cfd524b74cc4f3555c4e60b5d78955a4cc6ad58e18a772c2cc37e73cf300dda5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Size

408KB
MD5

29d8381dd394bae97612e5952247a9c2
SHA1

c901f5bfc226652591a8525578dd7c0086f29ecc
SHA256

cfd524b74cc4f3555c4e60b5d78955a4cc6ad58e18a772c2cc37e73cf300dda5
SHA512

ead7d8ff3dabd4f76ce7755f5ef8356fa16f9c3ce5ebdde0fb2064d3a9de8d301d558015f7949bc065f814a5553dbcfa01d563a65f6edf8c5eacaf4b660c3748
SSDEEP

3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGOldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002338e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233a6-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023427-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233a6-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023427-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342b-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023427-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023430-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023427-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023430-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023427-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023385-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDD91B5-F45C-4610-A30D-4266780AD97F}	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4335905-CE0B-405c-8A64-778C7CBC9C91}	{E9339155-85EA-4abb-9478-17E3662EE025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA53895-CF6B-4d9f-83D9-801ED31432B1}	{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA53895-CF6B-4d9f-83D9-801ED31432B1}\stubpath = "C:\\Windows\\{8FA53895-CF6B-4d9f-83D9-801ED31432B1}.exe"	{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6059B5BE-457D-4b34-B137-F98DC8534581}\stubpath = "C:\\Windows\\{6059B5BE-457D-4b34-B137-F98DC8534581}.exe"	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}\stubpath = "C:\\Windows\\{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe"	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}\stubpath = "C:\\Windows\\{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe"	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735A2EDF-011F-4350-862D-A346D00B5B44}	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9339155-85EA-4abb-9478-17E3662EE025}	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B071FDD-F3D4-47ba-8398-B61159EA7088}	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735A2EDF-011F-4350-862D-A346D00B5B44}\stubpath = "C:\\Windows\\{735A2EDF-011F-4350-862D-A346D00B5B44}.exe"	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}\stubpath = "C:\\Windows\\{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe"	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B071FDD-F3D4-47ba-8398-B61159EA7088}\stubpath = "C:\\Windows\\{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe"	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A04044F9-A871-40dd-BBBA-0B854743B3DA}	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A04044F9-A871-40dd-BBBA-0B854743B3DA}\stubpath = "C:\\Windows\\{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe"	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}\stubpath = "C:\\Windows\\{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe"	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9339155-85EA-4abb-9478-17E3662EE025}\stubpath = "C:\\Windows\\{E9339155-85EA-4abb-9478-17E3662EE025}.exe"	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4335905-CE0B-405c-8A64-778C7CBC9C91}\stubpath = "C:\\Windows\\{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe"	{E9339155-85EA-4abb-9478-17E3662EE025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6059B5BE-457D-4b34-B137-F98DC8534581}	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDD91B5-F45C-4610-A30D-4266780AD97F}\stubpath = "C:\\Windows\\{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe"	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe

Executes dropped EXE 12 IoCs

pid	Process
5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe
4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe
3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe
1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe
4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe
4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe
2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe
3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe
428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe
1692	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe
4944	{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe
2244	{8FA53895-CF6B-4d9f-83D9-801ED31432B1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe
File created	C:\Windows\{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe
File created	C:\Windows\{8FA53895-CF6B-4d9f-83D9-801ED31432B1}.exe	{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe
File created	C:\Windows\{6059B5BE-457D-4b34-B137-F98DC8534581}.exe	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
File created	C:\Windows\{735A2EDF-011F-4350-862D-A346D00B5B44}.exe	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe
File created	C:\Windows\{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe
File created	C:\Windows\{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe
File created	C:\Windows\{E9339155-85EA-4abb-9478-17E3662EE025}.exe	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe
File created	C:\Windows\{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe	{E9339155-85EA-4abb-9478-17E3662EE025}.exe
File created	C:\Windows\{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe
File created	C:\Windows\{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe
File created	C:\Windows\{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	228	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe
Token: SeIncBasePriorityPrivilege	4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe
Token: SeIncBasePriorityPrivilege	3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe
Token: SeIncBasePriorityPrivilege	1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe
Token: SeIncBasePriorityPrivilege	4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe
Token: SeIncBasePriorityPrivilege	4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe
Token: SeIncBasePriorityPrivilege	2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe
Token: SeIncBasePriorityPrivilege	3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe
Token: SeIncBasePriorityPrivilege	428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe
Token: SeIncBasePriorityPrivilege	1692	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe
Token: SeIncBasePriorityPrivilege	4944	{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 5072	228	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	95
PID 228 wrote to memory of 5072	228	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	95
PID 228 wrote to memory of 5072	228	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	95
PID 228 wrote to memory of 1576	228	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	96
PID 228 wrote to memory of 1576	228	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	96
PID 228 wrote to memory of 1576	228	2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe	96
PID 5072 wrote to memory of 4888	5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe	98
PID 5072 wrote to memory of 4888	5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe	98
PID 5072 wrote to memory of 4888	5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe	98
PID 5072 wrote to memory of 1520	5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe	99
PID 5072 wrote to memory of 1520	5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe	99
PID 5072 wrote to memory of 1520	5072	{6059B5BE-457D-4b34-B137-F98DC8534581}.exe	99
PID 4888 wrote to memory of 3556	4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe	102
PID 4888 wrote to memory of 3556	4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe	102
PID 4888 wrote to memory of 3556	4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe	102
PID 4888 wrote to memory of 4160	4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe	103
PID 4888 wrote to memory of 4160	4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe	103
PID 4888 wrote to memory of 4160	4888	{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe	103
PID 3556 wrote to memory of 1992	3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe	104
PID 3556 wrote to memory of 1992	3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe	104
PID 3556 wrote to memory of 1992	3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe	104
PID 3556 wrote to memory of 4104	3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe	105
PID 3556 wrote to memory of 4104	3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe	105
PID 3556 wrote to memory of 4104	3556	{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe	105
PID 1992 wrote to memory of 4424	1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe	106
PID 1992 wrote to memory of 4424	1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe	106
PID 1992 wrote to memory of 4424	1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe	106
PID 1992 wrote to memory of 3128	1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe	107
PID 1992 wrote to memory of 3128	1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe	107
PID 1992 wrote to memory of 3128	1992	{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe	107
PID 4424 wrote to memory of 4912	4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe	109
PID 4424 wrote to memory of 4912	4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe	109
PID 4424 wrote to memory of 4912	4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe	109
PID 4424 wrote to memory of 4840	4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe	110
PID 4424 wrote to memory of 4840	4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe	110
PID 4424 wrote to memory of 4840	4424	{735A2EDF-011F-4350-862D-A346D00B5B44}.exe	110
PID 4912 wrote to memory of 2992	4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe	111
PID 4912 wrote to memory of 2992	4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe	111
PID 4912 wrote to memory of 2992	4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe	111
PID 4912 wrote to memory of 3568	4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe	112
PID 4912 wrote to memory of 3568	4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe	112
PID 4912 wrote to memory of 3568	4912	{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe	112
PID 2992 wrote to memory of 3704	2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe	119
PID 2992 wrote to memory of 3704	2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe	119
PID 2992 wrote to memory of 3704	2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe	119
PID 2992 wrote to memory of 1192	2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe	120
PID 2992 wrote to memory of 1192	2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe	120
PID 2992 wrote to memory of 1192	2992	{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe	120
PID 3704 wrote to memory of 428	3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe	121
PID 3704 wrote to memory of 428	3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe	121
PID 3704 wrote to memory of 428	3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe	121
PID 3704 wrote to memory of 4236	3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe	122
PID 3704 wrote to memory of 4236	3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe	122
PID 3704 wrote to memory of 4236	3704	{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe	122
PID 428 wrote to memory of 1692	428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe	123
PID 428 wrote to memory of 1692	428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe	123
PID 428 wrote to memory of 1692	428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe	123
PID 428 wrote to memory of 1920	428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe	124
PID 428 wrote to memory of 1920	428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe	124
PID 428 wrote to memory of 1920	428	{E9339155-85EA-4abb-9478-17E3662EE025}.exe	124
PID 1692 wrote to memory of 4944	1692	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe	125
PID 1692 wrote to memory of 4944	1692	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe	125
PID 1692 wrote to memory of 4944	1692	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe	125
PID 1692 wrote to memory of 3484	1692	{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_29d8381dd394bae97612e5952247a9c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\{6059B5BE-457D-4b34-B137-F98DC8534581}.exe
  C:\Windows\{6059B5BE-457D-4b34-B137-F98DC8534581}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe
    C:\Windows\{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe
      C:\Windows\{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe
        
        C:\Windows\{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\{735A2EDF-011F-4350-862D-A346D00B5B44}.exe
        
        C:\Windows\{735A2EDF-011F-4350-862D-A346D00B5B44}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe
        
        C:\Windows\{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe
        
        C:\Windows\{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe
        
        C:\Windows\{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{E9339155-85EA-4abb-9478-17E3662EE025}.exe
        
        C:\Windows\{E9339155-85EA-4abb-9478-17E3662EE025}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe
        
        C:\Windows\{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe
        
        C:\Windows\{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\{8FA53895-CF6B-4d9f-83D9-801ED31432B1}.exe
        
        C:\Windows\{8FA53895-CF6B-4d9f-83D9-801ED31432B1}.exe
        13⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B071~1.EXE > nul
        13⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4335~1.EXE > nul
        12⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9339~1.EXE > nul
        11⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBA6D~1.EXE > nul
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DDD9~1.EXE > nul
        9⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCEC6~1.EXE > nul
        8⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{735A2~1.EXE > nul
        7⤵
        
        PID:4840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0404~1.EXE > nul
        6⤵
        
        PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F0DD~1.EXE > nul
        5⤵
        
        PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C888B~1.EXE > nul
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6059B~1.EXE > nul
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B071FDD-F3D4-47ba-8398-B61159EA7088}.exe

Filesize
408KB

MD5
270a2539b65a6493f7bd9aaadf9a272f

SHA1
e26bd9528e22c74eb022bce5115d395820659cb5

SHA256
77466fa3243fe606511efd2af4354e8e2d9259b910da8ca6311220ced3771bff

SHA512
4d7a12bc4797b17cdd3fab2331f0a5c1b26f002f8566d671b5daf7d283a4899f57489543a92cf43f7933a1aadffca31236c6598b9be45853d5b53454da632062

Download Submit
C:\Windows\{1F0DD7A8-1B58-4ed1-9FBC-ECD89B1032F3}.exe

Filesize
408KB

MD5
5c0ac8053c4e2667717cc51f48dfe5bd

SHA1
e07ecab0af41fa3f2dc57f0e9f8cbd8b60f04bca

SHA256
bd27dc4e3dde41af464c2c008788b31696c043385fd89ac277f7537f78f02535

SHA512
2fc33998fd14370af5507b5030739abf252ed256b0d151eb339a48de26fa923565f9a0f462d7e53743c520ae744414fe0f198e74bcb035c6792ce6b6ca531e4d

Download Submit
C:\Windows\{5DDD91B5-F45C-4610-A30D-4266780AD97F}.exe

Filesize
408KB

MD5
d55879caa8cfe1f81102aedcc11ef5fe

SHA1
e68fb237160a04f83ca6d4b6b7b847097ed4eee6

SHA256
7d5b034ab1e7641703de4c46ffb4669dbac67fb5229bd89382835a8ee99b188b

SHA512
b30ca09343d203d4eefab9a38a648146607ae84c7b34c3d1b1fd0e538781f292c5e66c6bdb7dac6d27a1dbf6a1da0e2aebafeafd12e643ab4fafba690fef49bd

Download Submit
C:\Windows\{6059B5BE-457D-4b34-B137-F98DC8534581}.exe

Filesize
408KB

MD5
74b820d93f092a37fab738ac30f8ac6f

SHA1
1f55e049a51b03f0a617eed3e8aa7687a3977f92

SHA256
ef30d070ce9200e9019d54b4f35202fd7b8f985c913a939cfa19908d8c733f83

SHA512
e1ed5822c053f9aa72346d93b84347aa34e73681a5ffa117833f3e9adc89c5cf1b831876c6bbdde5b895134b998105a9323d1416910c5f6c1e0bf2511c9a4bf1

Download Submit
C:\Windows\{735A2EDF-011F-4350-862D-A346D00B5B44}.exe

Filesize
408KB

MD5
a8e8367ff56e59f1c3487c74f87f3de9

SHA1
a40f2ea7d89b121b796f9c9a91050782704ab3ba

SHA256
6056452ed0841580cdcfebea3b6c2d0900534ad84255287645473ee3193c9742

SHA512
5be08053dcfbd0d67de5a3cd622b52d80e762145563d53165d653f2075de8b5831379016af21c955a59e8d5a517b8460d5cb5f5c5a56b3fcc7fa5d708d6266b8

Download Submit
C:\Windows\{8FA53895-CF6B-4d9f-83D9-801ED31432B1}.exe

Filesize
408KB

MD5
423b58eb4048acac8ff4eb615f8bc079

SHA1
4ebd02c74ebfff08fca5a912745e026b19fe8e23

SHA256
8c2e7d78f26832f11094ff12e2447891e74ac0508db087aefe81422deffcd76b

SHA512
2372306699866d00592d87293826b6cfe2567a7f379ab678dac694ed4008b46dff119b470907f4bee14a05281134f63ac8aa0c93a6670712c605c82f0f2814c6

Download Submit
C:\Windows\{A04044F9-A871-40dd-BBBA-0B854743B3DA}.exe

Filesize
408KB

MD5
3dd855b5cc0630adc21cb58b10f1ad5f

SHA1
dda4c02e202d002acf19694d6f5cad63f4c2146b

SHA256
a349406cac14918049505b812a9fe64b6dc8aaf198f511db27d4647d1bd2e130

SHA512
52bf679eb91f6351f151feb61bac5d473686ef9351c774be64372c7e832c5654b987fb38f8d0348d365f1c79ce5676c03b9be94a4f25fd29c6c8b8dc8c2a2f12

Download Submit
C:\Windows\{A4335905-CE0B-405c-8A64-778C7CBC9C91}.exe

Filesize
408KB

MD5
2e16c34cdf4d28951c7cc0671ad9c581

SHA1
1bf285d770ef019c4b2535cb070e44e64954bf14

SHA256
c562a9f25887a825f2aada7c08975dbffa3867c2b73a643bea8d7eb62cef86d2

SHA512
fbc1ffb3fb1a4bae03b649f75fdde4365e36047327792b84be65e91f9abe6359d27d540a64f2e53dce3fd68157596a5c7671539e520a630829feaf23517a6d23

Download Submit
C:\Windows\{BBA6D3E0-8BB9-435c-BECE-A3E9DD9777D5}.exe

Filesize
408KB

MD5
ea49a990620fd7f39e4900e83bc0c9ca

SHA1
42c06d6e1852c2b474314a5fce6fc4115621cefe

SHA256
033b1c14796b6437d02b1ebde0334fa16af63f2f4b4f6e2a931533bede1ea1c3

SHA512
088ec49441f2fbdafde067a92b372759743c81a69ce4711253fc789ef43ce6b745a7ad1fa13a61f64ab96e393e0c52b628b6fbc55458351dcce1386417692e97

Download Submit
C:\Windows\{BCEC633E-1B4B-4372-B5F3-07230B4ECC3D}.exe

Filesize
408KB

MD5
8622c29e2443c33d3beff289fad7dd68

SHA1
e05a2daca4be1b61177939811bf9a18d6af8d424

SHA256
208af46cfc15f39f3fe2fafe5a845ca80113bfeccf2de349d826cb8a5cad1b4f

SHA512
8d5148f9e055a9bd768d8923a62f500bfb1f290228c59656a21b714dd8b013ba31c561ac6bc0ec14d4c94db6ebb952c92559a55e7f24caa5fb31b2052cd64bc6

Download Submit
C:\Windows\{C888BB14-CD06-4ee2-B1EB-9D324AAE007B}.exe

Filesize
408KB

MD5
7d071fc1645b9f13c69766516622c456

SHA1
a1b6df786f644187c2212c7e306455bbda31c10d

SHA256
dad9a98ae56c0763c1efd84bc18e1fc7699ed9be5b30497de0295b8743305d4e

SHA512
780ea7df763462134b12bccc20a9bca4dbb201bcdf2af14dc8b4bc7738e24426d2899ca976a9e028e0ca902488de1408f9f2c8d3d540cd5deb4b820dfb72c870

Download Submit
C:\Windows\{E9339155-85EA-4abb-9478-17E3662EE025}.exe

Filesize
408KB

MD5
2b7e2592928b616f16b1a4f08bdc3c9e

SHA1
0c95469fa3a6136f73cde3e55ce6abf4ae0f8df2

SHA256
b6b29010f192b87837d08ac72f6239f8f5f2342e4c31e4c5c71d28dc52d1ebbd

SHA512
1477cf65e89fe7c43d0457fc22ce1d316ff7ea22def2b2eeb864f824084fda956140a74ba3a5c0984495a43312f8abe6bfccaa31458ea9614230ee3e545b5d3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads