ad1e9414bcbfb48493e0d7a3daf48caf5f6cf11262b43ce3143c1d37742ac13a

Analysis

max time kernel
149s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Size

180KB
MD5

53c5caea0fcb28fe3e6142dfa2d01d77
SHA1

de470816f85b07bd4c7000abfefe71d48061d202
SHA256

ad1e9414bcbfb48493e0d7a3daf48caf5f6cf11262b43ce3143c1d37742ac13a
SHA512

ec6dbf337b78548b46b5c39db18c9982c8dee86935813931defbcba4d24031221a20a30fbbc17d7cc0bcaca62f9bac842b2726d054d88a48b0f1fbb8d33e096e
SSDEEP

3072:jEGh0orlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGxl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023bb0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bb3-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000001e4eb-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bb8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023bc5-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bb8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023bc5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bb8-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bc5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bb8-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bc5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023bb8-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4F82EC-9AB4-4cd7-9663-373767000CEC}	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9FB9523-6EC3-4498-AAC6-A03D10E97080}	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A0A01B-2300-44fa-9676-90ED5376BD98}	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE74B2D-168E-422d-AD31-05FE15696525}	{697F6713-86B4-4686-9875-F5C147CF2609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF62886E-AAB0-46fe-B14E-48A850C07846}\stubpath = "C:\\Windows\\{EF62886E-AAB0-46fe-B14E-48A850C07846}.exe"	{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A0A01B-2300-44fa-9676-90ED5376BD98}\stubpath = "C:\\Windows\\{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe"	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{055EF1D6-333A-4df3-8A36-BE45805E9B2F}	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{697F6713-86B4-4686-9875-F5C147CF2609}	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE74B2D-168E-422d-AD31-05FE15696525}\stubpath = "C:\\Windows\\{7CE74B2D-168E-422d-AD31-05FE15696525}.exe"	{697F6713-86B4-4686-9875-F5C147CF2609}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}\stubpath = "C:\\Windows\\{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe"	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4F82EC-9AB4-4cd7-9663-373767000CEC}\stubpath = "C:\\Windows\\{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe"	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65A8F8A4-6600-41cf-AE68-53503EB79415}\stubpath = "C:\\Windows\\{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe"	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C77C5641-DCD3-4799-B1DC-43FB906AB957}	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{055EF1D6-333A-4df3-8A36-BE45805E9B2F}\stubpath = "C:\\Windows\\{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe"	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}\stubpath = "C:\\Windows\\{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe"	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}\stubpath = "C:\\Windows\\{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe"	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{697F6713-86B4-4686-9875-F5C147CF2609}\stubpath = "C:\\Windows\\{697F6713-86B4-4686-9875-F5C147CF2609}.exe"	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65A8F8A4-6600-41cf-AE68-53503EB79415}	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9FB9523-6EC3-4498-AAC6-A03D10E97080}\stubpath = "C:\\Windows\\{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe"	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C77C5641-DCD3-4799-B1DC-43FB906AB957}\stubpath = "C:\\Windows\\{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe"	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF62886E-AAB0-46fe-B14E-48A850C07846}	{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe

Executes dropped EXE 12 IoCs

pid	Process
2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe
4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe
2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe
4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe
2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe
220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe
4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe
4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe
3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe
1564	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe
1880	{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe
2244	{EF62886E-AAB0-46fe-B14E-48A850C07846}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
File created	C:\Windows\{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe
File created	C:\Windows\{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe
File created	C:\Windows\{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe
File created	C:\Windows\{697F6713-86B4-4686-9875-F5C147CF2609}.exe	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe
File created	C:\Windows\{EF62886E-AAB0-46fe-B14E-48A850C07846}.exe	{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe
File created	C:\Windows\{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe
File created	C:\Windows\{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe
File created	C:\Windows\{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe
File created	C:\Windows\{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe
File created	C:\Windows\{7CE74B2D-168E-422d-AD31-05FE15696525}.exe	{697F6713-86B4-4686-9875-F5C147CF2609}.exe
File created	C:\Windows\{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	116	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe
Token: SeIncBasePriorityPrivilege	4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe
Token: SeIncBasePriorityPrivilege	2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe
Token: SeIncBasePriorityPrivilege	4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe
Token: SeIncBasePriorityPrivilege	2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe
Token: SeIncBasePriorityPrivilege	220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe
Token: SeIncBasePriorityPrivilege	4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe
Token: SeIncBasePriorityPrivilege	4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe
Token: SeIncBasePriorityPrivilege	3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe
Token: SeIncBasePriorityPrivilege	1564	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe
Token: SeIncBasePriorityPrivilege	1880	{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2600	116	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	88
PID 116 wrote to memory of 2600	116	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	88
PID 116 wrote to memory of 2600	116	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	88
PID 116 wrote to memory of 3248	116	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	89
PID 116 wrote to memory of 3248	116	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	89
PID 116 wrote to memory of 3248	116	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	89
PID 2600 wrote to memory of 4884	2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe	90
PID 2600 wrote to memory of 4884	2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe	90
PID 2600 wrote to memory of 4884	2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe	90
PID 2600 wrote to memory of 2636	2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe	91
PID 2600 wrote to memory of 2636	2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe	91
PID 2600 wrote to memory of 2636	2600	{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe	91
PID 4884 wrote to memory of 2976	4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe	94
PID 4884 wrote to memory of 2976	4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe	94
PID 4884 wrote to memory of 2976	4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe	94
PID 4884 wrote to memory of 4828	4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe	95
PID 4884 wrote to memory of 4828	4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe	95
PID 4884 wrote to memory of 4828	4884	{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe	95
PID 2976 wrote to memory of 4232	2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe	100
PID 2976 wrote to memory of 4232	2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe	100
PID 2976 wrote to memory of 4232	2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe	100
PID 2976 wrote to memory of 2752	2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe	101
PID 2976 wrote to memory of 2752	2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe	101
PID 2976 wrote to memory of 2752	2976	{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe	101
PID 4232 wrote to memory of 2652	4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe	103
PID 4232 wrote to memory of 2652	4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe	103
PID 4232 wrote to memory of 2652	4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe	103
PID 4232 wrote to memory of 1068	4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe	104
PID 4232 wrote to memory of 1068	4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe	104
PID 4232 wrote to memory of 1068	4232	{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe	104
PID 2652 wrote to memory of 220	2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe	107
PID 2652 wrote to memory of 220	2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe	107
PID 2652 wrote to memory of 220	2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe	107
PID 2652 wrote to memory of 4856	2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe	108
PID 2652 wrote to memory of 4856	2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe	108
PID 2652 wrote to memory of 4856	2652	{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe	108
PID 220 wrote to memory of 4328	220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe	109
PID 220 wrote to memory of 4328	220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe	109
PID 220 wrote to memory of 4328	220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe	109
PID 220 wrote to memory of 4420	220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe	110
PID 220 wrote to memory of 4420	220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe	110
PID 220 wrote to memory of 4420	220	{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe	110
PID 4328 wrote to memory of 4228	4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe	111
PID 4328 wrote to memory of 4228	4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe	111
PID 4328 wrote to memory of 4228	4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe	111
PID 4328 wrote to memory of 4596	4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe	112
PID 4328 wrote to memory of 4596	4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe	112
PID 4328 wrote to memory of 4596	4328	{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe	112
PID 4228 wrote to memory of 3124	4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe	113
PID 4228 wrote to memory of 3124	4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe	113
PID 4228 wrote to memory of 3124	4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe	113
PID 4228 wrote to memory of 1788	4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe	114
PID 4228 wrote to memory of 1788	4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe	114
PID 4228 wrote to memory of 1788	4228	{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe	114
PID 3124 wrote to memory of 1564	3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe	115
PID 3124 wrote to memory of 1564	3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe	115
PID 3124 wrote to memory of 1564	3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe	115
PID 3124 wrote to memory of 3460	3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe	116
PID 3124 wrote to memory of 3460	3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe	116
PID 3124 wrote to memory of 3460	3124	{697F6713-86B4-4686-9875-F5C147CF2609}.exe	116
PID 1564 wrote to memory of 1880	1564	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe	117
PID 1564 wrote to memory of 1880	1564	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe	117
PID 1564 wrote to memory of 1880	1564	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe	117
PID 1564 wrote to memory of 688	1564	{7CE74B2D-168E-422d-AD31-05FE15696525}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe
  C:\Windows\{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe
    C:\Windows\{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe
      C:\Windows\{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe
        
        C:\Windows\{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
      - C:\Windows\{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe
        
        C:\Windows\{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe
        
        C:\Windows\{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe
        
        C:\Windows\{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe
        
        C:\Windows\{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\{697F6713-86B4-4686-9875-F5C147CF2609}.exe
        
        C:\Windows\{697F6713-86B4-4686-9875-F5C147CF2609}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\{7CE74B2D-168E-422d-AD31-05FE15696525}.exe
        
        C:\Windows\{7CE74B2D-168E-422d-AD31-05FE15696525}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe
        
        C:\Windows\{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\{EF62886E-AAB0-46fe-B14E-48A850C07846}.exe
        
        C:\Windows\{EF62886E-AAB0-46fe-B14E-48A850C07846}.exe
        13⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{652C7~1.EXE > nul
        13⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CE74~1.EXE > nul
        12⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{697F6~1.EXE > nul
        11⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40926~1.EXE > nul
        10⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37B76~1.EXE > nul
        9⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{055EF~1.EXE > nul
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C77C5~1.EXE > nul
        7⤵
        
        PID:4856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34A0A~1.EXE > nul
        6⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9FB9~1.EXE > nul
        5⤵
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{65A8F~1.EXE > nul
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F4F8~1.EXE > nul
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{055EF1D6-333A-4df3-8A36-BE45805E9B2F}.exe

Filesize
180KB

MD5
ed4225760d3cc81122d9cee65e035149

SHA1
8ec197a20e9534077af272536bce9eb28f0f4324

SHA256
4efb9c7f4b0a8ec8060b9c1419536b9a5ccd8e235b6d56ea35110d1fea46d3e5

SHA512
0f017dad4cd97fd703cb77d1549962dfbd9491b1483043dff654dd0d987f286e8aaa0f740005ba691f82137c0ddfce8876ccfeaa3cf9f8f0aa269a1dd6ecb72f

Download Submit
C:\Windows\{34A0A01B-2300-44fa-9676-90ED5376BD98}.exe

Filesize
180KB

MD5
c760e66d55f876fdfb94da467b600644

SHA1
aa541f2a271685476a925a19f862b274dd40cfa8

SHA256
175ae9931a91e1c9c5ea4dd63e2ebb356f5945d18bc03ea08babed97ef3c896f

SHA512
2e4aea500435fc0493dfa812c48aa1b925c44a5e7eb05758acf8405b356b66312ffe4f42f721daf808487fadd06c99282fc0c3f0186c5967defbaab986a37a7b

Download Submit
C:\Windows\{37B76A33-5F3A-4fe9-B340-FBECFB0F8159}.exe

Filesize
180KB

MD5
708461abe935d817813cbd9b341bf876

SHA1
b1222dda2ce829d1ed60f73f2b9a8223ebe168b3

SHA256
e3a9de4bf9171ba59ffe902489ed4c52106a7dc8fd681bca38128b18d52aa007

SHA512
05cb4b9d77238eaa8900fc0cff08222da12b3deca13bf5684ae269d999ace5acd72df46399099a0c732cc9e56de305750e9c2349b6f659d8cf7eee43362d3a14

Download Submit
C:\Windows\{40926F2B-ABC2-4727-BD65-33EBBA72BFC0}.exe

Filesize
180KB

MD5
204a81e9ad6560e20b1bf2d6faa528c0

SHA1
cbdf4bc0cf1ed1ee2174de42ae77de68d9c43257

SHA256
9c53426ef2031181c738506e0f40e5d8ce5993ee004f3ce737f706dc6f4c87fe

SHA512
0673a19eb867fcc042bdbbdbe5e9218d37703ed20422dccaabbeb776d083dc2d5ba12766902dd7eb55cf6c74537a3a9e45c9a1f81e02c3627e4cf0952667ac41

Download Submit
C:\Windows\{652C7B6F-DB6A-4f31-89B8-8CDEA4C75897}.exe

Filesize
180KB

MD5
4011668323074d4eaef9886ecd689c28

SHA1
6af33127f8bbffd4eb49a113c3e83287438d3f82

SHA256
ecfcfff8e80463df265f56904fb814256f0d9fc8e6e3f8734c20c8bc52c21287

SHA512
bdb66c73e3b6d76c4ee04dff4567d1216dd24908d0626dc745a22b201eba863c5ac70d3091e4fc3e9f4d0df62133992470481e6509735703b6530d4d8802e00a

Download Submit
C:\Windows\{65A8F8A4-6600-41cf-AE68-53503EB79415}.exe

Filesize
180KB

MD5
80600ec1fbc933fe53210c646eebb13a

SHA1
989fa7f75b3f2e5e25855391db1c475842b79800

SHA256
d8a31f4cb21650ff78e218b158ffd35311898f17e020a2596ac8adb8f5fd2f44

SHA512
d7953b0be6cff2449a44d8fe0547893432f2f9441b425493020f58016c1da6596e21a898b8a545480761e0a259c13fb9fa723f686147c62df0b413919285d3b6

Download Submit
C:\Windows\{697F6713-86B4-4686-9875-F5C147CF2609}.exe

Filesize
180KB

MD5
a97a5768cb524a101ab01edd0c7e04fd

SHA1
95bc8954429deb7cb87df3f024f543ca08107957

SHA256
8839d12cb951a80ad4a1de76ec3445b6c90654aa5c56add3c30fdf571f94c4b1

SHA512
37dbf2cf416f95a9488ba0ed544364fc7047cad75b79531dae26853909ce5016a1fa45c1d3b01bc9497982976fb981f2975cdcd58f88c9a66a394525cde6e53b

Download Submit
C:\Windows\{7CE74B2D-168E-422d-AD31-05FE15696525}.exe

Filesize
180KB

MD5
f60160fddd84c1c67c3ffc8297445329

SHA1
e9a85d7c00ec828d7c460674ad244925e9bca7ad

SHA256
abac3868be7f265cab1ce7abf5dfc9350f5b1b6a0b0703a14331bd2c385e7b9f

SHA512
4536da9f3582c4639403badf0debee8a4f30bef6bc735c616cbcba03d2202286997e5c9ada4d4ddb2f77ddc6547efbf82d3a4dfbd1c415b5af1d91b5522df046

Download Submit
C:\Windows\{8F4F82EC-9AB4-4cd7-9663-373767000CEC}.exe

Filesize
180KB

MD5
ef7c9cdedf4b5095be3f46c844e852a2

SHA1
03bdc2695fa21ea8e02a123a46a8386229c4c18c

SHA256
7c0a63f3b67bcf2ad64c996a6f1380246def621fa0df47a2d8a3a945d8928a66

SHA512
916a63a20c77eb503005f3cbf098aaa1857b38a6c216027db98ff4b64f3a37ffc5e3c67fc320be7eba04e7af5930734c720ae2025dd23dc5271394d171283ff6

Download Submit
C:\Windows\{C77C5641-DCD3-4799-B1DC-43FB906AB957}.exe

Filesize
180KB

MD5
8069e09ef384336b2022d19d01e18406

SHA1
cfb367acfd224da0a7a9cb689e2eae0cb443938a

SHA256
6cc8df6a16e25e3e7105858136844ef2234da4c490c8afc183103d1b7a79cd9b

SHA512
6a983dd6199f87b8c8505cf6b48035c9bad7e8821a5b32448edeb2cc7a4d267a78f09431a44cf55ea637ec91aab95e9342d32e3fe645dacd3973448ea63fc3c5

Download Submit
C:\Windows\{E9FB9523-6EC3-4498-AAC6-A03D10E97080}.exe

Filesize
180KB

MD5
20b15d7bac092dfc6017bc790fcf57dd

SHA1
31b937de3c656d60cba28d7f23413d17eac62902

SHA256
cb7498f8a9b0ac43fe04e9f35367f03bcccb25b35d27113cf4c240ec35823f97

SHA512
d8965e6de5e3cb673527bbe8aaf41cf855cdec592959df12a250354567e2d8ba5722c196e68972681161f5a875ea3ff4978cd40a1a5b29804233bda3bc0dc746

Download Submit
C:\Windows\{EF62886E-AAB0-46fe-B14E-48A850C07846}.exe

Filesize
180KB

MD5
c24906e94bd1f2edb52dde45fbb73d93

SHA1
f47440a9c9df25a817fe79849fe44762a08fc36f

SHA256
484a4100b2997574469ab84bd7b6cf688a2c9f04bcc972796a9b6c7cf34e568b

SHA512
d5610d63a6d33079d985022f22fc8cf20525c0396683aa1fabf3325f8f4bca12c953ce98c552cc5e9bc688abcea47e811ffd2b0da5c45e53f0d5a26d6d76a4c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads