a75d13c3b2e1f580997d853b131a8ecf2c7cc7c12b6ad8506ac9eedbc5ce13d9

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Size

180KB
MD5

10063c266b213ecb19b229a23bb87e70
SHA1

ca3af5d663716eef13283439a19757c34d55a21a
SHA256

a75d13c3b2e1f580997d853b131a8ecf2c7cc7c12b6ad8506ac9eedbc5ce13d9
SHA512

5ea2f0ee5dc1dc653f09ef196f6e7076e26b12e9cf8299bfae475d4dd9e916a1c219e254dad1f0ce2c341b83431c9acfad3c6bf0fc35c76d3d3c0299c39a2da1
SSDEEP

3072:jEGh0oglfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023218-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023211-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321f-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023211-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}\stubpath = "C:\\Windows\\{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe"	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}\stubpath = "C:\\Windows\\{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe"	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2861A7F-E071-4676-BEC3-A0D5C824C157}	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2861A7F-E071-4676-BEC3-A0D5C824C157}\stubpath = "C:\\Windows\\{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe"	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}\stubpath = "C:\\Windows\\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe"	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B2316D8-84EC-499c-964E-905299036887}	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5305799B-7AFE-4a00-B9CE-162742B67EA8}\stubpath = "C:\\Windows\\{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe"	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDF5397-001C-4beb-B791-59EA5C350959}	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDF5397-001C-4beb-B791-59EA5C350959}\stubpath = "C:\\Windows\\{FBDF5397-001C-4beb-B791-59EA5C350959}.exe"	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E4DDF86-01B7-496b-946D-357EEE16BA2D}	{8B2316D8-84EC-499c-964E-905299036887}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E4DDF86-01B7-496b-946D-357EEE16BA2D}\stubpath = "C:\\Windows\\{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe"	{8B2316D8-84EC-499c-964E-905299036887}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}\stubpath = "C:\\Windows\\{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe"	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}	{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}\stubpath = "C:\\Windows\\{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe"	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14115E80-D3C8-45f2-9610-6EEBB3B4F936}	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14115E80-D3C8-45f2-9610-6EEBB3B4F936}\stubpath = "C:\\Windows\\{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe"	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B2316D8-84EC-499c-964E-905299036887}\stubpath = "C:\\Windows\\{8B2316D8-84EC-499c-964E-905299036887}.exe"	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5305799B-7AFE-4a00-B9CE-162742B67EA8}	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}\stubpath = "C:\\Windows\\{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}.exe"	{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe

Executes dropped EXE 12 IoCs

pid	Process
3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe
1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe
1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe
3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe
1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe
980	{8B2316D8-84EC-499c-964E-905299036887}.exe
2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe
4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe
1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe
2872	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe
1488	{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe
4876	{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe
File created	C:\Windows\{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe
File created	C:\Windows\{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe
File created	C:\Windows\{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe
File created	C:\Windows\{8B2316D8-84EC-499c-964E-905299036887}.exe	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe
File created	C:\Windows\{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe	{8B2316D8-84EC-499c-964E-905299036887}.exe
File created	C:\Windows\{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe
File created	C:\Windows\{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}.exe	{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe
File created	C:\Windows\{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
File created	C:\Windows\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe
File created	C:\Windows\{FBDF5397-001C-4beb-B791-59EA5C350959}.exe	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe
File created	C:\Windows\{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4556	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe
Token: SeIncBasePriorityPrivilege	1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe
Token: SeIncBasePriorityPrivilege	1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe
Token: SeIncBasePriorityPrivilege	3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe
Token: SeIncBasePriorityPrivilege	1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe
Token: SeIncBasePriorityPrivilege	980	{8B2316D8-84EC-499c-964E-905299036887}.exe
Token: SeIncBasePriorityPrivilege	2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe
Token: SeIncBasePriorityPrivilege	4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe
Token: SeIncBasePriorityPrivilege	1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe
Token: SeIncBasePriorityPrivilege	2872	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe
Token: SeIncBasePriorityPrivilege	1488	{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3732	4556	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	98
PID 4556 wrote to memory of 3732	4556	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	98
PID 4556 wrote to memory of 3732	4556	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	98
PID 4556 wrote to memory of 4756	4556	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	97
PID 4556 wrote to memory of 4756	4556	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	97
PID 4556 wrote to memory of 4756	4556	2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe	97
PID 3732 wrote to memory of 1968	3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe	100
PID 3732 wrote to memory of 1968	3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe	100
PID 3732 wrote to memory of 1968	3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe	100
PID 3732 wrote to memory of 4300	3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe	99
PID 3732 wrote to memory of 4300	3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe	99
PID 3732 wrote to memory of 4300	3732	{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe	99
PID 1968 wrote to memory of 1180	1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe	103
PID 1968 wrote to memory of 1180	1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe	103
PID 1968 wrote to memory of 1180	1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe	103
PID 1968 wrote to memory of 4172	1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe	102
PID 1968 wrote to memory of 4172	1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe	102
PID 1968 wrote to memory of 4172	1968	{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe	102
PID 1180 wrote to memory of 3080	1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe	104
PID 1180 wrote to memory of 3080	1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe	104
PID 1180 wrote to memory of 3080	1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe	104
PID 1180 wrote to memory of 1896	1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe	105
PID 1180 wrote to memory of 1896	1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe	105
PID 1180 wrote to memory of 1896	1180	{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe	105
PID 3080 wrote to memory of 1276	3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe	107
PID 3080 wrote to memory of 1276	3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe	107
PID 3080 wrote to memory of 1276	3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe	107
PID 3080 wrote to memory of 8	3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe	106
PID 3080 wrote to memory of 8	3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe	106
PID 3080 wrote to memory of 8	3080	{FBDF5397-001C-4beb-B791-59EA5C350959}.exe	106
PID 1276 wrote to memory of 980	1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe	108
PID 1276 wrote to memory of 980	1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe	108
PID 1276 wrote to memory of 980	1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe	108
PID 1276 wrote to memory of 4260	1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe	109
PID 1276 wrote to memory of 4260	1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe	109
PID 1276 wrote to memory of 4260	1276	{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe	109
PID 980 wrote to memory of 2304	980	{8B2316D8-84EC-499c-964E-905299036887}.exe	110
PID 980 wrote to memory of 2304	980	{8B2316D8-84EC-499c-964E-905299036887}.exe	110
PID 980 wrote to memory of 2304	980	{8B2316D8-84EC-499c-964E-905299036887}.exe	110
PID 980 wrote to memory of 1480	980	{8B2316D8-84EC-499c-964E-905299036887}.exe	111
PID 980 wrote to memory of 1480	980	{8B2316D8-84EC-499c-964E-905299036887}.exe	111
PID 980 wrote to memory of 1480	980	{8B2316D8-84EC-499c-964E-905299036887}.exe	111
PID 2304 wrote to memory of 4872	2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe	112
PID 2304 wrote to memory of 4872	2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe	112
PID 2304 wrote to memory of 4872	2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe	112
PID 2304 wrote to memory of 5112	2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe	113
PID 2304 wrote to memory of 5112	2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe	113
PID 2304 wrote to memory of 5112	2304	{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe	113
PID 4872 wrote to memory of 1816	4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe	114
PID 4872 wrote to memory of 1816	4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe	114
PID 4872 wrote to memory of 1816	4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe	114
PID 4872 wrote to memory of 3812	4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe	115
PID 4872 wrote to memory of 3812	4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe	115
PID 4872 wrote to memory of 3812	4872	{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe	115
PID 1816 wrote to memory of 2872	1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe	116
PID 1816 wrote to memory of 2872	1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe	116
PID 1816 wrote to memory of 2872	1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe	116
PID 1816 wrote to memory of 4740	1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe	117
PID 1816 wrote to memory of 4740	1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe	117
PID 1816 wrote to memory of 4740	1816	{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe	117
PID 2872 wrote to memory of 1488	2872	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe	118
PID 2872 wrote to memory of 1488	2872	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe	118
PID 2872 wrote to memory of 1488	2872	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe	118
PID 2872 wrote to memory of 3012	2872	{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_10063c266b213ecb19b229a23bb87e70_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4756
- C:\Windows\{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe
  C:\Windows\{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8E03A~1.EXE > nul
    3⤵
    PID:4300
- - C:\Windows\{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe
    C:\Windows\{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14115~1.EXE > nul
      4⤵
      PID:4172
  - - C:\Windows\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe
      C:\Windows\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\{FBDF5397-001C-4beb-B791-59EA5C350959}.exe
        
        C:\Windows\{FBDF5397-001C-4beb-B791-59EA5C350959}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBDF5~1.EXE > nul
        6⤵
        
        PID:8
      - C:\Windows\{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe
        
        C:\Windows\{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{8B2316D8-84EC-499c-964E-905299036887}.exe
        
        C:\Windows\{8B2316D8-84EC-499c-964E-905299036887}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe
        
        C:\Windows\{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe
        
        C:\Windows\{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe
        
        C:\Windows\{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe
        
        C:\Windows\{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe
        
        C:\Windows\{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}.exe
        
        C:\Windows\{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C82F9~1.EXE > nul
        13⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2861~1.EXE > nul
        12⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53057~1.EXE > nul
        11⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30A22~1.EXE > nul
        10⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E4DD~1.EXE > nul
        9⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B231~1.EXE > nul
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9F42~1.EXE > nul
        7⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5FF8~1.EXE > nul
        5⤵
        
        PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14115E80-D3C8-45f2-9610-6EEBB3B4F936}.exe

Filesize
180KB

MD5
780d7988cf770b3f222d06d8dd4698a4

SHA1
30ad6484d47a178f91ce777d1b4fe9d503aed5a2

SHA256
f14a17bd8635c8dbc40dd45c8710ee3eceaad8f20b408713c1ff7d7ada2e140b

SHA512
5067823ac117b4c94d40987555c9d0b7e39a124b0103cd98dd62087acb8495f4b79ad88e09217d9cb7b87269d1e4c08735a936ea56a5d0d202a9c3d6e8cae6ab

Download Submit
C:\Windows\{1E4DDF86-01B7-496b-946D-357EEE16BA2D}.exe

Filesize
180KB

MD5
1c0c476af17fa27616b1b87fe9dcdf25

SHA1
5164c97187fc9df255c9e505cef7c84a167d7cf0

SHA256
abd643ddcdff3d8156fd380eb05f09a7c08e54c2f1c4a59899ed0a2dcc67661f

SHA512
e3adc0f7079341303b12e4a319e843cf971fbc38a4e078f28674668643c1a02c72d01741c26b0994e2d7eff32c1aa1dbae3afb51cff04dacfbc9ba1b4d09e726

Download Submit
C:\Windows\{30A22CD4-D0BE-4c8c-A1B8-5424CACE7337}.exe

Filesize
180KB

MD5
d7c6957c0c1d65895e38151c407bff71

SHA1
1bec54f0874aa6f1f00fad4894413b658f95e687

SHA256
586af60a9c7d691cbc03a6025f50819dc979bee3c6eba4552782f732bfba18dd

SHA512
8d2fc63b584566515636184eab72eb3144487b630c95b924d75bb9c35c46f9332c842a42ee5cdbb44d8ef55e2ac3274b40ec8dd62f1719cadc707980767b3f67

Download Submit
C:\Windows\{5305799B-7AFE-4a00-B9CE-162742B67EA8}.exe

Filesize
180KB

MD5
8a943eff17677d16005e1897aaf93155

SHA1
b38f2380190081604beb8fa2177a70b449a11087

SHA256
70112963313386335aacadbe330f2ad0fa39a74a8a8264394b73ce3359203b47

SHA512
809bab850345fc31d191c8a78721a1180495e911b6ec56bf3b26931dd4b13309d1bdd9099e95c1fc79016b54f40814b372af98bb94ce196a80ea25ae5bfb9204

Download Submit
C:\Windows\{8B2316D8-84EC-499c-964E-905299036887}.exe

Filesize
180KB

MD5
f5baf39ad43dcc0f20d348ad147825cf

SHA1
0ed1fc71801f0385e1d338032ebbcbc3c05dadd7

SHA256
3d51316c3be3e48a3346af18b02892d82a4fe4a0cb68070cb381525fb0349071

SHA512
c4cce21dcafc1b3953da06e40d44d12f137411db5dfcc7ed148492113bed7c0388bb3d751d84ce28872f6e96cbaaa1bff40fbfe3c06ba6c1bb252d6b7b21eb36

Download Submit
C:\Windows\{8E03ACFF-63E9-4cf7-851A-BF0659B1A947}.exe

Filesize
180KB

MD5
9a55722965a7c291cd97ecb60f58234c

SHA1
476b383b382b7f82a220307787aa3d1e5ec149e2

SHA256
5cb317fba8894754689f9d76e46098610d8b378de854879cc83c9d572ab5f76c

SHA512
9439eb252602cbdee3a4be8b257d9e8ab35884d41432fb9063367aabcad7f1d523c83a1c0a7d867c83349c0b0facf26a10944f5e7bdab6e3668ee89afe8d6492

Download Submit
C:\Windows\{A9F422D9-C2E6-41a6-9826-EEDEABAD7CCF}.exe

Filesize
180KB

MD5
59af2aa844713df85549431b9c8a6a23

SHA1
771efa2be6ffbafde724a9affd3858d41c0a0348

SHA256
131fd207029069e40cf4b20c3de74a174f9dd4de8334d157f03d1cc3daf61eb6

SHA512
fa88400d2ae429610e00648f5bbeb5749a3ab76d29fe7877a8bb6024f09ab316732cee1727a594caf8fc56a347fe342db130669f0b2ee3b0fbcf96a2ebf55f57

Download Submit
C:\Windows\{C82F958F-AA9E-41a2-80B0-CD5E585B2C17}.exe

Filesize
180KB

MD5
17d7a411d57b5f6f03468b8158602fcb

SHA1
872fbdbaaaafb4df47ff36b5ce32d97ff72d4e38

SHA256
953391cd28e4e024ae28dd929f98c3243ed668acfe0d5ac7048ea5882d480139

SHA512
a0073d0afe237add0fc9906462683fe517830f2c93568afbea212233e688feaba6d14b1a43d7606086a8473ab1b0c9b2fb93792880475e0606958f244fb9cfa3

Download Submit
C:\Windows\{D2861A7F-E071-4676-BEC3-A0D5C824C157}.exe

Filesize
180KB

MD5
536ce3320a57cba24356f45fd6d31c8f

SHA1
0a961e71760904fdb85d8b4af26e173098a1a1b9

SHA256
2c74a5eda606ebcdf98a9aec54f24584a8d1936f1f21193432b047002fbdef76

SHA512
1fd21e63143465e715eb7e7c4916c5b1ac7a11a15821e346eb9c64d02049b02354572d280a1e43a052943c9310b82416401595e0bc5472755da92f54df054669

Download Submit
C:\Windows\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe

Filesize
180KB

MD5
337be769a209cc66b11d66d487cae91e

SHA1
f7e22123ebfc43a63847c384e8df387694c27d74

SHA256
127b7236c71087466ec58c2d3b1ba833afbe7fc88a9b0e298cbb16c86bcbb9d5

SHA512
eb4350abbac1dd85213a0ec711f0a1da5e95bb0edb1069fe398623cb65ff48c27df654548944e26c9f50ed0818dc1d9ca849d4b69f6d3bc21d72fcb3a8221999

Download Submit
C:\Windows\{E5FF8185-8CF2-4f45-AAF8-525A5F158071}.exe

Filesize
161KB

MD5
f35e7c34338e7918f91de97079393aa2

SHA1
b7c6628f760a9fb068cc8d22b6eb25aa250498c0

SHA256
f3a946161fcc156ecbb150e1c86c74b9d697be9730bee020f3a9bbb8de51be5c

SHA512
aa5beb0c9eaeebd6c064ca34df97326f7c065dea51aa169f86d56f1da69e46b6371d816631249d7d36d990382a4fd807382f1f168f8eb1c13cafd3b8c44b3974

Download Submit
C:\Windows\{FBDF5397-001C-4beb-B791-59EA5C350959}.exe

Filesize
180KB

MD5
bbaeac2f7c212562c937ee4bdd3982b6

SHA1
b7b00e3b16f25bef2c4772145a0e50a45273e222

SHA256
a1d4ec5d4d91073d8bfaf69595b2cec835c1d7c701d10a28e5720a28c4df9c5a

SHA512
d8593cdaca232e0be5bf00c48a62aebcf978b35767a8a2374c234efa5e94b1ac74da113bbeba3dbc2ad2ca434419a8da11b75f94268f9a436667fb3f84152918

Download Submit
C:\Windows\{FD1659AF-DA96-4ec0-8B37-D0FF8DB43E0B}.exe

Filesize
180KB

MD5
0d324be039661b1c44dace3a5e85810c

SHA1
a4b367a1e9e87ebb88405866ee8d39ed6054f365

SHA256
856511c63edab24e2192b598c7c62def4f9824e8e460cdf2ba26d02af30c21f5

SHA512
442294854174a1cfe1dc362c78d825d27892c05a87a604e133c0b1803f0db3494e63830c0be618080893529ce4ca827b51dad37cd5ecd792f851a14a2b56bd55

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads