27399b4882f00578218e5723b6312edb8ec4302deef21b726ebc10cf5ff4c8eb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe
Size

197KB
MD5

25bd23d4a4df74e1941b757663a16f1b
SHA1

8911ef6929eceef043b9289efb885c6331b6edca
SHA256

27399b4882f00578218e5723b6312edb8ec4302deef21b726ebc10cf5ff4c8eb
SHA512

54177981a3b4c59c8fd4661a5f9145aa613e5f91a76a6815a3c504f96db0a3bdde17789bfbfcd702c6661794404b8d8bed412cb3bbedbfbd6f94bf3d547e3058
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGRlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023419-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023412-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023412-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021793-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021797-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021793-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000715-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D692DE5-A944-4db0-9DE1-C33080973EC9}\stubpath = "C:\\Windows\\{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe"	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A8A3C13-1EFD-4863-A050-FB95D4060595}\stubpath = "C:\\Windows\\{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe"	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D2C57F-764F-41c9-82A4-26E521FDB67B}\stubpath = "C:\\Windows\\{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe"	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E26CDF-B945-4830-980E-848DB287AD39}\stubpath = "C:\\Windows\\{41E26CDF-B945-4830-980E-848DB287AD39}.exe"	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}\stubpath = "C:\\Windows\\{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe"	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA1DDC21-FF45-43cd-AA5E-8140098BC332}\stubpath = "C:\\Windows\\{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe"	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D2C57F-764F-41c9-82A4-26E521FDB67B}	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73D2F294-A862-47f8-9107-84C9A94D04DB}\stubpath = "C:\\Windows\\{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe"	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}\stubpath = "C:\\Windows\\{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}.exe"	{41E26CDF-B945-4830-980E-848DB287AD39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D692DE5-A944-4db0-9DE1-C33080973EC9}	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA1DDC21-FF45-43cd-AA5E-8140098BC332}	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E26CDF-B945-4830-980E-848DB287AD39}	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73D2F294-A862-47f8-9107-84C9A94D04DB}	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04427CA3-FDE3-400f-BC69-230D328E0811}	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04427CA3-FDE3-400f-BC69-230D328E0811}\stubpath = "C:\\Windows\\{04427CA3-FDE3-400f-BC69-230D328E0811}.exe"	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A8A3C13-1EFD-4863-A050-FB95D4060595}	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F2EE64-F14D-40e9-8307-119B94C79ACC}	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F2EE64-F14D-40e9-8307-119B94C79ACC}\stubpath = "C:\\Windows\\{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe"	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}\stubpath = "C:\\Windows\\{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe"	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}\stubpath = "C:\\Windows\\{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe"	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}	{41E26CDF-B945-4830-980E-848DB287AD39}.exe

Executes dropped EXE 12 IoCs

pid	Process
4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe
4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe
812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe
4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe
1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe
1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe
3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe
1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe
4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe
848	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe
1128	{41E26CDF-B945-4830-980E-848DB287AD39}.exe
1432	{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe
File created	C:\Windows\{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe
File created	C:\Windows\{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe
File created	C:\Windows\{04427CA3-FDE3-400f-BC69-230D328E0811}.exe	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe
File created	C:\Windows\{41E26CDF-B945-4830-980E-848DB287AD39}.exe	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe
File created	C:\Windows\{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe
File created	C:\Windows\{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe
File created	C:\Windows\{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe
File created	C:\Windows\{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe
File created	C:\Windows\{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe
File created	C:\Windows\{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}.exe	{41E26CDF-B945-4830-980E-848DB287AD39}.exe
File created	C:\Windows\{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	736	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe
Token: SeIncBasePriorityPrivilege	4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe
Token: SeIncBasePriorityPrivilege	812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe
Token: SeIncBasePriorityPrivilege	4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe
Token: SeIncBasePriorityPrivilege	1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe
Token: SeIncBasePriorityPrivilege	1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe
Token: SeIncBasePriorityPrivilege	3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe
Token: SeIncBasePriorityPrivilege	1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe
Token: SeIncBasePriorityPrivilege	4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe
Token: SeIncBasePriorityPrivilege	848	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe
Token: SeIncBasePriorityPrivilege	1128	{41E26CDF-B945-4830-980E-848DB287AD39}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4312	736	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe	91
PID 736 wrote to memory of 4312	736	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe	91
PID 736 wrote to memory of 4312	736	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe	91
PID 736 wrote to memory of 2252	736	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe	92
PID 736 wrote to memory of 2252	736	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe	92
PID 736 wrote to memory of 2252	736	2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe	92
PID 4312 wrote to memory of 4292	4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe	93
PID 4312 wrote to memory of 4292	4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe	93
PID 4312 wrote to memory of 4292	4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe	93
PID 4312 wrote to memory of 3884	4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe	94
PID 4312 wrote to memory of 3884	4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe	94
PID 4312 wrote to memory of 3884	4312	{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe	94
PID 4292 wrote to memory of 812	4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe	96
PID 4292 wrote to memory of 812	4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe	96
PID 4292 wrote to memory of 812	4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe	96
PID 4292 wrote to memory of 4748	4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe	97
PID 4292 wrote to memory of 4748	4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe	97
PID 4292 wrote to memory of 4748	4292	{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe	97
PID 812 wrote to memory of 4088	812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe	98
PID 812 wrote to memory of 4088	812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe	98
PID 812 wrote to memory of 4088	812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe	98
PID 812 wrote to memory of 1792	812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe	99
PID 812 wrote to memory of 1792	812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe	99
PID 812 wrote to memory of 1792	812	{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe	99
PID 4088 wrote to memory of 1292	4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe	100
PID 4088 wrote to memory of 1292	4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe	100
PID 4088 wrote to memory of 1292	4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe	100
PID 4088 wrote to memory of 4512	4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe	101
PID 4088 wrote to memory of 4512	4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe	101
PID 4088 wrote to memory of 4512	4088	{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe	101
PID 1292 wrote to memory of 1844	1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe	102
PID 1292 wrote to memory of 1844	1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe	102
PID 1292 wrote to memory of 1844	1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe	102
PID 1292 wrote to memory of 4328	1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe	103
PID 1292 wrote to memory of 4328	1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe	103
PID 1292 wrote to memory of 4328	1292	{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe	103
PID 1844 wrote to memory of 3324	1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe	104
PID 1844 wrote to memory of 3324	1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe	104
PID 1844 wrote to memory of 3324	1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe	104
PID 1844 wrote to memory of 920	1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe	105
PID 1844 wrote to memory of 920	1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe	105
PID 1844 wrote to memory of 920	1844	{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe	105
PID 3324 wrote to memory of 1916	3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe	106
PID 3324 wrote to memory of 1916	3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe	106
PID 3324 wrote to memory of 1916	3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe	106
PID 3324 wrote to memory of 960	3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe	107
PID 3324 wrote to memory of 960	3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe	107
PID 3324 wrote to memory of 960	3324	{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe	107
PID 1916 wrote to memory of 4736	1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe	108
PID 1916 wrote to memory of 4736	1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe	108
PID 1916 wrote to memory of 4736	1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe	108
PID 1916 wrote to memory of 2340	1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe	109
PID 1916 wrote to memory of 2340	1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe	109
PID 1916 wrote to memory of 2340	1916	{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe	109
PID 4736 wrote to memory of 848	4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe	110
PID 4736 wrote to memory of 848	4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe	110
PID 4736 wrote to memory of 848	4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe	110
PID 4736 wrote to memory of 456	4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe	111
PID 4736 wrote to memory of 456	4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe	111
PID 4736 wrote to memory of 456	4736	{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe	111
PID 848 wrote to memory of 1128	848	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe	112
PID 848 wrote to memory of 1128	848	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe	112
PID 848 wrote to memory of 1128	848	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe	112
PID 848 wrote to memory of 4608	848	{04427CA3-FDE3-400f-BC69-230D328E0811}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_25bd23d4a4df74e1941b757663a16f1b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe
  C:\Windows\{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe
    C:\Windows\{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe
      C:\Windows\{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe
        
        C:\Windows\{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe
        
        C:\Windows\{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe
        
        C:\Windows\{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe
        
        C:\Windows\{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe
        
        C:\Windows\{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe
        
        C:\Windows\{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{04427CA3-FDE3-400f-BC69-230D328E0811}.exe
        
        C:\Windows\{04427CA3-FDE3-400f-BC69-230D328E0811}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\{41E26CDF-B945-4830-980E-848DB287AD39}.exe
        
        C:\Windows\{41E26CDF-B945-4830-980E-848DB287AD39}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}.exe
        
        C:\Windows\{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41E26~1.EXE > nul
        13⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04427~1.EXE > nul
        12⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73D2F~1.EXE > nul
        11⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FA8~1.EXE > nul
        10⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB38D~1.EXE > nul
        9⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21D2C~1.EXE > nul
        8⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43F2E~1.EXE > nul
        7⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A8A3~1.EXE > nul
        6⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA1DD~1.EXE > nul
        5⤵
        
        PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE0A~1.EXE > nul
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7D692~1.EXE > nul
    3⤵
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04427CA3-FDE3-400f-BC69-230D328E0811}.exe

Filesize
197KB

MD5
bb93df95b844903378e909999cd108f4

SHA1
9063c6da6ea0f86d6675d2c8666cf8acb8eea04d

SHA256
482a1fe18e87f2ed03027f860f978f0ae3560e65eb52be3762e503efe1112ee9

SHA512
3887f48be5a6be78d72c62b17640ac27a79c2f571ff937ac6a7ca5363ea0132a81ee08a1c19fc80faae0c38a1536fc82b09b8a2e4e51c387b8ef6be468a01ece

Download Submit
C:\Windows\{21D2C57F-764F-41c9-82A4-26E521FDB67B}.exe

Filesize
197KB

MD5
f6d6384977a9789bc3cf951053274903

SHA1
070ab5528ad38934728475c2e99dfef3ed8e36a8

SHA256
19285f7fd132c3eeeeb8a0c7dd44c8bed6841cc0e4108d25140d66e14fc67864

SHA512
0e74cfa02641d47a4e2433ccea4e1681e4da4ecfd74f65a60b92a3b586acca61899efddec3b372d3b5c2aa4679da3623e42e70ac31986c89557b728f02e0ab15

Download Submit
C:\Windows\{2A8A3C13-1EFD-4863-A050-FB95D4060595}.exe

Filesize
197KB

MD5
e2588d2240f6b3542faa9e1b0747980f

SHA1
6bb36be40a8704bb0defae9a3de8b10651ae97e2

SHA256
a532c3aa7fd3273234061f8dffeb93a8e6b2a726d56363125769d86df10adaa8

SHA512
740785ccc686aaef32df5030018526db86710c96786dacbed277330f2304e00dc8205792bce35ccc5c0217d04a924682c42c59037f4daa95bf59a6e09c780a40

Download Submit
C:\Windows\{41E26CDF-B945-4830-980E-848DB287AD39}.exe

Filesize
197KB

MD5
4fdddbc198d6b4100f34b2c94448e009

SHA1
e92ab02c7156678e983ad2c529609ebbe6b9bb90

SHA256
9187f0aa4deca26a80c6e3b45ee4bc4c449f537a0ce718b3aa1499f839cee8c6

SHA512
8257498c534d71d5c369a4b2ac3c992b782b7835cf77bad067e3f4667487d8f2c199f82958674d5900c8be410926ba9d8a37e4dda0e44d488aece7d55b2d15cb

Download Submit
C:\Windows\{43F2EE64-F14D-40e9-8307-119B94C79ACC}.exe

Filesize
197KB

MD5
507cb536881f3abf6477590ff0ac5750

SHA1
c7c65aaa516ff58ea1d9652686d3847812b0317a

SHA256
e23ad525f07e8a5680f27227c0eff8f41e277e728ccea7739779295834dc9077

SHA512
2d11aab2f9099b7f01767ad84c92b3392a719b22788ab2dc1be5633e14197611a3d4103096d27d3e378861ead8e33a0463ea0c550303a86efc38ed50468d1fc0

Download Submit
C:\Windows\{73D2F294-A862-47f8-9107-84C9A94D04DB}.exe

Filesize
197KB

MD5
c50dcf8157765a8af23f784a5f95290c

SHA1
85c248f3172813d9646b65bc2869241d4abec4eb

SHA256
91540b2f98387eb6e6b12e53f9cbdeea16ad269abb780770c55ba39d24920859

SHA512
8bf45210e7dca7de6aa682518102f5986df91e665b7dbfa6b3aea4d29603b565c43ffc4cb2ceff8b41f36831695de9a9e95298efbf74c3f911e36003a2e6c311

Download Submit
C:\Windows\{7D692DE5-A944-4db0-9DE1-C33080973EC9}.exe

Filesize
197KB

MD5
48d2fc69248c1d23c623e96412b45ad5

SHA1
df6fdb86b0916a12fc5169d80a3760d3b966ee73

SHA256
8e0f5baa8ec454534adc2d54e0b0deae39e911f2d699ea90efb60cc10c34354d

SHA512
c8a6e090861117d13bd1cb816736ee2c37c772fa750a6ea4b191795567705be3a26ddde1617f0bd289eb269c0f5e92964cb7c3bd45e8891d79fdc95a4de49f54

Download Submit
C:\Windows\{CB38DAF2-E287-448a-8E5B-32CE2E2CF1FB}.exe

Filesize
197KB

MD5
311da045d507e24a2d26a3f731b7cf67

SHA1
1860d4cf69f0aa89c9bb292761aa0fb6eddc275b

SHA256
d82ea4cb57c3902c5c3bcdc925025f02a37eaa22f04bd7a73a013ec97cffbd06

SHA512
655fd5ad7ea6488c49e4c40d2f75a533c0eb5e4de92a14d2802b3d100965c68842b80bb44c17f8b9dc226c56166ae28470324fef52b3272067cc5c2b65e0bb5e

Download Submit
C:\Windows\{D7FA8D44-352D-47e2-BF6A-0907A4C30EF9}.exe

Filesize
197KB

MD5
848f18ef5e30ce3d3b7a24e3ab8e24dd

SHA1
0c77d86eb4e82db2d2d8ee681548f071d1a9db8f

SHA256
3c976f90758ede7dd8989efdff2d6532cc5742c67cf910a22c12122f2999fb83

SHA512
c69a3a38a23d6abba98c7541667f5c94db0edaa732979e448d47c3c04d3d900f997eacec73dba24575fdeef0da145aa320dec15a59e4f4d563aaa9262cd8e370

Download Submit
C:\Windows\{DBE0AD54-5FF1-4683-BE63-4506BFAAA1C9}.exe

Filesize
197KB

MD5
93756b1b8c56197d902db5493761b1ec

SHA1
3472fcff7ff7b37dab89f59865e24c693ae57abf

SHA256
fcd6ca88d85e801cd253ef4d3a013c574b56a5f903f803b886455f196bc640ff

SHA512
8b4c3070817cacb2488a898b66ced5ef1111e1319b804845f66fedd3ee7aa8b04d5becf58c6cc72557472886380ddd35bbe9e73b5d54df39e40b10a19a6b9c56

Download Submit
C:\Windows\{EA1DDC21-FF45-43cd-AA5E-8140098BC332}.exe

Filesize
197KB

MD5
f8eb262404a44ad03638307e0f336365

SHA1
4ad548a9bca41220eaa63a2c90509232c6dc481d

SHA256
c8ab9d7cd7823b53f2a8ca38286f89a3c805bddc098a1415aa975314f00cb531

SHA512
1bab87c4ae89ad1433072f126423be774e5f8427ec170170ee0d406a9dbd0efb6264b93ef83a8bc8731968828914c41c5a363d3cb8c4535d4f8b717ff4c822a9

Download Submit
C:\Windows\{EA6B92B9-04EB-4aed-A50C-4B36B32FBD3F}.exe

Filesize
197KB

MD5
22e79f6ec2345054c58fa838505c66b0

SHA1
91d60c65e6fd7437a4f00f16a48387cea0af5e73

SHA256
31814cd71b83e76980e3f5254056e09c764b250ed576a7820606d126cedb63cd

SHA512
5c9f1a7e8d866da0ee8759208a60b09fa6d7accc44964609db4362f499243cb6029dff621b59c2bd8bcb78fb59bf837ec3d43861fdf77ab25da370b78dc5fcc8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads