b71f48546ba0351207f8092ed6545a69b724e3f8dadbee81423edfcc8b886228

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe
Size

216KB
MD5

9c8074fb888228dbea488d1e9bb9e3fd
SHA1

763ca5fd627cac8812839a2d2b6c2058ac8242b8
SHA256

b71f48546ba0351207f8092ed6545a69b724e3f8dadbee81423edfcc8b886228
SHA512

295dc7a2b861edf868e9e09311f1012b5c9213289bf4d81e3763c6d637de0dfca1b3774c3b7c4611d33b8489e1a76ce38c30721dcc61b7d237d779e61290267f
SSDEEP

3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGqlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023399-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002339b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342a-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002342d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023433-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023433-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023433-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002342d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023433-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002342d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}\stubpath = "C:\\Windows\\{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe"	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}\stubpath = "C:\\Windows\\{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe"	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A736A4-5F67-42d5-A789-D2CC443F288B}\stubpath = "C:\\Windows\\{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe"	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B81388-78F0-4bb4-8F15-43576BE13365}	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1AA4CEA-2A4E-440a-B705-414F7E825037}\stubpath = "C:\\Windows\\{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe"	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}\stubpath = "C:\\Windows\\{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe"	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{822F8CB9-5B36-47dd-8126-9D67743215FB}\stubpath = "C:\\Windows\\{822F8CB9-5B36-47dd-8126-9D67743215FB}.exe"	{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06137D55-A4A4-474b-BA3B-204161B2F05C}	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3850BA48-DECD-423e-ACC1-48B74150EB5B}	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}\stubpath = "C:\\Windows\\{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe"	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}\stubpath = "C:\\Windows\\{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe"	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A736A4-5F67-42d5-A789-D2CC443F288B}	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06137D55-A4A4-474b-BA3B-204161B2F05C}\stubpath = "C:\\Windows\\{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe"	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{822F8CB9-5B36-47dd-8126-9D67743215FB}	{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3850BA48-DECD-423e-ACC1-48B74150EB5B}\stubpath = "C:\\Windows\\{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe"	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B81388-78F0-4bb4-8F15-43576BE13365}\stubpath = "C:\\Windows\\{64B81388-78F0-4bb4-8F15-43576BE13365}.exe"	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1AA4CEA-2A4E-440a-B705-414F7E825037}	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D27A25-8EBA-4f81-A397-76F404D3F086}	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D27A25-8EBA-4f81-A397-76F404D3F086}\stubpath = "C:\\Windows\\{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe"	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe
3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe
1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe
5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe
2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe
2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe
2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe
1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe
784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe
4712	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe
3576	{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe
2356	{822F8CB9-5B36-47dd-8126-9D67743215FB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe
File created	C:\Windows\{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe
File created	C:\Windows\{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe
File created	C:\Windows\{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe
File created	C:\Windows\{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe
File created	C:\Windows\{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe
File created	C:\Windows\{822F8CB9-5B36-47dd-8126-9D67743215FB}.exe	{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe
File created	C:\Windows\{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe
File created	C:\Windows\{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe
File created	C:\Windows\{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe
File created	C:\Windows\{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe
File created	C:\Windows\{64B81388-78F0-4bb4-8F15-43576BE13365}.exe	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5108	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe
Token: SeIncBasePriorityPrivilege	3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe
Token: SeIncBasePriorityPrivilege	1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe
Token: SeIncBasePriorityPrivilege	5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe
Token: SeIncBasePriorityPrivilege	2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe
Token: SeIncBasePriorityPrivilege	2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe
Token: SeIncBasePriorityPrivilege	2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe
Token: SeIncBasePriorityPrivilege	1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe
Token: SeIncBasePriorityPrivilege	784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe
Token: SeIncBasePriorityPrivilege	4712	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe
Token: SeIncBasePriorityPrivilege	3576	{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4276	5108	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe	85
PID 5108 wrote to memory of 4276	5108	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe	85
PID 5108 wrote to memory of 4276	5108	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe	85
PID 5108 wrote to memory of 4080	5108	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe	86
PID 5108 wrote to memory of 4080	5108	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe	86
PID 5108 wrote to memory of 4080	5108	2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe	86
PID 4276 wrote to memory of 3688	4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe	87
PID 4276 wrote to memory of 3688	4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe	87
PID 4276 wrote to memory of 3688	4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe	87
PID 4276 wrote to memory of 2748	4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe	88
PID 4276 wrote to memory of 2748	4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe	88
PID 4276 wrote to memory of 2748	4276	{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe	88
PID 3688 wrote to memory of 1464	3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe	91
PID 3688 wrote to memory of 1464	3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe	91
PID 3688 wrote to memory of 1464	3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe	91
PID 3688 wrote to memory of 1144	3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe	92
PID 3688 wrote to memory of 1144	3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe	92
PID 3688 wrote to memory of 1144	3688	{64B81388-78F0-4bb4-8F15-43576BE13365}.exe	92
PID 1464 wrote to memory of 5024	1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe	97
PID 1464 wrote to memory of 5024	1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe	97
PID 1464 wrote to memory of 5024	1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe	97
PID 1464 wrote to memory of 4868	1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe	98
PID 1464 wrote to memory of 4868	1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe	98
PID 1464 wrote to memory of 4868	1464	{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe	98
PID 5024 wrote to memory of 2520	5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe	100
PID 5024 wrote to memory of 2520	5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe	100
PID 5024 wrote to memory of 2520	5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe	100
PID 5024 wrote to memory of 3708	5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe	101
PID 5024 wrote to memory of 3708	5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe	101
PID 5024 wrote to memory of 3708	5024	{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe	101
PID 2520 wrote to memory of 2140	2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe	102
PID 2520 wrote to memory of 2140	2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe	102
PID 2520 wrote to memory of 2140	2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe	102
PID 2520 wrote to memory of 976	2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe	103
PID 2520 wrote to memory of 976	2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe	103
PID 2520 wrote to memory of 976	2520	{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe	103
PID 2140 wrote to memory of 2496	2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe	104
PID 2140 wrote to memory of 2496	2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe	104
PID 2140 wrote to memory of 2496	2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe	104
PID 2140 wrote to memory of 3000	2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe	105
PID 2140 wrote to memory of 3000	2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe	105
PID 2140 wrote to memory of 3000	2140	{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe	105
PID 2496 wrote to memory of 1400	2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe	106
PID 2496 wrote to memory of 1400	2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe	106
PID 2496 wrote to memory of 1400	2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe	106
PID 2496 wrote to memory of 3348	2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe	107
PID 2496 wrote to memory of 3348	2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe	107
PID 2496 wrote to memory of 3348	2496	{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe	107
PID 1400 wrote to memory of 784	1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe	108
PID 1400 wrote to memory of 784	1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe	108
PID 1400 wrote to memory of 784	1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe	108
PID 1400 wrote to memory of 3472	1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe	109
PID 1400 wrote to memory of 3472	1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe	109
PID 1400 wrote to memory of 3472	1400	{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe	109
PID 784 wrote to memory of 4712	784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe	110
PID 784 wrote to memory of 4712	784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe	110
PID 784 wrote to memory of 4712	784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe	110
PID 784 wrote to memory of 2096	784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe	111
PID 784 wrote to memory of 2096	784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe	111
PID 784 wrote to memory of 2096	784	{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe	111
PID 4712 wrote to memory of 3576	4712	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe	112
PID 4712 wrote to memory of 3576	4712	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe	112
PID 4712 wrote to memory of 3576	4712	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe	112
PID 4712 wrote to memory of 660	4712	{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_9c8074fb888228dbea488d1e9bb9e3fd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe
  C:\Windows\{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\{64B81388-78F0-4bb4-8F15-43576BE13365}.exe
    C:\Windows\{64B81388-78F0-4bb4-8F15-43576BE13365}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe
      C:\Windows\{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe
        
        C:\Windows\{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe
        
        C:\Windows\{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe
        
        C:\Windows\{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe
        
        C:\Windows\{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe
        
        C:\Windows\{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe
        
        C:\Windows\{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe
        
        C:\Windows\{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe
        
        C:\Windows\{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
        
        C:\Windows\{822F8CB9-5B36-47dd-8126-9D67743215FB}.exe
        
        C:\Windows\{822F8CB9-5B36-47dd-8126-9D67743215FB}.exe
        13⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06137~1.EXE > nul
        13⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42A73~1.EXE > nul
        12⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77D27~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59FE6~1.EXE > nul
        10⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61D25~1.EXE > nul
        9⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{052D2~1.EXE > nul
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A4ED~1.EXE > nul
        7⤵
        
        PID:976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE36A~1.EXE > nul
        6⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1AA4~1.EXE > nul
        5⤵
        
        PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64B81~1.EXE > nul
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3850B~1.EXE > nul
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{052D2CB6-F592-4cc1-A9EE-05F7B3386F55}.exe

Filesize
216KB

MD5
63189753315a695f5451973fd376b31b

SHA1
f58cd03431ba76798ca0d0ccb2dbcb329e5dbea8

SHA256
417d556e6f543037dc1558c02f9cab3d059f0e0719cc9dbaf6ee484505987f15

SHA512
71428b4ce39ac76524404f46aa9349a6380b03df318814f40f7e4aeceb5461d6aa73559202e26d63ed321aa024087c2077be5ecc0c68f82481c2758feb962d9a

Download Submit
C:\Windows\{06137D55-A4A4-474b-BA3B-204161B2F05C}.exe

Filesize
216KB

MD5
b02011df5f5f0b77749e444e6b140d3c

SHA1
a66adfe3e7de2b5c39eed61c39341e1192abd56a

SHA256
58c7b52ac9464519c81d7f68691114a94b65eeec3b77e1db1d467d22eb76167b

SHA512
8c6904fbde7e57470dfcaa45d44a89cd127531d02a07336c2e38ac5be33dd4958f913d8133d087dd9573d9c9c808e3d8822aca3fc72d48a4d09f1012d728f87f

Download Submit
C:\Windows\{3850BA48-DECD-423e-ACC1-48B74150EB5B}.exe

Filesize
216KB

MD5
9e4d19eb3563f0f7306cd91bffd1cf69

SHA1
929b164671d79a9b887f8974747b65308ad656b1

SHA256
20f691e9a8966aa13996b6e8a47fc7bbbf3b5085bb3b003f062673a0060628b0

SHA512
7e21db8023dc412120f2ebdcbb7f591532a4980a9cd766a0eb69b44461d5e8287a0d84c5efd979fcb74a4a22ffeb852611ea8bdeb6079739cd25ede6ce3d2d8c

Download Submit
C:\Windows\{3A4EDC71-DB76-45ea-86B0-E1523BFE11B2}.exe

Filesize
216KB

MD5
403f62ea4043c25a978ae26b71808be5

SHA1
657d85459e732e7d3427ff95fe438b1fe14d296d

SHA256
cb51c00ecd30771ecb3425942c840022d745e5dcb11791611e57b4b1ba3b8075

SHA512
cbecfaf4f87a94c5b04a7145ec500d05fdf8a14f1c1ef3045e489c85d5fddd6de41147ca2bacc9d06b444932beecafe65815604627dfa4721345dea46320c0e0

Download Submit
C:\Windows\{42A736A4-5F67-42d5-A789-D2CC443F288B}.exe

Filesize
216KB

MD5
d6ae158a8cb7d0d6e5f4ed678ee97925

SHA1
3395508443017f4254d2391be0e25fbb37239e37

SHA256
512c82d03b72a3f20b25648e31343343ab633a5315b2fe33e29d44268269c560

SHA512
ca1f9d2cb2bf2a2add8705b928f6cb35a8197b69cb3e1eb17f1b1beb738d3be2a97b7c9470ede39570b967d1bcbcc7559150dabc3e776225a38a798ebba430de

Download Submit
C:\Windows\{59FE6B80-413F-4e1e-AEFF-EC197DE8B65E}.exe

Filesize
216KB

MD5
148d2bf894802077d2d16b9e9fea75fe

SHA1
96e41653614f87210f14718d7da648d84b223a06

SHA256
726a972c3b902f578d7a91737942853a57e55c1daacbcc6e2e07452ef256ddfa

SHA512
7435f3605d3faeb86e228e1854fd124222ee2c516e3cd39654f1c4d70181f0979d2867c4b998b1699fd9596fecfa81e1142a377b4eb26453ecb7988809ce8356

Download Submit
C:\Windows\{61D2524D-BE72-4006-AAA4-0EA9CDD40A14}.exe

Filesize
216KB

MD5
c9799c1e447a804b886c3bd75fe727d7

SHA1
5305e8e6cd6cdc7a0f9e2245c02b457479bb0a9c

SHA256
2d87bd2cd6b44e078752cadbc94a5601ef7e651095c91f6f097960e913ae75cd

SHA512
49c68285969e867a44b4448808ce05a25791c5c5c8974428b931c6c591a4b0d3f5cee5995b4a00394c572f566ba817d8c3fc5ac7007adb246c84015fb6e5446b

Download Submit
C:\Windows\{64B81388-78F0-4bb4-8F15-43576BE13365}.exe

Filesize
216KB

MD5
9183c82fa8c28c33568e2aca67bd8a79

SHA1
93d90d047639855def9295a1db5ac0723195a92d

SHA256
01e41a4297ec834acf7cb2b41e287020f8ec235907a7cb2203b5e2b22fca0ed4

SHA512
5eb5d5546d0edd424878974e412d7f3e7e532d0b5ef6970ca29b2de093ff308519750abff238b8073ee21a0998a7344c61cf569c01789da73b49ebbde7d598b5

Download Submit
C:\Windows\{77D27A25-8EBA-4f81-A397-76F404D3F086}.exe

Filesize
216KB

MD5
975588aff22aa0d02382d009ba107b3d

SHA1
a54acf965da4c1477c17264b483ebab81edbcd1d

SHA256
390f00a843a4b3f5347f05f397b653167fb624915e9e46ddae1237e9bd538f4f

SHA512
de2299bff657e8204364c7a28ce3fae0566b7171036f8ed1474bf8adedaba435fe9c9d5784692e14a04e92c4a736b923853a205eed5fb84b58305c29d7fc8968

Download Submit
C:\Windows\{822F8CB9-5B36-47dd-8126-9D67743215FB}.exe

Filesize
216KB

MD5
1558d4d02aec4ca161cf63d69b3113bf

SHA1
f1893913cfe408ebdcd029fa7e1f198e87a514ba

SHA256
063a03af91d8e84726b9eb6d5d428e2b2c1548e5d14be898a593cb3542265ed1

SHA512
1041549eeda22b5b252905ffa9b26d492bf3f5d76a24e1366a6631b9439512504f874d86110e4a603aec800d55f3493a043c17870ddb39e9e75af3c12102a0d6

Download Submit
C:\Windows\{A1AA4CEA-2A4E-440a-B705-414F7E825037}.exe

Filesize
216KB

MD5
3415dfa92be82201a0b5765a81f33900

SHA1
e7143531d4c23a276567764d73299fccfffd407d

SHA256
f47ad4d96c207b8650daa9c4edf037d06cf7114dcd71243755f07719d3923194

SHA512
c7c2a0b3557938a130b0187677c607d4c9c3bcea55e56a1aad16b78f8cb6e0adb5ad2276538da7ec44577cb5357b8e4d270ce3a4b80dd0e20b087f4b461b7d23

Download Submit
C:\Windows\{BE36A925-DEA3-43c0-845A-350B6E5A5FF1}.exe

Filesize
216KB

MD5
d8ae096b3323d974a2b29a40bf498cbf

SHA1
a3ba8c2d959851ab40f5b1a8b3e4238409539d68

SHA256
d376ba066638abf457aee1d70d4fb4478010f38998526373a710f23b24761c28

SHA512
866049e5109a25d51181534f4da6580f982c46b5250bafb52996a5d941758ed097fd4756dc7f19a06a77e4c949652241f1922bece0c502c09b7f0d137dade5e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads