fbde691cdfa4479bd45e82929e7499e9dc819edd14f213798192d7ed684c0d5d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe
Size

408KB
MD5

d1f07e4eaa15b5fce11b22fbf8834116
SHA1

1a30df9c4c885d5502a888b29bafd0e1dd5b4d09
SHA256

fbde691cdfa4479bd45e82929e7499e9dc819edd14f213798192d7ed684c0d5d
SHA512

474a641a291a63dd117f5e6b2face57ec07a20a9324cb8d1025f294a7383c4f2f9c2df7ec59b1736d753dff31c00241e1c286e7891b7f614c58e758cf4f8dd19
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGKldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023414-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023422-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023414-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000021581-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021a0a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000021581-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B719DC8-E0A0-49be-820E-B371840A8CD4}	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B719DC8-E0A0-49be-820E-B371840A8CD4}\stubpath = "C:\\Windows\\{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe"	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42FA2782-FE50-4bf6-A0BA-7021095D618B}	{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}\stubpath = "C:\\Windows\\{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe"	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE7027F-B965-44de-99A0-EBEC5C258B85}	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55034683-B822-4a12-977B-8AB9B461932E}\stubpath = "C:\\Windows\\{55034683-B822-4a12-977B-8AB9B461932E}.exe"	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E7DBB8-0611-4802-9627-CC6D51CB0522}\stubpath = "C:\\Windows\\{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe"	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55034683-B822-4a12-977B-8AB9B461932E}	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD562E26-A228-4787-9CA4-4781BEDDBBEC}	{55034683-B822-4a12-977B-8AB9B461932E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{499F2E29-D639-4c66-890A-30148974E9B7}	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BC26012-74AB-4a68-BC05-54D0269D053C}	{499F2E29-D639-4c66-890A-30148974E9B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE7027F-B965-44de-99A0-EBEC5C258B85}\stubpath = "C:\\Windows\\{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe"	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F83BE4-BEBD-4342-B422-17F08F707E7D}\stubpath = "C:\\Windows\\{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe"	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E7DBB8-0611-4802-9627-CC6D51CB0522}	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42FA2782-FE50-4bf6-A0BA-7021095D618B}\stubpath = "C:\\Windows\\{42FA2782-FE50-4bf6-A0BA-7021095D618B}.exe"	{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BC26012-74AB-4a68-BC05-54D0269D053C}\stubpath = "C:\\Windows\\{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe"	{499F2E29-D639-4c66-890A-30148974E9B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD562E26-A228-4787-9CA4-4781BEDDBBEC}\stubpath = "C:\\Windows\\{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe"	{55034683-B822-4a12-977B-8AB9B461932E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}\stubpath = "C:\\Windows\\{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe"	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{499F2E29-D639-4c66-890A-30148974E9B7}\stubpath = "C:\\Windows\\{499F2E29-D639-4c66-890A-30148974E9B7}.exe"	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F83BE4-BEBD-4342-B422-17F08F707E7D}	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}\stubpath = "C:\\Windows\\{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe"	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe
1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe
3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe
3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe
5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe
320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe
4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe
2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe
3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe
2556	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe
2552	{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe
2000	{42FA2782-FE50-4bf6-A0BA-7021095D618B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{499F2E29-D639-4c66-890A-30148974E9B7}.exe	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe
File created	C:\Windows\{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe
File created	C:\Windows\{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe
File created	C:\Windows\{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe
File created	C:\Windows\{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe
File created	C:\Windows\{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe
File created	C:\Windows\{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe
File created	C:\Windows\{55034683-B822-4a12-977B-8AB9B461932E}.exe	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe
File created	C:\Windows\{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe	{55034683-B822-4a12-977B-8AB9B461932E}.exe
File created	C:\Windows\{42FA2782-FE50-4bf6-A0BA-7021095D618B}.exe	{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe
File created	C:\Windows\{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe	{499F2E29-D639-4c66-890A-30148974E9B7}.exe
File created	C:\Windows\{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4076	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe
Token: SeIncBasePriorityPrivilege	1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe
Token: SeIncBasePriorityPrivilege	3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe
Token: SeIncBasePriorityPrivilege	3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe
Token: SeIncBasePriorityPrivilege	5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe
Token: SeIncBasePriorityPrivilege	320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe
Token: SeIncBasePriorityPrivilege	4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe
Token: SeIncBasePriorityPrivilege	2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe
Token: SeIncBasePriorityPrivilege	3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe
Token: SeIncBasePriorityPrivilege	2556	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe
Token: SeIncBasePriorityPrivilege	2552	{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3820	4076	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe	93
PID 4076 wrote to memory of 3820	4076	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe	93
PID 4076 wrote to memory of 3820	4076	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe	93
PID 4076 wrote to memory of 1664	4076	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe	94
PID 4076 wrote to memory of 1664	4076	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe	94
PID 4076 wrote to memory of 1664	4076	2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe	94
PID 3820 wrote to memory of 1204	3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe	95
PID 3820 wrote to memory of 1204	3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe	95
PID 3820 wrote to memory of 1204	3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe	95
PID 3820 wrote to memory of 3540	3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe	96
PID 3820 wrote to memory of 3540	3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe	96
PID 3820 wrote to memory of 3540	3820	{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe	96
PID 1204 wrote to memory of 3928	1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe	99
PID 1204 wrote to memory of 3928	1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe	99
PID 1204 wrote to memory of 3928	1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe	99
PID 1204 wrote to memory of 2852	1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe	100
PID 1204 wrote to memory of 2852	1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe	100
PID 1204 wrote to memory of 2852	1204	{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe	100
PID 3928 wrote to memory of 3696	3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe	101
PID 3928 wrote to memory of 3696	3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe	101
PID 3928 wrote to memory of 3696	3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe	101
PID 3928 wrote to memory of 3492	3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe	102
PID 3928 wrote to memory of 3492	3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe	102
PID 3928 wrote to memory of 3492	3928	{499F2E29-D639-4c66-890A-30148974E9B7}.exe	102
PID 3696 wrote to memory of 5012	3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe	103
PID 3696 wrote to memory of 5012	3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe	103
PID 3696 wrote to memory of 5012	3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe	103
PID 3696 wrote to memory of 972	3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe	104
PID 3696 wrote to memory of 972	3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe	104
PID 3696 wrote to memory of 972	3696	{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe	104
PID 5012 wrote to memory of 320	5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe	105
PID 5012 wrote to memory of 320	5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe	105
PID 5012 wrote to memory of 320	5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe	105
PID 5012 wrote to memory of 2484	5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe	106
PID 5012 wrote to memory of 2484	5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe	106
PID 5012 wrote to memory of 2484	5012	{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe	106
PID 320 wrote to memory of 4824	320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe	107
PID 320 wrote to memory of 4824	320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe	107
PID 320 wrote to memory of 4824	320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe	107
PID 320 wrote to memory of 4716	320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe	108
PID 320 wrote to memory of 4716	320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe	108
PID 320 wrote to memory of 4716	320	{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe	108
PID 4824 wrote to memory of 2068	4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe	109
PID 4824 wrote to memory of 2068	4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe	109
PID 4824 wrote to memory of 2068	4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe	109
PID 4824 wrote to memory of 2184	4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe	110
PID 4824 wrote to memory of 2184	4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe	110
PID 4824 wrote to memory of 2184	4824	{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe	110
PID 2068 wrote to memory of 3652	2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe	111
PID 2068 wrote to memory of 3652	2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe	111
PID 2068 wrote to memory of 3652	2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe	111
PID 2068 wrote to memory of 1632	2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe	112
PID 2068 wrote to memory of 1632	2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe	112
PID 2068 wrote to memory of 1632	2068	{55034683-B822-4a12-977B-8AB9B461932E}.exe	112
PID 3652 wrote to memory of 2556	3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe	113
PID 3652 wrote to memory of 2556	3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe	113
PID 3652 wrote to memory of 2556	3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe	113
PID 3652 wrote to memory of 4924	3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe	114
PID 3652 wrote to memory of 4924	3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe	114
PID 3652 wrote to memory of 4924	3652	{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe	114
PID 2556 wrote to memory of 2552	2556	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe	115
PID 2556 wrote to memory of 2552	2556	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe	115
PID 2556 wrote to memory of 2552	2556	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe	115
PID 2556 wrote to memory of 4228	2556	{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_d1f07e4eaa15b5fce11b22fbf8834116_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe
  C:\Windows\{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe
    C:\Windows\{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\{499F2E29-D639-4c66-890A-30148974E9B7}.exe
      C:\Windows\{499F2E29-D639-4c66-890A-30148974E9B7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe
        
        C:\Windows\{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe
        
        C:\Windows\{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe
        
        C:\Windows\{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe
        
        C:\Windows\{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\{55034683-B822-4a12-977B-8AB9B461932E}.exe
        
        C:\Windows\{55034683-B822-4a12-977B-8AB9B461932E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe
        
        C:\Windows\{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe
        
        C:\Windows\{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe
        
        C:\Windows\{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\{42FA2782-FE50-4bf6-A0BA-7021095D618B}.exe
        
        C:\Windows\{42FA2782-FE50-4bf6-A0BA-7021095D618B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B719~1.EXE > nul
        13⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2286D~1.EXE > nul
        12⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD562~1.EXE > nul
        11⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55034~1.EXE > nul
        10⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E7D~1.EXE > nul
        9⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F83~1.EXE > nul
        8⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EE70~1.EXE > nul
        7⤵
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BC26~1.EXE > nul
        6⤵
        
        PID:972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{499F2~1.EXE > nul
        5⤵
        
        PID:3492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E3A02~1.EXE > nul
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2EE~1.EXE > nul
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B719DC8-E0A0-49be-820E-B371840A8CD4}.exe

Filesize
408KB

MD5
97c1a6647faff2e25a7e5e904e1dba04

SHA1
b414dde80c03d004c5e21bcb2befaf2f58c52693

SHA256
5fe9432378e8802c4cf0485ff224faed8ce46791bca0bcbaff109f17b8f9b8c2

SHA512
ffa9cb27cdd61dbf0eff45139c264cbc9ee2a543eb35d3382843c1a846a9fd206beb4d0942b685c62ff3a2042c406fcad8dfc28a0068e2a0791ce0f7536e2af0

Download Submit
C:\Windows\{2286D033-E4AE-4511-A2FB-96C3E1D79E0F}.exe

Filesize
408KB

MD5
0abde76fb8b49852e19395f8a5b37b5e

SHA1
6876d32f5b02552917a42dd4afcc2065f75195ad

SHA256
d1cfbc130fe88bdc72ee51d6cb82f7fc21f8ed5bac2c1ca415254b328eb49900

SHA512
ae2a1637da69b5aebc2c4ac96e837a560a8cc978bb6649e6c2e5b06c48a7637fdee0d0de225fbf0b1099a6c42fd6759e90e986e385227ee5adb6bd1f7b10f531

Download Submit
C:\Windows\{42FA2782-FE50-4bf6-A0BA-7021095D618B}.exe

Filesize
408KB

MD5
4896588c64349a67af6fe4c62d6fddf7

SHA1
4473522087457f552af141fc1a548204d5bf3017

SHA256
bfc4e0775b888ba1c5de8d8df2333c2a9dfbe57cdeb0f9621ddc4cd466d30ef6

SHA512
6bcab3abc07680ec2f883d438bcc125bf95808bfc8f52849333d3e357649db9dde09f16b0ac7d7fffc8d053826d30a5abce0bad665bcf6d34dd98d3d084664a6

Download Submit
C:\Windows\{499F2E29-D639-4c66-890A-30148974E9B7}.exe

Filesize
408KB

MD5
d357cfd5f6d6b27f922de1628b86150d

SHA1
de4aa2a6bdf95aaa9724c6d4e7d870181f42a111

SHA256
917347ed96994b29d6f09965b858b30021e9510e194c1fa0695ff8c9f4064c4d

SHA512
ce26629a4a8ab9463f52b63159516f0c63ced79507aafe5e250164ef0151af00ea91189725f4c41f43847f9d9ed15aafddb3b6139b32b7dd8f2084c7dd9a07ce

Download Submit
C:\Windows\{4BC26012-74AB-4a68-BC05-54D0269D053C}.exe

Filesize
408KB

MD5
fff2642e3d798b8001dc96536d92c62f

SHA1
662057c6ede8605aebb5bb4c992d211f54acc2cd

SHA256
81a38ef288eb7e6e491a87912393ae920262e909bcb9fb44ff046b4bd9d3ddea

SHA512
85c5f1f1f7fb730ad610549ba73ee18a1bd363d649d4d58b5da07a43d6092e2657fc9b1fbb3cf0db683d518887732d41104ec0deb53016258ada161c7f97a0b0

Download Submit
C:\Windows\{55034683-B822-4a12-977B-8AB9B461932E}.exe

Filesize
408KB

MD5
ac7c295f0267fcf2f020b12708b3a7e7

SHA1
bc5754c3b3372f1d3807c8987430a719ff7622cb

SHA256
92adbd95cb47c8c3dd4b2e479467ccf8e7582dd7130a01e3615529a9b44e8561

SHA512
1576e80cd89aa9304475b35a98050768698b7ab1f1abbbbebc58cca1d1ce840b0fedc2656acf5d7fda9693b03658206eb39e4de1478b4466570115fb89415e77

Download Submit
C:\Windows\{6EE7027F-B965-44de-99A0-EBEC5C258B85}.exe

Filesize
408KB

MD5
fa4ff3bd5cfef0ff09b8c52ee4a6f87f

SHA1
e15565668b5b7e693398e0c63f127ff4d6674443

SHA256
42653761931b2ad177879829da6d5aec3c34e94604dafec0a8cf56d0d88dae89

SHA512
495c399152349e5fee426754a6dc8ad2f1cc9dab1dd074252a1131e9d8084604a113022cf7bccb17867ccc3ec1675e618ba69e68afd7c205d8b0b240bc00f736

Download Submit
C:\Windows\{A6F83BE4-BEBD-4342-B422-17F08F707E7D}.exe

Filesize
408KB

MD5
2c12ad353f55ef253b92af942b5efee9

SHA1
f500cf2e7363eae1edc14934861b4cf892fb7c1c

SHA256
e926c86dc1e9b762b6bf47086af5d106151c6b428e341bbef7453d6181f946ad

SHA512
4bc0d3385124b63285017ba3fc03c2cd4b8c458e91d14f739c79b070c53c46a5063ae614204377a856f5c554751040a00a5a5292ce7b2810f7ac71e7ac0a01b6

Download Submit
C:\Windows\{B8E7DBB8-0611-4802-9627-CC6D51CB0522}.exe

Filesize
408KB

MD5
7794ed60dae68e75a1f3b9f19dd62500

SHA1
352ddecef6c69ba909e2eca0e8a36285978f24cc

SHA256
a1b42fc3a90b6f9a6ff8a156e2c86140bf0a3b89e6ce72c0e407ac108d929295

SHA512
2b271dbd866a44a1db1676b89eb35f86284ac3b6d47f413aea82da4d15d32e50c285328b2d031d9f1002ed4908d371121b1642a65afe6b16dbde2be2ff216a5a

Download Submit
C:\Windows\{DD562E26-A228-4787-9CA4-4781BEDDBBEC}.exe

Filesize
408KB

MD5
b504f308e0d851773b4e10aaa2e622ae

SHA1
baa9b5841ee39bbbd8713000f130aa0b3b27b11e

SHA256
b62208edb04a61fa1e20250f50a1a0ed51c8440464c12e5314510cb958b3ba93

SHA512
524a62bd388c361d2aa91b2567ddad60dbe4fe554e6943de704963f516024d9311774dd7e6b4588101976c0d6b41873ef44dcd971deeeea5d9bad0323885cff7

Download Submit
C:\Windows\{E3A02F16-D7CB-4f20-BB17-07FFC1F753F7}.exe

Filesize
408KB

MD5
2d830d35477d79acada876fa2fc84199

SHA1
bfee83635a741bb0b287b21cdc538047e159571a

SHA256
485a45ed477d3b543e5f4e403a002a9d08311e67aa99cf3c23cfc2a005ca67c2

SHA512
30d0dfd91eb2293e0ca86a716746e623fa7146662bf3841a5ede01fdcc48e664cfb56b48de31357bc8cf75da4934f0d524e2355fd93a751f8795ab7ec8065cf3

Download Submit
C:\Windows\{EC2EE5FA-AF32-4424-9368-7C9C5B07FA38}.exe

Filesize
408KB

MD5
630d7147fcfa559c575794f664f767a7

SHA1
a02bc8b13ccd85a3256e4acb299aff404d648c2d

SHA256
76bb935019a7058035add109d8982010c341262706d94f46d1d7d090864ead6a

SHA512
e80a51308db6988781bbccc575ba58420d2118b44467bb42d8186c748e3b5de55490bd31231e1fc25f9b009aa9fc9dcdd7c7242395cae0133edb343fd6918577

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads