78cc575f1d769f42f5c952874409c032d9cf74c0000611a9b6407418f4b7f4f7

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Size

197KB
MD5

83bc0013b0b2315d4afc71ba9a24c5de
SHA1

30b3a1cfc8702b2fbc03bf6c0a7ca11819afb98e
SHA256

78cc575f1d769f42f5c952874409c032d9cf74c0000611a9b6407418f4b7f4f7
SHA512

4f068bf25e17edba080b4137f2901a16d23efedd51a338a047098fc332b66bdbd31342ae500acc546090390a43cbc28946b0c2735a06ba8c1f13c3835893ef9f
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG+lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bbb-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023bb4-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023bc3-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0016000000023bb4-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023bc3-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bc5-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023bc3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001b000000023bb4-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023bc3-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001c000000023bb4-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023bc3-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023a82-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}\stubpath = "C:\\Windows\\{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe"	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C44599B4-4364-4873-8D9B-6C23D41DB1F2}\stubpath = "C:\\Windows\\{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe"	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E917C560-1A55-46bd-B062-97683E3D7CAE}\stubpath = "C:\\Windows\\{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe"	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B19C2A-3B61-422a-9E17-62EB83DA25CF}	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44352F2-9E94-4d6d-8035-52A7F06F407A}\stubpath = "C:\\Windows\\{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe"	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40F96BC-1521-4fbc-BA33-72689C5CDB29}\stubpath = "C:\\Windows\\{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe"	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}\stubpath = "C:\\Windows\\{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe"	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B19C2A-3B61-422a-9E17-62EB83DA25CF}\stubpath = "C:\\Windows\\{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe"	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}\stubpath = "C:\\Windows\\{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe"	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B15947F5-F26A-4872-A237-B7FC149E5EAA}\stubpath = "C:\\Windows\\{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe"	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}\stubpath = "C:\\Windows\\{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe"	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40F96BC-1521-4fbc-BA33-72689C5CDB29}	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A5F63FF-7612-4f6c-A9AD-97F72556971A}	{AE91B675-553E-4e63-A668-50712372B433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C44599B4-4364-4873-8D9B-6C23D41DB1F2}	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E917C560-1A55-46bd-B062-97683E3D7CAE}	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44352F2-9E94-4d6d-8035-52A7F06F407A}	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B15947F5-F26A-4872-A237-B7FC149E5EAA}	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A5F63FF-7612-4f6c-A9AD-97F72556971A}\stubpath = "C:\\Windows\\{7A5F63FF-7612-4f6c-A9AD-97F72556971A}.exe"	{AE91B675-553E-4e63-A668-50712372B433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE91B675-553E-4e63-A668-50712372B433}	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE91B675-553E-4e63-A668-50712372B433}\stubpath = "C:\\Windows\\{AE91B675-553E-4e63-A668-50712372B433}.exe"	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe

Executes dropped EXE 12 IoCs

pid	Process
1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe
3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe
1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe
3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe
3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe
3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe
4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe
2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe
1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe
4356	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe
2148	{AE91B675-553E-4e63-A668-50712372B433}.exe
952	{7A5F63FF-7612-4f6c-A9AD-97F72556971A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AE91B675-553E-4e63-A668-50712372B433}.exe	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe
File created	C:\Windows\{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
File created	C:\Windows\{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe
File created	C:\Windows\{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe
File created	C:\Windows\{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe
File created	C:\Windows\{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe
File created	C:\Windows\{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe
File created	C:\Windows\{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe
File created	C:\Windows\{7A5F63FF-7612-4f6c-A9AD-97F72556971A}.exe	{AE91B675-553E-4e63-A668-50712372B433}.exe
File created	C:\Windows\{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe
File created	C:\Windows\{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe
File created	C:\Windows\{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1312	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe
Token: SeIncBasePriorityPrivilege	3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe
Token: SeIncBasePriorityPrivilege	1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe
Token: SeIncBasePriorityPrivilege	3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe
Token: SeIncBasePriorityPrivilege	3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe
Token: SeIncBasePriorityPrivilege	3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe
Token: SeIncBasePriorityPrivilege	4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe
Token: SeIncBasePriorityPrivilege	2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe
Token: SeIncBasePriorityPrivilege	1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe
Token: SeIncBasePriorityPrivilege	4356	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe
Token: SeIncBasePriorityPrivilege	2148	{AE91B675-553E-4e63-A668-50712372B433}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1392	1312	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	97
PID 1312 wrote to memory of 1392	1312	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	97
PID 1312 wrote to memory of 1392	1312	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	97
PID 1312 wrote to memory of 4032	1312	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	98
PID 1312 wrote to memory of 4032	1312	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	98
PID 1312 wrote to memory of 4032	1312	2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe	98
PID 1392 wrote to memory of 3632	1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe	99
PID 1392 wrote to memory of 3632	1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe	99
PID 1392 wrote to memory of 3632	1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe	99
PID 1392 wrote to memory of 5112	1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe	100
PID 1392 wrote to memory of 5112	1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe	100
PID 1392 wrote to memory of 5112	1392	{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe	100
PID 3632 wrote to memory of 1676	3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe	103
PID 3632 wrote to memory of 1676	3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe	103
PID 3632 wrote to memory of 1676	3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe	103
PID 3632 wrote to memory of 3236	3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe	104
PID 3632 wrote to memory of 3236	3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe	104
PID 3632 wrote to memory of 3236	3632	{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe	104
PID 1676 wrote to memory of 3908	1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe	105
PID 1676 wrote to memory of 3908	1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe	105
PID 1676 wrote to memory of 3908	1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe	105
PID 1676 wrote to memory of 1716	1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe	106
PID 1676 wrote to memory of 1716	1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe	106
PID 1676 wrote to memory of 1716	1676	{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe	106
PID 3908 wrote to memory of 3572	3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe	107
PID 3908 wrote to memory of 3572	3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe	107
PID 3908 wrote to memory of 3572	3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe	107
PID 3908 wrote to memory of 940	3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe	108
PID 3908 wrote to memory of 940	3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe	108
PID 3908 wrote to memory of 940	3908	{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe	108
PID 3572 wrote to memory of 3816	3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe	113
PID 3572 wrote to memory of 3816	3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe	113
PID 3572 wrote to memory of 3816	3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe	113
PID 3572 wrote to memory of 4360	3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe	114
PID 3572 wrote to memory of 4360	3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe	114
PID 3572 wrote to memory of 4360	3572	{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe	114
PID 3816 wrote to memory of 4032	3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe	115
PID 3816 wrote to memory of 4032	3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe	115
PID 3816 wrote to memory of 4032	3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe	115
PID 3816 wrote to memory of 4324	3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe	116
PID 3816 wrote to memory of 4324	3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe	116
PID 3816 wrote to memory of 4324	3816	{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe	116
PID 4032 wrote to memory of 2772	4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe	125
PID 4032 wrote to memory of 2772	4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe	125
PID 4032 wrote to memory of 2772	4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe	125
PID 4032 wrote to memory of 4088	4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe	126
PID 4032 wrote to memory of 4088	4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe	126
PID 4032 wrote to memory of 4088	4032	{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe	126
PID 2772 wrote to memory of 1256	2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe	127
PID 2772 wrote to memory of 1256	2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe	127
PID 2772 wrote to memory of 1256	2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe	127
PID 2772 wrote to memory of 3068	2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe	128
PID 2772 wrote to memory of 3068	2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe	128
PID 2772 wrote to memory of 3068	2772	{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe	128
PID 1256 wrote to memory of 4356	1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe	129
PID 1256 wrote to memory of 4356	1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe	129
PID 1256 wrote to memory of 4356	1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe	129
PID 1256 wrote to memory of 4320	1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe	130
PID 1256 wrote to memory of 4320	1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe	130
PID 1256 wrote to memory of 4320	1256	{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe	130
PID 4356 wrote to memory of 2148	4356	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe	131
PID 4356 wrote to memory of 2148	4356	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe	131
PID 4356 wrote to memory of 2148	4356	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe	131
PID 4356 wrote to memory of 3564	4356	{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_83bc0013b0b2315d4afc71ba9a24c5de_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe
  C:\Windows\{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe
    C:\Windows\{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe
      C:\Windows\{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe
        
        C:\Windows\{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Windows\{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe
        
        C:\Windows\{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe
        
        C:\Windows\{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe
        
        C:\Windows\{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe
        
        C:\Windows\{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe
        
        C:\Windows\{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe
        
        C:\Windows\{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{AE91B675-553E-4e63-A668-50712372B433}.exe
        
        C:\Windows\{AE91B675-553E-4e63-A668-50712372B433}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\{7A5F63FF-7612-4f6c-A9AD-97F72556971A}.exe
        
        C:\Windows\{7A5F63FF-7612-4f6c-A9AD-97F72556971A}.exe
        13⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE91B~1.EXE > nul
        13⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A40F9~1.EXE > nul
        12⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAEDC~1.EXE > nul
        11⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1594~1.EXE > nul
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C561C~1.EXE > nul
        9⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4435~1.EXE > nul
        8⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06B19~1.EXE > nul
        7⤵
        
        PID:4360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E111~1.EXE > nul
        6⤵
        
        PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E917C~1.EXE > nul
        5⤵
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4459~1.EXE > nul
      4⤵
      PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{977DC~1.EXE > nul
    3⤵
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06B19C2A-3B61-422a-9E17-62EB83DA25CF}.exe

Filesize
197KB

MD5
0d58354342dcb8547d3e5fa80bec54e4

SHA1
c15c9c838c1f72e66ee49755673f662a86388991

SHA256
473455524bf27a78fe824a7ea638ae3c0c718b5627cbcd89a5c4fed07131ef56

SHA512
989791794b5d70868728b5a41ccb06111ce783ab164f03cb9dfca92a30309ebde82494521bdc91e246a1518c2e47624138d29179f974c759a885890043697781

Download Submit
C:\Windows\{7A5F63FF-7612-4f6c-A9AD-97F72556971A}.exe

Filesize
197KB

MD5
84aeee315c64b2c4baf728f9c38ee0e1

SHA1
3d181a2378c05eb95314f82f3dc86bbfe8194bfb

SHA256
d81665e339cb5a1e6e942954dd42b65682fac3df2b1532cdb89e20bae4391005

SHA512
d22ca616530d4760217a4ee619e7789be5e43b3b378235c13bd3be9613046b4c1410e7bb82cb92bffb85cef3cc04e0dc21f75dd87654592090767e813f8f1501

Download Submit
C:\Windows\{977DCF5B-7F02-459f-BDC7-D41D7344BA9A}.exe

Filesize
197KB

MD5
7925cff1e38bc7ffbce5d882f30e6682

SHA1
8dc959679a5208cfc9ee62f443a76cc993c0aa48

SHA256
ad26ded97bfbdfa0aeca13924cab10aaf3327f3de3846b8d54b321740a64fd5c

SHA512
bd0acbbff23c1a487756cd77e9a1a9b6bf0cd0394f5488bf43ecb32232b4172b46c30385760f559c368da560edb79df71d1e6aa543e8edc8a77dcb54573748f9

Download Submit
C:\Windows\{9E11166B-95A4-45df-A3FE-63D1BE52EEAC}.exe

Filesize
197KB

MD5
c363ff8d3e2f9642c01cb67ef1942177

SHA1
8b9c890e0916e9ac69e88b5ba636427394e07362

SHA256
0b32994c016a49a2fc004813b64fc0b0e251aa49fb26b083846022cf95055311

SHA512
b27444058e974853b2234c0e874a30c7ef823248379aba0bb5584ca58546b9b55b193a3bf0c2e9ee1908f98a64919f4bd1489aecaf51dde32fb3ba5fa339cf1e

Download Submit
C:\Windows\{A40F96BC-1521-4fbc-BA33-72689C5CDB29}.exe

Filesize
197KB

MD5
42d71e9b198501c917dd35fbd5c01147

SHA1
71835859b44e0e7d8ff355f9d97519f86aeef840

SHA256
ab7e15addf519a5fce371dea2b3146613355df7201de4556b4757229237b468c

SHA512
4e7b68349216780d83ca4e197c9b67c89115159451f70c37fad6a1a09392c15fbc08868464dc17ec51f7a3372f95d017c907968c34aa6bc88c7d8bab13bae5cb

Download Submit
C:\Windows\{AE91B675-553E-4e63-A668-50712372B433}.exe

Filesize
197KB

MD5
c54afa54c9790669d833feb23da1b0ed

SHA1
e8eea480d5b472bf7c001f6fe5d2298f2903d55e

SHA256
04c4ab1eaab3fed70cf11207ca5a5d09abad323865ff9a5be86563e43b52ba11

SHA512
4a2e6a50133ebfb4161467b9488103c784f420366c3a0c876640e69ea6c44f7e2ee35a6509f456adf4c59e877532f5851e301b5ddec4c667e43d8022583a1db6

Download Submit
C:\Windows\{B15947F5-F26A-4872-A237-B7FC149E5EAA}.exe

Filesize
197KB

MD5
33005e62320684c27e8fd0f383765d0f

SHA1
9d4c00090c7bf488d4ac55085c92c5171ec4ac72

SHA256
ba3e6cb81e99e1f8ccad0fbdeadbbb7965f4063790e307e36850e502976f9e12

SHA512
9a42e2125d68d2fdea313432e507404df940537f37d4a10ace370a6351389046f49c0c35efbf9a632f764a52cfbc000b2c35649d0409ee8c8159f0345982003a

Download Submit
C:\Windows\{C44599B4-4364-4873-8D9B-6C23D41DB1F2}.exe

Filesize
197KB

MD5
db6a1b1b18adfec7b124338a36bb3f10

SHA1
e6a40ca4967d07832ef96f827fe64d704ef67288

SHA256
b452361edb46f39fc6c067879b1445796d5e660ba7df412be236240577da2be9

SHA512
428e26feddf078cd94f7436c3f4c1f7d99b10ee16531490ac2a6e48cb92cdeb7c78b7c2f6ae5f73479f50ddbaf85a5cfe1f67ab0bcb300d5890e0a9bf1c3cbc2

Download Submit
C:\Windows\{C561C9BD-8BD9-49b3-95A6-3E080838C0A9}.exe

Filesize
197KB

MD5
b3bd078c4ca505c08cccbdf001018867

SHA1
af5371d895885c759ce47fbc1a344a1dd206b231

SHA256
5908e01d5eca70fc8288cb4899f462d6dde33e0afad303cceab18591ca3209cb

SHA512
82b258d0de44b512ee85752ac489f8aeb00c7818c898168e0aeea36aca2bf365ea12b5533958cc1e072d2e6aa3ffec66b5575de181c54af36232094ca1794ad8

Download Submit
C:\Windows\{DAEDC57F-E48C-449d-8663-F2C6E5B53BE5}.exe

Filesize
197KB

MD5
977ef553a988649f9ac624e6fab51b8f

SHA1
c20164f888d4f182785bfa0fea2e7d5323283b57

SHA256
5e3e026d3a479dc41d0b93eefb889b3a8772df87b006571282082eb64fe09212

SHA512
10a5919fe48144e0a1c9fe016caf5d065fa0c0a06a143c9ba68301f656b6bd4cc04b6a9985295863147b21150cc1234fc26207c5e9d872e679c1be9823e9fa40

Download Submit
C:\Windows\{E44352F2-9E94-4d6d-8035-52A7F06F407A}.exe

Filesize
197KB

MD5
76b8267b5ef4b1dc7162ad95461694cb

SHA1
59a3ce91821610e55503874438e8786e034e4975

SHA256
7cd8004fb73ce2aa63f8512ab140211adfb9a2e134229da09739183ba24258b5

SHA512
6cb5bf8536c1544e87b87294da0f3dc17f39459e30892b359545380c32e76db62ff4c4061ac0a618ba14e9f5c36f97848ebb5f66dca486957890655d45c079ec

Download Submit
C:\Windows\{E917C560-1A55-46bd-B062-97683E3D7CAE}.exe

Filesize
197KB

MD5
0de2e6c7cd9e6c982b8a58631a17b8cb

SHA1
21148f9de7b7bd905e1318a098e06fdcb38bea73

SHA256
1a82769a1ef7b30b6801545cb46566972160c0d576adb6659103ffd8b8ff3e0b

SHA512
8a8fb5420db0ebb0d9474c8017e9084fe905879ae8509cc9fc7f3377089b48aeb7cac7af199b25c07bef013d8f7f24144974fb31b643363a207b01992fb78534

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads