b92019828b68282df1ae4c6144d4d11f678247d75dcb8502549dfc41d888b6e2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Size

180KB
MD5

3bc48fe17c90c0fe44846b89e9e23d7b
SHA1

59f0f45b9daa9ca857ddc7bf2eb5f6cf7d8d2910
SHA256

b92019828b68282df1ae4c6144d4d11f678247d75dcb8502549dfc41d888b6e2
SHA512

e4fdde4b1abf162a8a691517c5c3242058906b6c58d256f9caa77557fc0a519b1652b513d778a3c18db2dae56ec963486d063c9fdf14fbb501865f642836dc41
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGql5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023115-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023054-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023213-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023054-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B54ECA6-A754-404f-8EBE-A9EBC053D553}	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B54ECA6-A754-404f-8EBE-A9EBC053D553}\stubpath = "C:\\Windows\\{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe"	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}\stubpath = "C:\\Windows\\{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe"	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BACDA72-15F0-439c-8654-907BEB9C2DC2}	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619BB049-0ED8-4272-A406-9F6D46644325}\stubpath = "C:\\Windows\\{619BB049-0ED8-4272-A406-9F6D46644325}.exe"	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05BE998-D654-4028-9EB0-2BE48B180734}\stubpath = "C:\\Windows\\{C05BE998-D654-4028-9EB0-2BE48B180734}.exe"	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}\stubpath = "C:\\Windows\\{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe"	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05BE998-D654-4028-9EB0-2BE48B180734}	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BACDA72-15F0-439c-8654-907BEB9C2DC2}\stubpath = "C:\\Windows\\{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe"	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51CB0B4-125A-4a72-B64E-426A494C61D1}	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51CB0B4-125A-4a72-B64E-426A494C61D1}\stubpath = "C:\\Windows\\{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe"	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEF4004-B5E1-4c4f-BE71-58F77658747A}	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}\stubpath = "C:\\Windows\\{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe"	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}	{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}\stubpath = "C:\\Windows\\{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}.exe"	{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}\stubpath = "C:\\Windows\\{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe"	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619BB049-0ED8-4272-A406-9F6D46644325}	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C7C343-8EFF-4c35-88AA-0C6F09F19131}	{619BB049-0ED8-4272-A406-9F6D46644325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C7C343-8EFF-4c35-88AA-0C6F09F19131}\stubpath = "C:\\Windows\\{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe"	{619BB049-0ED8-4272-A406-9F6D46644325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEF4004-B5E1-4c4f-BE71-58F77658747A}\stubpath = "C:\\Windows\\{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe"	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe

Executes dropped EXE 12 IoCs

pid	Process
1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe
2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe
2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe
4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe
1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe
1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe
3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe
1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe
4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe
4076	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe
4632	{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe
2912	{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe	{619BB049-0ED8-4272-A406-9F6D46644325}.exe
File created	C:\Windows\{C05BE998-D654-4028-9EB0-2BE48B180734}.exe	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe
File created	C:\Windows\{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe
File created	C:\Windows\{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}.exe	{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe
File created	C:\Windows\{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe
File created	C:\Windows\{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe
File created	C:\Windows\{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe
File created	C:\Windows\{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe
File created	C:\Windows\{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe
File created	C:\Windows\{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
File created	C:\Windows\{619BB049-0ED8-4272-A406-9F6D46644325}.exe	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe
File created	C:\Windows\{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2876	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe
Token: SeIncBasePriorityPrivilege	2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe
Token: SeIncBasePriorityPrivilege	2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe
Token: SeIncBasePriorityPrivilege	4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe
Token: SeIncBasePriorityPrivilege	1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe
Token: SeIncBasePriorityPrivilege	1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe
Token: SeIncBasePriorityPrivilege	3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe
Token: SeIncBasePriorityPrivilege	1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe
Token: SeIncBasePriorityPrivilege	4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe
Token: SeIncBasePriorityPrivilege	4076	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe
Token: SeIncBasePriorityPrivilege	4632	{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1236	2876	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	96
PID 2876 wrote to memory of 1236	2876	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	96
PID 2876 wrote to memory of 1236	2876	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	96
PID 2876 wrote to memory of 4724	2876	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	97
PID 2876 wrote to memory of 4724	2876	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	97
PID 2876 wrote to memory of 4724	2876	2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe	97
PID 1236 wrote to memory of 2948	1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe	98
PID 1236 wrote to memory of 2948	1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe	98
PID 1236 wrote to memory of 2948	1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe	98
PID 1236 wrote to memory of 2360	1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe	99
PID 1236 wrote to memory of 2360	1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe	99
PID 1236 wrote to memory of 2360	1236	{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe	99
PID 2948 wrote to memory of 2012	2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe	101
PID 2948 wrote to memory of 2012	2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe	101
PID 2948 wrote to memory of 2012	2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe	101
PID 2948 wrote to memory of 1124	2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe	102
PID 2948 wrote to memory of 1124	2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe	102
PID 2948 wrote to memory of 1124	2948	{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe	102
PID 2012 wrote to memory of 4872	2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe	103
PID 2012 wrote to memory of 4872	2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe	103
PID 2012 wrote to memory of 4872	2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe	103
PID 2012 wrote to memory of 3160	2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe	104
PID 2012 wrote to memory of 3160	2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe	104
PID 2012 wrote to memory of 3160	2012	{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe	104
PID 4872 wrote to memory of 1944	4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe	105
PID 4872 wrote to memory of 1944	4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe	105
PID 4872 wrote to memory of 1944	4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe	105
PID 4872 wrote to memory of 4320	4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe	106
PID 4872 wrote to memory of 4320	4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe	106
PID 4872 wrote to memory of 4320	4872	{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe	106
PID 1944 wrote to memory of 1644	1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe	107
PID 1944 wrote to memory of 1644	1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe	107
PID 1944 wrote to memory of 1644	1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe	107
PID 1944 wrote to memory of 396	1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe	108
PID 1944 wrote to memory of 396	1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe	108
PID 1944 wrote to memory of 396	1944	{619BB049-0ED8-4272-A406-9F6D46644325}.exe	108
PID 1644 wrote to memory of 3280	1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe	110
PID 1644 wrote to memory of 3280	1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe	110
PID 1644 wrote to memory of 3280	1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe	110
PID 1644 wrote to memory of 4476	1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe	109
PID 1644 wrote to memory of 4476	1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe	109
PID 1644 wrote to memory of 4476	1644	{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe	109
PID 3280 wrote to memory of 1984	3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe	112
PID 3280 wrote to memory of 1984	3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe	112
PID 3280 wrote to memory of 1984	3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe	112
PID 3280 wrote to memory of 1844	3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe	111
PID 3280 wrote to memory of 1844	3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe	111
PID 3280 wrote to memory of 1844	3280	{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe	111
PID 1984 wrote to memory of 4008	1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe	113
PID 1984 wrote to memory of 4008	1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe	113
PID 1984 wrote to memory of 4008	1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe	113
PID 1984 wrote to memory of 2728	1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe	114
PID 1984 wrote to memory of 2728	1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe	114
PID 1984 wrote to memory of 2728	1984	{C05BE998-D654-4028-9EB0-2BE48B180734}.exe	114
PID 4008 wrote to memory of 4076	4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe	116
PID 4008 wrote to memory of 4076	4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe	116
PID 4008 wrote to memory of 4076	4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe	116
PID 4008 wrote to memory of 1012	4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe	115
PID 4008 wrote to memory of 1012	4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe	115
PID 4008 wrote to memory of 1012	4008	{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe	115
PID 4076 wrote to memory of 4632	4076	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe	117
PID 4076 wrote to memory of 4632	4076	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe	117
PID 4076 wrote to memory of 4632	4076	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe	117
PID 4076 wrote to memory of 4772	4076	{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_3bc48fe17c90c0fe44846b89e9e23d7b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe
  C:\Windows\{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe
    C:\Windows\{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe
      C:\Windows\{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe
        
        C:\Windows\{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Windows\{619BB049-0ED8-4272-A406-9F6D46644325}.exe
        
        C:\Windows\{619BB049-0ED8-4272-A406-9F6D46644325}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe
        
        C:\Windows\{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32C7C~1.EXE > nul
        8⤵
        
        PID:4476
        
        C:\Windows\{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe
        
        C:\Windows\{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBEF4~1.EXE > nul
        9⤵
        
        PID:1844
        
        C:\Windows\{C05BE998-D654-4028-9EB0-2BE48B180734}.exe
        
        C:\Windows\{C05BE998-D654-4028-9EB0-2BE48B180734}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe
        
        C:\Windows\{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69E42~1.EXE > nul
        11⤵
        
        PID:1012
        
        C:\Windows\{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe
        
        C:\Windows\{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe
        
        C:\Windows\{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}.exe
        
        C:\Windows\{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{880B0~1.EXE > nul
        13⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B54E~1.EXE > nul
        12⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C05BE~1.EXE > nul
        10⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{619BB~1.EXE > nul
        7⤵
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CEBB~1.EXE > nul
        6⤵
        
        PID:4320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D51CB~1.EXE > nul
        5⤵
        
        PID:3160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0BACD~1.EXE > nul
      4⤵
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26226~1.EXE > nul
    3⤵
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BACDA72-15F0-439c-8654-907BEB9C2DC2}.exe

Filesize
180KB

MD5
6bc5cd754819f114f1804c2e0377b9a5

SHA1
10e642eb390b2a0aac5e9c9876f372f8c86986c9

SHA256
c108284ec7a7bc39f6b29dc44ad10bf1fba6fb47a9eb790bb2cc1a654875d238

SHA512
c2c2cf3a376dae0a1a5dd34156b01cedfd3bde3cd981be16b2abd62c57763d44e01e8399677acae8688c6697ec4d567a2bc8f9b951e47c81507ff21482c4109e

Download Submit
C:\Windows\{26226DE8-3DBC-46fa-A55C-AE5705B50E3C}.exe

Filesize
180KB

MD5
9e9a24ff63a1b5a026bde36bdda01375

SHA1
3dd0a11a39f6af7c554bed009e8b75114bde7ffc

SHA256
569f72e3e6ec1ef9725a5b539f49bf0467852038f123bdb9b3869138c2007d82

SHA512
d811995aaa236e64cc05eccacadc316a364a63eccddd0c3df46cba5a40286b5924f8482d4825744f123ddd860c62974eb5d8ddc8d38ddae2167e8954e7160b9c

Download Submit
C:\Windows\{32C7C343-8EFF-4c35-88AA-0C6F09F19131}.exe

Filesize
180KB

MD5
04ecf258be5dc6c5e1a75efa0052307c

SHA1
2564bb1476923694f2d6f2b1be5f873935fafdea

SHA256
b10ae9594262f06d9691f652f19584aac34c93a298a7dd8795225aca4e605934

SHA512
a0b1eafa5b7591a9b05d4be0d9c6e7c5aab5cf08b9375f7c9efa693ca6fab84bc0cedc2a0f0b2dbcf77e96026add0a22cd3a406e92aa6a1e470cd78cb3d89e76

Download Submit
C:\Windows\{619BB049-0ED8-4272-A406-9F6D46644325}.exe

Filesize
180KB

MD5
01d35c6ffd3a43dec4352955cfc98dab

SHA1
da828698a8c8596e2f9f8157f5dd65b6426219e5

SHA256
fbac7bda2817da3bed3227d8245920c3795ba3cf147f86236acb0851b6b7caed

SHA512
cd9252e285003a2bc8e730a233ec6b018c029b51b86fae3b557326eaf516730dc5f06ba5b2a60a159e551146d05abdc32cb257ad3c84513ecd7da1726c07a2ec

Download Submit
C:\Windows\{69E429E9-CD53-4e89-9E82-764BAE9EF9B6}.exe

Filesize
180KB

MD5
9b7b7ec5d30a505298c93d066e1f9dce

SHA1
e45b505a3965417163050eaf2fc30c7f15e8b55a

SHA256
3f1cc71d69e6ce496382dc985ab7f98c81b154c8825ee63b0a33b00d4b5d75c8

SHA512
08088bb4c4d66e174f205568b54b886d52d2a7fab0cba65efc0f2d81f83340bf0850424eec72d256fcdcf2fc4b9c067e60b1a80babf84ccc756cf49e29af8b16

Download Submit
C:\Windows\{7B54ECA6-A754-404f-8EBE-A9EBC053D553}.exe

Filesize
180KB

MD5
8c7e388eef940ce4b36e38a70abee6e0

SHA1
177adcf34feffacd5e71245093d2592542a2fb87

SHA256
4b7356bcac86655e01fb6665014219f425e8c17cb5383b4efd9f5826aac4382f

SHA512
6850b9ffe3b7166ef57223256e72dfa8861a0df1ce16aad6e6e2b337d6c168baf8c9cb10f6c8e696183c2b78b3384fa61fd15eab569702fcfc383f4eb71610a5

Download Submit
C:\Windows\{880B09CA-A97E-4c0a-AE43-8FA206ECAB48}.exe

Filesize
180KB

MD5
f8875ad8f2c814336846cee7be4fbbca

SHA1
1ee140b78eddd962780920379426ba8ae0c1a9a4

SHA256
91bfec39ecd26f829350b7149b0a4c3131a939b40ce9eb7dbdc8a00dba926a74

SHA512
474ca70d9f88040e0a20c542d2782f92cc71fd8ac742d951f41e44b620429c6f860207bf7fb2c284ea908ee7cae656b29ea1bb5c2fd1461c173e2a61a541a21e

Download Submit
C:\Windows\{8CEBBDFC-96BE-426b-A0D6-73F32AA7F166}.exe

Filesize
180KB

MD5
590f0867a7bf710db102ced38508f013

SHA1
7431ab638ade30b9f40926bea848efc66f66020f

SHA256
a60b9c2cf8d07ee4420c0537f37020eadeb831323ed988e9be1a9371d8f8e8e9

SHA512
12fe4c2bb0fc27014c4e58cf3b9d58448b3ba55f865ae9d5a0bcca08773cc4e0c87412cf3b305f618b87e23d39b4620a251974babd0bed5983226454464789aa

Download Submit
C:\Windows\{C05BE998-D654-4028-9EB0-2BE48B180734}.exe

Filesize
180KB

MD5
8e56cf8d602ee5e2410a5d42814eee66

SHA1
424f69c7f29047841e99f59aab1e4da4e29e281a

SHA256
42d5c3b25c349ac58d9e36152645f4f28180aad675191340ab6c4aff966b19f2

SHA512
db2438b033419955f4c6d58bc69910e44f2708124fbc39998c9c93fcfec8d2ab5f2d13dd6ccce23074175a94266ae48744e507f714eb66d99906ddb27f449544

Download Submit
C:\Windows\{D51CB0B4-125A-4a72-B64E-426A494C61D1}.exe

Filesize
180KB

MD5
055f132058625fe01d71998e967c0540

SHA1
0fce859e98c3ceb5574c5808ccf6bd84266dacb0

SHA256
648101eba6a2c51209b6adcb3aaf89715a6880fcb0d79730ccae28394b01580e

SHA512
4dcfed2ff000b24844120d32dce82866c43a53f165b0d985a1d9b4b2d695810f403238cc5721baa38d1274af5f4b1ebce844d09b050d78b0591ac14158b4229c

Download Submit
C:\Windows\{DCC732D2-8AF4-4311-A3A4-78BFA3AD88E2}.exe

Filesize
180KB

MD5
e47508cd406d3ee94de59b75336b53f3

SHA1
58431cc0d7823906d551a044fde30faffa9cad3f

SHA256
7ab4c4f25b0d34a43612adb571d0b22c2bbb59b75901561e1c6b4f8ee2cba1a8

SHA512
97f9d5edec3e9ea8ae88b5320d3192ef7cc8c47fc02b6ba99290608b13addcce480d65b4d8a040594adcc576f619aa7a0b3b46caa826f9e88caaa820a14e1628

Download Submit
C:\Windows\{EBEF4004-B5E1-4c4f-BE71-58F77658747A}.exe

Filesize
180KB

MD5
5f3892cd70d5c329c87d828f50f1018c

SHA1
e5529b32c3c8b578ff0930007289104bf175748a

SHA256
c41d96da85cd334896c323f03dd5a4f5a222bf46f2eb2206c1fc014f1de10a88

SHA512
136592bb39802426d1abde9c8680a46db5345e0f2df4f463dc810f9a3bf673fd2a970fc7ca59bec6db308b3f4c67139954f3ba1fe4c5c114c1b380a9c4c63f19

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads