12e991327ce563ceb2308d3447bf1a3db420206db54e25f15aae9634357bf007

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe
Size

408KB
MD5

684522b85e915f9abac20f51ae28c145
SHA1

877f9c85527435c465960eb13ffcb7d735616249
SHA256

12e991327ce563ceb2308d3447bf1a3db420206db54e25f15aae9634357bf007
SHA512

1c907d0ddce30ed6d15924aec03b7f6d6caaeb16215c224d3d2007f0f4ecb35f4036e07dab01634e29d074549e954abefb0fc026cf2932deb5d6165268ba10b8
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGgldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023112-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002311d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023124-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002311d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023124-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023124-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBD03A6B-E395-47b3-90DE-169503B63C54}	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4443E0D-550B-4b91-990B-5DB877D27A29}\stubpath = "C:\\Windows\\{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe"	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F27666F4-665B-4738-9199-CB55B7D9C782}\stubpath = "C:\\Windows\\{F27666F4-665B-4738-9199-CB55B7D9C782}.exe"	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0734083-8250-483e-9DC0-4D76A4B4BF29}	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0734083-8250-483e-9DC0-4D76A4B4BF29}\stubpath = "C:\\Windows\\{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe"	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}\stubpath = "C:\\Windows\\{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe"	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AE738C7-2039-41e4-992E-D927FC8F3B7A}	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AE738C7-2039-41e4-992E-D927FC8F3B7A}\stubpath = "C:\\Windows\\{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe"	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4443E0D-550B-4b91-990B-5DB877D27A29}	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F38A1648-F3F9-493b-AA70-814464C0A43D}	{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E4243BD-7C37-48c8-96FA-C0EB6282C991}\stubpath = "C:\\Windows\\{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe"	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0169F189-72DC-4b22-B419-B2B18B91FF40}\stubpath = "C:\\Windows\\{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe"	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F38A1648-F3F9-493b-AA70-814464C0A43D}\stubpath = "C:\\Windows\\{F38A1648-F3F9-493b-AA70-814464C0A43D}.exe"	{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0169F189-72DC-4b22-B419-B2B18B91FF40}	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}\stubpath = "C:\\Windows\\{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe"	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F27666F4-665B-4738-9199-CB55B7D9C782}	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBD03A6B-E395-47b3-90DE-169503B63C54}\stubpath = "C:\\Windows\\{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe"	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}\stubpath = "C:\\Windows\\{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe"	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}\stubpath = "C:\\Windows\\{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe"	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E4243BD-7C37-48c8-96FA-C0EB6282C991}	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe

Executes dropped EXE 12 IoCs

pid	Process
2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe
4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe
4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe
4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe
3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe
4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe
2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe
1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe
4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe
3924	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe
1380	{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe
4996	{F38A1648-F3F9-493b-AA70-814464C0A43D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F38A1648-F3F9-493b-AA70-814464C0A43D}.exe	{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe
File created	C:\Windows\{F27666F4-665B-4738-9199-CB55B7D9C782}.exe	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe
File created	C:\Windows\{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe
File created	C:\Windows\{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe
File created	C:\Windows\{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe
File created	C:\Windows\{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe
File created	C:\Windows\{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe
File created	C:\Windows\{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe
File created	C:\Windows\{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe
File created	C:\Windows\{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe
File created	C:\Windows\{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe
File created	C:\Windows\{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	404	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe
Token: SeIncBasePriorityPrivilege	4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe
Token: SeIncBasePriorityPrivilege	4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe
Token: SeIncBasePriorityPrivilege	4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe
Token: SeIncBasePriorityPrivilege	3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe
Token: SeIncBasePriorityPrivilege	4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe
Token: SeIncBasePriorityPrivilege	2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe
Token: SeIncBasePriorityPrivilege	1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe
Token: SeIncBasePriorityPrivilege	4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe
Token: SeIncBasePriorityPrivilege	3924	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe
Token: SeIncBasePriorityPrivilege	1380	{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 2428	404	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe	86
PID 404 wrote to memory of 2428	404	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe	86
PID 404 wrote to memory of 2428	404	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe	86
PID 404 wrote to memory of 3168	404	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe	87
PID 404 wrote to memory of 3168	404	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe	87
PID 404 wrote to memory of 3168	404	2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe	87
PID 2428 wrote to memory of 4832	2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe	92
PID 2428 wrote to memory of 4832	2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe	92
PID 2428 wrote to memory of 4832	2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe	92
PID 2428 wrote to memory of 660	2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe	93
PID 2428 wrote to memory of 660	2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe	93
PID 2428 wrote to memory of 660	2428	{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe	93
PID 4832 wrote to memory of 4548	4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe	96
PID 4832 wrote to memory of 4548	4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe	96
PID 4832 wrote to memory of 4548	4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe	96
PID 4832 wrote to memory of 4280	4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe	95
PID 4832 wrote to memory of 4280	4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe	95
PID 4832 wrote to memory of 4280	4832	{F27666F4-665B-4738-9199-CB55B7D9C782}.exe	95
PID 4548 wrote to memory of 4088	4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe	97
PID 4548 wrote to memory of 4088	4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe	97
PID 4548 wrote to memory of 4088	4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe	97
PID 4548 wrote to memory of 2800	4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe	98
PID 4548 wrote to memory of 2800	4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe	98
PID 4548 wrote to memory of 2800	4548	{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe	98
PID 4088 wrote to memory of 3768	4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe	99
PID 4088 wrote to memory of 3768	4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe	99
PID 4088 wrote to memory of 3768	4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe	99
PID 4088 wrote to memory of 3628	4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe	100
PID 4088 wrote to memory of 3628	4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe	100
PID 4088 wrote to memory of 3628	4088	{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe	100
PID 3768 wrote to memory of 4524	3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe	101
PID 3768 wrote to memory of 4524	3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe	101
PID 3768 wrote to memory of 4524	3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe	101
PID 3768 wrote to memory of 3440	3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe	102
PID 3768 wrote to memory of 3440	3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe	102
PID 3768 wrote to memory of 3440	3768	{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe	102
PID 4524 wrote to memory of 2452	4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe	103
PID 4524 wrote to memory of 2452	4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe	103
PID 4524 wrote to memory of 2452	4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe	103
PID 4524 wrote to memory of 4084	4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe	104
PID 4524 wrote to memory of 4084	4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe	104
PID 4524 wrote to memory of 4084	4524	{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe	104
PID 2452 wrote to memory of 1404	2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe	106
PID 2452 wrote to memory of 1404	2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe	106
PID 2452 wrote to memory of 1404	2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe	106
PID 2452 wrote to memory of 1968	2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe	105
PID 2452 wrote to memory of 1968	2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe	105
PID 2452 wrote to memory of 1968	2452	{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe	105
PID 1404 wrote to memory of 4484	1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe	107
PID 1404 wrote to memory of 4484	1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe	107
PID 1404 wrote to memory of 4484	1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe	107
PID 1404 wrote to memory of 4608	1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe	108
PID 1404 wrote to memory of 4608	1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe	108
PID 1404 wrote to memory of 4608	1404	{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe	108
PID 4484 wrote to memory of 3924	4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe	109
PID 4484 wrote to memory of 3924	4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe	109
PID 4484 wrote to memory of 3924	4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe	109
PID 4484 wrote to memory of 3564	4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe	110
PID 4484 wrote to memory of 3564	4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe	110
PID 4484 wrote to memory of 3564	4484	{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe	110
PID 3924 wrote to memory of 1380	3924	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe	111
PID 3924 wrote to memory of 1380	3924	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe	111
PID 3924 wrote to memory of 1380	3924	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe	111
PID 3924 wrote to memory of 4896	3924	{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_684522b85e915f9abac20f51ae28c145_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe
  C:\Windows\{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\{F27666F4-665B-4738-9199-CB55B7D9C782}.exe
    C:\Windows\{F27666F4-665B-4738-9199-CB55B7D9C782}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F2766~1.EXE > nul
      4⤵
      PID:4280
  - - C:\Windows\{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe
      C:\Windows\{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe
        
        C:\Windows\{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe
        
        C:\Windows\{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe
        
        C:\Windows\{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe
        
        C:\Windows\{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E424~1.EXE > nul
        9⤵
        
        PID:1968
        
        C:\Windows\{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe
        
        C:\Windows\{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe
        
        C:\Windows\{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe
        
        C:\Windows\{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe
        
        C:\Windows\{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\{F38A1648-F3F9-493b-AA70-814464C0A43D}.exe
        
        C:\Windows\{F38A1648-F3F9-493b-AA70-814464C0A43D}.exe
        13⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4443~1.EXE > nul
        13⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AE73~1.EXE > nul
        12⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2946F~1.EXE > nul
        11⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0169F~1.EXE > nul
        10⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E02~1.EXE > nul
        8⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0734~1.EXE > nul
        7⤵
        
        PID:3440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F5FA~1.EXE > nul
        6⤵
        
        PID:3628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD03~1.EXE > nul
        5⤵
        
        PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD451~1.EXE > nul
    3⤵
    PID:660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0169F189-72DC-4b22-B419-B2B18B91FF40}.exe

Filesize
408KB

MD5
a0597f57c74b3884007ec78b7de81a97

SHA1
5a9e44f1633671eb4966ed9e3a3fb26232a17f64

SHA256
8246282deb4bf742e777a67342b0e7dd3f66a7a40f38f96984eb08f974c89891

SHA512
d9d1a9f30f2b67b2f983b51748cab127aae400a5b9d5ca85a3b6c109b4c61b12f781f547de9491ae729fdf93546cf8b10c01d9a0d901a7869586473a719be43c

Download Submit
C:\Windows\{1E4243BD-7C37-48c8-96FA-C0EB6282C991}.exe

Filesize
408KB

MD5
b5dfbdeedf279c69482fa4c2f7ab9e77

SHA1
64aefb67fd65c2362020e763f55488f3eb360620

SHA256
a85716144fd90708bb25e228c0cfda1f42c914053ff9ab0955523958fe2e5f8b

SHA512
eebcf0eb50a504bc72c60167c2adccc1d4f9e4387f3c8beb87c3b8b8927b990105271c70b44efaf06afd9fe979ccd33b61e6c287e0e292e5eb1e264858101e3b

Download Submit
C:\Windows\{2946F12E-DC0F-4170-9CA7-18F8C57EBF7A}.exe

Filesize
408KB

MD5
b10a86e423626667441331a3c93a6fa4

SHA1
8563b1022c3dda0c6023f172beebb3874bffb15c

SHA256
225f192697d4c24085965e742015bc54da944cef6b0d2e6610db8e66611daffe

SHA512
ab4278b278eda3c668d77e312290a5f90796baade0712593b53cc327690c10eccb0790c9b28c9e7d4c503762297c8f34ce46d2ffc84bf2ff51b522ea0b52dd89

Download Submit
C:\Windows\{8AE738C7-2039-41e4-992E-D927FC8F3B7A}.exe

Filesize
408KB

MD5
7d669df89254304d74090ea610e24b01

SHA1
29bc4d3d6055aed84523e5aae3df651b5683f2ee

SHA256
0b1a42839e2a791e1bef364487bcbf515ea83d8f02f2ca8621e26cfa61458a8b

SHA512
8e5b3cd38a4b564c9743f6a83e3a92933798c0fef0eaae978e9c4605ec79423412ff19eca6aabb9fc258d1d33b021cb1c9262c1eb2862c9f28606b212a6fb35e

Download Submit
C:\Windows\{8F5FA215-CB8B-4a94-B2E2-2151CE6A5038}.exe

Filesize
408KB

MD5
43d586e5ae945bb578a7347eebe98c26

SHA1
f407101737e211c11ab2e5dbd0eab4045f6a0870

SHA256
624a190cef3b54e2c795385ca519e49601d0e8a8b58cbacbdeeba46febc626a1

SHA512
fbd1fbc78e9513a06841c8a24bcfe71e20d87c44ff426db580779a3f917457537e1b787fc91b3cbb698fba4013c5f6e291c27d1b7b88db88c5e3faaba138167a

Download Submit
C:\Windows\{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe

Filesize
384KB

MD5
2bad316f66d4386216779fbdd48b5d64

SHA1
98beac2343249ee6d35e6b4031ba8ea5a4aee4f1

SHA256
6a6482afd148a74613118e64a4e2b525d18b57be8eb24d493a5a8484db352705

SHA512
7269c38619e8eb51d0a9549ec4b0370c65fabb14c7e592b9c554d7ca42206b90f0470d12377b92ac583004875d474502d2b4d07ea9d6c3425670e97106f5adaf

Download Submit
C:\Windows\{B0734083-8250-483e-9DC0-4D76A4B4BF29}.exe

Filesize
192KB

MD5
7d104db6922c9af290c6213828c1303d

SHA1
ba37c719322ef258730a0e6b0f11c712256c32e8

SHA256
6e6aa1f13038bae39c0d7e529f72670a223f29132a03e489b89c4e4b941eecb4

SHA512
4b65561e04205cadaf0bc6398dc3ee1c25042370803edef311cb834fc3fd3bca7fa5ce958cf097d25698f91e970a2b5d9f96bd10c493a60f6f2a93322fca51b2

Download Submit
C:\Windows\{CBD03A6B-E395-47b3-90DE-169503B63C54}.exe

Filesize
408KB

MD5
5be58df8a96ef98ab3c1239c98c8f047

SHA1
0dde1db086af60e603c287e1694a32b5f0236047

SHA256
c8e7212fe6fd745035cd77751141a7cd98244c2b5f136728f38e08a587d8ed83

SHA512
b281b7f83996026433f544aef0dfd5771c7257a4d0ee21083ab9f833868776e94831f94b330c78e6c8db8508fb9ba8cc9009a1c23f0e24107f865db8dc6085a3

Download Submit
C:\Windows\{DD451D18-80BE-47f2-9AA4-A47AA60CBE22}.exe

Filesize
408KB

MD5
4febc23c1f7a73b89cdec1f07585b502

SHA1
6a88fed8b40e3996873d9b420f793cd25fbda83b

SHA256
39cde8c645d46822cb0241ad384da09c13267d5b7d986685c383191b77a5cefd

SHA512
fbbed79889fd41eb7784ec66c6bfca7451642b907a4e30babf93f6f33e36246bec6231242dc0b2c9d881e038036ede01052f96a4496a2fe09fb24ad00b6b9800

Download Submit
C:\Windows\{E8E02B9D-B750-42e8-8F4C-6CF9D72614C1}.exe

Filesize
408KB

MD5
8fc49c53316564be7e0713ec5b8e7a4b

SHA1
dc3b660a55df72ff687e0da827a2a8d55c571a25

SHA256
49cfb2a8153bd0968ded28e8cd2db9583c3b72f832068f7f68f3fb0a7bc0094b

SHA512
304bd2916bb8abe2d4e5f15d8348a0a0f71ceba4d8bdd621c8ebe4dcb3b67b02eb1b74749ac166dbd05d462392c20bc27f070b0cf0b87ebf5e29c3f915f02d7c

Download Submit
C:\Windows\{F27666F4-665B-4738-9199-CB55B7D9C782}.exe

Filesize
408KB

MD5
a1cb13e2e669e91ddb5d5c96699eeeaa

SHA1
a0ce829d20d69ae99dc9939c49378cf515df9529

SHA256
631d69f0304d0bb7a94605bb08ab1d816a77287877abc536b5e92e78a09bff37

SHA512
a802d1cc432a7a3639703b9b5431082daa817a8a19cf8f3a7d3993ced7190f4da1ef8cdaba852a5f0f39d9b0e7710b5032392fc4bdfb018d9c82acb4aff97275

Download Submit
C:\Windows\{F38A1648-F3F9-493b-AA70-814464C0A43D}.exe

Filesize
408KB

MD5
2dcb3fa220d95493e441f9dcba09db93

SHA1
eba004a337dec12c9612ccb3c58801dafa0c8782

SHA256
926d947c8c5240f3d826b550fba104ca58e3dcb39ffe1ce1581dce85573f583b

SHA512
b0051c1780e60edc98678d5e46a59d015da0be8afe49ba421ef1f29fe343c1963c46c97546399817456b93967270b13f445d3a9533b0015188b8239cfd52e6c9

Download Submit
C:\Windows\{F4443E0D-550B-4b91-990B-5DB877D27A29}.exe

Filesize
408KB

MD5
15a2151c6bf6ae1b9c85b41cdee6fc5a

SHA1
9212db34057181b06bacd7a1f41cd33eb62fd7f0

SHA256
e9bc680ece2da13c5243fc0176a1db06d07a78c38bf00de2484a6f5564ecdd78

SHA512
abec7e068f08b34155ac146ffc3f4e36a1e40ea79456c5f7971e47f1cea095c1ebf8ce59857ed959234a3a43094857002b3e031b95b65d6d1ce54608d85a3b6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads