856cdbff2ace043cf7d63cbfc7f0479cbd183929fdae22260a6ec1ba78606497

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Size

344KB
MD5

867dfb9870a9d4bf0aac9882cf35c045
SHA1

981c43ab18e6a95e466e8b2d68fb28766dd41222
SHA256

856cdbff2ace043cf7d63cbfc7f0479cbd183929fdae22260a6ec1ba78606497
SHA512

2fdeabfc62669e453897d73f868b7bd72dc87b24364ec3b7a58f7ea375abe0fb4b65e2357b33a90116ed7720cfb3870a3062760a8bb3d720a213c4c5cafb6ead
SSDEEP

3072:mEGh0oulEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGYlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002336e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023379-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023391-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023379-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023391-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023379-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023391-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023416-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023391-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023406-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023371-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023406-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4484F30F-699C-43a6-A374-1173FDFF7AAC}	{5347103F-9F6F-44ff-917A-855419929694}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}	{A5D259F1-4034-4363-8187-008531D251C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F025CCD0-49B3-4615-9030-4443A451ECCA}	{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4791845-695E-4187-9038-5A8C845CDE4B}\stubpath = "C:\\Windows\\{D4791845-695E-4187-9038-5A8C845CDE4B}.exe"	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530365D2-8E97-4493-BDBC-2462D9C2D2F4}\stubpath = "C:\\Windows\\{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe"	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}\stubpath = "C:\\Windows\\{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe"	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}\stubpath = "C:\\Windows\\{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe"	{A5D259F1-4034-4363-8187-008531D251C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}\stubpath = "C:\\Windows\\{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe"	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530365D2-8E97-4493-BDBC-2462D9C2D2F4}	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5D259F1-4034-4363-8187-008531D251C2}\stubpath = "C:\\Windows\\{A5D259F1-4034-4363-8187-008531D251C2}.exe"	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5D259F1-4034-4363-8187-008531D251C2}	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5347103F-9F6F-44ff-917A-855419929694}	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4484F30F-699C-43a6-A374-1173FDFF7AAC}\stubpath = "C:\\Windows\\{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe"	{5347103F-9F6F-44ff-917A-855419929694}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4791845-695E-4187-9038-5A8C845CDE4B}	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5347103F-9F6F-44ff-917A-855419929694}\stubpath = "C:\\Windows\\{5347103F-9F6F-44ff-917A-855419929694}.exe"	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F025CCD0-49B3-4615-9030-4443A451ECCA}\stubpath = "C:\\Windows\\{F025CCD0-49B3-4615-9030-4443A451ECCA}.exe"	{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}\stubpath = "C:\\Windows\\{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe"	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF540690-BDD7-48f1-B13B-2AB6453B17A6}	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF540690-BDD7-48f1-B13B-2AB6453B17A6}\stubpath = "C:\\Windows\\{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe"	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}\stubpath = "C:\\Windows\\{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe"	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe
4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe
1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe
1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe
3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe
1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe
4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe
2468	{5347103F-9F6F-44ff-917A-855419929694}.exe
2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe
1060	{A5D259F1-4034-4363-8187-008531D251C2}.exe
4796	{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe
2092	{F025CCD0-49B3-4615-9030-4443A451ECCA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe
File created	C:\Windows\{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe
File created	C:\Windows\{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe
File created	C:\Windows\{5347103F-9F6F-44ff-917A-855419929694}.exe	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe
File created	C:\Windows\{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe
File created	C:\Windows\{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe
File created	C:\Windows\{D4791845-695E-4187-9038-5A8C845CDE4B}.exe	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe
File created	C:\Windows\{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe	{5347103F-9F6F-44ff-917A-855419929694}.exe
File created	C:\Windows\{A5D259F1-4034-4363-8187-008531D251C2}.exe	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe
File created	C:\Windows\{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe	{A5D259F1-4034-4363-8187-008531D251C2}.exe
File created	C:\Windows\{F025CCD0-49B3-4615-9030-4443A451ECCA}.exe	{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe
File created	C:\Windows\{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3620	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe
Token: SeIncBasePriorityPrivilege	4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe
Token: SeIncBasePriorityPrivilege	1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe
Token: SeIncBasePriorityPrivilege	1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe
Token: SeIncBasePriorityPrivilege	3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe
Token: SeIncBasePriorityPrivilege	1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe
Token: SeIncBasePriorityPrivilege	4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe
Token: SeIncBasePriorityPrivilege	2468	{5347103F-9F6F-44ff-917A-855419929694}.exe
Token: SeIncBasePriorityPrivilege	2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe
Token: SeIncBasePriorityPrivilege	1060	{A5D259F1-4034-4363-8187-008531D251C2}.exe
Token: SeIncBasePriorityPrivilege	4796	{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 2568	3620	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	98
PID 3620 wrote to memory of 2568	3620	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	98
PID 3620 wrote to memory of 2568	3620	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	98
PID 3620 wrote to memory of 4076	3620	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	99
PID 3620 wrote to memory of 4076	3620	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	99
PID 3620 wrote to memory of 4076	3620	2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe	99
PID 2568 wrote to memory of 4564	2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe	100
PID 2568 wrote to memory of 4564	2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe	100
PID 2568 wrote to memory of 4564	2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe	100
PID 2568 wrote to memory of 1380	2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe	101
PID 2568 wrote to memory of 1380	2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe	101
PID 2568 wrote to memory of 1380	2568	{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe	101
PID 4564 wrote to memory of 1216	4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe	105
PID 4564 wrote to memory of 1216	4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe	105
PID 4564 wrote to memory of 1216	4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe	105
PID 4564 wrote to memory of 1348	4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe	106
PID 4564 wrote to memory of 1348	4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe	106
PID 4564 wrote to memory of 1348	4564	{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe	106
PID 1216 wrote to memory of 1624	1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe	107
PID 1216 wrote to memory of 1624	1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe	107
PID 1216 wrote to memory of 1624	1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe	107
PID 1216 wrote to memory of 756	1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe	108
PID 1216 wrote to memory of 756	1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe	108
PID 1216 wrote to memory of 756	1216	{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe	108
PID 1624 wrote to memory of 3344	1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe	109
PID 1624 wrote to memory of 3344	1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe	109
PID 1624 wrote to memory of 3344	1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe	109
PID 1624 wrote to memory of 1556	1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe	110
PID 1624 wrote to memory of 1556	1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe	110
PID 1624 wrote to memory of 1556	1624	{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe	110
PID 3344 wrote to memory of 1504	3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe	112
PID 3344 wrote to memory of 1504	3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe	112
PID 3344 wrote to memory of 1504	3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe	112
PID 3344 wrote to memory of 3532	3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe	113
PID 3344 wrote to memory of 3532	3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe	113
PID 3344 wrote to memory of 3532	3344	{D4791845-695E-4187-9038-5A8C845CDE4B}.exe	113
PID 1504 wrote to memory of 4312	1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe	114
PID 1504 wrote to memory of 4312	1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe	114
PID 1504 wrote to memory of 4312	1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe	114
PID 1504 wrote to memory of 1748	1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe	115
PID 1504 wrote to memory of 1748	1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe	115
PID 1504 wrote to memory of 1748	1504	{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe	115
PID 4312 wrote to memory of 2468	4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe	119
PID 4312 wrote to memory of 2468	4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe	119
PID 4312 wrote to memory of 2468	4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe	119
PID 4312 wrote to memory of 4388	4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe	120
PID 4312 wrote to memory of 4388	4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe	120
PID 4312 wrote to memory of 4388	4312	{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe	120
PID 2468 wrote to memory of 2768	2468	{5347103F-9F6F-44ff-917A-855419929694}.exe	124
PID 2468 wrote to memory of 2768	2468	{5347103F-9F6F-44ff-917A-855419929694}.exe	124
PID 2468 wrote to memory of 2768	2468	{5347103F-9F6F-44ff-917A-855419929694}.exe	124
PID 2468 wrote to memory of 1364	2468	{5347103F-9F6F-44ff-917A-855419929694}.exe	125
PID 2468 wrote to memory of 1364	2468	{5347103F-9F6F-44ff-917A-855419929694}.exe	125
PID 2468 wrote to memory of 1364	2468	{5347103F-9F6F-44ff-917A-855419929694}.exe	125
PID 2768 wrote to memory of 1060	2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe	126
PID 2768 wrote to memory of 1060	2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe	126
PID 2768 wrote to memory of 1060	2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe	126
PID 2768 wrote to memory of 3192	2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe	127
PID 2768 wrote to memory of 3192	2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe	127
PID 2768 wrote to memory of 3192	2768	{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe	127
PID 1060 wrote to memory of 4796	1060	{A5D259F1-4034-4363-8187-008531D251C2}.exe	130
PID 1060 wrote to memory of 4796	1060	{A5D259F1-4034-4363-8187-008531D251C2}.exe	130
PID 1060 wrote to memory of 4796	1060	{A5D259F1-4034-4363-8187-008531D251C2}.exe	130
PID 1060 wrote to memory of 4544	1060	{A5D259F1-4034-4363-8187-008531D251C2}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_867dfb9870a9d4bf0aac9882cf35c045_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe
  C:\Windows\{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe
    C:\Windows\{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe
      C:\Windows\{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Windows\{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe
        
        C:\Windows\{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\{D4791845-695E-4187-9038-5A8C845CDE4B}.exe
        
        C:\Windows\{D4791845-695E-4187-9038-5A8C845CDE4B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe
        
        C:\Windows\{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe
        
        C:\Windows\{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{5347103F-9F6F-44ff-917A-855419929694}.exe
        
        C:\Windows\{5347103F-9F6F-44ff-917A-855419929694}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe
        
        C:\Windows\{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{A5D259F1-4034-4363-8187-008531D251C2}.exe
        
        C:\Windows\{A5D259F1-4034-4363-8187-008531D251C2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe
        
        C:\Windows\{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\{F025CCD0-49B3-4615-9030-4443A451ECCA}.exe
        
        C:\Windows\{F025CCD0-49B3-4615-9030-4443A451ECCA}.exe
        13⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8C9E~1.EXE > nul
        13⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5D25~1.EXE > nul
        12⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4484F~1.EXE > nul
        11⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53471~1.EXE > nul
        10⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25B74~1.EXE > nul
        9⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53036~1.EXE > nul
        8⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4791~1.EXE > nul
        7⤵
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE156~1.EXE > nul
        6⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF540~1.EXE > nul
        5⤵
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14BFB~1.EXE > nul
      4⤵
      PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FB6BB~1.EXE > nul
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14BFBB56-181A-4d15-BD53-95EFD0DE47F4}.exe

Filesize
344KB

MD5
c3710a2a0c924b3df36687a265299c52

SHA1
1a5b846cc35d07a457525c02f0b9d9786030fa8a

SHA256
ea4a01ac1f1183bac7859b964ef17d0ac975f50a22486091114e1ccf0cbbc970

SHA512
727f2477398fc9e6a29b3645be939e3af7b3ac0619655d7e467024e0fe310485d2066531360e299a1d125c2af75feb6f2dd8151dc937a0dc75c1bf1389f8590f

Download Submit
C:\Windows\{25B744EB-8E1E-439e-B84F-42C55AC6B9E5}.exe

Filesize
344KB

MD5
155850ca375d325e4c1b3b697db5237c

SHA1
10290c35890e8a3826ec689b563f9d3e92526ef5

SHA256
6c801b80bca4d21f5796cb3482a60f027fd107901a15aa29e73c5d9f2ee39fa2

SHA512
3c027689e998309f1fc32b43e0edb6a87feb9e0a06e63489de13068dff03fe1411bfcb00b2e1ad23cd995780285a45e312b692cb5a8487a71fc896ceb7ca5cda

Download Submit
C:\Windows\{4484F30F-699C-43a6-A374-1173FDFF7AAC}.exe

Filesize
344KB

MD5
1fb8bb6c57b6e97e2005efdffb92c5fe

SHA1
a5505dbff8835eb594e43b817d95185d3f1df2a3

SHA256
6b4824ced1b3f0d2a1aa192ea9179959987fde0624c7cc586b872ffaff64c5e2

SHA512
65bcd6251274fa8899d25ce4014e2814da1d0604aecc5822cb5c08c84192d83b994e4a53f761b749c346bc3260f752a6111211191d31393b5c4ef6752d5244e9

Download Submit
C:\Windows\{530365D2-8E97-4493-BDBC-2462D9C2D2F4}.exe

Filesize
344KB

MD5
0c81ff68bea62ef50af4b74f1930fbca

SHA1
3a7cc2942d2e99fb1db4f0f0e6e22ad507c27f65

SHA256
8c8ddd332cac19aec69644ca1f2d21b2a68e8d9e19b2aab1dfa8cd947cea026a

SHA512
2034f3568b9074e6c1a5288b26d26e9c3d058e0d00c4fc21bab0727151282e0efa81188f776ef4a2655d82a14b09904db02e1749ea0907d207f0fc73a95c3a99

Download Submit
C:\Windows\{5347103F-9F6F-44ff-917A-855419929694}.exe

Filesize
344KB

MD5
22bd399a32c354d06535c84813c2df63

SHA1
61e4fb81c63e06ea053b67ca0910f62ddea99824

SHA256
f36efc5d2cefff96cdc2be858d1b33a3e6eaa01db6ffdd09902b8d0588cfb666

SHA512
5ec01fc42a4be2b5f14c68b5116dbf6abfc9a9d186c14164dc010171450b304cf57909696007310abacb81692248e156e765c0354912914508a4cbf7cf0e0f56

Download Submit
C:\Windows\{A5D259F1-4034-4363-8187-008531D251C2}.exe

Filesize
344KB

MD5
098adb8d10629cfbdf7f27e4552a3065

SHA1
982679293b8bd69d111b8c587b37df2733dbeeff

SHA256
a621d57656bf3da20ffaedc01fbcb490d6b46b84a0bcc6197653d2c7bdf5498e

SHA512
b18ca51c5031e27361ea991775a43df4d6dbd1d8be793e0ea76fc84a71e461e8e6f7ce481ae0990a6514f5eeeff9e50d1f2070841784c997a1a633531dbd04aa

Download Submit
C:\Windows\{C8C9EA8E-622A-4a37-A275-2AFAFFD1B3A4}.exe

Filesize
344KB

MD5
7925594372d5364b7c9a61d3b033a1c9

SHA1
ebd47f35e02c4c8ee176e4099d4a93de0e26046d

SHA256
b54a129b552e46943974e9a54ae215a3353094d62ecf6b290b0b128529057df3

SHA512
d1493599b4d0b76dc1370590b7b67904615c3aaf0f5cce8593a9f6bb24333bdb9fa5452ef89b3b546ae460fadac6f1ccbc7a1ab36da294cfa5b21a4702ed6e02

Download Submit
C:\Windows\{D4791845-695E-4187-9038-5A8C845CDE4B}.exe

Filesize
344KB

MD5
8f967b48da9f962395e87b89f04930f9

SHA1
20039a3c2c4db433b795ef4daec18e58b9b96a7b

SHA256
45dc986af9faa1b7849fe324439157b1a8499c6302e012b66b5f8eee1d5d3d39

SHA512
77b385e6d6737f5f4d58395fd194ff571e6ebca1f371f4f27cfb2e42d72b23aa6fdf16f5ddc94d0afb9744504778883952f814df4a0900ab814bc807e9eae1ab

Download Submit
C:\Windows\{F025CCD0-49B3-4615-9030-4443A451ECCA}.exe

Filesize
344KB

MD5
91bdae0e6ad0315c2e9ae29977e018d0

SHA1
3ec524312156dcb2fe33861eeca55fa2628f8e51

SHA256
864df69637fc114f862cc111464b877393199f5ecb7d051e80945b3f1fdbdda3

SHA512
31670d64d9ca5ea87d7bfd75f7c16405cb25ca288beef7a0fe9ab0a9dd3998596afc166abc6debab257722b5456869c02f7db4c0e96ef801a730f619a9247352

Download Submit
C:\Windows\{FB6BBE6E-09F7-4e20-8982-AC34A6D180C6}.exe

Filesize
344KB

MD5
39353a8abb8b9a63b2a92299ac66cb00

SHA1
2819ef3b865dff1a581e8f57a0602927f5cdd667

SHA256
dee7c53fddc3a8f79b4bb1d12d63dffe9893480cc7b630f8000a5ba5c0c710bd

SHA512
1d5c1553d2ceef6b8d3f860922577f36e74a2f8b455b375ba7f5959031aadcf9e7c74438b7b0acacaa15414ec61172311ba1e51ddcabf7902a1bd11fdd64b2e5

Download Submit
C:\Windows\{FE15602A-1BF9-42bf-9FA5-8103FA36C58C}.exe

Filesize
344KB

MD5
189351b6ce8dd347554a01e17ab8ede7

SHA1
275a18d4af51d49be4620b40bb5782f568b033a8

SHA256
aad0e36eac442b2175bec2241911b019002a95b02417d3565d4c6b2684e455f9

SHA512
23f00e603e04610e5483072e247fc4bdd6aec024761406f919c39a9f54b1b3b55f9b347ef3d4e171fae100b4967ce10ceff6866a0f605e08b28542377a29b29c

Download Submit
C:\Windows\{FF540690-BDD7-48f1-B13B-2AB6453B17A6}.exe

Filesize
344KB

MD5
80c6e4c8b60f5d55bd31d6efd70f10d5

SHA1
62a90c424581c954e8a6e40233dc74c832b2fc69

SHA256
d1749446c6a15f616b5323feca32104454cfe6b3fc74bd680c0ad93e4a87a487

SHA512
2eaf1d71d264c972716925ba265667fe9d2f720159f03d55d054b977b9f61d376d0eef9106332ddec296c6d311f11605f59518cb33bb6ae45f925d3b60b66b60

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads