3a0ad4febf202898bcdbbddc4150e206582404c68a8cfc11c0984f085b30715c

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Size

380KB
MD5

1aadef64cd9bb30c73cea5330e4caaa1
SHA1

2cd3ddad1a95a30c3782dd26b8fc22dc0e4946eb
SHA256

3a0ad4febf202898bcdbbddc4150e206582404c68a8cfc11c0984f085b30715c
SHA512

d9ca4d6655582bf1f4ae632ea4e1e4b6c165b50c2e8348d4ce8a29699d190cdf7b06fcc887b86d9ea9af98a2fd11a7b17023d143ac48514ad62760f0eeb1c5b8
SSDEEP

3072:mEGh0o2lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGUl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fb-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f5-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023202-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f5-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023202-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f5-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f5-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023202-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2251E99-340F-4761-88F7-16685F811865}\stubpath = "C:\\Windows\\{C2251E99-340F-4761-88F7-16685F811865}.exe"	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B54964-C87A-4ac1-92C5-2EBD63681385}	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B655644-67BE-4d56-A3BB-46213F2DD8E9}	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}\stubpath = "C:\\Windows\\{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe"	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}\stubpath = "C:\\Windows\\{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe"	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}\stubpath = "C:\\Windows\\{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe"	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}\stubpath = "C:\\Windows\\{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe"	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2251E99-340F-4761-88F7-16685F811865}	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FEF61C0-A356-466e-BD09-5BF661A1E11A}\stubpath = "C:\\Windows\\{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe"	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}\stubpath = "C:\\Windows\\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe"	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B54964-C87A-4ac1-92C5-2EBD63681385}\stubpath = "C:\\Windows\\{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe"	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B655644-67BE-4d56-A3BB-46213F2DD8E9}\stubpath = "C:\\Windows\\{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe"	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C566A039-66B6-47f3-A66F-5E614DB2BC55}	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C566A039-66B6-47f3-A66F-5E614DB2BC55}\stubpath = "C:\\Windows\\{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe"	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FEF61C0-A356-466e-BD09-5BF661A1E11A}	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}	{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}\stubpath = "C:\\Windows\\{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe"	{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}\stubpath = "C:\\Windows\\{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe"	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe

Executes dropped EXE 11 IoCs

pid	Process
3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe
2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe
4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe
1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe
4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe
3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe
1388	{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe
4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe
2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe
2404	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe
1104	{C2251E99-340F-4761-88F7-16685F811865}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe
File created	C:\Windows\{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe
File created	C:\Windows\{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe
File created	C:\Windows\{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe
File created	C:\Windows\{C2251E99-340F-4761-88F7-16685F811865}.exe	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe
File created	C:\Windows\{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
File created	C:\Windows\{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe
File created	C:\Windows\{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe
File created	C:\Windows\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe
File created	C:\Windows\{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe
File created	C:\Windows\{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3528	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe
Token: SeIncBasePriorityPrivilege	2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe
Token: SeIncBasePriorityPrivilege	4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe
Token: SeIncBasePriorityPrivilege	1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe
Token: SeIncBasePriorityPrivilege	4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe
Token: SeIncBasePriorityPrivilege	3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe
Token: SeIncBasePriorityPrivilege	5080	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe
Token: SeIncBasePriorityPrivilege	4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe
Token: SeIncBasePriorityPrivilege	2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe
Token: SeIncBasePriorityPrivilege	2404	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3244	3528	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	96
PID 3528 wrote to memory of 3244	3528	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	96
PID 3528 wrote to memory of 3244	3528	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	96
PID 3528 wrote to memory of 888	3528	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	97
PID 3528 wrote to memory of 888	3528	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	97
PID 3528 wrote to memory of 888	3528	2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe	97
PID 3244 wrote to memory of 2200	3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe	98
PID 3244 wrote to memory of 2200	3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe	98
PID 3244 wrote to memory of 2200	3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe	98
PID 3244 wrote to memory of 928	3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe	99
PID 3244 wrote to memory of 928	3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe	99
PID 3244 wrote to memory of 928	3244	{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe	99
PID 2200 wrote to memory of 4080	2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe	102
PID 2200 wrote to memory of 4080	2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe	102
PID 2200 wrote to memory of 4080	2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe	102
PID 2200 wrote to memory of 3968	2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe	101
PID 2200 wrote to memory of 3968	2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe	101
PID 2200 wrote to memory of 3968	2200	{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe	101
PID 4080 wrote to memory of 1272	4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe	104
PID 4080 wrote to memory of 1272	4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe	104
PID 4080 wrote to memory of 1272	4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe	104
PID 4080 wrote to memory of 668	4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe	103
PID 4080 wrote to memory of 668	4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe	103
PID 4080 wrote to memory of 668	4080	{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe	103
PID 1272 wrote to memory of 4264	1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe	105
PID 1272 wrote to memory of 4264	1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe	105
PID 1272 wrote to memory of 4264	1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe	105
PID 1272 wrote to memory of 3216	1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe	106
PID 1272 wrote to memory of 3216	1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe	106
PID 1272 wrote to memory of 3216	1272	{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe	106
PID 4264 wrote to memory of 3828	4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe	107
PID 4264 wrote to memory of 3828	4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe	107
PID 4264 wrote to memory of 3828	4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe	107
PID 4264 wrote to memory of 3352	4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe	108
PID 4264 wrote to memory of 3352	4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe	108
PID 4264 wrote to memory of 3352	4264	{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe	108
PID 3828 wrote to memory of 1388	3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe	110
PID 3828 wrote to memory of 1388	3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe	110
PID 3828 wrote to memory of 1388	3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe	110
PID 3828 wrote to memory of 4336	3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe	109
PID 3828 wrote to memory of 4336	3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe	109
PID 3828 wrote to memory of 4336	3828	{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe	109
PID 5080 wrote to memory of 4000	5080	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe	114
PID 5080 wrote to memory of 4000	5080	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe	114
PID 5080 wrote to memory of 4000	5080	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe	114
PID 5080 wrote to memory of 4964	5080	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe	113
PID 5080 wrote to memory of 4964	5080	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe	113
PID 5080 wrote to memory of 4964	5080	{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe	113
PID 4000 wrote to memory of 2016	4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe	115
PID 4000 wrote to memory of 2016	4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe	115
PID 4000 wrote to memory of 2016	4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe	115
PID 4000 wrote to memory of 3460	4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe	116
PID 4000 wrote to memory of 3460	4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe	116
PID 4000 wrote to memory of 3460	4000	{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe	116
PID 2016 wrote to memory of 2404	2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe	117
PID 2016 wrote to memory of 2404	2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe	117
PID 2016 wrote to memory of 2404	2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe	117
PID 2016 wrote to memory of 4084	2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe	118
PID 2016 wrote to memory of 4084	2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe	118
PID 2016 wrote to memory of 4084	2016	{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe	118
PID 2404 wrote to memory of 1104	2404	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe	120
PID 2404 wrote to memory of 1104	2404	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe	120
PID 2404 wrote to memory of 1104	2404	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe	120
PID 2404 wrote to memory of 3480	2404	{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_1aadef64cd9bb30c73cea5330e4caaa1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe
  C:\Windows\{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe
    C:\Windows\{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B655~1.EXE > nul
      4⤵
      PID:3968
  - - C:\Windows\{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe
      C:\Windows\{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33BCA~1.EXE > nul
        5⤵
        
        PID:668
    - - C:\Windows\{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe
        
        C:\Windows\{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe
        
        C:\Windows\{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe
        
        C:\Windows\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ECE5~1.EXE > nul
        8⤵
        
        PID:4336
        
        C:\Windows\{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe
        
        C:\Windows\{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C72E9~1.EXE > nul
        9⤵
        
        PID:4548
        
        C:\Windows\{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe
        
        C:\Windows\{6F2F0BE9-F294-415f-9E52-26EE7C722AD3}.exe
        9⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F2F0~1.EXE > nul
        10⤵
        
        PID:4964
        
        C:\Windows\{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe
        
        C:\Windows\{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe
        
        C:\Windows\{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe
        
        C:\Windows\{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D318E~1.EXE > nul
        13⤵
        
        PID:3480
        
        C:\Windows\{C2251E99-340F-4761-88F7-16685F811865}.exe
        
        C:\Windows\{C2251E99-340F-4761-88F7-16685F811865}.exe
        13⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2EC7~1.EXE > nul
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93A1E~1.EXE > nul
        11⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FEF6~1.EXE > nul
        7⤵
        
        PID:3352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C566A~1.EXE > nul
        6⤵
        
        PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1B54~1.EXE > nul
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe

Filesize
320KB

MD5
6c6e5cb06e537c90ea9551da8dcea119

SHA1
40f2d416ce1a0e70d5022b79560174f7bfeb2003

SHA256
032b9e1d0c7b3742b203653101cb44e6d7addf7d02171d5bd5314f65a0465661

SHA512
e2a0bdb415a05bf5590e2bd6656f33502a0eb1b0f8b6cda24ea386aaeeeacd8648f0048f30a497b9cb76d508488d9c3b24978f1448b27ea1f663690655adda31

Download Submit
C:\Windows\{0ECE5BB6-D73E-433b-8F80-3E44F90B310A}.exe

Filesize
256KB

MD5
4fef38982942f071a4273973795761f3

SHA1
961e8fc6bc0fb2be3197276ce02287304b45befe

SHA256
0631ecd9223a44548fd2f44d8fa706879bec41f671235083bf1924195944a2f4

SHA512
148ea4ac9b4bc1c40962f331c4ecca8d921e1311378fb054f79d99bbe23712e13f2c3ef2fdb4747c323b407b7fec7f5ee683786e6882ab6bb9a54f4d31370a92

Download Submit
C:\Windows\{33BCAF2C-F182-431d-B3C4-EC024E66D9A5}.exe

Filesize
380KB

MD5
82dda53b2e6126b9b4533e2efaf890e4

SHA1
7452916ddef835b51ec621399030750dfd9fb70a

SHA256
46d3989901cecb4e1676028d29c6a4a2bb18487409e9401b1688127320eccc16

SHA512
ab41927348f74f83c180d2024656bb3764c42362336d2fec589b21f3fd8de4c9d1dcaa46dbd9914920986aca521768ea642cd4117bd12bf6a2817052c29146d7

Download Submit
C:\Windows\{7B655644-67BE-4d56-A3BB-46213F2DD8E9}.exe

Filesize
380KB

MD5
c223ce235eefa8890f28bf25641230ae

SHA1
8ff264099b8af4b630e6f715bd3255c736769050

SHA256
8cc14e6e215e47d2ce55f62b47fd3a355fdd51ad74d69a114767690f812fb268

SHA512
2d10007275f6d76be95ef42d9b361d86586bb4befa7a4ede5e00b0ac082cae007cce3fbaa23a033abb1beac7313aebdf8acf348b2a8cebc9968c4304480326eb

Download Submit
C:\Windows\{93A1E7AA-B286-4c72-8FD2-CA4C19A59458}.exe

Filesize
380KB

MD5
93fb6c75a426740cf97ae9d152b6981d

SHA1
78cd13102e9d2d80ee5fcaef3860defb66105b01

SHA256
dc1f1aebe3ae274042bdb907d49c0db77ee5e786a0c63c12a37f4e43af341077

SHA512
83115eb1ac3a173fb5712e78ce0cc63a951237aebc7429efa26dfeb8cf69d5a6499ef4ee3e23632401b01503bfe096b4b2d408b3ca3b37dcf0bcf696841e6895

Download Submit
C:\Windows\{9FEF61C0-A356-466e-BD09-5BF661A1E11A}.exe

Filesize
380KB

MD5
870fc70db72208d36549ac2c8ce2090d

SHA1
cf53d8654032e1f23751b750611bd7a133434212

SHA256
249d2b49ce0c22bcb4630ec9a536f200d9aba42f78f2860338dab72d2a93932e

SHA512
58c810765645cc5df5c5d89b9be270cf11165ab618f68a6ae4ac26c3c5f719666042380af4522816a66952323c85e16f7b38525fdcd57173af6d4c7a42a19264

Download Submit
C:\Windows\{C2251E99-340F-4761-88F7-16685F811865}.exe

Filesize
380KB

MD5
9069711f0d778fac2af8641758616bae

SHA1
cdbdd9ab2c8ac873d130ff6744226355c42552a2

SHA256
8df84a6791a3ed09d09e58908c40cd7ef0535d57ec59b5198ab765a87991cacc

SHA512
466d0c53b7066c3165b7bc76f8e4ce94887a3ae1616fd6132857a9716cf9ea750a35d6828775cdc7b1839af9c22cf7a68226fa58863f2e93dd8e378f5c0d4706

Download Submit
C:\Windows\{C566A039-66B6-47f3-A66F-5E614DB2BC55}.exe

Filesize
380KB

MD5
535ae8e2424fe87a4fc0ccf24138040f

SHA1
d5440d28c89b3d1ec907b99a8f5431f1f4eba675

SHA256
ff0c286480a7e803c5bc87159f5940c3f81f1e7cef24284c7dbbf868a9675b7a

SHA512
afdbcb0dacd7964f5d43d459848cb545c80e37ad7ef47a87867b98b23765a44f874b3c7a3cd220a15a22ef87ebfb669c1af3ec44500617ecbd8e481efa7bbd04

Download Submit
C:\Windows\{C72E94C7-896C-46f1-8ED8-8C0821E0FABF}.exe

Filesize
380KB

MD5
721eac02e0d1660c19890368b5f3f4a6

SHA1
be4f5fa71f459f1626306f713ae19ac2237042d4

SHA256
9802748f695a2bc977b1d7757dce6fe274c525f23258d67937c6244aa0eb8848

SHA512
9fbfb727cad6f75f662d0314531c8e843bd14684498f356f431d47562530f4e9ef4276070ab69f65072b605d61ee14ec7ba1a9cb666f73fbbcc31c7fe4833c35

Download Submit
C:\Windows\{D318EBC9-66F3-4458-84C5-4B23FAB5E2B3}.exe

Filesize
380KB

MD5
b06b1586fd57f60650efab0230bac0d0

SHA1
5a5232740c6a653e002aa99fd6f600c8c2d8cdf5

SHA256
cee8db27d874cde2d938cefda56f9b3c6090afcd89a172dc750ab0c5af49a048

SHA512
94fc03ba83838c3fc2d4309b93df6bccb70a23619a7c4cd7e6397acb2fa1056aef0bbadef6f79ac3b2701b3122e1ae99c45bbf333f1c97eaeea61730b03ad797

Download Submit
C:\Windows\{F1B54964-C87A-4ac1-92C5-2EBD63681385}.exe

Filesize
380KB

MD5
da1231715f3e5b07d2307469bdf151c0

SHA1
3ff3521ef3e397052b9f98a5dcab0353dc44c77c

SHA256
3f04ddcddebc5d0929f144065b899c815dfee1239767d99858687f3a539be098

SHA512
2f3c8c09c23ccfb7f365b7735bcac9c5206e404d59b33c4f9bb01be8197305abc204c34a31348161c972178f97b30c30abaa2e7d5d0776ec61d768661df7ca59

Download Submit
C:\Windows\{F2EC7033-C5F7-4379-8F7E-E7BDC42797CA}.exe

Filesize
380KB

MD5
0961a0a20eb3efb51a0133ebc00198ca

SHA1
cf8912bf459b0ed29df1262727510889b3001e0f

SHA256
b36289aab6cae7c9ef59757688056498b806484b32b89fb8bebe108e1c28aa18

SHA512
c13fe1172aa8cb4fbc7e1ea97eda3bec99b38c0e82a10578cbeb946b365417cc849f9e300b003e3ede7e1b031d1f79ccdfc0642af60ff30362d9b634d98481d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads