214650f284173ce5f7520fd8bd229771e11af6f7f955738279ee30a96a5de15b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe
Size

344KB
MD5

3ecf06040e090df8f50709fb0bbb8e76
SHA1

d3a16a547a6ae28cbe1548a7f4f3727efbb6076a
SHA256

214650f284173ce5f7520fd8bd229771e11af6f7f955738279ee30a96a5de15b
SHA512

29d3d521c27d15c752ebb6b81e49496ac45297441aa82a310c987d90c882c857db63a2f48c328f201863408d678cb228c704f5fa9ad42314a0bffd0309e3f412
SSDEEP

3072:mEGh0oplEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002339e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233a3-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022e34-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233a3-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022e34-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233a3-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022e34-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002343e-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023444-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002343e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023444-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233a0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A24760C-E65B-4c94-899B-79BD759DE2D0}	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A24760C-E65B-4c94-899B-79BD759DE2D0}\stubpath = "C:\\Windows\\{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe"	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}\stubpath = "C:\\Windows\\{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe"	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A51AC48B-C0F1-4e26-BB95-2C713927644D}\stubpath = "C:\\Windows\\{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe"	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE264287-E052-4ee0-94F9-14AB96AA046E}\stubpath = "C:\\Windows\\{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe"	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}\stubpath = "C:\\Windows\\{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe"	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80125E71-614A-4645-9F14-662954539008}	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA65F71F-FADB-4096-B166-9E65E9FC39D8}	{80125E71-614A-4645-9F14-662954539008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E6D052-0A59-42e2-9F2A-F13FDF282587}\stubpath = "C:\\Windows\\{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe"	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}\stubpath = "C:\\Windows\\{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe"	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B673AC73-AF18-4c23-B8E5-2051A6082ADC}\stubpath = "C:\\Windows\\{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe"	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}	{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}\stubpath = "C:\\Windows\\{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}.exe"	{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80125E71-614A-4645-9F14-662954539008}\stubpath = "C:\\Windows\\{80125E71-614A-4645-9F14-662954539008}.exe"	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE264287-E052-4ee0-94F9-14AB96AA046E}	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B673AC73-AF18-4c23-B8E5-2051A6082ADC}	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA65F71F-FADB-4096-B166-9E65E9FC39D8}\stubpath = "C:\\Windows\\{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe"	{80125E71-614A-4645-9F14-662954539008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E6D052-0A59-42e2-9F2A-F13FDF282587}	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A51AC48B-C0F1-4e26-BB95-2C713927644D}	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6AD1649-8F23-4801-9709-D89F4EC9873D}	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6AD1649-8F23-4801-9709-D89F4EC9873D}\stubpath = "C:\\Windows\\{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe"	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe

Executes dropped EXE 12 IoCs

pid	Process
4480	{80125E71-614A-4645-9F14-662954539008}.exe
4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe
4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe
2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe
4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe
5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe
1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe
3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe
4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe
1812	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe
3260	{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe
1348	{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe	{80125E71-614A-4645-9F14-662954539008}.exe
File created	C:\Windows\{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe
File created	C:\Windows\{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe
File created	C:\Windows\{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe
File created	C:\Windows\{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe
File created	C:\Windows\{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe
File created	C:\Windows\{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}.exe	{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe
File created	C:\Windows\{80125E71-614A-4645-9F14-662954539008}.exe	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe
File created	C:\Windows\{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe
File created	C:\Windows\{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe
File created	C:\Windows\{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe
File created	C:\Windows\{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4068	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4480	{80125E71-614A-4645-9F14-662954539008}.exe
Token: SeIncBasePriorityPrivilege	4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe
Token: SeIncBasePriorityPrivilege	4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe
Token: SeIncBasePriorityPrivilege	2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe
Token: SeIncBasePriorityPrivilege	4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe
Token: SeIncBasePriorityPrivilege	5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe
Token: SeIncBasePriorityPrivilege	1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe
Token: SeIncBasePriorityPrivilege	3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe
Token: SeIncBasePriorityPrivilege	4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe
Token: SeIncBasePriorityPrivilege	1812	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe
Token: SeIncBasePriorityPrivilege	3260	{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4480	4068	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe	94
PID 4068 wrote to memory of 4480	4068	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe	94
PID 4068 wrote to memory of 4480	4068	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe	94
PID 4068 wrote to memory of 1948	4068	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe	95
PID 4068 wrote to memory of 1948	4068	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe	95
PID 4068 wrote to memory of 1948	4068	2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe	95
PID 4480 wrote to memory of 4084	4480	{80125E71-614A-4645-9F14-662954539008}.exe	96
PID 4480 wrote to memory of 4084	4480	{80125E71-614A-4645-9F14-662954539008}.exe	96
PID 4480 wrote to memory of 4084	4480	{80125E71-614A-4645-9F14-662954539008}.exe	96
PID 4480 wrote to memory of 4244	4480	{80125E71-614A-4645-9F14-662954539008}.exe	97
PID 4480 wrote to memory of 4244	4480	{80125E71-614A-4645-9F14-662954539008}.exe	97
PID 4480 wrote to memory of 4244	4480	{80125E71-614A-4645-9F14-662954539008}.exe	97
PID 4084 wrote to memory of 4876	4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe	100
PID 4084 wrote to memory of 4876	4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe	100
PID 4084 wrote to memory of 4876	4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe	100
PID 4084 wrote to memory of 3044	4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe	101
PID 4084 wrote to memory of 3044	4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe	101
PID 4084 wrote to memory of 3044	4084	{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe	101
PID 4876 wrote to memory of 2384	4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe	102
PID 4876 wrote to memory of 2384	4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe	102
PID 4876 wrote to memory of 2384	4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe	102
PID 4876 wrote to memory of 4192	4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe	103
PID 4876 wrote to memory of 4192	4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe	103
PID 4876 wrote to memory of 4192	4876	{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe	103
PID 2384 wrote to memory of 4932	2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe	104
PID 2384 wrote to memory of 4932	2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe	104
PID 2384 wrote to memory of 4932	2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe	104
PID 2384 wrote to memory of 4332	2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe	105
PID 2384 wrote to memory of 4332	2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe	105
PID 2384 wrote to memory of 4332	2384	{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe	105
PID 4932 wrote to memory of 5004	4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe	107
PID 4932 wrote to memory of 5004	4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe	107
PID 4932 wrote to memory of 5004	4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe	107
PID 4932 wrote to memory of 2220	4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe	108
PID 4932 wrote to memory of 2220	4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe	108
PID 4932 wrote to memory of 2220	4932	{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe	108
PID 5004 wrote to memory of 1412	5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe	109
PID 5004 wrote to memory of 1412	5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe	109
PID 5004 wrote to memory of 1412	5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe	109
PID 5004 wrote to memory of 2752	5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe	110
PID 5004 wrote to memory of 2752	5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe	110
PID 5004 wrote to memory of 2752	5004	{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe	110
PID 1412 wrote to memory of 3604	1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe	112
PID 1412 wrote to memory of 3604	1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe	112
PID 1412 wrote to memory of 3604	1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe	112
PID 1412 wrote to memory of 1640	1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe	113
PID 1412 wrote to memory of 1640	1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe	113
PID 1412 wrote to memory of 1640	1412	{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe	113
PID 3604 wrote to memory of 4976	3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe	119
PID 3604 wrote to memory of 4976	3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe	119
PID 3604 wrote to memory of 4976	3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe	119
PID 3604 wrote to memory of 4084	3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe	120
PID 3604 wrote to memory of 4084	3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe	120
PID 3604 wrote to memory of 4084	3604	{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe	120
PID 4976 wrote to memory of 1812	4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe	121
PID 4976 wrote to memory of 1812	4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe	121
PID 4976 wrote to memory of 1812	4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe	121
PID 4976 wrote to memory of 4952	4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe	122
PID 4976 wrote to memory of 4952	4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe	122
PID 4976 wrote to memory of 4952	4976	{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe	122
PID 1812 wrote to memory of 3260	1812	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe	123
PID 1812 wrote to memory of 3260	1812	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe	123
PID 1812 wrote to memory of 3260	1812	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe	123
PID 1812 wrote to memory of 3756	1812	{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\{80125E71-614A-4645-9F14-662954539008}.exe
  C:\Windows\{80125E71-614A-4645-9F14-662954539008}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe
    C:\Windows\{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe
      C:\Windows\{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe
        
        C:\Windows\{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe
        
        C:\Windows\{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe
        
        C:\Windows\{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe
        
        C:\Windows\{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe
        
        C:\Windows\{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe
        
        C:\Windows\{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe
        
        C:\Windows\{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe
        
        C:\Windows\{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
        
        C:\Windows\{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}.exe
        
        C:\Windows\{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1792~1.EXE > nul
        13⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6AD1~1.EXE > nul
        12⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B673A~1.EXE > nul
        11⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA71~1.EXE > nul
        10⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE264~1.EXE > nul
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A51AC~1.EXE > nul
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D0D6~1.EXE > nul
        7⤵
        
        PID:2220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1E6D~1.EXE > nul
        6⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A247~1.EXE > nul
        5⤵
        
        PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA65F~1.EXE > nul
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80125~1.EXE > nul
    3⤵
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D0D6C22-82E1-4135-A8DD-5788B3338F6F}.exe

Filesize
344KB

MD5
f0e7cce961e5ee72f90614b8b7f479c7

SHA1
ed02048da7c69d23328006ce7ddc70247772b8b3

SHA256
72862bc5720bb9dbef654e5ff7359b2713c72515fddc3f8f2b47cab74b4f3d8b

SHA512
30eb5c3703c7de3c2c1e0154f2a234c3f4d87f26af01ebfa79f84db5eb5d44eadaab97103ea4bdc11cd153f549994577cbbaa0ecf4b39b90f71688b56a647986

Download Submit
C:\Windows\{3A24760C-E65B-4c94-899B-79BD759DE2D0}.exe

Filesize
344KB

MD5
0ddd89686384944a25274dbd4cb5f11a

SHA1
37eae86522daab164ca7f617cc90189b80d31222

SHA256
f06ab9f350427e21f72df5906854537bdde6cf85f4cf483c6eef4e5652d6fcd1

SHA512
c021fe0f0c318da2fa48a51c4588c7e7ed1cc88db1a683cd8e0d2d88c300714401453c64fd1eddb31f6c26e6039b6a1132a8effe273a0d8dd4b795f0ba83adf1

Download Submit
C:\Windows\{80125E71-614A-4645-9F14-662954539008}.exe

Filesize
344KB

MD5
5941f5735346328adb9e4289b5d3d1de

SHA1
1869b33eb94e7180e89918e4f6f423f4347399fa

SHA256
0aa4f302f79e68d53224e7e531693df7de700483e841b0e386f340de69aa73ad

SHA512
34cf5ea43d131eba864f2bfda051616d72cf2c9ba8a869c91f0295cad596f04efffd9c542bf52611ba26e9b426248050e4544e04734e108e1baf0c350cf1c8d3

Download Submit
C:\Windows\{9C1BF71B-9455-4bf0-9C1B-DF8BA9FED49E}.exe

Filesize
344KB

MD5
0ff93538829c51a3efcd5f531a75f3b5

SHA1
ed85bcc01650c2c11fe0f781a3bd705f4de085ac

SHA256
e1bd5992bda32070bb0aa44e107a6a3c443fdf999644cc7ed3af5c4d2dd363ff

SHA512
e9d17f360e62d2ffc03291a4d4f425be3bfb03319678f46c6399e123291c139279920f6d5df3ae4e8885e99f19912fd88a272c1bd985c0ae0c79d31cb89ec6b9

Download Submit
C:\Windows\{A51AC48B-C0F1-4e26-BB95-2C713927644D}.exe

Filesize
344KB

MD5
8f1c02b355047f3b8e2eba6da467fa58

SHA1
a06425b70d86338c137da74f9b03ec0c8649fede

SHA256
92f0de66b1ae84e6ab1be1d61b176f1cc298eb3e93a71039e2ba991b59fd9f52

SHA512
92d09fc584a85807bd27c12b9f8e7426e09bce21a2bf974bcc2469be1753340171e5ee79759fad917e0d14bb165b63f807782010e615a7978fee7aa340039f9e

Download Submit
C:\Windows\{A6AD1649-8F23-4801-9709-D89F4EC9873D}.exe

Filesize
344KB

MD5
71193ffeaa5cea66cdbff4d595a675f4

SHA1
87d402c820c5ef3a2cbd56ba62b22bd69bc7c0d8

SHA256
82a3f87124bed4db930213d2640f5129d3fe8a1f3c04e8a532efa6dd09e43b3b

SHA512
4536d63708f13a3d3909984eef5d368b2f59eb4d40c09a54e5906a0a8b46f78a2e1b197347b0661519071f47de6114dcf6c39af1ace258866e0a4d6481dc2fcd

Download Submit
C:\Windows\{AA65F71F-FADB-4096-B166-9E65E9FC39D8}.exe

Filesize
344KB

MD5
494b06379f9862621249ba584d076b54

SHA1
348249924e1a67b85e9f1cbfaa03e195e68ff23e

SHA256
432bd8e713305672d0149b30606d4e4bc407d20140a5dc54d96e9cc6eff834ec

SHA512
f29efba351cbc9d749152e7b78d565baf352ef8d5054813d72e0f6349a4b07ca13ced4889a41e3614b56d8adcea19e1a1b6d47bbd4f277120fcc6c141ecddb5d

Download Submit
C:\Windows\{B1E6D052-0A59-42e2-9F2A-F13FDF282587}.exe

Filesize
344KB

MD5
a87ddc7bcd75e99275e412f6f47f70d2

SHA1
98dffb8f57f7ba6a0134fa7a7b718edf0dfcb174

SHA256
eb66cdad29fc553a077df29bd084b8e5b4a19fc6245e9afdca6ee8d81320bcfc

SHA512
87851135bf9ba1bbb52ae512ec38ef12020525cf63be9234e9b3a0c27f15dff47316b31ed711d864f1e03884c4ed7acfdaeb77a6bff3f7be560521b8b64c2e2f

Download Submit
C:\Windows\{B673AC73-AF18-4c23-B8E5-2051A6082ADC}.exe

Filesize
344KB

MD5
ea0d1e88e47f73c60b319a6e8f7a496b

SHA1
3912643959f031f74687ae86ac929b6f6f3e7cc4

SHA256
67afacd8cbb3f8d1bd9ac12f8f6df155c7221bb86f3f5cae15509a483ef189d0

SHA512
3a0d2e43a540a1948d8cb1b43ffb24fcfcedd325b0dc240da42804f88b0162cc34c017975a7f4b002616662a17f0ff37fdf29073e712b9fa5f6acc132fb5feee

Download Submit
C:\Windows\{C1792B0E-2BF6-49a3-87EB-72593C13EFFB}.exe

Filesize
344KB

MD5
96a67c2e2c96af2e2f12467aebc51a71

SHA1
35674834ceeaeb52ebaec1d9e5ee55afeefb8d6b

SHA256
6be3fe6ef593c927cf3f8c8f31865681ba3bbdf26e36aea821e437875e897863

SHA512
52445b4829db0a0cf66374a5c80cc367116b3bd8479f6e5099f2bc35503ada840335e4d5a752e65d01f648d9300cc9c042a31755b3a81336e4700d11dc067abf

Download Submit
C:\Windows\{CEA71BED-913E-4c6b-A0DE-32EFDE9559F5}.exe

Filesize
344KB

MD5
f7c2665bb57b392db58c769ef35619b3

SHA1
d6618071ddd85385c7fa871329752af1926d48c1

SHA256
ff3fb57f9f0c15898075501bb168804e5eb565eaade66c6b216632ba7317c998

SHA512
6402254b8f44efaa9772c6e727d8f5d7341d4f32a7649921d1866ae0b864f451ccdd7b2cba7e070a53f6d364f1c0202c7718b3fed2425ab751d64152cfad5d2f

Download Submit
C:\Windows\{FE264287-E052-4ee0-94F9-14AB96AA046E}.exe

Filesize
344KB

MD5
ac371c9ee1f337c7135510d54b4a10d1

SHA1
0d05f95263a0ef29babb53a3f0142f9660b0a140

SHA256
b2c9421295dbe559477298e4898ccf11c88eeb3a2540af878922501f2e75d53e

SHA512
d2292b29c1ee45ec6d553b55f5469f4bd6558234e38370c7dd6d63742e905bdfec59bdbfb6d918b8d99bc1ed07afc57f9900cbf8b5150114f4831589c1098ad7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads