2e68aeef0a75a6d7ac65ac664ab2f14460960fc80dd488774b0c8399205d5606

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe
Size

168KB
MD5

2c368aae5d8fa358c62036771c68d04d
SHA1

886d440b4a2d487a470cbe3361f41d6475241577
SHA256

2e68aeef0a75a6d7ac65ac664ab2f14460960fc80dd488774b0c8399205d5606
SHA512

c87a91a12fbbc6f7deb6be71eab4097d91e1cb7b05c377de9f62f9f1cfaabfa21173be7d2d399b9982c5028887e291d44bf963a20aec6bed83b210f106562ca9
SSDEEP

1536:1EGh0oQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000022ffa-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002310b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023112-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002310b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023112-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}\stubpath = "C:\\Windows\\{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe"	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}\stubpath = "C:\\Windows\\{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe"	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}\stubpath = "C:\\Windows\\{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe"	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B849A5A-C931-411a-871E-A671C3C74DB9}	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}\stubpath = "C:\\Windows\\{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe"	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC85374-70C2-4db7-93A4-863F34C2575A}	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC85374-70C2-4db7-93A4-863F34C2575A}\stubpath = "C:\\Windows\\{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe"	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9861814C-0F13-4ab0-8E1D-4EF430325D42}\stubpath = "C:\\Windows\\{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe"	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA364B6D-00CE-419a-AF4B-379CAE91073C}\stubpath = "C:\\Windows\\{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe"	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932F2ECA-A68F-4112-BD24-E38B6922DDF6}	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932F2ECA-A68F-4112-BD24-E38B6922DDF6}\stubpath = "C:\\Windows\\{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe"	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}\stubpath = "C:\\Windows\\{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe"	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B849A5A-C931-411a-871E-A671C3C74DB9}\stubpath = "C:\\Windows\\{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe"	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9861814C-0F13-4ab0-8E1D-4EF430325D42}	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA364B6D-00CE-419a-AF4B-379CAE91073C}	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{514106CB-938A-405b-977C-C86AF39F3AC3}	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{514106CB-938A-405b-977C-C86AF39F3AC3}\stubpath = "C:\\Windows\\{514106CB-938A-405b-977C-C86AF39F3AC3}.exe"	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515C6242-98DC-4421-BAEF-286AA34AC094}\stubpath = "C:\\Windows\\{515C6242-98DC-4421-BAEF-286AA34AC094}.exe"	{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515C6242-98DC-4421-BAEF-286AA34AC094}	{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe

Executes dropped EXE 12 IoCs

pid	Process
684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe
3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe
208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe
3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe
1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe
540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe
740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe
2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe
1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe
4152	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe
3632	{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe
4724	{515C6242-98DC-4421-BAEF-286AA34AC094}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe
File created	C:\Windows\{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe
File created	C:\Windows\{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe
File created	C:\Windows\{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe
File created	C:\Windows\{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe
File created	C:\Windows\{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe
File created	C:\Windows\{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe
File created	C:\Windows\{514106CB-938A-405b-977C-C86AF39F3AC3}.exe	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe
File created	C:\Windows\{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe
File created	C:\Windows\{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe
File created	C:\Windows\{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe
File created	C:\Windows\{515C6242-98DC-4421-BAEF-286AA34AC094}.exe	{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3636	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe
Token: SeIncBasePriorityPrivilege	3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe
Token: SeIncBasePriorityPrivilege	208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe
Token: SeIncBasePriorityPrivilege	3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe
Token: SeIncBasePriorityPrivilege	1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe
Token: SeIncBasePriorityPrivilege	540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe
Token: SeIncBasePriorityPrivilege	740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe
Token: SeIncBasePriorityPrivilege	2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe
Token: SeIncBasePriorityPrivilege	1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe
Token: SeIncBasePriorityPrivilege	4152	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe
Token: SeIncBasePriorityPrivilege	3632	{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 684	3636	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe	93
PID 3636 wrote to memory of 684	3636	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe	93
PID 3636 wrote to memory of 684	3636	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe	93
PID 3636 wrote to memory of 3584	3636	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe	94
PID 3636 wrote to memory of 3584	3636	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe	94
PID 3636 wrote to memory of 3584	3636	2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe	94
PID 684 wrote to memory of 3448	684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe	98
PID 684 wrote to memory of 3448	684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe	98
PID 684 wrote to memory of 3448	684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe	98
PID 684 wrote to memory of 3248	684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe	99
PID 684 wrote to memory of 3248	684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe	99
PID 684 wrote to memory of 3248	684	{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe	99
PID 3448 wrote to memory of 208	3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe	101
PID 3448 wrote to memory of 208	3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe	101
PID 3448 wrote to memory of 208	3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe	101
PID 3448 wrote to memory of 680	3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe	102
PID 3448 wrote to memory of 680	3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe	102
PID 3448 wrote to memory of 680	3448	{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe	102
PID 208 wrote to memory of 3944	208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe	103
PID 208 wrote to memory of 3944	208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe	103
PID 208 wrote to memory of 3944	208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe	103
PID 208 wrote to memory of 1816	208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe	104
PID 208 wrote to memory of 1816	208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe	104
PID 208 wrote to memory of 1816	208	{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe	104
PID 3944 wrote to memory of 1276	3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe	105
PID 3944 wrote to memory of 1276	3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe	105
PID 3944 wrote to memory of 1276	3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe	105
PID 3944 wrote to memory of 5060	3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe	106
PID 3944 wrote to memory of 5060	3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe	106
PID 3944 wrote to memory of 5060	3944	{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe	106
PID 1276 wrote to memory of 540	1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe	107
PID 1276 wrote to memory of 540	1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe	107
PID 1276 wrote to memory of 540	1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe	107
PID 1276 wrote to memory of 2792	1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe	108
PID 1276 wrote to memory of 2792	1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe	108
PID 1276 wrote to memory of 2792	1276	{514106CB-938A-405b-977C-C86AF39F3AC3}.exe	108
PID 540 wrote to memory of 740	540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe	109
PID 540 wrote to memory of 740	540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe	109
PID 540 wrote to memory of 740	540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe	109
PID 540 wrote to memory of 4904	540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe	110
PID 540 wrote to memory of 4904	540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe	110
PID 540 wrote to memory of 4904	540	{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe	110
PID 740 wrote to memory of 2204	740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe	111
PID 740 wrote to memory of 2204	740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe	111
PID 740 wrote to memory of 2204	740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe	111
PID 740 wrote to memory of 3884	740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe	112
PID 740 wrote to memory of 3884	740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe	112
PID 740 wrote to memory of 3884	740	{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe	112
PID 2204 wrote to memory of 1444	2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe	113
PID 2204 wrote to memory of 1444	2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe	113
PID 2204 wrote to memory of 1444	2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe	113
PID 2204 wrote to memory of 3940	2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe	114
PID 2204 wrote to memory of 3940	2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe	114
PID 2204 wrote to memory of 3940	2204	{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe	114
PID 1444 wrote to memory of 4152	1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe	115
PID 1444 wrote to memory of 4152	1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe	115
PID 1444 wrote to memory of 4152	1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe	115
PID 1444 wrote to memory of 1740	1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe	116
PID 1444 wrote to memory of 1740	1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe	116
PID 1444 wrote to memory of 1740	1444	{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe	116
PID 4152 wrote to memory of 3632	4152	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe	117
PID 4152 wrote to memory of 3632	4152	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe	117
PID 4152 wrote to memory of 3632	4152	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe	117
PID 4152 wrote to memory of 1152	4152	{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_2c368aae5d8fa358c62036771c68d04d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe
  C:\Windows\{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe
    C:\Windows\{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe
      C:\Windows\{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe
        
        C:\Windows\{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\{514106CB-938A-405b-977C-C86AF39F3AC3}.exe
        
        C:\Windows\{514106CB-938A-405b-977C-C86AF39F3AC3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe
        
        C:\Windows\{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe
        
        C:\Windows\{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe
        
        C:\Windows\{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe
        
        C:\Windows\{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe
        
        C:\Windows\{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe
        
        C:\Windows\{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\{515C6242-98DC-4421-BAEF-286AA34AC094}.exe
        
        C:\Windows\{515C6242-98DC-4421-BAEF-286AA34AC094}.exe
        13⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BC85~1.EXE > nul
        13⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7557~1.EXE > nul
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F488~1.EXE > nul
        11⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B849~1.EXE > nul
        10⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC8BC~1.EXE > nul
        9⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{932F2~1.EXE > nul
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51410~1.EXE > nul
        7⤵
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{613DB~1.EXE > nul
        6⤵
        
        PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA364~1.EXE > nul
        5⤵
        
        PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98618~1.EXE > nul
      4⤵
      PID:680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7801C~1.EXE > nul
    3⤵
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F488C38-BB5B-4b9b-916F-ECEBBCBC5A5E}.exe

Filesize
168KB

MD5
02c3d1fa0f72587e9e9d7809d91b255e

SHA1
77854a82b67b22f5d916941a2ec1265c0966cefa

SHA256
a7b9fa9c8b51d24c36379d84d4ce6002bf9ff7acfc2d18a6162bfff87b900bdc

SHA512
0182d5e62e3502d52c0ab93621480fec5beaa26f2f5248ebe8ff32c4438a4d0f9d813d2947bcd8ffeb4882b52fd864d72baa57504f3034173fa57c5b21a9da2e

Download Submit
C:\Windows\{3B849A5A-C931-411a-871E-A671C3C74DB9}.exe

Filesize
168KB

MD5
858349e2094c691e2ef02dbe511e057d

SHA1
ca38464e9fc00d5feaa1860d58ca29f67863c652

SHA256
81f49c43b922db1942629a4dbf8f63460a4d4e57f77215294bb1bf3a147f7c43

SHA512
0b1c6f22a592cf8343a47fab8b002b7694c9b9b52247255bacf9fca1abd24b4fead53c93791e5516dd866f138bd7276a0df852a7c96ce900342086ade8289ace

Download Submit
C:\Windows\{514106CB-938A-405b-977C-C86AF39F3AC3}.exe

Filesize
168KB

MD5
3c46d76cf2509766646f6265902b7dd7

SHA1
0f484b1525e220b0ce9b13b489108a8baa8f0f8d

SHA256
1ddd28ee5af380f84d08456d6590f688239425ec883dc6cdb6ec1676acd6df52

SHA512
e6424e6413bc731bb78f5de62f5f271cb5168a2cd84a3978ee00b99f9b591610b60030b6779d5512509549a20e45905aff4c1d35f7af42749d6f01dad593479b

Download Submit
C:\Windows\{515C6242-98DC-4421-BAEF-286AA34AC094}.exe

Filesize
168KB

MD5
2d25fed1778bb1d5f0db7617b462e565

SHA1
c289afbd50a4513468c1a1f630101cfd25028775

SHA256
12ff68335dc5c6ce5254243389becf1c43971560d05123da78559623d9771cf9

SHA512
eb0381c6b72d8122d6d1290cd99712e2cbd76aae42cbaac84d5ea1f3cdb6d529ef2aa423539d591f4fdea5257afeb368345becfb70b1b96c0e5b10adf7701755

Download Submit
C:\Windows\{613DB1A6-FC54-4a81-8D94-59C7A0DC9585}.exe

Filesize
168KB

MD5
bbf6c4eb432bd88b4ccaa66d61ba1a08

SHA1
4d2e0fb99ef328decf31894454d6729368d2c708

SHA256
fd2f49615d24eecf4e372b10ed387340669720f9e1f37dafd3dde90cc4f7fc83

SHA512
528ec6b315c2cc9960e32806c5843fa9616969a413906cb7d77aa6e686527c98365db8aefbc6a4a17eac2406ea39186c3b60786512fb9f4e8ced74687f90f5e9

Download Submit
C:\Windows\{7801C9E6-BF90-49b4-A9FC-AC9ABAE85F2D}.exe

Filesize
168KB

MD5
e6fc46cefefe1f06f2e5ac5e6a07a82f

SHA1
cb529ff28d8223891e64086a5a10db26571a7166

SHA256
3a5576a4b8f9dc7741f35153d4ceca81e5d2749de8a62af3c9ca1de78cc7fc77

SHA512
fd47700c4f20c458a632fad5cb342502d7a8f54b68edaad28631b5d145c1e00b4f05370baa5f65b3016a52edaf8b3b9d04f3637d695319c8c686ed69eadc4584

Download Submit
C:\Windows\{8BC85374-70C2-4db7-93A4-863F34C2575A}.exe

Filesize
168KB

MD5
7268533ec707967cc51ec2b1b0c869c3

SHA1
dbb96da243f58f48d9c4a54d566a7a37f3b92683

SHA256
f4be42666d02059c850cfb4d59970029ce26ef14edc572f57465bf1a2c713ba5

SHA512
b5eca0a803d944eb2a9a4c318a655853e56b384b71ae1b9414e2d47bf6b1afe4cbb11852711d782d5ff58fc9f303763bf1a633614b4cea7bfd5b1feaa9edde1f

Download Submit
C:\Windows\{932F2ECA-A68F-4112-BD24-E38B6922DDF6}.exe

Filesize
168KB

MD5
5e386491fe993ef0ca93fb09f07acde0

SHA1
3d37c3cd05d6961ed2630d0d36eacd411e3d3601

SHA256
a56e5411b8b326fed57eec26a45659bf65a48df4158921c04632da1713d75f4d

SHA512
d320b677ef85d427b08e211bfe8c8a2dfc4cb2d8428f6cc06936786ca4b8cdb4d3e2aaa384f8f2202409727b79e76282e0a527aec84a6a878dd802deced8199e

Download Submit
C:\Windows\{9861814C-0F13-4ab0-8E1D-4EF430325D42}.exe

Filesize
168KB

MD5
f341add401831ed974daf17dadcc546c

SHA1
313553727952d67823b6e1735fe41a8d740cfe54

SHA256
38b48097443df64cd8838c81d2cc2fe6b4ba3875aa35c67a2d0d526fc83fd8c6

SHA512
19f9b9793fc5db6d120005821d316193e46d499830bfcb48709c4fc5b6e50fc0c137419c7b555fd805c67862cd898cf40f9202eb79e97b80575e11acb8ad42a9

Download Submit
C:\Windows\{B7557080-BE7B-4a8e-AFB4-F8098FB58D54}.exe

Filesize
168KB

MD5
79344e711e341fc40d7690a595542e79

SHA1
a3753394d51ec53409e1ff934478c320e75fa876

SHA256
803c6f2881b034c657c94d29294c966b2099b723e767b331f75e6bad72ea9439

SHA512
dba344ac6e82bf1d78e0812d0cda9ee01d043ed3c04c2cb7bd33cf1326948c60c3f1c5b9142750b0ce7aecac57ec9f790644da2bc73eb52c271fd51044cd1408

Download Submit
C:\Windows\{DA364B6D-00CE-419a-AF4B-379CAE91073C}.exe

Filesize
168KB

MD5
41e6850de02af9067bcf8c0058626f80

SHA1
2c8853b11a42a34566de448d148af81829648437

SHA256
79e763ab8dd8da3b57edf629dc541d47fa7a2f8bbefec8aad6d49f0ac0bc81f9

SHA512
e04f3fe71320cffbb4cca34f04cf2758de083b49d424e215acd214bc5ed57987e245098434e994659e0f58dcc6eea1784679c249dfd8021b675a9e19b399f668

Download Submit
C:\Windows\{DC8BC963-72EB-4cdb-A57A-74C5061C46AC}.exe

Filesize
168KB

MD5
8453cce057351221c17c05ca495abce4

SHA1
e9105a80a9c71e4004ac01505191231a7de03246

SHA256
4781fe53154ca9f6fb55e7e5bf92c13759d2c7eaa49cb0746b669f03a877e499

SHA512
2ed3ce61bfc6eb3062ab680bbd61df7e17c63195c150703487ec8214f31057c95fc3c4761e2236dab09d6b2bcde5c45d7cd156665c01248a1248cb3d17037324

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads