0d3f788037b3856851ee164afdd9a38319610eb0c99be4a54a432d706c7bfd0f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 03:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe
Size

408KB
MD5

6fb6de560023033bd8efa26eb26a95d6
SHA1

60af5d1a08dd01c6363c5262a96a4adf73916670
SHA256

0d3f788037b3856851ee164afdd9a38319610eb0c99be4a54a432d706c7bfd0f
SHA512

d1e41e119cfb7863f70c7f56233e0f24853dfd871af6155cb43689bc406c751341a526d48bf59bc23337f2579d748498693bf97284b76623b35afcf4b81242f5
SSDEEP

3072:CEGh0ocl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGeldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0016000000021f87-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022ac3-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023390-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022ac3-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023390-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022ac3-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023390-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022ac3-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023390-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022ac3-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023390-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022ac3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A74915-B093-4567-8E6E-C2B6B8680995}\stubpath = "C:\\Windows\\{16A74915-B093-4567-8E6E-C2B6B8680995}.exe"	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48A43347-1B7D-4ada-80C5-E6A2927D79F5}	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48A43347-1B7D-4ada-80C5-E6A2927D79F5}\stubpath = "C:\\Windows\\{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe"	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA49C71B-3934-48d0-8268-BC5851A182E7}	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}\stubpath = "C:\\Windows\\{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe"	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84858968-73B2-4cdb-91A4-F88873838898}\stubpath = "C:\\Windows\\{84858968-73B2-4cdb-91A4-F88873838898}.exe"	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3DB7B8-D53D-4927-87F0-4391041864F1}	{84858968-73B2-4cdb-91A4-F88873838898}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{536828B7-2D76-42e5-9C23-B50400F61784}	{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}\stubpath = "C:\\Windows\\{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe"	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}\stubpath = "C:\\Windows\\{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe"	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}\stubpath = "C:\\Windows\\{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe"	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A74915-B093-4567-8E6E-C2B6B8680995}	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88082B9C-BA11-4e39-BA73-6BB91A53CF04}\stubpath = "C:\\Windows\\{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe"	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}\stubpath = "C:\\Windows\\{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe"	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3DB7B8-D53D-4927-87F0-4391041864F1}\stubpath = "C:\\Windows\\{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe"	{84858968-73B2-4cdb-91A4-F88873838898}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA49C71B-3934-48d0-8268-BC5851A182E7}\stubpath = "C:\\Windows\\{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe"	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88082B9C-BA11-4e39-BA73-6BB91A53CF04}	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84858968-73B2-4cdb-91A4-F88873838898}	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{536828B7-2D76-42e5-9C23-B50400F61784}\stubpath = "C:\\Windows\\{536828B7-2D76-42e5-9C23-B50400F61784}.exe"	{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe
3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe
3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe
1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe
1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe
2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe
4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe
972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe
3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe
3492	{84858968-73B2-4cdb-91A4-F88873838898}.exe
4992	{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe
3528	{536828B7-2D76-42e5-9C23-B50400F61784}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe
File created	C:\Windows\{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe
File created	C:\Windows\{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe
File created	C:\Windows\{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe
File created	C:\Windows\{84858968-73B2-4cdb-91A4-F88873838898}.exe	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe
File created	C:\Windows\{536828B7-2D76-42e5-9C23-B50400F61784}.exe	{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe
File created	C:\Windows\{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe
File created	C:\Windows\{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe
File created	C:\Windows\{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe
File created	C:\Windows\{16A74915-B093-4567-8E6E-C2B6B8680995}.exe	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe
File created	C:\Windows\{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe
File created	C:\Windows\{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe	{84858968-73B2-4cdb-91A4-F88873838898}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	764	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe
Token: SeIncBasePriorityPrivilege	3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe
Token: SeIncBasePriorityPrivilege	3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe
Token: SeIncBasePriorityPrivilege	1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe
Token: SeIncBasePriorityPrivilege	1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe
Token: SeIncBasePriorityPrivilege	2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe
Token: SeIncBasePriorityPrivilege	4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe
Token: SeIncBasePriorityPrivilege	972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe
Token: SeIncBasePriorityPrivilege	3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe
Token: SeIncBasePriorityPrivilege	3492	{84858968-73B2-4cdb-91A4-F88873838898}.exe
Token: SeIncBasePriorityPrivilege	4992	{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 3648	764	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe	87
PID 764 wrote to memory of 3648	764	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe	87
PID 764 wrote to memory of 3648	764	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe	87
PID 764 wrote to memory of 1688	764	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe	88
PID 764 wrote to memory of 1688	764	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe	88
PID 764 wrote to memory of 1688	764	2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe	88
PID 3648 wrote to memory of 3860	3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe	89
PID 3648 wrote to memory of 3860	3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe	89
PID 3648 wrote to memory of 3860	3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe	89
PID 3648 wrote to memory of 1620	3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe	90
PID 3648 wrote to memory of 1620	3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe	90
PID 3648 wrote to memory of 1620	3648	{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe	90
PID 3860 wrote to memory of 3752	3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe	94
PID 3860 wrote to memory of 3752	3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe	94
PID 3860 wrote to memory of 3752	3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe	94
PID 3860 wrote to memory of 4392	3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe	95
PID 3860 wrote to memory of 4392	3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe	95
PID 3860 wrote to memory of 4392	3860	{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe	95
PID 3752 wrote to memory of 1640	3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe	96
PID 3752 wrote to memory of 1640	3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe	96
PID 3752 wrote to memory of 1640	3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe	96
PID 3752 wrote to memory of 5064	3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe	97
PID 3752 wrote to memory of 5064	3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe	97
PID 3752 wrote to memory of 5064	3752	{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe	97
PID 1640 wrote to memory of 1604	1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe	98
PID 1640 wrote to memory of 1604	1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe	98
PID 1640 wrote to memory of 1604	1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe	98
PID 1640 wrote to memory of 3876	1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe	99
PID 1640 wrote to memory of 3876	1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe	99
PID 1640 wrote to memory of 3876	1640	{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe	99
PID 1604 wrote to memory of 2272	1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe	100
PID 1604 wrote to memory of 2272	1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe	100
PID 1604 wrote to memory of 2272	1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe	100
PID 1604 wrote to memory of 1208	1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe	101
PID 1604 wrote to memory of 1208	1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe	101
PID 1604 wrote to memory of 1208	1604	{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe	101
PID 2272 wrote to memory of 4592	2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe	102
PID 2272 wrote to memory of 4592	2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe	102
PID 2272 wrote to memory of 4592	2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe	102
PID 2272 wrote to memory of 4008	2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe	103
PID 2272 wrote to memory of 4008	2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe	103
PID 2272 wrote to memory of 4008	2272	{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe	103
PID 4592 wrote to memory of 972	4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe	104
PID 4592 wrote to memory of 972	4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe	104
PID 4592 wrote to memory of 972	4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe	104
PID 4592 wrote to memory of 3224	4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe	105
PID 4592 wrote to memory of 3224	4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe	105
PID 4592 wrote to memory of 3224	4592	{16A74915-B093-4567-8E6E-C2B6B8680995}.exe	105
PID 972 wrote to memory of 3636	972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe	106
PID 972 wrote to memory of 3636	972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe	106
PID 972 wrote to memory of 3636	972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe	106
PID 972 wrote to memory of 3736	972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe	107
PID 972 wrote to memory of 3736	972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe	107
PID 972 wrote to memory of 3736	972	{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe	107
PID 3636 wrote to memory of 3492	3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe	108
PID 3636 wrote to memory of 3492	3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe	108
PID 3636 wrote to memory of 3492	3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe	108
PID 3636 wrote to memory of 3252	3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe	109
PID 3636 wrote to memory of 3252	3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe	109
PID 3636 wrote to memory of 3252	3636	{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe	109
PID 3492 wrote to memory of 4992	3492	{84858968-73B2-4cdb-91A4-F88873838898}.exe	110
PID 3492 wrote to memory of 4992	3492	{84858968-73B2-4cdb-91A4-F88873838898}.exe	110
PID 3492 wrote to memory of 4992	3492	{84858968-73B2-4cdb-91A4-F88873838898}.exe	110
PID 3492 wrote to memory of 1052	3492	{84858968-73B2-4cdb-91A4-F88873838898}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_6fb6de560023033bd8efa26eb26a95d6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe
  C:\Windows\{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe
    C:\Windows\{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe
      C:\Windows\{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Windows\{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe
        
        C:\Windows\{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe
        
        C:\Windows\{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe
        
        C:\Windows\{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\{16A74915-B093-4567-8E6E-C2B6B8680995}.exe
        
        C:\Windows\{16A74915-B093-4567-8E6E-C2B6B8680995}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe
        
        C:\Windows\{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe
        
        C:\Windows\{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\{84858968-73B2-4cdb-91A4-F88873838898}.exe
        
        C:\Windows\{84858968-73B2-4cdb-91A4-F88873838898}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe
        
        C:\Windows\{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\{536828B7-2D76-42e5-9C23-B50400F61784}.exe
        
        C:\Windows\{536828B7-2D76-42e5-9C23-B50400F61784}.exe
        13⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE3DB~1.EXE > nul
        13⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84858~1.EXE > nul
        12⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F46C7~1.EXE > nul
        11⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88082~1.EXE > nul
        10⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16A74~1.EXE > nul
        9⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEDDB~1.EXE > nul
        8⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA49C~1.EXE > nul
        7⤵
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70B6C~1.EXE > nul
        6⤵
        
        PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48A43~1.EXE > nul
        5⤵
        
        PID:5064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{970E4~1.EXE > nul
      4⤵
      PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F628~1.EXE > nul
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16A74915-B093-4567-8E6E-C2B6B8680995}.exe

Filesize
408KB

MD5
733d04ef8fa7aad7814e3198cfec221f

SHA1
c8824cdc19ee3b87b191aebf9688b55365b70d16

SHA256
713e93001db13fb538d59789196fb74aec043e56574ca7430088e679b4883780

SHA512
3d9aeefa84caec0aae83e3aa1ca960d55f142d145595962dfaacb12d1cfc3edf343f5fcdcbc3182db2a6f1210ff13f22f9bf7eb0fa0c3caaf111eb62ffba00d6

Download Submit
C:\Windows\{48A43347-1B7D-4ada-80C5-E6A2927D79F5}.exe

Filesize
408KB

MD5
32bfc0eb9b0eac18f332e854f5607043

SHA1
39dd3389ed734511f210901d2a35055e2c97d35f

SHA256
da7c473bd9be7efad3d0f40a4de67f025d43675215f1b67d11b38c756c71af79

SHA512
49cca54cd615e0079e9502044a96c474c2962cf4205eb6a812bee8967b45bd1eb29051706bd1266bc595e4c464e7977f770f7e9dfa70c9ee02c678654aefdc50

Download Submit
C:\Windows\{536828B7-2D76-42e5-9C23-B50400F61784}.exe

Filesize
408KB

MD5
3885f8c8d7d79904a396a4f6e280315a

SHA1
a445d1b4c4682160953fb2e2e09ed5963828ea13

SHA256
f856a9b7b12cec0a3a841769832708714992908030d1fece58469cb06545b5dd

SHA512
106ee8dfc8dcb82c07aa74363f93123364f6d068aa4f0dc802959067798d617fa33183af306f1fbeadf8589a2639777d9df3f99bd77908973e49ac8257c924cc

Download Submit
C:\Windows\{5F628C0B-531C-4e78-88EA-5A8EA2B27C9C}.exe

Filesize
408KB

MD5
26a577e00543cf150c6355cbbb81be52

SHA1
dae93ece35ec410afe4de25599f3c51e6179dc8f

SHA256
407af3de7e5404da1a7cfc5f0b48fdf67f837561d2bf558c99e514e71a258dc4

SHA512
ff9f8821f8c08a8d89d7f2e6e3469a2cfea6f29c51275c32816627872a30872af7983a6f1c3b79511f557911fbb0181b57bbbadd58ddebf697e4671bb6610b85

Download Submit
C:\Windows\{70B6CB23-2558-41da-AC31-2DFF4CB77D3D}.exe

Filesize
408KB

MD5
86261a9da74cb9bbafdc1d1946c91a5d

SHA1
2f0542a44dbd77cc11bab6105e7e9d1b10a967b4

SHA256
0e78244d96ec5886839916fc8be3ef7fe0a4ad183e701e3e7e7512544e09bc5f

SHA512
b9fd33ed486c37819e1700768e6a3ae12aeec915d2c1145a07251ae99404899360370e003667588c30a77113beeeb1b68e066dd93826be93fe74a6cf77fa4db3

Download Submit
C:\Windows\{84858968-73B2-4cdb-91A4-F88873838898}.exe

Filesize
408KB

MD5
c0f8ac59ad3005dc8c855c86872bf210

SHA1
f72b940e8e7e090bdc6c6b592c16cb0143d3ef2e

SHA256
cd92d7a70be2954c873ace911090929e0a5b6c35981da8b1a7568f1ef037337c

SHA512
71e96487f0797e3472c220c5f1087460ac51a60ba2f259f6d69807b23f77c01d2886ad775877de6007034a286d58a135d4234da618079f947d1306a521f5993d

Download Submit
C:\Windows\{88082B9C-BA11-4e39-BA73-6BB91A53CF04}.exe

Filesize
408KB

MD5
db8de4024f0b8a4ddb0b8fda8e96f778

SHA1
ff072e9f0eaab0b244a90307086601d535e45c89

SHA256
b74ea78dbf6be434aad8d7693d63776096d49e048a314480f333833f66d75f78

SHA512
7277db12cff2eb9fe3d3739a7c9cc8d9e82a53a6b008506931ccaed60dbb93df5442889cc2e2165aa5860024d5c5422488be7807a6848c19fc79f72a555b778b

Download Submit
C:\Windows\{970E4DE8-EEFD-4ffb-8D93-5020A83701A9}.exe

Filesize
408KB

MD5
f39fac6941f0286c686cfce6420ceaf1

SHA1
cb3950c1a8e1dd598a1558e131ed96336387dcf7

SHA256
52230fdaeeb8a99edd5f32e80d7401b817416dac69923a3276e2db958308b1f4

SHA512
f68970c4374756fe642930125a9efba3787b7f677138fbdb8cadc72d25019ba0bff59d7cce5e70eae93ab533742bc36b98b6463655fa037212fcda02adacd3d0

Download Submit
C:\Windows\{BA49C71B-3934-48d0-8268-BC5851A182E7}.exe

Filesize
408KB

MD5
5296363ad676d0958fc9be21328e0d4b

SHA1
e48fb8ed8ea3255ee75904d7e9a4d3f18ee9a355

SHA256
8a89cf83692e05ea05f45c1ab8374604f90fa974fb2d697e025b85eafbc0c99f

SHA512
31bd6c2b968c7e40e79d8c3a48b94858ab7af35ee55ac0c52e6da71614e4f16f7121911fe9418363d1595902bb0759811ac0bc4fd46ee0c6588906734f38a8a1

Download Submit
C:\Windows\{BE3DB7B8-D53D-4927-87F0-4391041864F1}.exe

Filesize
408KB

MD5
9a4a1fd56517fb491c373ae36306873b

SHA1
6d0434d87e2f04b0c405010b4c59a8a9b2af33a5

SHA256
c6258ee48edd563fa0f86a48ffc5a0e0cae725603c426c7bec48934031c62a87

SHA512
7a14224f6069cbf5f1e7ba69aff6f559dc1bbd90cc16665521b81379731ab1f398aa8981bb3c3445da4f5a6201cb2c347ded083a87a2af6897de4dc04b09f17d

Download Submit
C:\Windows\{DEDDB39A-CD1D-4331-A574-67EFABD80BB6}.exe

Filesize
408KB

MD5
d81b2800809b67e09d051281dc84644d

SHA1
f8870e56730193531c3c2b2af30defc1117badfa

SHA256
92cceafdb835f1b553715331889280d9d28c35b737bcd1f7c078284612f6c012

SHA512
5e2be44210a84098f6fdbcf6787f63a8f5fac2e481fe449e12dfd0893592ed8f806459ea24170a9c0efc7de9e201d09a599cc01a801af7cddd7a543803701369

Download Submit
C:\Windows\{F46C74B8-9D98-4bbc-BE2C-D49415DD01E9}.exe

Filesize
408KB

MD5
1f3e7e5d1bb1d02ccf8cde18b6f41e0f

SHA1
1a12952845f334e6e8c07de6b71548c109b3cced

SHA256
cf8bc2ade31ec85bf69d27e98aaee74b5484d9e407c1566a45942d0a89470eaf

SHA512
f0522b19d3b65c5c886f2cc0329d83100e80e793d2f5b1cc313eea39b694101619ed49e311913d4cefd8503bb218245055fed4cc206d03039641c1f531e3e2f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads