f61ecd53abc1436811fb4d81056a68b71698160b90c95f9981ad5cc18b99877a

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
Size

168KB
MD5

49c30108063ffaf9b1267fc4c8d87375
SHA1

f5fff7e4d50a12d4e66dfe8c4cc2dcfc14649835
SHA256

f61ecd53abc1436811fb4d81056a68b71698160b90c95f9981ad5cc18b99877a
SHA512

26650dd996f5549566d22a150c1048ed5e70c69eba6b9e65c9a9d505f9df5c961de89b3b7bc30e8853c9f4f987d7dafdf55909f81707fed7dbc67953e739eaf2
SSDEEP

1536:1EGh0oqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023213-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023213-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000739-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000073b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000739-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000073b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786772C9-F701-4bef-9E62-C26FD4A1DB96}	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E19DC13C-53C7-4f48-8C69-4514B561D1E8}	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084CA07F-B461-4b30-A134-A3AC72A50C17}	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}\stubpath = "C:\\Windows\\{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe"	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCF84860-C7FE-4f97-B750-66A1D684DE8B}\stubpath = "C:\\Windows\\{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe"	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7C2403E-EB5D-44ec-A56A-AE902407E837}\stubpath = "C:\\Windows\\{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe"	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A35439-0564-4fad-A95E-C8C47C89E1FD}\stubpath = "C:\\Windows\\{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe"	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28217E6A-9289-4b3a-B114-FAA51EC93077}	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F2244A-1384-4048-B0D9-063F761F25B3}\stubpath = "C:\\Windows\\{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe"	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}\stubpath = "C:\\Windows\\{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe"	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}\stubpath = "C:\\Windows\\{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}.exe"	{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{786772C9-F701-4bef-9E62-C26FD4A1DB96}\stubpath = "C:\\Windows\\{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe"	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E19DC13C-53C7-4f48-8C69-4514B561D1E8}\stubpath = "C:\\Windows\\{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe"	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28217E6A-9289-4b3a-B114-FAA51EC93077}\stubpath = "C:\\Windows\\{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe"	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7947514-B3BD-45fc-913F-87FCA72357BF}\stubpath = "C:\\Windows\\{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe"	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7947514-B3BD-45fc-913F-87FCA72357BF}	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F2244A-1384-4048-B0D9-063F761F25B3}	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084CA07F-B461-4b30-A134-A3AC72A50C17}\stubpath = "C:\\Windows\\{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe"	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCF84860-C7FE-4f97-B750-66A1D684DE8B}	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7C2403E-EB5D-44ec-A56A-AE902407E837}	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}	{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A35439-0564-4fad-A95E-C8C47C89E1FD}	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe
3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe
4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe
5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe
3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe
3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe
1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe
1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe
3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe
1016	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe
2684	{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe
4584	{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe
File created	C:\Windows\{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
File created	C:\Windows\{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe
File created	C:\Windows\{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe
File created	C:\Windows\{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe
File created	C:\Windows\{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe
File created	C:\Windows\{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe
File created	C:\Windows\{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe
File created	C:\Windows\{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe
File created	C:\Windows\{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe
File created	C:\Windows\{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe
File created	C:\Windows\{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}.exe	{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3892	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe
Token: SeIncBasePriorityPrivilege	3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe
Token: SeIncBasePriorityPrivilege	4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe
Token: SeIncBasePriorityPrivilege	5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe
Token: SeIncBasePriorityPrivilege	3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe
Token: SeIncBasePriorityPrivilege	3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe
Token: SeIncBasePriorityPrivilege	1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe
Token: SeIncBasePriorityPrivilege	1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe
Token: SeIncBasePriorityPrivilege	3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe
Token: SeIncBasePriorityPrivilege	1016	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe
Token: SeIncBasePriorityPrivilege	2684	{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 1308	3892	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	94
PID 3892 wrote to memory of 1308	3892	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	94
PID 3892 wrote to memory of 1308	3892	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	94
PID 3892 wrote to memory of 2060	3892	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	95
PID 3892 wrote to memory of 2060	3892	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	95
PID 3892 wrote to memory of 2060	3892	2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe	95
PID 1308 wrote to memory of 3980	1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe	96
PID 1308 wrote to memory of 3980	1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe	96
PID 1308 wrote to memory of 3980	1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe	96
PID 1308 wrote to memory of 1736	1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe	97
PID 1308 wrote to memory of 1736	1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe	97
PID 1308 wrote to memory of 1736	1308	{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe	97
PID 3980 wrote to memory of 4876	3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe	100
PID 3980 wrote to memory of 4876	3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe	100
PID 3980 wrote to memory of 4876	3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe	100
PID 3980 wrote to memory of 3244	3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe	99
PID 3980 wrote to memory of 3244	3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe	99
PID 3980 wrote to memory of 3244	3980	{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe	99
PID 4876 wrote to memory of 5116	4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe	101
PID 4876 wrote to memory of 5116	4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe	101
PID 4876 wrote to memory of 5116	4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe	101
PID 4876 wrote to memory of 4352	4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe	102
PID 4876 wrote to memory of 4352	4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe	102
PID 4876 wrote to memory of 4352	4876	{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe	102
PID 5116 wrote to memory of 3180	5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe	103
PID 5116 wrote to memory of 3180	5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe	103
PID 5116 wrote to memory of 3180	5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe	103
PID 5116 wrote to memory of 1444	5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe	104
PID 5116 wrote to memory of 1444	5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe	104
PID 5116 wrote to memory of 1444	5116	{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe	104
PID 3180 wrote to memory of 3508	3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe	105
PID 3180 wrote to memory of 3508	3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe	105
PID 3180 wrote to memory of 3508	3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe	105
PID 3180 wrote to memory of 1588	3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe	106
PID 3180 wrote to memory of 1588	3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe	106
PID 3180 wrote to memory of 1588	3180	{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe	106
PID 3508 wrote to memory of 1508	3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe	107
PID 3508 wrote to memory of 1508	3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe	107
PID 3508 wrote to memory of 1508	3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe	107
PID 3508 wrote to memory of 1816	3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe	108
PID 3508 wrote to memory of 1816	3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe	108
PID 3508 wrote to memory of 1816	3508	{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe	108
PID 1508 wrote to memory of 1808	1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe	109
PID 1508 wrote to memory of 1808	1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe	109
PID 1508 wrote to memory of 1808	1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe	109
PID 1508 wrote to memory of 4548	1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe	110
PID 1508 wrote to memory of 4548	1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe	110
PID 1508 wrote to memory of 4548	1508	{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe	110
PID 1808 wrote to memory of 3232	1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe	111
PID 1808 wrote to memory of 3232	1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe	111
PID 1808 wrote to memory of 3232	1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe	111
PID 1808 wrote to memory of 1776	1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe	112
PID 1808 wrote to memory of 1776	1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe	112
PID 1808 wrote to memory of 1776	1808	{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe	112
PID 3232 wrote to memory of 1016	3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe	113
PID 3232 wrote to memory of 1016	3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe	113
PID 3232 wrote to memory of 1016	3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe	113
PID 3232 wrote to memory of 4808	3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe	114
PID 3232 wrote to memory of 4808	3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe	114
PID 3232 wrote to memory of 4808	3232	{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe	114
PID 1016 wrote to memory of 2684	1016	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe	116
PID 1016 wrote to memory of 2684	1016	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe	116
PID 1016 wrote to memory of 2684	1016	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe	116
PID 1016 wrote to memory of 4060	1016	{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_49c30108063ffaf9b1267fc4c8d87375_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe
  C:\Windows\{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe
    C:\Windows\{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D7947~1.EXE > nul
      4⤵
      PID:3244
  - - C:\Windows\{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe
      C:\Windows\{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe
        
        C:\Windows\{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe
        
        C:\Windows\{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe
        
        C:\Windows\{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe
        
        C:\Windows\{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe
        
        C:\Windows\{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe
        
        C:\Windows\{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe
        
        C:\Windows\{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26A0A~1.EXE > nul
        12⤵
        
        PID:4060
        
        C:\Windows\{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe
        
        C:\Windows\{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}.exe
        
        C:\Windows\{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28217~1.EXE > nul
        13⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7C24~1.EXE > nul
        11⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCF84~1.EXE > nul
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F302~1.EXE > nul
        9⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{084CA~1.EXE > nul
        8⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E19DC~1.EXE > nul
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F22~1.EXE > nul
        6⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78677~1.EXE > nul
        5⤵
        
        PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{66A35~1.EXE > nul
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{084CA07F-B461-4b30-A134-A3AC72A50C17}.exe

Filesize
168KB

MD5
5cf6e47040ac9724ce0d9cfc7c400db6

SHA1
837bde7a8199dece8f5d47fc9188c52753768da2

SHA256
fe38acf7629489b2e8ec0717f41f3f10c84db842d0034c1984177f46d1a8562c

SHA512
b3742801e4866a27e3cec8688a6b0d764067389ce1a9259185510fc043a667f01739f56ab1c699600e2cffa81e2e883a27770ef2376b29deb079c2c854dc4f19

Download Submit
C:\Windows\{26A0A0DD-F8C2-4396-99A3-1FD3CC633823}.exe

Filesize
168KB

MD5
37f4784ca679b143edfadb65228d7200

SHA1
2e0fbec586a3f3b27bc78dcd8529501c1cadf9cc

SHA256
e395f1dd762a75d622060bf838ca1d2dd124c3a7be9df9bba11b4e6e27eaf0e8

SHA512
aac6a4acfd55979e733b671e087794cb76faa83d7e32ad22aeeabdacad11466988e9adf9828393ba4339577e8779bfdedff720fa76eff330a938889803725e0e

Download Submit
C:\Windows\{28217E6A-9289-4b3a-B114-FAA51EC93077}.exe

Filesize
168KB

MD5
78b8451bb397c1b38f62b0feff0b00b0

SHA1
c3c4f05cf0b1c9f8c547cf8158f12c09c471b179

SHA256
67e5781b86782449ffea1f6dccaa9d3e63916b950de6470b733221ca10b3035a

SHA512
0f85f219d7b2c201b947e9a4d159a2cc54a23331aa50bb92a219972db71f202d87cf86bc9b56b4550e60550c17f5015102e8dad32389952a8620252863c9cf41

Download Submit
C:\Windows\{4DD925D5-405F-42c1-A0C8-BCCE9EA56D7B}.exe

Filesize
168KB

MD5
7dd30bdab0c513a64c36491d8ebcc273

SHA1
086c391e6488cc023bd1cbbe17eb8fd78cc69d51

SHA256
444c8793fd57a74b7a33a40d8ce13c354a3de9d64142cf94ed17e1716655dce5

SHA512
3df2dc35178be93f71c9f2438f3eaa124ee7af2a377bb8280586fafacdadfce5350fbca1b7f53b674c5e81c4430a7619e2a2bd6a7ce0f074f03b7af356c299fe

Download Submit
C:\Windows\{66A35439-0564-4fad-A95E-C8C47C89E1FD}.exe

Filesize
168KB

MD5
611f6b64bacde37d6834d881bb61b2a3

SHA1
6afa973e3d34638c0660675b7cea10b8da6c4a02

SHA256
43412835b9216787d384afe72370d0c5ed0a5a2661166ee0feb74acbb25429cd

SHA512
74b2249f4b1406bd97972a1081c03982a3a67c93253cced226f3ff394a799155fbc524c015ffe0ddc513ce354fa676061fc859df1dcbd28a3851eb0b9e658120

Download Submit
C:\Windows\{786772C9-F701-4bef-9E62-C26FD4A1DB96}.exe

Filesize
168KB

MD5
60f99b357bcdd2cd579c87f5c277a430

SHA1
33b8bc4af6ef2a747f291b6c94ffc39baeff27c5

SHA256
58b124b2709848cdacea1fc981beccf4b99c2db1dc3988b4b8830fa66c8863e7

SHA512
25b33ba52648a4a22edfc632ced1b7eb3cec9e5c67f12cf6484f5364910a0d0b75ee028813dbc9dd3d9796553be2cad5a44f0c38be4134b8ad60b19b27ed221c

Download Submit
C:\Windows\{9F302804-1EAD-4af0-87AE-2A8EBE3C22FA}.exe

Filesize
168KB

MD5
f95ec89f8121919cc73f76eeccdb9eae

SHA1
471dc485626d2065589fdfdb0ba7a295d8ed485f

SHA256
74290941d479feeaf0b95d5723dc79569848c7309860ef2d9f75019d54d0d237

SHA512
18c6a0eaba3cc9ce1c1ca6c09579bedbdaaa93867dfbae5fbe03f1d3d2e8bac2e67df4d3d4bf5dbe1c0f8a8b6508592bc48927453ac4c7f16d91b32613df2ebb

Download Submit
C:\Windows\{A5F2244A-1384-4048-B0D9-063F761F25B3}.exe

Filesize
168KB

MD5
4fef8240b4e46ad98d649c6f5c1ef0e0

SHA1
68944e562e974b0da1f51470c15a8ac1fbac7174

SHA256
18b5ddf694a7ba6f586cca5322445aa44233271e3ba66acf0f69607b611a733c

SHA512
3ca71d3303d77cb286fa92417791af7f81a24d71d7edb86b059cb9c83d857e13e4db967c4704c277065056311e0288c4f177927acf4837827b39c346522c970d

Download Submit
C:\Windows\{CCF84860-C7FE-4f97-B750-66A1D684DE8B}.exe

Filesize
168KB

MD5
ed9cbe21865c11cbbf5fcf78d9e29f13

SHA1
d82b7fe9e840a917aa688188777d6d8d5f0ffd95

SHA256
244ce1cecd070228df371f54f446a53e2c3398de13a6cc2e33e224926808bef1

SHA512
c3ff298f22ecfa4a8e9277fb89b2dfa0cee51cfdee80ee5c2db4963e9343067f712269f5bff7e351b14d4c45687729be8e73b5b6ef87902d52a009efa35c882a

Download Submit
C:\Windows\{D7947514-B3BD-45fc-913F-87FCA72357BF}.exe

Filesize
168KB

MD5
10b785804fb82936c145fce6710d6aea

SHA1
861e877fa9aa1809d9742e0385205f02aa5a8197

SHA256
d1fc392d7fd1126122edcdfedf3ac90706a04d3541e89ca876b25bae9292a661

SHA512
f62b9daa5fddb279879d34ccfb1c7345396bf00919f8f31033edafd51513c9980cd08e8995ed856dc2422c203939b535ec968035d8c8a9ad71df7a44c0a2dab7

Download Submit
C:\Windows\{E19DC13C-53C7-4f48-8C69-4514B561D1E8}.exe

Filesize
168KB

MD5
415e7adf33460a62d09aa29f2abf155f

SHA1
17be732e3cefdb82a9272792247b30d9e5fa2888

SHA256
92e32205de09d112d1380f26575d66cd6eb7d67b94e410decc5df72cb5b8dd94

SHA512
605af1c0896a7dc9b73d82095017225c0f50fa962a33bb0b4cfab3bf33f7f404704994966cdf4df85382e6a51c97d7b5a4ce285092bbd7f43c68a301128491da

Download Submit
C:\Windows\{F7C2403E-EB5D-44ec-A56A-AE902407E837}.exe

Filesize
168KB

MD5
0173d40b97314fc1f4cdebec980eda83

SHA1
f33af978678c39ca52ff78a856860aaf79a1a5bf

SHA256
7ea8976efe1fe8950468808b17c3b0fbea548ff5c45e3213305891a08fff867b

SHA512
d70d8d36167730ed2fa94a00c8cf8727c65b51bf867239c2cd09baf415606a7513cde4ea4ecaaf3af57a29ab81d4380267ae7a1488f51551f4ea8fc5942cf2d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads