ef06f2bd5901bc299a92c99d45f7029d84214b8885a816d502085bcb9fac528e

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe
Size

380KB
MD5

81e223ac0a3a37ca500c6a921ce4dfdb
SHA1

59de425381df3c9149120c021823fb3738a99594
SHA256

ef06f2bd5901bc299a92c99d45f7029d84214b8885a816d502085bcb9fac528e
SHA512

0aca55c373546eff488f8ed50a4f782365d66c2231455813df1bd01c70598afd4ab4d6d5b75eb2fc057e69301b43a6747f88249df59c793b010d80d6c9b6e2c0
SSDEEP

3072:mEGh0o/lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGNl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000014237-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000142c9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00300000000146d4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e00000001482e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f00000001482e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001400000000b1f5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003000000001482e-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCBA692D-EBF0-4162-9E81-3660E484638A}\stubpath = "C:\\Windows\\{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe"	{B804D797-F135-4589-B08A-317C795D8EC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95A8369-9597-4803-814A-65CE4415982C}	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}\stubpath = "C:\\Windows\\{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe"	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}\stubpath = "C:\\Windows\\{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe"	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1DD571C-CA48-4473-A378-B8D5B95C30DC}\stubpath = "C:\\Windows\\{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe"	{18893826-AD92-42da-A263-6D24EC4420B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{440B4956-EC39-4e51-A66D-72FDFB9D63D2}\stubpath = "C:\\Windows\\{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe"	{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04C7E20B-0CCE-43fa-B666-48F538B8CD72}\stubpath = "C:\\Windows\\{04C7E20B-0CCE-43fa-B666-48F538B8CD72}.exe"	{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95A8369-9597-4803-814A-65CE4415982C}\stubpath = "C:\\Windows\\{E95A8369-9597-4803-814A-65CE4415982C}.exe"	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18893826-AD92-42da-A263-6D24EC4420B0}\stubpath = "C:\\Windows\\{18893826-AD92-42da-A263-6D24EC4420B0}.exe"	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B804D797-F135-4589-B08A-317C795D8EC7}\stubpath = "C:\\Windows\\{B804D797-F135-4589-B08A-317C795D8EC7}.exe"	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{297BE74F-CCE2-45fd-939D-3C958A419DF7}	{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55355D07-A10E-4fe0-A925-33588815B4A5}	{E95A8369-9597-4803-814A-65CE4415982C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55355D07-A10E-4fe0-A925-33588815B4A5}\stubpath = "C:\\Windows\\{55355D07-A10E-4fe0-A925-33588815B4A5}.exe"	{E95A8369-9597-4803-814A-65CE4415982C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B804D797-F135-4589-B08A-317C795D8EC7}	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCBA692D-EBF0-4162-9E81-3660E484638A}	{B804D797-F135-4589-B08A-317C795D8EC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{297BE74F-CCE2-45fd-939D-3C958A419DF7}\stubpath = "C:\\Windows\\{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe"	{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}	{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}\stubpath = "C:\\Windows\\{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe"	{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{440B4956-EC39-4e51-A66D-72FDFB9D63D2}	{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18893826-AD92-42da-A263-6D24EC4420B0}	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1DD571C-CA48-4473-A378-B8D5B95C30DC}	{18893826-AD92-42da-A263-6D24EC4420B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04C7E20B-0CCE-43fa-B666-48F538B8CD72}	{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe

Deletes itself 1 IoCs

pid	Process
1948	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe
2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe
2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe
2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe
2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe
2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe
1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe
2228	{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe
1560	{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe
2948	{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe
2084	{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe
3056	{04C7E20B-0CCE-43fa-B666-48F538B8CD72}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe
File created	C:\Windows\{B804D797-F135-4589-B08A-317C795D8EC7}.exe	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe
File created	C:\Windows\{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe	{B804D797-F135-4589-B08A-317C795D8EC7}.exe
File created	C:\Windows\{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe	{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe
File created	C:\Windows\{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe	{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe
File created	C:\Windows\{04C7E20B-0CCE-43fa-B666-48F538B8CD72}.exe	{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe
File created	C:\Windows\{E95A8369-9597-4803-814A-65CE4415982C}.exe	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe
File created	C:\Windows\{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	{E95A8369-9597-4803-814A-65CE4415982C}.exe
File created	C:\Windows\{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe
File created	C:\Windows\{18893826-AD92-42da-A263-6D24EC4420B0}.exe	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe
File created	C:\Windows\{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	{18893826-AD92-42da-A263-6D24EC4420B0}.exe
File created	C:\Windows\{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe	{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe
Token: SeIncBasePriorityPrivilege	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe
Token: SeIncBasePriorityPrivilege	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe
Token: SeIncBasePriorityPrivilege	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe
Token: SeIncBasePriorityPrivilege	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe
Token: SeIncBasePriorityPrivilege	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe
Token: SeIncBasePriorityPrivilege	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe
Token: SeIncBasePriorityPrivilege	2228	{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe
Token: SeIncBasePriorityPrivilege	1560	{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe
Token: SeIncBasePriorityPrivilege	2948	{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe
Token: SeIncBasePriorityPrivilege	2084	{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2140	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	28
PID 1340 wrote to memory of 2140	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	28
PID 1340 wrote to memory of 2140	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	28
PID 1340 wrote to memory of 2140	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	28
PID 1340 wrote to memory of 1948	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	29
PID 1340 wrote to memory of 1948	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	29
PID 1340 wrote to memory of 1948	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	29
PID 1340 wrote to memory of 1948	1340	2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe	29
PID 2140 wrote to memory of 2840	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	30
PID 2140 wrote to memory of 2840	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	30
PID 2140 wrote to memory of 2840	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	30
PID 2140 wrote to memory of 2840	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	30
PID 2140 wrote to memory of 2580	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	31
PID 2140 wrote to memory of 2580	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	31
PID 2140 wrote to memory of 2580	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	31
PID 2140 wrote to memory of 2580	2140	{E95A8369-9597-4803-814A-65CE4415982C}.exe	31
PID 2840 wrote to memory of 2616	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	34
PID 2840 wrote to memory of 2616	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	34
PID 2840 wrote to memory of 2616	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	34
PID 2840 wrote to memory of 2616	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	34
PID 2840 wrote to memory of 1476	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	35
PID 2840 wrote to memory of 1476	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	35
PID 2840 wrote to memory of 1476	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	35
PID 2840 wrote to memory of 1476	2840	{55355D07-A10E-4fe0-A925-33588815B4A5}.exe	35
PID 2616 wrote to memory of 2000	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	36
PID 2616 wrote to memory of 2000	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	36
PID 2616 wrote to memory of 2000	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	36
PID 2616 wrote to memory of 2000	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	36
PID 2616 wrote to memory of 1064	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	37
PID 2616 wrote to memory of 1064	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	37
PID 2616 wrote to memory of 1064	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	37
PID 2616 wrote to memory of 1064	2616	{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe	37
PID 2000 wrote to memory of 2876	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	39
PID 2000 wrote to memory of 2876	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	39
PID 2000 wrote to memory of 2876	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	39
PID 2000 wrote to memory of 2876	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	39
PID 2000 wrote to memory of 2892	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	38
PID 2000 wrote to memory of 2892	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	38
PID 2000 wrote to memory of 2892	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	38
PID 2000 wrote to memory of 2892	2000	{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe	38
PID 2876 wrote to memory of 2432	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	40
PID 2876 wrote to memory of 2432	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	40
PID 2876 wrote to memory of 2432	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	40
PID 2876 wrote to memory of 2432	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	40
PID 2876 wrote to memory of 796	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	41
PID 2876 wrote to memory of 796	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	41
PID 2876 wrote to memory of 796	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	41
PID 2876 wrote to memory of 796	2876	{18893826-AD92-42da-A263-6D24EC4420B0}.exe	41
PID 2432 wrote to memory of 1880	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	42
PID 2432 wrote to memory of 1880	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	42
PID 2432 wrote to memory of 1880	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	42
PID 2432 wrote to memory of 1880	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	42
PID 2432 wrote to memory of 1872	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	43
PID 2432 wrote to memory of 1872	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	43
PID 2432 wrote to memory of 1872	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	43
PID 2432 wrote to memory of 1872	2432	{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe	43
PID 1880 wrote to memory of 2228	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	44
PID 1880 wrote to memory of 2228	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	44
PID 1880 wrote to memory of 2228	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	44
PID 1880 wrote to memory of 2228	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	44
PID 1880 wrote to memory of 1684	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	45
PID 1880 wrote to memory of 1684	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	45
PID 1880 wrote to memory of 1684	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	45
PID 1880 wrote to memory of 1684	1880	{B804D797-F135-4589-B08A-317C795D8EC7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\{E95A8369-9597-4803-814A-65CE4415982C}.exe
  C:\Windows\{E95A8369-9597-4803-814A-65CE4415982C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\{55355D07-A10E-4fe0-A925-33588815B4A5}.exe
    C:\Windows\{55355D07-A10E-4fe0-A925-33588815B4A5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe
      C:\Windows\{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe
        
        C:\Windows\{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F3C8~1.EXE > nul
        6⤵
        
        PID:2892
      - C:\Windows\{18893826-AD92-42da-A263-6D24EC4420B0}.exe
        
        C:\Windows\{18893826-AD92-42da-A263-6D24EC4420B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe
        
        C:\Windows\{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{B804D797-F135-4589-B08A-317C795D8EC7}.exe
        
        C:\Windows\{B804D797-F135-4589-B08A-317C795D8EC7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe
        
        C:\Windows\{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe
        
        C:\Windows\{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe
        
        C:\Windows\{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe
        
        C:\Windows\{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{04C7E20B-0CCE-43fa-B666-48F538B8CD72}.exe
        
        C:\Windows\{04C7E20B-0CCE-43fa-B666-48F538B8CD72}.exe
        13⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{440B4~1.EXE > nul
        13⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7BE2~1.EXE > nul
        12⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{297BE~1.EXE > nul
        11⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBA6~1.EXE > nul
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B804D~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1DD5~1.EXE > nul
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18893~1.EXE > nul
        7⤵
        
        PID:796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96D6A~1.EXE > nul
        5⤵
        
        PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55355~1.EXE > nul
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E95A8~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04C7E20B-0CCE-43fa-B666-48F538B8CD72}.exe

Filesize
380KB

MD5
7c6b5b31bbae9518a7ecc91876bb5508

SHA1
c0035b969f117ca23f29ce77db173970383c83a5

SHA256
869060deb5185c60d4f251790b915c7fd6d6050840cb0af7fc01e26386b1a60a

SHA512
199e8373b5c632250c6098cfbff70ff9a030c14e07100e00038227ee0f8ec33bd234340b678d433e57a04a50d6b7781f7eb9630d5d5365bbbd5f52aaea22deee

Download Submit
C:\Windows\{18893826-AD92-42da-A263-6D24EC4420B0}.exe

Filesize
380KB

MD5
a0ad27f729cce1c210b5f5bab8539ad3

SHA1
419a9a90a194fa4a2d66e33f545c45ec7df998c6

SHA256
cea0f4bbd29325d832c078b0d3f71cef79381b9b809fb6e220fb74228a43c622

SHA512
2084ec349faee8a17b59f0c8a7a848026fb2e4834517c320e100e04d7add4c5c740c0734841fe1d341df97eac7bd9dc3499c2a1ae64076c9ceae51522aa78ac1

Download Submit
C:\Windows\{1F3C89B5-8639-4d55-BC65-36C0439B1CF5}.exe

Filesize
380KB

MD5
7d794720e8d911f19f30acb3ba08c3e5

SHA1
5f81747752a2b32d9dcb2642992adff277925a3c

SHA256
b39642c511ac2db4076ae8afb7b0810a0a23af26e37a404555d89cb4cd4e15e2

SHA512
5b99032424e03a69cb520636a60b664b043d054d411d63e3dd49df4381ad06d09f08f3b05d41e6a690c3fd1775a9885bb8f828335c997a9f290379cec5687e1e

Download Submit
C:\Windows\{297BE74F-CCE2-45fd-939D-3C958A419DF7}.exe

Filesize
380KB

MD5
c31127630f17fe5007761cb4ff175c21

SHA1
a13bb62c9773d0b5600b2c9873e5916d6350d6b2

SHA256
871afea5698e0a24b7e2bdd60b8905d4916a4ae397dca36ac1b115aa386fc467

SHA512
2d4b12fdcd3e2678268988ed82841af664412f4aadeb7cadd396c84014f4b7d7e42da220b8e9ceba8d39f50c04a0ac3bce4e1b5d01137a99c0f9f14885c781d3

Download Submit
C:\Windows\{440B4956-EC39-4e51-A66D-72FDFB9D63D2}.exe

Filesize
380KB

MD5
bb1ccf5651220ebeaf2de1f42c3f5166

SHA1
3135ac70bc2d7c3b17a0dfb13a9577c1ef5b6008

SHA256
a6ed7f3e0c9462d8da7200ce7d6bdc482a2b054182bedd4f251c16eb1850e5fc

SHA512
6453fc4ed01acc9e84ede435d6dd3c42488c02e9c8e11e757666cb31af671efe0bb5d0abd305ad07c2482974c6faca69a4203aa99706bf58507ec2c02cd76fa4

Download Submit
C:\Windows\{55355D07-A10E-4fe0-A925-33588815B4A5}.exe

Filesize
380KB

MD5
9ad99f45cd7f46e9cbc647cbacdf45d5

SHA1
9b29c31772fae1f99fca3f262054334cb046d9e9

SHA256
65aada02ef45d3cc566b034d0f0fdc1e02203583679e7c68521cc8500ad4866a

SHA512
d1599c464b557dfde902ab0d8d9d5e906af1f687d88edfa5f2f59e069b95ce3f60ef9c56363536a9426a81e00a01faf7ea199e59f930f4fc7aff5387fd3c471c

Download Submit
C:\Windows\{96D6AF31-FF24-4cfd-8B4F-3084BC2834C1}.exe

Filesize
380KB

MD5
5cc2dee8118e6d91ad8649cde3abbd01

SHA1
ca45548bf0d4efe9f1ba2951a9db5a56fe1cc126

SHA256
2d419674ee83e5079f3517fc87a5cc3066367944c52421268335382d5a11b35e

SHA512
f1d4b02fbb5fa717b58293b65c4db740eba804644cc812913d1f827ad3282ea2b97c836fcfe531c5259d4c115b65ea8afc1007b4279e1e04fbb8d0389a2bf053

Download Submit
C:\Windows\{A7BE24BC-A06E-43b6-88B4-CCB7F4DBD208}.exe

Filesize
380KB

MD5
01b2b218d73a46f574192474282cdaf5

SHA1
b6e2122d71f4c0b888e454d87de314f2f0945308

SHA256
60c46d21528e89a3363088b970e49fb00b1b074d55874251a653629bdfd6ec25

SHA512
c47bba618ffff02e9f1fd1a3ee51d6c865e6f39aff7944cbc60dde0a2ef02b64a5f8c224a5889b5983c1ea1bc654c38b0f1522583a0b3c171909fa108e4d4863

Download Submit
C:\Windows\{B1DD571C-CA48-4473-A378-B8D5B95C30DC}.exe

Filesize
380KB

MD5
56fe98c3764052366cd7b3f10451643a

SHA1
f6d9a030ad7a08a07c58c573b377e4c02137b202

SHA256
a1774caf84ab1545aa043d6bcd19729a657801e90e038c66deca220e7316f72c

SHA512
d849de5e1527b99ad2a5e0277d9f2655986bc184342fe452824513ed70bf39a266fa208c8cb3a40d6a0bed5a2f0f13745eb85db33a77df71f3ea5246107c8f70

Download Submit
C:\Windows\{B804D797-F135-4589-B08A-317C795D8EC7}.exe

Filesize
380KB

MD5
690a80937185be09e171b6980033d7c2

SHA1
eb6807099e243b3369d9a4f985e14069555a4174

SHA256
82015ffe5dd27a2d47b98ba0206006ba5b2529ae433208cc7f2f20452d83541c

SHA512
d61cdedc8e5ce46d1c89844e0e74c9511a29dc8391ec49106feccdcdde277ffa8ef39c9d6f13332459fa2f9dcf3031a8ad4de43a11bed15ed3473a7fe6586c0b

Download Submit
C:\Windows\{E95A8369-9597-4803-814A-65CE4415982C}.exe

Filesize
380KB

MD5
9ba2fbce44d1fa309de016a8da6535f2

SHA1
1531c4ca11295ae1a404a49f40205a8c3e8558ac

SHA256
f9ac4c4367a952444595041f6e03e52c4b302cb5d393114b1bd72d01f58489e3

SHA512
d79fee5db3fb8911ecb55874040324333e497ba931c9df68296e02355c3159630e5bc7a75fd8210a4f40618e57f263f17a697633e55acda5984fc6215e795747

Download Submit
C:\Windows\{FCBA692D-EBF0-4162-9E81-3660E484638A}.exe

Filesize
380KB

MD5
04c0a4f8decce2252364bddab2f3da87

SHA1
11e8ee39b678439c9915aad15b758085e2323e76

SHA256
5a71a07853d30e135641e405fdfaad8b8dd2aee06a4bf0f7452b4771765a14f4

SHA512
6e3fc809271deebbe51e47dd7c782b63e180c604cfba8cfa8fb7f4dc5d2bc4308cfaf26f1d04ba336647e4e6e1448891e87939c8786c00c774d6657f8251ee5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads