9b024334379e699787aa9aa2e30da03f7b1c2d2a5be77f740ee2771eaaf56e34

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Size

344KB
MD5

d31e57d544baf0ba8710f0189b7ef119
SHA1

edb0408897673736fa8d3a2abc67ea2f0658b1e4
SHA256

9b024334379e699787aa9aa2e30da03f7b1c2d2a5be77f740ee2771eaaf56e34
SHA512

30453a207fd3448fc1bbd94360a41bef4cb27ca54572af0bb3a73a47abf4ad36e6f65fa778f93dab3c10c5021aa75cd7c863c3501bf995af93c1998873c3e45e
SSDEEP

3072:mEGh0o5lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022ab8-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001b00000002399d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023a0b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b94-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016935-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0017000000023a0b-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016935-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0018000000023a0b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016935-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0019000000023a0b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000016935-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a000000023a0b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B405575A-CC71-4b70-9D02-735AC6E2E0B8}	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{181A329F-E8F0-4362-ACE6-C3B8615479A8}	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B790C39D-2717-425a-8BD6-85AFC1366838}	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}\stubpath = "C:\\Windows\\{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}.exe"	{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}\stubpath = "C:\\Windows\\{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe"	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2610B690-2C0D-45da-A378-8C8C9D82806C}\stubpath = "C:\\Windows\\{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe"	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}	{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B4B342E-59DC-4866-A8B7-E58B635BC079}	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B4B342E-59DC-4866-A8B7-E58B635BC079}\stubpath = "C:\\Windows\\{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe"	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D2060AA-0A59-408c-89B4-2C2093C898CA}\stubpath = "C:\\Windows\\{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe"	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B405575A-CC71-4b70-9D02-735AC6E2E0B8}\stubpath = "C:\\Windows\\{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe"	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B790C39D-2717-425a-8BD6-85AFC1366838}\stubpath = "C:\\Windows\\{B790C39D-2717-425a-8BD6-85AFC1366838}.exe"	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14374157-D6FE-4e9a-9894-0CDE31F928AE}\stubpath = "C:\\Windows\\{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe"	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}\stubpath = "C:\\Windows\\{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe"	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2610B690-2C0D-45da-A378-8C8C9D82806C}	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D2060AA-0A59-408c-89B4-2C2093C898CA}	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}\stubpath = "C:\\Windows\\{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe"	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{181A329F-E8F0-4362-ACE6-C3B8615479A8}\stubpath = "C:\\Windows\\{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe"	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14374157-D6FE-4e9a-9894-0CDE31F928AE}	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}\stubpath = "C:\\Windows\\{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe"	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe

Executes dropped EXE 12 IoCs

pid	Process
4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe
4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe
4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe
712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe
1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe
4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe
1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe
928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe
1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe
4604	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe
4112	{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe
5056	{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}.exe	{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe
File created	C:\Windows\{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe
File created	C:\Windows\{B790C39D-2717-425a-8BD6-85AFC1366838}.exe	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe
File created	C:\Windows\{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe
File created	C:\Windows\{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe
File created	C:\Windows\{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe
File created	C:\Windows\{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe
File created	C:\Windows\{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
File created	C:\Windows\{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe
File created	C:\Windows\{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe
File created	C:\Windows\{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe
File created	C:\Windows\{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3036	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe
Token: SeIncBasePriorityPrivilege	4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe
Token: SeIncBasePriorityPrivilege	4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe
Token: SeIncBasePriorityPrivilege	712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe
Token: SeIncBasePriorityPrivilege	1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe
Token: SeIncBasePriorityPrivilege	4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe
Token: SeIncBasePriorityPrivilege	1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe
Token: SeIncBasePriorityPrivilege	928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe
Token: SeIncBasePriorityPrivilege	1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe
Token: SeIncBasePriorityPrivilege	4604	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe
Token: SeIncBasePriorityPrivilege	4112	{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4840	3036	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	87
PID 3036 wrote to memory of 4840	3036	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	87
PID 3036 wrote to memory of 4840	3036	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	87
PID 3036 wrote to memory of 632	3036	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	88
PID 3036 wrote to memory of 632	3036	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	88
PID 3036 wrote to memory of 632	3036	2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe	88
PID 4840 wrote to memory of 4512	4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe	89
PID 4840 wrote to memory of 4512	4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe	89
PID 4840 wrote to memory of 4512	4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe	89
PID 4840 wrote to memory of 4412	4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe	90
PID 4840 wrote to memory of 4412	4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe	90
PID 4840 wrote to memory of 4412	4840	{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe	90
PID 4512 wrote to memory of 4420	4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe	97
PID 4512 wrote to memory of 4420	4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe	97
PID 4512 wrote to memory of 4420	4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe	97
PID 4512 wrote to memory of 3052	4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe	98
PID 4512 wrote to memory of 3052	4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe	98
PID 4512 wrote to memory of 3052	4512	{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe	98
PID 4420 wrote to memory of 712	4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe	101
PID 4420 wrote to memory of 712	4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe	101
PID 4420 wrote to memory of 712	4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe	101
PID 4420 wrote to memory of 4424	4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe	102
PID 4420 wrote to memory of 4424	4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe	102
PID 4420 wrote to memory of 4424	4420	{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe	102
PID 712 wrote to memory of 1816	712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe	104
PID 712 wrote to memory of 1816	712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe	104
PID 712 wrote to memory of 1816	712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe	104
PID 712 wrote to memory of 1800	712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe	105
PID 712 wrote to memory of 1800	712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe	105
PID 712 wrote to memory of 1800	712	{B790C39D-2717-425a-8BD6-85AFC1366838}.exe	105
PID 1816 wrote to memory of 4600	1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe	106
PID 1816 wrote to memory of 4600	1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe	106
PID 1816 wrote to memory of 4600	1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe	106
PID 1816 wrote to memory of 4328	1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe	107
PID 1816 wrote to memory of 4328	1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe	107
PID 1816 wrote to memory of 4328	1816	{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe	107
PID 4600 wrote to memory of 1896	4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe	108
PID 4600 wrote to memory of 1896	4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe	108
PID 4600 wrote to memory of 1896	4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe	108
PID 4600 wrote to memory of 756	4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe	109
PID 4600 wrote to memory of 756	4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe	109
PID 4600 wrote to memory of 756	4600	{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe	109
PID 1896 wrote to memory of 928	1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe	110
PID 1896 wrote to memory of 928	1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe	110
PID 1896 wrote to memory of 928	1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe	110
PID 1896 wrote to memory of 1208	1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe	111
PID 1896 wrote to memory of 1208	1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe	111
PID 1896 wrote to memory of 1208	1896	{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe	111
PID 928 wrote to memory of 1988	928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe	112
PID 928 wrote to memory of 1988	928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe	112
PID 928 wrote to memory of 1988	928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe	112
PID 928 wrote to memory of 1348	928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe	113
PID 928 wrote to memory of 1348	928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe	113
PID 928 wrote to memory of 1348	928	{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe	113
PID 1988 wrote to memory of 4604	1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe	114
PID 1988 wrote to memory of 4604	1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe	114
PID 1988 wrote to memory of 4604	1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe	114
PID 1988 wrote to memory of 5052	1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe	115
PID 1988 wrote to memory of 5052	1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe	115
PID 1988 wrote to memory of 5052	1988	{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe	115
PID 4604 wrote to memory of 4112	4604	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe	116
PID 4604 wrote to memory of 4112	4604	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe	116
PID 4604 wrote to memory of 4112	4604	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe	116
PID 4604 wrote to memory of 3512	4604	{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_d31e57d544baf0ba8710f0189b7ef119_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe
  C:\Windows\{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe
    C:\Windows\{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe
      C:\Windows\{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\{B790C39D-2717-425a-8BD6-85AFC1366838}.exe
        
        C:\Windows\{B790C39D-2717-425a-8BD6-85AFC1366838}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:712
      - C:\Windows\{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe
        
        C:\Windows\{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe
        
        C:\Windows\{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe
        
        C:\Windows\{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe
        
        C:\Windows\{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe
        
        C:\Windows\{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe
        
        C:\Windows\{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe
        
        C:\Windows\{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\Windows\{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}.exe
        
        C:\Windows\{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}.exe
        13⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2610B~1.EXE > nul
        13⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9379C~1.EXE > nul
        12⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D206~1.EXE > nul
        11⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5079~1.EXE > nul
        10⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B4B3~1.EXE > nul
        9⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95017~1.EXE > nul
        8⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14374~1.EXE > nul
        7⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B790C~1.EXE > nul
        6⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{181A3~1.EXE > nul
        5⤵
        
        PID:4424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4055~1.EXE > nul
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E126~1.EXE > nul
    3⤵
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14374157-D6FE-4e9a-9894-0CDE31F928AE}.exe

Filesize
344KB

MD5
0b71046aeee2a7072b02ff7b251b22a1

SHA1
389f80a0f818342facc6afaed1336cd43bf96de2

SHA256
822374e8f56fa702910d55aae20548ace663cef0694c42d128f7cccfcb6975c5

SHA512
8cdf95991d95e696951f2b3993daeff554d27f4005740268e78375338be3858eecd2839a758baafd5c17e8ada80199a75dec05ec265d679b130e2019ae9dd8af

Download Submit
C:\Windows\{181A329F-E8F0-4362-ACE6-C3B8615479A8}.exe

Filesize
344KB

MD5
70bcb92b33f6bee9c3294cf276a5e2a6

SHA1
c7f153890daf2b80d30f8fcaaa7af93c44917caf

SHA256
2c34f5736e170b32c6434e0bd8358ccc7f4ddc9321bb0761719f745296af3253

SHA512
5beb93647fedfb8c61f3a6abc0f580c7ea3da45ccc812ef6b986d1da1665b03c277c1fe87fbf9515f2c3611db17d932eb680d296e09c6069dcb0e4d12c785d72

Download Submit
C:\Windows\{2610B690-2C0D-45da-A378-8C8C9D82806C}.exe

Filesize
344KB

MD5
0c7a696238fa86390f57b82c800c06f1

SHA1
29f199c97eba37fa704d2bf03cb50a41aa8406d5

SHA256
cdb26363d3ef19e95518368bcd408ca7e1f0887efdc65d66cc7b1f88de73960f

SHA512
6d1365aa8ca6a83591ba75abc56930fbf1df53e9ab2d383a1a2adf63683efaad2c9a54b2d3344e30ee58133279ce1df4f5fec94105d4233484a45e7a31da50e4

Download Submit
C:\Windows\{3D2060AA-0A59-408c-89B4-2C2093C898CA}.exe

Filesize
344KB

MD5
e0e3e349be402f361bc4b23ad2f69932

SHA1
7adcea11ecf4191e2d2dba7b787aaa4c9ff174f1

SHA256
ffce6c65f30485f0945a2710f90bbe65c9ce365bc68bf612aa061eca1227f29d

SHA512
54e0302bbdc91ff9ca7ddfb0c01e38ac2e6ee12e96d054ca7ac74d79be2bea4fd579b1ed030cca6843dcb5fec4099a56fa0728cc349a0ceb4ef53a15c8f04f86

Download Submit
C:\Windows\{8B4B342E-59DC-4866-A8B7-E58B635BC079}.exe

Filesize
344KB

MD5
83e87d58799de3a9f2e53ca8dad2a980

SHA1
3c6683c4bf23ea3c578b959bcfd3c56aa55353ea

SHA256
0aa4c9522488887771573b025a1936d73761b6c3a25eb535289c8255efd36bc6

SHA512
a03350e711e85c5a66b8558448fa17e21699295c26ddc8e200224ebb2f462d25f5abcf9ef31a792b5f22b512568d896ab4ac030494821fde189bb9d40f504be5

Download Submit
C:\Windows\{9379CEFB-02CD-45eb-8971-33CEB4FDCD28}.exe

Filesize
344KB

MD5
5c93698fef0f22a5cf861223b1a38a59

SHA1
024caa0db0d8ee85e0a45edb785559dd50055df3

SHA256
a04979fc1c6065e610a292f1e56b2167139a95634b40597a1b7fbeed27f337c4

SHA512
d9c9f2a7bc8f3284f6c148686c266e15d67cdd34c14c247b245555f2fa80fc43220e3fe8133f2caf510960cad34b334304f55624de583e0a415194a6efc47d5a

Download Submit
C:\Windows\{95017CE4-01EC-4b02-A4CE-C0B5801C4B0C}.exe

Filesize
344KB

MD5
a7c93c9bbff6e384c1c010313312e432

SHA1
5e7b023cf107bc8864e43143df2e6db6bf8e4d52

SHA256
57cbfc6a581f9bc60d33e2eb54f2d671f34aa34d116ce5cd135d37dbe55f3365

SHA512
36447594f25f6c72c93d0e4fb558bc5aed583564361c43de73f40dd4dd3bad9321f329e366d3e720b5b05dbd55b31d98844675c06b895e1f0d26f09dd0143b72

Download Submit
C:\Windows\{9E126526-7FBF-460a-AD4C-33DF42F3C0EE}.exe

Filesize
344KB

MD5
f5faafd14150c199b6d139dc523f57c4

SHA1
dcbd382417c596c5a95ad22df6657fe44774f07b

SHA256
c067a5795636a58a96588ab461be21fe2cc7a643f1d64ef499895c95b1aa1e59

SHA512
3bae49c61ed188f154569bc347247866c629ebc6f5e0f0f0f818cb8eaccaa1ab634beddd31ed36d966e6faeba65a247663923aa664e7ee02b4cc029752cbac92

Download Submit
C:\Windows\{B405575A-CC71-4b70-9D02-735AC6E2E0B8}.exe

Filesize
344KB

MD5
e78731860724683889918b1273970d2f

SHA1
db7f4aa76b9b1e03d24b8bc50ffea67112e31c50

SHA256
17b8fc79656b2060af882d844a941a7f29dcb3a067edf40a355e2000c39e530b

SHA512
f34c1f120371f74dc633128bbfd6bcb149d66d91a1d940ab0eedf9f59d3fd0c0a9d00f3769b334d4b1cb6af7dfbd82f87bb305e4b56026355b66bd876a6c7cdc

Download Submit
C:\Windows\{B790C39D-2717-425a-8BD6-85AFC1366838}.exe

Filesize
344KB

MD5
3fbaf80a1b4bf994148f883087f1ad58

SHA1
481dc75ef357736b09e7bf7da7eb74da40c142ed

SHA256
64737cc694a6ffa5f3c0f3a9acc177448bc71697922ba0454aef96f728f5c916

SHA512
e010a53148825ba76e9f8d12632fee2157548095e45d6130559c5cd557961488285c6b47f88a93e964f8990c833c4d562a9af10d418b47ba7d7572edaf3f5a03

Download Submit
C:\Windows\{D50799A4-7420-4be9-9EF4-6CA7C6E2D74F}.exe

Filesize
344KB

MD5
7f464b6f911e0f03389e9026d29b4e91

SHA1
24ab8ced6b36a13c0ea3ff1c1d2586f6b12f7c9c

SHA256
13126172220bc1b2ddac30545d5091a725e395736528d6e474618113e73b630d

SHA512
59f4d1f5bf227dc40562eb1a7208fc5d5f2413716c5100363187d0baef0cf86bd09107c97734a95947177be52a9dec85dc24cc0ec4ff87ce2b336285af2d5850

Download Submit
C:\Windows\{DFAEE3DF-00C4-4a51-999A-58C1E3DDC867}.exe

Filesize
344KB

MD5
0a7d4cb808bab5d8c71344c048475d51

SHA1
d9059f0e67d8cf80c89faf36a713b460ebad54c2

SHA256
3224c01fc870b38c473b4184909638e72a5f1baea1cce2d66264b6d3ca67d471

SHA512
be1eb40172b3c04e3e01bc9308f7e426567881b0c71f2983bbf551cba7d1839de3a7bbe1d24a3b28355f14a94a89dda76d1d3d9049cd6ceabce3cec3c9aa01ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads