54678880728f19cf94891aeb0a57dc2c622f5782ec0a5285bb32e8cdf2797221

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Size

180KB
MD5

85281ba2da493641c6535ece62c3b1c2
SHA1

03ef27f511debe16b7f98850065b49a5e193d2d8
SHA256

54678880728f19cf94891aeb0a57dc2c622f5782ec0a5285bb32e8cdf2797221
SHA512

7001488519c674324380d4289283152dda980c983de880e119029b51331e95658c2e2d455299fc7926f1cfc97b00241400c2dcb4cd76a9a44f7a8fd6d7340e6a
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGsl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231c9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000231d1-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231d8-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231d1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}\stubpath = "C:\\Windows\\{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe"	{6987DBA4-0095-4863-A592-02691FA00C15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E840904-12A4-4744-AF9D-48897FC29948}\stubpath = "C:\\Windows\\{4E840904-12A4-4744-AF9D-48897FC29948}.exe"	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09FE51CB-CC69-4527-AF97-1A9C346DE75B}	{4E840904-12A4-4744-AF9D-48897FC29948}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64636F26-0286-4359-8A88-C12FE7D8FBC9}\stubpath = "C:\\Windows\\{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe"	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}\stubpath = "C:\\Windows\\{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe"	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}	{6987DBA4-0095-4863-A592-02691FA00C15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}\stubpath = "C:\\Windows\\{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe"	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6987DBA4-0095-4863-A592-02691FA00C15}	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09FE51CB-CC69-4527-AF97-1A9C346DE75B}\stubpath = "C:\\Windows\\{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe"	{4E840904-12A4-4744-AF9D-48897FC29948}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{882A57D9-7EA0-4a5e-B048-3601449C7013}	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}\stubpath = "C:\\Windows\\{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe"	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABECAE1-0274-445d-9861-16B0B5CC072C}\stubpath = "C:\\Windows\\{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe"	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCFF1062-E22F-4421-8141-C404EDD4389D}	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCFF1062-E22F-4421-8141-C404EDD4389D}\stubpath = "C:\\Windows\\{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe"	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E840904-12A4-4744-AF9D-48897FC29948}	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{882A57D9-7EA0-4a5e-B048-3601449C7013}\stubpath = "C:\\Windows\\{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe"	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64636F26-0286-4359-8A88-C12FE7D8FBC9}	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABECAE1-0274-445d-9861-16B0B5CC072C}	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6987DBA4-0095-4863-A592-02691FA00C15}\stubpath = "C:\\Windows\\{6987DBA4-0095-4863-A592-02691FA00C15}.exe"	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5DBC91F-8878-458c-9B41-3750DEBF3D23}	{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5DBC91F-8878-458c-9B41-3750DEBF3D23}\stubpath = "C:\\Windows\\{F5DBC91F-8878-458c-9B41-3750DEBF3D23}.exe"	{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe
3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe
3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe
968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe
2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe
4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe
2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe
4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe
3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe
2596	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe
1320	{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe
440	{F5DBC91F-8878-458c-9B41-3750DEBF3D23}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe
File created	C:\Windows\{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe
File created	C:\Windows\{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe
File created	C:\Windows\{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe
File created	C:\Windows\{F5DBC91F-8878-458c-9B41-3750DEBF3D23}.exe	{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe
File created	C:\Windows\{4E840904-12A4-4744-AF9D-48897FC29948}.exe	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
File created	C:\Windows\{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe	{4E840904-12A4-4744-AF9D-48897FC29948}.exe
File created	C:\Windows\{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe
File created	C:\Windows\{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe
File created	C:\Windows\{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe
File created	C:\Windows\{6987DBA4-0095-4863-A592-02691FA00C15}.exe	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe
File created	C:\Windows\{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe	{6987DBA4-0095-4863-A592-02691FA00C15}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe
Token: SeIncBasePriorityPrivilege	3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe
Token: SeIncBasePriorityPrivilege	3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe
Token: SeIncBasePriorityPrivilege	968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe
Token: SeIncBasePriorityPrivilege	2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe
Token: SeIncBasePriorityPrivilege	4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe
Token: SeIncBasePriorityPrivilege	2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe
Token: SeIncBasePriorityPrivilege	4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe
Token: SeIncBasePriorityPrivilege	3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe
Token: SeIncBasePriorityPrivilege	2596	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe
Token: SeIncBasePriorityPrivilege	1320	{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4836	2420	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	97
PID 2420 wrote to memory of 4836	2420	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	97
PID 2420 wrote to memory of 4836	2420	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	97
PID 2420 wrote to memory of 2780	2420	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	98
PID 2420 wrote to memory of 2780	2420	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	98
PID 2420 wrote to memory of 2780	2420	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	98
PID 4836 wrote to memory of 3864	4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe	99
PID 4836 wrote to memory of 3864	4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe	99
PID 4836 wrote to memory of 3864	4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe	99
PID 4836 wrote to memory of 3316	4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe	100
PID 4836 wrote to memory of 3316	4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe	100
PID 4836 wrote to memory of 3316	4836	{4E840904-12A4-4744-AF9D-48897FC29948}.exe	100
PID 3864 wrote to memory of 3712	3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe	102
PID 3864 wrote to memory of 3712	3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe	102
PID 3864 wrote to memory of 3712	3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe	102
PID 3864 wrote to memory of 4500	3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe	103
PID 3864 wrote to memory of 4500	3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe	103
PID 3864 wrote to memory of 4500	3864	{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe	103
PID 3712 wrote to memory of 968	3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe	104
PID 3712 wrote to memory of 968	3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe	104
PID 3712 wrote to memory of 968	3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe	104
PID 3712 wrote to memory of 4412	3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe	105
PID 3712 wrote to memory of 4412	3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe	105
PID 3712 wrote to memory of 4412	3712	{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe	105
PID 968 wrote to memory of 2960	968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe	106
PID 968 wrote to memory of 2960	968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe	106
PID 968 wrote to memory of 2960	968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe	106
PID 968 wrote to memory of 4116	968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe	107
PID 968 wrote to memory of 4116	968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe	107
PID 968 wrote to memory of 4116	968	{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe	107
PID 2960 wrote to memory of 4360	2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe	108
PID 2960 wrote to memory of 4360	2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe	108
PID 2960 wrote to memory of 4360	2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe	108
PID 2960 wrote to memory of 5036	2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe	109
PID 2960 wrote to memory of 5036	2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe	109
PID 2960 wrote to memory of 5036	2960	{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe	109
PID 4360 wrote to memory of 2384	4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe	110
PID 4360 wrote to memory of 2384	4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe	110
PID 4360 wrote to memory of 2384	4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe	110
PID 4360 wrote to memory of 5044	4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe	111
PID 4360 wrote to memory of 5044	4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe	111
PID 4360 wrote to memory of 5044	4360	{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe	111
PID 2384 wrote to memory of 4564	2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe	112
PID 2384 wrote to memory of 4564	2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe	112
PID 2384 wrote to memory of 4564	2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe	112
PID 2384 wrote to memory of 3460	2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe	113
PID 2384 wrote to memory of 3460	2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe	113
PID 2384 wrote to memory of 3460	2384	{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe	113
PID 4564 wrote to memory of 3256	4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe	114
PID 4564 wrote to memory of 3256	4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe	114
PID 4564 wrote to memory of 3256	4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe	114
PID 4564 wrote to memory of 1540	4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe	115
PID 4564 wrote to memory of 1540	4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe	115
PID 4564 wrote to memory of 1540	4564	{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe	115
PID 3256 wrote to memory of 2596	3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe	116
PID 3256 wrote to memory of 2596	3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe	116
PID 3256 wrote to memory of 2596	3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe	116
PID 3256 wrote to memory of 4748	3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe	117
PID 3256 wrote to memory of 4748	3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe	117
PID 3256 wrote to memory of 4748	3256	{6987DBA4-0095-4863-A592-02691FA00C15}.exe	117
PID 2596 wrote to memory of 1320	2596	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe	118
PID 2596 wrote to memory of 1320	2596	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe	118
PID 2596 wrote to memory of 1320	2596	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe	118
PID 2596 wrote to memory of 1720	2596	{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\{4E840904-12A4-4744-AF9D-48897FC29948}.exe
  C:\Windows\{4E840904-12A4-4744-AF9D-48897FC29948}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe
    C:\Windows\{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe
      C:\Windows\{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe
        
        C:\Windows\{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe
        
        C:\Windows\{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe
        
        C:\Windows\{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe
        
        C:\Windows\{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe
        
        C:\Windows\{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{6987DBA4-0095-4863-A592-02691FA00C15}.exe
        
        C:\Windows\{6987DBA4-0095-4863-A592-02691FA00C15}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe
        
        C:\Windows\{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe
        
        C:\Windows\{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\{F5DBC91F-8878-458c-9B41-3750DEBF3D23}.exe
        
        C:\Windows\{F5DBC91F-8878-458c-9B41-3750DEBF3D23}.exe
        13⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76D6F~1.EXE > nul
        13⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E303~1.EXE > nul
        12⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6987D~1.EXE > nul
        11⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCFF1~1.EXE > nul
        10⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FABEC~1.EXE > nul
        9⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E3E4~1.EXE > nul
        8⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CCF7~1.EXE > nul
        7⤵
        
        PID:5036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64636~1.EXE > nul
        6⤵
        
        PID:4116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{882A5~1.EXE > nul
        5⤵
        
        PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{09FE5~1.EXE > nul
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4E840~1.EXE > nul
    3⤵
    PID:3316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09FE51CB-CC69-4527-AF97-1A9C346DE75B}.exe

Filesize
180KB

MD5
262a53442a5c6f22e58f28ca28aa72b9

SHA1
62feb066c85a3361e28554c33121394303059f5b

SHA256
1cded51950baa33f3646bcf8482242711677643f35f457a8e038a0e2b4b008a0

SHA512
14333c7b28d498a621d7f3c12ec76a241666cc04426eff33e3d9ae0ef855487f63a07299cb67b1719ac3d8211dea31f2263b6bd7e3af308e01b25e3eeee29ac3

Download Submit
C:\Windows\{0CCF74F7-47D5-4ea2-BDEF-2875E171C928}.exe

Filesize
180KB

MD5
ef51a26c4f0b8f78ff5e5a9ddfec58d0

SHA1
3c3f3bef8287d8e15d48c91a7b826f149fd3df0a

SHA256
b7b3b4be0e2168f5001c8bcf44c8775bc0af762cda0fe019890eef642ea6e212

SHA512
1c92c2961ed62f1a5b2d2807cc691c26e9c9bee5cc0cb7790b5c42af628cc2a24a4bfdb54187701e540732fb6a625c3d6bef26ffd310f864c83419d95a81be16

Download Submit
C:\Windows\{2E303F65-28EA-4afe-BDFF-BDB13CCA6222}.exe

Filesize
180KB

MD5
9341ab593cf369415e2598aed1a56a33

SHA1
5578169627bf1f0de0dc08ca52f258dce3a3b17a

SHA256
0af4d807b3db7c23a72053303e1878db12170e79acbe8bd00c480a92a5654a3d

SHA512
456b9bb5f8f8aca18e9a2a54517901e8200db2391fe7ce3099a32f96f691b3373054d2b87934bbc2e6cc3f096c506f79b1eb6d9208d019a3ecb80745a64806d6

Download Submit
C:\Windows\{4E840904-12A4-4744-AF9D-48897FC29948}.exe

Filesize
180KB

MD5
7e7fa7d121931f7ca636742bd9b7dea3

SHA1
764cf6a489bd91a7808cc43ddd2afe1f8809701a

SHA256
5a643f4b51ac659d25e9f16ecb03c9821556920ee4f2be527490d1f9babd009f

SHA512
29bce689a89b88f91af75b46db118736145b2524722df8dc2331fb2d851be466a9127e93236e6352bd40e80cb47236b0e66f27c5068ede0c33f813adf08672e8

Download Submit
C:\Windows\{5E3E4ECB-0B1E-412f-A09D-8EF8B6C80564}.exe

Filesize
180KB

MD5
4cddeec846efc17ffec068a673059375

SHA1
f6de02f377133e6acf48f7b3a406e6343d928ad9

SHA256
b88a65aebd5d895c144e23f225099eaa37c6c9c1f65198e8b99f634762ee96b9

SHA512
ce94b99f8823f908e8aa58035f4a565aeff646dddf0e81fdf04eda4783f9bde94203ea1a4605bc445f27a06c99d2b86706dd7319fcb3664e0c59981c543a378d

Download Submit
C:\Windows\{64636F26-0286-4359-8A88-C12FE7D8FBC9}.exe

Filesize
180KB

MD5
6f81e715ea2c260b1314b280132e64d8

SHA1
c8d9795c4814cfba488d46420594d58fba581a64

SHA256
1e6cad5fd1a3a9d67d85e15d245ca204c9e48dc7a059485e4652beb6a8a055e5

SHA512
6bd64bbb4364acae56f925a0ea7759f1b536ad8086f224061605adde4fe2c16df324d241c0a3a8992f02f43a6d1c33ded33ec7304eaa6daf33908bdc84f30515

Download Submit
C:\Windows\{6987DBA4-0095-4863-A592-02691FA00C15}.exe

Filesize
180KB

MD5
86fdd89459183ef089772e4cf64e5b39

SHA1
6e51fb547599880b69592e37386209ed82804e3c

SHA256
0b6abb13d5362f8705dba570a43e356a0834ceedd74a7c00e6cacda90376bad6

SHA512
534aa46618494278cb1e87b28cb2a05ecd4c63e183fb406edf592efcf940cd1a549e07cbc4e9081e69cec962ae2989f1bbcab702a8fb550b36368c74ea03a729

Download Submit
C:\Windows\{6987DBA4-0095-4863-A592-02691FA00C15}.exe

Filesize
64KB

MD5
cd9c7d21ca3506addf0092191381be31

SHA1
93ca6bf9f54ad4e0fc42c6572074c4287ca11949

SHA256
ad52a7f2df03fa6908f1d23c45f03a3d695dcebe01c3972db70e6cc147cfcc19

SHA512
0db1ad8b97ffc27904b1115dfcf46d9c05ae11a774cf2fc42158e11d817b72856db3bcbaf7db02b6ae285ad8db12286dc4ff32a3fbc107cf39ddc87e6e5ca50e

Download Submit
C:\Windows\{76D6FDB6-0BE0-4cee-99B6-46B20BF7B9E4}.exe

Filesize
180KB

MD5
50ef9cda4f174ad950f292279fc29617

SHA1
d34d34f24b45db0fc98ba82de637355521b0e249

SHA256
a2587fe40b4db0ee193a2c102842a994cee1be237780aa7b53ea8c2ef2645300

SHA512
d5e118de72492898229630243259d100c00db232f9cedf6f67c7b0fa458c261652edac837453288f1faca6f81db2b36e8e950e0a6153bc31f525af4e6108f14a

Download Submit
C:\Windows\{882A57D9-7EA0-4a5e-B048-3601449C7013}.exe

Filesize
180KB

MD5
3178dd69aa2df42ccb930e2d39f2d842

SHA1
6324eda50f7e94d89875a62250f458bccece0ce1

SHA256
a783b096fdcbe5d6d41fd01ddff1f0a91f5f68604077c82a677c7a6ce8982458

SHA512
bc04b0b8a6b3f1fb87d6448210dd5a3419fa28201fb7eb3d81dac2adfffb7511106b0c4b0c871493b512cfab49cb92473ced89a51cde659a12744397cc3d006f

Download Submit
C:\Windows\{F5DBC91F-8878-458c-9B41-3750DEBF3D23}.exe

Filesize
180KB

MD5
bf1ec341a9eb81801a455c6386679c51

SHA1
2900554664028aea9ef982d6d90fd0884a3d79e6

SHA256
224a1aad575cf4e0ca26899dc7b825e5d75090d4d98176d3246251a051d96e83

SHA512
dc9f570145713e65611f5097456b1b7607eb30b3183d4f11f9de45a7c773cf11ed628f37258c0f010508613d9e4b769218bdd848fcb24e8a79875b8551d64e85

Download Submit
C:\Windows\{FABECAE1-0274-445d-9861-16B0B5CC072C}.exe

Filesize
180KB

MD5
2bd61ebd97220a81ae295359fccb1bbe

SHA1
b6adacaaf660d3000726fcc08fc5a0f4c35c6d9e

SHA256
e3862262b7bf92dec498ebf49328091fab1b6c9d239ac8962968412065b79ebb

SHA512
2a9a21d3d8835f8794deb0bc512e0d6df48e025463c146d87ab20eb81ecf3391b22cba4cb142af14e6b664fac36f93afdcaea40d17d768928375124402d9dfe0

Download Submit
C:\Windows\{FCFF1062-E22F-4421-8141-C404EDD4389D}.exe

Filesize
180KB

MD5
4fe16cbc9ee614884561e011b9963fde

SHA1
36e60f4066773273fd346383a7294c703b1e222b

SHA256
95f59fc3f074fd78923fe5f685fafb5b50ac30013f61407818601eb1e52fbc04

SHA512
99431ab620c6425f17f15fcf39c61315d8fdf3d345d69474d4e695b2662d7b7c66e1f9010eb8eceb42f7d1efa58c76708664c009da921f5930b629235cb48f63

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads