18f523602db666ede2e1768671f7d4642ded25691a9472d195da953fe89ca296

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe
Size

204KB
MD5

eeaa516f9071acd5506e713620920fb2
SHA1

5196011ebd137e449b2283419baf13dc0f9d1b77
SHA256

18f523602db666ede2e1768671f7d4642ded25691a9472d195da953fe89ca296
SHA512

7516d831a2d6fbe1fb140f7661856aa1bbceb8bbbfef3d28807fcf085f0ea489e43ad21aaf2d13201fb762a876eb6ed22379642d8d81f39fd9795fb426e8a901
SSDEEP

1536:1EGh0o+l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o+l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0018000000021f87-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022abb-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002339e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022abb-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002339e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022abb-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002339e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022abb-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002339e-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022abb-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002339e-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000022abb-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188E6566-8D22-4518-8C54-C1553F0DD209}\stubpath = "C:\\Windows\\{188E6566-8D22-4518-8C54-C1553F0DD209}.exe"	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C85716A-8773-43c1-B593-DAD2A7CEF883}	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}\stubpath = "C:\\Windows\\{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe"	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}\stubpath = "C:\\Windows\\{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe"	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188E6566-8D22-4518-8C54-C1553F0DD209}	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4741255-0B26-4f61-A455-7A4370F33860}	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}	{B4741255-0B26-4f61-A455-7A4370F33860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C85716A-8773-43c1-B593-DAD2A7CEF883}\stubpath = "C:\\Windows\\{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe"	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}\stubpath = "C:\\Windows\\{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe"	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F15A017-592F-4cae-B394-CAB83FFA186B}	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72E9814-88B5-4849-B7C5-0A5024AA852C}	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72E9814-88B5-4849-B7C5-0A5024AA852C}\stubpath = "C:\\Windows\\{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe"	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}\stubpath = "C:\\Windows\\{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe"	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4741255-0B26-4f61-A455-7A4370F33860}\stubpath = "C:\\Windows\\{B4741255-0B26-4f61-A455-7A4370F33860}.exe"	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31506C61-D731-4ec3-B230-D74AE2B2A0EF}	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31506C61-D731-4ec3-B230-D74AE2B2A0EF}\stubpath = "C:\\Windows\\{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe"	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F15A017-592F-4cae-B394-CAB83FFA186B}\stubpath = "C:\\Windows\\{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe"	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}\stubpath = "C:\\Windows\\{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe"	{B4741255-0B26-4f61-A455-7A4370F33860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}	{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}\stubpath = "C:\\Windows\\{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}.exe"	{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe
2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe
3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe
4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe
1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe
688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe
4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe
632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe
2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe
748	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe
3512	{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe
3516	{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{188E6566-8D22-4518-8C54-C1553F0DD209}.exe	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe
File created	C:\Windows\{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe
File created	C:\Windows\{B4741255-0B26-4f61-A455-7A4370F33860}.exe	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe
File created	C:\Windows\{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe	{B4741255-0B26-4f61-A455-7A4370F33860}.exe
File created	C:\Windows\{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}.exe	{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe
File created	C:\Windows\{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe
File created	C:\Windows\{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe
File created	C:\Windows\{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe
File created	C:\Windows\{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe
File created	C:\Windows\{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe
File created	C:\Windows\{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe
File created	C:\Windows\{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3516	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe
Token: SeIncBasePriorityPrivilege	2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe
Token: SeIncBasePriorityPrivilege	3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe
Token: SeIncBasePriorityPrivilege	4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe
Token: SeIncBasePriorityPrivilege	1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe
Token: SeIncBasePriorityPrivilege	688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe
Token: SeIncBasePriorityPrivilege	4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe
Token: SeIncBasePriorityPrivilege	632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe
Token: SeIncBasePriorityPrivilege	2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe
Token: SeIncBasePriorityPrivilege	748	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe
Token: SeIncBasePriorityPrivilege	3512	{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1432	3516	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe	88
PID 3516 wrote to memory of 1432	3516	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe	88
PID 3516 wrote to memory of 1432	3516	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe	88
PID 3516 wrote to memory of 436	3516	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe	89
PID 3516 wrote to memory of 436	3516	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe	89
PID 3516 wrote to memory of 436	3516	2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe	89
PID 1432 wrote to memory of 2672	1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe	90
PID 1432 wrote to memory of 2672	1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe	90
PID 1432 wrote to memory of 2672	1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe	90
PID 1432 wrote to memory of 3688	1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe	91
PID 1432 wrote to memory of 3688	1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe	91
PID 1432 wrote to memory of 3688	1432	{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe	91
PID 2672 wrote to memory of 3464	2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe	95
PID 2672 wrote to memory of 3464	2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe	95
PID 2672 wrote to memory of 3464	2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe	95
PID 2672 wrote to memory of 4896	2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe	96
PID 2672 wrote to memory of 4896	2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe	96
PID 2672 wrote to memory of 4896	2672	{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe	96
PID 3464 wrote to memory of 4860	3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe	97
PID 3464 wrote to memory of 4860	3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe	97
PID 3464 wrote to memory of 4860	3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe	97
PID 3464 wrote to memory of 1020	3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe	98
PID 3464 wrote to memory of 1020	3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe	98
PID 3464 wrote to memory of 1020	3464	{188E6566-8D22-4518-8C54-C1553F0DD209}.exe	98
PID 4860 wrote to memory of 1136	4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe	99
PID 4860 wrote to memory of 1136	4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe	99
PID 4860 wrote to memory of 1136	4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe	99
PID 4860 wrote to memory of 4492	4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe	100
PID 4860 wrote to memory of 4492	4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe	100
PID 4860 wrote to memory of 4492	4860	{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe	100
PID 1136 wrote to memory of 688	1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe	101
PID 1136 wrote to memory of 688	1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe	101
PID 1136 wrote to memory of 688	1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe	101
PID 1136 wrote to memory of 2552	1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe	102
PID 1136 wrote to memory of 2552	1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe	102
PID 1136 wrote to memory of 2552	1136	{B4741255-0B26-4f61-A455-7A4370F33860}.exe	102
PID 688 wrote to memory of 4676	688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe	103
PID 688 wrote to memory of 4676	688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe	103
PID 688 wrote to memory of 4676	688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe	103
PID 688 wrote to memory of 2544	688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe	104
PID 688 wrote to memory of 2544	688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe	104
PID 688 wrote to memory of 2544	688	{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe	104
PID 4676 wrote to memory of 632	4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe	105
PID 4676 wrote to memory of 632	4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe	105
PID 4676 wrote to memory of 632	4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe	105
PID 4676 wrote to memory of 3756	4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe	106
PID 4676 wrote to memory of 3756	4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe	106
PID 4676 wrote to memory of 3756	4676	{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe	106
PID 632 wrote to memory of 2476	632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe	107
PID 632 wrote to memory of 2476	632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe	107
PID 632 wrote to memory of 2476	632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe	107
PID 632 wrote to memory of 400	632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe	108
PID 632 wrote to memory of 400	632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe	108
PID 632 wrote to memory of 400	632	{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe	108
PID 2476 wrote to memory of 748	2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe	109
PID 2476 wrote to memory of 748	2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe	109
PID 2476 wrote to memory of 748	2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe	109
PID 2476 wrote to memory of 3332	2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe	110
PID 2476 wrote to memory of 3332	2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe	110
PID 2476 wrote to memory of 3332	2476	{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe	110
PID 748 wrote to memory of 3512	748	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe	111
PID 748 wrote to memory of 3512	748	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe	111
PID 748 wrote to memory of 3512	748	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe	111
PID 748 wrote to memory of 2884	748	{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_eeaa516f9071acd5506e713620920fb2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe
  C:\Windows\{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe
    C:\Windows\{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{188E6566-8D22-4518-8C54-C1553F0DD209}.exe
      C:\Windows\{188E6566-8D22-4518-8C54-C1553F0DD209}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe
        
        C:\Windows\{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Windows\{B4741255-0B26-4f61-A455-7A4370F33860}.exe
        
        C:\Windows\{B4741255-0B26-4f61-A455-7A4370F33860}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe
        
        C:\Windows\{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe
        
        C:\Windows\{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe
        
        C:\Windows\{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe
        
        C:\Windows\{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe
        
        C:\Windows\{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe
        
        C:\Windows\{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Windows\{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}.exe
        
        C:\Windows\{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}.exe
        13⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D77F~1.EXE > nul
        13⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F15A~1.EXE > nul
        12⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80BCA~1.EXE > nul
        11⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31506~1.EXE > nul
        10⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C857~1.EXE > nul
        9⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BBC5~1.EXE > nul
        8⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4741~1.EXE > nul
        7⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72A96~1.EXE > nul
        6⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{188E6~1.EXE > nul
        5⤵
        
        PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B5D~1.EXE > nul
      4⤵
      PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A72E9~1.EXE > nul
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{188E6566-8D22-4518-8C54-C1553F0DD209}.exe

Filesize
204KB

MD5
eebb84c5deaf59d205a1b5e0492ae4db

SHA1
2ab8c1112d1872b83918dc11b96425a7ab8e8c7c

SHA256
069580d61260b927362c60e47dca8410a2e5aeb8c0dc83723be97e7df21c3149

SHA512
bb0dac091c4156ac4d3baccaa47629d8afdf9c367631c88fd333404579f954f9e2493cfda38a038a6349e0c020f4fd113c324b7f5adf976c8d902fbc40645ef2

Download Submit
C:\Windows\{31506C61-D731-4ec3-B230-D74AE2B2A0EF}.exe

Filesize
204KB

MD5
c742824ef94db1c5217c2d5c81246f1c

SHA1
ad189c8426875efc4f614893bd5830d14b583398

SHA256
3e97e99f0a27d995edc14a0878914bf65f303f091fb1d19ed5c7e1ffd96e3f75

SHA512
76946f01281cc638505f7c3871928cfd98c18eb3f40665fe71fbfe5a2015cc0b907b2ba1e17437581d9c41bcbce4b660b489d60f300fd3ec890029faf68eb413

Download Submit
C:\Windows\{39672CE8-B4B4-41cb-9B12-DCB439B5D1C2}.exe

Filesize
204KB

MD5
a34c4fece5e2d974ff7bb515b09a2918

SHA1
8e9408ae1b0a22a729671eec9a0841214ab11dea

SHA256
806a24d6d65cf22d458961cf71a71c8bbfd9be4663d0c255b669cd43f673a7b1

SHA512
cefd28f418207657a042d919afbd9298cb6a5e68a07c0a3751fdbe0c43b2c8174b7a46c48e8f61972ba96a9d09413ada9a6e1179d128abbb6cdfc4f87b8a700f

Download Submit
C:\Windows\{4BBC50D8-1AA7-4362-ACA3-660E6E4F3CA7}.exe

Filesize
204KB

MD5
f43609562fe649ba85b423a3055a82bb

SHA1
2b0d27c900667d353fe956668185c627433b4ca7

SHA256
10eb2a5d51ba056629d70d62985b12864535c7d9a13dbb294dab846f35982f43

SHA512
7f5b8aa1f489404281538681d382f8611fbf4787d94522be7b6f2d1c030d417b49f587a3294efd2ca7b4beb8aa144cba67618d5adbdc184c85e86caaa5980b2a

Download Submit
C:\Windows\{6F15A017-592F-4cae-B394-CAB83FFA186B}.exe

Filesize
204KB

MD5
02b7cf614d55fc138a37fa94d90edbc2

SHA1
1df5d03e19c780b746bcf458a79deaa2f39dcbef

SHA256
9c0c2cdbbc061603b534432e7d5d22230800149fe1b8f27224a9e92a58f95ac8

SHA512
c6fc06034c6ec5141898cbdbaa44e56c3f319a3bbb0b10e4d7593658f307a9a923aaee57b458fa8b5607a54ee2f27551f0888b54be47b2a636dc72d25e103975

Download Submit
C:\Windows\{72A96A36-9AD0-4e6d-A6A9-D28451ACE066}.exe

Filesize
204KB

MD5
c7fb97dde5a7393ad83c79a8bf717279

SHA1
a6c7282b4b1db4fc4ae6c7843f562c4c121ca891

SHA256
a3f233e1af0446b967782832ed3b09398d2ce246b42f3faba87557f084987738

SHA512
9e40e7c99ca5ef694bfdbc19e4910397e318c4a051863a3229f9de518466fa0837db4c967bfdb3011e5d43ae7a6b4ec09f5d9b99496055b036a84000d2e2e49c

Download Submit
C:\Windows\{7D77F08A-0C0C-4ff6-80EA-09E7A4EF436D}.exe

Filesize
204KB

MD5
a3fa3a99c4a5c3e2c852fc60690c3ed9

SHA1
e56a6c10470e1021a0d1af1ddef313805eb4c446

SHA256
5931502ce10d43eebb660366b12f794b93879380a84ccd62ae1bcb3b83ec376c

SHA512
3e8bc7f27b59e9fa7b409da3591bae1aa593d044091e51584c1bceb53f6a4917f2db69eafc32afba9795ef0cb9921ad4ed6ae0d33c6b218caeedbaaa59ff2db5

Download Submit
C:\Windows\{80BCAA94-04BF-4a62-A75F-0C438F8D6AC0}.exe

Filesize
204KB

MD5
8791c95c0eb980fba19fc898ea2bf71f

SHA1
f8ad074510b93199498ab539818b8cbb0a534d78

SHA256
f9ff685845a0f476769dbd4193e33d5f92ba05861e44b60912246ebb261dcdf6

SHA512
741f697a81eaa0e818177158330d79ecc7ce7316466cce792c6bc1fdaa10bce6d1282e290d1079f9bd5964a0a6b430ceb6b10d64020c6a28a780575d9461bb11

Download Submit
C:\Windows\{8C85716A-8773-43c1-B593-DAD2A7CEF883}.exe

Filesize
204KB

MD5
5d8170861b488b5fe1b5de241e839138

SHA1
101a85f6a71ce3960f4bf229305a22f32a1943b9

SHA256
f3ddf99e6dfe39ab232990a915d53e16c5d15d5ffb0419c639c31257bcde2941

SHA512
9a8b38a8d20eded2d03aeb0f0592af337aa91e8ea56bd29893bf17c99c31f003e89e28d9f41d9d7690ae57853c93bb614619178e5b79cf4188282bdaf6abcf4b

Download Submit
C:\Windows\{A72E9814-88B5-4849-B7C5-0A5024AA852C}.exe

Filesize
204KB

MD5
62d5353031a57d87fd2006e4bb5ffc68

SHA1
29c6d226854cbbbccd33397fef0622720daea1bd

SHA256
98bad2930c5cac79c2fb87baba7db024faf0b866df80c1b31de9d51b00eb9fca

SHA512
6b89ff13c1f8d1c1dbea6a88eeffae2b7b4506b57ab044a23c2c5f01ac2617703627ab8ff7fbff90add944d76c29274635d205400277823c9d3b296dc90a53dc

Download Submit
C:\Windows\{B4741255-0B26-4f61-A455-7A4370F33860}.exe

Filesize
204KB

MD5
cfbac68a89a17cf3929c9fda6bd19f54

SHA1
ed87be17060b1c8342c0a93b37dfd7a3a85720cb

SHA256
3b0a4cf4427f28ab5f9875b62911f17b18b5012b106cfd4fbad9b1e89ff65cb5

SHA512
335ab551b45cfe447490ab4787f9dba64980329c250011ff47e0daf9d3d1a7af5c2554d32949763cc608f2bd66d6bc097694dc68269c9860da4badb343a452dd

Download Submit
C:\Windows\{E9B5D44D-A51B-4d84-AA41-6A0FDE3EA9CA}.exe

Filesize
204KB

MD5
19fd82fff23bd0bf8e3f6cea763ad7e8

SHA1
2d3d7900ff8cfe00e8a64258d2987a6145cf12bb

SHA256
20133f6c8593b5194b6be0cb6aa71011009b45fde5500478a42269cf4a601c3d

SHA512
feb898edd8a525ea3a01ef34d6394331b3c7d5dea6cf2c9f06fc5e5fba181f2ce8b4082d4876f0141476c8df5cb61b924b6d5abfc84695ce964ed78dccbca766

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads