9ca513d9cac3b635578fe370f25e495bfffb14b6c1d59d0d0d4821d5fb5b47d1

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Size

380KB
MD5

8688031bfd82e7066eb671e98204f1bd
SHA1

7ed38933891867e42fbd19e3df2dbefd2c7dd8ff
SHA256

9ca513d9cac3b635578fe370f25e495bfffb14b6c1d59d0d0d4821d5fb5b47d1
SHA512

32fa43aaf137a802a23ab7d1d2563cd36e047dfb0932b62ce1f4c6d28afb451de58d121c49cee06d85fdf0bf290d15312b6a7ba52957b5920ad60ce36699f9de
SSDEEP

3072:mEGh0omlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGgl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0010000000023a12-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0019000000023b23-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023b90-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a000000023b23-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023b90-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b93-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023b90-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba9-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0020000000023b23-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023b90-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0021000000023b23-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x002400000002384c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87EA8685-CC52-4a8c-88EF-E0B06385295B}\stubpath = "C:\\Windows\\{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe"	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD3BCE75-144B-4ef4-9E41-AA723347AC54}\stubpath = "C:\\Windows\\{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe"	{873CF0A7-701C-4606-A77F-5DB000745524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E63D1E-DCA5-438d-872B-0C911CB76A9B}	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B491DB11-0BA0-4706-AB77-9A8D864B6E85}	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B491DB11-0BA0-4706-AB77-9A8D864B6E85}\stubpath = "C:\\Windows\\{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe"	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}\stubpath = "C:\\Windows\\{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe"	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E325016-D169-4edc-95F2-E0C104247FFD}\stubpath = "C:\\Windows\\{6E325016-D169-4edc-95F2-E0C104247FFD}.exe"	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60526F2A-4C06-4287-83DD-7D28636E7319}	{6E325016-D169-4edc-95F2-E0C104247FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60526F2A-4C06-4287-83DD-7D28636E7319}\stubpath = "C:\\Windows\\{60526F2A-4C06-4287-83DD-7D28636E7319}.exe"	{6E325016-D169-4edc-95F2-E0C104247FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{327B76CC-A178-4653-BDA2-5A013BE85D5C}\stubpath = "C:\\Windows\\{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe"	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}\stubpath = "C:\\Windows\\{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe"	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873CF0A7-701C-4606-A77F-5DB000745524}	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873CF0A7-701C-4606-A77F-5DB000745524}\stubpath = "C:\\Windows\\{873CF0A7-701C-4606-A77F-5DB000745524}.exe"	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E325016-D169-4edc-95F2-E0C104247FFD}	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87EA8685-CC52-4a8c-88EF-E0B06385295B}	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{327B76CC-A178-4653-BDA2-5A013BE85D5C}	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E63D1E-DCA5-438d-872B-0C911CB76A9B}\stubpath = "C:\\Windows\\{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe"	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}\stubpath = "C:\\Windows\\{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe"	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}\stubpath = "C:\\Windows\\{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe"	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD3BCE75-144B-4ef4-9E41-AA723347AC54}	{873CF0A7-701C-4606-A77F-5DB000745524}.exe

Executes dropped EXE 12 IoCs

pid	Process
4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe
2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe
364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe
4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe
4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe
5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe
4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe
4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe
1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe
544	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe
2736	{6E325016-D169-4edc-95F2-E0C104247FFD}.exe
3960	{60526F2A-4C06-4287-83DD-7D28636E7319}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{60526F2A-4C06-4287-83DD-7D28636E7319}.exe	{6E325016-D169-4edc-95F2-E0C104247FFD}.exe
File created	C:\Windows\{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe
File created	C:\Windows\{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe
File created	C:\Windows\{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe
File created	C:\Windows\{873CF0A7-701C-4606-A77F-5DB000745524}.exe	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe
File created	C:\Windows\{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe	{873CF0A7-701C-4606-A77F-5DB000745524}.exe
File created	C:\Windows\{6E325016-D169-4edc-95F2-E0C104247FFD}.exe	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe
File created	C:\Windows\{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
File created	C:\Windows\{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe
File created	C:\Windows\{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe
File created	C:\Windows\{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe
File created	C:\Windows\{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3396	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe
Token: SeIncBasePriorityPrivilege	2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe
Token: SeIncBasePriorityPrivilege	364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe
Token: SeIncBasePriorityPrivilege	4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe
Token: SeIncBasePriorityPrivilege	4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe
Token: SeIncBasePriorityPrivilege	5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe
Token: SeIncBasePriorityPrivilege	4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe
Token: SeIncBasePriorityPrivilege	4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe
Token: SeIncBasePriorityPrivilege	1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe
Token: SeIncBasePriorityPrivilege	544	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe
Token: SeIncBasePriorityPrivilege	2736	{6E325016-D169-4edc-95F2-E0C104247FFD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4860	3396	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	96
PID 3396 wrote to memory of 4860	3396	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	96
PID 3396 wrote to memory of 4860	3396	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	96
PID 3396 wrote to memory of 692	3396	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	97
PID 3396 wrote to memory of 692	3396	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	97
PID 3396 wrote to memory of 692	3396	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	97
PID 4860 wrote to memory of 2292	4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe	98
PID 4860 wrote to memory of 2292	4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe	98
PID 4860 wrote to memory of 2292	4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe	98
PID 4860 wrote to memory of 1688	4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe	99
PID 4860 wrote to memory of 1688	4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe	99
PID 4860 wrote to memory of 1688	4860	{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe	99
PID 2292 wrote to memory of 364	2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe	102
PID 2292 wrote to memory of 364	2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe	102
PID 2292 wrote to memory of 364	2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe	102
PID 2292 wrote to memory of 4308	2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe	103
PID 2292 wrote to memory of 4308	2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe	103
PID 2292 wrote to memory of 4308	2292	{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe	103
PID 364 wrote to memory of 4940	364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe	104
PID 364 wrote to memory of 4940	364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe	104
PID 364 wrote to memory of 4940	364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe	104
PID 364 wrote to memory of 2096	364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe	105
PID 364 wrote to memory of 2096	364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe	105
PID 364 wrote to memory of 2096	364	{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe	105
PID 4940 wrote to memory of 4508	4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe	106
PID 4940 wrote to memory of 4508	4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe	106
PID 4940 wrote to memory of 4508	4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe	106
PID 4940 wrote to memory of 4460	4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe	107
PID 4940 wrote to memory of 4460	4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe	107
PID 4940 wrote to memory of 4460	4940	{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe	107
PID 4508 wrote to memory of 5000	4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe	113
PID 4508 wrote to memory of 5000	4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe	113
PID 4508 wrote to memory of 5000	4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe	113
PID 4508 wrote to memory of 3040	4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe	114
PID 4508 wrote to memory of 3040	4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe	114
PID 4508 wrote to memory of 3040	4508	{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe	114
PID 5000 wrote to memory of 4984	5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe	115
PID 5000 wrote to memory of 4984	5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe	115
PID 5000 wrote to memory of 4984	5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe	115
PID 5000 wrote to memory of 4016	5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe	116
PID 5000 wrote to memory of 4016	5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe	116
PID 5000 wrote to memory of 4016	5000	{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe	116
PID 4984 wrote to memory of 4192	4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe	121
PID 4984 wrote to memory of 4192	4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe	121
PID 4984 wrote to memory of 4192	4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe	121
PID 4984 wrote to memory of 2524	4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe	122
PID 4984 wrote to memory of 2524	4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe	122
PID 4984 wrote to memory of 2524	4984	{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe	122
PID 4192 wrote to memory of 1032	4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe	126
PID 4192 wrote to memory of 1032	4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe	126
PID 4192 wrote to memory of 1032	4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe	126
PID 4192 wrote to memory of 3400	4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe	127
PID 4192 wrote to memory of 3400	4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe	127
PID 4192 wrote to memory of 3400	4192	{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe	127
PID 1032 wrote to memory of 544	1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe	128
PID 1032 wrote to memory of 544	1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe	128
PID 1032 wrote to memory of 544	1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe	128
PID 1032 wrote to memory of 3608	1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe	129
PID 1032 wrote to memory of 3608	1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe	129
PID 1032 wrote to memory of 3608	1032	{873CF0A7-701C-4606-A77F-5DB000745524}.exe	129
PID 544 wrote to memory of 2736	544	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe	130
PID 544 wrote to memory of 2736	544	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe	130
PID 544 wrote to memory of 2736	544	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe	130
PID 544 wrote to memory of 4472	544	{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe
  C:\Windows\{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe
    C:\Windows\{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe
      C:\Windows\{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe
        
        C:\Windows\{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe
        
        C:\Windows\{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe
        
        C:\Windows\{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe
        
        C:\Windows\{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe
        
        C:\Windows\{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\{873CF0A7-701C-4606-A77F-5DB000745524}.exe
        
        C:\Windows\{873CF0A7-701C-4606-A77F-5DB000745524}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe
        
        C:\Windows\{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{6E325016-D169-4edc-95F2-E0C104247FFD}.exe
        
        C:\Windows\{6E325016-D169-4edc-95F2-E0C104247FFD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\{60526F2A-4C06-4287-83DD-7D28636E7319}.exe
        
        C:\Windows\{60526F2A-4C06-4287-83DD-7D28636E7319}.exe
        13⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E325~1.EXE > nul
        13⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD3BC~1.EXE > nul
        12⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{873CF~1.EXE > nul
        11⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B18~1.EXE > nul
        10⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA1D~1.EXE > nul
        9⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87EA8~1.EXE > nul
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BB6B~1.EXE > nul
        7⤵
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B491D~1.EXE > nul
        6⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0195D~1.EXE > nul
        5⤵
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97E63~1.EXE > nul
      4⤵
      PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{327B7~1.EXE > nul
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0195D66C-96B7-4566-B83F-A2EA80DE6AC3}.exe

Filesize
380KB

MD5
c1b07fb4d03eb3c0c467c233d6aaee83

SHA1
2373965382da2174af0d93f24e870e5f77ecff4d

SHA256
d47dca937bf147b4c9a5449267381cc37787d531d00a72aa878e4f191ee80ca6

SHA512
43da3a5a09951f2cacebe2aadd88c6d66c5205229d2b73ffb568e8eddafe6c507fbae1f7f6a7efc4304851e893684af9af06661cb8c00a763b6246212fec2491

Download Submit
C:\Windows\{0DA1D4E1-2296-429a-92CE-EB1B96A97C31}.exe

Filesize
380KB

MD5
7151aaaeceb2aae5130a96fea62efc25

SHA1
fdca931f6c4e3b88ded3d9518cf34467046f7714

SHA256
282156b4024a21bde767de83a0909900cf024b1995d86320582d59d32653d3f1

SHA512
36d1ca9a8cab4ee1becb50a4b1ada3d297d8755e836a7051db8607d312b19754b1001614d5dd868d653d10ac4c3d41dc8cf54f8cbce6bf673ebfd1ae5340bcf3

Download Submit
C:\Windows\{327B76CC-A178-4653-BDA2-5A013BE85D5C}.exe

Filesize
380KB

MD5
9297ad9e27333d48cc422e73672b7658

SHA1
ff2cd09b93c34cfec44b39859fea233529407b11

SHA256
490424731cd50ed519e843642d66fc3a5d7b5768c08b20cb0ed11727316e56ef

SHA512
713c1d310992563cb4b955e0964780a2320f514659960ee53b50db36de52131d6b819a56882cbcc9d6e9c37c883c505a9e7c61fd6e5d3033516bbc604aeec948

Download Submit
C:\Windows\{40B18048-7A3C-4db2-9708-1F87BF2BEAA5}.exe

Filesize
380KB

MD5
08ff832d4b932041e18921a4352366fe

SHA1
4ec809b29c4cee301d0da5c97f4a4c0b6459e3db

SHA256
9c72ab9a8f1cd00dc483321f15bb311fe7a3745b7f5f97ea6a6e15009395e3a8

SHA512
103e3416141b6a10c9a699738efbfcbccaf793e1fba574a782a7a249e60270f14aaeabecf4800cb0b66a5498cb8c6d9a5370d92b7aee19fa0b664a9e841e9b98

Download Submit
C:\Windows\{60526F2A-4C06-4287-83DD-7D28636E7319}.exe

Filesize
380KB

MD5
339f56dbc08ba26e175f0271e787974d

SHA1
b2df79c34dfe94a91a86586d4d590f869f0ab550

SHA256
29687088d1efec500792a3992028ae35160ebb4638ab97ee32c3397449834ed0

SHA512
4507c21a42fa7c2358f316b06f462512affbacd3e6ef22fec5f3677cd3ed7309d39bcca87ab533651695cf79fe88820613ae2957ee30ddcea4c5198c27a138dd

Download Submit
C:\Windows\{6BB6B02F-BDFF-4d60-A38D-EBBD07885FC5}.exe

Filesize
380KB

MD5
a3655a3dcc7b0e3a6d2e00f59bf3d3b7

SHA1
fba258f3805333ae2b5ab4a2acf9ebecc66b408e

SHA256
d59682686f53063c7b0e6b6062c3948772cb31dac611eca7281404635e57f7a9

SHA512
97e40c16b231423dd8d02ab104cd72cb35f5a4da12836842ad45c3b432620a1d34b2246cccb299cbcf0a32d86dd26923cecdd6e0742a9f2e1c0630e5d24518ef

Download Submit
C:\Windows\{6E325016-D169-4edc-95F2-E0C104247FFD}.exe

Filesize
380KB

MD5
9e26320691a0d9439870f9bdc248c865

SHA1
de9f79c8157307d32064f8d0ddc13eeefa1d3d04

SHA256
9d8248a831fd5e39d244dbade0017262fae8256863ba7ea161ef748b60231677

SHA512
39334865e52f728331c1f8316aa41848cd8d3e5fc8a2b2c0cb2ef2e953054d3a78ce575c2da601758fcf36da9dc064f1da36b50dbcb13fad2edfc75014dba4f0

Download Submit
C:\Windows\{873CF0A7-701C-4606-A77F-5DB000745524}.exe

Filesize
380KB

MD5
5ae3cacf87864f885dbe61e543045ba5

SHA1
e4a534f5fe42eedce403cbbec76cd8b0e42196e6

SHA256
bdd128c8aab9ac0ca79d415dbaaef68099c556fd16a11189063a89dc5850b72e

SHA512
d2e591a35cf3747365c9f1c960e9e3503c2e018f7b02181952f2b00bb6fd483f315d4a3d2901f8c3d6e8fe47e4ab83043fb67f15fcc908efbb1532e99f159dd2

Download Submit
C:\Windows\{87EA8685-CC52-4a8c-88EF-E0B06385295B}.exe

Filesize
380KB

MD5
ef54a6b341cbff316a755a650bf125eb

SHA1
4bdd7c45400a79b36801070510ababd298d5092a

SHA256
aa22e349c9151856f7a4adcb26eadddbfd3442fb906148f5de88417d992ba7d5

SHA512
ca8e4323ab9030bceaccb49fbdffe1aa9d12c58804382490920b1573db60d06af9fd607a285ff8df908dce9dbb86b6f228feb8f7fe582de2b3dd8da6d53514b1

Download Submit
C:\Windows\{97E63D1E-DCA5-438d-872B-0C911CB76A9B}.exe

Filesize
380KB

MD5
f88f9f011cd05d45c26623a8c8b63748

SHA1
37573a9ae782e82cc0b6282903dd7e443b1842e6

SHA256
1fe917088153841a7cc73c67516cbfdf281e7359a1921b57a5de3aa0eb00e3e7

SHA512
eb23d1c786ed6e4294e47d13eb693e467906b69e13d8298c92247e54cf42e754fa0ac23b88ef7704c58b89d2bf77a9b244ab7560b707447e2b95ebd8b710a1b3

Download Submit
C:\Windows\{AD3BCE75-144B-4ef4-9E41-AA723347AC54}.exe

Filesize
380KB

MD5
9350aa38c141f2697a5a8f5bbfcb24b4

SHA1
d4fe9814f35b750b293d30f26120df418a5f717f

SHA256
daf22328eafaefa50e24073498406cba25800c8f7d2a53d1f42d2f20d85f9127

SHA512
c280103e98937065c0b86aa952228f04feb99d86e78d70a261b10e6e605cbbe9845f6d8b5dcfe81d45299ff0a5ff98e634dcca3fb04996372ad9ca7b1452a903

Download Submit
C:\Windows\{B491DB11-0BA0-4706-AB77-9A8D864B6E85}.exe

Filesize
380KB

MD5
7e6acba963589710f4c919f201781818

SHA1
7d87a0f103832f4f371762255e458588e244d5df

SHA256
82881c68d4cf374397000d73b20199657b81e4d65f39bcc3caf24e86cc9e4a19

SHA512
10fddf30846bace9a7fe16b9f91f3853f870240372756128fb175a0993c43a9a18bd0a7f32db98c77c88686a3d4adb7e23b50aae31d8c48ad67bedb09a628800

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads