f2db4afc1aeddbe5d7c364df5bfedaeed038a4cf605de39eafb57bce5a10f69a

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Size

180KB
MD5

4fe4e43b26805901cbc5c2379e901014
SHA1

196c3dd615d1206e001d93635415e4f57b6bdaa3
SHA256

f2db4afc1aeddbe5d7c364df5bfedaeed038a4cf605de39eafb57bce5a10f69a
SHA512

a0e079d44eef53a6da1c7cdf49a353291efd6c517a300c000e23bd9e8270a35a4e33d92a3f569022d21118d2522c83a7ffde6d68ede8a720b9dae3765bc65739
SSDEEP

3072:jEGh0o2lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGkl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233ea-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233eb-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ef-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233f2-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233f8-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f2-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f2-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f8-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f2-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f8-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f2-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87AA2A80-1A07-45a0-8FE9-89397DE0E174}	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6AB72A3-C2EF-4dbf-967A-465032E7511F}	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A17465EC-957F-4af5-9D95-1D897B89E9F9}\stubpath = "C:\\Windows\\{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe"	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C729BC7B-12B9-414c-8215-C5C206788EFB}	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C729BC7B-12B9-414c-8215-C5C206788EFB}\stubpath = "C:\\Windows\\{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe"	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}\stubpath = "C:\\Windows\\{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}.exe"	{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}\stubpath = "C:\\Windows\\{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe"	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A17465EC-957F-4af5-9D95-1D897B89E9F9}	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{079EA34D-1068-4971-AC0A-23C237C5A88B}	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA5A196D-04FC-456d-9FDB-97DBED255EB0}	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B773C92D-2149-41d5-BA8F-88CE9F0EE381}	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B773C92D-2149-41d5-BA8F-88CE9F0EE381}\stubpath = "C:\\Windows\\{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe"	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3948D1BF-043E-4bff-A416-518AA48E15A6}\stubpath = "C:\\Windows\\{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe"	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA68B5D5-2377-47d5-A2E9-719D4251722F}\stubpath = "C:\\Windows\\{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe"	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{079EA34D-1068-4971-AC0A-23C237C5A88B}\stubpath = "C:\\Windows\\{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe"	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}	{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3948D1BF-043E-4bff-A416-518AA48E15A6}	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87AA2A80-1A07-45a0-8FE9-89397DE0E174}\stubpath = "C:\\Windows\\{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe"	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6AB72A3-C2EF-4dbf-967A-465032E7511F}\stubpath = "C:\\Windows\\{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe"	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA68B5D5-2377-47d5-A2E9-719D4251722F}	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}\stubpath = "C:\\Windows\\{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe"	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA5A196D-04FC-456d-9FDB-97DBED255EB0}\stubpath = "C:\\Windows\\{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe"	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe
4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe
3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe
1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe
412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe
680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe
2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe
4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe
2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe
640	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe
1204	{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe
4440	{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}.exe	{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe
File created	C:\Windows\{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
File created	C:\Windows\{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe
File created	C:\Windows\{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe
File created	C:\Windows\{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe
File created	C:\Windows\{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe
File created	C:\Windows\{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe
File created	C:\Windows\{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe
File created	C:\Windows\{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe
File created	C:\Windows\{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe
File created	C:\Windows\{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe
File created	C:\Windows\{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4524	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe
Token: SeIncBasePriorityPrivilege	4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe
Token: SeIncBasePriorityPrivilege	3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe
Token: SeIncBasePriorityPrivilege	1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe
Token: SeIncBasePriorityPrivilege	412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe
Token: SeIncBasePriorityPrivilege	680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe
Token: SeIncBasePriorityPrivilege	2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe
Token: SeIncBasePriorityPrivilege	4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe
Token: SeIncBasePriorityPrivilege	2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe
Token: SeIncBasePriorityPrivilege	640	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe
Token: SeIncBasePriorityPrivilege	1204	{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4596	4524	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	80
PID 4524 wrote to memory of 4596	4524	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	80
PID 4524 wrote to memory of 4596	4524	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	80
PID 4524 wrote to memory of 1888	4524	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	81
PID 4524 wrote to memory of 1888	4524	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	81
PID 4524 wrote to memory of 1888	4524	2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe	81
PID 4596 wrote to memory of 4844	4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe	82
PID 4596 wrote to memory of 4844	4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe	82
PID 4596 wrote to memory of 4844	4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe	82
PID 4596 wrote to memory of 3520	4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe	83
PID 4596 wrote to memory of 3520	4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe	83
PID 4596 wrote to memory of 3520	4596	{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe	83
PID 4844 wrote to memory of 3712	4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe	86
PID 4844 wrote to memory of 3712	4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe	86
PID 4844 wrote to memory of 3712	4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe	86
PID 4844 wrote to memory of 5028	4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe	87
PID 4844 wrote to memory of 5028	4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe	87
PID 4844 wrote to memory of 5028	4844	{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe	87
PID 3712 wrote to memory of 1740	3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe	92
PID 3712 wrote to memory of 1740	3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe	92
PID 3712 wrote to memory of 1740	3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe	92
PID 3712 wrote to memory of 4360	3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe	93
PID 3712 wrote to memory of 4360	3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe	93
PID 3712 wrote to memory of 4360	3712	{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe	93
PID 1740 wrote to memory of 412	1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe	95
PID 1740 wrote to memory of 412	1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe	95
PID 1740 wrote to memory of 412	1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe	95
PID 1740 wrote to memory of 1296	1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe	96
PID 1740 wrote to memory of 1296	1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe	96
PID 1740 wrote to memory of 1296	1740	{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe	96
PID 412 wrote to memory of 680	412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe	97
PID 412 wrote to memory of 680	412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe	97
PID 412 wrote to memory of 680	412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe	97
PID 412 wrote to memory of 3108	412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe	98
PID 412 wrote to memory of 3108	412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe	98
PID 412 wrote to memory of 3108	412	{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe	98
PID 680 wrote to memory of 2008	680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe	99
PID 680 wrote to memory of 2008	680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe	99
PID 680 wrote to memory of 2008	680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe	99
PID 680 wrote to memory of 668	680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe	100
PID 680 wrote to memory of 668	680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe	100
PID 680 wrote to memory of 668	680	{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe	100
PID 2008 wrote to memory of 4988	2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe	101
PID 2008 wrote to memory of 4988	2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe	101
PID 2008 wrote to memory of 4988	2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe	101
PID 2008 wrote to memory of 1524	2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe	102
PID 2008 wrote to memory of 1524	2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe	102
PID 2008 wrote to memory of 1524	2008	{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe	102
PID 4988 wrote to memory of 2920	4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe	103
PID 4988 wrote to memory of 2920	4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe	103
PID 4988 wrote to memory of 2920	4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe	103
PID 4988 wrote to memory of 1100	4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe	104
PID 4988 wrote to memory of 1100	4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe	104
PID 4988 wrote to memory of 1100	4988	{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe	104
PID 2920 wrote to memory of 640	2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe	105
PID 2920 wrote to memory of 640	2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe	105
PID 2920 wrote to memory of 640	2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe	105
PID 2920 wrote to memory of 4560	2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe	106
PID 2920 wrote to memory of 4560	2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe	106
PID 2920 wrote to memory of 4560	2920	{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe	106
PID 640 wrote to memory of 1204	640	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe	107
PID 640 wrote to memory of 1204	640	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe	107
PID 640 wrote to memory of 1204	640	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe	107
PID 640 wrote to memory of 3212	640	{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_4fe4e43b26805901cbc5c2379e901014_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe
  C:\Windows\{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe
    C:\Windows\{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe
      C:\Windows\{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe
        
        C:\Windows\{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe
        
        C:\Windows\{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe
        
        C:\Windows\{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe
        
        C:\Windows\{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe
        
        C:\Windows\{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe
        
        C:\Windows\{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe
        
        C:\Windows\{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe
        
        C:\Windows\{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}.exe
        
        C:\Windows\{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B773C~1.EXE > nul
        13⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA5A1~1.EXE > nul
        12⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{079EA~1.EXE > nul
        11⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB8EA~1.EXE > nul
        10⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C729B~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1746~1.EXE > nul
        8⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA68B~1.EXE > nul
        7⤵
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6AB7~1.EXE > nul
        6⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A41B~1.EXE > nul
        5⤵
        
        PID:4360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{87AA2~1.EXE > nul
      4⤵
      PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3948D~1.EXE > nul
    3⤵
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{079EA34D-1068-4971-AC0A-23C237C5A88B}.exe

Filesize
180KB

MD5
d946e65153edba4d2ace03567f151548

SHA1
7775906e41991eb7a9242a8398d36675889dae35

SHA256
c270b7f78226a28893b3bdc757183c846cdd8fc03a9d3206108bdb2aea5945f9

SHA512
f54cda7fed948e3c4182a46740f1ccd4ba2d3748552ddfe343e516fb44d8ff73e452a8237b91e6bb2553b43e829793cc4de9e7b7c031e3f7776f4c84267be7e0

Download Submit
C:\Windows\{19E87910-2BAE-4ac0-AC7A-B4A7C7BC706B}.exe

Filesize
180KB

MD5
423fd021e31e87de433ef47ab81c1304

SHA1
3c461e0a27e69a611559445fb91449aa285286cd

SHA256
2fe49598015f08a342703e47b308234e73aefce76467df68bb9556d4e25da03a

SHA512
e7b229af5f313c247c4ecb54e377e1532ee6d904f34567657adc68eb22ec47b11a8ef34d69077d235703bdda157502c86979b03fd890619a45a8898e6767deb9

Download Submit
C:\Windows\{3948D1BF-043E-4bff-A416-518AA48E15A6}.exe

Filesize
180KB

MD5
e768c127f490e06d13fab61674f07562

SHA1
0106c3d81d665e829b31ca40180a6e9d7d6a9e38

SHA256
ec5653aebe0155e2de0b227a961ac3954df8738986ae9ffda836ea9abccd98d4

SHA512
94f8adc2d005431b971bcbd1f4980c5aa7bc1454ebc629dbd205c5bb22095f98b76caa483367269b8c0096720e215958fa06a23fb7a6fa17259eba987054abb8

Download Submit
C:\Windows\{87AA2A80-1A07-45a0-8FE9-89397DE0E174}.exe

Filesize
180KB

MD5
bc1bf0d1e8af73df9376b0513ed8f181

SHA1
129c3ada4028eaa6b000db070c2ac1b4337f22b3

SHA256
9b685243fff683c345a8b656682a38e2b1db609b11d43188b5f23656354e593a

SHA512
b9579cc6085ed3a4b8000e3f2ceebab1d8876d419c4ec9d4217df02d90d2cc629d44d9c1d909d278ca30e7236744930871185a981a2a5984a325ab4584d0e3e1

Download Submit
C:\Windows\{9A41B4DD-28E8-40df-A8DC-6F3F5E4481D7}.exe

Filesize
180KB

MD5
bb082aa1c892adfaa6be66df53facdae

SHA1
5796e0c38840bfa10e0c3acdae60f8ef1ce65516

SHA256
9df5ad5f1355baaf4298782fc80f86efa1e3476382dc2518dc3e507a49b8510a

SHA512
4fe99879da98ee121ae6072eb5308dca48a142573cb45d35119443685577713872162a1027c7b406dab584efb98dc86a0d0b5942e4166e4d70cb916a7a3c6ab0

Download Submit
C:\Windows\{A17465EC-957F-4af5-9D95-1D897B89E9F9}.exe

Filesize
180KB

MD5
f1806049d23102a1e069fbd2420ca92b

SHA1
ee31a5ec363f5bf0a76c62b7e96ac0a96b7c5d5c

SHA256
3893b91fb44721e292c804153e153dfbd83831298bc37e532d0e04af2b125ea0

SHA512
674e822aca284f58d348704ea3acb07e4ed27c0f04a28a0c9f0e37f2ac9546e87c31db36939767bef966d84109d31389bf960a3570e673f867ba3d07484c6a8e

Download Submit
C:\Windows\{AA68B5D5-2377-47d5-A2E9-719D4251722F}.exe

Filesize
180KB

MD5
5c784dc5ed3af5fce5cf278bd3ad2624

SHA1
0b9c05fa41b7d9dc4bd10e6a7bd7c550d4434ce0

SHA256
660d9c41d64ed663bdef392a7e8a3a19ccf40e16f7eb0c4ccc033633302e3ea7

SHA512
deaad1e9aa9f025adf30f5db00bd7772e88894eb46ab1502a7793318d72b76cb82a7efea0f4ec966e2042d75029de25fa22f9dc9fd2457e1d1146ad800a75a33

Download Submit
C:\Windows\{B773C92D-2149-41d5-BA8F-88CE9F0EE381}.exe

Filesize
180KB

MD5
c764ee2bfb735661b3c75e608ca0e8b0

SHA1
1bfd6990aeb4ca29cc5449120b15caccdfe7c316

SHA256
d77fcf1231285c4ac153a28a01e8e55e985f74e46d00ca7607a007cf46240bd4

SHA512
d5c956b7bbc0764b06f0a37f53de1a7e79f5b808c3da9b4f7106567fb6332b652e00895adf539b2b336979aefe199b45ff18765a916481d7414f4a8b38d8184e

Download Submit
C:\Windows\{C729BC7B-12B9-414c-8215-C5C206788EFB}.exe

Filesize
180KB

MD5
b1112a94044e25ee00f87813b1905dae

SHA1
2db562e797f1676acf052ecbac97f70bfc1ddd85

SHA256
0a02b72e6345fb41d72b353e37a07246f4c8a9b0f3b8aee07d3aad716ab95994

SHA512
1612aac4fdef4ddd530be3949b4f1285ab021384333e2243e3514ba37746b57cf3c02bedf1204c9396cf2d099d6545bdf702e4ccaef6eda08b20d4db83c9029d

Download Submit
C:\Windows\{DA5A196D-04FC-456d-9FDB-97DBED255EB0}.exe

Filesize
180KB

MD5
10412c29df9740b843fc0c98f0a45075

SHA1
e9eb4ed64426b45d9380f0ec747ed69feada6af2

SHA256
68643449c3e5b2c292ba3138885535c5138a73b9a50e292e45a4047a99420072

SHA512
80edc1f34fdc0d3dc377dba90257375cfa6a00ef721350ee7b71960ba22252b2b18f4fdd7677ba58715758f85619f984cbe7b655328716c771eb829b45ae865e

Download Submit
C:\Windows\{E6AB72A3-C2EF-4dbf-967A-465032E7511F}.exe

Filesize
180KB

MD5
80029639287539596cecb0913fa86591

SHA1
9d22d6de41d7fb59698c9be34f55684f4e62f7e6

SHA256
49e99823f4feee07753e7a2923b68d148441b2f8070b2a9ef1f1bd9404e9f1cd

SHA512
9f31d1fb833679ccf3a78d5d8aef2027bf196e9f6cdd57209900122dc2d98c6a66b01155a8745a89a9f55aa94178b276de0ee5cac6d5c693357d60cd26220c57

Download Submit
C:\Windows\{FB8EAA85-7883-4b25-B1A6-5CD4A0E29494}.exe

Filesize
180KB

MD5
31d9ed216d4a264eadf8507edd6c9caa

SHA1
f84181d54a7202b7a73d2005bc10e6cf5666c0a5

SHA256
d4cb7eef3fbbc01d79d5adb2c537135b4a3708bae8ee6af359468d60ad8a4857

SHA512
d893872b25575500a01e642caee58f37276340bc67eab2d04972f0911acb55012cd10d3eb2f6825eddb91c1bc25f3b24aa4627f87f67aa352c037fbcfd36ac59

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads