eadc633d0be3cf7c9fbac3923d31603e071e0e10c2178ce1eb327135cde4e2ca

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Size

408KB
MD5

7b409cd90f9134447bbc426fbf21a3b1
SHA1

967f2aecfee3e18a9610c6b87694f823fb341456
SHA256

eadc633d0be3cf7c9fbac3923d31603e071e0e10c2178ce1eb327135cde4e2ca
SHA512

d216b325d8dfcbbee1f701fe1bae3fccad8cafc3dd8cda8f60b3bc13d60a9a61f0003bc9343dc8d2e3eb398c53576ca3ca730c832774f983598a31df79629d05
SSDEEP

3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGfldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002357f-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023576-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000234ce-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234d0-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000234ce-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000234d0-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000234ce-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000234d6-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000234ce-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000234d6-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000234d8-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000234d6-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{559DBB04-B59B-4dd8-B873-E382BA26F9DC}\stubpath = "C:\\Windows\\{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe"	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C8C79BE-1F97-49b0-913C-DC407CD892A4}	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80DB355-EF1F-477c-B409-B927FFF1E199}\stubpath = "C:\\Windows\\{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe"	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1879EA-B1DB-4ece-80AB-98110F810FA6}\stubpath = "C:\\Windows\\{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe"	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43ED9506-5AD2-4def-A27E-FEE599D8075D}	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}	{8D276C98-430E-46ac-8450-A03644216C62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}\stubpath = "C:\\Windows\\{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe"	{8D276C98-430E-46ac-8450-A03644216C62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3B139F-4186-43b6-9F7A-10EC732795FC}	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1879EA-B1DB-4ece-80AB-98110F810FA6}	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75500036-75B3-4ae8-A993-40B9EEF8CBF8}	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75500036-75B3-4ae8-A993-40B9EEF8CBF8}\stubpath = "C:\\Windows\\{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe"	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65808F4D-0210-4a9e-A79C-F75432D6FA0E}\stubpath = "C:\\Windows\\{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe"	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{559DBB04-B59B-4dd8-B873-E382BA26F9DC}	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3B139F-4186-43b6-9F7A-10EC732795FC}\stubpath = "C:\\Windows\\{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe"	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}\stubpath = "C:\\Windows\\{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe"	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C8C79BE-1F97-49b0-913C-DC407CD892A4}\stubpath = "C:\\Windows\\{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe"	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80DB355-EF1F-477c-B409-B927FFF1E199}	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67BC002F-922E-459a-A794-D6C1498D5159}	{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67BC002F-922E-459a-A794-D6C1498D5159}\stubpath = "C:\\Windows\\{67BC002F-922E-459a-A794-D6C1498D5159}.exe"	{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43ED9506-5AD2-4def-A27E-FEE599D8075D}\stubpath = "C:\\Windows\\{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe"	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65808F4D-0210-4a9e-A79C-F75432D6FA0E}	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D276C98-430E-46ac-8450-A03644216C62}	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D276C98-430E-46ac-8450-A03644216C62}\stubpath = "C:\\Windows\\{8D276C98-430E-46ac-8450-A03644216C62}.exe"	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe

Executes dropped EXE 12 IoCs

pid	Process
3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe
2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe
4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe
4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe
2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe
3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe
4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe
1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe
400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe
1264	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe
2172	{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe
2152	{67BC002F-922E-459a-A794-D6C1498D5159}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe	{8D276C98-430E-46ac-8450-A03644216C62}.exe
File created	C:\Windows\{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe
File created	C:\Windows\{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe
File created	C:\Windows\{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe
File created	C:\Windows\{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe
File created	C:\Windows\{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
File created	C:\Windows\{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe
File created	C:\Windows\{8D276C98-430E-46ac-8450-A03644216C62}.exe	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe
File created	C:\Windows\{67BC002F-922E-459a-A794-D6C1498D5159}.exe	{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe
File created	C:\Windows\{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe
File created	C:\Windows\{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe
File created	C:\Windows\{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4408	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe
Token: SeIncBasePriorityPrivilege	2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe
Token: SeIncBasePriorityPrivilege	4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe
Token: SeIncBasePriorityPrivilege	4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe
Token: SeIncBasePriorityPrivilege	2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe
Token: SeIncBasePriorityPrivilege	3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe
Token: SeIncBasePriorityPrivilege	4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe
Token: SeIncBasePriorityPrivilege	1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe
Token: SeIncBasePriorityPrivilege	400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe
Token: SeIncBasePriorityPrivilege	1264	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe
Token: SeIncBasePriorityPrivilege	2172	{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3480	4408	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	94
PID 4408 wrote to memory of 3480	4408	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	94
PID 4408 wrote to memory of 3480	4408	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	94
PID 4408 wrote to memory of 1068	4408	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	95
PID 4408 wrote to memory of 1068	4408	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	95
PID 4408 wrote to memory of 1068	4408	2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe	95
PID 3480 wrote to memory of 2568	3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe	96
PID 3480 wrote to memory of 2568	3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe	96
PID 3480 wrote to memory of 2568	3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe	96
PID 3480 wrote to memory of 1628	3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe	97
PID 3480 wrote to memory of 1628	3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe	97
PID 3480 wrote to memory of 1628	3480	{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe	97
PID 2568 wrote to memory of 4316	2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe	102
PID 2568 wrote to memory of 4316	2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe	102
PID 2568 wrote to memory of 4316	2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe	102
PID 2568 wrote to memory of 4324	2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe	103
PID 2568 wrote to memory of 4324	2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe	103
PID 2568 wrote to memory of 4324	2568	{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe	103
PID 4316 wrote to memory of 4612	4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe	104
PID 4316 wrote to memory of 4612	4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe	104
PID 4316 wrote to memory of 4612	4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe	104
PID 4316 wrote to memory of 4216	4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe	105
PID 4316 wrote to memory of 4216	4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe	105
PID 4316 wrote to memory of 4216	4316	{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe	105
PID 4612 wrote to memory of 2572	4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe	106
PID 4612 wrote to memory of 2572	4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe	106
PID 4612 wrote to memory of 2572	4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe	106
PID 4612 wrote to memory of 4604	4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe	107
PID 4612 wrote to memory of 4604	4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe	107
PID 4612 wrote to memory of 4604	4612	{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe	107
PID 2572 wrote to memory of 3536	2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe	109
PID 2572 wrote to memory of 3536	2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe	109
PID 2572 wrote to memory of 3536	2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe	109
PID 2572 wrote to memory of 5044	2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe	110
PID 2572 wrote to memory of 5044	2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe	110
PID 2572 wrote to memory of 5044	2572	{8D276C98-430E-46ac-8450-A03644216C62}.exe	110
PID 3536 wrote to memory of 4724	3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe	111
PID 3536 wrote to memory of 4724	3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe	111
PID 3536 wrote to memory of 4724	3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe	111
PID 3536 wrote to memory of 3472	3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe	112
PID 3536 wrote to memory of 3472	3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe	112
PID 3536 wrote to memory of 3472	3536	{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe	112
PID 4724 wrote to memory of 1508	4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe	119
PID 4724 wrote to memory of 1508	4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe	119
PID 4724 wrote to memory of 1508	4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe	119
PID 4724 wrote to memory of 4468	4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe	120
PID 4724 wrote to memory of 4468	4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe	120
PID 4724 wrote to memory of 4468	4724	{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe	120
PID 1508 wrote to memory of 400	1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe	121
PID 1508 wrote to memory of 400	1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe	121
PID 1508 wrote to memory of 400	1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe	121
PID 1508 wrote to memory of 4044	1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe	122
PID 1508 wrote to memory of 4044	1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe	122
PID 1508 wrote to memory of 4044	1508	{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe	122
PID 400 wrote to memory of 1264	400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe	123
PID 400 wrote to memory of 1264	400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe	123
PID 400 wrote to memory of 1264	400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe	123
PID 400 wrote to memory of 528	400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe	124
PID 400 wrote to memory of 528	400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe	124
PID 400 wrote to memory of 528	400	{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe	124
PID 1264 wrote to memory of 2172	1264	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe	128
PID 1264 wrote to memory of 2172	1264	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe	128
PID 1264 wrote to memory of 2172	1264	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe	128
PID 1264 wrote to memory of 2536	1264	{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_7b409cd90f9134447bbc426fbf21a3b1_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe
  C:\Windows\{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe
    C:\Windows\{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe
      C:\Windows\{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe
        
        C:\Windows\{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Windows\{8D276C98-430E-46ac-8450-A03644216C62}.exe
        
        C:\Windows\{8D276C98-430E-46ac-8450-A03644216C62}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe
        
        C:\Windows\{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe
        
        C:\Windows\{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe
        
        C:\Windows\{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe
        
        C:\Windows\{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe
        
        C:\Windows\{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe
        
        C:\Windows\{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{67BC002F-922E-459a-A794-D6C1498D5159}.exe
        
        C:\Windows\{67BC002F-922E-459a-A794-D6C1498D5159}.exe
        13⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A80DB~1.EXE > nul
        13⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C8C7~1.EXE > nul
        12⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD0AC~1.EXE > nul
        11⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD3B1~1.EXE > nul
        10⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{559DB~1.EXE > nul
        9⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F45F9~1.EXE > nul
        8⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D276~1.EXE > nul
        7⤵
        
        PID:5044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65808~1.EXE > nul
        6⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75500~1.EXE > nul
        5⤵
        
        PID:4216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{43ED9~1.EXE > nul
      4⤵
      PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C187~1.EXE > nul
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{43ED9506-5AD2-4def-A27E-FEE599D8075D}.exe

Filesize
408KB

MD5
92160d2de5b3c11a238099744b7112f7

SHA1
04de88f9d42a58a5334d9f62476120fac535f533

SHA256
528c7e5ae12a51d7d377258bebfc3ed9c866abc7707cfbdab9e4f7ac486179e3

SHA512
e432006d03da79fad3c3c75c5326af8ef1612840cdbcfc03dc7c2dc62f2fa7e2422df2cd27f685ce0898704aea7eba5cb75dc89dd48f54944652075912f1b482

Download Submit
C:\Windows\{559DBB04-B59B-4dd8-B873-E382BA26F9DC}.exe

Filesize
408KB

MD5
4d5d0519d302ca9254ec0d12707bc719

SHA1
df2ba0768f59f7b204a3c5f6189f3e3a725c12bf

SHA256
a2d893266fe3aaf60909cf1bb51f9b558fbe468e865d6560874a4a50781e4902

SHA512
8eae75d367f6f5cf52388239bee5a6d23157bb804caed00911e28a44898a71dcdafd2f554d55d55f946624313ba67666faa37f846d698870a8e2f00b8e629189

Download Submit
C:\Windows\{65808F4D-0210-4a9e-A79C-F75432D6FA0E}.exe

Filesize
408KB

MD5
25a7ce314129a2ba7bd01e1955e8f00a

SHA1
c527704c587940b4a38d923b48ace6057d0b651d

SHA256
409d3912dc4a1c9bea421b5701ea86f8734ef805d940f1535928ca59472a231a

SHA512
52cb917ad3a525da312c34f12f71b72f175d151f0b92486441663257d5c4e3d11d9f354f92e900180fee923a31da6ff4217a4279af81546662d13134edf5147e

Download Submit
C:\Windows\{67BC002F-922E-459a-A794-D6C1498D5159}.exe

Filesize
408KB

MD5
77f276abb335a3ca436f6f7eb33f67cf

SHA1
8ac9ba55a6cabd0166ade45e77733ff267c7f742

SHA256
be4441468437ea3d06d81ba693e66253b4e774185f0f184fc5c6348c1877664c

SHA512
aace01d3d081f0f29b6e52c632caef8835810be5eab84a2b57416d1d2ac3c786a965deee5a162f670c80d5e7fe0388d062b19c35c97368c4bd57e82b0df4b498

Download Submit
C:\Windows\{75500036-75B3-4ae8-A993-40B9EEF8CBF8}.exe

Filesize
408KB

MD5
e3b33bb0614251dc2c1b30d8b8ac911a

SHA1
f04e930abb13bddc45f79c95dbe0e672a6751cb5

SHA256
34f3220895e35a7250896c862fe5001da41388d8165f5afb4e77a29314372ace

SHA512
4f9483d165f31da590377392a2c613d570543e89425ad5e4c6799cc8d5e81e5b7964474847f98673b636e95f992549d8fc92f11ebbe6fb6ed2ee7b85464d642b

Download Submit
C:\Windows\{8D276C98-430E-46ac-8450-A03644216C62}.exe

Filesize
408KB

MD5
ded0f7095a0f9c66259591ba1985fea6

SHA1
be02d465d40911ed06a9b1c212344bdbd94b23c6

SHA256
87ad295e45350c03737b831ce3e7b40b7891333445c39bdf050cd49e8c9da706

SHA512
264eed4930e77b96de45fc6eb38a83f28ec986debee035cd9c57925ffb327fa5372b78ee821fcf2217d425d86e4bcad53239adf72d6a29392c3f6aa0b898bf94

Download Submit
C:\Windows\{9C1879EA-B1DB-4ece-80AB-98110F810FA6}.exe

Filesize
408KB

MD5
209157dfb0440ba46cb05777608bd044

SHA1
0c72625498f1d7f3228efabcb43d660f8b9bf87a

SHA256
c47c0f32ad490baa2e3e8476b588024cd4a8a913fe8a4776013a3eb1778d8928

SHA512
c0f4e3c2e75de1837f164fd5870686e58d81f4af4e5100f6e31bc0d97f665c57dea7e85e228fa5458f9bb7693a663eb77bc79396351d37c2deadff781ac43423

Download Submit
C:\Windows\{9C8C79BE-1F97-49b0-913C-DC407CD892A4}.exe

Filesize
408KB

MD5
cef93b6ea44335d3de79b0323cd72cb0

SHA1
78a079a7dcdf313b67e8dc57c6b376efb0e41816

SHA256
77a78e9710d8b9d0f477c9474e6943a11cebae74fe8e408eae37caa14ac7106a

SHA512
a6fdf1ffa5ae333814a14ee674c2b56640d467a438752be9d2c106dc82c7d8a9bd86c43483e19168fac791bc18faa410b78e51472a6d971ef28d3b70e459d885

Download Submit
C:\Windows\{A80DB355-EF1F-477c-B409-B927FFF1E199}.exe

Filesize
408KB

MD5
69897b3ec0f097f258bf38917ff1f6d0

SHA1
48309fb4169602f272580094de72f818a1b05481

SHA256
0cfcfc39c6bfe3a5f9add2aceb0fc71e6beb2d63ea851902358762dcc35bb3ee

SHA512
15dc92318bae2547a3eb8158feb4b4ffae6f96f862cb832516a5a15e2b4c703dc9360a3fbe54c5f2c7406d15168f59f855eae33ac8b6155c81e3f4eadd4d3b7c

Download Submit
C:\Windows\{DD0AC03C-CB6A-4410-AA76-E5D58A0D466D}.exe

Filesize
408KB

MD5
b3d7805dd8affa09e739228584cd04a1

SHA1
df97b3f21c60c0d754c48286a643705efccafafd

SHA256
047c59707d0e2d6403df3b818627da92be5e79b23667ab346b9bbf2d9d861f3b

SHA512
6b0fd87183f112baf1fd9b1b3de5dcde26016f1e971d8efb63e810eebeb5e7d502bcc1f0f070e8db89106e51cb956847c5348d575e39f94b1277b41f2f7f2d39

Download Submit
C:\Windows\{F45F9D08-BFC4-4ae3-9DA5-84A32090C52D}.exe

Filesize
408KB

MD5
5b06d1738cd520067feecd9efc1ce497

SHA1
565e739d602846c5d0b99ab1a71ef4d324adcd22

SHA256
6626f4f98e285b1d025b52be05e6361e48514b46ec9ec44acc5a74418cf94297

SHA512
2b2a28a71d01b780b22b15a2ec34585757c0327da05831b30d584403bc325631a83221a7ad9ded389cb82c9da7e23249623408999ce62f0976b1690cd9fc6bd4

Download Submit
C:\Windows\{FD3B139F-4186-43b6-9F7A-10EC732795FC}.exe

Filesize
408KB

MD5
7d9c0728bd6eff29705ab73fec9205ca

SHA1
2acde018a5cd2778a9f23acb2a9bb0538954a040

SHA256
547714cb45380b3439431ed9dd48cbfe2cc7f5e4d8b03132472c52ddc9725057

SHA512
d6d943f8f6f8dc4b66333417133db52f3a7b0ea401595ba325ce4ad846c95a473f81c436be32db1590b5c9e55475accfea29a01dc8346f3effe37d454b48661b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads