acdc812c0d03d7035e5d632c5caed760a55447b010916183470216e39b20d788

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe
Size

168KB
MD5

43ca1fc9711f0c9a1549147fa429bbd1
SHA1

fb3089140875f79be84a501d1194648f70354867
SHA256

acdc812c0d03d7035e5d632c5caed760a55447b010916183470216e39b20d788
SHA512

92184f4a93d49f62749b8f36e1f1aca56f9fa0a412b69b6cb16a2ae81eafa50b8c1e19b5d788504129b14c8b349b122938c551303d7133296b4e9f85d82d659e
SSDEEP

1536:1EGh0oHlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oHlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00110000000231e9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fa-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fa-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fa-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B36048EA-F180-4323-87C8-12E11479A02F}	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}\stubpath = "C:\\Windows\\{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe"	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47659970-6569-482f-9B5F-00E444BE7D68}\stubpath = "C:\\Windows\\{47659970-6569-482f-9B5F-00E444BE7D68}.exe"	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997B7EC5-0A72-46f1-ACD9-37A95B651319}\stubpath = "C:\\Windows\\{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe"	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA98A334-E15C-44c4-9673-5C1256C92A81}	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA98A334-E15C-44c4-9673-5C1256C92A81}\stubpath = "C:\\Windows\\{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe"	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31DCE6CC-F630-487a-9E56-7529BC03471D}\stubpath = "C:\\Windows\\{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe"	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F89EBB64-D24B-4e90-87C3-53D293671E13}\stubpath = "C:\\Windows\\{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe"	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}\stubpath = "C:\\Windows\\{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe"	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47659970-6569-482f-9B5F-00E444BE7D68}	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C147BC-443A-46fc-86BA-FFDBD224D949}	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C147BC-443A-46fc-86BA-FFDBD224D949}\stubpath = "C:\\Windows\\{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe"	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}	{B36048EA-F180-4323-87C8-12E11479A02F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F89EBB64-D24B-4e90-87C3-53D293671E13}	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A047DCE-320E-4e62-A81B-A044A30FBCA0}\stubpath = "C:\\Windows\\{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe"	{47659970-6569-482f-9B5F-00E444BE7D68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}\stubpath = "C:\\Windows\\{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe"	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31DCE6CC-F630-487a-9E56-7529BC03471D}	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B36048EA-F180-4323-87C8-12E11479A02F}\stubpath = "C:\\Windows\\{B36048EA-F180-4323-87C8-12E11479A02F}.exe"	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}\stubpath = "C:\\Windows\\{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}.exe"	{B36048EA-F180-4323-87C8-12E11479A02F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A047DCE-320E-4e62-A81B-A044A30FBCA0}	{47659970-6569-482f-9B5F-00E444BE7D68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997B7EC5-0A72-46f1-ACD9-37A95B651319}	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe

Executes dropped EXE 12 IoCs

pid	Process
412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe
1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe
4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe
3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe
3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe
5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe
4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe
1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe
4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe
1876	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe
3140	{B36048EA-F180-4323-87C8-12E11479A02F}.exe
2772	{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe	{47659970-6569-482f-9B5F-00E444BE7D68}.exe
File created	C:\Windows\{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe
File created	C:\Windows\{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe
File created	C:\Windows\{B36048EA-F180-4323-87C8-12E11479A02F}.exe	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe
File created	C:\Windows\{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}.exe	{B36048EA-F180-4323-87C8-12E11479A02F}.exe
File created	C:\Windows\{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe
File created	C:\Windows\{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe
File created	C:\Windows\{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe
File created	C:\Windows\{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe
File created	C:\Windows\{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe
File created	C:\Windows\{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe
File created	C:\Windows\{47659970-6569-482f-9B5F-00E444BE7D68}.exe	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	680	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe
Token: SeIncBasePriorityPrivilege	1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe
Token: SeIncBasePriorityPrivilege	4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe
Token: SeIncBasePriorityPrivilege	3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe
Token: SeIncBasePriorityPrivilege	3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe
Token: SeIncBasePriorityPrivilege	5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe
Token: SeIncBasePriorityPrivilege	4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe
Token: SeIncBasePriorityPrivilege	1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe
Token: SeIncBasePriorityPrivilege	4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe
Token: SeIncBasePriorityPrivilege	1876	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe
Token: SeIncBasePriorityPrivilege	3140	{B36048EA-F180-4323-87C8-12E11479A02F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 412	680	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe	96
PID 680 wrote to memory of 412	680	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe	96
PID 680 wrote to memory of 412	680	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe	96
PID 680 wrote to memory of 3564	680	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe	97
PID 680 wrote to memory of 3564	680	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe	97
PID 680 wrote to memory of 3564	680	2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe	97
PID 412 wrote to memory of 1340	412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe	98
PID 412 wrote to memory of 1340	412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe	98
PID 412 wrote to memory of 1340	412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe	98
PID 412 wrote to memory of 1748	412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe	99
PID 412 wrote to memory of 1748	412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe	99
PID 412 wrote to memory of 1748	412	{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe	99
PID 1340 wrote to memory of 4384	1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe	101
PID 1340 wrote to memory of 4384	1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe	101
PID 1340 wrote to memory of 4384	1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe	101
PID 1340 wrote to memory of 4332	1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe	102
PID 1340 wrote to memory of 4332	1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe	102
PID 1340 wrote to memory of 4332	1340	{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe	102
PID 4384 wrote to memory of 3824	4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe	104
PID 4384 wrote to memory of 3824	4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe	104
PID 4384 wrote to memory of 3824	4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe	104
PID 4384 wrote to memory of 428	4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe	103
PID 4384 wrote to memory of 428	4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe	103
PID 4384 wrote to memory of 428	4384	{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe	103
PID 3824 wrote to memory of 3208	3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe	105
PID 3824 wrote to memory of 3208	3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe	105
PID 3824 wrote to memory of 3208	3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe	105
PID 3824 wrote to memory of 2852	3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe	106
PID 3824 wrote to memory of 2852	3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe	106
PID 3824 wrote to memory of 2852	3824	{47659970-6569-482f-9B5F-00E444BE7D68}.exe	106
PID 3208 wrote to memory of 5020	3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe	107
PID 3208 wrote to memory of 5020	3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe	107
PID 3208 wrote to memory of 5020	3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe	107
PID 3208 wrote to memory of 4548	3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe	108
PID 3208 wrote to memory of 4548	3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe	108
PID 3208 wrote to memory of 4548	3208	{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe	108
PID 5020 wrote to memory of 4268	5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe	109
PID 5020 wrote to memory of 4268	5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe	109
PID 5020 wrote to memory of 4268	5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe	109
PID 5020 wrote to memory of 4484	5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe	110
PID 5020 wrote to memory of 4484	5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe	110
PID 5020 wrote to memory of 4484	5020	{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe	110
PID 4268 wrote to memory of 1172	4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe	111
PID 4268 wrote to memory of 1172	4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe	111
PID 4268 wrote to memory of 1172	4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe	111
PID 4268 wrote to memory of 4868	4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe	112
PID 4268 wrote to memory of 4868	4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe	112
PID 4268 wrote to memory of 4868	4268	{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe	112
PID 1172 wrote to memory of 4100	1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe	113
PID 1172 wrote to memory of 4100	1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe	113
PID 1172 wrote to memory of 4100	1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe	113
PID 1172 wrote to memory of 2140	1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe	114
PID 1172 wrote to memory of 2140	1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe	114
PID 1172 wrote to memory of 2140	1172	{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe	114
PID 4100 wrote to memory of 1876	4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe	116
PID 4100 wrote to memory of 1876	4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe	116
PID 4100 wrote to memory of 1876	4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe	116
PID 4100 wrote to memory of 4968	4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe	115
PID 4100 wrote to memory of 4968	4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe	115
PID 4100 wrote to memory of 4968	4100	{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe	115
PID 1876 wrote to memory of 3140	1876	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe	117
PID 1876 wrote to memory of 3140	1876	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe	117
PID 1876 wrote to memory of 3140	1876	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe	117
PID 1876 wrote to memory of 2864	1876	{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_43ca1fc9711f0c9a1549147fa429bbd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe
  C:\Windows\{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe
    C:\Windows\{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe
      C:\Windows\{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6197~1.EXE > nul
        5⤵
        
        PID:428
    - - C:\Windows\{47659970-6569-482f-9B5F-00E444BE7D68}.exe
        
        C:\Windows\{47659970-6569-482f-9B5F-00E444BE7D68}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe
        
        C:\Windows\{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe
        
        C:\Windows\{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe
        
        C:\Windows\{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe
        
        C:\Windows\{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe
        
        C:\Windows\{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C14~1.EXE > nul
        11⤵
        
        PID:4968
        
        C:\Windows\{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe
        
        C:\Windows\{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{B36048EA-F180-4323-87C8-12E11479A02F}.exe
        
        C:\Windows\{B36048EA-F180-4323-87C8-12E11479A02F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Windows\{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}.exe
        
        C:\Windows\{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}.exe
        13⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3604~1.EXE > nul
        13⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31DCE~1.EXE > nul
        12⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA98A~1.EXE > nul
        10⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA35B~1.EXE > nul
        9⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{997B7~1.EXE > nul
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A047~1.EXE > nul
        7⤵
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47659~1.EXE > nul
        6⤵
        
        PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51BC8~1.EXE > nul
      4⤵
      PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F89EB~1.EXE > nul
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{31DCE6CC-F630-487a-9E56-7529BC03471D}.exe

Filesize
168KB

MD5
70109433069b6642f3c83dc80e61dc60

SHA1
8a015a992d9e1a964d6b0c592a69d021bd2aee42

SHA256
9dc464cda34cc4082f058485fdbc5496b914a17c49346fb99acd19af43aef5c2

SHA512
adb3101677e3fc53a183dacefef466499359831661c97819f2fe924220b0d581873365d5d720907783c757e8d593bb5f74b1089c482e0d2c7e3d2c43f738a101

Download Submit
C:\Windows\{3A047DCE-320E-4e62-A81B-A044A30FBCA0}.exe

Filesize
168KB

MD5
88113cde8fc7e090bba5f3afcef81fed

SHA1
916b70e023f373d192b41fe9813068fe85b0c974

SHA256
d8584f6b76cf2b5662aeb6e45eed499a5d4bef472e6a98c71f428653002a2414

SHA512
42f49c74d5559b552fd2e0334eb1ce908009296bc7b6f81d72e458ba21ea7fc95c2d9b1557da097fb5d345d5cecd35a0014c856638610c7ade7e196495878f6d

Download Submit
C:\Windows\{47659970-6569-482f-9B5F-00E444BE7D68}.exe

Filesize
35KB

MD5
2498fdb3e3ad08960c3e6f040a84804c

SHA1
c67236fea18bb9a481d83045ba2ba233830f7add

SHA256
a1e2e7502a3bcd854cdd132e041f0c9d83d07bb4d6e7de05042d6fb69f809771

SHA512
f46d5eb9d833a3bd57d9d22de86f8fd43d27584cf87cb118ab1f2006b4dbbf39cebcd19b009e88766c707f34e4966f3605eca6fe7d4ec4d1d75c7ecdaba5a72f

Download Submit
C:\Windows\{47659970-6569-482f-9B5F-00E444BE7D68}.exe

Filesize
38KB

MD5
db5536f9f79ea13eed4c270807fd5d57

SHA1
3f11f3789b0c7bb5a6d3299da039cf7c49f5262b

SHA256
a153efc7c422693a157899edd4a073b785762ab1581afe797abf373568ecca4c

SHA512
928d22b2ea26b24c187c2fab51acf068ea1943fb98c23afb510d8b8d8f4bf7b0de9422470566748a39a80f81a2c219c253b26df4cc330b1c1f646c4147c74c65

Download Submit
C:\Windows\{51BC8D19-5743-44fe-BFF2-CEDC937FCBEA}.exe

Filesize
168KB

MD5
36e7ebd5ea57b53d42a992c22f04e08c

SHA1
61b5ecd2dd3b9368b07c390160211a6eed1b9473

SHA256
08ea04987cd8dc134f848a187e9e932be33f6417c171974e6d2b615cccc21e8f

SHA512
5cd7ecc651b60dac641f989b6b3ac4dc549156cc85d8c9939db0cf12e7f0ebd95efd3b7f1a25fab7d4f19427c97845e9e95d8d82a2c239cd292545cac38c2e1f

Download Submit
C:\Windows\{997B7EC5-0A72-46f1-ACD9-37A95B651319}.exe

Filesize
168KB

MD5
0a76efc2388731e786cef8fde9e4f13e

SHA1
d5abefc6202b63ecd39c2db6b7285150f1ce6477

SHA256
f3ad8c1bc9d759832a771fb27b048bd22e8833776ad202e01b4a80297faf2215

SHA512
0c14c4ee0a8f6b8534f86763a84ac33f41f4746af9557ffdf9f308e783ab201401935c4e16b00e485592824bf50b626b8198caf07065ccd2191699b61e4dbdfa

Download Submit
C:\Windows\{A7C147BC-443A-46fc-86BA-FFDBD224D949}.exe

Filesize
168KB

MD5
e1a380f3eee2cf3ec4a328554b8a97cf

SHA1
9a02e7fdc9d2f82be033be8de3a90201e0497a0a

SHA256
580b7a9fc4c365f6022dd99d0206cf0704d132d05a908629370574e54adccb31

SHA512
d59bc9e552c6cf3833171e83d89a9438e904858574f27221f392258739ef2bee17fc93fc9f1117067c67284a8e2a0010f2b2ad3761a3d90c2e8b62939d72da05

Download Submit
C:\Windows\{B36048EA-F180-4323-87C8-12E11479A02F}.exe

Filesize
168KB

MD5
e88b2ca390fca95a15dbfdd06f2e2f73

SHA1
f37e54cb75f4a54b21e5ea08d671252aa16be06e

SHA256
f2352fd651d0c2608b0f442383afbc6a427517c7708580662a91637d694bcc76

SHA512
0f3069096669bf459d6f09d6d6a18d198b438cebe6659a2dc70428a73455eee21fab901f57a978b1f5390b571735727156548d52c0bcdbc2e81ee98070c4fed2

Download Submit
C:\Windows\{BA35B7C0-7AA7-4557-A80B-123C9F3CA807}.exe

Filesize
168KB

MD5
f42750f401b70497d0f03575825f046e

SHA1
820629732a1ea5fb2b38c4d1cbeeb8c90f7fb02c

SHA256
ea8469645c8c490d2e6c2d9db090b8d73a5d2b5a252f3ff34f605aea968906ad

SHA512
0206ea336d109da41acdbb9aed36a6233ae2dae3354348f788e3ecff1777b7447fbcade30af60728a38e2c75ced0344c9d8b340ba617a2faf5d6bf202c70314c

Download Submit
C:\Windows\{BA98A334-E15C-44c4-9673-5C1256C92A81}.exe

Filesize
168KB

MD5
3a1d027ebf7e5cf8eb80b93d29fe6552

SHA1
7b9bb77596f8cb95914f49fbfaa158ec63b49c59

SHA256
9539aa7d570697d21e1839482f4efe72ac8940e2e071a8da9fc0b111e7c79c85

SHA512
5301660fca3adc21295efe96bdce30f1e0e6c31508ed5e6034720e8b42499f4f867a6162a34c614df0e0a5e9e97dbbcab3af63515236ad1f9ddec7106ff0ade5

Download Submit
C:\Windows\{C5EC38E6-1DC1-47fb-BF3F-59280731FAA5}.exe

Filesize
168KB

MD5
1c5415b85648ad8925bbde580728463c

SHA1
faa5a0a04bbcc86073ce4bdd0416531f2ec73dd7

SHA256
1c1826563280627b4efbbbbb0996e725023779d9b212a503b987a64c0b626938

SHA512
72dfe3cf9f12f21ae48ddf62c8d5bb98b3e1bdb055e6c732e1ee97ae0c1cc34fd568b40abe1cc4555517c302629db96a915bbf15e96976047593a099be0718ce

Download Submit
C:\Windows\{C61977AB-94A3-49e8-8F1B-12EB849DB7D5}.exe

Filesize
168KB

MD5
0ac441f80135c542885d229dfa86db7a

SHA1
2fe41f55436259a165cb81a66d4b02e89f0c1672

SHA256
d4a9f7e7ad28fee6666a33cc0159bfb03d951fa739666974a2c4aaeb7f830ec0

SHA512
5cf22d72679f1d5a5c14bcf75549233a1ade1c922d7f9f088caa38f5f1da2309c0dd14cc71e0ae0e93e3c43d7389e71123418a6e8ff0d0227ca93af9adb865ef

Download Submit
C:\Windows\{F89EBB64-D24B-4e90-87C3-53D293671E13}.exe

Filesize
168KB

MD5
0e5bd7ef00d657503ca9210d3ee9fd50

SHA1
125f124e6d881f22b6d72efbd2f62a0a0bb426b4

SHA256
cab4d6447568ed6283b93a5623126da14f5a3678dfbe7977f0fcd7ba4028a8bd

SHA512
88f6fe4626df92da5443f5a316a142d3c3c01a2cc6a2af2c7075961a18f7ba7e888e0f58a60412811a34d929269d008a40d84158c36a0acb4cfcf9af1da95a4d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads