f54fd05835a115a557459c230d4b73171c3b0357de784f08bef61e8ed793dcf2

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 13:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Size

372KB
MD5

7e9bb85e5df1665e4c116de8de41937e
SHA1

9e0faafbb59ae46fc33f1dd7c15e9f3e6899fc7c
SHA256

f54fd05835a115a557459c230d4b73171c3b0357de784f08bef61e8ed793dcf2
SHA512

14342e3f09a0795eb56d5e7f4a7735238beba9fbd5a08eebf82d3c94039b230428964a1f560aef79da111f34ce1a2c7a647343378733ac1eebe14840bd0b527e
SSDEEP

3072:CEGh0oYlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGelkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002312e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023138-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023140-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002313f-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}\stubpath = "C:\\Windows\\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe"	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}\stubpath = "C:\\Windows\\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe"	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}\stubpath = "C:\\Windows\\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe"	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}\stubpath = "C:\\Windows\\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe"	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E67C99-653D-4312-BA6E-A48845E517D1}\stubpath = "C:\\Windows\\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe"	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06930CD3-B7D0-4215-B335-35264785C019}\stubpath = "C:\\Windows\\{06930CD3-B7D0-4215-B335-35264785C019}.exe"	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}\stubpath = "C:\\Windows\\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe"	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E67C99-653D-4312-BA6E-A48845E517D1}	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{960937B3-D009-43db-8DEF-8C6D20DC336E}	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD53359F-1122-484a-ADEC-514237A9215F}	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD53359F-1122-484a-ADEC-514237A9215F}\stubpath = "C:\\Windows\\{DD53359F-1122-484a-ADEC-514237A9215F}.exe"	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD452C80-E820-44a5-B9F0-C3598640353E}	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD452C80-E820-44a5-B9F0-C3598640353E}\stubpath = "C:\\Windows\\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe"	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}\stubpath = "C:\\Windows\\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe"	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{960937B3-D009-43db-8DEF-8C6D20DC336E}\stubpath = "C:\\Windows\\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe"	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}\stubpath = "C:\\Windows\\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe"	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06930CD3-B7D0-4215-B335-35264785C019}	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
1016	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
3144	{06930CD3-B7D0-4215-B335-35264785C019}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
File created	C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
File created	C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
File created	C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
File created	C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
File created	C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
File created	C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
File created	C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
File created	C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
File created	C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
File created	C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
File created	C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
Token: SeIncBasePriorityPrivilege	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
Token: SeIncBasePriorityPrivilege	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
Token: SeIncBasePriorityPrivilege	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
Token: SeIncBasePriorityPrivilege	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
Token: SeIncBasePriorityPrivilege	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
Token: SeIncBasePriorityPrivilege	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
Token: SeIncBasePriorityPrivilege	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
Token: SeIncBasePriorityPrivilege	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
Token: SeIncBasePriorityPrivilege	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
Token: SeIncBasePriorityPrivilege	1016	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4004	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	87
PID 2860 wrote to memory of 4004	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	87
PID 2860 wrote to memory of 4004	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	87
PID 2860 wrote to memory of 500	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	88
PID 2860 wrote to memory of 500	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	88
PID 2860 wrote to memory of 500	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	88
PID 4004 wrote to memory of 1632	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	92
PID 4004 wrote to memory of 1632	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	92
PID 4004 wrote to memory of 1632	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	92
PID 4004 wrote to memory of 3860	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	93
PID 4004 wrote to memory of 3860	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	93
PID 4004 wrote to memory of 3860	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	93
PID 1632 wrote to memory of 316	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	96
PID 1632 wrote to memory of 316	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	96
PID 1632 wrote to memory of 316	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	96
PID 1632 wrote to memory of 2804	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	95
PID 1632 wrote to memory of 2804	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	95
PID 1632 wrote to memory of 2804	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	95
PID 316 wrote to memory of 1764	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	97
PID 316 wrote to memory of 1764	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	97
PID 316 wrote to memory of 1764	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	97
PID 316 wrote to memory of 4984	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	98
PID 316 wrote to memory of 4984	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	98
PID 316 wrote to memory of 4984	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	98
PID 1764 wrote to memory of 2448	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	99
PID 1764 wrote to memory of 2448	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	99
PID 1764 wrote to memory of 2448	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	99
PID 1764 wrote to memory of 2780	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	100
PID 1764 wrote to memory of 2780	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	100
PID 1764 wrote to memory of 2780	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	100
PID 2448 wrote to memory of 1384	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	101
PID 2448 wrote to memory of 1384	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	101
PID 2448 wrote to memory of 1384	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	101
PID 2448 wrote to memory of 4288	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	102
PID 2448 wrote to memory of 4288	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	102
PID 2448 wrote to memory of 4288	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	102
PID 1384 wrote to memory of 4292	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	103
PID 1384 wrote to memory of 4292	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	103
PID 1384 wrote to memory of 4292	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	103
PID 1384 wrote to memory of 3148	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	104
PID 1384 wrote to memory of 3148	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	104
PID 1384 wrote to memory of 3148	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	104
PID 4292 wrote to memory of 4476	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	105
PID 4292 wrote to memory of 4476	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	105
PID 4292 wrote to memory of 4476	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	105
PID 4292 wrote to memory of 1676	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	106
PID 4292 wrote to memory of 1676	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	106
PID 4292 wrote to memory of 1676	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	106
PID 4476 wrote to memory of 3280	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	108
PID 4476 wrote to memory of 3280	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	108
PID 4476 wrote to memory of 3280	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	108
PID 4476 wrote to memory of 4432	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	107
PID 4476 wrote to memory of 4432	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	107
PID 4476 wrote to memory of 4432	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	107
PID 3280 wrote to memory of 884	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	110
PID 3280 wrote to memory of 884	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	110
PID 3280 wrote to memory of 884	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	110
PID 3280 wrote to memory of 4200	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	109
PID 3280 wrote to memory of 4200	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	109
PID 3280 wrote to memory of 4200	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	109
PID 884 wrote to memory of 1016	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	111
PID 884 wrote to memory of 1016	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	111
PID 884 wrote to memory of 1016	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	111
PID 884 wrote to memory of 4392	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
  C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe
    C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD533~1.EXE > nul
      4⤵
      PID:2804
  - - C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
      C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
        
        C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
        
        C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
        
        C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
        
        C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
        
        C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15CD3~1.EXE > nul
        10⤵
        
        PID:4432
        
        C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
        
        C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{946CA~1.EXE > nul
        11⤵
        
        PID:4200
        
        C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
        
        C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
        
        C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96093~1.EXE > nul
        13⤵
        
        PID:2860
        
        C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe
        
        C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe
        13⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91E67~1.EXE > nul
        12⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E0FA~1.EXE > nul
        9⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7639C~1.EXE > nul
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7C7C~1.EXE > nul
        7⤵
        
        PID:4288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD452~1.EXE > nul
        6⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA908~1.EXE > nul
        5⤵
        
        PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A63AC~1.EXE > nul
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:500

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

114.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.110.16.96.in-addr.arpa

IN PTR

Response

114.110.16.96.in-addr.arpa

IN PTR

a96-16-110-114deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

234.17.178.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.17.178.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

114.110.16.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

114.110.16.96.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

234.17.178.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

234.17.178.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe

Filesize
372KB

MD5
2ac62ba79a7c9eff5391873d5a767861

SHA1
08205920c3ee50c4c6562d5fc23e4646777f82a4

SHA256
cf3aaa5d3eb202f66a2f178c1cae383409232ca11a10cfe70cb0951584122f3d

SHA512
d6cdf0fc1deefba0f62803d424b20cdbbc1b9847e49d602eb31aa6e3b4360fa6d3d5aca4f741ed5fe996c9a41e039748cd6974c073d3a857149152756d3e6f13

Download Submit
C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe

Filesize
372KB

MD5
c90e22d18bf2a7e7a2431208dc503b27

SHA1
6089a75e821c7eb1ab3088533a35c706f9f3241b

SHA256
0ef9adbb59ed983f9ce40fec1aa3df236911db75275d75291ca3a017e3f62ede

SHA512
626bfc353afedc0664ecef814fa89b0b2489b97b1ebf78afe0b924a97e63bd9c93aaab6d1f9fe251e2f7ddd9446565ce0a742218fd63ee82d4cb45a651bd72d7

Download Submit
C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe

Filesize
372KB

MD5
2f2c1c34874fed852de7eb2927f440f1

SHA1
994bd2a5824709c2cff1e8e8e100d91beb824b2c

SHA256
fef25aa3a71b36fe5cd96d7ae1dd83cae46eea76aa37597166a193a5a6df906f

SHA512
251db3db8d6b2a3054e51b3eb6d3c86c8b39197152ddcda2d8b5da40ca0e4bac881b524bcf59f5375ac9c24b74fd882812e7bce128fecf735df7d0d7cf1aaebb

Download Submit
C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe

Filesize
372KB

MD5
cb8995b76841234481c6b5731400a2df

SHA1
bc732f2189cf81ef4bd29954c2772edee83a7221

SHA256
ad1f1b4d3e5d11326eb28f5d46485cc33f20a189cc98966fb40b87e502975870

SHA512
5d1d0fc9ee091d8330a457ddd58df5305fbe526453c39cce18ad813788348682785ab7fd06a4b171b993fc1c3e99a0d2d03742061eaa984af78fca38047c6db8

Download Submit
C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe

Filesize
372KB

MD5
6f1352898be90e409818a16a6db35b96

SHA1
9123f78aa5c41bb9ec94f73a2f928d997c14216e

SHA256
81221d520133dd4c9ef9f9ed297187394a0d2bccdcc0a942bfcfb6463ddd9373

SHA512
1fd9af28d93caaeef7cc4413521eab45141e752433f84ed81509aba6501f58d1d48e5332b199ea580cbbe44cce92b74c0456ba409ea4b2490a3b2174f1d74669

Download Submit
C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe

Filesize
372KB

MD5
aaab889bd3cdc6e44fe911e167e93ec7

SHA1
4991c0a3701846ead066f9402e4ab74869496c41

SHA256
c69728c1d962d37eca8f699d80d95a234f3f24a4f31293cbd3cdec6900c76c53

SHA512
2524aae8f9d6b3cdafc02a25ca31526c80e71855938954c14941933390d24393b21f02ec8a4e3f3164092d1cb60bd7d61232bfcc8fa5ff1c4523a24b60ae70ab

Download Submit
C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe

Filesize
372KB

MD5
eabd25dbd134334c8bf43e87bcc59635

SHA1
133c4454ca5f06834c3e3b60f61982022a3257d4

SHA256
c4f004095827b161fccbf5dc30d5c82f7345d2e478529050cae553a56b84f2d6

SHA512
becdfd95925604b897e60c0d1c841ee572d5a30cbc49d0ce85f680f3c77e1a3a01b643c0cfa364afa15571c651649d84ccb568b0bebaf1d4842514b21460e5e5

Download Submit
C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe

Filesize
372KB

MD5
2c2a5bba64a1b3d3c8796db855203cd1

SHA1
5216510a478e6a9a8a2bf2a1f5d1c2777c40d326

SHA256
922a3324197ec739a229952ad06f9dd91668efd0b98d6d40ee33ff0fc776d90e

SHA512
0fb8c7f8869718997f9e03ad36fa4505a12ab3ad3d817e34757d20f55b4b9f7aa6ac19558d783f9bc3add0ea6e1cf29c879c7229a396775a26c923a7e4faf37f

Download Submit
C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe

Filesize
372KB

MD5
fa0a2e2ccb17aad16ee8075443dd82fe

SHA1
75fecb5217051b57ae5d92292dff048345c6732b

SHA256
a20d887f5fc5217d601ed4d5f3d2b5dc2e6ce05cd5a4414c9b01d806c5dbb980

SHA512
fe84f7487f1aa6591e499afa0257e03004130314c414f0da3dbf187e3d9d2b98708d2d36a5122524f4396cf69054b9c84769db7346ca41878af7bc53fae32a95

Download Submit
C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe

Filesize
372KB

MD5
228c38df104891c3723ba1f1dad0c664

SHA1
155dc4a00e0a2cd7315d56217029d9c77dfe61cc

SHA256
273f1c5e5fb33781b448d532f1ae39f92266c9bd7bc7c8e6b65c2b33ebeec2aa

SHA512
b20f553ecae849b61ad6df509dda782966fce7d2b4c407d3cb5f0a3a2835a8286beb1e7029a0ac5719b7ef8bb50f9816d3beef15928ad30fb8f9591b61039289

Download Submit
C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe

Filesize
372KB

MD5
cdbfb8530b06edbb4d4c686af3e1ef7a

SHA1
d44ba5dccac04918554519b41023f538cd1b47b3

SHA256
d312297a017a340bea72fd5a2e0e577f9a16b1c060c1cce69b2f06f4066f144e

SHA512
740df4817eb897183cb647dddb5a937485c813ca07e9e8600fbc725a7fa64ffd96a4b75eabb530152b91e5b0de013f23c99f72a08fd39601df0e4deb2e01856a

Download Submit
C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe

Filesize
372KB

MD5
c387cc64d0ace25627c00c5c2ae49414

SHA1
1fb2c34783d0a77831178644717b922accbecf27

SHA256
6306c145adbbaa8404c5a96f665278c9f76277d6658328a22ab819aeacca9f1c

SHA512
67da04006337b295afb0a933f59bd7d1e169a6af777f6390caf666629c717f5787181ad73d051fe6d0d1aa0a9931bbb1f8d118da6aa238ca7afa3071265ec242

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.