bac9666b064c4036d52c171e738c0ee5f15d0d6a51bce16afd94af5a262ca3e7

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Size

168KB
MD5

ad336ad6d2574145e379ba9bf0671535
SHA1

267410f225576b98a015266c8eef7dec314fd00f
SHA256

bac9666b064c4036d52c171e738c0ee5f15d0d6a51bce16afd94af5a262ca3e7
SHA512

20fe5c36de9c3830f434a1921abdcd8b1f3da853bb6459a4e4c5a8d5e8f390e8de4bbecabba07fa033c0014f9f0d4b7d227af43c991f3e94554a86bf4789c8f8
SSDEEP

1536:1EGh0oQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b9d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b9e-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba2-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba5-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0031000000023bb1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023ba5-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0032000000023bb1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0031000000023bb2-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0033000000023bb1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0032000000023bb2-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0034000000023bb1-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0033000000023bb2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{087B842C-D2D9-461b-B1C6-312D97B3C7B4}	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5849111A-E303-4c57-A74A-36FB48A57CF4}	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27190B4B-9643-47f5-8615-F672819B2CA7}	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}\stubpath = "C:\\Windows\\{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe"	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02ED6363-ABE2-4fb3-988F-16481C655C3E}	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02ED6363-ABE2-4fb3-988F-16481C655C3E}\stubpath = "C:\\Windows\\{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe"	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E6006FE-25C9-4140-8777-8CF5951AB3EF}\stubpath = "C:\\Windows\\{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe"	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A5988B5-E24A-4cdc-B570-159CE2621DEA}	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCB43ED0-8178-4164-9CD7-39EC2069EA11}\stubpath = "C:\\Windows\\{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe"	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5849111A-E303-4c57-A74A-36FB48A57CF4}\stubpath = "C:\\Windows\\{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe"	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4539BF78-50A4-4924-B1F9-09DF81E01551}	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4539BF78-50A4-4924-B1F9-09DF81E01551}\stubpath = "C:\\Windows\\{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe"	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E6006FE-25C9-4140-8777-8CF5951AB3EF}	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A5988B5-E24A-4cdc-B570-159CE2621DEA}\stubpath = "C:\\Windows\\{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe"	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE78030C-D0F9-452f-8C75-D00E21708FF7}	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE78030C-D0F9-452f-8C75-D00E21708FF7}\stubpath = "C:\\Windows\\{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe"	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCB43ED0-8178-4164-9CD7-39EC2069EA11}	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}\stubpath = "C:\\Windows\\{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe"	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}	{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}\stubpath = "C:\\Windows\\{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}.exe"	{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{087B842C-D2D9-461b-B1C6-312D97B3C7B4}\stubpath = "C:\\Windows\\{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe"	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27190B4B-9643-47f5-8615-F672819B2CA7}\stubpath = "C:\\Windows\\{27190B4B-9643-47f5-8615-F672819B2CA7}.exe"	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe
3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe
3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe
3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe
1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe
4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe
4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe
3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe
1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe
4016	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe
1084	{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe
452	{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe
File created	C:\Windows\{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe
File created	C:\Windows\{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe
File created	C:\Windows\{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe
File created	C:\Windows\{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe
File created	C:\Windows\{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}.exe	{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe
File created	C:\Windows\{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
File created	C:\Windows\{27190B4B-9643-47f5-8615-F672819B2CA7}.exe	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe
File created	C:\Windows\{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe
File created	C:\Windows\{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe
File created	C:\Windows\{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe
File created	C:\Windows\{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4736	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe
Token: SeIncBasePriorityPrivilege	3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe
Token: SeIncBasePriorityPrivilege	3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe
Token: SeIncBasePriorityPrivilege	3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe
Token: SeIncBasePriorityPrivilege	1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe
Token: SeIncBasePriorityPrivilege	4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe
Token: SeIncBasePriorityPrivilege	4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe
Token: SeIncBasePriorityPrivilege	3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe
Token: SeIncBasePriorityPrivilege	1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe
Token: SeIncBasePriorityPrivilege	4016	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe
Token: SeIncBasePriorityPrivilege	1084	{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3104	4736	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	86
PID 4736 wrote to memory of 3104	4736	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	86
PID 4736 wrote to memory of 3104	4736	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	86
PID 4736 wrote to memory of 3632	4736	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	87
PID 4736 wrote to memory of 3632	4736	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	87
PID 4736 wrote to memory of 3632	4736	2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe	87
PID 3104 wrote to memory of 3376	3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe	88
PID 3104 wrote to memory of 3376	3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe	88
PID 3104 wrote to memory of 3376	3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe	88
PID 3104 wrote to memory of 4164	3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe	89
PID 3104 wrote to memory of 4164	3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe	89
PID 3104 wrote to memory of 4164	3104	{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe	89
PID 3376 wrote to memory of 3036	3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe	92
PID 3376 wrote to memory of 3036	3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe	92
PID 3376 wrote to memory of 3036	3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe	92
PID 3376 wrote to memory of 1656	3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe	93
PID 3376 wrote to memory of 1656	3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe	93
PID 3376 wrote to memory of 1656	3376	{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe	93
PID 3036 wrote to memory of 3936	3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe	98
PID 3036 wrote to memory of 3936	3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe	98
PID 3036 wrote to memory of 3936	3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe	98
PID 3036 wrote to memory of 1540	3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe	99
PID 3036 wrote to memory of 1540	3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe	99
PID 3036 wrote to memory of 1540	3036	{27190B4B-9643-47f5-8615-F672819B2CA7}.exe	99
PID 3936 wrote to memory of 1448	3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe	101
PID 3936 wrote to memory of 1448	3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe	101
PID 3936 wrote to memory of 1448	3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe	101
PID 3936 wrote to memory of 940	3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe	102
PID 3936 wrote to memory of 940	3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe	102
PID 3936 wrote to memory of 940	3936	{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe	102
PID 1448 wrote to memory of 4952	1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe	105
PID 1448 wrote to memory of 4952	1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe	105
PID 1448 wrote to memory of 4952	1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe	105
PID 1448 wrote to memory of 4440	1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe	106
PID 1448 wrote to memory of 4440	1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe	106
PID 1448 wrote to memory of 4440	1448	{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe	106
PID 4952 wrote to memory of 4052	4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe	107
PID 4952 wrote to memory of 4052	4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe	107
PID 4952 wrote to memory of 4052	4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe	107
PID 4952 wrote to memory of 2472	4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe	108
PID 4952 wrote to memory of 2472	4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe	108
PID 4952 wrote to memory of 2472	4952	{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe	108
PID 4052 wrote to memory of 3736	4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe	109
PID 4052 wrote to memory of 3736	4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe	109
PID 4052 wrote to memory of 3736	4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe	109
PID 4052 wrote to memory of 4212	4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe	110
PID 4052 wrote to memory of 4212	4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe	110
PID 4052 wrote to memory of 4212	4052	{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe	110
PID 3736 wrote to memory of 1512	3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe	111
PID 3736 wrote to memory of 1512	3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe	111
PID 3736 wrote to memory of 1512	3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe	111
PID 3736 wrote to memory of 3084	3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe	112
PID 3736 wrote to memory of 3084	3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe	112
PID 3736 wrote to memory of 3084	3736	{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe	112
PID 1512 wrote to memory of 4016	1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe	113
PID 1512 wrote to memory of 4016	1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe	113
PID 1512 wrote to memory of 4016	1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe	113
PID 1512 wrote to memory of 2776	1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe	114
PID 1512 wrote to memory of 2776	1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe	114
PID 1512 wrote to memory of 2776	1512	{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe	114
PID 4016 wrote to memory of 1084	4016	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe	115
PID 4016 wrote to memory of 1084	4016	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe	115
PID 4016 wrote to memory of 1084	4016	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe	115
PID 4016 wrote to memory of 4676	4016	{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_ad336ad6d2574145e379ba9bf0671535_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe
  C:\Windows\{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe
    C:\Windows\{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\{27190B4B-9643-47f5-8615-F672819B2CA7}.exe
      C:\Windows\{27190B4B-9643-47f5-8615-F672819B2CA7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe
        
        C:\Windows\{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe
        
        C:\Windows\{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe
        
        C:\Windows\{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe
        
        C:\Windows\{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe
        
        C:\Windows\{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe
        
        C:\Windows\{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe
        
        C:\Windows\{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe
        
        C:\Windows\{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}.exe
        
        C:\Windows\{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}.exe
        13⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D629C~1.EXE > nul
        13⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCB43~1.EXE > nul
        12⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE780~1.EXE > nul
        11⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A598~1.EXE > nul
        10⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{477A9~1.EXE > nul
        9⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E600~1.EXE > nul
        8⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4539B~1.EXE > nul
        7⤵
        
        PID:4440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02ED6~1.EXE > nul
        6⤵
        
        PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27190~1.EXE > nul
        5⤵
        
        PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58491~1.EXE > nul
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{087B8~1.EXE > nul
    3⤵
    PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02ED6363-ABE2-4fb3-988F-16481C655C3E}.exe

Filesize
168KB

MD5
40f84ddd37cc7acd7eff5d9b5cd15fc8

SHA1
ccdf3d0077f7f8e65c8467c2c63348faa73fb007

SHA256
93dbb1744499330923ae89c570f67222f254699b7f900fbad5b7852ba2ac982d

SHA512
632ceaeeb8f300911eb8750a3a89b2cd55d2453f722f7386585a3e02c3b4209cbce53879ae50a8ae452d8f409f8d923ceef4548cf4f05c159f8e9051c0ab28e7

Download Submit
C:\Windows\{087B842C-D2D9-461b-B1C6-312D97B3C7B4}.exe

Filesize
168KB

MD5
80f51801c7e9dde72760e416bf3cc405

SHA1
ac14ea16f6b5114148a3755e17b77a7f966f65ce

SHA256
390971e018c09c60bfb5d29613e1a966510fcc7fb815d8eec99de48040edfe44

SHA512
19f6d47042e40f8351b660e126206de0b73680a094551897219a2996ce775b95b31d13c44a5d743e7b600df40e82419569c7c5da36a49177f0b59adc9110fbe8

Download Submit
C:\Windows\{1E6006FE-25C9-4140-8777-8CF5951AB3EF}.exe

Filesize
168KB

MD5
d59c833b050ef5bb74c2d365ae2a9c0a

SHA1
4fe7b1018c5b6d55d813325d67570dc51c62052b

SHA256
a79bcfa3f56ce65ae15df612c47c2a5e41e99e53fd19312e8ca4182a74b04fd5

SHA512
b16d8ea9254338e2086094a4ec62d12d175fa598e17228ad8a68d2ce1cf13007c79c555c29932c195a86345eb1d1f174d90e58cd1d2b55b02456364273d47ea1

Download Submit
C:\Windows\{27190B4B-9643-47f5-8615-F672819B2CA7}.exe

Filesize
168KB

MD5
741881e9ffaf8ffb14da95bb281b4ec7

SHA1
143d40fdd2891c777cc291b55d29abd114a29085

SHA256
59ba6820758d84ea895015fb6e5908995018e92059f5353111d63862f215ace2

SHA512
c0a9c0c1d3c9813371e530e571769280a72bcac63820e78f53f1f280e370a8dca0317facea79190f565d726a6ff6749f9443a06ea1c68eed32dc6d189170716a

Download Submit
C:\Windows\{2A5988B5-E24A-4cdc-B570-159CE2621DEA}.exe

Filesize
168KB

MD5
36e0035d2094e1541f71e521ad1492b6

SHA1
5d7c735c701283d246c4d6865006f789ff68944b

SHA256
28416a770c395e656fb902b42389ceda729f9444c224a67965ab826697d02d4e

SHA512
5be9389e94e976a0e075c5e4f810b45b975f60f815cf6b2bc15a47d0b34242eb42b9b83dbb7da0f7ff8b79662035dc7a9059640b1731549201d990e50d49180e

Download Submit
C:\Windows\{4539BF78-50A4-4924-B1F9-09DF81E01551}.exe

Filesize
168KB

MD5
4c7f83880a479fb6d092326148bf93ef

SHA1
b97e3eae76d1ae250710809c052ad3723bdf243e

SHA256
4a806b3df587e34abd24e437b170093f2bbcbccaa302e8e59d00e4f6f1632699

SHA512
950b385d5a81c8bec13456a7f06b909b4542f0113f165a93ba6891722dc8a6981e0f048ea09a3d5489fed30e23572082aec5635291ed2a3bc1d2c8defd742098

Download Submit
C:\Windows\{477A94FD-BE10-44fa-B6E6-B6C27FA79A87}.exe

Filesize
168KB

MD5
4ba59da74d15034e0443aad9895b9f68

SHA1
81a2b4ade636608b5ae25829cbfc9bf5a6dc1f07

SHA256
b33cdd9ec3370df5612d4412f5d2e6d1a1185536f11079725d836d97d5f09c08

SHA512
005d1a00e1ee8b11654e7963086343069ed8de5b0f34548b2136fffcbb8a1b776e87ca69e7c53fa988252d425552e67b7f5d0b61bada043b7e1c41c691fd07d9

Download Submit
C:\Windows\{5849111A-E303-4c57-A74A-36FB48A57CF4}.exe

Filesize
168KB

MD5
f8097efd51d7fbb4d4a06972767451d9

SHA1
6d4a6b91a07159878a5a2a8a63b49989b623cebd

SHA256
679e090a273cf1d9f6d57e76ad3f51840298152b13998458ca720afd21530970

SHA512
25bc6941c8af1ca3adb79b9c08dc8fa50eb03f3312236eb0afb5dca50f274574b7e097f8db305eec600129b6dad918f8954dfef9a0e72ea9615f9b4da6dc6ad7

Download Submit
C:\Windows\{75D9C34C-C7C7-4f1d-A694-0DC5861E1D9A}.exe

Filesize
168KB

MD5
4c954c47d43ac89d6b8238aeb0191cb2

SHA1
7eec484ce498fc7b85d70f90e2378cc69b9f2239

SHA256
e9454ea6f98c3c18e37a8c367becc9cf61e458267bffb60b66853721a7402249

SHA512
2b62786f474987f6f7aa090f274d8f3b4b1cef734ec0567f018f538cde9d8289401918ffa34c0a7ff76e2dfbf452b2dc16967116882f4faee6b0e95e078bcf88

Download Submit
C:\Windows\{D629CF0E-E7CB-4691-B175-E1E4B67A4C98}.exe

Filesize
168KB

MD5
db53808cfd00f4bd2a85bda9433e3788

SHA1
3ae1b907df8ed93542c3c5eed53261c8c48e819f

SHA256
515f39e8eb5459ab8e61522ae26253a01053287cb56ea3eacd3ac2debcd3cf35

SHA512
ce0e687a1cc4a5b5fa316d1450da988b1a8c7aa836035db61e554e3861cf752875f569db924b14c980c1b2cf05e237fb01c1f800a5e8c6ad0cb4d52be514f67c

Download Submit
C:\Windows\{DCB43ED0-8178-4164-9CD7-39EC2069EA11}.exe

Filesize
168KB

MD5
84a9b4394821c2a6f146698cacd4822a

SHA1
2cffcba29edf65584ec20b932ad07733e8cd9ae8

SHA256
a854c7ff60ec4089f6a0ae08a524ab688c87e6cf6b9a28d9af9626f915202d19

SHA512
bbf3949a7921ca0c2cec54d70725401b9228b08297a1c083fd51f58828659d68d1ac04f79e2e54de59fe9d77f6b09c1516fa4cfba33f4410798327782a395004

Download Submit
C:\Windows\{FE78030C-D0F9-452f-8C75-D00E21708FF7}.exe

Filesize
168KB

MD5
37826de6e31b67c75ff665ca89264929

SHA1
74e5a1e2c0cdd28d51202e3189669b1c42fa5a81

SHA256
d679e260327f3cb11b0958768190732af1ca9e5168379722922f95499e3a9494

SHA512
17cec3d624b36266dd4ad2eba6d2a1d5a8d5703abca2eb119621382f42d36c10bf6939476bf759a2c2dd7d5744c5949272e89d73efd5fbed2bc6ce1c7b9ff0d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads