8bb837bbc5d61a4c38a010aff25bafb0baac7591b06c1153c95f76953dac3107

Analysis

max time kernel
149s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Size

180KB
MD5

304f6243f273291c82db85cd5d0f14bc
SHA1

109d742fdae1c6d5955d6c0ecea24d1d23998411
SHA256

8bb837bbc5d61a4c38a010aff25bafb0baac7591b06c1153c95f76953dac3107
SHA512

2144a90fd6fc63afefe7e20a85dd8e851ece6cd4b652ab5e695ec1f109a7f5245e106ca93bfee97dd7294357de4539f43e7139d16554a7cca839547a8a039fd6
SSDEEP

3072:jEGh0oTlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023bac-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bad-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bb2-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bbf-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e74c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bbf-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e74c-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bbf-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e74c-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bbf-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e74c-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bbf-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}\stubpath = "C:\\Windows\\{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe"	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D54165D-66F7-4322-83E9-32582CA8AE79}	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}	{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CED7FB-1547-43e1-B99A-28F87B1B1308}	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C9F47E-C8FF-4e9b-83E8-47B635C93553}	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A92C94C-E849-41c4-85D8-27E552C10232}	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C9F47E-C8FF-4e9b-83E8-47B635C93553}\stubpath = "C:\\Windows\\{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe"	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B31CA89-FE33-4a12-B9C3-998CC67EB851}	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE5BE55D-B3D8-49c7-8471-F81A70296862}	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B31CA89-FE33-4a12-B9C3-998CC67EB851}\stubpath = "C:\\Windows\\{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe"	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}\stubpath = "C:\\Windows\\{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe"	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D54165D-66F7-4322-83E9-32582CA8AE79}\stubpath = "C:\\Windows\\{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe"	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CED7FB-1547-43e1-B99A-28F87B1B1308}\stubpath = "C:\\Windows\\{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe"	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}\stubpath = "C:\\Windows\\{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe"	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7266EC88-513B-4ede-BE80-7A8E6A719705}	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7266EC88-513B-4ede-BE80-7A8E6A719705}\stubpath = "C:\\Windows\\{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe"	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}\stubpath = "C:\\Windows\\{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}.exe"	{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A92C94C-E849-41c4-85D8-27E552C10232}\stubpath = "C:\\Windows\\{4A92C94C-E849-41c4-85D8-27E552C10232}.exe"	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}\stubpath = "C:\\Windows\\{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe"	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE5BE55D-B3D8-49c7-8471-F81A70296862}\stubpath = "C:\\Windows\\{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe"	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe

Executes dropped EXE 12 IoCs

pid	Process
3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe
2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe
1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe
2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe
2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe
3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe
652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe
3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe
1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe
1788	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe
4948	{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe
1592	{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}.exe	{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe
File created	C:\Windows\{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe
File created	C:\Windows\{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe
File created	C:\Windows\{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe
File created	C:\Windows\{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe
File created	C:\Windows\{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe
File created	C:\Windows\{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe
File created	C:\Windows\{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe
File created	C:\Windows\{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
File created	C:\Windows\{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe
File created	C:\Windows\{4A92C94C-E849-41c4-85D8-27E552C10232}.exe	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe
File created	C:\Windows\{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4800	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe
Token: SeIncBasePriorityPrivilege	2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe
Token: SeIncBasePriorityPrivilege	1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe
Token: SeIncBasePriorityPrivilege	2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe
Token: SeIncBasePriorityPrivilege	2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe
Token: SeIncBasePriorityPrivilege	3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe
Token: SeIncBasePriorityPrivilege	652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe
Token: SeIncBasePriorityPrivilege	3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe
Token: SeIncBasePriorityPrivilege	1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe
Token: SeIncBasePriorityPrivilege	1788	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe
Token: SeIncBasePriorityPrivilege	4948	{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3756	4800	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	86
PID 4800 wrote to memory of 3756	4800	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	86
PID 4800 wrote to memory of 3756	4800	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	86
PID 4800 wrote to memory of 3048	4800	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	87
PID 4800 wrote to memory of 3048	4800	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	87
PID 4800 wrote to memory of 3048	4800	2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe	87
PID 3756 wrote to memory of 2648	3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe	88
PID 3756 wrote to memory of 2648	3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe	88
PID 3756 wrote to memory of 2648	3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe	88
PID 3756 wrote to memory of 4864	3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe	89
PID 3756 wrote to memory of 4864	3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe	89
PID 3756 wrote to memory of 4864	3756	{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe	89
PID 2648 wrote to memory of 1116	2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe	95
PID 2648 wrote to memory of 1116	2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe	95
PID 2648 wrote to memory of 1116	2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe	95
PID 2648 wrote to memory of 460	2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe	96
PID 2648 wrote to memory of 460	2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe	96
PID 2648 wrote to memory of 460	2648	{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe	96
PID 1116 wrote to memory of 2492	1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe	99
PID 1116 wrote to memory of 2492	1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe	99
PID 1116 wrote to memory of 2492	1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe	99
PID 1116 wrote to memory of 1596	1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe	100
PID 1116 wrote to memory of 1596	1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe	100
PID 1116 wrote to memory of 1596	1116	{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe	100
PID 2492 wrote to memory of 2692	2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe	103
PID 2492 wrote to memory of 2692	2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe	103
PID 2492 wrote to memory of 2692	2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe	103
PID 2492 wrote to memory of 4064	2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe	104
PID 2492 wrote to memory of 4064	2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe	104
PID 2492 wrote to memory of 4064	2492	{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe	104
PID 2692 wrote to memory of 3416	2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe	105
PID 2692 wrote to memory of 3416	2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe	105
PID 2692 wrote to memory of 3416	2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe	105
PID 2692 wrote to memory of 4424	2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe	106
PID 2692 wrote to memory of 4424	2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe	106
PID 2692 wrote to memory of 4424	2692	{4A92C94C-E849-41c4-85D8-27E552C10232}.exe	106
PID 3416 wrote to memory of 652	3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe	107
PID 3416 wrote to memory of 652	3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe	107
PID 3416 wrote to memory of 652	3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe	107
PID 3416 wrote to memory of 3728	3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe	108
PID 3416 wrote to memory of 3728	3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe	108
PID 3416 wrote to memory of 3728	3416	{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe	108
PID 652 wrote to memory of 3192	652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe	109
PID 652 wrote to memory of 3192	652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe	109
PID 652 wrote to memory of 3192	652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe	109
PID 652 wrote to memory of 2580	652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe	110
PID 652 wrote to memory of 2580	652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe	110
PID 652 wrote to memory of 2580	652	{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe	110
PID 3192 wrote to memory of 1392	3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe	111
PID 3192 wrote to memory of 1392	3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe	111
PID 3192 wrote to memory of 1392	3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe	111
PID 3192 wrote to memory of 2612	3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe	112
PID 3192 wrote to memory of 2612	3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe	112
PID 3192 wrote to memory of 2612	3192	{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe	112
PID 1392 wrote to memory of 1788	1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe	113
PID 1392 wrote to memory of 1788	1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe	113
PID 1392 wrote to memory of 1788	1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe	113
PID 1392 wrote to memory of 4808	1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe	114
PID 1392 wrote to memory of 4808	1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe	114
PID 1392 wrote to memory of 4808	1392	{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe	114
PID 1788 wrote to memory of 4948	1788	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe	115
PID 1788 wrote to memory of 4948	1788	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe	115
PID 1788 wrote to memory of 4948	1788	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe	115
PID 1788 wrote to memory of 3568	1788	{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_304f6243f273291c82db85cd5d0f14bc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe
  C:\Windows\{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe
    C:\Windows\{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe
      C:\Windows\{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe
        
        C:\Windows\{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\{4A92C94C-E849-41c4-85D8-27E552C10232}.exe
        
        C:\Windows\{4A92C94C-E849-41c4-85D8-27E552C10232}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe
        
        C:\Windows\{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe
        
        C:\Windows\{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe
        
        C:\Windows\{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe
        
        C:\Windows\{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe
        
        C:\Windows\{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe
        
        C:\Windows\{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}.exe
        
        C:\Windows\{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D541~1.EXE > nul
        13⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7266E~1.EXE > nul
        12⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C7E~1.EXE > nul
        11⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE5BE~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B9FA~1.EXE > nul
        9⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A44C~1.EXE > nul
        8⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A92C~1.EXE > nul
        7⤵
        
        PID:4424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B31C~1.EXE > nul
        6⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C354E~1.EXE > nul
        5⤵
        
        PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06C9F~1.EXE > nul
      4⤵
      PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6CED~1.EXE > nul
    3⤵
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06C9F47E-C8FF-4e9b-83E8-47B635C93553}.exe

Filesize
180KB

MD5
186818409e4c63ea5e81d76cccef0e57

SHA1
96e3e06bae3bb05a6595d42c6072e54e9a8b0560

SHA256
3b6e94c4022e546536cd7e541d4eebaaa672d98ac65b7651f205e083686f085f

SHA512
f3fc79528d3894e1ba07118aaadb7f74d8442e53c36ced1a853497cef1a14abefd6a0c0ee73416090de1395cc78c0c14f548a748d920898910d713c53374329e

Download Submit
C:\Windows\{2A44C2FD-1A6E-48c0-8587-5780F6EAE911}.exe

Filesize
180KB

MD5
6f80130dd16542342a1326953498c498

SHA1
4a7c9d051483040c436cde30fa5d7f89338e7652

SHA256
a13271e203d1614652804904e2e8e42b66e17724c2945b0e0f28d28fb21538b0

SHA512
b4d66df0b71ad18c4961ee940f887489e919ec3f2dc1cdd223c753b085a52097a53cfca909a90adc2929dcfb400f72b0c487484dc9a3ac4e61a0dfba45dcaed0

Download Submit
C:\Windows\{4A92C94C-E849-41c4-85D8-27E552C10232}.exe

Filesize
180KB

MD5
d4541dd9afc4c04a8e7f13cb1f4c5a8c

SHA1
108bb3d93119dd0b31199049ebf84ce07478d3ef

SHA256
076fc555285f4b96d27af5ed1116a23c0605e7a3c72767c3a6d639816b06fa14

SHA512
fac1a9bda205e242d4cfcec5fb19b0d335e75690fff2c31271ed1c87a46780c07386123e7d98069b2df12e0fc212cc70ca42822122509ee8e36816e8141fcbe4

Download Submit
C:\Windows\{4C13AF6A-89F7-4bc4-9FA4-D33F3717760D}.exe

Filesize
180KB

MD5
b766c7682fa5c84386aef2aeb45b2d38

SHA1
4213523e0fd4e74bc8a99d63239725876847eb7e

SHA256
00d64ce9d19aa1bc46147eb5d4b7b8c8e957f659f4db6d7da7f762613db95441

SHA512
a4386f84508109ea9ab83add84e667b5c18cb41a6985d73211c2349b8ba8dbe2db60014d543d829c45364a59727a2fc6b87180bb4bb545b20c99239776e5d2dc

Download Submit
C:\Windows\{52C7E883-8A08-47cf-9B04-30E6B0FCFDD5}.exe

Filesize
180KB

MD5
26fdfb0f1497aeea95dc9f394057b002

SHA1
e4ca28f99dd38ef6553951e9b81af9af63d723c6

SHA256
bea435c8d1dec0d6249790e07f8e9b3ac9a7d31f8beb89eafd431aa7529d8924

SHA512
0c11eb58a2d9a184244b77605aa6db5d1e3638c8855be55b0083a3d8fa045f49f0a3ae7e4a766c1bb2ff00b1e6685ff5b980931eb0eadae96af37e40da4c2c11

Download Submit
C:\Windows\{6B9FACFB-EE76-4f51-A1F9-5C21A784F225}.exe

Filesize
180KB

MD5
25ec931f51a24b4ffe701f63c82de018

SHA1
5150e97e6651484aa713fe3275630559473e1bfe

SHA256
a16ab54ff294e77404aae73bb2dd68e12737bb66dfc2d4a6c7b3fc9fb52b7a87

SHA512
28c35fc44e447871b8fc6c515f7266363d931b7b48e633d4947b59421d026c8ee981d3dc58d35c0891996ac373868a81410c620eb75f3373f1e10fea8d5e769a

Download Submit
C:\Windows\{7266EC88-513B-4ede-BE80-7A8E6A719705}.exe

Filesize
180KB

MD5
a370bbc4c91ee6b04035e77bef25b583

SHA1
09344936599b781b28cc274fcd2ea9e86f25f9e1

SHA256
674f0a7b21ec62c2a5e7457700848ae9fc7063c755a6d8f80f39f210d778bdaf

SHA512
864394182e2317f40a5ab9d779ca1c5a0d7e98ef778924b6840c9b389f656545f79cbeba2c690106a89087c6b58d3cc5c3b86a5456df7a8b36b528ad4b9da1bf

Download Submit
C:\Windows\{7D54165D-66F7-4322-83E9-32582CA8AE79}.exe

Filesize
180KB

MD5
fbeeb2c350c2e56f271eb8f514877f32

SHA1
e9d995ddf046e3bcf9e0247910e6683b79c5dabd

SHA256
450629848d868b88c0c42eecd63ed814cc258e57c53408dee598bf4059b73910

SHA512
e8db89525bc5eddef8939e8f1cbef88c4997448eb5b0ec21c457461e6868f1d6a6b0ba900d155461aba01d9d0b23b375fdbcec12e144fb7d5d11b170f19ea700

Download Submit
C:\Windows\{8B31CA89-FE33-4a12-B9C3-998CC67EB851}.exe

Filesize
180KB

MD5
3d2550d31bd9a6615f663d668dcf5747

SHA1
08da7c50b4067940868a282b59886bc3dbc75b65

SHA256
1225d3f1faa2ee4da18388a7261422012ae860e82c55dc7906b59f74a008feb3

SHA512
964f35a5f9292cd1d93f6f2f2db89e5c1e51847541aa6dbdc2c59e8000ce2b35b3960d248f46323b9ae11af3e93da0e03b93b466c787b54b29f185158e2e8cb4

Download Submit
C:\Windows\{A6CED7FB-1547-43e1-B99A-28F87B1B1308}.exe

Filesize
180KB

MD5
b5d625b44dd22c800827d0a24a92898c

SHA1
d05d8b0ae316a699c3cef5748f390735c4904c6a

SHA256
ad52149d3e2dbc54fab3e0ec8dfb6f884408e99b7b2eb794fcf5dcb9238071c0

SHA512
2e4b496e86c436c1e59edfb4f765fb52eab6ebcc5c64d5d04f2ca12c59bc344a97ae9916146b8fa68ff4b410173b93a7a431a580ff0e379d138396af7e60a24f

Download Submit
C:\Windows\{C354E182-F17F-4d55-BE24-6EA4C70BC6B0}.exe

Filesize
180KB

MD5
91b8d846329f129787bd94f675d10d4c

SHA1
f640d8cc7525aef1dcb40f5f42faef433e10047c

SHA256
b8d35d412797f1dbd5234d5fc6a4b5db1b6184613561faadd40acefdf6c5d81e

SHA512
845d0125857e5ffb58d571c639d2489f8ecb70215f80d4f5a6a1f75795759ba7f5e3177935531683d767796a7e27a66619e86992689c2e7443b63cdbe9b030a4

Download Submit
C:\Windows\{DE5BE55D-B3D8-49c7-8471-F81A70296862}.exe

Filesize
180KB

MD5
845e6203561b707097d0f4d74e958fa9

SHA1
ec1d2dfe4247871404ffdc83980ea7e2bf7021f6

SHA256
0f48ff056cab907f61ae0a89fa59b15e5dcd301d799cbbd25d158ef4111ee891

SHA512
9094630efb2195fae4d0b758402fcd1d64d42731ac8b80d7c2cf2514e167a296bc6a3b8553c9e538ce151bd5345735cd871605712e1ff62ff8b3500ccffeaca9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads