d6ba1e53c4e1bfd19a20b204acaaf38b1feaa68ebad0d61e5899dc9e7734c0b4

Analysis

max time kernel
149s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Size

408KB
MD5

aa399fda7d6d1372a3e9ec581cd54229
SHA1

3d765d7c6f2dff137fb70880eb93e03f55c0fdb8
SHA256

d6ba1e53c4e1bfd19a20b204acaaf38b1feaa68ebad0d61e5899dc9e7734c0b4
SHA512

b8f09ed062be054135e9b23b4d8828fb1567df0c7b64d3b231dd4c177a7cb085c9fcaad19ecd1988db06d0472b4782fa8173336da079d225881d9af7a83a1f24
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023ba4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023ba5-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023baa-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bad-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bb9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bad-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bb9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bad-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bb9-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bad-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bb9-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bad-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E96868-822D-487c-A9B6-87580E43C28B}\stubpath = "C:\\Windows\\{09E96868-822D-487c-A9B6-87580E43C28B}.exe"	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}\stubpath = "C:\\Windows\\{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe"	{09E96868-822D-487c-A9B6-87580E43C28B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{676FE0BB-C2B0-40f6-8041-28F6F2549353}	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}\stubpath = "C:\\Windows\\{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe"	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E5F358-195F-4460-B005-C28275550EC8}	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62368EC-8B5B-4703-8AB2-EEDC85702096}\stubpath = "C:\\Windows\\{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe"	{28E5F358-195F-4460-B005-C28275550EC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8505CCC3-5439-4684-AC9E-EDAB66838DE7}	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E96868-822D-487c-A9B6-87580E43C28B}	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}	{09E96868-822D-487c-A9B6-87580E43C28B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3691B9B1-771A-43cc-BD40-576ED98E394B}	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}\stubpath = "C:\\Windows\\{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe"	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}\stubpath = "C:\\Windows\\{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe"	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8505CCC3-5439-4684-AC9E-EDAB66838DE7}\stubpath = "C:\\Windows\\{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe"	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07625C31-03CB-4303-985C-9724614DC363}\stubpath = "C:\\Windows\\{07625C31-03CB-4303-985C-9724614DC363}.exe"	{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E5F358-195F-4460-B005-C28275550EC8}\stubpath = "C:\\Windows\\{28E5F358-195F-4460-B005-C28275550EC8}.exe"	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}\stubpath = "C:\\Windows\\{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe"	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07625C31-03CB-4303-985C-9724614DC363}	{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{676FE0BB-C2B0-40f6-8041-28F6F2549353}\stubpath = "C:\\Windows\\{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe"	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62368EC-8B5B-4703-8AB2-EEDC85702096}	{28E5F358-195F-4460-B005-C28275550EC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3691B9B1-771A-43cc-BD40-576ED98E394B}\stubpath = "C:\\Windows\\{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe"	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe

Executes dropped EXE 12 IoCs

pid	Process
1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe
768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe
4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe
4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe
3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe
4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe
2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe
4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe
2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe
3996	{09E96868-822D-487c-A9B6-87580E43C28B}.exe
880	{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe
3760	{07625C31-03CB-4303-985C-9724614DC363}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{09E96868-822D-487c-A9B6-87580E43C28B}.exe	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe
File created	C:\Windows\{28E5F358-195F-4460-B005-C28275550EC8}.exe	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe
File created	C:\Windows\{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe
File created	C:\Windows\{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe
File created	C:\Windows\{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe
File created	C:\Windows\{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe
File created	C:\Windows\{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe	{09E96868-822D-487c-A9B6-87580E43C28B}.exe
File created	C:\Windows\{07625C31-03CB-4303-985C-9724614DC363}.exe	{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe
File created	C:\Windows\{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
File created	C:\Windows\{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe
File created	C:\Windows\{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe	{28E5F358-195F-4460-B005-C28275550EC8}.exe
File created	C:\Windows\{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3600	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe
Token: SeIncBasePriorityPrivilege	768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe
Token: SeIncBasePriorityPrivilege	4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe
Token: SeIncBasePriorityPrivilege	4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe
Token: SeIncBasePriorityPrivilege	3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe
Token: SeIncBasePriorityPrivilege	4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe
Token: SeIncBasePriorityPrivilege	2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe
Token: SeIncBasePriorityPrivilege	4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe
Token: SeIncBasePriorityPrivilege	2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe
Token: SeIncBasePriorityPrivilege	3996	{09E96868-822D-487c-A9B6-87580E43C28B}.exe
Token: SeIncBasePriorityPrivilege	880	{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 1968	3600	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	88
PID 3600 wrote to memory of 1968	3600	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	88
PID 3600 wrote to memory of 1968	3600	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	88
PID 3600 wrote to memory of 1756	3600	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	89
PID 3600 wrote to memory of 1756	3600	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	89
PID 3600 wrote to memory of 1756	3600	2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe	89
PID 1968 wrote to memory of 768	1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe	90
PID 1968 wrote to memory of 768	1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe	90
PID 1968 wrote to memory of 768	1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe	90
PID 1968 wrote to memory of 2908	1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe	91
PID 1968 wrote to memory of 2908	1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe	91
PID 1968 wrote to memory of 2908	1968	{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe	91
PID 768 wrote to memory of 4852	768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe	94
PID 768 wrote to memory of 4852	768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe	94
PID 768 wrote to memory of 4852	768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe	94
PID 768 wrote to memory of 3296	768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe	95
PID 768 wrote to memory of 3296	768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe	95
PID 768 wrote to memory of 3296	768	{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe	95
PID 4852 wrote to memory of 4392	4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe	100
PID 4852 wrote to memory of 4392	4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe	100
PID 4852 wrote to memory of 4392	4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe	100
PID 4852 wrote to memory of 2520	4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe	101
PID 4852 wrote to memory of 2520	4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe	101
PID 4852 wrote to memory of 2520	4852	{28E5F358-195F-4460-B005-C28275550EC8}.exe	101
PID 4392 wrote to memory of 3336	4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe	103
PID 4392 wrote to memory of 3336	4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe	103
PID 4392 wrote to memory of 3336	4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe	103
PID 4392 wrote to memory of 5016	4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe	104
PID 4392 wrote to memory of 5016	4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe	104
PID 4392 wrote to memory of 5016	4392	{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe	104
PID 3336 wrote to memory of 4596	3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe	107
PID 3336 wrote to memory of 4596	3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe	107
PID 3336 wrote to memory of 4596	3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe	107
PID 3336 wrote to memory of 5100	3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe	108
PID 3336 wrote to memory of 5100	3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe	108
PID 3336 wrote to memory of 5100	3336	{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe	108
PID 4596 wrote to memory of 2016	4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe	109
PID 4596 wrote to memory of 2016	4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe	109
PID 4596 wrote to memory of 2016	4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe	109
PID 4596 wrote to memory of 3900	4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe	110
PID 4596 wrote to memory of 3900	4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe	110
PID 4596 wrote to memory of 3900	4596	{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe	110
PID 2016 wrote to memory of 4716	2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe	111
PID 2016 wrote to memory of 4716	2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe	111
PID 2016 wrote to memory of 4716	2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe	111
PID 2016 wrote to memory of 1216	2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe	112
PID 2016 wrote to memory of 1216	2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe	112
PID 2016 wrote to memory of 1216	2016	{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe	112
PID 4716 wrote to memory of 2896	4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe	113
PID 4716 wrote to memory of 2896	4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe	113
PID 4716 wrote to memory of 2896	4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe	113
PID 4716 wrote to memory of 3300	4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe	114
PID 4716 wrote to memory of 3300	4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe	114
PID 4716 wrote to memory of 3300	4716	{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe	114
PID 2896 wrote to memory of 3996	2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe	115
PID 2896 wrote to memory of 3996	2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe	115
PID 2896 wrote to memory of 3996	2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe	115
PID 2896 wrote to memory of 2324	2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe	116
PID 2896 wrote to memory of 2324	2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe	116
PID 2896 wrote to memory of 2324	2896	{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe	116
PID 3996 wrote to memory of 880	3996	{09E96868-822D-487c-A9B6-87580E43C28B}.exe	117
PID 3996 wrote to memory of 880	3996	{09E96868-822D-487c-A9B6-87580E43C28B}.exe	117
PID 3996 wrote to memory of 880	3996	{09E96868-822D-487c-A9B6-87580E43C28B}.exe	117
PID 3996 wrote to memory of 1348	3996	{09E96868-822D-487c-A9B6-87580E43C28B}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_aa399fda7d6d1372a3e9ec581cd54229_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe
  C:\Windows\{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe
    C:\Windows\{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\{28E5F358-195F-4460-B005-C28275550EC8}.exe
      C:\Windows\{28E5F358-195F-4460-B005-C28275550EC8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe
        
        C:\Windows\{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe
        
        C:\Windows\{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe
        
        C:\Windows\{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe
        
        C:\Windows\{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe
        
        C:\Windows\{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe
        
        C:\Windows\{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{09E96868-822D-487c-A9B6-87580E43C28B}.exe
        
        C:\Windows\{09E96868-822D-487c-A9B6-87580E43C28B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe
        
        C:\Windows\{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\{07625C31-03CB-4303-985C-9724614DC363}.exe
        
        C:\Windows\{07625C31-03CB-4303-985C-9724614DC363}.exe
        13⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAF17~1.EXE > nul
        13⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09E96~1.EXE > nul
        12⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F9F5~1.EXE > nul
        11⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8505C~1.EXE > nul
        10⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA941~1.EXE > nul
        9⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96BD7~1.EXE > nul
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3691B~1.EXE > nul
        7⤵
        
        PID:5100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6236~1.EXE > nul
        6⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28E5F~1.EXE > nul
        5⤵
        
        PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C73EE~1.EXE > nul
      4⤵
      PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{676FE~1.EXE > nul
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07625C31-03CB-4303-985C-9724614DC363}.exe

Filesize
408KB

MD5
bbd98d363b0c1f5710a87ac6095ef7b3

SHA1
123e211d36a87ebbac878f5bb33f4e347e646b97

SHA256
f72aa8ed990e4ec3260d1d46521d002129e759f2207daf86d2c60f377cf84cd0

SHA512
4d508b988a6a6322360473b8b7ea7975a30978899d8abefc0cf7502bdbe7f3e28a8c81b4882e547feb82fb07b566ac1d02f8e342f92ab2e86734a9155f48fdd8

Download Submit
C:\Windows\{09E96868-822D-487c-A9B6-87580E43C28B}.exe

Filesize
408KB

MD5
3fe99f2cdf366bb1ee6c4e21ee69c020

SHA1
74b74b34f3b06858af70d70b64b9e6736699df82

SHA256
84901c8dff5c0d474371cc63f5ecb3ea24fbc4e6e80882af70d97464694bd691

SHA512
baf2db5f789ded54d73913d6312e7811eb99e5f76d8a650939478da216fee1f9f97d9402d603ebe913500fee40f37112ed1ef7cb3d1a7417ee6753de100d1694

Download Submit
C:\Windows\{28E5F358-195F-4460-B005-C28275550EC8}.exe

Filesize
408KB

MD5
48fadcf10c0fe2e2f47281d349789987

SHA1
812e0c1326bfb617ea12c642f0d603fee99c87fb

SHA256
e8f60d20a383dffcee90a0a1823374ca83d0dbe8520c688d10beb2bf926cf2b9

SHA512
6fbd56ee3e7273cca51b7cc06afeb32c558f6c18c418b705f1d49ac7de484f6cdddc0676aceeaa4b686266aec44612a0afd8fe09735bb189dc2b57c2f7d7805d

Download Submit
C:\Windows\{3691B9B1-771A-43cc-BD40-576ED98E394B}.exe

Filesize
408KB

MD5
97a580c1b3c1abb205df897179a43718

SHA1
381721f95c84c0fef14d7f52703ab5dc340942e5

SHA256
17fae7bb1db6a63439d3e11bc2dd996ec4c4634691146f32cbaf962ce2195e43

SHA512
48adc084725ded8fee566c0eae08397823cbf3c960e20907b3f8ebaccca5c7e5c0829a4ecc67ee6010fe4f84980c9931d530473d58c0297ae8eb3fdf9a370810

Download Submit
C:\Windows\{676FE0BB-C2B0-40f6-8041-28F6F2549353}.exe

Filesize
408KB

MD5
6932de334f8d7576acae135901c32783

SHA1
da23546442640dcaacafd1ef1c4efcfe18bbdc47

SHA256
157510ece125a1e3b31392a792f597b0b586ba2787f74e990b0e28238f3ff2fe

SHA512
f149668d667401233d7902efc73331a8d4d09f2de3d900f7128bfbeb2048d143e9bd4e248efa171d23825cd3c397e3615f1882a12751480cb8e50b717acdeca4

Download Submit
C:\Windows\{7F9F5552-135E-4e7c-BE38-1D0513D17F7C}.exe

Filesize
408KB

MD5
059ea9f5aa1b88edeaca9098fe1fe39f

SHA1
8bab5e71f069cb8452548b1a5a88b09003a4b7aa

SHA256
5c7465eb1ce5145ee2c67b258e8396390b16dbe7385fcce3575e81419367897a

SHA512
b4c2406df27984411a0f9bddf14a54c8c68a38fea4ae04326e28b4d7c96dba44332dc7747f93d96bddf63d0293014831b3e0e3526eedee2f76d355bea1d95878

Download Submit
C:\Windows\{8505CCC3-5439-4684-AC9E-EDAB66838DE7}.exe

Filesize
408KB

MD5
2a6a72f9c9f74433e9a381af6399f056

SHA1
35cc7af877b60032b8d3be230eabfd4203ff3d91

SHA256
ac300b4c4d24df7d3f14285690b5d90db09b1d175522cd2ae737908dcdcecf53

SHA512
00e59ca1fddd6b6e08e48d8b270ef7819ccd93b1acfe784072cf90509f28d22882c2f99bc3ebdfa9af89b832c119e5609e4144a4710b4a6955fe873982155b52

Download Submit
C:\Windows\{96BD7982-C34A-4c59-BB05-FDBA48B9F8D8}.exe

Filesize
408KB

MD5
756126122bd14cb14510106459f2b2ff

SHA1
162da61fee0534bb81b1d8b2cb95467b9f9d2f8a

SHA256
4387db5b7cf20e7ae24c176f37ca86a12ee7ff2cc9b1c2882e13e1a7115fc97b

SHA512
edd91f8d82d945aca4b1c12ecdef0bea7b4dda5eeb3087d44cf686dd42c6b63089e67f3ea2683a35da77884b21c7b9f8739b2d616a9cfaf0d6279950eb860360

Download Submit
C:\Windows\{B62368EC-8B5B-4703-8AB2-EEDC85702096}.exe

Filesize
408KB

MD5
9d319f4ca1ab7c94502597813058b5bd

SHA1
0304c598e4eda6a3427cb32a8432692c06b98386

SHA256
d1d10d4c5f751282894b4cc5e1c8b8f4ba29e9be04618995aa3974e018fbadf4

SHA512
cfd67c7dd57b88c5c769f75eb1889bc249f5afc1553441c27d403bf3bb55ca6d24edacdac8f8b5b16aefb1703f31afbcaa7e8801ac753fab7f22e5b625be8396

Download Submit
C:\Windows\{C73EEF4C-7DFF-4185-B6AF-7C829D17BA8D}.exe

Filesize
408KB

MD5
c3a3c847d7d2637d29aab568317873d8

SHA1
626a8337efcd768e9c5e0afc2c4191166fb855bb

SHA256
fa26affd024fb3cb3820ed5aa108fdc5b9ffa48360d7e57dfeb3075e51d87822

SHA512
bdb1f3054644a6f5cc0a45ef9896dc173d20339406999180275bb22ffd3495f9936308246c5614303f5ff165df3651ec8fbacbc901a8bb661c44517b4d5483d2

Download Submit
C:\Windows\{CA94183D-4D47-4dfe-8F3E-AADFE9086B51}.exe

Filesize
408KB

MD5
36aa62f5f8f6717c44a0f73c999e76b0

SHA1
c7568f28682b869c6d0330c4d167280e4ec1ef6d

SHA256
717bc51117d5be5bf19c74f95154ee92723655c6287ac5a23131246a96bb9ed6

SHA512
8fc53a8662afaae0bb5741f757d37ee26caef7a32ad6c412f95ce8220e325c9c1566cac9e9c0eced3987e483b03cdeaadb329de9a4f8f9a00ed46a522f8e41ab

Download Submit
C:\Windows\{DAF179F3-7154-42f2-9D97-DDF98CACB5C3}.exe

Filesize
408KB

MD5
1cf4f02588b66ef02d83da00b8e3d994

SHA1
38e44a46b8aad1cf52bc3f0457433da561c52134

SHA256
cf2005b94b2b5131fdca294e5116afaf2552b19488c83acdd4ecd53bd763a869

SHA512
3c6ba9c7837cfb6d68299ba436f36a92c9afd3b6c2f930e9a0b4162a410506251fc61c9a603774880dfe285bab919b3d9d562eb1149543d025d2d0cbf3dae68a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads