09f0f380852de773bac766a53f08c787664bb17c49958c90dce991eb104d2347

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe
Size

408KB
MD5

9afcce7aeaa503c77dbf092ae0584cc3
SHA1

542701d64d921d6dec0cdd3443acb94f76f3bd3d
SHA256

09f0f380852de773bac766a53f08c787664bb17c49958c90dce991eb104d2347
SHA512

edc99e45262accac276a15775562e95d6b8aa7a8d56937c749b288e203a6c73ecfbe1cdd3b18c614c4496dc5797add37a44c676c4aaa0f330c7cb7d7e29d06a4
SSDEEP

3072:CEGh0oZl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG/ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023000-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023109-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002311f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023109-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002311f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE930BA4-A298-4070-8517-B3C5B998B403}	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEF649A-2756-49f7-8958-DFA3D5ED8670}	{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}\stubpath = "C:\\Windows\\{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe"	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}\stubpath = "C:\\Windows\\{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe"	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDBE8A34-54C0-4b05-B556-8B53251F1383}	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDBE8A34-54C0-4b05-B556-8B53251F1383}\stubpath = "C:\\Windows\\{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe"	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C96C34D8-37AC-4280-B629-38A122A4D18C}\stubpath = "C:\\Windows\\{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe"	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C913094-49F0-4178-890A-606BCB3D1024}	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ED4E196-0E0E-4282-85DC-91E7B074D984}	{7C913094-49F0-4178-890A-606BCB3D1024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE434EC0-FB5D-4462-ADE8-C5B483646567}\stubpath = "C:\\Windows\\{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe"	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1173F24-37AF-484b-A519-44AA6D22FFC4}\stubpath = "C:\\Windows\\{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe"	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEF649A-2756-49f7-8958-DFA3D5ED8670}\stubpath = "C:\\Windows\\{0AEF649A-2756-49f7-8958-DFA3D5ED8670}.exe"	{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C96C34D8-37AC-4280-B629-38A122A4D18C}	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ED4E196-0E0E-4282-85DC-91E7B074D984}\stubpath = "C:\\Windows\\{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe"	{7C913094-49F0-4178-890A-606BCB3D1024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}\stubpath = "C:\\Windows\\{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe"	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE930BA4-A298-4070-8517-B3C5B998B403}\stubpath = "C:\\Windows\\{DE930BA4-A298-4070-8517-B3C5B998B403}.exe"	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDA70871-A64E-4f84-AE3D-E7FF279AE969}\stubpath = "C:\\Windows\\{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe"	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDA70871-A64E-4f84-AE3D-E7FF279AE969}	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C913094-49F0-4178-890A-606BCB3D1024}\stubpath = "C:\\Windows\\{7C913094-49F0-4178-890A-606BCB3D1024}.exe"	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE434EC0-FB5D-4462-ADE8-C5B483646567}	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1173F24-37AF-484b-A519-44AA6D22FFC4}	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe
3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe
2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe
2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe
4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe
2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe
4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe
3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe
5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe
4832	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe
3104	{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe
1004	{0AEF649A-2756-49f7-8958-DFA3D5ED8670}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe
File created	C:\Windows\{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe
File created	C:\Windows\{7C913094-49F0-4178-890A-606BCB3D1024}.exe	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe
File created	C:\Windows\{DE930BA4-A298-4070-8517-B3C5B998B403}.exe	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe
File created	C:\Windows\{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe
File created	C:\Windows\{0AEF649A-2756-49f7-8958-DFA3D5ED8670}.exe	{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe
File created	C:\Windows\{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe
File created	C:\Windows\{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe
File created	C:\Windows\{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe	{7C913094-49F0-4178-890A-606BCB3D1024}.exe
File created	C:\Windows\{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe
File created	C:\Windows\{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe
File created	C:\Windows\{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4064	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe
Token: SeIncBasePriorityPrivilege	3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe
Token: SeIncBasePriorityPrivilege	2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe
Token: SeIncBasePriorityPrivilege	2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe
Token: SeIncBasePriorityPrivilege	4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe
Token: SeIncBasePriorityPrivilege	2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe
Token: SeIncBasePriorityPrivilege	4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe
Token: SeIncBasePriorityPrivilege	3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe
Token: SeIncBasePriorityPrivilege	5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe
Token: SeIncBasePriorityPrivilege	4832	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe
Token: SeIncBasePriorityPrivilege	3104	{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4500	4064	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe	88
PID 4064 wrote to memory of 4500	4064	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe	88
PID 4064 wrote to memory of 4500	4064	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe	88
PID 4064 wrote to memory of 4796	4064	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe	89
PID 4064 wrote to memory of 4796	4064	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe	89
PID 4064 wrote to memory of 4796	4064	2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe	89
PID 4500 wrote to memory of 3056	4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe	95
PID 4500 wrote to memory of 3056	4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe	95
PID 4500 wrote to memory of 3056	4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe	95
PID 4500 wrote to memory of 2208	4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe	97
PID 4500 wrote to memory of 2208	4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe	97
PID 4500 wrote to memory of 2208	4500	{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe	97
PID 3056 wrote to memory of 2788	3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe	101
PID 3056 wrote to memory of 2788	3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe	101
PID 3056 wrote to memory of 2788	3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe	101
PID 3056 wrote to memory of 1916	3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe	100
PID 3056 wrote to memory of 1916	3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe	100
PID 3056 wrote to memory of 1916	3056	{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe	100
PID 2788 wrote to memory of 2804	2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe	102
PID 2788 wrote to memory of 2804	2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe	102
PID 2788 wrote to memory of 2804	2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe	102
PID 2788 wrote to memory of 5100	2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe	103
PID 2788 wrote to memory of 5100	2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe	103
PID 2788 wrote to memory of 5100	2788	{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe	103
PID 2804 wrote to memory of 4164	2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe	104
PID 2804 wrote to memory of 4164	2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe	104
PID 2804 wrote to memory of 4164	2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe	104
PID 2804 wrote to memory of 5008	2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe	105
PID 2804 wrote to memory of 5008	2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe	105
PID 2804 wrote to memory of 5008	2804	{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe	105
PID 4164 wrote to memory of 2500	4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe	106
PID 4164 wrote to memory of 2500	4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe	106
PID 4164 wrote to memory of 2500	4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe	106
PID 4164 wrote to memory of 4416	4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe	107
PID 4164 wrote to memory of 4416	4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe	107
PID 4164 wrote to memory of 4416	4164	{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe	107
PID 2500 wrote to memory of 4460	2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe	108
PID 2500 wrote to memory of 4460	2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe	108
PID 2500 wrote to memory of 4460	2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe	108
PID 2500 wrote to memory of 2296	2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe	109
PID 2500 wrote to memory of 2296	2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe	109
PID 2500 wrote to memory of 2296	2500	{7C913094-49F0-4178-890A-606BCB3D1024}.exe	109
PID 4460 wrote to memory of 3540	4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe	110
PID 4460 wrote to memory of 3540	4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe	110
PID 4460 wrote to memory of 3540	4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe	110
PID 4460 wrote to memory of 5108	4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe	111
PID 4460 wrote to memory of 5108	4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe	111
PID 4460 wrote to memory of 5108	4460	{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe	111
PID 3540 wrote to memory of 5040	3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe	112
PID 3540 wrote to memory of 5040	3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe	112
PID 3540 wrote to memory of 5040	3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe	112
PID 3540 wrote to memory of 2080	3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe	113
PID 3540 wrote to memory of 2080	3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe	113
PID 3540 wrote to memory of 2080	3540	{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe	113
PID 5040 wrote to memory of 4832	5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe	114
PID 5040 wrote to memory of 4832	5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe	114
PID 5040 wrote to memory of 4832	5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe	114
PID 5040 wrote to memory of 1784	5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe	115
PID 5040 wrote to memory of 1784	5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe	115
PID 5040 wrote to memory of 1784	5040	{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe	115
PID 4832 wrote to memory of 3104	4832	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe	117
PID 4832 wrote to memory of 3104	4832	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe	117
PID 4832 wrote to memory of 3104	4832	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe	117
PID 4832 wrote to memory of 4088	4832	{DE930BA4-A298-4070-8517-B3C5B998B403}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_9afcce7aeaa503c77dbf092ae0584cc3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe
  C:\Windows\{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe
    C:\Windows\{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B810F~1.EXE > nul
      4⤵
      PID:1916
  - - C:\Windows\{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe
      C:\Windows\{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe
        
        C:\Windows\{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe
        
        C:\Windows\{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{7C913094-49F0-4178-890A-606BCB3D1024}.exe
        
        C:\Windows\{7C913094-49F0-4178-890A-606BCB3D1024}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe
        
        C:\Windows\{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe
        
        C:\Windows\{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe
        
        C:\Windows\{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{DE930BA4-A298-4070-8517-B3C5B998B403}.exe
        
        C:\Windows\{DE930BA4-A298-4070-8517-B3C5B998B403}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE930~1.EXE > nul
        12⤵
        
        PID:4088
        
        C:\Windows\{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe
        
        C:\Windows\{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Windows\{0AEF649A-2756-49f7-8958-DFA3D5ED8670}.exe
        
        C:\Windows\{0AEF649A-2756-49f7-8958-DFA3D5ED8670}.exe
        13⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE434~1.EXE > nul
        13⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{806D0~1.EXE > nul
        11⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A72FB~1.EXE > nul
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ED4E~1.EXE > nul
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C913~1.EXE > nul
        8⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C96C3~1.EXE > nul
        7⤵
        
        PID:4416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDA70~1.EXE > nul
        6⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDBE8~1.EXE > nul
        5⤵
        
        PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1173~1.EXE > nul
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AEF649A-2756-49f7-8958-DFA3D5ED8670}.exe

Filesize
408KB

MD5
0439ce3ff0564df7f98b07d8647ffadb

SHA1
f40125c5549e15a527978c8a5d49351c01e04aa0

SHA256
08e14210739abc0097f21cfaf79879b354bb005b4a74c402815cd2cb4fc766f9

SHA512
6f465d8db34d6ddf0a41a92cb5a7a20e1b45b6e712b4d567764d5ae26fd8b49fe35fb0ef2bce487090b05da26c5bff679efa79dc3239cfcadff8e8449b0405d0

Download Submit
C:\Windows\{0ED4E196-0E0E-4282-85DC-91E7B074D984}.exe

Filesize
408KB

MD5
44042925af3f7f54a0d6b7b2cdca53f6

SHA1
c1e998d3c146f18d54173a3e45d63fa570745bf1

SHA256
ccc8c4678080a9f8a852832206bee667c5aa2528be3b1faf1ecb5bd6682c3f92

SHA512
090de2d100802eeeb357a03fffebdfef1484a4644fad7cfab81e31fae38bc17d9b8130926f9c4c9f6f01b5d87179054378eea62b433fc536f88594eb924cedb1

Download Submit
C:\Windows\{7C913094-49F0-4178-890A-606BCB3D1024}.exe

Filesize
408KB

MD5
c9756a435de4756177afc50b5fe996c4

SHA1
a44de62d591d1656b313ed104221a540db9a1281

SHA256
d28f0ed261fd45d2530633c95f55c6a37bbd9cec7781bf18517ca78542f3c5b9

SHA512
35bd35b7333198660c60878080378c4729a768d1ce1d6001501fa96282b179e16bb40cd01256e4533dc6e9fe64f49f78ada6bc657592902511a4794d1c1041b7

Download Submit
C:\Windows\{806D0851-5FCC-4f55-9B2D-5B3CCF7D1934}.exe

Filesize
408KB

MD5
1f2f48faf6372c628970992123dfdb54

SHA1
06c50efcad7380174e912d1529d87b1eaaf97fca

SHA256
13c43c8f0f736f3ebbf307c49c768b0dfa2ff916bd7b0c660521dd88a8df5044

SHA512
189f9eadfcc9d639dff5e8910cd6cad53de1c24b28da67d643ae8a6369659ada6bbd5c091668421195758e67019e7075d9c0fff17956bc41ab0868dcf72cd791

Download Submit
C:\Windows\{A1173F24-37AF-484b-A519-44AA6D22FFC4}.exe

Filesize
408KB

MD5
e3d5e05604b8dc87d19f6e4318e8782d

SHA1
c622780141faa212ffcc60ebe01516aea1d75877

SHA256
dd10df9432da21ac94643a88632b12f4fd6845f6401db39cbc9f03a573d39515

SHA512
851da38ed0397635ed6f13a464c9707bc3bb59e1e092cd1e924fcac09879866743850078ecd221d4c831b1af5cd6981832895b28be621d62d91880c1f0d59fb1

Download Submit
C:\Windows\{A72FBE8C-41D5-4c0b-8D2B-7CA6011064E6}.exe

Filesize
408KB

MD5
2a9f6ba051fcaa3d1442eed7d3a5997a

SHA1
ba42394a89fbe9154beca78112f4f5f7c2e26202

SHA256
524598c42d64ab6650148b0c576fad291b89594fb7a620c01ab4c93313dc8d18

SHA512
a18bf349dd355dede12bed06a0e983b7d98a7354b2a47fde97472a9e04fe381f3f2755ab436eae06e5d4c34dc8d0d2b49a251ecfb2d2e10d6118aa974419d6b9

Download Submit
C:\Windows\{B810FACC-25EC-48a0-91D4-E052E0BA4EC8}.exe

Filesize
408KB

MD5
8e5b2b98231ccbb75a448090b9a2c0ef

SHA1
549772f660e02ea36f25cb40f543e1287611b8bf

SHA256
9ce7401f1c72b2b3135c6eb768e432acae8709e6769d57ca95b59279d07d6611

SHA512
b58a0894582227ffb144bf9467bbc83d03680c289fc419cbc09985f07a203ec4f5363440c1c54207e0ffcafbd0f94e29fcb2f5721df065fe010a227166f1e695

Download Submit
C:\Windows\{C96C34D8-37AC-4280-B629-38A122A4D18C}.exe

Filesize
408KB

MD5
4408bc7d149232d7b73fdd3f93c9766f

SHA1
ba233efed6b5b4eaa3a311e0811b203ea873cedb

SHA256
e9f451a44507ad93f2664b67ae629476d2ad24f26d817d5500a39e84714679e1

SHA512
b004262e29028f33e9784758939d3450dee29879552ff50193dfb3a72f3bbd4572f2540f3a9017e060b2e746c9c6a8048e5cc31219067d5d2e6986b7a977e075

Download Submit
C:\Windows\{CDA70871-A64E-4f84-AE3D-E7FF279AE969}.exe

Filesize
408KB

MD5
4b2c0e27a69a3888c56098fad23bcde2

SHA1
fec80e10bef0b2aec9f561ddadddd4d8cdb557ae

SHA256
d22a9b004af548454294e73fffcf175ca4d6a713ce846ebe39727d7561cdd92b

SHA512
23d76eda17399a658a7abfdf27c10fe11309ca126e7c91fcf97badd7db0695dbe1d064a7fa5ff80b4f697557014bfe9363f41c2037682e398160002d6f266a3f

Download Submit
C:\Windows\{DDBE8A34-54C0-4b05-B556-8B53251F1383}.exe

Filesize
408KB

MD5
ebdacd81af9034e209a6fadb98325254

SHA1
57af080c442c3f8613c2488e07c10797f06be852

SHA256
aa6638d54d95582d4f69d9c556c3197dd0e7db9e60a66d43287b2d46fba8ff17

SHA512
40d445aae4021cea15937d5298003ffd91b5f9464c4470b3fcd68c432cdc514f2f3544528c72e6c8c6a84a94dea4fa99ce3e7b34d79efefdd19b780662da03a5

Download Submit
C:\Windows\{DE930BA4-A298-4070-8517-B3C5B998B403}.exe

Filesize
408KB

MD5
71841a70026aa5c840308d28682ee6cc

SHA1
4385b2045664921133385cef9c3ae744d2cd2722

SHA256
25856dd896b5ce56dc9894b5a389e7f697f4c347b6551821ff7f3fb31f922b7a

SHA512
1073e9ef4f7b1ffde711ee74fed4b8c82f461e9d244da6d99a066d3db395bdbbcd3c8cf9019d852dfed11064828c5d6883c3df7443630ee8cf2335c9ff7c20d5

Download Submit
C:\Windows\{EE434EC0-FB5D-4462-ADE8-C5B483646567}.exe

Filesize
408KB

MD5
ba9a0143e9da9c823c0dd8751ecdb8eb

SHA1
354e82c28ba3b1adfc2c37caaf8c9e94893bbaf2

SHA256
260ca1d9cc7a2ba989d43e73c24887223704a1110023d470204f3e8f6beb8487

SHA512
d3baf03033e20a7d9cac5f4271a872b5cb4cd7aba41baac51ba99e2f158a78edd8cf35eb223a6e3390ced261a414ea108bbd1b1f79325b46a4ae62169f5607fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads