815e162576a1af21b4b0c98ac57e08daa8973343cc0dbeeeb0da3c0bbe3d1f47

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 06:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Size

197KB
MD5

710e29806463078c8a0df7f12f4e433f
SHA1

4d50330b06b9f2b96894856dc4a0a44995708915
SHA256

815e162576a1af21b4b0c98ac57e08daa8973343cc0dbeeeb0da3c0bbe3d1f47
SHA512

7fb2783a036ba07fa975e30f25ea742d2e79546770ae423b20f2918da2f99049216095863fd17b28f0c36e36346d36fe78636966b92ae2a951c0a67e20413c20
SSDEEP

3072:jEGh0oxl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG7lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233cf-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233d0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233c7-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233c8-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233c7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233c8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233c7-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023452-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233c7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023452-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023456-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023452-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A375A4-9682-4391-848C-E2BBDD4BB2D5}\stubpath = "C:\\Windows\\{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe"	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}\stubpath = "C:\\Windows\\{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe"	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760DD9E3-3E7E-4767-8B7B-602466A241F2}\stubpath = "C:\\Windows\\{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe"	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{595C285C-7126-472d-8214-C7887C9D7869}\stubpath = "C:\\Windows\\{595C285C-7126-472d-8214-C7887C9D7869}.exe"	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C8AF57-F669-4d7b-85B0-0D25F86188DA}\stubpath = "C:\\Windows\\{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe"	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C8AF57-F669-4d7b-85B0-0D25F86188DA}	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A375A4-9682-4391-848C-E2BBDD4BB2D5}	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86588C8A-DF89-41e7-8903-74528AF893A8}	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760DD9E3-3E7E-4767-8B7B-602466A241F2}	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{595C285C-7126-472d-8214-C7887C9D7869}	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}\stubpath = "C:\\Windows\\{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe"	{595C285C-7126-472d-8214-C7887C9D7869}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C819F2BB-E9C8-4157-9859-F511AFD4A10B}\stubpath = "C:\\Windows\\{C819F2BB-E9C8-4157-9859-F511AFD4A10B}.exe"	{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1005F8D0-479E-4482-9170-C2F4D5CE0D02}	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1005F8D0-479E-4482-9170-C2F4D5CE0D02}\stubpath = "C:\\Windows\\{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe"	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86588C8A-DF89-41e7-8903-74528AF893A8}\stubpath = "C:\\Windows\\{86588C8A-DF89-41e7-8903-74528AF893A8}.exe"	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}\stubpath = "C:\\Windows\\{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe"	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C819F2BB-E9C8-4157-9859-F511AFD4A10B}	{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}	{595C285C-7126-472d-8214-C7887C9D7869}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}\stubpath = "C:\\Windows\\{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe"	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}\stubpath = "C:\\Windows\\{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe"	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe

Executes dropped EXE 12 IoCs

pid	Process
4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe
376	{595C285C-7126-472d-8214-C7887C9D7869}.exe
2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe
3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe
5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe
1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe
1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe
3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe
852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe
4384	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe
4472	{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe
4516	{C819F2BB-E9C8-4157-9859-F511AFD4A10B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe
File created	C:\Windows\{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe
File created	C:\Windows\{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe	{595C285C-7126-472d-8214-C7887C9D7869}.exe
File created	C:\Windows\{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe
File created	C:\Windows\{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe
File created	C:\Windows\{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe
File created	C:\Windows\{86588C8A-DF89-41e7-8903-74528AF893A8}.exe	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe
File created	C:\Windows\{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe
File created	C:\Windows\{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe
File created	C:\Windows\{C819F2BB-E9C8-4157-9859-F511AFD4A10B}.exe	{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe
File created	C:\Windows\{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
File created	C:\Windows\{595C285C-7126-472d-8214-C7887C9D7869}.exe	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	968	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe
Token: SeIncBasePriorityPrivilege	376	{595C285C-7126-472d-8214-C7887C9D7869}.exe
Token: SeIncBasePriorityPrivilege	2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe
Token: SeIncBasePriorityPrivilege	3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe
Token: SeIncBasePriorityPrivilege	5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe
Token: SeIncBasePriorityPrivilege	1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe
Token: SeIncBasePriorityPrivilege	1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe
Token: SeIncBasePriorityPrivilege	3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe
Token: SeIncBasePriorityPrivilege	852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe
Token: SeIncBasePriorityPrivilege	4384	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe
Token: SeIncBasePriorityPrivilege	4472	{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 4308	968	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	95
PID 968 wrote to memory of 4308	968	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	95
PID 968 wrote to memory of 4308	968	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	95
PID 968 wrote to memory of 3864	968	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	96
PID 968 wrote to memory of 3864	968	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	96
PID 968 wrote to memory of 3864	968	2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe	96
PID 4308 wrote to memory of 376	4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe	97
PID 4308 wrote to memory of 376	4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe	97
PID 4308 wrote to memory of 376	4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe	97
PID 4308 wrote to memory of 3260	4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe	98
PID 4308 wrote to memory of 3260	4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe	98
PID 4308 wrote to memory of 3260	4308	{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe	98
PID 376 wrote to memory of 2972	376	{595C285C-7126-472d-8214-C7887C9D7869}.exe	101
PID 376 wrote to memory of 2972	376	{595C285C-7126-472d-8214-C7887C9D7869}.exe	101
PID 376 wrote to memory of 2972	376	{595C285C-7126-472d-8214-C7887C9D7869}.exe	101
PID 376 wrote to memory of 952	376	{595C285C-7126-472d-8214-C7887C9D7869}.exe	102
PID 376 wrote to memory of 952	376	{595C285C-7126-472d-8214-C7887C9D7869}.exe	102
PID 376 wrote to memory of 952	376	{595C285C-7126-472d-8214-C7887C9D7869}.exe	102
PID 2972 wrote to memory of 3928	2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe	103
PID 2972 wrote to memory of 3928	2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe	103
PID 2972 wrote to memory of 3928	2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe	103
PID 2972 wrote to memory of 4296	2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe	104
PID 2972 wrote to memory of 4296	2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe	104
PID 2972 wrote to memory of 4296	2972	{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe	104
PID 3928 wrote to memory of 5028	3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe	106
PID 3928 wrote to memory of 5028	3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe	106
PID 3928 wrote to memory of 5028	3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe	106
PID 3928 wrote to memory of 3064	3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe	107
PID 3928 wrote to memory of 3064	3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe	107
PID 3928 wrote to memory of 3064	3928	{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe	107
PID 5028 wrote to memory of 1428	5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe	108
PID 5028 wrote to memory of 1428	5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe	108
PID 5028 wrote to memory of 1428	5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe	108
PID 5028 wrote to memory of 1208	5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe	109
PID 5028 wrote to memory of 1208	5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe	109
PID 5028 wrote to memory of 1208	5028	{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe	109
PID 1428 wrote to memory of 1000	1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe	110
PID 1428 wrote to memory of 1000	1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe	110
PID 1428 wrote to memory of 1000	1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe	110
PID 1428 wrote to memory of 3480	1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe	111
PID 1428 wrote to memory of 3480	1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe	111
PID 1428 wrote to memory of 3480	1428	{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe	111
PID 1000 wrote to memory of 3456	1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe	119
PID 1000 wrote to memory of 3456	1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe	119
PID 1000 wrote to memory of 3456	1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe	119
PID 1000 wrote to memory of 768	1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe	120
PID 1000 wrote to memory of 768	1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe	120
PID 1000 wrote to memory of 768	1000	{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe	120
PID 3456 wrote to memory of 852	3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe	121
PID 3456 wrote to memory of 852	3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe	121
PID 3456 wrote to memory of 852	3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe	121
PID 3456 wrote to memory of 3584	3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe	122
PID 3456 wrote to memory of 3584	3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe	122
PID 3456 wrote to memory of 3584	3456	{86588C8A-DF89-41e7-8903-74528AF893A8}.exe	122
PID 852 wrote to memory of 4384	852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe	123
PID 852 wrote to memory of 4384	852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe	123
PID 852 wrote to memory of 4384	852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe	123
PID 852 wrote to memory of 4956	852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe	124
PID 852 wrote to memory of 4956	852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe	124
PID 852 wrote to memory of 4956	852	{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe	124
PID 4384 wrote to memory of 4472	4384	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe	127
PID 4384 wrote to memory of 4472	4384	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe	127
PID 4384 wrote to memory of 4472	4384	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe	127
PID 4384 wrote to memory of 632	4384	{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_710e29806463078c8a0df7f12f4e433f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe
  C:\Windows\{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\{595C285C-7126-472d-8214-C7887C9D7869}.exe
    C:\Windows\{595C285C-7126-472d-8214-C7887C9D7869}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe
      C:\Windows\{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe
        
        C:\Windows\{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe
        
        C:\Windows\{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe
        
        C:\Windows\{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe
        
        C:\Windows\{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\{86588C8A-DF89-41e7-8903-74528AF893A8}.exe
        
        C:\Windows\{86588C8A-DF89-41e7-8903-74528AF893A8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe
        
        C:\Windows\{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe
        
        C:\Windows\{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe
        
        C:\Windows\{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\{C819F2BB-E9C8-4157-9859-F511AFD4A10B}.exe
        
        C:\Windows\{C819F2BB-E9C8-4157-9859-F511AFD4A10B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE0F9~1.EXE > nul
        13⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EAFD~1.EXE > nul
        12⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CB5C~1.EXE > nul
        11⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86588~1.EXE > nul
        10⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1C5~1.EXE > nul
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28A37~1.EXE > nul
        8⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C8A~1.EXE > nul
        7⤵
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1005F~1.EXE > nul
        6⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4277E~1.EXE > nul
        5⤵
        
        PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{595C2~1.EXE > nul
      4⤵
      PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{760DD~1.EXE > nul
    3⤵
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A1C539D-5C56-488c-A95E-EDAB5CE4A381}.exe

Filesize
197KB

MD5
ddd691ad6559da71c25cb458c8998761

SHA1
b6569a9a06e4a41f1940f0c148039715d6a06870

SHA256
baa3ce0f61d6ef5810d95ff15cf92fff558d2e26cca458ba07a26b645946eb62

SHA512
b7570753134bd462e21275abb679f229b9a834ed821e2db3fc99c9a38eb16aab5af8e93b30a7c947eded3f2aac5b3c0e5a048f21807c0b3ffba1d0c9d106215d

Download Submit
C:\Windows\{0CB5CC6E-15DE-4eab-A3B7-39DAD6A4F157}.exe

Filesize
197KB

MD5
f00c1d59773b280c4899612ff706a61a

SHA1
d5ddfe71185a5058d56a060894a605abba53442b

SHA256
c9341e38a8239fa908c8918112ed9a2e0a74e92c45e411d6061d53b16e99d8c8

SHA512
85d1d9bb837c16684dc601ae1107bcb26cfd2c17f5387291ed5bf946c8bdf8c2350f27888550f629f6379634feae04d83653d9c6c36f8f3bde28d16a97987f82

Download Submit
C:\Windows\{1005F8D0-479E-4482-9170-C2F4D5CE0D02}.exe

Filesize
197KB

MD5
4c5e7daa6b252c435b395331e01f4782

SHA1
0ca2cddee9ae81fdfc517fe19a518ad70ded67ee

SHA256
40f1f9f891cb8913e8f85aca856ea54bb259ba3e57db63996e05be88b719a07d

SHA512
e92f147e6eaa5c8dc772a8136834d952684b2ac1f2bb76955384e7c2228e5380d0b06a9d84bfc2470068324470369c5f180ed0d426a8da19d7653519444dfd3c

Download Submit
C:\Windows\{28A375A4-9682-4391-848C-E2BBDD4BB2D5}.exe

Filesize
197KB

MD5
925af41aa4796cccac1db00b302bec10

SHA1
4e6072c33be0a4c61779ced01b6aa1da7b2e4a6a

SHA256
56eac63f5e87ce61cc979192134e5afa61dc8c49e0525734948d2d2c7acfecd2

SHA512
325f2f2561168f0aa7fae529612d1d7565139fffbbbefe0423bf8b4f1f29961c16e740db22ded8e3dea982e2350508d0510b819d204e7b41fc667f131f07ef1b

Download Submit
C:\Windows\{29C8AF57-F669-4d7b-85B0-0D25F86188DA}.exe

Filesize
197KB

MD5
a24884753bcd77d6187e686a2194cd6e

SHA1
954685669f88f8bdcebd08407299d619b62ee596

SHA256
42ca34141d9ce866a247726620534b313d4a044c90e315af988b0820fc1ddb6c

SHA512
66cfcbe8c5c49411acdda037dc2b8873c4e3d88d3305a5c4d9a0a9e751a45329563c41652c2afb5d9fb5e1a2b13060ddd672319e7d78179fa7f3ead363f809e6

Download Submit
C:\Windows\{2EAFDD75-93D5-4e8c-8D49-74A50F6C8E5D}.exe

Filesize
197KB

MD5
06b0b5c74747f1c123766bdf866792eb

SHA1
c43bd2781f06f9643ce08d70f097c40dfd1f8bb1

SHA256
0992844e0afec5f61d1561529976fb0f6fcea6e3b170d4490c2d3be4a0ab83e4

SHA512
c96f36fa4120bc7be357e8be7f9737ee13b35aa3be367a4c691b3810c44b029d2cbddfbc0b0737dc3c3949a4c80a51b11ff2ae5930d52e9fad2d035501dd9712

Download Submit
C:\Windows\{4277E5C7-EBF9-4d23-B302-DA703AD65C1A}.exe

Filesize
197KB

MD5
382a94111125eb44224263241f7a71e1

SHA1
c2b5f55da8cc4f5e89e6b727f37e79ec8913c2e5

SHA256
609ce2ec9db951990a74a40bdf22f713f28eea82de5ff0af36b1423957f465f0

SHA512
dd1cef64b69cf88c63cd8499ba942125c86cd48f8a21b7dac6429257ee6e735155d09927a42e8a74b8963da4feb53f9a9af48bad63ac47782d4920788d52d075

Download Submit
C:\Windows\{595C285C-7126-472d-8214-C7887C9D7869}.exe

Filesize
197KB

MD5
53804059c60c1553493b7eeb601f3d5c

SHA1
136c4dbffd7c0cc4b42ad4693c793a2f36021424

SHA256
a6765c5a814c150d8df389a4e39018f7e89b49f67c7a3890e93b2874ed48d604

SHA512
55faed9b9f5b2ed62b56332eb96a90caca4503d0214a7921df4af6d32e17f92fdaed30438626ee5143cfc4881a28fefa23302a55b576039ce04e31477c03f0a1

Download Submit
C:\Windows\{760DD9E3-3E7E-4767-8B7B-602466A241F2}.exe

Filesize
197KB

MD5
285a53066d2115b3bf9f30dd8148f98e

SHA1
58d6e326f2648d8da4fe7897fb9523d8024a269a

SHA256
7cb7ba14cc7bf41dae08d98568df4b93b187a0ce074ded81aa272630fa6f4b9b

SHA512
b0952534d8f6ff708d576b027f7ca81c925c39d98909a7c2b0cfea719dbca1fb5cffc75de8e27ccbbe7fe3f46ef8ee555aa4486dffaa7d73c5efead46a135b18

Download Submit
C:\Windows\{86588C8A-DF89-41e7-8903-74528AF893A8}.exe

Filesize
197KB

MD5
ef99ad449050e0e7de3f246b3bc51393

SHA1
bb914cdaa4096ebec8bf6c2c8ade3c21fcb50ca6

SHA256
c93c582025b797522b3d3c8658c937fd48e5c36f7ccf59510075a0aafaa3ac5b

SHA512
36c176386027f68e04f3c9ecbb82efd364a4db789e60c6e7a4784e350f8bf948f65f0f9366319e10119db393bbf695e74dfa967224bf42a8fb1a6f3050609e01

Download Submit
C:\Windows\{BE0F9E4F-76BE-458a-BA8B-3C42509338B6}.exe

Filesize
197KB

MD5
f2e6bcc9d78e2d774ac3237fb16f9450

SHA1
74d71c017d9d52e80016ee6f32316cfddaca861f

SHA256
f17431c79e45cb25708739adafe27b03e212c3aa5f2f88e67b81d87504be49b1

SHA512
7c2802e60e9ded3b36d6152b78df2c592606da7a6c27cd79b0dda4a5f6eedce6e5f07b0b4fda5c1d6e25e401a78d2035f631f6387afdb48884567dbcff899274

Download Submit
C:\Windows\{C819F2BB-E9C8-4157-9859-F511AFD4A10B}.exe

Filesize
197KB

MD5
cc2817c63806cf49dbd9764319a4bc52

SHA1
b3204b3b7192ddeaa5dcbbdfb6551b8cf592c809

SHA256
ee6775f081e79a1eac1e7a472989076578f4f578081155c985f4ab738f74b0a6

SHA512
58c155912594bf6c73b432be18a072db3475421519ad2ffa4c6b57d3ca2a487554a8febbc5cf91beb732607ff239c68ac554efe01533536400beac06a7f2ec97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads