	1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe	133
PID 1664 wrote to memory of 1540	1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe	133
PID 1664 wrote to memory of 1540	1664	{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe	133
PID 4316 wrote to memory of 4220	4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe	134
PID 4316 wrote to memory of 4220	4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe	134
PID 4316 wrote to memory of 4220	4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe	134
PID 4316 wrote to memory of 1880	4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe	135
PID 4316 wrote to memory of 1880	4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe	135
PID 4316 wrote to memory of 1880	4316	{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe	135
PID 4220 wrote to memory of 880	4220	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe	136
PID 4220 wrote to memory of 880	4220	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe	136
PID 4220 wrote to memory of 880	4220	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe	136
PID 4220 wrote to memory of 2276	4220	{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe	137

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe
  C:\Windows\{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe
    C:\Windows\{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe
      C:\Windows\{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe
        
        C:\Windows\{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe
        
        C:\Windows\{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{69357C4E-FFE9-483f-948E-BC9514837661}.exe
        
        C:\Windows\{69357C4E-FFE9-483f-948E-BC9514837661}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe
        
        C:\Windows\{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe
        
        C:\Windows\{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe
        
        C:\Windows\{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe
        
        C:\Windows\{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe
        
        C:\Windows\{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\{37CB06B2-876D-44ea-BE22-D51BBBD15279}.exe
        
        C:\Windows\{37CB06B2-876D-44ea-BE22-D51BBBD15279}.exe
        13⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0031~1.EXE > nul
        13⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEBC7~1.EXE > nul
        12⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4458~1.EXE > nul
        11⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A297E~1.EXE > nul
        10⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2AB6~1.EXE > nul
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69357~1.EXE > nul
        8⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02AB4~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D77EC~1.EXE > nul
        6⤵
        
        PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB1AF~1.EXE > nul
        5⤵
        
        PID:4440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AAC82~1.EXE > nul
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6FEF9~1.EXE > nul
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02AB473E-8313-43f6-9DCF-31E4F4929C8B}.exe

Filesize
372KB

MD5
657095be5fddc4befe6f51977cd1af30

SHA1
2acdcfe87afabb5a90eb761aa1ad6aee6f874b1d

SHA256
843b757079f1e961e5d4042fdffd126a122ee8d9cbc92cc4a23fc753726e54e1

SHA512
ab702bd23072fb7845d90959cd24d69c0c9631a2b78dcbeec0cf4e680237d546532feb83eadef0cbc862f149de26545f18ab41e40cddc652c5ecfca209621835

Download Submit
C:\Windows\{37CB06B2-876D-44ea-BE22-D51BBBD15279}.exe

Filesize
372KB

MD5
d665891dc6071f1a58cc824d8fc4db1c

SHA1
5389067b4b88e8be01481f532389239b7851dd89

SHA256
fda17f4d45a5b25a798d89995e4693e5e1c6ab5958052f789bcfa6050455314e

SHA512
f1a3b5b9366ccdda0d8e304ac543cee081e8daf3eb45fd5c71ce5a5ef0ec69d42f1e09b36b4a6dfa0a6aefc8c02ad297e6a3d0755a4d479f27dd304e5352c078

Download Submit
C:\Windows\{69357C4E-FFE9-483f-948E-BC9514837661}.exe

Filesize
372KB

MD5
5072bcc9662e486db0f1e731f432aeb5

SHA1
35e27927e7e6c49ffe8a6056b15a587349836d07

SHA256
ecd60a79d2807fa3708aba61937382fc20a4baafd77f2c58577a32a382dd7572

SHA512
88f537eec3b2a1f85a647c259ce2f1a51b88a1205a9eaf000d550982debbaaf9058342dd10986d3058639cd4401f52ddaad8044d9a9de0f118f32a96c7cc9301

Download Submit
C:\Windows\{6FEF9AEB-57DD-461f-B17B-37F80AA1F07F}.exe

Filesize
372KB

MD5
695ed57b368daf7f4c3791b47e762e9a

SHA1
3c59f9b04ee6cfc066b711f56aa3828144fa2b59

SHA256
8a05cd2ef3ce0b2ee19b2f4b7d51ea6af143d7aabd38e57bdf94359f7da2e0f3

SHA512
e09c97266e5491e2713f9b765207337208884067e6795b2334ee672e9bff1198008d2c87e1ef6c415eacca3298f9ba4824b467823f9946a76fdab5f7677361b3

Download Submit
C:\Windows\{A297E09F-9FA6-4c95-985B-F1CE36B6CA97}.exe

Filesize
372KB

MD5
cdb2d5395001205668db3755e851ae18

SHA1
4bcc668ba3a59c61544124f102627d726298e207

SHA256
f1164187e0fc983b4711fbd9188c522cf46cca09d7e66ae5f99fe1307963eb45

SHA512
8405227f4c07d2631a46b600d4d22b8573838b65839eec14b6f93b2ffab9c6baaf78be7858076fbabb2f881e9c29b7da6ab5b2a46ef304d933fe01e007d16793

Download Submit
C:\Windows\{AAC82894-9B14-473e-9D87-4008EB170F8F}.exe

Filesize
372KB

MD5
1402e203bae9e53a86a78dc5c3f9d3e3

SHA1
da6694d22fb786d9f554a68500fd55e8e3391312

SHA256
dc4390fd760b8604db72c971a7bff75d1d7d2346e790140d644f7a6e17a36eb0

SHA512
4615ea31df9a7d330cdd909b2d529594b6510149c9bc60160da8ca7fda30cbdd4795fa6d86dc8709634a422e1a006a81f39472386f670ab6e082c7ebbcd3a694

Download Submit
C:\Windows\{B00319F3-FF31-4c0e-A54A-76B958B5B64A}.exe

Filesize
372KB

MD5
f9ea354d37fe3c2a51fc29ce82fca46b

SHA1
55cc16c39e37a8c542fa8603802ee554e3a785a9

SHA256
612e7f0ca838789daada69a116ad367cd2fbb072682568c25052eac3f2129533

SHA512
b0a81cec643d88a5abf2285578929fefec3b63a989df0ea32cbe4e745cef2c9408e72f7549f4221f9762c8a145e24adbc98cf939bbb069df7fafe960cf2b8992

Download Submit
C:\Windows\{BEBC7A46-BF7F-47f3-9639-60B39F306753}.exe

Filesize
372KB

MD5
a6e16ee030953a69bd76350dfe084107

SHA1
68a9c4519d4920c9ef11b7a60f0d1ca1e7f39897

SHA256
855e18861bcbc278273985ff3ad107ab5ba112b49fe04dadc1fc0601531ce38d

SHA512
1c0bcbefff83ad3ca7bb92f9c50cfca233dcb129bdb87cb7c959fef425fe7a3bed61d528ef74b82912bb8e90432b61f0e20d4448848882afad89e606ee42996c

Download Submit
C:\Windows\{C4458DBB-87B5-44cf-953A-71B7F583A18A}.exe

Filesize
372KB

MD5
029e6a07f282c857d7715dd3612b3ff3

SHA1
3edae83a048e86b43579216dd48ca8dd0f24da6d

SHA256
4908431d3edb96815032ce78641c8b6a5110da49a8b40c668e04405090882951

SHA512
d6ad62179a80fdb51d2f43ae0a2e82fb4f3e5b87daafd4bb73aedcfb65ce5a31bc29ca40dc3bf6c5c8d499f8ea6ea2b6c39c6624fbb9fb82bf2a167d45a46519

Download Submit
C:\Windows\{D2AB64AA-7EA4-4b34-BDA2-B5590D6F213F}.exe

Filesize
372KB

MD5
cf9ad58b67f5746dc846a19e874abe88

SHA1
c3436f913587d5107fdc3e37f41406e98c1ce424

SHA256
c3389169352e13a913540eda3db5c992756656330a41c652750ac3555843fca3

SHA512
eb54d9f3135621697f03e1a686e47c1b6750f626d9900a8878e37b49a5081811f87b3b689a3580c2e12d213b409147b4f303874504650a52d7f4c7f1afdd20bb

Download Submit
C:\Windows\{D77ECAA6-BA99-4564-85CB-71DE7E49811F}.exe

Filesize
372KB

MD5
2a7d75b6bfb16b4941e4d0e4285e6d58

SHA1
d66d920dd54033805497221a0b416046f919cca6

SHA256
fd47977b4bb52c2e6b6953b1ebaad9170254f3ea41f65b5bf120760f95f0b395

SHA512
e3143412b2ffe61c109c3e97606687c105318d5c0f6a518b7250844cc5134e93265f9487f5a9916018fb6ba0a356b6ae1ec3f61464045e1cbdde7176b63cba88

Download Submit
C:\Windows\{EB1AF33B-7F51-4831-A477-63B5E8AA30BE}.exe

Filesize
372KB

MD5
59935d132e9874d3b7b0eed415951621

SHA1
bb3b6c1265230abf228c787fb6ae623ecb45543b

SHA256
33ba23bfde23e94c8e0a8870e6bd1147b7597e3d4b59b53641d25b7607fed687

SHA512
917477bef053ec15a1d2f2afc5e21639f62230f298d01b6da90c3ba602c8d53bee5ef561c9f37c5e3a7d6200d7b9a8ae8e7380dcda4107ae6a37e7eaff86d8bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads