766479b07cac21aca2345fd57b03e847b4af2ad5cab1f1d1e48e17a72c9e991e

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
Size

180KB
MD5

b88d8a8d11dc5a7252e9b84af5ea2ed0
SHA1

a262911f2e966a07c9e293cf33760f1a7bb7f9bb
SHA256

766479b07cac21aca2345fd57b03e847b4af2ad5cab1f1d1e48e17a72c9e991e
SHA512

cd827ca07c46a1306203c3413c1f85787b207c4a1dd63d288f0de43f00ab00fa66c25048ca2fffc42ae215453222b9e60dc2657ac8b1b25aa21952f0745868b3
SSDEEP

3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023403-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023408-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340e-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023408-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021793-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021797-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021793-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4804963-326F-488a-A3AF-E8F6515596EE}	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19141873-3DE0-451c-A4F1-283A5402EFCB}\stubpath = "C:\\Windows\\{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe"	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DE60B82-57DC-456c-AB56-46E4C879E096}	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C631507-56BF-4298-A1F3-42814A58D0D1}	{52890C36-B180-481e-AA74-D190D7F4839D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C631507-56BF-4298-A1F3-42814A58D0D1}\stubpath = "C:\\Windows\\{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe"	{52890C36-B180-481e-AA74-D190D7F4839D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}	{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{323860E0-96B1-4f68-9A80-6D30E2708BCC}	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C53A5B5-DB00-46d1-80E8-B438A05B7561}	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C53A5B5-DB00-46d1-80E8-B438A05B7561}\stubpath = "C:\\Windows\\{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe"	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52890C36-B180-481e-AA74-D190D7F4839D}	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52890C36-B180-481e-AA74-D190D7F4839D}\stubpath = "C:\\Windows\\{52890C36-B180-481e-AA74-D190D7F4839D}.exe"	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{323860E0-96B1-4f68-9A80-6D30E2708BCC}\stubpath = "C:\\Windows\\{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe"	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4804963-326F-488a-A3AF-E8F6515596EE}\stubpath = "C:\\Windows\\{E4804963-326F-488a-A3AF-E8F6515596EE}.exe"	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19141873-3DE0-451c-A4F1-283A5402EFCB}	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DE60B82-57DC-456c-AB56-46E4C879E096}\stubpath = "C:\\Windows\\{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe"	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}\stubpath = "C:\\Windows\\{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe"	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}\stubpath = "C:\\Windows\\{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe"	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}\stubpath = "C:\\Windows\\{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}.exe"	{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D415BF7D-57B4-4db5-A513-87151802527E}\stubpath = "C:\\Windows\\{D415BF7D-57B4-4db5-A513-87151802527E}.exe"	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}	{D415BF7D-57B4-4db5-A513-87151802527E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}\stubpath = "C:\\Windows\\{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe"	{D415BF7D-57B4-4db5-A513-87151802527E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D415BF7D-57B4-4db5-A513-87151802527E}	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe
3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe
3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe
4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe
2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe
4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe
856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe
3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe
3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe
4844	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe
4728	{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe
5020	{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D415BF7D-57B4-4db5-A513-87151802527E}.exe	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
File created	C:\Windows\{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe	{D415BF7D-57B4-4db5-A513-87151802527E}.exe
File created	C:\Windows\{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe
File created	C:\Windows\{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe
File created	C:\Windows\{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe
File created	C:\Windows\{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}.exe	{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe
File created	C:\Windows\{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe
File created	C:\Windows\{E4804963-326F-488a-A3AF-E8F6515596EE}.exe	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe
File created	C:\Windows\{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe
File created	C:\Windows\{52890C36-B180-481e-AA74-D190D7F4839D}.exe	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe
File created	C:\Windows\{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe	{52890C36-B180-481e-AA74-D190D7F4839D}.exe
File created	C:\Windows\{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4852	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe
Token: SeIncBasePriorityPrivilege	3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe
Token: SeIncBasePriorityPrivilege	3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe
Token: SeIncBasePriorityPrivilege	4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe
Token: SeIncBasePriorityPrivilege	2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe
Token: SeIncBasePriorityPrivilege	4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe
Token: SeIncBasePriorityPrivilege	856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe
Token: SeIncBasePriorityPrivilege	3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe
Token: SeIncBasePriorityPrivilege	3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe
Token: SeIncBasePriorityPrivilege	4844	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe
Token: SeIncBasePriorityPrivilege	4728	{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 5532	4852	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	91
PID 4852 wrote to memory of 5532	4852	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	91
PID 4852 wrote to memory of 5532	4852	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	91
PID 4852 wrote to memory of 1152	4852	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	92
PID 4852 wrote to memory of 1152	4852	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	92
PID 4852 wrote to memory of 1152	4852	2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe	92
PID 5532 wrote to memory of 3848	5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe	93
PID 5532 wrote to memory of 3848	5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe	93
PID 5532 wrote to memory of 3848	5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe	93
PID 5532 wrote to memory of 3580	5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe	94
PID 5532 wrote to memory of 3580	5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe	94
PID 5532 wrote to memory of 3580	5532	{D415BF7D-57B4-4db5-A513-87151802527E}.exe	94
PID 3848 wrote to memory of 3092	3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe	96
PID 3848 wrote to memory of 3092	3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe	96
PID 3848 wrote to memory of 3092	3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe	96
PID 3848 wrote to memory of 5560	3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe	97
PID 3848 wrote to memory of 5560	3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe	97
PID 3848 wrote to memory of 5560	3848	{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe	97
PID 3092 wrote to memory of 4316	3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe	98
PID 3092 wrote to memory of 4316	3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe	98
PID 3092 wrote to memory of 4316	3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe	98
PID 3092 wrote to memory of 5700	3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe	99
PID 3092 wrote to memory of 5700	3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe	99
PID 3092 wrote to memory of 5700	3092	{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe	99
PID 4316 wrote to memory of 2628	4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe	100
PID 4316 wrote to memory of 2628	4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe	100
PID 4316 wrote to memory of 2628	4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe	100
PID 4316 wrote to memory of 5144	4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe	101
PID 4316 wrote to memory of 5144	4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe	101
PID 4316 wrote to memory of 5144	4316	{E4804963-326F-488a-A3AF-E8F6515596EE}.exe	101
PID 2628 wrote to memory of 4292	2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe	102
PID 2628 wrote to memory of 4292	2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe	102
PID 2628 wrote to memory of 4292	2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe	102
PID 2628 wrote to memory of 1888	2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe	103
PID 2628 wrote to memory of 1888	2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe	103
PID 2628 wrote to memory of 1888	2628	{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe	103
PID 4292 wrote to memory of 856	4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe	104
PID 4292 wrote to memory of 856	4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe	104
PID 4292 wrote to memory of 856	4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe	104
PID 4292 wrote to memory of 3800	4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe	105
PID 4292 wrote to memory of 3800	4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe	105
PID 4292 wrote to memory of 3800	4292	{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe	105
PID 856 wrote to memory of 3808	856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe	106
PID 856 wrote to memory of 3808	856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe	106
PID 856 wrote to memory of 3808	856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe	106
PID 856 wrote to memory of 4684	856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe	107
PID 856 wrote to memory of 4684	856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe	107
PID 856 wrote to memory of 4684	856	{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe	107
PID 3808 wrote to memory of 3732	3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe	108
PID 3808 wrote to memory of 3732	3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe	108
PID 3808 wrote to memory of 3732	3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe	108
PID 3808 wrote to memory of 4144	3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe	109
PID 3808 wrote to memory of 4144	3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe	109
PID 3808 wrote to memory of 4144	3808	{52890C36-B180-481e-AA74-D190D7F4839D}.exe	109
PID 3732 wrote to memory of 4844	3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe	110
PID 3732 wrote to memory of 4844	3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe	110
PID 3732 wrote to memory of 4844	3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe	110
PID 3732 wrote to memory of 1364	3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe	111
PID 3732 wrote to memory of 1364	3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe	111
PID 3732 wrote to memory of 1364	3732	{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe	111
PID 4844 wrote to memory of 4728	4844	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe	112
PID 4844 wrote to memory of 4728	4844	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe	112
PID 4844 wrote to memory of 4728	4844	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe	112
PID 4844 wrote to memory of 5200	4844	{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_b88d8a8d11dc5a7252e9b84af5ea2ed0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\{D415BF7D-57B4-4db5-A513-87151802527E}.exe
  C:\Windows\{D415BF7D-57B4-4db5-A513-87151802527E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5532
- - C:\Windows\{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe
    C:\Windows\{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe
      C:\Windows\{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\{E4804963-326F-488a-A3AF-E8F6515596EE}.exe
        
        C:\Windows\{E4804963-326F-488a-A3AF-E8F6515596EE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe
        
        C:\Windows\{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe
        
        C:\Windows\{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe
        
        C:\Windows\{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{52890C36-B180-481e-AA74-D190D7F4839D}.exe
        
        C:\Windows\{52890C36-B180-481e-AA74-D190D7F4839D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe
        
        C:\Windows\{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe
        
        C:\Windows\{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe
        
        C:\Windows\{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}.exe
        
        C:\Windows\{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}.exe
        13⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD6F2~1.EXE > nul
        13⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F89D5~1.EXE > nul
        12⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C631~1.EXE > nul
        11⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52890~1.EXE > nul
        10⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C53A~1.EXE > nul
        9⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE60~1.EXE > nul
        8⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19141~1.EXE > nul
        7⤵
        
        PID:1888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4804~1.EXE > nul
        6⤵
        
        PID:5144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32386~1.EXE > nul
        5⤵
        
        PID:5700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF2A~1.EXE > nul
      4⤵
      PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D415B~1.EXE > nul
    3⤵
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19141873-3DE0-451c-A4F1-283A5402EFCB}.exe

Filesize
180KB

MD5
af94a629e81c7413de66b8e61b7e694e

SHA1
7864b737adcb920fbe33604f98fc1ac8e0c9083a

SHA256
6da5af401c206ec7bd87e85e8de7925201b435c69499f6d96c0302b3dfcb62e7

SHA512
8d68cf45fee67202c81e49bfa3d98ba9c7ae9176d996e0c3772a6beaf02fa06a84adeaee1097630eec17e978d94d42722b111db5c8163656e70c3dfacb52e3f6

Download Submit
C:\Windows\{323860E0-96B1-4f68-9A80-6D30E2708BCC}.exe

Filesize
180KB

MD5
be1f618519ad1398fc28f295369eaeec

SHA1
c7ce93be61d83c93e0eb278d4cd62e223db40cbc

SHA256
2d1c67527b4de1616db5c595d737ccb42ec9feab2ea08ad6f9a2443d205491a1

SHA512
9ef4beb4681adfc9426dcc6ca4a1c6ba991101dc0933abc0d2777e47310811efb85b0d7e7c33a5643a9b1a1963d6c8d3f2cb85eadec309ed4686b6f47b548136

Download Submit
C:\Windows\{3BF2AB82-C8E9-419e-8872-A0E2A80DFC5B}.exe

Filesize
180KB

MD5
fbc4c7c26e390637ab9e9d94f1aca39a

SHA1
6d75f0912d47ccdc51f2ddc0a3be43ba8b76b4c9

SHA256
1777f64eb5c82594925f8590e618374d8e35c34499adaeba8b44f6b2e24a9bf6

SHA512
97857a3a977b659a179fbf6cb98d0256fb7580ca5126c28f801ef878e81d5eaf2cb8fbb059097676b50f1470e84b184631415cb33a22107265bfa131cf2493a3

Download Submit
C:\Windows\{4C53A5B5-DB00-46d1-80E8-B438A05B7561}.exe

Filesize
180KB

MD5
3c2e94e1785cecaac0f7711ac8de63b1

SHA1
df50e502661d4a8861ba546ee9a15182aa28d95f

SHA256
431c8d78de41e95200c82912512850598e79f52f9363bd07943cae14e7510c00

SHA512
2d6f5589d1769577754b7506f2212361ec1d326284cdd77462102bc04ff18a735d80fbd9d55940b3596596909d2c6bc41c041616b9e34d6d33324a3110aca9ea

Download Submit
C:\Windows\{52890C36-B180-481e-AA74-D190D7F4839D}.exe

Filesize
180KB

MD5
e21b9065f08dd76fce299963ff8dc3f8

SHA1
68f8d6b50fd10e9849e8bd5c5d308abdade084ae

SHA256
fa1f345bfb57f809bf625291753597b1adff6ef82b09a182bac9de8da9ac0966

SHA512
35774795be0ae37bd845e93370c16af9b125e0743f2e85019cf5197ff6b09a473c642b514572ba76e2ad1878395c04f6981b4e3eb53c5b5e4829326e7d9f2c1a

Download Submit
C:\Windows\{8DE60B82-57DC-456c-AB56-46E4C879E096}.exe

Filesize
180KB

MD5
5fc4f1a4e8f8c7363b9e7e7a98d7c273

SHA1
25a2145c8837f8cb70473830b3af5454d5f381b9

SHA256
9220e9f1b37cf324a0a59ef0c79ba9aae3d1837a420bb5f9f639e8c5e61db85c

SHA512
5ebbc3621e389b33286afb35a895c37dc2aae49f9cd25c184d749cb440f41aa1171dd9135df0d9f88068679c559685d5cfe01a37477d01f8cc8e2a306053ee71

Download Submit
C:\Windows\{9C631507-56BF-4298-A1F3-42814A58D0D1}.exe

Filesize
180KB

MD5
d5b8533f714460fe3bc6b7db78cfb4b9

SHA1
d6bf58b43e9c235803270a442bcbd2950d8f3a84

SHA256
134c27fe5877dc123dcd87a1e7dbd768d2f82cbd73518fcc8ebf20683dddc5d7

SHA512
ab75a3fba488d3002a2bd9ce485509bc6f839cf4bf7402ac1253f4dd8aa5bb92bca8d9ca9949121a073ec730abe6d57adacfbc8597de582372cdb6849fbf3d42

Download Submit
C:\Windows\{AFB5ACFB-8BAF-4d73-8FB6-8613D7D83EBF}.exe

Filesize
180KB

MD5
21aaad57474d08ace56b80f63a85ccae

SHA1
f82903fd1924e400aebe715b63fff12d3d10d2c9

SHA256
7db12d366310a52852f66ae1eb828f9ff6a7056c0a079500f63481bf05b448ff

SHA512
564ec9383c89539ff0f28a0557d3834b91f02edb79fab6fe93254fa2d6643ba5a62ede170258e3214e753470b04f823b71213cc98661df6891c0d23e95a98518

Download Submit
C:\Windows\{BD6F25AB-F4BC-4caa-A7FA-D09761AE2DCC}.exe

Filesize
180KB

MD5
7358d54d455b57066ae3df9dce40ee2e

SHA1
ddd0f12f555d25f70190205ac17bfce6e0bc4b8d

SHA256
11b3faa3d80de60efc11a92111b9af2fa1bbe8180a271cc2e5658308d6093ed9

SHA512
fd5ea9e589a2cdaf8280bf1c57d4da796de82c4c63e85634785c5fc4b0e941e527291b90f4922fa1d1e75d3a11fbaacbba4147365148dc3296b215e4ae3f79ac

Download Submit
C:\Windows\{D415BF7D-57B4-4db5-A513-87151802527E}.exe

Filesize
180KB

MD5
c01934dd5e3c72eef9e777820816ff7f

SHA1
e0336556c4620b1f19d0f4c3eedae1d0a9862ca4

SHA256
fee041558205d02e0e2139092549d8b389847fd7500b520b77fea3b7ab5feb24

SHA512
a4efb8724555c38d1f4350566846bf608650ab4bc2ddcefaf0d0872e49859547d57e06e9b8b169fa0e789b0b34d3e397a7f79cf97921cca3bf8b7f850fcab949

Download Submit
C:\Windows\{E4804963-326F-488a-A3AF-E8F6515596EE}.exe

Filesize
180KB

MD5
c320b307efe1fcdc3f563670f282c92b

SHA1
672632579f8abc76213c880c74a30d334bf942fa

SHA256
ac87f48e3cbaa78408e3f8487aa31fcc6c7b830fc3e1f11c308bb6568e113775

SHA512
4730fe80f0a6d53663e134e582e8b9636789e1f4256ddaf80fafc2db5c7725b92456899794e9f21a219397467aa1c08c18ab15b904a1889dbe1b0822dfc50163

Download Submit
C:\Windows\{F89D5D9B-73EE-46b5-8BA2-5DD634273D58}.exe

Filesize
180KB

MD5
02943fca359e7ad0599b48eb3eff16e0

SHA1
eb50a45c5a05931a6ae94b884cb32cc6ca019d76

SHA256
e936a50bfec4acf994e3fdf2738c54371485973c39f94b5522e79de10a996387

SHA512
0cd9f85c883c1937f89487624140aa9c499b8c90c46b09d984608fd4dc782767b317cdf2c831a01a56d7861a0d57769d78e06b2e702a56a73454908f9b32fac1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads