f56e889f5a1ab10e0818783fda20537a16606315248b11d3538f332ad165c672

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Size

192KB
MD5

2672467ba8137c37b4de80fbb81b7bae
SHA1

ccadbcfbe9d091de71a907c44fa330564d6fafcd
SHA256

f56e889f5a1ab10e0818783fda20537a16606315248b11d3538f332ad165c672
SHA512

b7b5fe37302cd06566f97c78df944827e845c0fc0fb17ebf344f42f21c8d4db3ce2bc95960d97eb967ad9169ba75ec02f6c31ecf07b9b3b363f2e2f3a37a8b97
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o1l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023222-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023223-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001BADAB-583E-4397-9A3B-8F8515C8827E}	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280E9C2B-0121-4042-A608-6F5BA3A264E1}	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF963D05-4598-4891-B03F-AF0682EDF252}	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF963D05-4598-4891-B03F-AF0682EDF252}\stubpath = "C:\\Windows\\{FF963D05-4598-4891-B03F-AF0682EDF252}.exe"	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}\stubpath = "C:\\Windows\\{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe"	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16E2C131-A80E-41b5-941A-2416C7597F65}\stubpath = "C:\\Windows\\{16E2C131-A80E-41b5-941A-2416C7597F65}.exe"	{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59E128DD-95F5-4296-A084-9D6F21E39907}\stubpath = "C:\\Windows\\{59E128DD-95F5-4296-A084-9D6F21E39907}.exe"	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10FCC69-7435-4597-B3C6-AA5494AFA854}	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}\stubpath = "C:\\Windows\\{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe"	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A67AEC0-7047-4b22-AF64-7893A62784EE}\stubpath = "C:\\Windows\\{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe"	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}\stubpath = "C:\\Windows\\{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe"	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10FCC69-7435-4597-B3C6-AA5494AFA854}\stubpath = "C:\\Windows\\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe"	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001BADAB-583E-4397-9A3B-8F8515C8827E}\stubpath = "C:\\Windows\\{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe"	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59E128DD-95F5-4296-A084-9D6F21E39907}	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280E9C2B-0121-4042-A608-6F5BA3A264E1}\stubpath = "C:\\Windows\\{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe"	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A67AEC0-7047-4b22-AF64-7893A62784EE}	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F73A9AFA-331C-472f-9892-C2DDF0FE725E}	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F73A9AFA-331C-472f-9892-C2DDF0FE725E}\stubpath = "C:\\Windows\\{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe"	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}\stubpath = "C:\\Windows\\{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe"	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16E2C131-A80E-41b5-941A-2416C7597F65}	{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe

Executes dropped EXE 12 IoCs

pid	Process
4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe
4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe
1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe
1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe
3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe
3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe
4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe
456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe
1640	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe
1524	{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe
5044	{16E2C131-A80E-41b5-941A-2416C7597F65}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{16E2C131-A80E-41b5-941A-2416C7597F65}.exe	{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe
File created	C:\Windows\{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
File created	C:\Windows\{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe
File created	C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe
File created	C:\Windows\{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
File created	C:\Windows\{FF963D05-4598-4891-B03F-AF0682EDF252}.exe	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe
File created	C:\Windows\{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe
File created	C:\Windows\{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe
File created	C:\Windows\{59E128DD-95F5-4296-A084-9D6F21E39907}.exe	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe
File created	C:\Windows\{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe
File created	C:\Windows\{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe
File created	C:\Windows\{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1524	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe
Token: SeIncBasePriorityPrivilege	4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe
Token: SeIncBasePriorityPrivilege	1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe
Token: SeIncBasePriorityPrivilege	1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
Token: SeIncBasePriorityPrivilege	3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe
Token: SeIncBasePriorityPrivilege	3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe
Token: SeIncBasePriorityPrivilege	3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe
Token: SeIncBasePriorityPrivilege	4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe
Token: SeIncBasePriorityPrivilege	456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe
Token: SeIncBasePriorityPrivilege	1640	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe
Token: SeIncBasePriorityPrivilege	1524	{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 4576	1524	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	95
PID 1524 wrote to memory of 4576	1524	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	95
PID 1524 wrote to memory of 4576	1524	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	95
PID 1524 wrote to memory of 1132	1524	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	96
PID 1524 wrote to memory of 1132	1524	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	96
PID 1524 wrote to memory of 1132	1524	2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe	96
PID 4576 wrote to memory of 4088	4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe	98
PID 4576 wrote to memory of 4088	4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe	98
PID 4576 wrote to memory of 4088	4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe	98
PID 4576 wrote to memory of 1228	4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe	97
PID 4576 wrote to memory of 1228	4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe	97
PID 4576 wrote to memory of 1228	4576	{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe	97
PID 4088 wrote to memory of 1720	4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe	101
PID 4088 wrote to memory of 1720	4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe	101
PID 4088 wrote to memory of 1720	4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe	101
PID 4088 wrote to memory of 2144	4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe	100
PID 4088 wrote to memory of 2144	4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe	100
PID 4088 wrote to memory of 2144	4088	{59E128DD-95F5-4296-A084-9D6F21E39907}.exe	100
PID 1720 wrote to memory of 1776	1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe	102
PID 1720 wrote to memory of 1776	1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe	102
PID 1720 wrote to memory of 1776	1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe	102
PID 1720 wrote to memory of 2624	1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe	103
PID 1720 wrote to memory of 2624	1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe	103
PID 1720 wrote to memory of 2624	1720	{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe	103
PID 1776 wrote to memory of 3124	1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	104
PID 1776 wrote to memory of 3124	1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	104
PID 1776 wrote to memory of 3124	1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	104
PID 1776 wrote to memory of 4072	1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	105
PID 1776 wrote to memory of 4072	1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	105
PID 1776 wrote to memory of 4072	1776	{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe	105
PID 3124 wrote to memory of 3184	3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe	107
PID 3124 wrote to memory of 3184	3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe	107
PID 3124 wrote to memory of 3184	3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe	107
PID 3124 wrote to memory of 4916	3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe	106
PID 3124 wrote to memory of 4916	3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe	106
PID 3124 wrote to memory of 4916	3124	{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe	106
PID 3184 wrote to memory of 3632	3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe	109
PID 3184 wrote to memory of 3632	3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe	109
PID 3184 wrote to memory of 3632	3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe	109
PID 3184 wrote to memory of 4164	3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe	108
PID 3184 wrote to memory of 4164	3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe	108
PID 3184 wrote to memory of 4164	3184	{FF963D05-4598-4891-B03F-AF0682EDF252}.exe	108
PID 3632 wrote to memory of 4536	3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe	111
PID 3632 wrote to memory of 4536	3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe	111
PID 3632 wrote to memory of 4536	3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe	111
PID 3632 wrote to memory of 4400	3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe	110
PID 3632 wrote to memory of 4400	3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe	110
PID 3632 wrote to memory of 4400	3632	{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe	110
PID 4536 wrote to memory of 456	4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe	113
PID 4536 wrote to memory of 456	4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe	113
PID 4536 wrote to memory of 456	4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe	113
PID 4536 wrote to memory of 4800	4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe	112
PID 4536 wrote to memory of 4800	4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe	112
PID 4536 wrote to memory of 4800	4536	{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe	112
PID 456 wrote to memory of 1640	456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe	114
PID 456 wrote to memory of 1640	456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe	114
PID 456 wrote to memory of 1640	456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe	114
PID 456 wrote to memory of 3792	456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe	115
PID 456 wrote to memory of 3792	456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe	115
PID 456 wrote to memory of 3792	456	{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe	115
PID 1640 wrote to memory of 1524	1640	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe	116
PID 1640 wrote to memory of 1524	1640	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe	116
PID 1640 wrote to memory of 1524	1640	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe	116
PID 1640 wrote to memory of 5080	1640	{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_2672467ba8137c37b4de80fbb81b7bae_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe
  C:\Windows\{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{001BA~1.EXE > nul
    3⤵
    PID:1228
- - C:\Windows\{59E128DD-95F5-4296-A084-9D6F21E39907}.exe
    C:\Windows\{59E128DD-95F5-4296-A084-9D6F21E39907}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59E12~1.EXE > nul
      4⤵
      PID:2144
  - - C:\Windows\{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe
      C:\Windows\{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
        
        C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe
        
        C:\Windows\{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D5F6~1.EXE > nul
        7⤵
        
        PID:4916
        
        C:\Windows\{FF963D05-4598-4891-B03F-AF0682EDF252}.exe
        
        C:\Windows\{FF963D05-4598-4891-B03F-AF0682EDF252}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF963~1.EXE > nul
        8⤵
        
        PID:4164
        
        C:\Windows\{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe
        
        C:\Windows\{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A67A~1.EXE > nul
        9⤵
        
        PID:4400
        
        C:\Windows\{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe
        
        C:\Windows\{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4993~1.EXE > nul
        10⤵
        
        PID:4800
        
        C:\Windows\{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe
        
        C:\Windows\{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe
        
        C:\Windows\{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe
        
        C:\Windows\{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{16E2C131-A80E-41b5-941A-2416C7597F65}.exe
        
        C:\Windows\{16E2C131-A80E-41b5-941A-2416C7597F65}.exe
        13⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38485~1.EXE > nul
        13⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F73A9~1.EXE > nul
        12⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCABE~1.EXE > nul
        11⤵
        
        PID:3792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D10FC~1.EXE > nul
        6⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{280E9~1.EXE > nul
        5⤵
        
        PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{001BADAB-583E-4397-9A3B-8F8515C8827E}.exe

Filesize
192KB

MD5
91d3f0177deea16d214f5e1bb1f41314

SHA1
65e656e6c118c652beba34435e2122357f96e097

SHA256
99d456032e33c6ff9ed193a6773bae82fbb56916c928c0d527b3cc2e03aea03d

SHA512
28a2043ed5d913d9e6388c68354efd9974794956fc01b10922b276cd0ae5abde7f64739f2f472035b18e6b3d20d0553c8a495e694decd7731ee8b5de095f0d0a

Download Submit
C:\Windows\{16E2C131-A80E-41b5-941A-2416C7597F65}.exe

Filesize
192KB

MD5
78f4b755033e8bdede056f63f3ee2b97

SHA1
d8a5526c05b8b72da1933cfc88de50cabc8afa4e

SHA256
2dd3cdc368d2c6afe7faac45717f154a50ac7033c08f7aa73378b8e237111de2

SHA512
e06ef067ea60f0eeb2fe307e78fc34397c457dc9f72afe02075226242fdf485554e79de14f93818530c66afa4ce784ed1d031f41e6a2a57f4c533645b245c487

Download Submit
C:\Windows\{280E9C2B-0121-4042-A608-6F5BA3A264E1}.exe

Filesize
192KB

MD5
67b8d6cdfbad15ef7207cbcfe187b30c

SHA1
8295e4fe0918e0a15597c7d0df94b154af94974a

SHA256
4270ab38a81d83b6a8579d067dfb990bd58e622960a96904b3295d2c0620f57b

SHA512
bf463a9eb469f130c7e6c302218425d51b40d0ab5361502af1be0e6853596968c0740574157b46c335bbba634dcde6f5721af0c1be1473892e9ad7bc2272d0cf

Download Submit
C:\Windows\{38485C3E-33EC-4af7-9C7F-79D5B1C43DE8}.exe

Filesize
192KB

MD5
8cf559dd0a2157a47122f35cb450dbea

SHA1
2abfec930a3a569c72fe5ee1e777eb1404a87941

SHA256
d5791016433fbb4e9ac276df13c5d219ec08633a16e1bde82b7f9ba89778982e

SHA512
13100526d5aade1964980a794ba236be3051468fa5d637b5f88bc8a8cfa70a832030a5a12df95c0f1e935eaf1ccdbc2fdd6e07f63ea8d0ec4f885183990d8300

Download Submit
C:\Windows\{4D5F6BDF-971A-4e6b-9B6C-E01FB2616931}.exe

Filesize
192KB

MD5
ec9230585733662f646267cdda903adb

SHA1
c7788b71c81bd1fbac75ea3172aa28b70337cd99

SHA256
306297926256ced5dea37e4a8137166a1ca1453f119f6797f62d48921817eca5

SHA512
c17670eac3b3caafce524da1fa0159a55f05fb7dbb7a11bc4b71039d991541e71952bb58f0ae9229a55717561a08202d00549460454561a2ee9291313f3e5b39

Download Submit
C:\Windows\{59E128DD-95F5-4296-A084-9D6F21E39907}.exe

Filesize
192KB

MD5
77f936ec9b180232a43f61a4b009d0fa

SHA1
8c28b4e8e4aacae8a6cc79aafcc769e58b24c0e0

SHA256
3ec0a7dd6131bbc773db830ef027257105fcae0ae598913011d913a50d9ae94e

SHA512
7d764b6b1ba652b3f2924772dab98db4efaf2ccecbe992f25885c65d2c4488c4c6fe3a9b1e4c299071d51d9228d3bba0fafbb2e16e3b3ee55d18cb79c45a19b6

Download Submit
C:\Windows\{6A67AEC0-7047-4b22-AF64-7893A62784EE}.exe

Filesize
192KB

MD5
39c2e579a6ecb1dd4055c10b0464e31b

SHA1
550aef3e60d1b8de5cbd8709b733e5344bf54858

SHA256
92ee6b918bf55e56fec24f36b131fb4c7fd48ff01f6baf3a0547fc6e4907703e

SHA512
07ca91cb486e0d9d2855f1b8996af4cbdb594a0a047cbadb83a3ee1d962e50c90b193b7084844a7d6aa3be4451551fc9a8a751aa7f97bb0c592e7220428a8f70

Download Submit
C:\Windows\{D10FCC69-7435-4597-B3C6-AA5494AFA854}.exe

Filesize
192KB

MD5
91b40288180605ae498a78e3f8892fc2

SHA1
0ba5e720d3472086b89628dfbfdabe00aa814068

SHA256
1c4e2b8daf6aee36453c2f66f5b9f65a3dd65daa33887a2c78c35dca0b1e942d

SHA512
32546e5cca7bd6672f06d6e95e988ecbd76c0ddd62d5267419784e893a748e775cc07832e3db59585004f18ed8dd8c2f528b6a2d89b08e78449f337cf0bd1091

Download Submit
C:\Windows\{E4993E39-4F6E-483b-ABDC-D5A99EC6E1B3}.exe

Filesize
192KB

MD5
833d64944546a36880f094469afedd33

SHA1
ae84849a4db196b96f7a9c541e24cbd7d53c3c71

SHA256
1156c42cdb07d44f79bc6b930f95df51261eaab02c96ea8e0c6e4916f1827fc7

SHA512
0b0e28e5c4112b3633efb6642f68f9876dc72d59661f4100f44cb7f08840a2aaefa8779b4c7910450d67f6eafa0b9e86de9e22271c4759e23359c7061355fa54

Download Submit
C:\Windows\{F73A9AFA-331C-472f-9892-C2DDF0FE725E}.exe

Filesize
192KB

MD5
824f1f9f00ae28918e4c8453c9b0b52e

SHA1
2e2bbd92482b2cdc5f2dfda573b0a0ce67f65152

SHA256
8e75a43d6bf40ce6d2c465dbb4dd615125f5dbda2c8d5df8e7d5e0e8af793765

SHA512
581bf1bc5a17c71d40f0226a76fa413171e41c0cc72ad8ff9b7a94734791ce966c5c0a9175b225c7141be0808488839d494c600e3c7f9de97c96affe6048b1a5

Download Submit
C:\Windows\{FCABEC1C-B01C-4a82-9AE8-4F0897BEE96D}.exe

Filesize
192KB

MD5
1b6ee1a7b718ad8638e6ba81e1f127bf

SHA1
395ca5bf0b31f4124dd6edaed8999d7dd7131e7d

SHA256
481fc2823e5fd149d9bbb49e2ea3583bfef06b00074a33f61810f5cd09c5ffaa

SHA512
268b72f356d8c6724231c5a1a34c555d79b163111740694c5b3880082cefe76bda8f51f61f3b84bec6a8564c18e5353027c1829fd094486c5226362215419b91

Download Submit
C:\Windows\{FF963D05-4598-4891-B03F-AF0682EDF252}.exe

Filesize
192KB

MD5
b7de0fed39fcd927eee9d440201ba082

SHA1
4ddec97c9c825bc94161cd60fcca206518c88629

SHA256
b8091b7b7b19b1a37832c0c2043fbb94174e9edc35564875f8a34293672154ad

SHA512
7e19b9543c6a430f33d360d9a73a02ed8c2c0d5e47feb9a96928747d75076a12eecbdf2e774d925b99b0a9a9762724413be00af47d32364194410d6f4c12c4f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads