b61b64190517ae8492e87e191f76cf8fccc2770a6cda0266071f0cae2cdecd3d

Analysis

max time kernel
149s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe
Size

344KB
MD5

54be686c600b9abace98e9850f72fa24
SHA1

8b2e3e0f0a8cca58ce7046d0018731ad1c028d83
SHA256

b61b64190517ae8492e87e191f76cf8fccc2770a6cda0266071f0cae2cdecd3d
SHA512

996b8ab55e29a3366ad9d9ecfda4cb0a123015ea4df1c968725abd3a16e127b5d3441e973da425183c81ab5aa5ed59f9533b094596f055051c9f42b9808bd8c3
SSDEEP

3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGRlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023bb2-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bb3-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bb8-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bbb-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bc7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bbb-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bc7-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bbb-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bc7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bbb-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bc7-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bbb-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}	{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2664C4F-27E1-4d3c-A316-A9A19CF61126}	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FED07838-624F-465c-84C2-CD6EF977DECE}	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}\stubpath = "C:\\Windows\\{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe"	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B1CC785-FBA2-4144-91C8-92FCE0052A44}\stubpath = "C:\\Windows\\{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe"	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0C0A03-CE68-4579-8DB0-B4416E208450}\stubpath = "C:\\Windows\\{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe"	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794F3542-BD44-46ea-AEAB-DF0460BF3329}\stubpath = "C:\\Windows\\{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe"	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2664C4F-27E1-4d3c-A316-A9A19CF61126}\stubpath = "C:\\Windows\\{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe"	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FED07838-624F-465c-84C2-CD6EF977DECE}\stubpath = "C:\\Windows\\{FED07838-624F-465c-84C2-CD6EF977DECE}.exe"	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D76AA20-FE8E-4def-A096-827466C21415}	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D76AA20-FE8E-4def-A096-827466C21415}\stubpath = "C:\\Windows\\{8D76AA20-FE8E-4def-A096-827466C21415}.exe"	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}\stubpath = "C:\\Windows\\{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}.exe"	{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9827FDC-565D-4be2-A710-6A45875DC588}	{8D76AA20-FE8E-4def-A096-827466C21415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}\stubpath = "C:\\Windows\\{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe"	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0C0A03-CE68-4579-8DB0-B4416E208450}	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794F3542-BD44-46ea-AEAB-DF0460BF3329}	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74852100-08E3-4134-8F65-5E7E38868FAD}	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74852100-08E3-4134-8F65-5E7E38868FAD}\stubpath = "C:\\Windows\\{74852100-08E3-4134-8F65-5E7E38868FAD}.exe"	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9827FDC-565D-4be2-A710-6A45875DC588}\stubpath = "C:\\Windows\\{D9827FDC-565D-4be2-A710-6A45875DC588}.exe"	{8D76AA20-FE8E-4def-A096-827466C21415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}\stubpath = "C:\\Windows\\{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe"	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B1CC785-FBA2-4144-91C8-92FCE0052A44}	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe

Executes dropped EXE 12 IoCs

pid	Process
4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe
4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe
5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe
1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe
3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe
4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe
1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe
1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe
3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe
1960	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe
2308	{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe
4848	{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe
File created	C:\Windows\{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe
File created	C:\Windows\{74852100-08E3-4134-8F65-5E7E38868FAD}.exe	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe
File created	C:\Windows\{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe
File created	C:\Windows\{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}.exe	{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe
File created	C:\Windows\{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe
File created	C:\Windows\{FED07838-624F-465c-84C2-CD6EF977DECE}.exe	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe
File created	C:\Windows\{8D76AA20-FE8E-4def-A096-827466C21415}.exe	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe
File created	C:\Windows\{D9827FDC-565D-4be2-A710-6A45875DC588}.exe	{8D76AA20-FE8E-4def-A096-827466C21415}.exe
File created	C:\Windows\{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe
File created	C:\Windows\{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe
File created	C:\Windows\{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1316	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe
Token: SeIncBasePriorityPrivilege	4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe
Token: SeIncBasePriorityPrivilege	5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe
Token: SeIncBasePriorityPrivilege	1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe
Token: SeIncBasePriorityPrivilege	3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe
Token: SeIncBasePriorityPrivilege	4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe
Token: SeIncBasePriorityPrivilege	1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe
Token: SeIncBasePriorityPrivilege	1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe
Token: SeIncBasePriorityPrivilege	3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe
Token: SeIncBasePriorityPrivilege	1960	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe
Token: SeIncBasePriorityPrivilege	2308	{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4664	1316	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe	87
PID 1316 wrote to memory of 4664	1316	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe	87
PID 1316 wrote to memory of 4664	1316	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe	87
PID 1316 wrote to memory of 412	1316	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe	88
PID 1316 wrote to memory of 412	1316	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe	88
PID 1316 wrote to memory of 412	1316	2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe	88
PID 4664 wrote to memory of 4820	4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe	89
PID 4664 wrote to memory of 4820	4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe	89
PID 4664 wrote to memory of 4820	4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe	89
PID 4664 wrote to memory of 2856	4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe	90
PID 4664 wrote to memory of 2856	4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe	90
PID 4664 wrote to memory of 2856	4664	{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe	90
PID 4820 wrote to memory of 5084	4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe	93
PID 4820 wrote to memory of 5084	4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe	93
PID 4820 wrote to memory of 5084	4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe	93
PID 4820 wrote to memory of 4484	4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe	94
PID 4820 wrote to memory of 4484	4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe	94
PID 4820 wrote to memory of 4484	4820	{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe	94
PID 5084 wrote to memory of 1496	5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe	99
PID 5084 wrote to memory of 1496	5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe	99
PID 5084 wrote to memory of 1496	5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe	99
PID 5084 wrote to memory of 2692	5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe	100
PID 5084 wrote to memory of 2692	5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe	100
PID 5084 wrote to memory of 2692	5084	{FED07838-624F-465c-84C2-CD6EF977DECE}.exe	100
PID 1496 wrote to memory of 3952	1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe	102
PID 1496 wrote to memory of 3952	1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe	102
PID 1496 wrote to memory of 3952	1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe	102
PID 1496 wrote to memory of 4304	1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe	103
PID 1496 wrote to memory of 4304	1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe	103
PID 1496 wrote to memory of 4304	1496	{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe	103
PID 3952 wrote to memory of 4308	3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe	106
PID 3952 wrote to memory of 4308	3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe	106
PID 3952 wrote to memory of 4308	3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe	106
PID 3952 wrote to memory of 2148	3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe	107
PID 3952 wrote to memory of 2148	3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe	107
PID 3952 wrote to memory of 2148	3952	{74852100-08E3-4134-8F65-5E7E38868FAD}.exe	107
PID 4308 wrote to memory of 1032	4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe	108
PID 4308 wrote to memory of 1032	4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe	108
PID 4308 wrote to memory of 1032	4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe	108
PID 4308 wrote to memory of 1384	4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe	109
PID 4308 wrote to memory of 1384	4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe	109
PID 4308 wrote to memory of 1384	4308	{8D76AA20-FE8E-4def-A096-827466C21415}.exe	109
PID 1032 wrote to memory of 1804	1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe	110
PID 1032 wrote to memory of 1804	1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe	110
PID 1032 wrote to memory of 1804	1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe	110
PID 1032 wrote to memory of 3308	1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe	111
PID 1032 wrote to memory of 3308	1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe	111
PID 1032 wrote to memory of 3308	1032	{D9827FDC-565D-4be2-A710-6A45875DC588}.exe	111
PID 1804 wrote to memory of 3240	1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe	112
PID 1804 wrote to memory of 3240	1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe	112
PID 1804 wrote to memory of 3240	1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe	112
PID 1804 wrote to memory of 3412	1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe	113
PID 1804 wrote to memory of 3412	1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe	113
PID 1804 wrote to memory of 3412	1804	{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe	113
PID 3240 wrote to memory of 1960	3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe	114
PID 3240 wrote to memory of 1960	3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe	114
PID 3240 wrote to memory of 1960	3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe	114
PID 3240 wrote to memory of 3912	3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe	115
PID 3240 wrote to memory of 3912	3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe	115
PID 3240 wrote to memory of 3912	3240	{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe	115
PID 1960 wrote to memory of 2308	1960	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe	116
PID 1960 wrote to memory of 2308	1960	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe	116
PID 1960 wrote to memory of 2308	1960	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe	116
PID 1960 wrote to memory of 4328	1960	{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe
  C:\Windows\{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe
    C:\Windows\{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\{FED07838-624F-465c-84C2-CD6EF977DECE}.exe
      C:\Windows\{FED07838-624F-465c-84C2-CD6EF977DECE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe
        
        C:\Windows\{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\{74852100-08E3-4134-8F65-5E7E38868FAD}.exe
        
        C:\Windows\{74852100-08E3-4134-8F65-5E7E38868FAD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{8D76AA20-FE8E-4def-A096-827466C21415}.exe
        
        C:\Windows\{8D76AA20-FE8E-4def-A096-827466C21415}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{D9827FDC-565D-4be2-A710-6A45875DC588}.exe
        
        C:\Windows\{D9827FDC-565D-4be2-A710-6A45875DC588}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe
        
        C:\Windows\{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe
        
        C:\Windows\{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe
        
        C:\Windows\{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe
        
        C:\Windows\{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}.exe
        
        C:\Windows\{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}.exe
        13⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D0C0~1.EXE > nul
        13⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B1CC~1.EXE > nul
        12⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68E71~1.EXE > nul
        11⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26B0F~1.EXE > nul
        10⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9827~1.EXE > nul
        9⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D76A~1.EXE > nul
        8⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74852~1.EXE > nul
        7⤵
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{043CB~1.EXE > nul
        6⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FED07~1.EXE > nul
        5⤵
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2664~1.EXE > nul
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{794F3~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{043CB2B0-3ABC-4a38-8C59-F9B2EF2C81A6}.exe

Filesize
344KB

MD5
f9a079bcd65ca1966df69bfcbf61edac

SHA1
181c3fb5e7bf59266f192ad29ff08d1f6f8bc508

SHA256
fc73439fe78d708a98532b6d618019d0934b5aa28a4e0c8669b1e1036d667155

SHA512
11102adc5c0d254f3df90beb74f8c372ba74bd3f683c19830942f06a6e6e350db4397d0dc8595e768a527f20e49040e09c8f290aae99d6124df06a6ad1b15d4f

Download Submit
C:\Windows\{26B0F69A-0CF7-4335-ABAC-C04CE16E5D5B}.exe

Filesize
344KB

MD5
0e2f407530be4b67c44e99b06bd48ab3

SHA1
c8d64e009472a6b363bcd8576a5a1cfd6ce4c39c

SHA256
cc85b4fdb657729ab3d395e780910bbb3323f999371c89fb554cc911c6e8e0f9

SHA512
fe058919d617922583577535b6a684b5a55776ee0b16703f571805889084ca2085ffdf74d6d95622e531fe9fb11f6861cd57ad35ef11af255bb2854f2898f221

Download Submit
C:\Windows\{4DE2B409-C7BD-4ac5-8358-E1375742E7DE}.exe

Filesize
344KB

MD5
738c449e11112204e31ea9254b700573

SHA1
98348c2268ff74bc573b4c0cbac20ec1120b8090

SHA256
ccad888767a4a1aa299ad0e728a28e15b106ee4aa21754bddb71012d6068b625

SHA512
547ec7695b6e98e6c7bab3d18168a060b1838a621899c803f2a6a80cacea49779d3fb842371caada53f292c8d2e2937ebbca24e26b488e5c42cfb62bff7619a3

Download Submit
C:\Windows\{68E71D37-8402-4c25-B6B3-11B9D0F8FAA9}.exe

Filesize
344KB

MD5
249607b46acefad74480883782e0a022

SHA1
9df0dfaea62b276f3cae7d78bbffffd0476ee349

SHA256
98c3cda2d2053358840464edb98db4478872a9dab0cc7a1a5e3e24fc146dc7de

SHA512
73443e78440924891b6fae06fbc94b3358d6204f8d76425cd103a58614ce7e505292c740be21f07b71c1d94866dfd496cbf2f4bed70b86579d4ca9673e358e4a

Download Submit
C:\Windows\{6B1CC785-FBA2-4144-91C8-92FCE0052A44}.exe

Filesize
344KB

MD5
c58f628ea5e35ac262306ad5b9026510

SHA1
988af6da4956d256fe78f7465ced19ef7de7774c

SHA256
c5583f827e475d6cac0f54d43753ef963a9c29580f5a1a3f69071425aa7a162b

SHA512
fdac6c30ada7c25c2bdeab63eeed2b91e8ff5a8654e5d8250bcec84006ac1806b9c552b5c97d897e1194fbdfab34f9b9819c1ea6d10c43193b3c5e0f3fdadf9e

Download Submit
C:\Windows\{74852100-08E3-4134-8F65-5E7E38868FAD}.exe

Filesize
344KB

MD5
cf7263640c09f46d2ac9ea6cdcd3d0c5

SHA1
a98530d6713724030afcb2bb04fbffa06e3942c1

SHA256
debbd6a6b62f216f5c7b85b8b08b20bf19349caf1908e171d4639596af6d6a0c

SHA512
31f7ee1e6ba26fde054667423c5db2d74dee23932f684b98ce9a7928a88ebba045713d52ef1a29f9b270007bd06fd9d2f06b1cf5d67930be83d29d89952ac1ea

Download Submit
C:\Windows\{794F3542-BD44-46ea-AEAB-DF0460BF3329}.exe

Filesize
344KB

MD5
7373194e87325bfe5ed974df965e8ef8

SHA1
6f6732f2580897fc39feef9cd88603b35e1ed36d

SHA256
e8e3c2c5ac93c26365b8cfa139dcb8877bc7868c4d894506aa6869ceceb035a2

SHA512
b580340e10a53eac1bf897416a63c800b47b352f5306515093db27c5d1f2d8b0e4a5695b08f96e43319d5b3812552af291edf1d26991e696fcde03f87f72abe5

Download Submit
C:\Windows\{8D0C0A03-CE68-4579-8DB0-B4416E208450}.exe

Filesize
344KB

MD5
7931c23f50e9b8b777866dc3784602f6

SHA1
a8ded688818d0a84e96e481355bed7004e25be2e

SHA256
93aa8846f831943761ae23772cc438fc8227770a804f29a7293dc6f6dccfca8e

SHA512
17180a91dd266907ee75dd73c05131f00c3883a9cb26867d3e85bf8d00785082428ec5c1355bfcda8aed0ac0e8b48c82d181910fb1b76168ff04c9e3f495df32

Download Submit
C:\Windows\{8D76AA20-FE8E-4def-A096-827466C21415}.exe

Filesize
344KB

MD5
6a7fa63b5c2263ea3946dc9a90a9fee7

SHA1
4ab0ae83fdb5366d28c889da0c3588530553acd3

SHA256
cf2d92f059481c6c5b60730daf6b18b24a1579629f630b12e40b18a90ce2d352

SHA512
c04a85f5a68c0490e4213150fd609f931b7ad3109710d5464e19d4612067ffb445bb8991efd2bdc2097ddccd684f2e0785e83f17dff8c15dfc4122409ea35607

Download Submit
C:\Windows\{B2664C4F-27E1-4d3c-A316-A9A19CF61126}.exe

Filesize
344KB

MD5
1b7bc0ad783890b437baa2e3f92c36d2

SHA1
1e576689bd1bbcf961eafa8e5894149d153da744

SHA256
a1cbeb9c5b20a83cfd79b096c66a709efdcafc1061898dfad6dcbc46800d552e

SHA512
617285cfadfad37f1bc26884f2523f67d20bc237a30db25226c4c488cf006501fcc4ed2e348953c690923b0bd43421e7296bd5bc43996ce3f1a02de0b03cb21e

Download Submit
C:\Windows\{D9827FDC-565D-4be2-A710-6A45875DC588}.exe

Filesize
344KB

MD5
370ef6518b27f8ba087f0241da7f6889

SHA1
89825ab2afd525fe29fb67631812f88be60ad898

SHA256
baeb54e3739d10b86c4dadcbfaeeb22d98df3c513cc8fd0c947abdcd49569179

SHA512
cb4d2a602ece80b8d643eb657d4ce5606a7b350339ea1daec326a5d9c325bcb57fe71522a27860dc9b325d32381b1688e98eab0d69504ab12f2f7de9a3bfc652

Download Submit
C:\Windows\{FED07838-624F-465c-84C2-CD6EF977DECE}.exe

Filesize
344KB

MD5
c3a1efa4f90f6e28a3725c1cdf4b102a

SHA1
cc32661e53cf27d36dcde0b43e48ae4e6f4eb715

SHA256
23874d8e347efa73b8ca3a44adfd96780ec0c1ef0a362f7881783c563a17943d

SHA512
aeec84de93c0112473e2473a36a365bbdba33397f4f4577f28a482f108170c2e91b9d907082ef6e96ad048285186ad62d47551bcf5d3befa0d2e7096356c2ddb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads