a02ce3fd1598057fe35d6bc5b1eeab4d03340b6f7a15aab6ce1bf7d993cf41a4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe
Size

344KB
MD5

cd0cfba882cf98e912c9d7831509f264
SHA1

59e7f14d57c12806800266c531dfc1a1fb7eb390
SHA256

a02ce3fd1598057fe35d6bc5b1eeab4d03340b6f7a15aab6ce1bf7d993cf41a4
SHA512

d85ba5cdc4631bd8b24df0afeaf58c7a08b7aad05981b8348de2fd6416b482b81159345459350ff277d320f8f5b8f98379e85c67f2e88302805bd792fbb9c675
SSDEEP

3072:mEGh0oUlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGalqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341b-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023416-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023421-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023416-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023421-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023416-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023421-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072d-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0248A941-F504-410f-A6EB-1664DD8CF86C}\stubpath = "C:\\Windows\\{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe"	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1FCC422-DB4A-4c15-A718-6DE1268D8906}	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DA87A96-0AD9-497c-B138-623EDD66A915}	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0248A941-F504-410f-A6EB-1664DD8CF86C}	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}\stubpath = "C:\\Windows\\{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe"	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{552CB6EE-7724-4435-9045-A22A525A4203}	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{552CB6EE-7724-4435-9045-A22A525A4203}\stubpath = "C:\\Windows\\{552CB6EE-7724-4435-9045-A22A525A4203}.exe"	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}\stubpath = "C:\\Windows\\{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe"	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A569633-36F6-4e73-8EB0-2C15207F8862}	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1FCC422-DB4A-4c15-A718-6DE1268D8906}\stubpath = "C:\\Windows\\{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe"	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DA87A96-0AD9-497c-B138-623EDD66A915}\stubpath = "C:\\Windows\\{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe"	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}\stubpath = "C:\\Windows\\{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe"	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F73189AA-2014-476b-935F-E83EFC084174}	{552CB6EE-7724-4435-9045-A22A525A4203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F73189AA-2014-476b-935F-E83EFC084174}\stubpath = "C:\\Windows\\{F73189AA-2014-476b-935F-E83EFC084174}.exe"	{552CB6EE-7724-4435-9045-A22A525A4203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A569633-36F6-4e73-8EB0-2C15207F8862}\stubpath = "C:\\Windows\\{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe"	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}\stubpath = "C:\\Windows\\{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe"	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}\stubpath = "C:\\Windows\\{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe"	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0211F4F-35D3-4b4d-87C9-C358A9F99415}	{F73189AA-2014-476b-935F-E83EFC084174}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0211F4F-35D3-4b4d-87C9-C358A9F99415}\stubpath = "C:\\Windows\\{D0211F4F-35D3-4b4d-87C9-C358A9F99415}.exe"	{F73189AA-2014-476b-935F-E83EFC084174}.exe

Executes dropped EXE 12 IoCs

pid	Process
1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe
3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe
1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe
2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe
4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe
3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe
1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe
3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe
3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe
4028	{552CB6EE-7724-4435-9045-A22A525A4203}.exe
864	{F73189AA-2014-476b-935F-E83EFC084174}.exe
4088	{D0211F4F-35D3-4b4d-87C9-C358A9F99415}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe
File created	C:\Windows\{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe
File created	C:\Windows\{F73189AA-2014-476b-935F-E83EFC084174}.exe	{552CB6EE-7724-4435-9045-A22A525A4203}.exe
File created	C:\Windows\{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe
File created	C:\Windows\{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe
File created	C:\Windows\{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe
File created	C:\Windows\{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe
File created	C:\Windows\{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe
File created	C:\Windows\{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe
File created	C:\Windows\{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe
File created	C:\Windows\{552CB6EE-7724-4435-9045-A22A525A4203}.exe	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe
File created	C:\Windows\{D0211F4F-35D3-4b4d-87C9-C358A9F99415}.exe	{F73189AA-2014-476b-935F-E83EFC084174}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	336	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe
Token: SeIncBasePriorityPrivilege	3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe
Token: SeIncBasePriorityPrivilege	1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe
Token: SeIncBasePriorityPrivilege	2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe
Token: SeIncBasePriorityPrivilege	4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe
Token: SeIncBasePriorityPrivilege	3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe
Token: SeIncBasePriorityPrivilege	1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe
Token: SeIncBasePriorityPrivilege	3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe
Token: SeIncBasePriorityPrivilege	3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe
Token: SeIncBasePriorityPrivilege	4028	{552CB6EE-7724-4435-9045-A22A525A4203}.exe
Token: SeIncBasePriorityPrivilege	864	{F73189AA-2014-476b-935F-E83EFC084174}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1868	336	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe	92
PID 336 wrote to memory of 1868	336	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe	92
PID 336 wrote to memory of 1868	336	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe	92
PID 336 wrote to memory of 4064	336	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe	93
PID 336 wrote to memory of 4064	336	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe	93
PID 336 wrote to memory of 4064	336	2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe	93
PID 1868 wrote to memory of 3476	1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe	94
PID 1868 wrote to memory of 3476	1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe	94
PID 1868 wrote to memory of 3476	1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe	94
PID 1868 wrote to memory of 4604	1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe	95
PID 1868 wrote to memory of 4604	1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe	95
PID 1868 wrote to memory of 4604	1868	{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe	95
PID 3476 wrote to memory of 1588	3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe	97
PID 3476 wrote to memory of 1588	3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe	97
PID 3476 wrote to memory of 1588	3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe	97
PID 3476 wrote to memory of 2536	3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe	98
PID 3476 wrote to memory of 2536	3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe	98
PID 3476 wrote to memory of 2536	3476	{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe	98
PID 1588 wrote to memory of 2256	1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe	99
PID 1588 wrote to memory of 2256	1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe	99
PID 1588 wrote to memory of 2256	1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe	99
PID 1588 wrote to memory of 2484	1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe	100
PID 1588 wrote to memory of 2484	1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe	100
PID 1588 wrote to memory of 2484	1588	{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe	100
PID 2256 wrote to memory of 4728	2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe	101
PID 2256 wrote to memory of 4728	2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe	101
PID 2256 wrote to memory of 4728	2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe	101
PID 2256 wrote to memory of 3624	2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe	102
PID 2256 wrote to memory of 3624	2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe	102
PID 2256 wrote to memory of 3624	2256	{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe	102
PID 4728 wrote to memory of 3036	4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe	103
PID 4728 wrote to memory of 3036	4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe	103
PID 4728 wrote to memory of 3036	4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe	103
PID 4728 wrote to memory of 1408	4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe	104
PID 4728 wrote to memory of 1408	4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe	104
PID 4728 wrote to memory of 1408	4728	{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe	104
PID 3036 wrote to memory of 1860	3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe	105
PID 3036 wrote to memory of 1860	3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe	105
PID 3036 wrote to memory of 1860	3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe	105
PID 3036 wrote to memory of 2216	3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe	106
PID 3036 wrote to memory of 2216	3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe	106
PID 3036 wrote to memory of 2216	3036	{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe	106
PID 1860 wrote to memory of 3808	1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe	107
PID 1860 wrote to memory of 3808	1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe	107
PID 1860 wrote to memory of 3808	1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe	107
PID 1860 wrote to memory of 1520	1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe	108
PID 1860 wrote to memory of 1520	1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe	108
PID 1860 wrote to memory of 1520	1860	{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe	108
PID 3808 wrote to memory of 3580	3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe	109
PID 3808 wrote to memory of 3580	3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe	109
PID 3808 wrote to memory of 3580	3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe	109
PID 3808 wrote to memory of 4436	3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe	110
PID 3808 wrote to memory of 4436	3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe	110
PID 3808 wrote to memory of 4436	3808	{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe	110
PID 3580 wrote to memory of 4028	3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe	111
PID 3580 wrote to memory of 4028	3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe	111
PID 3580 wrote to memory of 4028	3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe	111
PID 3580 wrote to memory of 2916	3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe	112
PID 3580 wrote to memory of 2916	3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe	112
PID 3580 wrote to memory of 2916	3580	{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe	112
PID 4028 wrote to memory of 864	4028	{552CB6EE-7724-4435-9045-A22A525A4203}.exe	113
PID 4028 wrote to memory of 864	4028	{552CB6EE-7724-4435-9045-A22A525A4203}.exe	113
PID 4028 wrote to memory of 864	4028	{552CB6EE-7724-4435-9045-A22A525A4203}.exe	113
PID 4028 wrote to memory of 4428	4028	{552CB6EE-7724-4435-9045-A22A525A4203}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_cd0cfba882cf98e912c9d7831509f264_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe
  C:\Windows\{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe
    C:\Windows\{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe
      C:\Windows\{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe
        
        C:\Windows\{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe
        
        C:\Windows\{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe
        
        C:\Windows\{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe
        
        C:\Windows\{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe
        
        C:\Windows\{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe
        
        C:\Windows\{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{552CB6EE-7724-4435-9045-A22A525A4203}.exe
        
        C:\Windows\{552CB6EE-7724-4435-9045-A22A525A4203}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{F73189AA-2014-476b-935F-E83EFC084174}.exe
        
        C:\Windows\{F73189AA-2014-476b-935F-E83EFC084174}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\{D0211F4F-35D3-4b4d-87C9-C358A9F99415}.exe
        
        C:\Windows\{D0211F4F-35D3-4b4d-87C9-C358A9F99415}.exe
        13⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7318~1.EXE > nul
        13⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{552CB~1.EXE > nul
        12⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{362E6~1.EXE > nul
        11⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EB6A~1.EXE > nul
        10⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D13A6~1.EXE > nul
        9⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF6E8~1.EXE > nul
        8⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0248A~1.EXE > nul
        7⤵
        
        PID:1408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AFC6~1.EXE > nul
        6⤵
        
        PID:3624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DA87~1.EXE > nul
        5⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1FCC~1.EXE > nul
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A569~1.EXE > nul
    3⤵
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0248A941-F504-410f-A6EB-1664DD8CF86C}.exe

Filesize
344KB

MD5
659fc9d3ad43fbdaeb91d77433cb61f2

SHA1
9c9f7aab05235ef3249a640a5814f3d8fa829306

SHA256
43a89b9d6787a6cb91923e47375b16a1d595e1f63cb23d1f7b1024b5bcabdfb1

SHA512
5791a8b5f7a38aeb7d15a4c4c112d6a66b029ff686fa78bf17cbd8a194bd9c33d4ac7c68bd2d83389fae73f2aa2760ca5262ce170bf130896e3eb8036b8439ce

Download Submit
C:\Windows\{362E6FA6-E8AA-444b-97B9-ACAFD9099C58}.exe

Filesize
344KB

MD5
ccfe9abdb33c038d75322acc23708987

SHA1
7c86d481f3cfa0a64c83566751e55a42370feced

SHA256
992d9828ebe4ea176a731ff5b7c60639100dce246fadfa604e0e9084099c2ffe

SHA512
d299b5df804078b2e56833aeecbee69412aa67e875736b8f2755ba3ce3342cd26a7859284216827deabf0405c47406ba81dee627fa26dc528661c28820cb0825

Download Submit
C:\Windows\{4AFC6610-5B2E-4181-A42B-FCD36D6043EF}.exe

Filesize
344KB

MD5
07e13b09fc38357de963ea43d8ad48d9

SHA1
c17ef8298346df8058ae9070627239606edd1472

SHA256
03753571b5119e9f3ba363489e767f0eb572c7aaf84f723405c54de55bad7f2d

SHA512
ddaf8615ec460dd54d0fa4ee32e8a43b5c72ba457a30371a66945c1bddb4a1d5acfc22c6c5ca096caf241fc151dc72835959705ce8a4fe562291278674e56ddf

Download Submit
C:\Windows\{552CB6EE-7724-4435-9045-A22A525A4203}.exe

Filesize
344KB

MD5
1fa4400d85ec1af805b02c5ddd98ac04

SHA1
92eecc4b592a65bb4f52806385c3438a6017819c

SHA256
08322d02c6ba06c6b09d77c05622a0c7f859552dfe61ddd30d6f7772e209d011

SHA512
e6746f66c27a0d596bff5fa7ee5a55e4afef5345239cc71c4598ceae5613cf49ac51d397d508bf9be044ed543fb8cab122b666feb58cd9b8c6dc127554037f49

Download Submit
C:\Windows\{8EB6A1CF-10E9-45cb-A852-79BC177CFEEC}.exe

Filesize
344KB

MD5
3e0d023574c4c558334493c25371fa95

SHA1
2f578df328d5572feda6ca6c9bc4946a6bc08ddb

SHA256
d6a34503d03b5cb8699f57676a79e63d047c30805145d1ee4917b4e2491f97dd

SHA512
73bb36ebd86f1e09ba62775c239187071aa1cd4c5ebc61e38e6500c5d7c4150711162a01dcd07577a5291c264f8b7d7cf0ee399ed9d8d7d6a78a1fcc2f743d4a

Download Submit
C:\Windows\{9A569633-36F6-4e73-8EB0-2C15207F8862}.exe

Filesize
344KB

MD5
527163d98d58e308a0b4a8f7a483b46a

SHA1
48902dfcd003457cf6b6fef8aa88421c3f7daded

SHA256
ced58c3e23a3f8b3e010438c4416fa6af89a6d3e8abe86794c314c033711f14d

SHA512
bd2e5c13b9d1b72d07b658daa4614ffc9816e066e7cdcafe5cbf7994664c1124d601babbc57641dc3c26d4574a25294088e500ec52e5ede6a64b3e2650598c28

Download Submit
C:\Windows\{9DA87A96-0AD9-497c-B138-623EDD66A915}.exe

Filesize
344KB

MD5
69d73330975569b02b9e0741c466437c

SHA1
01349c5e774521c6dca12f1d1a3675ee686ff144

SHA256
b299e5f83d248d567a62eabbf3dc0b299c77fd668a69e194a5f91f1d7b99e118

SHA512
87d75bdb23dd8ec4346ca1cd333319b3e6029128c3ef8e5c00e84cfe92ef103e6182e09f3f593ae043f6d3eb3979de1a9d6e6583f54da17fec164e80174a026d

Download Submit
C:\Windows\{A1FCC422-DB4A-4c15-A718-6DE1268D8906}.exe

Filesize
344KB

MD5
92f6b856b8c4479c249911bc9c5c9f57

SHA1
3847f8bd4a048bf4113789174b0d8d941361ad19

SHA256
70eccb71bbb2ab4170c7e5f6cb19713105632f4ff4442bd817c0e49dc050e7f9

SHA512
a62d5e80050d0c1ae2606a85eb6f247543deb33bbd0f5fc091f05a103e8de299704c6aa12ea1711e5c1df47f8b2fbf4feb628ce1cbc36bc080b536f96cc1ad4b

Download Submit
C:\Windows\{AF6E8D85-57A5-4f82-BA65-AEFD37ADD34C}.exe

Filesize
344KB

MD5
8ad5e4ae421537fa9fa19fc6a61f8f42

SHA1
8de178337eb43b94d07a61ae23547f26adb8b6bc

SHA256
2b3cd5a0f347bad14e878041e80e07832febc7345b9093fa24354c9465ca8d6f

SHA512
5e54023582aed100885a0d3ceedfeb73c105370de9cde26b868f0b8242f2d39e456821fd02ba455456552919ad1301aa26e510fef0f9cf81e81aa8723a21939e

Download Submit
C:\Windows\{D0211F4F-35D3-4b4d-87C9-C358A9F99415}.exe

Filesize
344KB

MD5
632ee849a79829a1005b5e0df48f03f8

SHA1
7c594ffdd549df45523afc3b4e3280c7c96bcc95

SHA256
193e89917f712dd5223504f09c8fe7abedecf0e3febdc1963b630c9fa8877a82

SHA512
c20426f2d027120971012491abc18feba84cde84378ee0a5f3b927af70bba3177ad6b95adf88e61aa33f6afa86d959af6457060a33cf0ef3b303836fdd69ce03

Download Submit
C:\Windows\{D13A6EF3-FE17-4dd0-8013-A714B9240DA0}.exe

Filesize
344KB

MD5
2fc056dbc0f959c8076deb6409768f7b

SHA1
2cbfa93a40fedd7b24a6c75c7f755507d4f5429f

SHA256
da670648fd65dd49bbc145db86f41f4032ebe6f78f8d9f783190ee292f006dd5

SHA512
1cc7ec0cf3b1509473c5ca66ed5e638bb34c0bebc23adc7a88d93e2d1bf209003673f390cc3029c949066bc78406d3017a6f0b8b65dc8f950e9ae1d839ec0ae6

Download Submit
C:\Windows\{F73189AA-2014-476b-935F-E83EFC084174}.exe

Filesize
344KB

MD5
a60cba6ca9e2372d887b449c3a4cc383

SHA1
30cf607f0f9fa1113b4bdafba333bb285868de10

SHA256
dbde58a5a064e6125f4e8f91933f592a204f02e026212a7ab2c613e2d252b53e

SHA512
796f652ec29235c32d6ace551826ca3b1bcfbf1b0e898225ed69f9b902e92eddf26d50fc3e70a05ac8446f0fc38dbb3e5af7d3ddd8e115bd8f7c6a631d7088ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads