c78d3f0bf0a4d328d16bf179b67a767261d33248dadf00de548d9ade75b6fe2b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
Size

204KB
MD5

a79013869de5bb8ffa994d55fd8946fa
SHA1

97babb54a0146e3867702f38a8fb7b656270430f
SHA256

c78d3f0bf0a4d328d16bf179b67a767261d33248dadf00de548d9ade75b6fe2b
SHA512

f3051593e8de324dc4161cd316ec39cf1a60c93ece7a64179b927dae52685b9a70a2ebf3b3ba5589cb0f05ae25f66294103fd92ebaa74a44db7a325da85fce99
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023487-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002348d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023403-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002348d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023403-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002348d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023403-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002348d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023403-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002348d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023403-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023494-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A390F44A-3169-4b42-A91B-C3412C9B150F}	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1703C593-32EE-47a4-925F-9796EFB57E88}	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6762960-6D81-4353-968E-63FB5F09C2ED}	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6762960-6D81-4353-968E-63FB5F09C2ED}\stubpath = "C:\\Windows\\{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe"	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41B5135B-44C8-4ec5-952A-69B5D907409F}\stubpath = "C:\\Windows\\{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe"	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}\stubpath = "C:\\Windows\\{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe"	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A390F44A-3169-4b42-A91B-C3412C9B150F}\stubpath = "C:\\Windows\\{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe"	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D88A15BE-664A-4a29-9BE4-664C54BA0A52}	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}\stubpath = "C:\\Windows\\{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe"	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41B5135B-44C8-4ec5-952A-69B5D907409F}	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}\stubpath = "C:\\Windows\\{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}.exe"	{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}\stubpath = "C:\\Windows\\{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe"	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D88A15BE-664A-4a29-9BE4-664C54BA0A52}\stubpath = "C:\\Windows\\{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe"	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B269619-16B5-49e1-BA8F-01B696EF7821}\stubpath = "C:\\Windows\\{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe"	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}\stubpath = "C:\\Windows\\{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe"	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}	{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B269619-16B5-49e1-BA8F-01B696EF7821}	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1703C593-32EE-47a4-925F-9796EFB57E88}\stubpath = "C:\\Windows\\{1703C593-32EE-47a4-925F-9796EFB57E88}.exe"	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}\stubpath = "C:\\Windows\\{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe"	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe
4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe
4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe
4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe
2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe
2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe
3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe
4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe
5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe
4868	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe
4716	{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe
3840	{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe
File created	C:\Windows\{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}.exe	{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe
File created	C:\Windows\{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
File created	C:\Windows\{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe
File created	C:\Windows\{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe
File created	C:\Windows\{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe
File created	C:\Windows\{1703C593-32EE-47a4-925F-9796EFB57E88}.exe	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe
File created	C:\Windows\{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe
File created	C:\Windows\{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe
File created	C:\Windows\{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe
File created	C:\Windows\{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe
File created	C:\Windows\{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2212	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe
Token: SeIncBasePriorityPrivilege	4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe
Token: SeIncBasePriorityPrivilege	4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe
Token: SeIncBasePriorityPrivilege	4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe
Token: SeIncBasePriorityPrivilege	2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe
Token: SeIncBasePriorityPrivilege	2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe
Token: SeIncBasePriorityPrivilege	3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe
Token: SeIncBasePriorityPrivilege	4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe
Token: SeIncBasePriorityPrivilege	5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe
Token: SeIncBasePriorityPrivilege	4868	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe
Token: SeIncBasePriorityPrivilege	4716	{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4780	2212	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	87
PID 2212 wrote to memory of 4780	2212	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	87
PID 2212 wrote to memory of 4780	2212	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	87
PID 2212 wrote to memory of 4536	2212	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	88
PID 2212 wrote to memory of 4536	2212	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	88
PID 2212 wrote to memory of 4536	2212	2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe	88
PID 4780 wrote to memory of 4452	4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe	89
PID 4780 wrote to memory of 4452	4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe	89
PID 4780 wrote to memory of 4452	4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe	89
PID 4780 wrote to memory of 2252	4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe	90
PID 4780 wrote to memory of 2252	4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe	90
PID 4780 wrote to memory of 2252	4780	{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe	90
PID 4452 wrote to memory of 4568	4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe	92
PID 4452 wrote to memory of 4568	4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe	92
PID 4452 wrote to memory of 4568	4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe	92
PID 4452 wrote to memory of 1572	4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe	93
PID 4452 wrote to memory of 1572	4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe	93
PID 4452 wrote to memory of 1572	4452	{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe	93
PID 4568 wrote to memory of 4292	4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe	94
PID 4568 wrote to memory of 4292	4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe	94
PID 4568 wrote to memory of 4292	4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe	94
PID 4568 wrote to memory of 1116	4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe	95
PID 4568 wrote to memory of 1116	4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe	95
PID 4568 wrote to memory of 1116	4568	{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe	95
PID 4292 wrote to memory of 2572	4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe	96
PID 4292 wrote to memory of 2572	4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe	96
PID 4292 wrote to memory of 2572	4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe	96
PID 4292 wrote to memory of 1916	4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe	97
PID 4292 wrote to memory of 1916	4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe	97
PID 4292 wrote to memory of 1916	4292	{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe	97
PID 2572 wrote to memory of 2724	2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe	98
PID 2572 wrote to memory of 2724	2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe	98
PID 2572 wrote to memory of 2724	2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe	98
PID 2572 wrote to memory of 4412	2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe	99
PID 2572 wrote to memory of 4412	2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe	99
PID 2572 wrote to memory of 4412	2572	{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe	99
PID 2724 wrote to memory of 3664	2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe	100
PID 2724 wrote to memory of 3664	2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe	100
PID 2724 wrote to memory of 3664	2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe	100
PID 2724 wrote to memory of 736	2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe	101
PID 2724 wrote to memory of 736	2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe	101
PID 2724 wrote to memory of 736	2724	{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe	101
PID 3664 wrote to memory of 4392	3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe	102
PID 3664 wrote to memory of 4392	3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe	102
PID 3664 wrote to memory of 4392	3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe	102
PID 3664 wrote to memory of 3960	3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe	103
PID 3664 wrote to memory of 3960	3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe	103
PID 3664 wrote to memory of 3960	3664	{1703C593-32EE-47a4-925F-9796EFB57E88}.exe	103
PID 4392 wrote to memory of 5116	4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe	104
PID 4392 wrote to memory of 5116	4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe	104
PID 4392 wrote to memory of 5116	4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe	104
PID 4392 wrote to memory of 3624	4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe	105
PID 4392 wrote to memory of 3624	4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe	105
PID 4392 wrote to memory of 3624	4392	{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe	105
PID 5116 wrote to memory of 4868	5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe	106
PID 5116 wrote to memory of 4868	5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe	106
PID 5116 wrote to memory of 4868	5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe	106
PID 5116 wrote to memory of 2276	5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe	107
PID 5116 wrote to memory of 2276	5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe	107
PID 5116 wrote to memory of 2276	5116	{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe	107
PID 4868 wrote to memory of 4716	4868	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe	108
PID 4868 wrote to memory of 4716	4868	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe	108
PID 4868 wrote to memory of 4716	4868	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe	108
PID 4868 wrote to memory of 1860	4868	{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_a79013869de5bb8ffa994d55fd8946fa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe
  C:\Windows\{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe
    C:\Windows\{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe
      C:\Windows\{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe
        
        C:\Windows\{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Windows\{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe
        
        C:\Windows\{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe
        
        C:\Windows\{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{1703C593-32EE-47a4-925F-9796EFB57E88}.exe
        
        C:\Windows\{1703C593-32EE-47a4-925F-9796EFB57E88}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe
        
        C:\Windows\{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe
        
        C:\Windows\{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe
        
        C:\Windows\{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe
        
        C:\Windows\{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
        
        C:\Windows\{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}.exe
        
        C:\Windows\{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}.exe
        13⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41B51~1.EXE > nul
        13⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B245~1.EXE > nul
        12⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92D52~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A37A~1.EXE > nul
        10⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1703C~1.EXE > nul
        9⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B269~1.EXE > nul
        8⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6762~1.EXE > nul
        7⤵
        
        PID:4412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D88A1~1.EXE > nul
        6⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A390F~1.EXE > nul
        5⤵
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B62A8~1.EXE > nul
      4⤵
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{56A15~1.EXE > nul
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1703C593-32EE-47a4-925F-9796EFB57E88}.exe

Filesize
204KB

MD5
a226b5ef698d8d5076152f9e92777fa2

SHA1
956209ffb7312e2ea49def57e371c0f986507f0e

SHA256
e987fd18c60709a8fca977b7e647ab832e1499195df3059415386b5777780382

SHA512
f0c13b1ec50fa18d5ac5056cb51b6116eda9cc655a90646557798b513e97346a71165e73211405332e88a2c1bfc9e247d2bd240fac568f75eaf6850ec4925053

Download Submit
C:\Windows\{1A37AAFF-49EB-4c05-B01B-8D0D36F9ACD5}.exe

Filesize
204KB

MD5
ce1bd70de6d761cfcac8748bb1890955

SHA1
f53dab64a13b4e84a28f5f58da1645e35f343d2d

SHA256
dd041bb7db9dc4f2f74e252df59f36f2cf31885ddbeb25eaed2e50cba78f7397

SHA512
5e120c8fe842bd3dbc4e389742177abf978c36be51863977b2485dc1869128292cfe0f697d4ab0912f065a5c21264b3fcc6a01fdd47f10e37823d7c0b193e0e0

Download Submit
C:\Windows\{41B5135B-44C8-4ec5-952A-69B5D907409F}.exe

Filesize
204KB

MD5
302f571116198c8a44e0154a17e6a17b

SHA1
2a3b5002261728589145f2f42d3e9873598cb067

SHA256
f4fa9ca0e5bf76f6db073dcbab2084b301a084390afece3437b886df2dfdf029

SHA512
b92151b85dc35b8094a6f6ab49d5752eb821d92397a6364651bd53a6612a1cc07adeba66c5beda644c3bb7baa19216c459dbc53ab2c12da5abf6f13af801157c

Download Submit
C:\Windows\{56A15870-30F4-4a90-801C-E2DCD3D5D6DB}.exe

Filesize
204KB

MD5
2be6040f1aaa53ab66cf804d1ee7ea18

SHA1
de05c1bb2a9f772d9a8569a1bbb8d80eaebca628

SHA256
e7c01338e509b757ff803576f361d10a0c99f58e8dcdb2ec6fc3c5167018f32f

SHA512
124b305581827a638b1291f710cab654b9e6ea215e5ed8e38d1d73ee3c96975205857f7108928b7bc4564a414b80edfae88c709125a575ee706e18a53688aaf0

Download Submit
C:\Windows\{8B245D32-CD1D-4a8d-994D-EFDC36A68E63}.exe

Filesize
204KB

MD5
bdb6aa0d14c87bdef2cb26b239efd801

SHA1
7c7574b93ceeee7de951fd8f1d805f468a645189

SHA256
d05c963e49e3c0229e3ddb531d2b0a636ef176dc6b6d8c1d2bdaba0c6d483d8e

SHA512
c4b60b64ecc9fbb3dabd408797d50a779ada9ec608f1116d89fdf2ec20112338a2d1f94ccd257135452eb1b89ee519393bfbdac050d08c768f0fd86b39fe1a26

Download Submit
C:\Windows\{8B269619-16B5-49e1-BA8F-01B696EF7821}.exe

Filesize
204KB

MD5
8af6a242457022598949a4ad31c2ca4d

SHA1
e8b62fb1aad4231b23f29d1cb8a66578a42ace5e

SHA256
bb082ec33b6f6e0282f8d7fc3c347d07434a5d98e09a59d1178ac3eb0f862612

SHA512
9e05996ed5e855c80a3c76d48110c9b16cc59472ca49eefc90428ea19d8e248a5a4a8e5848f4e25472298a48104c3f76a5f0031912805a038ced395dfaf8e993

Download Submit
C:\Windows\{92D529CE-1BF7-4c55-A9F1-4D8266C3B086}.exe

Filesize
204KB

MD5
9bb67243baf62c6312bff3ddc1a33363

SHA1
57e712f1ffa2a4646d51f02ccc6cd0e760041798

SHA256
21bbf9cf568c819cfda02fac0c8fb71916e9e1e53fbb3fd04f46354d268edecc

SHA512
54435aa63ed37ac87b7f21bc83a7dc4795254cef3b9f608a0097147504282ada2dd659f4ca3c64c1bf44e920759cc54da3d1ebede09852f6265521af0a8be140

Download Submit
C:\Windows\{99A482B7-4DFA-4e79-AC8E-1F9919948AD4}.exe

Filesize
204KB

MD5
f82a0f1dd9207e236744ea767327a174

SHA1
40f2f26f3dcd2064a18a4e06be3bc49ca53325bc

SHA256
f1548cbe73298425fa9f38c68e3d690c566ba2c23b6656abf5a632d5447f5ead

SHA512
d8a3b0c61c4ac370c5f04565b48b0514a5ac2e98f5ad87c27439a34d927178296724473396a0ae0dcb85a6fa33e932554431e2fbe0710f248d4751af4867172f

Download Submit
C:\Windows\{A390F44A-3169-4b42-A91B-C3412C9B150F}.exe

Filesize
204KB

MD5
1e0a4d41aa6eb88e871f666b077caaa7

SHA1
1283fd13fa92155ceb66b369d53e19d23c1f63ff

SHA256
80960a956eaee0037b7525828f5f107419ba0b60547da417f5fd8703014ae6de

SHA512
94c85ef5af903ac961e6af3407af4f66891cb5d82d878a83d683e34300dc68735a6c18292b75f7a08e808acdee46aa34de00dc41002c70bd868a636f51261d20

Download Submit
C:\Windows\{A6762960-6D81-4353-968E-63FB5F09C2ED}.exe

Filesize
204KB

MD5
aefabb9c4b8265910d913524ea02968c

SHA1
2cf9005cad0f7ca9de13b5461829fe7f4e78da61

SHA256
23bfc29f50f0c855889b7576814bed56fda4b5777393c08bb919e68bfb43e973

SHA512
9f6b06186e74383837311a7ba7a75594267ff7ba528cd0de15e7794c216a78868d964e52138ad781f0b81371e1d04a5df98ae9a63b1eb0bc5bc6239cddedfdfb

Download Submit
C:\Windows\{B62A8D0C-B59C-40bc-A8B5-46B8E1A58892}.exe

Filesize
204KB

MD5
0f2654bf93f1d8b628054ab3f8b1aa9a

SHA1
a4a183d0503afab8a077ae01dfed203e9ff3deee

SHA256
e7cfdbe23ce66913b45df85628496e3784d18f891acb761c23fffca4a26a5086

SHA512
06a01ed67c3f2e7c700cbf19ae3989becb591c540bf5fa4c050d27d9ace618a4def0f063c522a2e844767568b860aa14c15ab394721f1cc586557613a9273c8b

Download Submit
C:\Windows\{D88A15BE-664A-4a29-9BE4-664C54BA0A52}.exe

Filesize
204KB

MD5
3c26e9170f759d26cba1af378ed18516

SHA1
999152aa3244bf5a67821583056dad7850ed88d3

SHA256
9e89a60c210cbb35e51186749522bb694b639a64cbf9dbc6c99f2385348fdbdf

SHA512
04137dc572a9a1e66eccb0b1196d1a17e91bc1b0613b184fdeebeb048d16ec7393fc9343057827634723d8d3a0011d13f6b0a6bc61646c31d6f41fd04b25ccc6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads