68c82f335cd79a5cd55376a011bef9f2c9ec21b41f73cc2240defd0e61117f6f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe
Size

216KB
MD5

21deda6bab21a9d91af68e2bfac67243
SHA1

1207a0da9cb9e2c1034fba11f3e531fe1072e437
SHA256

68c82f335cd79a5cd55376a011bef9f2c9ec21b41f73cc2240defd0e61117f6f
SHA512

2da6002b30943f2f3134642964bc4b10e62a0b52976170fc82f42a6ebca02d04664bdd56dc7ca54e4e5455a8d963b7cebbfd543f9b1a52d923b8d177a2b1086e
SSDEEP

3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGhlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023213-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023213-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320e-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320e-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97553E9F-C070-4221-980F-27CF0F385322}	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34B4B5B0-B232-4e86-80CC-2C14748C3437}\stubpath = "C:\\Windows\\{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe"	{97553E9F-C070-4221-980F-27CF0F385322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}\stubpath = "C:\\Windows\\{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe"	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E2F9D8D-0707-44f2-8680-93014786E1BC}	{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAF57142-9003-497c-945E-24BFEA06F4E4}	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2411FEC-7660-4453-B649-618FA96CEB83}\stubpath = "C:\\Windows\\{F2411FEC-7660-4453-B649-618FA96CEB83}.exe"	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5051804C-5B03-43b5-A9AF-4E2E81839423}\stubpath = "C:\\Windows\\{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe"	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97553E9F-C070-4221-980F-27CF0F385322}\stubpath = "C:\\Windows\\{97553E9F-C070-4221-980F-27CF0F385322}.exe"	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E2F9D8D-0707-44f2-8680-93014786E1BC}\stubpath = "C:\\Windows\\{2E2F9D8D-0707-44f2-8680-93014786E1BC}.exe"	{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}\stubpath = "C:\\Windows\\{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe"	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A094AF-ECDE-4f4b-AC0C-64845D226612}	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}\stubpath = "C:\\Windows\\{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe"	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}\stubpath = "C:\\Windows\\{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe"	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAF57142-9003-497c-945E-24BFEA06F4E4}\stubpath = "C:\\Windows\\{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe"	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2411FEC-7660-4453-B649-618FA96CEB83}	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5051804C-5B03-43b5-A9AF-4E2E81839423}	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}\stubpath = "C:\\Windows\\{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe"	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34B4B5B0-B232-4e86-80CC-2C14748C3437}	{97553E9F-C070-4221-980F-27CF0F385322}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A094AF-ECDE-4f4b-AC0C-64845D226612}\stubpath = "C:\\Windows\\{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe"	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe

Executes dropped EXE 12 IoCs

pid	Process
648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe
4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe
4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe
2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe
4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe
2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe
4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe
4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe
4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe
4628	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe
2316	{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe
4468	{2E2F9D8D-0707-44f2-8680-93014786E1BC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe
File created	C:\Windows\{F2411FEC-7660-4453-B649-618FA96CEB83}.exe	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe
File created	C:\Windows\{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe
File created	C:\Windows\{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe
File created	C:\Windows\{97553E9F-C070-4221-980F-27CF0F385322}.exe	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe
File created	C:\Windows\{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe	{97553E9F-C070-4221-980F-27CF0F385322}.exe
File created	C:\Windows\{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe
File created	C:\Windows\{2E2F9D8D-0707-44f2-8680-93014786E1BC}.exe	{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe
File created	C:\Windows\{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe
File created	C:\Windows\{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe
File created	C:\Windows\{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe
File created	C:\Windows\{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1376	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe
Token: SeIncBasePriorityPrivilege	648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe
Token: SeIncBasePriorityPrivilege	4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe
Token: SeIncBasePriorityPrivilege	4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe
Token: SeIncBasePriorityPrivilege	2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe
Token: SeIncBasePriorityPrivilege	4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe
Token: SeIncBasePriorityPrivilege	2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe
Token: SeIncBasePriorityPrivilege	4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe
Token: SeIncBasePriorityPrivilege	4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe
Token: SeIncBasePriorityPrivilege	4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe
Token: SeIncBasePriorityPrivilege	4628	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe
Token: SeIncBasePriorityPrivilege	2316	{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 648	1376	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe	96
PID 1376 wrote to memory of 648	1376	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe	96
PID 1376 wrote to memory of 648	1376	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe	96
PID 1376 wrote to memory of 2504	1376	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe	95
PID 1376 wrote to memory of 2504	1376	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe	95
PID 1376 wrote to memory of 2504	1376	2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe	95
PID 648 wrote to memory of 4472	648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe	97
PID 648 wrote to memory of 4472	648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe	97
PID 648 wrote to memory of 4472	648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe	97
PID 648 wrote to memory of 2764	648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe	98
PID 648 wrote to memory of 2764	648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe	98
PID 648 wrote to memory of 2764	648	{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe	98
PID 4472 wrote to memory of 4304	4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe	101
PID 4472 wrote to memory of 4304	4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe	101
PID 4472 wrote to memory of 4304	4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe	101
PID 4472 wrote to memory of 2056	4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe	100
PID 4472 wrote to memory of 2056	4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe	100
PID 4472 wrote to memory of 2056	4472	{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe	100
PID 4304 wrote to memory of 2012	4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe	102
PID 4304 wrote to memory of 2012	4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe	102
PID 4304 wrote to memory of 2012	4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe	102
PID 4304 wrote to memory of 1144	4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe	103
PID 4304 wrote to memory of 1144	4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe	103
PID 4304 wrote to memory of 1144	4304	{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe	103
PID 2012 wrote to memory of 4908	2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe	104
PID 2012 wrote to memory of 4908	2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe	104
PID 2012 wrote to memory of 4908	2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe	104
PID 2012 wrote to memory of 4844	2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe	105
PID 2012 wrote to memory of 4844	2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe	105
PID 2012 wrote to memory of 4844	2012	{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe	105
PID 4908 wrote to memory of 2860	4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe	106
PID 4908 wrote to memory of 2860	4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe	106
PID 4908 wrote to memory of 2860	4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe	106
PID 4908 wrote to memory of 4632	4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe	107
PID 4908 wrote to memory of 4632	4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe	107
PID 4908 wrote to memory of 4632	4908	{F2411FEC-7660-4453-B649-618FA96CEB83}.exe	107
PID 2860 wrote to memory of 4408	2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe	108
PID 2860 wrote to memory of 4408	2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe	108
PID 2860 wrote to memory of 4408	2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe	108
PID 2860 wrote to memory of 4512	2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe	109
PID 2860 wrote to memory of 4512	2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe	109
PID 2860 wrote to memory of 4512	2860	{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe	109
PID 4408 wrote to memory of 4216	4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe	110
PID 4408 wrote to memory of 4216	4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe	110
PID 4408 wrote to memory of 4216	4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe	110
PID 4408 wrote to memory of 1216	4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe	111
PID 4408 wrote to memory of 1216	4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe	111
PID 4408 wrote to memory of 1216	4408	{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe	111
PID 4216 wrote to memory of 4180	4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe	112
PID 4216 wrote to memory of 4180	4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe	112
PID 4216 wrote to memory of 4180	4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe	112
PID 4216 wrote to memory of 4572	4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe	113
PID 4216 wrote to memory of 4572	4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe	113
PID 4216 wrote to memory of 4572	4216	{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe	113
PID 4180 wrote to memory of 4628	4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe	114
PID 4180 wrote to memory of 4628	4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe	114
PID 4180 wrote to memory of 4628	4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe	114
PID 4180 wrote to memory of 2908	4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe	115
PID 4180 wrote to memory of 2908	4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe	115
PID 4180 wrote to memory of 2908	4180	{97553E9F-C070-4221-980F-27CF0F385322}.exe	115
PID 4628 wrote to memory of 2316	4628	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe	116
PID 4628 wrote to memory of 2316	4628	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe	116
PID 4628 wrote to memory of 2316	4628	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe	116
PID 4628 wrote to memory of 4692	4628	{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_21deda6bab21a9d91af68e2bfac67243_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2504
- C:\Windows\{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe
  C:\Windows\{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe
    C:\Windows\{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBEA8~1.EXE > nul
      4⤵
      PID:2056
  - - C:\Windows\{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe
      C:\Windows\{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Windows\{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe
        
        C:\Windows\{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\{F2411FEC-7660-4453-B649-618FA96CEB83}.exe
        
        C:\Windows\{F2411FEC-7660-4453-B649-618FA96CEB83}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe
        
        C:\Windows\{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe
        
        C:\Windows\{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe
        
        C:\Windows\{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{97553E9F-C070-4221-980F-27CF0F385322}.exe
        
        C:\Windows\{97553E9F-C070-4221-980F-27CF0F385322}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe
        
        C:\Windows\{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe
        
        C:\Windows\{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{2E2F9D8D-0707-44f2-8680-93014786E1BC}.exe
        
        C:\Windows\{2E2F9D8D-0707-44f2-8680-93014786E1BC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A6DD~1.EXE > nul
        13⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34B4B~1.EXE > nul
        12⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97553~1.EXE > nul
        11⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74E7D~1.EXE > nul
        10⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC1F~1.EXE > nul
        9⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50518~1.EXE > nul
        8⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2411~1.EXE > nul
        7⤵
        
        PID:4632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{286D9~1.EXE > nul
        6⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88A09~1.EXE > nul
        5⤵
        
        PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF57~1.EXE > nul
    3⤵
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BC1F3C5-E928-48b2-A838-FB9204B05BF2}.exe

Filesize
216KB

MD5
cd38c18c9ca9a0a62bd20e3b75814498

SHA1
b3a3ae6ad4febcfa7baa2296ca8b6f592e1f4c56

SHA256
3be43a22f2c3a856d47b7d87ea6f5297c621a3beeb421efad80b419c658f4d01

SHA512
9b64ca51d2b7bdcbf31f1c501255bf802ffd73b2d5e5653dac12efcfd670f4fdf2ee33d0d00828fecdbf6c32e10d640e760304547a15cb146ad5271ac7f80232

Download Submit
C:\Windows\{1A6DDC63-1D95-4a3e-AECE-1D40D35830A2}.exe

Filesize
216KB

MD5
0f079b099c98304601ee87f2fe975af8

SHA1
1df0e4928b422d94b6147e13f8b18e389dffc692

SHA256
03061c00038670335bf4852c871847d69bf1c3dbbe8da23301609739d900d003

SHA512
bdf49f0c284348b923611888a62ea77fd535737b8bc8b112b4a634a950f1fbf10a18ffd9abae55af8bbbd1f7006242ddd4dcdb6159d1861ee9bbd286f001a329

Download Submit
C:\Windows\{286D91D9-292B-4cbb-8D7F-C5DAEB0CA172}.exe

Filesize
216KB

MD5
98033b3264be8f65f505094319dd7316

SHA1
577a2f8bc9e877c0f5a229cc308bf8a85ba578ed

SHA256
dd24c992645d119941f054a30cb63ca9feb1e68b7af21871cc6e9ef3857de78c

SHA512
2fc6cc734bef677251b11053ce0e2739fdbd6c9ea3ef05d96ac0f5095e0f45a3fe06c36bd9b571b933c6a55e9e48ca41824341d5e0132c76fce7a0054cbdb713

Download Submit
C:\Windows\{2E2F9D8D-0707-44f2-8680-93014786E1BC}.exe

Filesize
216KB

MD5
63eecd54ed58c03cc017c3aaa5882951

SHA1
fe0f06307976d1e6c24fbe816e12e2f8f06f559d

SHA256
973e7adfd8e2e195262067b9f526a0bf0387869133735cb3e9fed3917c39fcce

SHA512
e91f6f6fbd8dedf62122dc77bf728b95af80dc0c51e5bb6b43511f169a9d64f842aa3eaf6acfb0f12391adcd09e77ea50eb1e3b142909d326f45c49fc28bf392

Download Submit
C:\Windows\{34B4B5B0-B232-4e86-80CC-2C14748C3437}.exe

Filesize
216KB

MD5
fd3eed6b02a021a81120fe9c1c8a40c7

SHA1
ad5c52048f2b1eeec0e1d463d9866f42c298f937

SHA256
baa41841b5860f145d9b1ef360389c4e7d8febc190341a89c2e656f1deeff203

SHA512
f22fb713ddd94d5438e4404bea1b07e943df9c8cda4b673076f92792fba32537b965b025c9cca24cfa387800e5d59f4c1d24e72d4a6c177438a5eacf8bb607db

Download Submit
C:\Windows\{5051804C-5B03-43b5-A9AF-4E2E81839423}.exe

Filesize
216KB

MD5
5a4229fd936b52136a1fd973f08c73bf

SHA1
0f8ba761ee1b0d1bb67afbb2e13eccb2aa65dbc4

SHA256
610e7deb3f303552018198f28fe857255cefc59445e1394a7821a8a747e83675

SHA512
2f09f69a5e71019c33eed57e14f1e929417f5101674f96fa36a58b0fe26f6c1fe5d63b86c6af55af02641ef304963037daf160c1184cbfe12338c50771a32948

Download Submit
C:\Windows\{74E7D1F7-0351-4f79-AFDD-211CCBD5928D}.exe

Filesize
216KB

MD5
a6f92477e8261b494ba625d0653b0cb6

SHA1
717541d1b3697593b9b84ebc4a58e4edca2709f6

SHA256
29d2685b7a3e379540ffc10a24b82458e4656624746a6f4e345e0147738415c1

SHA512
d8f4899db76f218d5c5bb5687104c7b096db1779e4e6664dac6ade029a495b5a910118fda60a7ba2fb304b385145b33d33f20784db61af7db28f893ff78aecc9

Download Submit
C:\Windows\{88A094AF-ECDE-4f4b-AC0C-64845D226612}.exe

Filesize
216KB

MD5
68d003bb21ac4df8286c91286dade736

SHA1
45d62005af32128301f7424efdc8e06b8bbbd280

SHA256
039a4a5061b0a84256f62b22b5ff5ee4896c6ab857a546b4e1af37de1a3a34d9

SHA512
800ed90bd3fa3550db8a8c44046ad5e315e743b2a2dbba702572a05c9f4f336a7e11b57ff285d5ca6640aaad32e0cbeacbba775d990566b14cf9a7dd2bad6440

Download Submit
C:\Windows\{97553E9F-C070-4221-980F-27CF0F385322}.exe

Filesize
216KB

MD5
877599f22c48034cbf6e9f52af056bef

SHA1
4870a9a65337f6331997f19f353a0126b0e303e5

SHA256
c62fae5750eb051c4d058e4291c85db98378a76e7f36ddcdb52c854a93413521

SHA512
4299b8cecd8bfea9a3bf8e948f21b5311646d251ecccdf2783c94b8a2b65e170b3b60051916537df08b1e3e0afadf36b42ddd0fd406b5b9d284f4ae4b69c1806

Download Submit
C:\Windows\{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe

Filesize
196KB

MD5
b602439a8d89837a28d745e894a7171b

SHA1
1f48db7e1ecf6ed1d75a64d885a25c973d4e9203

SHA256
aae74dfdb829c61e68ad76df08735ae26454d332457ac9dc239c28fbae85aa0e

SHA512
106a8e349a750f203868bef0c644aae39d914822108eb857504e941d270f7188a7fdf539050e0b54a28b92d1ebfbf543b0268f70c83cc64acebb386323d36c70

Download Submit
C:\Windows\{CAF57142-9003-497c-945E-24BFEA06F4E4}.exe

Filesize
216KB

MD5
5351da17f949b565d2cda4ee67942c40

SHA1
f6264094fd66932eee6c34a770a69c3548f1efb4

SHA256
03ff7e74ec796a27167acd7a79abf0e15fa1d224029037fa89181ea9aad63536

SHA512
0834f1f2cc3c2d42288fd4d5857aece20853bde6389544d0d3780d5002bfe7d119b13f868bad744694def0c048d0485341b11953dc7c2d641c6265a4bd143e49

Download Submit
C:\Windows\{F2411FEC-7660-4453-B649-618FA96CEB83}.exe

Filesize
216KB

MD5
22385eb19d6711a4b15b216b8de1d4be

SHA1
511184585e923496ef84247c68f8a825989df445

SHA256
fc979e5583eb3780c6d4123dab16768a66448f85ddde6901588a30f33e49e29b

SHA512
25317ba59034e5d8b04265ba2fca21d49a7d79c35f6c6bf561eafa59b77ca27e5de5cf23380f6259a1cf0cbfb0d7b42ef6a871a4ff9a31c56943b7c4549176d9

Download Submit
C:\Windows\{FBEA897A-BA3D-427c-AD45-1E44C80C4E64}.exe

Filesize
216KB

MD5
b73bd5bc0c07af6cc12f3e2853e45a59

SHA1
86b77a45286c5b70fe56157683b76eaad03276a3

SHA256
ba392b21f393de6105cb88c5b19a6ace34b07dc8be42c64930ed2da9da75514b

SHA512
5ad839f8a1d3605084461a75d66fd34aef7108276e74f40200f3c16fd90f6b8d5d37ad6a6af24e8c6fca2fd3d39f83e6bbeb2c7bd34f9950967254a04a7770b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads