ebb5e1b0fe2aa739501b2da1755d927e614ed2f1872d7d2dad14c174a54525d3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Size

408KB
MD5

c8d45fe99f261d75ba6714704ae7931a
SHA1

f34032950e78e80d8cb65ec0961a5918ed02861c
SHA256

ebb5e1b0fe2aa739501b2da1755d927e614ed2f1872d7d2dad14c174a54525d3
SHA512

96b651eb5d71afa8bdc9f40f97c5127eb32affdc955ee78e7b61de0024b3756e7a39e99762624d01e4acb7e63edb846402cdd7295415059965bff51acf3acb0f
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGOldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023001-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023114-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002311a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023114-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002311a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0E4B79-CF06-4d67-B729-FC4674F37661}	{3210D525-8BDE-4952-B723-60216D3059A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0E4B79-CF06-4d67-B729-FC4674F37661}\stubpath = "C:\\Windows\\{CB0E4B79-CF06-4d67-B729-FC4674F37661}.exe"	{3210D525-8BDE-4952-B723-60216D3059A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F0918C-9556-4ba0-994B-E022BDD6CAED}\stubpath = "C:\\Windows\\{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe"	{608597FA-63D5-40bd-A382-C045A5595381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C60711-AD16-4d7a-A869-8B83B8444BD0}	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD32670-0DA9-4288-9053-D6A510FA8A5A}	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}\stubpath = "C:\\Windows\\{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe"	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3210D525-8BDE-4952-B723-60216D3059A4}	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3210D525-8BDE-4952-B723-60216D3059A4}\stubpath = "C:\\Windows\\{3210D525-8BDE-4952-B723-60216D3059A4}.exe"	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}\stubpath = "C:\\Windows\\{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe"	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD32670-0DA9-4288-9053-D6A510FA8A5A}\stubpath = "C:\\Windows\\{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe"	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6577D7A3-9017-4abe-9FD7-053DC3278DBE}\stubpath = "C:\\Windows\\{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe"	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{608597FA-63D5-40bd-A382-C045A5595381}\stubpath = "C:\\Windows\\{608597FA-63D5-40bd-A382-C045A5595381}.exe"	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F0918C-9556-4ba0-994B-E022BDD6CAED}	{608597FA-63D5-40bd-A382-C045A5595381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9616562-970E-4686-8C2A-F8641A7A35C3}	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}\stubpath = "C:\\Windows\\{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe"	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}\stubpath = "C:\\Windows\\{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe"	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{608597FA-63D5-40bd-A382-C045A5595381}	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9616562-970E-4686-8C2A-F8641A7A35C3}\stubpath = "C:\\Windows\\{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe"	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C60711-AD16-4d7a-A869-8B83B8444BD0}\stubpath = "C:\\Windows\\{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe"	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6577D7A3-9017-4abe-9FD7-053DC3278DBE}	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe

Executes dropped EXE 12 IoCs

pid	Process
208	{608597FA-63D5-40bd-A382-C045A5595381}.exe
1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe
1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe
3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe
4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe
4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe
4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe
4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe
1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe
4796	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe
2504	{3210D525-8BDE-4952-B723-60216D3059A4}.exe
2876	{CB0E4B79-CF06-4d67-B729-FC4674F37661}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe	{608597FA-63D5-40bd-A382-C045A5595381}.exe
File created	C:\Windows\{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe
File created	C:\Windows\{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe
File created	C:\Windows\{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe
File created	C:\Windows\{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe
File created	C:\Windows\{CB0E4B79-CF06-4d67-B729-FC4674F37661}.exe	{3210D525-8BDE-4952-B723-60216D3059A4}.exe
File created	C:\Windows\{608597FA-63D5-40bd-A382-C045A5595381}.exe	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
File created	C:\Windows\{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe
File created	C:\Windows\{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe
File created	C:\Windows\{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe
File created	C:\Windows\{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe
File created	C:\Windows\{3210D525-8BDE-4952-B723-60216D3059A4}.exe	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2264	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	208	{608597FA-63D5-40bd-A382-C045A5595381}.exe
Token: SeIncBasePriorityPrivilege	1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe
Token: SeIncBasePriorityPrivilege	1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe
Token: SeIncBasePriorityPrivilege	3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe
Token: SeIncBasePriorityPrivilege	4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe
Token: SeIncBasePriorityPrivilege	4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe
Token: SeIncBasePriorityPrivilege	4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe
Token: SeIncBasePriorityPrivilege	4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe
Token: SeIncBasePriorityPrivilege	1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe
Token: SeIncBasePriorityPrivilege	4796	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe
Token: SeIncBasePriorityPrivilege	2504	{3210D525-8BDE-4952-B723-60216D3059A4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 208	2264	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	93
PID 2264 wrote to memory of 208	2264	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	93
PID 2264 wrote to memory of 208	2264	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	93
PID 2264 wrote to memory of 2952	2264	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	94
PID 2264 wrote to memory of 2952	2264	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	94
PID 2264 wrote to memory of 2952	2264	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	94
PID 208 wrote to memory of 1464	208	{608597FA-63D5-40bd-A382-C045A5595381}.exe	98
PID 208 wrote to memory of 1464	208	{608597FA-63D5-40bd-A382-C045A5595381}.exe	98
PID 208 wrote to memory of 1464	208	{608597FA-63D5-40bd-A382-C045A5595381}.exe	98
PID 208 wrote to memory of 1364	208	{608597FA-63D5-40bd-A382-C045A5595381}.exe	99
PID 208 wrote to memory of 1364	208	{608597FA-63D5-40bd-A382-C045A5595381}.exe	99
PID 208 wrote to memory of 1364	208	{608597FA-63D5-40bd-A382-C045A5595381}.exe	99
PID 1464 wrote to memory of 1348	1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe	101
PID 1464 wrote to memory of 1348	1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe	101
PID 1464 wrote to memory of 1348	1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe	101
PID 1464 wrote to memory of 4460	1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe	102
PID 1464 wrote to memory of 4460	1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe	102
PID 1464 wrote to memory of 4460	1464	{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe	102
PID 1348 wrote to memory of 3800	1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe	103
PID 1348 wrote to memory of 3800	1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe	103
PID 1348 wrote to memory of 3800	1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe	103
PID 1348 wrote to memory of 2328	1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe	104
PID 1348 wrote to memory of 2328	1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe	104
PID 1348 wrote to memory of 2328	1348	{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe	104
PID 3800 wrote to memory of 4576	3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe	105
PID 3800 wrote to memory of 4576	3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe	105
PID 3800 wrote to memory of 4576	3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe	105
PID 3800 wrote to memory of 3996	3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe	106
PID 3800 wrote to memory of 3996	3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe	106
PID 3800 wrote to memory of 3996	3800	{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe	106
PID 4576 wrote to memory of 4560	4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe	107
PID 4576 wrote to memory of 4560	4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe	107
PID 4576 wrote to memory of 4560	4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe	107
PID 4576 wrote to memory of 3660	4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe	108
PID 4576 wrote to memory of 3660	4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe	108
PID 4576 wrote to memory of 3660	4576	{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe	108
PID 4560 wrote to memory of 4232	4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe	109
PID 4560 wrote to memory of 4232	4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe	109
PID 4560 wrote to memory of 4232	4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe	109
PID 4560 wrote to memory of 2088	4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe	110
PID 4560 wrote to memory of 2088	4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe	110
PID 4560 wrote to memory of 2088	4560	{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe	110
PID 4232 wrote to memory of 4344	4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe	111
PID 4232 wrote to memory of 4344	4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe	111
PID 4232 wrote to memory of 4344	4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe	111
PID 4232 wrote to memory of 4656	4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe	112
PID 4232 wrote to memory of 4656	4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe	112
PID 4232 wrote to memory of 4656	4232	{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe	112
PID 4344 wrote to memory of 1612	4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe	113
PID 4344 wrote to memory of 1612	4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe	113
PID 4344 wrote to memory of 1612	4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe	113
PID 4344 wrote to memory of 2124	4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe	114
PID 4344 wrote to memory of 2124	4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe	114
PID 4344 wrote to memory of 2124	4344	{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe	114
PID 1612 wrote to memory of 4796	1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe	115
PID 1612 wrote to memory of 4796	1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe	115
PID 1612 wrote to memory of 4796	1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe	115
PID 1612 wrote to memory of 4228	1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe	116
PID 1612 wrote to memory of 4228	1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe	116
PID 1612 wrote to memory of 4228	1612	{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe	116
PID 4796 wrote to memory of 2504	4796	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe	117
PID 4796 wrote to memory of 2504	4796	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe	117
PID 4796 wrote to memory of 2504	4796	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe	117
PID 4796 wrote to memory of 3524	4796	{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\{608597FA-63D5-40bd-A382-C045A5595381}.exe
  C:\Windows\{608597FA-63D5-40bd-A382-C045A5595381}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe
    C:\Windows\{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe
      C:\Windows\{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe
        
        C:\Windows\{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3800
      - C:\Windows\{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe
        
        C:\Windows\{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe
        
        C:\Windows\{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe
        
        C:\Windows\{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe
        
        C:\Windows\{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe
        
        C:\Windows\{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe
        
        C:\Windows\{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{3210D525-8BDE-4952-B723-60216D3059A4}.exe
        
        C:\Windows\{3210D525-8BDE-4952-B723-60216D3059A4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\{CB0E4B79-CF06-4d67-B729-FC4674F37661}.exe
        
        C:\Windows\{CB0E4B79-CF06-4d67-B729-FC4674F37661}.exe
        13⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3210D~1.EXE > nul
        13⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E8BB~1.EXE > nul
        12⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6577D~1.EXE > nul
        11⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD32~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2267~1.EXE > nul
        9⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C759~1.EXE > nul
        8⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99C60~1.EXE > nul
        7⤵
        
        PID:3660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54CF3~1.EXE > nul
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9616~1.EXE > nul
        5⤵
        
        PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{30F09~1.EXE > nul
      4⤵
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60859~1.EXE > nul
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{30F0918C-9556-4ba0-994B-E022BDD6CAED}.exe

Filesize
408KB

MD5
7e45543a810f5c807c02a07d586f786e

SHA1
b93f6421c73782a43510a5336e4c4ae35c422802

SHA256
8595d3a99a61d5a5bbdcf5bc6f6348e5a2dd78953bbb0df8351d8fc5b10fa1bc

SHA512
29c7c09dc5f7753941f2f0737289854f546550e05b2476ddc3f3c8fb557995cfecda6d58bf1f64dba8ddc1a57c6c1b13a2b439df62a8583fd2f9d4b1cd5e7db3

Download Submit
C:\Windows\{3210D525-8BDE-4952-B723-60216D3059A4}.exe

Filesize
408KB

MD5
747cd81cc6d5a5f1fa6b3d60235e38be

SHA1
1ee73f07a091323f1ecf79012af365977e8476d7

SHA256
40d5027d50af752fd531bffe36aae2c958330a57e1eee8207e48d891706082b4

SHA512
96f71fd1bb8c15febba13e78a11861e7a903f92155d0fa628ea8b8c787c706d55c3fecdf283d15990eb9e9a1d07fda2280fe387b9c991c8bbf5f04e154819d1d

Download Submit
C:\Windows\{3BD32670-0DA9-4288-9053-D6A510FA8A5A}.exe

Filesize
408KB

MD5
922bbbe2eea88930a800298fa3a88b6c

SHA1
3693bb6fc266bd2ccc5c7c2e6c5f0199440af540

SHA256
b567bf328015a406e0aab7088d8b1989244635bb3e2fcff8ddb67033edc3c267

SHA512
815cc011f53877e8e615fa551b63d3d3f01e18fd4fc0f2bc5956deafce0d3ee4c73109c5620eb1a4def1d22dafa919f18d86ce10862bb97499aca6d3405c9141

Download Submit
C:\Windows\{3C7593F4-9FD2-4c8e-BA1F-AED596F72143}.exe

Filesize
408KB

MD5
5c125a58c4d28c3e498558f93822a6c2

SHA1
e771ae55d2879b009a068348183c04fae8f8a204

SHA256
3c6f64a964e620262b8183ddfa2f6d9621db3881edf624c3d6e9cad7c73d0df9

SHA512
8b91fb6611e2e154a813bee1fb53b34ff4de6a34a462758c6aaee4d130b80bdaa5766e881d379ba637171cc14c4b61dc6ba6bae14365dc40aab8984cacfe304b

Download Submit
C:\Windows\{54CF3F2F-7F70-4239-AA4F-1FDA932ACB40}.exe

Filesize
408KB

MD5
f3f03bd19bf743e2cfe3f29f40b2217c

SHA1
1c12c56226c81c5d69eba610572a77dcd2cd9b8a

SHA256
09ea006b0ed31992cf445b7b50e445bea143ad9dac235f2971702b9a670c6d15

SHA512
c9d1d20c57586ede9334e6c90821dc551875737d9b70cfddfaffd747a567c282342661f9c967353b7b6b5d00589d212abd92b9a707d9b94eb58ccea73ff02eb8

Download Submit
C:\Windows\{608597FA-63D5-40bd-A382-C045A5595381}.exe

Filesize
408KB

MD5
744a64abf63d109c67a19d5c8f12a7a6

SHA1
6df6bb937a2becf616e9f0fd02fbe6f68d427689

SHA256
c01b444c079c0f948bec41b85b47e098df48ab6b2862c2e384b653ec02b8e3f6

SHA512
04e07db46d551d97ac28f3d14df26b620efdc9b4e9bf804a8aa52b85157b7534e34f2da54788a8398efd8dcaf63ba392acc996101b16b8d170f31fbc6e9d71fc

Download Submit
C:\Windows\{6577D7A3-9017-4abe-9FD7-053DC3278DBE}.exe

Filesize
408KB

MD5
fc457bf24379f4c09e3f09514721820e

SHA1
3fae1dcad10a657a1967c84263d8838d78115c75

SHA256
f552493257b26553ee10c7d2953c14889ab61937c3e77ef32340b4bf4bb2fe60

SHA512
44421991b0abbb3d374c32da5be16fd8c72665ac31fe44b912753c3ab1c51f8d9bd2d500622b1bd307b942bad962d698e7be2e1844974581b1fe73276976aa98

Download Submit
C:\Windows\{7E8BB0AB-5894-4cc1-84F5-E70E2E19532C}.exe

Filesize
408KB

MD5
ee368967b8f9187d9e365e500ba2aba3

SHA1
b9026cf90b2740ca981477649668a8fa67d66d7e

SHA256
86a137829927674232773d26224db9041f60f3286621d98a89c3c669f4927416

SHA512
f47040df77e389b526eeb8ae71488fe9d84ff489516d952b058b18187abad8229c9d78740b6e2ba3f86c0a215410e1ecede96371553391b6a1deb2afa7c8fb9e

Download Submit
C:\Windows\{99C60711-AD16-4d7a-A869-8B83B8444BD0}.exe

Filesize
408KB

MD5
74dab8a9b693b76be51d4a9de14ec74c

SHA1
874efe059ada79c98c9c3a6d4109082d245a5768

SHA256
ccc09589af915fa0c2d452b5447f1f37cb859e98d5be4663a12b575e253630f3

SHA512
f81545ca17871784d5e894b1a42c24ae28f38407c8382d1c52efad3189631e3c541740a59ec25649c32e86a81ea3752905e631714d9c381bc7017d2fe2cd9eb1

Download Submit
C:\Windows\{B9616562-970E-4686-8C2A-F8641A7A35C3}.exe

Filesize
408KB

MD5
93bb616dc33d118a8bd182db56cc7d31

SHA1
5b9e2c155962cbf7d250b33132838a50958c7a2a

SHA256
1c7c7f93e523fd78b0c1276dc5e060a2174815794bbad4753f2cf519c36a7f0d

SHA512
bf0010f74c735db8422ff73961a9d36ab2c1208fa5971f39f212978054d7ed30cb08134df4e627ba471b6be38db1f36a04459c5c0feb2d3f24a3cba81d4935bd

Download Submit
C:\Windows\{CB0E4B79-CF06-4d67-B729-FC4674F37661}.exe

Filesize
408KB

MD5
aa15c3a6e97d49ec8b80bfde87196166

SHA1
76949d4969c72e8fecf80d4618185c7f35bd06a8

SHA256
943851d66f612f5a97ca30f16f13418221e2ad88b45e7feda0e0cc965e5264f1

SHA512
4cbc5ccd68fdc310c3b0bdabf7c4c69e159ea1b77368089a64237f858719a82d8aca3566c64d9fc97fcc92144ee364a0187f65cdc40d7b8250d8986830d2df4f

Download Submit
C:\Windows\{D226787F-7A5D-43b4-9B2C-61AB131BB5C8}.exe

Filesize
408KB

MD5
81a2eae2515edd41f3e4d42fc9e149c4

SHA1
1a714856f18cb25199d50bad11788023c527572e

SHA256
ed414c4c25022a28d56450ce1c675643f37ef9e3e949c07686057074aa291b3c

SHA512
e7e801380629a45a4fdff383c35df1984d4e6e46e7c6a73d6bb00350afb5ba8c6aae8efc256c27df4818a6a8b604fda392c6d4dcbec9ea5be5fe5cd38e77813a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads