151b8c97676b8a49587c3ebd2e84412b3759396aeee2a69ec65a9f7c30db2cb4

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Size

380KB
MD5

4922dd021c18bbd3d5fc0a36d268f28e
SHA1

cfe2ae4c1167095e08f85bc88ac741a41a0710de
SHA256

151b8c97676b8a49587c3ebd2e84412b3759396aeee2a69ec65a9f7c30db2cb4
SHA512

a323ab69224b2b59f36ea13684b082798c632bf008558f0f72248c31f70d355f967cff44a96a9a71ddc1fef1b8d3396e35a24caa733a2cc096d36b168818c5b7
SSDEEP

3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002338e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000233f8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022aae-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00170000000233f8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022aae-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a0000000233f8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022aae-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001b0000000233f8-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002297b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001c0000000233f8-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002297b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002296e-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7322A118-CFEC-4dab-8FB8-05C63F75F558}	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54AB2EC8-5C9D-4627-A746-CD280517CF8C}	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54AB2EC8-5C9D-4627-A746-CD280517CF8C}\stubpath = "C:\\Windows\\{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe"	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61308BE1-801C-43a2-8FDA-5F59324BE0B1}	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1163998B-4DC6-4120-A875-79272456A862}	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}\stubpath = "C:\\Windows\\{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe"	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A58DABCC-4D53-4035-BA22-396F660DB4E3}	{CE798634-28B4-4101-99FF-3121E9A85886}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F216E066-7317-47ac-864E-7E8A033FA684}\stubpath = "C:\\Windows\\{F216E066-7317-47ac-864E-7E8A033FA684}.exe"	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}	{1163998B-4DC6-4120-A875-79272456A862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE798634-28B4-4101-99FF-3121E9A85886}\stubpath = "C:\\Windows\\{CE798634-28B4-4101-99FF-3121E9A85886}.exe"	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A58DABCC-4D53-4035-BA22-396F660DB4E3}\stubpath = "C:\\Windows\\{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe"	{CE798634-28B4-4101-99FF-3121E9A85886}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}\stubpath = "C:\\Windows\\{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe"	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}\stubpath = "C:\\Windows\\{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe"	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7322A118-CFEC-4dab-8FB8-05C63F75F558}\stubpath = "C:\\Windows\\{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe"	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECCF6A76-5B63-4082-ADD0-EDA54470508A}	{F216E066-7317-47ac-864E-7E8A033FA684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECCF6A76-5B63-4082-ADD0-EDA54470508A}\stubpath = "C:\\Windows\\{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe"	{F216E066-7317-47ac-864E-7E8A033FA684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61308BE1-801C-43a2-8FDA-5F59324BE0B1}\stubpath = "C:\\Windows\\{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe"	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1163998B-4DC6-4120-A875-79272456A862}\stubpath = "C:\\Windows\\{1163998B-4DC6-4120-A875-79272456A862}.exe"	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}\stubpath = "C:\\Windows\\{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}.exe"	{1163998B-4DC6-4120-A875-79272456A862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE798634-28B4-4101-99FF-3121E9A85886}	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F216E066-7317-47ac-864E-7E8A033FA684}	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe

Executes dropped EXE 12 IoCs

pid	Process
212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe
1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe
2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe
1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe
632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe
4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe
2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe
2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe
2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe
3988	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe
4852	{1163998B-4DC6-4120-A875-79272456A862}.exe
2272	{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1163998B-4DC6-4120-A875-79272456A862}.exe	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe
File created	C:\Windows\{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe
File created	C:\Windows\{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe	{F216E066-7317-47ac-864E-7E8A033FA684}.exe
File created	C:\Windows\{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe
File created	C:\Windows\{CE798634-28B4-4101-99FF-3121E9A85886}.exe	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe
File created	C:\Windows\{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe	{CE798634-28B4-4101-99FF-3121E9A85886}.exe
File created	C:\Windows\{F216E066-7317-47ac-864E-7E8A033FA684}.exe	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe
File created	C:\Windows\{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe
File created	C:\Windows\{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe
File created	C:\Windows\{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
File created	C:\Windows\{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe
File created	C:\Windows\{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}.exe	{1163998B-4DC6-4120-A875-79272456A862}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe
Token: SeIncBasePriorityPrivilege	1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe
Token: SeIncBasePriorityPrivilege	2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe
Token: SeIncBasePriorityPrivilege	1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe
Token: SeIncBasePriorityPrivilege	632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe
Token: SeIncBasePriorityPrivilege	4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe
Token: SeIncBasePriorityPrivilege	2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe
Token: SeIncBasePriorityPrivilege	2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe
Token: SeIncBasePriorityPrivilege	2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe
Token: SeIncBasePriorityPrivilege	3988	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe
Token: SeIncBasePriorityPrivilege	4852	{1163998B-4DC6-4120-A875-79272456A862}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 212	2044	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	94
PID 2044 wrote to memory of 212	2044	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	94
PID 2044 wrote to memory of 212	2044	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	94
PID 2044 wrote to memory of 220	2044	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	95
PID 2044 wrote to memory of 220	2044	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	95
PID 2044 wrote to memory of 220	2044	2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe	95
PID 212 wrote to memory of 1912	212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe	97
PID 212 wrote to memory of 1912	212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe	97
PID 212 wrote to memory of 1912	212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe	97
PID 212 wrote to memory of 4632	212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe	98
PID 212 wrote to memory of 4632	212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe	98
PID 212 wrote to memory of 4632	212	{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe	98
PID 1912 wrote to memory of 2576	1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe	101
PID 1912 wrote to memory of 2576	1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe	101
PID 1912 wrote to memory of 2576	1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe	101
PID 1912 wrote to memory of 2636	1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe	102
PID 1912 wrote to memory of 2636	1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe	102
PID 1912 wrote to memory of 2636	1912	{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe	102
PID 2576 wrote to memory of 1504	2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe	103
PID 2576 wrote to memory of 1504	2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe	103
PID 2576 wrote to memory of 1504	2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe	103
PID 2576 wrote to memory of 4996	2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe	104
PID 2576 wrote to memory of 4996	2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe	104
PID 2576 wrote to memory of 4996	2576	{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe	104
PID 1504 wrote to memory of 632	1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe	105
PID 1504 wrote to memory of 632	1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe	105
PID 1504 wrote to memory of 632	1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe	105
PID 1504 wrote to memory of 4460	1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe	106
PID 1504 wrote to memory of 4460	1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe	106
PID 1504 wrote to memory of 4460	1504	{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe	106
PID 632 wrote to memory of 4612	632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe	108
PID 632 wrote to memory of 4612	632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe	108
PID 632 wrote to memory of 4612	632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe	108
PID 632 wrote to memory of 2772	632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe	109
PID 632 wrote to memory of 2772	632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe	109
PID 632 wrote to memory of 2772	632	{CE798634-28B4-4101-99FF-3121E9A85886}.exe	109
PID 4612 wrote to memory of 2488	4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe	110
PID 4612 wrote to memory of 2488	4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe	110
PID 4612 wrote to memory of 2488	4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe	110
PID 4612 wrote to memory of 4956	4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe	111
PID 4612 wrote to memory of 4956	4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe	111
PID 4612 wrote to memory of 4956	4612	{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe	111
PID 2488 wrote to memory of 2988	2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe	113
PID 2488 wrote to memory of 2988	2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe	113
PID 2488 wrote to memory of 2988	2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe	113
PID 2488 wrote to memory of 2540	2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe	114
PID 2488 wrote to memory of 2540	2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe	114
PID 2488 wrote to memory of 2540	2488	{F216E066-7317-47ac-864E-7E8A033FA684}.exe	114
PID 2988 wrote to memory of 2260	2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe	120
PID 2988 wrote to memory of 2260	2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe	120
PID 2988 wrote to memory of 2260	2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe	120
PID 2988 wrote to memory of 612	2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe	121
PID 2988 wrote to memory of 612	2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe	121
PID 2988 wrote to memory of 612	2988	{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe	121
PID 2260 wrote to memory of 3988	2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe	122
PID 2260 wrote to memory of 3988	2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe	122
PID 2260 wrote to memory of 3988	2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe	122
PID 2260 wrote to memory of 452	2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe	123
PID 2260 wrote to memory of 452	2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe	123
PID 2260 wrote to memory of 452	2260	{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe	123
PID 3988 wrote to memory of 4852	3988	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe	124
PID 3988 wrote to memory of 4852	3988	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe	124
PID 3988 wrote to memory of 4852	3988	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe	124
PID 3988 wrote to memory of 4880	3988	{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_4922dd021c18bbd3d5fc0a36d268f28e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe
  C:\Windows\{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe
    C:\Windows\{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe
      C:\Windows\{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe
        
        C:\Windows\{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\{CE798634-28B4-4101-99FF-3121E9A85886}.exe
        
        C:\Windows\{CE798634-28B4-4101-99FF-3121E9A85886}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe
        
        C:\Windows\{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\{F216E066-7317-47ac-864E-7E8A033FA684}.exe
        
        C:\Windows\{F216E066-7317-47ac-864E-7E8A033FA684}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe
        
        C:\Windows\{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe
        
        C:\Windows\{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe
        
        C:\Windows\{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\{1163998B-4DC6-4120-A875-79272456A862}.exe
        
        C:\Windows\{1163998B-4DC6-4120-A875-79272456A862}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}.exe
        
        C:\Windows\{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11639~1.EXE > nul
        13⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1251~1.EXE > nul
        12⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61308~1.EXE > nul
        11⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECCF6~1.EXE > nul
        10⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F216E~1.EXE > nul
        9⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A58DA~1.EXE > nul
        8⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE798~1.EXE > nul
        7⤵
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54AB2~1.EXE > nul
        6⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7322A~1.EXE > nul
        5⤵
        
        PID:4996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{12FB5~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{43B13~1.EXE > nul
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1163998B-4DC6-4120-A875-79272456A862}.exe

Filesize
380KB

MD5
e069652d2b3d6f891f79b5f2c1ca91bd

SHA1
849f25d4dd314c53f1cd93d2be80f9dcff03215d

SHA256
4ba241f3f933c1df7661506383b1e448e4023f4c4191d1be069088af020f4c8b

SHA512
93cf96713f14cb448ffff82c2584de6d81bc6e6b4817da53c80f1fb543cbe446f57433129b05656936b4edfd0b828cd8ed620ccd0cfa122a037fe7e95bdf4df9

Download Submit
C:\Windows\{12FB5964-C0C9-4a79-A9E0-BBDE2E482330}.exe

Filesize
380KB

MD5
9055fe3b23e56f8d486fedf4fd23c762

SHA1
d64f9266ef77a08de62e071122d6bf5581fdc0c5

SHA256
9b5ad40b016787d1dbabffecc2d9418a85e9ae3cfd72cda20061991bea7cf3ce

SHA512
dc9ab1b3b67cef8b3906f1ba8f1b8d729e67f0f2ce47a83fddd7bb19d056abc1344574ba0d25c397ab57a56eb7ada3f2f4d1bc63115951299539b2c4695fe786

Download Submit
C:\Windows\{43B13CC6-7ED4-4640-A43C-DBB01BDA0156}.exe

Filesize
380KB

MD5
6cb0d23f6b22e5db670d4fdc7af783b1

SHA1
47d3f04e4c8e166647f59c27c29ce1c4813f8ddd

SHA256
2f32bd86fea1e501e6228df7bc48104a6cd2abb9adf077ea33fd4e1280534c14

SHA512
f1af06e9f7ecac5d6719113f2de80450cbfb97d5039802bded383d6c80424f3fa525b1ea59dbed3dccc5bb7f5f9bc1d925a06ce2a0f21ed50c6d242a47ffc3b9

Download Submit
C:\Windows\{54AB2EC8-5C9D-4627-A746-CD280517CF8C}.exe

Filesize
380KB

MD5
2888876a0d7ab2e34e9805b3e6085cac

SHA1
c00b9a57a884374ef3a5cf6cd1c848802274fc7a

SHA256
e5358805096418055216c1d364824cada9e4e5d432d08132fda1cbf0fcf0e22f

SHA512
7a4d044f50b2f383e8431ca70afa601a818f952119255af846637daed72ce1623585f135ae1f97113b64d719064d679785f15a3b32302881170f823de29c2731

Download Submit
C:\Windows\{61308BE1-801C-43a2-8FDA-5F59324BE0B1}.exe

Filesize
380KB

MD5
032ae63d90b920aef4cabd2e62596c47

SHA1
d916aafb711418908dfd8ad08bd680854a6a7ae8

SHA256
5e8fa9023e02fab9a8cc1e7a6ab2cd1059144eb170e1637d5ef6fa70e5674d52

SHA512
b170aaea5be45de4ec3838213ebce8638f19ebdf157019a0e33d2803b01d94217945bcdd80baebce340ba3ae33439b9d0621ba1d39d654a84d708aadc432a891

Download Submit
C:\Windows\{7322A118-CFEC-4dab-8FB8-05C63F75F558}.exe

Filesize
380KB

MD5
146d880652b52ac4aea7c5e51e446d94

SHA1
600013c69c5750d29098a20036b8d381201ebfa3

SHA256
343ec6fb8f25616e038b4ddec6ecccf35a68a83e1d0c62d379806542b6e822a5

SHA512
092c0ae8de5e1083693f25847bf84b961ee300e766206ad61574f6459bf90ef358d068b298213068a69743ec5b689282f4ace62463cd9b8edd800922ae47dfd5

Download Submit
C:\Windows\{A58DABCC-4D53-4035-BA22-396F660DB4E3}.exe

Filesize
380KB

MD5
eacc58b007555f719270cb0156afd17e

SHA1
4580181db683fb8f989e7cc0036bedaa2bb4f176

SHA256
58dcbad9eb28efb4620fd2196454f618231614b30d5456a6a5c16a5c71dea987

SHA512
815ddd538354dbcceddbc435e1b1584308b898580673dcffb97926f1597f6b3a488ace627c8e72c3dbbd5df08a5000e758ff6de77752c455d47e8d5853986016

Download Submit
C:\Windows\{CE798634-28B4-4101-99FF-3121E9A85886}.exe

Filesize
380KB

MD5
0f6165de292fffe8c61590fc447acf1a

SHA1
7707ce298832adcd75d9a6f1dc4b01e3e80529b3

SHA256
9906150fe93e819afd6dba974fbd3fb9ee62ed39c2d41016cc8fd7fcff42f3b2

SHA512
a78ce206d40a677d926ebc8a09d222acf7aa424fec25dcdb6591653b6b2c5208b758ae451093b91b2eb73729f5fff7481e6885a08bcf5675fe2a50b0046f0722

Download Submit
C:\Windows\{D1251CB8-2179-4bb3-B6F9-6AB5FB0816E6}.exe

Filesize
380KB

MD5
49519a0b44f5a7da5fe88df855e18911

SHA1
528ecdf32919fb81137ac8c3d87a84c24b50f677

SHA256
a8d85776738e05500e58fe6f1b29c71a45c00a876f91afd7cce9bab4936e5202

SHA512
4b102e4fa93230c3b64034da0667bac3884f629cb741fae5e749207bd8b3c6e0cbd156b6ef0f1c7fe6093f9ef581e626f446c541341a6da75e3d07bac37d5b3e

Download Submit
C:\Windows\{ECCF6A76-5B63-4082-ADD0-EDA54470508A}.exe

Filesize
380KB

MD5
c7ba42c1f0f327c7de0e7f21fc458fa1

SHA1
9e5fe6cb459691cd1f2c3a49cd38b3e05cb85c35

SHA256
d47cd9ef3231a3d6fac1f700d795ee0dfb35005349faea21ec2d760756f8d640

SHA512
1119037a5c8e6eaeb46533810d7b99eec528b8824c87fc074f19ef8b3c97535bcf55a120625437c8cefc44a1ce9816be59f276aa226cd78326e7cf13b84b9b74

Download Submit
C:\Windows\{F216E066-7317-47ac-864E-7E8A033FA684}.exe

Filesize
380KB

MD5
830191bd4bc196b630bab869223c978e

SHA1
4e49b0c43375393fea0a9b6a4d04a6b88c846bac

SHA256
99e4326503a4b3f6bb6082cdc61f66e1dc9574dad13a63780d5d19dce5019693

SHA512
91a112668dcf4c4e4018f363d7b72e3fc76351bdbe7a9b08c5ce2216606173c19b95334e9ba311948de4908bfe8c2fde92f3d4dc77a9b6f948874e6ffff62b42

Download Submit
C:\Windows\{F35210E0-56FA-4d02-AC4D-34CBFB398EC2}.exe

Filesize
380KB

MD5
63b0f2c9052b251d74a3f31870ab34e6

SHA1
6ad88a8042c133794e31de26da6cfd9dff493d8d

SHA256
b37e152a61942db94570f86c9b802234cf4fa3e8a31f0db3537d0bfb68e02abd

SHA512
78fe70574fc686e1c60b76491c98ca6c86e227a0ab8c20962bbb756c1ebce630b81ed414dc161294dc5ecc0f02078252067fe9d13547bae7dab9887fdf9d0fed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads