ae68a4f5ab9cdc5ae5e3c144986dc8cfd51476826199c79b3b8d4808c64ccd63

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Size

197KB
MD5

41fc29f916636233652684f7ea14011b
SHA1

6990594236bce3aa7399eb048c73e21ebdca114e
SHA256

ae68a4f5ab9cdc5ae5e3c144986dc8cfd51476826199c79b3b8d4808c64ccd63
SHA512

8488a5e50cc475acf83e34e339e28e1dd2a10c12c31a2c0703fa333865f043c3322d85d307e37b05de58cc6e3febb2a36f5d5e731f72ed8cd3cc2481b2bedc03
SSDEEP

3072:jEGh0oOl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGUlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002328e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002328e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002328e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002340d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002340d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002340d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002340d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}	{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}\stubpath = "C:\\Windows\\{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe"	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E31968E-D2A3-4234-91E0-7310325461F5}\stubpath = "C:\\Windows\\{0E31968E-D2A3-4234-91E0-7310325461F5}.exe"	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D4ABC1-BB6F-4590-8298-D910F0955993}	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}\stubpath = "C:\\Windows\\{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe"	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}\stubpath = "C:\\Windows\\{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe"	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24EC53F-31F4-4103-9D59-92CF6CCA310F}	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F67C5694-E71B-40d5-8944-FD9E51B5373B}	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AC1588-FCD4-4ba9-8182-D39611ECB03D}\stubpath = "C:\\Windows\\{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe"	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}\stubpath = "C:\\Windows\\{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe"	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}\stubpath = "C:\\Windows\\{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}.exe"	{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}\stubpath = "C:\\Windows\\{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe"	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D4ABC1-BB6F-4590-8298-D910F0955993}\stubpath = "C:\\Windows\\{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe"	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F67C5694-E71B-40d5-8944-FD9E51B5373B}\stubpath = "C:\\Windows\\{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe"	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AC1588-FCD4-4ba9-8182-D39611ECB03D}	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}\stubpath = "C:\\Windows\\{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe"	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E31968E-D2A3-4234-91E0-7310325461F5}	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24EC53F-31F4-4103-9D59-92CF6CCA310F}\stubpath = "C:\\Windows\\{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe"	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe
1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe
1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe
1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe
4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe
208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe
516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe
752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe
3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe
924	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe
1484	{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe
4556	{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
File created	C:\Windows\{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe
File created	C:\Windows\{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe
File created	C:\Windows\{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe
File created	C:\Windows\{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe
File created	C:\Windows\{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe
File created	C:\Windows\{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe
File created	C:\Windows\{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe
File created	C:\Windows\{0E31968E-D2A3-4234-91E0-7310325461F5}.exe	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe
File created	C:\Windows\{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe
File created	C:\Windows\{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe
File created	C:\Windows\{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}.exe	{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3348	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe
Token: SeIncBasePriorityPrivilege	1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe
Token: SeIncBasePriorityPrivilege	1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe
Token: SeIncBasePriorityPrivilege	1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe
Token: SeIncBasePriorityPrivilege	4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe
Token: SeIncBasePriorityPrivilege	208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe
Token: SeIncBasePriorityPrivilege	516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe
Token: SeIncBasePriorityPrivilege	752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe
Token: SeIncBasePriorityPrivilege	3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe
Token: SeIncBasePriorityPrivilege	924	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe
Token: SeIncBasePriorityPrivilege	1484	{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 4860	3348	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	83
PID 3348 wrote to memory of 4860	3348	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	83
PID 3348 wrote to memory of 4860	3348	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	83
PID 3348 wrote to memory of 4944	3348	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	84
PID 3348 wrote to memory of 4944	3348	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	84
PID 3348 wrote to memory of 4944	3348	2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe	84
PID 4860 wrote to memory of 1756	4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe	85
PID 4860 wrote to memory of 1756	4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe	85
PID 4860 wrote to memory of 1756	4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe	85
PID 4860 wrote to memory of 2424	4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe	86
PID 4860 wrote to memory of 2424	4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe	86
PID 4860 wrote to memory of 2424	4860	{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe	86
PID 1756 wrote to memory of 1820	1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe	88
PID 1756 wrote to memory of 1820	1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe	88
PID 1756 wrote to memory of 1820	1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe	88
PID 1756 wrote to memory of 4220	1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe	89
PID 1756 wrote to memory of 4220	1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe	89
PID 1756 wrote to memory of 4220	1756	{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe	89
PID 1820 wrote to memory of 1508	1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe	90
PID 1820 wrote to memory of 1508	1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe	90
PID 1820 wrote to memory of 1508	1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe	90
PID 1820 wrote to memory of 4352	1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe	91
PID 1820 wrote to memory of 4352	1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe	91
PID 1820 wrote to memory of 4352	1820	{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe	91
PID 1508 wrote to memory of 4604	1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe	92
PID 1508 wrote to memory of 4604	1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe	92
PID 1508 wrote to memory of 4604	1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe	92
PID 1508 wrote to memory of 4896	1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe	93
PID 1508 wrote to memory of 4896	1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe	93
PID 1508 wrote to memory of 4896	1508	{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe	93
PID 4604 wrote to memory of 208	4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe	94
PID 4604 wrote to memory of 208	4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe	94
PID 4604 wrote to memory of 208	4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe	94
PID 4604 wrote to memory of 4124	4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe	95
PID 4604 wrote to memory of 4124	4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe	95
PID 4604 wrote to memory of 4124	4604	{0E31968E-D2A3-4234-91E0-7310325461F5}.exe	95
PID 208 wrote to memory of 516	208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe	96
PID 208 wrote to memory of 516	208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe	96
PID 208 wrote to memory of 516	208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe	96
PID 208 wrote to memory of 2040	208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe	97
PID 208 wrote to memory of 2040	208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe	97
PID 208 wrote to memory of 2040	208	{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe	97
PID 516 wrote to memory of 752	516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe	98
PID 516 wrote to memory of 752	516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe	98
PID 516 wrote to memory of 752	516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe	98
PID 516 wrote to memory of 3128	516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe	99
PID 516 wrote to memory of 3128	516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe	99
PID 516 wrote to memory of 3128	516	{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe	99
PID 752 wrote to memory of 3048	752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe	100
PID 752 wrote to memory of 3048	752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe	100
PID 752 wrote to memory of 3048	752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe	100
PID 752 wrote to memory of 1288	752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe	101
PID 752 wrote to memory of 1288	752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe	101
PID 752 wrote to memory of 1288	752	{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe	101
PID 3048 wrote to memory of 924	3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe	102
PID 3048 wrote to memory of 924	3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe	102
PID 3048 wrote to memory of 924	3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe	102
PID 3048 wrote to memory of 1324	3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe	103
PID 3048 wrote to memory of 1324	3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe	103
PID 3048 wrote to memory of 1324	3048	{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe	103
PID 924 wrote to memory of 1484	924	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe	104
PID 924 wrote to memory of 1484	924	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe	104
PID 924 wrote to memory of 1484	924	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe	104
PID 924 wrote to memory of 4128	924	{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-08_41fc29f916636233652684f7ea14011b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe
  C:\Windows\{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe
    C:\Windows\{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe
      C:\Windows\{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe
        
        C:\Windows\{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\{0E31968E-D2A3-4234-91E0-7310325461F5}.exe
        
        C:\Windows\{0E31968E-D2A3-4234-91E0-7310325461F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe
        
        C:\Windows\{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe
        
        C:\Windows\{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe
        
        C:\Windows\{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe
        
        C:\Windows\{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe
        
        C:\Windows\{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe
        
        C:\Windows\{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}.exe
        
        C:\Windows\{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}.exe
        13⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76AC1~1.EXE > nul
        13⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B89D~1.EXE > nul
        12⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F67C5~1.EXE > nul
        11⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95D4A~1.EXE > nul
        10⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B1B~1.EXE > nul
        9⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B24EC~1.EXE > nul
        8⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E319~1.EXE > nul
        7⤵
        
        PID:4124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA76A~1.EXE > nul
        6⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E763~1.EXE > nul
        5⤵
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF3C0~1.EXE > nul
      4⤵
      PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8504D~1.EXE > nul
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E31968E-D2A3-4234-91E0-7310325461F5}.exe

Filesize
197KB

MD5
3ce6501f04ec945a40f46ea744fac88f

SHA1
0ca80bc950d2f272d9ff6a109462ae3bec8fe1a7

SHA256
9ca5573085dd6c063a79bc6722aeb519a4bce39226e6609f9336f44d0d5451d1

SHA512
968306cedb136d4b571b41a3118ee557761c98e7c771d3b5871043ccf6c76f150583b67c03f6c183ce5eddf3d96f901b221e859dab4bdcb42ed137563d79b701

Download Submit
C:\Windows\{76AC1588-FCD4-4ba9-8182-D39611ECB03D}.exe

Filesize
197KB

MD5
978f72eeebad7b0a882ad9d59be09f62

SHA1
ad7a888f2738dc97b12c80011af98e51464519ef

SHA256
370f1895ac14b541717befca20ac1fca4cc01e2edbabbbb4aecc6680ba913b0c

SHA512
a70bdda286744bc750ecefac279caa0f8e0f320f963e68a45ab9b8312abb6c4b3d394c2f5dd9a8f35bc51b79a6ba684fe017a8e62aa91752d976a9fcca560ec8

Download Submit
C:\Windows\{8504D8BD-F321-4af0-85CD-FDF21EF3E6BE}.exe

Filesize
197KB

MD5
4a3d0064a5f9093c991049751180214a

SHA1
f70cf92c8858836f8796f72e737925e1a36dcfe0

SHA256
22d9d1b647bf74ee94ad42b3a8faf1da7013132bd38644c13bf68ab186d2cccc

SHA512
767870deff57335f8feb0579fef366a9b13db860d3ba212efa31841a8ef6187adaea0df27fd60a99c6fa12b1b83530643ef7de216174575aafc1a773ca73ccc5

Download Submit
C:\Windows\{8E763F95-05A4-4e0e-8CC9-F74E48FD9388}.exe

Filesize
197KB

MD5
b1622e72d2caed89faadeabd5aab4309

SHA1
23610f141be8743d320b8e62a31950ed570a5793

SHA256
2bb227ff224f9e6901a179230626f39cb9380e046fb0a69f99ec9f85f67df599

SHA512
7cd1a82341743b82f7396b75e58f7630a51b47dd261d789af486c403916d8fa2e14d493d7d7b659f5f3abaac035f96ecab71742adc5e8007c92b5961cb406ebf

Download Submit
C:\Windows\{95D4ABC1-BB6F-4590-8298-D910F0955993}.exe

Filesize
197KB

MD5
4a75b74991222e0ed95b0683f992cf62

SHA1
25363dc0050c6d6730dc4bfc0a299d0f56d119f5

SHA256
70c0c15b9a0ea6207c4a881c2b46984db24552da6f63e507cb9d78a1e2dda84d

SHA512
4e43c68e5eaec592704b32180e03b657e98a71a3d90655d001b99b5a92fa5397c7a420404cf6cedd3279f153da077b61ee037905b226028653162cbb50839586

Download Submit
C:\Windows\{9B89DDD3-D896-4b9f-894C-CE9D88ED0B48}.exe

Filesize
197KB

MD5
d53c0369358e6bc4b137d9bfb0441a4c

SHA1
63020e06b1c518f4f16b6625bfe9a3604b3840c5

SHA256
3deb08c09012b6e11ee0d42a37a79e00d7bdfc27ee58dc7796d6014a4f7525b9

SHA512
e80ac1339a73d20dcc15af29d89352a121fae0666c109ae062d8a0d89b12927214685877b45b897e00633f3a6f793114bea2373737e83f1f1cbc0c66bb7f1731

Download Submit
C:\Windows\{AA76AD3C-7CC8-4267-AC44-8454E0832EA8}.exe

Filesize
197KB

MD5
5277c2ede7f0d64b05407aec046548a9

SHA1
f217baef594cf2c0a7b4821115e6604c91c1121f

SHA256
e30cf70a72f5aec07bc283079efa839eff56416ac239ddf4775af665194a26fc

SHA512
ed952c566ef0dea3678c790c2e1ec9c41a344a2b110335ac87247ef9d020bc77e6a0ff89c220085ca8098eb0aa0c7ea6594cb9e6e0c40c849d4e4e6c40e6fd0a

Download Submit
C:\Windows\{B24EC53F-31F4-4103-9D59-92CF6CCA310F}.exe

Filesize
197KB

MD5
ce22786019be971a9455ed8901ded92e

SHA1
19e653bca1282887557d0cf79bcafd0ee053b300

SHA256
64077828327c596621a11db343aacf6fa0ae6c9f5fecba497f4a9a5608123dd3

SHA512
ff3044f046cd80105bac0678a7267115bd0e129c034906301aaa1a9dc7f435e0f481b9eb34ac238bbcb84975b238ad3c35c23b26251b8e6c15231520ebb1eb17

Download Submit
C:\Windows\{B2F58F07-C210-4fd8-B9A1-1E4804AD5A64}.exe

Filesize
197KB

MD5
e9593c3874f4affb213a74756c5fccb0

SHA1
5bcd1f99cc1ccd9922494c9d20ac984363b1c649

SHA256
816fc779039f677932fb2f4e66278e6ed3419a360fcee5f2ce56c939e815abe2

SHA512
67e1ce9fedc82138e700c340844f59e8980a97f3a94bc8b246c7788c5030d866b438c78c7a37bb0e00c15d9efa39495cf638dcacb7b65f88ad6061184046bbf2

Download Submit
C:\Windows\{EF3C034F-E642-4b71-8B1C-0B9E56AAE1D0}.exe

Filesize
197KB

MD5
759e9ac5eb813ee461037e74091c5bf1

SHA1
fad13adea5cf0d8590be1688aa60edb483af13c2

SHA256
7c58055f76f6aab779040844fe82b2f7ea05dde1fe65cdc9feedc8e6292d5751

SHA512
57066f4871afa230cfd435855e7ac08a1ca6630b9890c3639230f96c782bb7f273d190ebcd3ad2b04973c72ce15c230ab3237ece1507935cb580431f978118c6

Download Submit
C:\Windows\{F3B1B40E-1D19-4d4f-92FC-42638D02E7FA}.exe

Filesize
197KB

MD5
27faab6aa57fb7f94d48c54dc57229ef

SHA1
949179f9714bc959e40af7a5a1e3072132e1be3a

SHA256
5d70a86088f3b3854b7f6fca77ddf6f1151bc8d5cec82effd29c0ccf13bf101a

SHA512
c1e94669d2ea17c19f8e6c78231a72c247bdde694eea741468e74f3efe54c792729ece89ff7695bb23d3b42f1ae588495fe8f7d40ec2d888c020154a3ac9b6c7

Download Submit
C:\Windows\{F67C5694-E71B-40d5-8944-FD9E51B5373B}.exe

Filesize
197KB

MD5
5fe7a9fb11186162a35b43d199647c76

SHA1
1eab76635939e217bbb3ea9b83d7866c3dcf332c

SHA256
b7cf1e2f15315d4feefe07bcb276b548ce6b7386fb8d0769c3be7518f8ccb367

SHA512
9f0a9e423d4b7e36d28830b0a9bb63439a468f021fbc57db090d9772fe624dfbbff626fafdc7cc693f73a850407ed6b8072d0100b30a2b8ceb6b2de37e7f7d69

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads