4b7d8a2737d39247e1cd858b2b5db348d7e236e11f5e18a43ceb888c409df6ef

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Size

344KB
MD5

8e9b385c64ee616c194650116e451269
SHA1

3a7925d84cc6b09566c12d435a507aa50d338f60
SHA256

4b7d8a2737d39247e1cd858b2b5db348d7e236e11f5e18a43ceb888c409df6ef
SHA512

70e8309214949aafb2732c3f62654370a8a28d106306ffe1d7654e055a7a795b9dca5a0467f8ffebd18a303f8d7c7b4ef978d61045e248937e0fb7a0b93ddf3f
SSDEEP

3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGMlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023438-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002343d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023443-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002343d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022118-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022119-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022118-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12F168EB-A005-49e2-87C8-A9793EB38BD8}\stubpath = "C:\\Windows\\{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe"	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF3DC661-0671-44ab-BC6C-2629714C9510}	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA5B93E9-77DB-4183-9D38-D7CB92B96813}\stubpath = "C:\\Windows\\{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe"	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}	{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EB71079-6188-43ce-8FC0-1C4BE95AD450}	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}\stubpath = "C:\\Windows\\{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe"	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDAF429-0EB7-4ddb-864B-56C999A6B646}\stubpath = "C:\\Windows\\{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe"	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}\stubpath = "C:\\Windows\\{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe"	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF3DC661-0671-44ab-BC6C-2629714C9510}\stubpath = "C:\\Windows\\{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe"	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D1D0D45-E894-45eb-AFBD-1D315F12649D}	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B416DE3-3375-4022-811F-E3B3C44F0962}	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}\stubpath = "C:\\Windows\\{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe"	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDAF429-0EB7-4ddb-864B-56C999A6B646}	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12F168EB-A005-49e2-87C8-A9793EB38BD8}	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA5B93E9-77DB-4183-9D38-D7CB92B96813}	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}\stubpath = "C:\\Windows\\{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}.exe"	{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EB71079-6188-43ce-8FC0-1C4BE95AD450}\stubpath = "C:\\Windows\\{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe"	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D1D0D45-E894-45eb-AFBD-1D315F12649D}\stubpath = "C:\\Windows\\{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe"	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B416DE3-3375-4022-811F-E3B3C44F0962}\stubpath = "C:\\Windows\\{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe"	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}\stubpath = "C:\\Windows\\{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe"	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe

Executes dropped EXE 12 IoCs

pid	Process
884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe
2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe
220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe
4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe
3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe
3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe
3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe
4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe
4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe
400	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe
2612	{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe
872	{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe
File created	C:\Windows\{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
File created	C:\Windows\{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe
File created	C:\Windows\{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe
File created	C:\Windows\{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe
File created	C:\Windows\{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe
File created	C:\Windows\{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}.exe	{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe
File created	C:\Windows\{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe
File created	C:\Windows\{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe
File created	C:\Windows\{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe
File created	C:\Windows\{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe
File created	C:\Windows\{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
Token: SeIncBasePriorityPrivilege	884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe
Token: SeIncBasePriorityPrivilege	2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe
Token: SeIncBasePriorityPrivilege	220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe
Token: SeIncBasePriorityPrivilege	4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe
Token: SeIncBasePriorityPrivilege	3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe
Token: SeIncBasePriorityPrivilege	3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe
Token: SeIncBasePriorityPrivilege	3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe
Token: SeIncBasePriorityPrivilege	4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe
Token: SeIncBasePriorityPrivilege	4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe
Token: SeIncBasePriorityPrivilege	400	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe
Token: SeIncBasePriorityPrivilege	2612	{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 884	1740	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	88
PID 1740 wrote to memory of 884	1740	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	88
PID 1740 wrote to memory of 884	1740	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	88
PID 1740 wrote to memory of 1172	1740	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	89
PID 1740 wrote to memory of 1172	1740	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	89
PID 1740 wrote to memory of 1172	1740	2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe	89
PID 884 wrote to memory of 2104	884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe	90
PID 884 wrote to memory of 2104	884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe	90
PID 884 wrote to memory of 2104	884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe	90
PID 884 wrote to memory of 3628	884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe	91
PID 884 wrote to memory of 3628	884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe	91
PID 884 wrote to memory of 3628	884	{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe	91
PID 2104 wrote to memory of 220	2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe	93
PID 2104 wrote to memory of 220	2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe	93
PID 2104 wrote to memory of 220	2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe	93
PID 2104 wrote to memory of 2532	2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe	94
PID 2104 wrote to memory of 2532	2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe	94
PID 2104 wrote to memory of 2532	2104	{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe	94
PID 220 wrote to memory of 4516	220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe	95
PID 220 wrote to memory of 4516	220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe	95
PID 220 wrote to memory of 4516	220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe	95
PID 220 wrote to memory of 212	220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe	96
PID 220 wrote to memory of 212	220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe	96
PID 220 wrote to memory of 212	220	{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe	96
PID 4516 wrote to memory of 3668	4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe	97
PID 4516 wrote to memory of 3668	4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe	97
PID 4516 wrote to memory of 3668	4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe	97
PID 4516 wrote to memory of 3980	4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe	98
PID 4516 wrote to memory of 3980	4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe	98
PID 4516 wrote to memory of 3980	4516	{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe	98
PID 3668 wrote to memory of 3972	3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe	99
PID 3668 wrote to memory of 3972	3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe	99
PID 3668 wrote to memory of 3972	3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe	99
PID 3668 wrote to memory of 4640	3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe	100
PID 3668 wrote to memory of 4640	3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe	100
PID 3668 wrote to memory of 4640	3668	{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe	100
PID 3972 wrote to memory of 3228	3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe	101
PID 3972 wrote to memory of 3228	3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe	101
PID 3972 wrote to memory of 3228	3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe	101
PID 3972 wrote to memory of 4552	3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe	102
PID 3972 wrote to memory of 4552	3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe	102
PID 3972 wrote to memory of 4552	3972	{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe	102
PID 3228 wrote to memory of 4100	3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe	103
PID 3228 wrote to memory of 4100	3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe	103
PID 3228 wrote to memory of 4100	3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe	103
PID 3228 wrote to memory of 3788	3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe	104
PID 3228 wrote to memory of 3788	3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe	104
PID 3228 wrote to memory of 3788	3228	{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe	104
PID 4100 wrote to memory of 4800	4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe	105
PID 4100 wrote to memory of 4800	4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe	105
PID 4100 wrote to memory of 4800	4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe	105
PID 4100 wrote to memory of 5096	4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe	106
PID 4100 wrote to memory of 5096	4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe	106
PID 4100 wrote to memory of 5096	4100	{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe	106
PID 4800 wrote to memory of 400	4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe	107
PID 4800 wrote to memory of 400	4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe	107
PID 4800 wrote to memory of 400	4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe	107
PID 4800 wrote to memory of 116	4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe	108
PID 4800 wrote to memory of 116	4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe	108
PID 4800 wrote to memory of 116	4800	{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe	108
PID 400 wrote to memory of 2612	400	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe	109
PID 400 wrote to memory of 2612	400	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe	109
PID 400 wrote to memory of 2612	400	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe	109
PID 400 wrote to memory of 2228	400	{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_8e9b385c64ee616c194650116e451269_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe
  C:\Windows\{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe
    C:\Windows\{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe
      C:\Windows\{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe
        
        C:\Windows\{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe
        
        C:\Windows\{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe
        
        C:\Windows\{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe
        
        C:\Windows\{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe
        
        C:\Windows\{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe
        
        C:\Windows\{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe
        
        C:\Windows\{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe
        
        C:\Windows\{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}.exe
        
        C:\Windows\{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}.exe
        13⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA5B9~1.EXE > nul
        13⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF3DC~1.EXE > nul
        12⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12F16~1.EXE > nul
        11⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDDAF~1.EXE > nul
        10⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D52D8~1.EXE > nul
        9⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6733C~1.EXE > nul
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CAD9~1.EXE > nul
        7⤵
        
        PID:4640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B416~1.EXE > nul
        6⤵
        
        PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D1D0~1.EXE > nul
        5⤵
        
        PID:212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5C0A0~1.EXE > nul
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1EB71~1.EXE > nul
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12F168EB-A005-49e2-87C8-A9793EB38BD8}.exe

Filesize
344KB

MD5
453bac3be224a65fc70984af3f57d72c

SHA1
d65d432e400c9bca7d291976a154ee2ddef43d19

SHA256
89372e71a021c5014f55622c301f599b4bb9d0cd45dd5427e761e2b24ecb4ea2

SHA512
556a5d1304baf45d6791fbd588c57a9f9db60cff3ddad67ffc6ae557d22cfa5795829386e4d15d1da7e5ca13d5c62200b18c25304923e9265cf9af3151d379f9

Download Submit
C:\Windows\{1EB71079-6188-43ce-8FC0-1C4BE95AD450}.exe

Filesize
344KB

MD5
b0dcdf79782af4725d276aef1747ccc0

SHA1
d9bb5d2b075d9d45f41ca2af5aae1bcfe85b256f

SHA256
aeeb8e26c2bfdb5b3e8fd2be4b43623c1f094e5aee2d9abe36ee9b4a8f84480d

SHA512
a79e052558ecdcc93b0b377da3fa58db4ae968567b978eaa291a7e39220212c75b9395435f4c5ec238a0877ef05c009b14940e0858e0697e329b98b5265d382f

Download Submit
C:\Windows\{3D1D0D45-E894-45eb-AFBD-1D315F12649D}.exe

Filesize
344KB

MD5
959283b332bc885caa931eb197a2162e

SHA1
eb5826bd403e23c9650f065a42733de1708bb8a1

SHA256
3c07acb8ec9b6d406eb6cfab37530ec6140d665391e9c0749519bdbdd62a68e3

SHA512
51593bc412739007f9bf0249a5aee1c7074d9c0ac08fb25ed52cd12752acb7cfba95f2de5ff7651ada46c1c282945dd3f3154bccbba2b5b41fca2559b4b93120

Download Submit
C:\Windows\{5AE43D23-C5E3-46e2-A770-70C1A989F9E7}.exe

Filesize
344KB

MD5
1e4c273f487a976b1bb6540aba60abec

SHA1
0e582f77b6c6e8bc6dbc43fca7fe588a09c4f3b6

SHA256
594f35c83f3bc3200fdb90491ea6d6dbcb47f987bf79bd6c96ce0aa8550f09e4

SHA512
d32cfeb3c81e0dcb0cdec9901d2041ed0961e58bb743e14db1a871ff64911387c54c6ad34f791b464b0dc8637692ed2d0c8229a76e8b3d4f7d0431e113c2174b

Download Submit
C:\Windows\{5C0A089B-8A1D-42d5-B1FE-634570D01EB0}.exe

Filesize
344KB

MD5
0efd1f69fff6b2321d9d20b044ee2432

SHA1
51afea244d54ef28210dfc40645f6a341380fc6b

SHA256
c25c53d409c4793a34eb29d6b9f02d43c96e374d62cb200a6c70f4ecffeb2739

SHA512
c70e8b4c29fff4650626f13f220b8adb32ed735cc363ebaa22212b3638eab517f39bb04dd7211f78d023d0444ebb4ed5198abfc35bcb0e08e119afe0d5e02678

Download Submit
C:\Windows\{6733C611-DA99-4d9c-8D23-BDB4B27BD49C}.exe

Filesize
344KB

MD5
e2efdebb401dfa6c06d68a660d9b221a

SHA1
faacf0536975cbc5c85b990b2e676b8ffde0cb83

SHA256
786141a07bd3aed7cd4bc9f564159b39a17873127bc872f2625e1152cca54a03

SHA512
8fae6d85a4dd811042505d8ae185bddbe69a63900cbb60df44802321a4be591977a07eb4c05f6c3e36a9ea31e5f6ca081d3d24ef3b9acbc5f754a88f0342c3e8

Download Submit
C:\Windows\{6B416DE3-3375-4022-811F-E3B3C44F0962}.exe

Filesize
344KB

MD5
399dfabead609760c47b2e96ff331d45

SHA1
9f751a32bf7e81a83a8ebb5322dd2978cd5cf9ae

SHA256
7925afa8d5764ce346ba203d416b7e353e3942fc15b9760c23b76c8b6191fedd

SHA512
999c1229e7f3360440dbd73c4d333263e7b13c8b02e65c3bc4350bce845045007e78fb3b71594e97cf8fb0f7d979a07287a362762f5d94408b3b245f7beaf948

Download Submit
C:\Windows\{6CAD9E77-58F9-437f-AB1E-1C3B6AEFAC13}.exe

Filesize
344KB

MD5
ac003fa6effce9afafbe9b5c62512ffe

SHA1
a5e5fb2a84ad3db41f257a74ba80a8613dfb63ad

SHA256
21a87ba0c418047df7e3b83ce0c13eaa4bf980b6061bc984f6b2b640692db172

SHA512
f11e2c299373db578478249e519b653d843c8ddbbc0852db787e7140b831888eb7f93c2ef97e5719b95d91c1ec94c21115bfdb4e9a76481d634d3f65ce442a8a

Download Submit
C:\Windows\{CF3DC661-0671-44ab-BC6C-2629714C9510}.exe

Filesize
344KB

MD5
d4383ff99ad5f74bd94ff42593b57d59

SHA1
a794c0b719838e8523b1f8f831b5848150b4a818

SHA256
0dbbb0a028415628d9ae01bb97961e9b1559ab9f693c11e519d55e8c3cd79ca9

SHA512
53250ad88538e7f8e8946520b7f751889cf806c8f47335f6295f86e936a1b0508e34213934611bd8d25aebe7ab620c30981c3baf8fe3de4ad6504297b906620c

Download Submit
C:\Windows\{D52D8BCC-B437-4399-ABE7-DED45CECFAC5}.exe

Filesize
344KB

MD5
5e9071863da531df9b7842fe690faad3

SHA1
1b7ee70785cf8681a0f486f48c6ab602bbb209e7

SHA256
a217b25616487a290eee082455d3cdb13529d464448d1827d210fe429aa05590

SHA512
6b9bf0c7acfb93292afb22ed8933a72accff838c5aca63093a33014a6a4b921257aae58fa21c49d1eca5d5cd72fd7ba59deca1277f58cb2239618cbaed5c94ca

Download Submit
C:\Windows\{EDDAF429-0EB7-4ddb-864B-56C999A6B646}.exe

Filesize
344KB

MD5
4497d82780e9b190d18351e051535cca

SHA1
a5f3215446eae2ddd136edd16160b54fccae3f92

SHA256
3576ba632958f57b8251315fb4e82463396b6c7d7f91ecb0bd0fc485fb7139fb

SHA512
5019aabea9b798ce2e52f8cf822cbd586349ad0d8302567d993105010fca1b255996faff6589d102996f676d7cec8842dd198ea16a282a9d1548d063a680a36b

Download Submit
C:\Windows\{FA5B93E9-77DB-4183-9D38-D7CB92B96813}.exe

Filesize
344KB

MD5
538b17c00ed0b10f22133f636df2d5bb

SHA1
34f5f2a7dd01da4f2e3a6f646a56eb814f813b32

SHA256
46d6c946b2700a8419dac0317f08a06b7e0c3908191c23bd31559fe19b229948

SHA512
320c3577b6cbb63bc2baf42fe5f3f73fc4d5c415298d385f3ab56973b81607330ba033f28c4fa3ee7e92ddf7d206a787b8785d6742d8954a753ceb9ed99ccd0e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads