20ccafaaf73ba9672b9e24731a2b8050d8c810b6c31aced86bafa7e4f36a7c3b

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe
Size

204KB
MD5

8f8b0c426917bce3fb9738120f855f7a
SHA1

6135d457818bb7af855256caa72098cb92b277bb
SHA256

20ccafaaf73ba9672b9e24731a2b8050d8c810b6c31aced86bafa7e4f36a7c3b
SHA512

8243a22c83541af4fd9037ecd45196c289de0087c5cc48f2db98639bdc6cd4943254581e45469e8f3e85fb341d5c542b4b2ada59a9dcb30db796f30cbea8a5e0
SSDEEP

1536:1EGh0otl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0otl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b0000000234eb-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234ed-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234f1-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234ed-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234f1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234ed-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234f1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000234f4-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000234f1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000234f4-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000234f1-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000234f4-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}\stubpath = "C:\\Windows\\{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe"	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}	{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F70D4E6-A737-4dd9-9814-A84BBBB35291}	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F70D4E6-A737-4dd9-9814-A84BBBB35291}\stubpath = "C:\\Windows\\{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe"	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}\stubpath = "C:\\Windows\\{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe"	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC6B287-B624-49fe-877C-B54AE5A1D315}	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA7937AA-A2F9-4906-BD20-39466A9E0D81}	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{466483EF-4145-4401-8C33-6616E0B17C36}	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{466483EF-4145-4401-8C33-6616E0B17C36}\stubpath = "C:\\Windows\\{466483EF-4145-4401-8C33-6616E0B17C36}.exe"	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EE61E6E-321F-4998-851C-BD07F94F9558}\stubpath = "C:\\Windows\\{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe"	{466483EF-4145-4401-8C33-6616E0B17C36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC6B287-B624-49fe-877C-B54AE5A1D315}\stubpath = "C:\\Windows\\{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe"	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48320CEB-5DA6-4341-8516-F380626AECC5}	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48320CEB-5DA6-4341-8516-F380626AECC5}\stubpath = "C:\\Windows\\{48320CEB-5DA6-4341-8516-F380626AECC5}.exe"	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA7937AA-A2F9-4906-BD20-39466A9E0D81}\stubpath = "C:\\Windows\\{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe"	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EE61E6E-321F-4998-851C-BD07F94F9558}	{466483EF-4145-4401-8C33-6616E0B17C36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B516ED65-294D-409b-B907-D7D66383B6AC}	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B516ED65-294D-409b-B907-D7D66383B6AC}\stubpath = "C:\\Windows\\{B516ED65-294D-409b-B907-D7D66383B6AC}.exe"	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EC49394-21FE-4ad6-B1FD-DE385635688C}	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EC49394-21FE-4ad6-B1FD-DE385635688C}\stubpath = "C:\\Windows\\{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe"	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}\stubpath = "C:\\Windows\\{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe"	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}\stubpath = "C:\\Windows\\{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}.exe"	{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe

Executes dropped EXE 12 IoCs

pid	Process
2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe
4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe
3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe
4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe
2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe
1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe
3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe
5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe
2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe
2144	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe
4316	{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe
4792	{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}.exe	{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe
File created	C:\Windows\{48320CEB-5DA6-4341-8516-F380626AECC5}.exe	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe
File created	C:\Windows\{466483EF-4145-4401-8C33-6616E0B17C36}.exe	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe
File created	C:\Windows\{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe	{466483EF-4145-4401-8C33-6616E0B17C36}.exe
File created	C:\Windows\{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe
File created	C:\Windows\{B516ED65-294D-409b-B907-D7D66383B6AC}.exe	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe
File created	C:\Windows\{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe
File created	C:\Windows\{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe
File created	C:\Windows\{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe
File created	C:\Windows\{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe
File created	C:\Windows\{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe
File created	C:\Windows\{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	368	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe
Token: SeIncBasePriorityPrivilege	4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe
Token: SeIncBasePriorityPrivilege	3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe
Token: SeIncBasePriorityPrivilege	4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe
Token: SeIncBasePriorityPrivilege	2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe
Token: SeIncBasePriorityPrivilege	1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe
Token: SeIncBasePriorityPrivilege	3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe
Token: SeIncBasePriorityPrivilege	5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe
Token: SeIncBasePriorityPrivilege	2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe
Token: SeIncBasePriorityPrivilege	2144	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe
Token: SeIncBasePriorityPrivilege	4316	{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2400	368	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe	84
PID 368 wrote to memory of 2400	368	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe	84
PID 368 wrote to memory of 2400	368	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe	84
PID 368 wrote to memory of 3728	368	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe	85
PID 368 wrote to memory of 3728	368	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe	85
PID 368 wrote to memory of 3728	368	2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe	85
PID 2400 wrote to memory of 4512	2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe	86
PID 2400 wrote to memory of 4512	2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe	86
PID 2400 wrote to memory of 4512	2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe	86
PID 2400 wrote to memory of 376	2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe	87
PID 2400 wrote to memory of 376	2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe	87
PID 2400 wrote to memory of 376	2400	{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe	87
PID 4512 wrote to memory of 3860	4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe	92
PID 4512 wrote to memory of 3860	4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe	92
PID 4512 wrote to memory of 3860	4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe	92
PID 4512 wrote to memory of 2492	4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe	93
PID 4512 wrote to memory of 2492	4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe	93
PID 4512 wrote to memory of 2492	4512	{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe	93
PID 3860 wrote to memory of 4644	3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe	94
PID 3860 wrote to memory of 4644	3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe	94
PID 3860 wrote to memory of 4644	3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe	94
PID 3860 wrote to memory of 1180	3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe	95
PID 3860 wrote to memory of 1180	3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe	95
PID 3860 wrote to memory of 1180	3860	{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe	95
PID 4644 wrote to memory of 2464	4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe	96
PID 4644 wrote to memory of 2464	4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe	96
PID 4644 wrote to memory of 2464	4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe	96
PID 4644 wrote to memory of 2972	4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe	97
PID 4644 wrote to memory of 2972	4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe	97
PID 4644 wrote to memory of 2972	4644	{48320CEB-5DA6-4341-8516-F380626AECC5}.exe	97
PID 2464 wrote to memory of 1192	2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe	98
PID 2464 wrote to memory of 1192	2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe	98
PID 2464 wrote to memory of 1192	2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe	98
PID 2464 wrote to memory of 3080	2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe	99
PID 2464 wrote to memory of 3080	2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe	99
PID 2464 wrote to memory of 3080	2464	{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe	99
PID 1192 wrote to memory of 3496	1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe	100
PID 1192 wrote to memory of 3496	1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe	100
PID 1192 wrote to memory of 3496	1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe	100
PID 1192 wrote to memory of 5080	1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe	101
PID 1192 wrote to memory of 5080	1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe	101
PID 1192 wrote to memory of 5080	1192	{466483EF-4145-4401-8C33-6616E0B17C36}.exe	101
PID 3496 wrote to memory of 5040	3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe	104
PID 3496 wrote to memory of 5040	3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe	104
PID 3496 wrote to memory of 5040	3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe	104
PID 3496 wrote to memory of 4024	3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe	105
PID 3496 wrote to memory of 4024	3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe	105
PID 3496 wrote to memory of 4024	3496	{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe	105
PID 5040 wrote to memory of 2760	5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe	106
PID 5040 wrote to memory of 2760	5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe	106
PID 5040 wrote to memory of 2760	5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe	106
PID 5040 wrote to memory of 4472	5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe	107
PID 5040 wrote to memory of 4472	5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe	107
PID 5040 wrote to memory of 4472	5040	{B516ED65-294D-409b-B907-D7D66383B6AC}.exe	107
PID 2760 wrote to memory of 2144	2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe	108
PID 2760 wrote to memory of 2144	2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe	108
PID 2760 wrote to memory of 2144	2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe	108
PID 2760 wrote to memory of 3312	2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe	109
PID 2760 wrote to memory of 3312	2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe	109
PID 2760 wrote to memory of 3312	2760	{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe	109
PID 2144 wrote to memory of 4316	2144	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe	110
PID 2144 wrote to memory of 4316	2144	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe	110
PID 2144 wrote to memory of 4316	2144	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe	110
PID 2144 wrote to memory of 1436	2144	{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_8f8b0c426917bce3fb9738120f855f7a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe
  C:\Windows\{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe
    C:\Windows\{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe
      C:\Windows\{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Windows\{48320CEB-5DA6-4341-8516-F380626AECC5}.exe
        
        C:\Windows\{48320CEB-5DA6-4341-8516-F380626AECC5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe
        
        C:\Windows\{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{466483EF-4145-4401-8C33-6616E0B17C36}.exe
        
        C:\Windows\{466483EF-4145-4401-8C33-6616E0B17C36}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe
        
        C:\Windows\{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\{B516ED65-294D-409b-B907-D7D66383B6AC}.exe
        
        C:\Windows\{B516ED65-294D-409b-B907-D7D66383B6AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe
        
        C:\Windows\{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe
        
        C:\Windows\{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe
        
        C:\Windows\{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}.exe
        
        C:\Windows\{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}.exe
        13⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4525~1.EXE > nul
        13⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F70D~1.EXE > nul
        12⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B1D7~1.EXE > nul
        11⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B516E~1.EXE > nul
        10⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EE61~1.EXE > nul
        9⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46648~1.EXE > nul
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA793~1.EXE > nul
        7⤵
        
        PID:3080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48320~1.EXE > nul
        6⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6CD7~1.EXE > nul
        5⤵
        
        PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CC6B~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5EC49~1.EXE > nul
    3⤵
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3CC6B287-B624-49fe-877C-B54AE5A1D315}.exe

Filesize
204KB

MD5
84598e9b978fa3a78546be7e641315ae

SHA1
099128cd36999158d6876807ada8de26ff4292eb

SHA256
84c8ede2c086cbd06135c1283aa3d64ff6b3f009d8804ade4081fe0b2c6cb3e9

SHA512
f671cf35651fdbb20eaa147baa210648608e45915c3838411b0f87db6d1a124f81c8912843bb591c63f5044ec5e27a95d8d5ad327c019a6975836970b4e94123

Download Submit
C:\Windows\{466483EF-4145-4401-8C33-6616E0B17C36}.exe

Filesize
204KB

MD5
c45f7caa2e3a612f798a7ed670a37179

SHA1
1caeb3eac0741a94e40584a9e5b4dee7f69099cc

SHA256
6b587c1a3d6f039b408441e2f6044cae4a0efbe7d05936236ed0bfda183262d2

SHA512
68df7174737ad765e43d14a8b5fbee7c1a53f55732130750aa0d5e9fefe1486bf98a7ef55dfcb6d72bc54f1bf7a22f0b1af5f5243020cf7b9a726e0240041d8e

Download Submit
C:\Windows\{48320CEB-5DA6-4341-8516-F380626AECC5}.exe

Filesize
204KB

MD5
457fc26e9b36bd7e767f0c43ed1cbaa1

SHA1
b2f647b152b9109382bace0d2118539ef40fe8cc

SHA256
89f3df49832e162eaac8feead293e05d81f35059af415df37395ca12f46ed674

SHA512
aa03f3133e4ae0b6d0997a44cd8d519a13f46c2eaf15fb0c57d8706e87f7509ada3cb8eece57820ea387a18cf30bd3225088f79e5297d369c9988e389edfd4d0

Download Submit
C:\Windows\{5EC49394-21FE-4ad6-B1FD-DE385635688C}.exe

Filesize
204KB

MD5
038bd67fa601c3d0cc103f130f40a57f

SHA1
09ee8ebd208ccdfb97494e394ce26a4022d6dbb9

SHA256
d572ff573fd15157a07d08668b2648ab8e89eab1bd91865303cd9b0e41544d5d

SHA512
2a1efa9cdbbecbdd1e20d5fb4e035d6231f741b17be04308fbade51f1913f2f73c096863d255d2e5abdf85ea7b8d0e39ca731e329cafc68a4d0f11e7a433d8a6

Download Submit
C:\Windows\{75DCB501-4DE3-4d11-8AF0-38E1E2C4E784}.exe

Filesize
204KB

MD5
4f5c8699033c46f3c7198671f6afdcea

SHA1
b5f78c3b1fe9c8d139b41950263fb5c48e8650d3

SHA256
1bebeaaa2b2e90e311b1bf62cddc95e67ad15d4cfcad4a5be2aa8250bbdceef3

SHA512
559d428d9b1705734a50fec96365ec4ad938488720090fd0f61b58645dd34554466c6c0a33b64d610ef1b74e1d6ae94d66020ff72f91d3bce1e9c5fc180e08a7

Download Submit
C:\Windows\{7EE61E6E-321F-4998-851C-BD07F94F9558}.exe

Filesize
204KB

MD5
db7c5de1124ee488e067f999e5a96423

SHA1
d4ab1a494cffb96856ad104746b78329b2d7fcbe

SHA256
53a824891cbebcce4347bcece12934ec4cc3821f22b1277048ac3257709b8d9f

SHA512
af76077c6ff212375ca1330f956d2f6f078a32ef8d5cabeb8b7877d3938f1986d9017e560486bcb0abade9984e8bab7d2729e2e0787f5866c3f07c79f4703116

Download Submit
C:\Windows\{7F70D4E6-A737-4dd9-9814-A84BBBB35291}.exe

Filesize
204KB

MD5
26d39dd3f843a33b777bb33422468b59

SHA1
5bf69c9e01214c1f4a7ee026a177fbc944576404

SHA256
ae66f113712f00322ff90ee3a32a58d1c9f7f2524a0537a08f8b539e827b344c

SHA512
bcfa1e4c765beb867e31e16e5e1830728e0a9faf438f6f3432414982de606f65dec217c8ad2e5269e24d138fd9aa9e241e720792fa0cf7d4e29d6b157d9cbb44

Download Submit
C:\Windows\{9B1D7BC2-1C1E-4cb7-B203-12B9F6BF3EBD}.exe

Filesize
204KB

MD5
0ffcb21c32212fa69f6556dcb9f2ede7

SHA1
de3a3d114605320a65790c7d11131a288717082a

SHA256
60371e9934089f126cac8174d842ff81ba47dad98de3d832a1f4d2dfb8f3937a

SHA512
3ce7f6f7125fc4d86a3a94d664a6f8e96a2223986fb8493f16873afb2e63fe53fa7985595b8ae9a8d657409b3f4f6e43ba9da35304da303161b262dbbbd64619

Download Submit
C:\Windows\{B516ED65-294D-409b-B907-D7D66383B6AC}.exe

Filesize
204KB

MD5
a2493fe31ffb4b4882c4bb60e1572101

SHA1
d8742f593ee166ed4f2bc0236c37acb50134cbc2

SHA256
c389e0296fc9fc77216f4dfe6807e7324827ded44958573029e3ca999642a9bd

SHA512
57767344ec86d92b161bd76be931569901cd799a4d73966fc67a14690dcdb03c76f92cd3e7248ed9f09e6a64e053a30149e1bb67427d068b0162af9c9353e13f

Download Submit
C:\Windows\{D4525354-B2CC-4a28-B6DF-3C387AF97BEE}.exe

Filesize
204KB

MD5
c717d68c63b3d63f9b06b5c55b7d10bb

SHA1
1e1290372378d607aca37f71952be2fcfbb47ace

SHA256
e87b1cdff5c6eba4bbbf68b8164932902106d4d2bfa10ac5bdd2d390767340a2

SHA512
28029e0242c577ba67fd6ed34be28e611faef0db503f6d932cd18c499bdf6d234420e4f86a454c868afdf32125c660aacff46828a1f29a7383f2e7cae49176bc

Download Submit
C:\Windows\{DA7937AA-A2F9-4906-BD20-39466A9E0D81}.exe

Filesize
204KB

MD5
c087f31aedca59b9d8f7463cc0ed2b35

SHA1
85c8f66fcb112e569d4fe81854d09bf11cc86316

SHA256
b990743392baf6a38d94aa5d1f36e7809fac30cd091898c256cccfa7240e6e3c

SHA512
a4b6d9facd5e9e9779b40276d32508f96d0595c2a77d3644a5f6e6d4d9d48b5d5338691452560d60e202a8e8af4c7bf3871f7d00e7cd647555c5d479a4dcc480

Download Submit
C:\Windows\{E6CD7AEB-1F28-40aa-9695-8D1CCB97BD54}.exe

Filesize
204KB

MD5
16efe930b71074d356336a760ceb2f4d

SHA1
a5e187906175c34388994470b181816bee146ed0

SHA256
2bcd2f294a114e20e9c040e8e05c2184be06a0078483836cd54daf79b3803da7

SHA512
546db7b3459b54415d3f669fccc3214bb5702a047ef487a0336508131eb4b65367bf15e3ebcae1fc4c7aed02d1020fc1960a877891246ab9d4a0bcf126ccea4d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads