d7bd488042bde55a15a7fb47e01d5297aac315c09909abe5eb4cea2c1cbebae5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe
Size

344KB
MD5

8e37f8d1e991c0bb64597d7e1a19cff6
SHA1

643385a3fff9d34ec320011e36523e67bd8d8372
SHA256

d7bd488042bde55a15a7fb47e01d5297aac315c09909abe5eb4cea2c1cbebae5
SHA512

c3b305ce8c715880f9a75e328f56da56fd55d4dd323b0e1f55dcf91690a347694b903ea4cc69a02a1c55d0b262bd2ee0e95c1d37a581160091e59a940f373739
SSDEEP

3072:mEGh0oblEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002324f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023253-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325a-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023253-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED05203-2932-42c8-8E13-D433F6A5115D}	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3974D498-3B43-466c-B992-6014768E829B}\stubpath = "C:\\Windows\\{3974D498-3B43-466c-B992-6014768E829B}.exe"	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261CBC4C-60C7-4c81-86A4-058F94034DA5}	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25B726C-4FD0-437a-B07E-EF21834F0482}\stubpath = "C:\\Windows\\{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe"	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}\stubpath = "C:\\Windows\\{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe"	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADAB127-AA15-4740-A0C8-E62099BB31C8}	{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADAB127-AA15-4740-A0C8-E62099BB31C8}\stubpath = "C:\\Windows\\{5ADAB127-AA15-4740-A0C8-E62099BB31C8}.exe"	{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}\stubpath = "C:\\Windows\\{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe"	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}\stubpath = "C:\\Windows\\{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe"	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}	{3974D498-3B43-466c-B992-6014768E829B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}\stubpath = "C:\\Windows\\{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe"	{3974D498-3B43-466c-B992-6014768E829B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{111B4D77-9531-4dec-975F-8FCF4399D208}	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED05203-2932-42c8-8E13-D433F6A5115D}\stubpath = "C:\\Windows\\{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe"	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A31865-1C54-45fb-9C68-891B3AA87872}\stubpath = "C:\\Windows\\{28A31865-1C54-45fb-9C68-891B3AA87872}.exe"	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{111B4D77-9531-4dec-975F-8FCF4399D208}\stubpath = "C:\\Windows\\{111B4D77-9531-4dec-975F-8FCF4399D208}.exe"	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CC840FF-0A60-47d1-8EAA-B61238F66B19}	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3974D498-3B43-466c-B992-6014768E829B}	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261CBC4C-60C7-4c81-86A4-058F94034DA5}\stubpath = "C:\\Windows\\{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe"	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25B726C-4FD0-437a-B07E-EF21834F0482}	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A31865-1C54-45fb-9C68-891B3AA87872}	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CC840FF-0A60-47d1-8EAA-B61238F66B19}\stubpath = "C:\\Windows\\{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe"	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe

Executes dropped EXE 12 IoCs

pid	Process
1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe
2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe
364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe
3912	{3974D498-3B43-466c-B992-6014768E829B}.exe
3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe
752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe
2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe
2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe
1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe
3656	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe
2224	{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe
2496	{5ADAB127-AA15-4740-A0C8-E62099BB31C8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe
File created	C:\Windows\{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe
File created	C:\Windows\{5ADAB127-AA15-4740-A0C8-E62099BB31C8}.exe	{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe
File created	C:\Windows\{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe
File created	C:\Windows\{3974D498-3B43-466c-B992-6014768E829B}.exe	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe
File created	C:\Windows\{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe	{3974D498-3B43-466c-B992-6014768E829B}.exe
File created	C:\Windows\{28A31865-1C54-45fb-9C68-891B3AA87872}.exe	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe
File created	C:\Windows\{111B4D77-9531-4dec-975F-8FCF4399D208}.exe	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe
File created	C:\Windows\{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe
File created	C:\Windows\{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe
File created	C:\Windows\{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe
File created	C:\Windows\{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3988	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe
Token: SeIncBasePriorityPrivilege	2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe
Token: SeIncBasePriorityPrivilege	364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe
Token: SeIncBasePriorityPrivilege	3912	{3974D498-3B43-466c-B992-6014768E829B}.exe
Token: SeIncBasePriorityPrivilege	3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe
Token: SeIncBasePriorityPrivilege	752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe
Token: SeIncBasePriorityPrivilege	2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe
Token: SeIncBasePriorityPrivilege	2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe
Token: SeIncBasePriorityPrivilege	1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe
Token: SeIncBasePriorityPrivilege	3656	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe
Token: SeIncBasePriorityPrivilege	2224	{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1052	3988	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe	91
PID 3988 wrote to memory of 1052	3988	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe	91
PID 3988 wrote to memory of 1052	3988	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe	91
PID 3988 wrote to memory of 1748	3988	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe	92
PID 3988 wrote to memory of 1748	3988	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe	92
PID 3988 wrote to memory of 1748	3988	2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe	92
PID 1052 wrote to memory of 2312	1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe	93
PID 1052 wrote to memory of 2312	1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe	93
PID 1052 wrote to memory of 2312	1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe	93
PID 1052 wrote to memory of 4564	1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe	94
PID 1052 wrote to memory of 4564	1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe	94
PID 1052 wrote to memory of 4564	1052	{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe	94
PID 2312 wrote to memory of 364	2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe	97
PID 2312 wrote to memory of 364	2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe	97
PID 2312 wrote to memory of 364	2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe	97
PID 2312 wrote to memory of 1756	2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe	96
PID 2312 wrote to memory of 1756	2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe	96
PID 2312 wrote to memory of 1756	2312	{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe	96
PID 364 wrote to memory of 3912	364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe	98
PID 364 wrote to memory of 3912	364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe	98
PID 364 wrote to memory of 3912	364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe	98
PID 364 wrote to memory of 3408	364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe	99
PID 364 wrote to memory of 3408	364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe	99
PID 364 wrote to memory of 3408	364	{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe	99
PID 3912 wrote to memory of 3172	3912	{3974D498-3B43-466c-B992-6014768E829B}.exe	100
PID 3912 wrote to memory of 3172	3912	{3974D498-3B43-466c-B992-6014768E829B}.exe	100
PID 3912 wrote to memory of 3172	3912	{3974D498-3B43-466c-B992-6014768E829B}.exe	100
PID 3912 wrote to memory of 3620	3912	{3974D498-3B43-466c-B992-6014768E829B}.exe	101
PID 3912 wrote to memory of 3620	3912	{3974D498-3B43-466c-B992-6014768E829B}.exe	101
PID 3912 wrote to memory of 3620	3912	{3974D498-3B43-466c-B992-6014768E829B}.exe	101
PID 3172 wrote to memory of 752	3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe	102
PID 3172 wrote to memory of 752	3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe	102
PID 3172 wrote to memory of 752	3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe	102
PID 3172 wrote to memory of 2704	3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe	103
PID 3172 wrote to memory of 2704	3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe	103
PID 3172 wrote to memory of 2704	3172	{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe	103
PID 752 wrote to memory of 2968	752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe	104
PID 752 wrote to memory of 2968	752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe	104
PID 752 wrote to memory of 2968	752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe	104
PID 752 wrote to memory of 3500	752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe	105
PID 752 wrote to memory of 3500	752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe	105
PID 752 wrote to memory of 3500	752	{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe	105
PID 2968 wrote to memory of 2836	2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe	106
PID 2968 wrote to memory of 2836	2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe	106
PID 2968 wrote to memory of 2836	2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe	106
PID 2968 wrote to memory of 5108	2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe	107
PID 2968 wrote to memory of 5108	2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe	107
PID 2968 wrote to memory of 5108	2968	{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe	107
PID 2836 wrote to memory of 1580	2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe	108
PID 2836 wrote to memory of 1580	2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe	108
PID 2836 wrote to memory of 1580	2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe	108
PID 2836 wrote to memory of 3672	2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe	109
PID 2836 wrote to memory of 3672	2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe	109
PID 2836 wrote to memory of 3672	2836	{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe	109
PID 1580 wrote to memory of 3656	1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe	110
PID 1580 wrote to memory of 3656	1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe	110
PID 1580 wrote to memory of 3656	1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe	110
PID 1580 wrote to memory of 1952	1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe	111
PID 1580 wrote to memory of 1952	1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe	111
PID 1580 wrote to memory of 1952	1580	{28A31865-1C54-45fb-9C68-891B3AA87872}.exe	111
PID 3656 wrote to memory of 2224	3656	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe	112
PID 3656 wrote to memory of 2224	3656	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe	112
PID 3656 wrote to memory of 2224	3656	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe	112
PID 3656 wrote to memory of 1984	3656	{111B4D77-9531-4dec-975F-8FCF4399D208}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_8e37f8d1e991c0bb64597d7e1a19cff6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe
  C:\Windows\{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe
    C:\Windows\{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7ED05~1.EXE > nul
      4⤵
      PID:1756
  - - C:\Windows\{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe
      C:\Windows\{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\{3974D498-3B43-466c-B992-6014768E829B}.exe
        
        C:\Windows\{3974D498-3B43-466c-B992-6014768E829B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
      - C:\Windows\{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe
        
        C:\Windows\{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe
        
        C:\Windows\{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe
        
        C:\Windows\{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe
        
        C:\Windows\{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{28A31865-1C54-45fb-9C68-891B3AA87872}.exe
        
        C:\Windows\{28A31865-1C54-45fb-9C68-891B3AA87872}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{111B4D77-9531-4dec-975F-8FCF4399D208}.exe
        
        C:\Windows\{111B4D77-9531-4dec-975F-8FCF4399D208}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe
        
        C:\Windows\{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{5ADAB127-AA15-4740-A0C8-E62099BB31C8}.exe
        
        C:\Windows\{5ADAB127-AA15-4740-A0C8-E62099BB31C8}.exe
        13⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CC84~1.EXE > nul
        13⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{111B4~1.EXE > nul
        12⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28A31~1.EXE > nul
        11⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20EAE~1.EXE > nul
        10⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E25B7~1.EXE > nul
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{261CB~1.EXE > nul
        8⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F804~1.EXE > nul
        7⤵
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3974D~1.EXE > nul
        6⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0955F~1.EXE > nul
        5⤵
        
        PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80EF5~1.EXE > nul
    3⤵
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0955F6F0-1B6A-4aeb-86C2-E637C0A11EDC}.exe

Filesize
344KB

MD5
3a56e43841739d433a5c8550a352bdee

SHA1
a03999ae5e2ccf1a625276f2201d3341ebe588ad

SHA256
173d898bfc9112ddf8162f3112144f1d65a5da6dc99c1cdc2bb3cf759447c9fc

SHA512
ee2550d10476a5c0c8da7f4c76b71d13f7147ad4749005f64085ef47ab86ce9cd36f5187b8f9c0d92e64582db5233ad7c3e9645c7d9f71ffad35e9568edf1400

Download Submit
C:\Windows\{111B4D77-9531-4dec-975F-8FCF4399D208}.exe

Filesize
344KB

MD5
bd5403fd27bb17e424cfd6e2077abacc

SHA1
d96fec812cdf9aacbdae4a0462db30c50937e864

SHA256
17bc5da47cb11e99aa3c30340746216c4df07b92d9c1f63bb0754d3a505aaa18

SHA512
d7b778874321ac5c0a8716571647f7ac1eabe53af40b05b3b4a122ff24dbac850199c2c21d40b039147b5b0503b2b791b8a293ccb3dfbd0d96c23e5e7af38cbf

Download Submit
C:\Windows\{20EAE8B7-FCDA-4b7b-BE64-742F876C14D0}.exe

Filesize
344KB

MD5
452aa11ea79ce232aa02e60b76b41e88

SHA1
b9f8a5970b6e57d4a25bb8b77ed08481f57378c8

SHA256
426bdce04b6edf53ef071694e8c586b8c7b37eae52edbf10b853c4631f18a7ab

SHA512
9bed949f21578854b294c6fdb7289500025f35d4d7dc4159d38b84923607397f8c6b49e613b0f2d43be079e7dbe7e066cade8680e0fec75fbfe0fafabcbb4ff9

Download Submit
C:\Windows\{261CBC4C-60C7-4c81-86A4-058F94034DA5}.exe

Filesize
344KB

MD5
3a78760e1b8c23ff19834fd4593820bb

SHA1
32cce55c84d220f9c0e3885bcb8bdd6badf42718

SHA256
69979043630abcf5b27f7ebe89f34e75e47c234b51bcf71eecdba7b2df42917d

SHA512
6e9e017588d59e38f42328189dd533d736ccbea95aa64024e117ca81964489b2df897d88d3e849de82debc7c6dcc11cd9c39ae62d1d0807227994019e8c3a5ee

Download Submit
C:\Windows\{28A31865-1C54-45fb-9C68-891B3AA87872}.exe

Filesize
344KB

MD5
811736c86e6d52df73716fe9677b0dab

SHA1
92c197c8b69055d959748f87845cb306d031fc91

SHA256
38fe20a90b303696d611bea7381f209140aafc1e070c56935a5e335638015148

SHA512
c2492306ece91f65a7cf97750c9c410815036f5538262c5cd3c67ef3a83455a4b38ded095bf8b7e781d04f27f10de81b152470b43a3dfa2e6ca87bc4bece637c

Download Submit
C:\Windows\{3974D498-3B43-466c-B992-6014768E829B}.exe

Filesize
344KB

MD5
4d6b79bb89fdab863bfe61eb90a4ae90

SHA1
4c17604a3ce4da6796b4ad6cfb525793bccc03f4

SHA256
d4fc62cefb321e24ccbfdfb13e6d37b9165c9476e3b1b491a778e768090b6f4e

SHA512
4b2c5bcf2c0309cc1e97d6e3d5a9fd0eb3cbcb143110c670be0a5cf927045b9f1479943954ffd85ee5a30d9622f807e628f5c70a4b485f34c85da900af74b505

Download Submit
C:\Windows\{3F8040AC-C90B-4f7d-AE9B-2DD936858E04}.exe

Filesize
344KB

MD5
d7ba7b748c22a1694618730d2d77a566

SHA1
f52b18a96f7bd67188b248a580e683d5ffd7f01d

SHA256
b5e2ea15bbbdf91168256a92ee52483cf081d0c3cd7fbe7dbcfd8ad1f8413744

SHA512
642de322f4bf2ed34f9e7ab42fb60ce1e3750debcca41287fdd63f43879cc3c7f10f4e01cb10f7bd45c22420da03938978c11ea29ba117adf78843885dc229dc

Download Submit
C:\Windows\{5ADAB127-AA15-4740-A0C8-E62099BB31C8}.exe

Filesize
344KB

MD5
ee205b8c7e6cead4673bd68777cff2e4

SHA1
f6caa4c36f5deeb11fc7e5f319d5a437c446d5bf

SHA256
5f88218403456bd8aa27df8c37c39c92f57b1fdc2d975ed9e8996f91fab482cf

SHA512
70d6fc6f2dba76ba002076c682f6c973d964d971d18b6bd31f025ef50d4bf78144117544f0f071f0e4722afa5bfc3209eef8ef7534fff37eaf36fa69c09cec33

Download Submit
C:\Windows\{7CC840FF-0A60-47d1-8EAA-B61238F66B19}.exe

Filesize
344KB

MD5
1cf67b6e84d39e8044ec0fc20aed6ec1

SHA1
4b37b19b3e4042659cb622c167da232c2d7699b1

SHA256
691d4a236bb73a57f7a88b1c8c6bd41bb93c1f90ba42e2effe4abdd1e38cad11

SHA512
a464cd63ed942a80bc39258c83d3e042e62acacf695b114e10eefccddf9411da25f4724a21ab48f55c5a021b32c5a5f539ba8266de532ad6af7baf640777170c

Download Submit
C:\Windows\{7ED05203-2932-42c8-8E13-D433F6A5115D}.exe

Filesize
344KB

MD5
57b4a882865066959f04ddea7fe90c18

SHA1
50ced5d3a1be67263ade9c06aa3e1b9baad274d1

SHA256
736ce9385e6fa26e0c908543d6ac7f7ee2a13ab1365d1ddb03a85b5d2f81f382

SHA512
42c606e5d9f21f0030d10e366edde8019637a360172960855701371a51f528955c7fda76e747e142b6c68c5cc48301c2569527d5095eb0b13ba7f028371d6f93

Download Submit
C:\Windows\{80EF53A1-E9BC-4f4a-B71E-3B164DA79CD7}.exe

Filesize
344KB

MD5
eab39d14bc4a5bff1255364d929a40fd

SHA1
fea2bf6eafcb2d9b3415ff7cd5583ea99b10ea98

SHA256
c4731c6df6a4a868ee7c0d291f7efc4ee9da78ab91024282d6404a2cee1ecae2

SHA512
eca686cb290bdb6f8c59852ffba3cf3918ff10c0cd817a713c52c4d84ffc37d7cd68bd4181214bff40e53a154f985a638c1529852b7c0b40ed394212eea8853b

Download Submit
C:\Windows\{E25B726C-4FD0-437a-B07E-EF21834F0482}.exe

Filesize
344KB

MD5
315780f2d7246e0da005abc42ec639c5

SHA1
75ddc32771df8590aabb0a67081b8558a4aa542a

SHA256
dd0c351f514283a6b438b660062ad7d300890eef151e995b782ea9383f8c547a

SHA512
764a2845778d29ad4f19674827a87b8ee512faece553559aebb3c8b9dbaadf0bda48cb1950768cce8ce415f665c575be8d740c57b86748b28c4c936dce62e547

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads