0ecef894cd96afcabfc7fa328e1189d0aa8611187173e653a186d2074c16f8a2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe
Size

180KB
MD5

da0fb411e56fb352f7fd23f020579acf
SHA1

a4eb740edf77f25a96f07abccdfb66f62bd500f2
SHA256

0ecef894cd96afcabfc7fa328e1189d0aa8611187173e653a186d2074c16f8a2
SHA512

a8b1f005f216a6fb8824c7ce1d84d863ec4ebba23138a8b28725e4be5ca3f706c9096b1db467cfecb70b5564e106a62967d7688401924c44af8094bb48dadc51
SSDEEP

3072:jEGh0oAlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGSl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023218-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002321d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023224-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321d-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4A210A5-8410-41a1-BD28-2918D6D6E107}\stubpath = "C:\\Windows\\{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe"	{CEACD415-FE12-47b6-8A24-89580191362F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}\stubpath = "C:\\Windows\\{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}.exe"	{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}\stubpath = "C:\\Windows\\{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe"	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86BABF27-66F8-4c89-9C3E-EC686823887C}	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86BABF27-66F8-4c89-9C3E-EC686823887C}\stubpath = "C:\\Windows\\{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe"	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8610FAE0-B941-4a11-BA49-F0DF26B7C684}\stubpath = "C:\\Windows\\{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe"	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}	{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}\stubpath = "C:\\Windows\\{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe"	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B01496-108F-459d-A90A-E59F8766A5C9}	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B01496-108F-459d-A90A-E59F8766A5C9}\stubpath = "C:\\Windows\\{65B01496-108F-459d-A90A-E59F8766A5C9}.exe"	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}\stubpath = "C:\\Windows\\{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe"	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75231B6C-9157-4130-9184-EF52142C8DD2}\stubpath = "C:\\Windows\\{75231B6C-9157-4130-9184-EF52142C8DD2}.exe"	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8610FAE0-B941-4a11-BA49-F0DF26B7C684}	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}\stubpath = "C:\\Windows\\{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe"	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4A210A5-8410-41a1-BD28-2918D6D6E107}	{CEACD415-FE12-47b6-8A24-89580191362F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75231B6C-9157-4130-9184-EF52142C8DD2}	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EF0E142-9494-43e8-8C41-A7D40F3962BF}	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EF0E142-9494-43e8-8C41-A7D40F3962BF}\stubpath = "C:\\Windows\\{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe"	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEACD415-FE12-47b6-8A24-89580191362F}	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEACD415-FE12-47b6-8A24-89580191362F}\stubpath = "C:\\Windows\\{CEACD415-FE12-47b6-8A24-89580191362F}.exe"	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe
1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe
3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe
4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe
1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe
4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe
744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe
3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe
628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe
1596	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe
2152	{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe
3956	{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe
File created	C:\Windows\{65B01496-108F-459d-A90A-E59F8766A5C9}.exe	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe
File created	C:\Windows\{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe
File created	C:\Windows\{75231B6C-9157-4130-9184-EF52142C8DD2}.exe	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe
File created	C:\Windows\{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe
File created	C:\Windows\{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}.exe	{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe
File created	C:\Windows\{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe
File created	C:\Windows\{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe
File created	C:\Windows\{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe
File created	C:\Windows\{CEACD415-FE12-47b6-8A24-89580191362F}.exe	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe
File created	C:\Windows\{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe	{CEACD415-FE12-47b6-8A24-89580191362F}.exe
File created	C:\Windows\{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4268	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe
Token: SeIncBasePriorityPrivilege	1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe
Token: SeIncBasePriorityPrivilege	3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe
Token: SeIncBasePriorityPrivilege	4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe
Token: SeIncBasePriorityPrivilege	1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe
Token: SeIncBasePriorityPrivilege	4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe
Token: SeIncBasePriorityPrivilege	744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe
Token: SeIncBasePriorityPrivilege	3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe
Token: SeIncBasePriorityPrivilege	628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe
Token: SeIncBasePriorityPrivilege	1596	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe
Token: SeIncBasePriorityPrivilege	2152	{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 1612	4268	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe	90
PID 4268 wrote to memory of 1612	4268	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe	90
PID 4268 wrote to memory of 1612	4268	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe	90
PID 4268 wrote to memory of 4132	4268	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe	91
PID 4268 wrote to memory of 4132	4268	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe	91
PID 4268 wrote to memory of 4132	4268	2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe	91
PID 1612 wrote to memory of 1660	1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe	92
PID 1612 wrote to memory of 1660	1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe	92
PID 1612 wrote to memory of 1660	1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe	92
PID 1612 wrote to memory of 4056	1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe	93
PID 1612 wrote to memory of 4056	1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe	93
PID 1612 wrote to memory of 4056	1612	{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe	93
PID 1660 wrote to memory of 3620	1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe	96
PID 1660 wrote to memory of 3620	1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe	96
PID 1660 wrote to memory of 3620	1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe	96
PID 1660 wrote to memory of 2328	1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe	95
PID 1660 wrote to memory of 2328	1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe	95
PID 1660 wrote to memory of 2328	1660	{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe	95
PID 3620 wrote to memory of 4712	3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe	97
PID 3620 wrote to memory of 4712	3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe	97
PID 3620 wrote to memory of 4712	3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe	97
PID 3620 wrote to memory of 4932	3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe	98
PID 3620 wrote to memory of 4932	3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe	98
PID 3620 wrote to memory of 4932	3620	{65B01496-108F-459d-A90A-E59F8766A5C9}.exe	98
PID 4712 wrote to memory of 1976	4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe	99
PID 4712 wrote to memory of 1976	4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe	99
PID 4712 wrote to memory of 1976	4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe	99
PID 4712 wrote to memory of 5036	4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe	100
PID 4712 wrote to memory of 5036	4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe	100
PID 4712 wrote to memory of 5036	4712	{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe	100
PID 1976 wrote to memory of 4264	1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe	101
PID 1976 wrote to memory of 4264	1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe	101
PID 1976 wrote to memory of 4264	1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe	101
PID 1976 wrote to memory of 5032	1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe	102
PID 1976 wrote to memory of 5032	1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe	102
PID 1976 wrote to memory of 5032	1976	{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe	102
PID 4264 wrote to memory of 744	4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe	103
PID 4264 wrote to memory of 744	4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe	103
PID 4264 wrote to memory of 744	4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe	103
PID 4264 wrote to memory of 3164	4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe	104
PID 4264 wrote to memory of 3164	4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe	104
PID 4264 wrote to memory of 3164	4264	{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe	104
PID 744 wrote to memory of 3980	744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe	105
PID 744 wrote to memory of 3980	744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe	105
PID 744 wrote to memory of 3980	744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe	105
PID 744 wrote to memory of 3096	744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe	106
PID 744 wrote to memory of 3096	744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe	106
PID 744 wrote to memory of 3096	744	{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe	106
PID 3980 wrote to memory of 628	3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe	107
PID 3980 wrote to memory of 628	3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe	107
PID 3980 wrote to memory of 628	3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe	107
PID 3980 wrote to memory of 228	3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe	108
PID 3980 wrote to memory of 228	3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe	108
PID 3980 wrote to memory of 228	3980	{CEACD415-FE12-47b6-8A24-89580191362F}.exe	108
PID 628 wrote to memory of 1596	628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe	110
PID 628 wrote to memory of 1596	628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe	110
PID 628 wrote to memory of 1596	628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe	110
PID 628 wrote to memory of 4300	628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe	109
PID 628 wrote to memory of 4300	628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe	109
PID 628 wrote to memory of 4300	628	{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe	109
PID 1596 wrote to memory of 2152	1596	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe	111
PID 1596 wrote to memory of 2152	1596	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe	111
PID 1596 wrote to memory of 2152	1596	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe	111
PID 1596 wrote to memory of 928	1596	{75231B6C-9157-4130-9184-EF52142C8DD2}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_da0fb411e56fb352f7fd23f020579acf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe
  C:\Windows\{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe
    C:\Windows\{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3C9~1.EXE > nul
      4⤵
      PID:2328
  - - C:\Windows\{65B01496-108F-459d-A90A-E59F8766A5C9}.exe
      C:\Windows\{65B01496-108F-459d-A90A-E59F8766A5C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe
        
        C:\Windows\{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe
        
        C:\Windows\{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe
        
        C:\Windows\{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe
        
        C:\Windows\{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\{CEACD415-FE12-47b6-8A24-89580191362F}.exe
        
        C:\Windows\{CEACD415-FE12-47b6-8A24-89580191362F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe
        
        C:\Windows\{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4A21~1.EXE > nul
        11⤵
        
        PID:4300
        
        C:\Windows\{75231B6C-9157-4130-9184-EF52142C8DD2}.exe
        
        C:\Windows\{75231B6C-9157-4130-9184-EF52142C8DD2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe
        
        C:\Windows\{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}.exe
        
        C:\Windows\{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}.exe
        13⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8610F~1.EXE > nul
        13⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75231~1.EXE > nul
        12⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEACD~1.EXE > nul
        10⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86BAB~1.EXE > nul
        9⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EF0E~1.EXE > nul
        8⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A5C9~1.EXE > nul
        7⤵
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{762DB~1.EXE > nul
        6⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65B01~1.EXE > nul
        5⤵
        
        PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF433~1.EXE > nul
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5EF0E142-9494-43e8-8C41-A7D40F3962BF}.exe

Filesize
180KB

MD5
cc0dcfa2bff02e4a147997d1dfbd1cbd

SHA1
36b9e6fa0cba15f3d50e1c6805e8d85f5cae88d1

SHA256
2b57725bc2dd2bedc0814f59efe7803df0673706a9313d8b7fc6571cea23bc33

SHA512
888bee1d57015841f8b6efc74dffbac657ab9c728c623cb9fbc37a7889faadc7614e48cd3ca97075694bc4d3734756ee868a954f84285ef323b5720bbaf51d65

Download Submit
C:\Windows\{65B01496-108F-459d-A90A-E59F8766A5C9}.exe

Filesize
180KB

MD5
b89281869e846f1cc6d8690b7ca9fd3d

SHA1
1d3cd5cabd88631954f180ec355a523e45e135d7

SHA256
6434de8f2e8b29ac0627072a609bb5c70352fb58ef3240dd3553339d1c4a0502

SHA512
bce7bca2e5cc94ef4900bf39af6a4b14f09776453af583ce470c899aca8f34a6f6280e78e0cc473a34f947ddac4232695a2d6bbf1df4131073a2a99737a8d1e7

Download Submit
C:\Windows\{7445EB33-EA86-4b58-8B74-FA4F6E5F601D}.exe

Filesize
180KB

MD5
81188c3c2e1329dbc11aff58aed9c97c

SHA1
0d47102736f7606030de6e495b658f2ab91916ee

SHA256
fce66ebff14e1e67dd62c6eef2d89d7b4addcd48448d2973782eaa77fea06ecd

SHA512
33b7e3bbf5b73378cccd091b984638a2f014a2c5d97f24c7e15a33a34bac010f6ac50041101835ca2ea0748f6bd27da78ab5be331555c066f7b4e9bef919514f

Download Submit
C:\Windows\{75231B6C-9157-4130-9184-EF52142C8DD2}.exe

Filesize
180KB

MD5
8cd1cd00669c5110fd8dd2ee5e4c4c32

SHA1
bd3eea3d2f0d373fa96a0b2e60eb31b379d08d65

SHA256
755d2fe0a5553ed279d77e6c254bd7b6b857c7e07600cd1f5f26a9d0c20b8da7

SHA512
e20a78565fb485a2839e8849e036e42af0e446e7abf5b653b39eba0808aa56f72800561871c9653e49f567f1eb98577189dd43752e953287ac975e7da0f9ccf3

Download Submit
C:\Windows\{762DB4E3-BAF0-45b5-88F6-D5432CB3ED40}.exe

Filesize
180KB

MD5
68488c9f70824f8ca89d6b71286bbc31

SHA1
2eb2994ac843672c89cde2eea323457ca53c42a1

SHA256
3e19f1d9e3a2bd12ca33b8b83f3398695fbf5a30bdfe3f5365859ce2e1a772d2

SHA512
7a3188ea9df214542bbebc0817ecbfdd4507283419efc69ebc4cd2237b3dbd7bc19e2f477621fdaca4de12ad05bcb385a5e905b08fa48f6f498245fa56bf17c5

Download Submit
C:\Windows\{7A5C98BC-1B1F-44c8-B5F3-8CB7F7292E53}.exe

Filesize
180KB

MD5
91fe1df0ec80b691b4e621b8291d8ef0

SHA1
ce6280fb3d4daa52e903bb2f46258e6439e42e37

SHA256
6fd8f65419dca29c99a373a6d94297c631b51dceb9af88778d97596f471ab825

SHA512
56a5043d249bd34f117badf7dc394f65055a38e526e7afb1d3ec3c0135c5ad616a87826b34fd682b92cc2422fd23351e125e44da5ba18a6c1a1b24c01a277afa

Download Submit
C:\Windows\{8610FAE0-B941-4a11-BA49-F0DF26B7C684}.exe

Filesize
180KB

MD5
4b8389a7e45bca6c30a40c037a030a77

SHA1
0cdf854eed5d9d4d247197dc144dc3ceac8edafe

SHA256
7f20357d821ce343bffdac401e5e29e9a71656b265b0919fc91f778a6e994d03

SHA512
12ee22a5bc5a6323632af44f43dbbf68d7e7cde4429305afbc9062e90663ac523c47974d86901562a2d29acdfd2ec99c9a6b13d3ff33bb837f4dc2c0936332c2

Download Submit
C:\Windows\{86BABF27-66F8-4c89-9C3E-EC686823887C}.exe

Filesize
180KB

MD5
e18bf1160f1b6f2b352d3b34a31acdb7

SHA1
51ea61efd410a0c500b4102a97b9f722b132e4c1

SHA256
14868dd6a3de4b1c17986432892a26b91c26f57354a3aa7f266102332f537bb4

SHA512
25f41be276b697372c2d078bd3acc260cc23b71aa88115dcad9e06ee7a798d03d1e7af4b22bc961b185ad6daeed18de5ff53875935da63eba13c407f08cd97f6

Download Submit
C:\Windows\{AB3C9AE9-EC9C-415a-8B0F-B8B0C154F606}.exe

Filesize
180KB

MD5
dbe673f0ec8d5ae37ed690b2f61b8f6d

SHA1
badce3a2e8b3720ca7c5536d15aef958b4065745

SHA256
e304722df2508247fec3fe5df0cbf36092c8527c65ab20a0ef1f3f247e7ef2c1

SHA512
09cffa484b9aa115e660ed8e2363da182dd7ccc803e53755ffaa5acfc6605959945a800da1d4ae14c9f1744dffbb6c0696a464d3ac0ee1ebc6fb2a9a56b6d6db

Download Submit
C:\Windows\{C4A210A5-8410-41a1-BD28-2918D6D6E107}.exe

Filesize
180KB

MD5
9b09b6c9d9626eb24f982dc3d5a01dcb

SHA1
8991de89277ea676094eefc6cc286e567d9bda93

SHA256
2782312a21fe9f69f21640ad5fa47551bb6850d5b26315bd485cb7ce9a1e0f50

SHA512
e4e36fbe46644b95589cc1a38dfdb206dc67c7dc88d773d1a9278dc39bafdd52339c419ad7a6e204faaf1fa749f971c8cbb4bc4aa974d90b577a52eec575041e

Download Submit
C:\Windows\{CEACD415-FE12-47b6-8A24-89580191362F}.exe

Filesize
180KB

MD5
59f097c8484be6cb15f931ea88d266ef

SHA1
3d219e0ef31598202ee211f804d8ce7959ed8bba

SHA256
1fb7e386bfe0779f1d455174dc1baf4dd1f3a971a35f407047e1180dac0794d2

SHA512
7738f8f674d38f06f92588f907e968a51959d221600df01567483bbcba5681c40b05c00b0b64575278ae45129ac87bb25e16f88a5a3156a247049e3cbb6aec61

Download Submit
C:\Windows\{DF433895-EE2F-40f0-8C53-0CC6F9CB1E37}.exe

Filesize
180KB

MD5
89949bea4996b52b4a568eeeab53d332

SHA1
e5b7229b661276e34ce28d889ae04abde5d81cb2

SHA256
be9eedeb49c18fc4f049ec07a82ea4be170101ba216674ed8187d516a159096a

SHA512
047774516d06a403b92db1f68ebbbea5562481586c87621817cb2afef813b17d03cf5558942992c4cef975ce46ade5fc2a19f4b92ad5df33b266130521dc4117

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads