f54fd05835a115a557459c230d4b73171c3b0357de784f08bef61e8ed793dcf2

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Size

372KB
MD5

7e9bb85e5df1665e4c116de8de41937e
SHA1

9e0faafbb59ae46fc33f1dd7c15e9f3e6899fc7c
SHA256

f54fd05835a115a557459c230d4b73171c3b0357de784f08bef61e8ed793dcf2
SHA512

14342e3f09a0795eb56d5e7f4a7735238beba9fbd5a08eebf82d3c94039b230428964a1f560aef79da111f34ce1a2c7a647343378733ac1eebe14840bd0b527e
SSDEEP

3072:CEGh0oYlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGelkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002312e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023138-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023140-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002313f-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}\stubpath = "C:\\Windows\\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe"	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}\stubpath = "C:\\Windows\\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe"	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}\stubpath = "C:\\Windows\\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe"	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}\stubpath = "C:\\Windows\\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe"	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E67C99-653D-4312-BA6E-A48845E517D1}\stubpath = "C:\\Windows\\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe"	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06930CD3-B7D0-4215-B335-35264785C019}\stubpath = "C:\\Windows\\{06930CD3-B7D0-4215-B335-35264785C019}.exe"	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}\stubpath = "C:\\Windows\\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe"	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E67C99-653D-4312-BA6E-A48845E517D1}	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{960937B3-D009-43db-8DEF-8C6D20DC336E}	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD53359F-1122-484a-ADEC-514237A9215F}	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD53359F-1122-484a-ADEC-514237A9215F}\stubpath = "C:\\Windows\\{DD53359F-1122-484a-ADEC-514237A9215F}.exe"	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD452C80-E820-44a5-B9F0-C3598640353E}	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD452C80-E820-44a5-B9F0-C3598640353E}\stubpath = "C:\\Windows\\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe"	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}\stubpath = "C:\\Windows\\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe"	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{960937B3-D009-43db-8DEF-8C6D20DC336E}\stubpath = "C:\\Windows\\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe"	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}\stubpath = "C:\\Windows\\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe"	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06930CD3-B7D0-4215-B335-35264785C019}	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
1016	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
3144	{06930CD3-B7D0-4215-B335-35264785C019}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
File created	C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
File created	C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
File created	C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
File created	C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
File created	C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
File created	C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
File created	C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
File created	C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
File created	C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
File created	C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
File created	C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
Token: SeIncBasePriorityPrivilege	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe
Token: SeIncBasePriorityPrivilege	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
Token: SeIncBasePriorityPrivilege	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
Token: SeIncBasePriorityPrivilege	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
Token: SeIncBasePriorityPrivilege	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
Token: SeIncBasePriorityPrivilege	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
Token: SeIncBasePriorityPrivilege	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
Token: SeIncBasePriorityPrivilege	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
Token: SeIncBasePriorityPrivilege	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
Token: SeIncBasePriorityPrivilege	1016	{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4004	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	87
PID 2860 wrote to memory of 4004	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	87
PID 2860 wrote to memory of 4004	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	87
PID 2860 wrote to memory of 500	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	88
PID 2860 wrote to memory of 500	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	88
PID 2860 wrote to memory of 500	2860	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	88
PID 4004 wrote to memory of 1632	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	92
PID 4004 wrote to memory of 1632	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	92
PID 4004 wrote to memory of 1632	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	92
PID 4004 wrote to memory of 3860	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	93
PID 4004 wrote to memory of 3860	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	93
PID 4004 wrote to memory of 3860	4004	{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe	93
PID 1632 wrote to memory of 316	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	96
PID 1632 wrote to memory of 316	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	96
PID 1632 wrote to memory of 316	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	96
PID 1632 wrote to memory of 2804	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	95
PID 1632 wrote to memory of 2804	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	95
PID 1632 wrote to memory of 2804	1632	{DD53359F-1122-484a-ADEC-514237A9215F}.exe	95
PID 316 wrote to memory of 1764	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	97
PID 316 wrote to memory of 1764	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	97
PID 316 wrote to memory of 1764	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	97
PID 316 wrote to memory of 4984	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	98
PID 316 wrote to memory of 4984	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	98
PID 316 wrote to memory of 4984	316	{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe	98
PID 1764 wrote to memory of 2448	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	99
PID 1764 wrote to memory of 2448	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	99
PID 1764 wrote to memory of 2448	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	99
PID 1764 wrote to memory of 2780	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	100
PID 1764 wrote to memory of 2780	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	100
PID 1764 wrote to memory of 2780	1764	{BD452C80-E820-44a5-B9F0-C3598640353E}.exe	100
PID 2448 wrote to memory of 1384	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	101
PID 2448 wrote to memory of 1384	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	101
PID 2448 wrote to memory of 1384	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	101
PID 2448 wrote to memory of 4288	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	102
PID 2448 wrote to memory of 4288	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	102
PID 2448 wrote to memory of 4288	2448	{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe	102
PID 1384 wrote to memory of 4292	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	103
PID 1384 wrote to memory of 4292	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	103
PID 1384 wrote to memory of 4292	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	103
PID 1384 wrote to memory of 3148	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	104
PID 1384 wrote to memory of 3148	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	104
PID 1384 wrote to memory of 3148	1384	{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe	104
PID 4292 wrote to memory of 4476	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	105
PID 4292 wrote to memory of 4476	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	105
PID 4292 wrote to memory of 4476	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	105
PID 4292 wrote to memory of 1676	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	106
PID 4292 wrote to memory of 1676	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	106
PID 4292 wrote to memory of 1676	4292	{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe	106
PID 4476 wrote to memory of 3280	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	108
PID 4476 wrote to memory of 3280	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	108
PID 4476 wrote to memory of 3280	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	108
PID 4476 wrote to memory of 4432	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	107
PID 4476 wrote to memory of 4432	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	107
PID 4476 wrote to memory of 4432	4476	{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe	107
PID 3280 wrote to memory of 884	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	110
PID 3280 wrote to memory of 884	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	110
PID 3280 wrote to memory of 884	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	110
PID 3280 wrote to memory of 4200	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	109
PID 3280 wrote to memory of 4200	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	109
PID 3280 wrote to memory of 4200	3280	{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe	109
PID 884 wrote to memory of 1016	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	111
PID 884 wrote to memory of 1016	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	111
PID 884 wrote to memory of 1016	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	111
PID 884 wrote to memory of 4392	884	{91E67C99-653D-4312-BA6E-A48845E517D1}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
  C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe
    C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD533~1.EXE > nul
      4⤵
      PID:2804
  - - C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
      C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
        
        C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
        
        C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
        
        C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
        
        C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
        
        C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15CD3~1.EXE > nul
        10⤵
        
        PID:4432
        
        C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
        
        C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{946CA~1.EXE > nul
        11⤵
        
        PID:4200
        
        C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
        
        C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
        
        C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96093~1.EXE > nul
        13⤵
        
        PID:2860
        
        C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe
        
        C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe
        13⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91E67~1.EXE > nul
        12⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E0FA~1.EXE > nul
        9⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7639C~1.EXE > nul
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7C7C~1.EXE > nul
        7⤵
        
        PID:4288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD452~1.EXE > nul
        6⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA908~1.EXE > nul
        5⤵
        
        PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A63AC~1.EXE > nul
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06930CD3-B7D0-4215-B335-35264785C019}.exe

Filesize
372KB

MD5
2ac62ba79a7c9eff5391873d5a767861

SHA1
08205920c3ee50c4c6562d5fc23e4646777f82a4

SHA256
cf3aaa5d3eb202f66a2f178c1cae383409232ca11a10cfe70cb0951584122f3d

SHA512
d6cdf0fc1deefba0f62803d424b20cdbbc1b9847e49d602eb31aa6e3b4360fa6d3d5aca4f741ed5fe996c9a41e039748cd6974c073d3a857149152756d3e6f13

Download Submit
C:\Windows\{15CD351F-5B1A-4514-A9DE-6605C89C9AE9}.exe

Filesize
372KB

MD5
c90e22d18bf2a7e7a2431208dc503b27

SHA1
6089a75e821c7eb1ab3088533a35c706f9f3241b

SHA256
0ef9adbb59ed983f9ce40fec1aa3df236911db75275d75291ca3a017e3f62ede

SHA512
626bfc353afedc0664ecef814fa89b0b2489b97b1ebf78afe0b924a97e63bd9c93aaab6d1f9fe251e2f7ddd9446565ce0a742218fd63ee82d4cb45a651bd72d7

Download Submit
C:\Windows\{1E0FA8E7-F6A8-4705-99F4-5662520B469A}.exe

Filesize
372KB

MD5
2f2c1c34874fed852de7eb2927f440f1

SHA1
994bd2a5824709c2cff1e8e8e100d91beb824b2c

SHA256
fef25aa3a71b36fe5cd96d7ae1dd83cae46eea76aa37597166a193a5a6df906f

SHA512
251db3db8d6b2a3054e51b3eb6d3c86c8b39197152ddcda2d8b5da40ca0e4bac881b524bcf59f5375ac9c24b74fd882812e7bce128fecf735df7d0d7cf1aaebb

Download Submit
C:\Windows\{7639C283-DDDD-4432-AD93-02BDEB1FB7EF}.exe

Filesize
372KB

MD5
cb8995b76841234481c6b5731400a2df

SHA1
bc732f2189cf81ef4bd29954c2772edee83a7221

SHA256
ad1f1b4d3e5d11326eb28f5d46485cc33f20a189cc98966fb40b87e502975870

SHA512
5d1d0fc9ee091d8330a457ddd58df5305fbe526453c39cce18ad813788348682785ab7fd06a4b171b993fc1c3e99a0d2d03742061eaa984af78fca38047c6db8

Download Submit
C:\Windows\{91E67C99-653D-4312-BA6E-A48845E517D1}.exe

Filesize
372KB

MD5
6f1352898be90e409818a16a6db35b96

SHA1
9123f78aa5c41bb9ec94f73a2f928d997c14216e

SHA256
81221d520133dd4c9ef9f9ed297187394a0d2bccdcc0a942bfcfb6463ddd9373

SHA512
1fd9af28d93caaeef7cc4413521eab45141e752433f84ed81509aba6501f58d1d48e5332b199ea580cbbe44cce92b74c0456ba409ea4b2490a3b2174f1d74669

Download Submit
C:\Windows\{946CAD4E-8BE0-4359-8FCB-8211F2676CA4}.exe

Filesize
372KB

MD5
aaab889bd3cdc6e44fe911e167e93ec7

SHA1
4991c0a3701846ead066f9402e4ab74869496c41

SHA256
c69728c1d962d37eca8f699d80d95a234f3f24a4f31293cbd3cdec6900c76c53

SHA512
2524aae8f9d6b3cdafc02a25ca31526c80e71855938954c14941933390d24393b21f02ec8a4e3f3164092d1cb60bd7d61232bfcc8fa5ff1c4523a24b60ae70ab

Download Submit
C:\Windows\{960937B3-D009-43db-8DEF-8C6D20DC336E}.exe

Filesize
372KB

MD5
eabd25dbd134334c8bf43e87bcc59635

SHA1
133c4454ca5f06834c3e3b60f61982022a3257d4

SHA256
c4f004095827b161fccbf5dc30d5c82f7345d2e478529050cae553a56b84f2d6

SHA512
becdfd95925604b897e60c0d1c841ee572d5a30cbc49d0ce85f680f3c77e1a3a01b643c0cfa364afa15571c651649d84ccb568b0bebaf1d4842514b21460e5e5

Download Submit
C:\Windows\{A63AC502-9770-4d9b-A1DC-73B5F07DEF8F}.exe

Filesize
372KB

MD5
2c2a5bba64a1b3d3c8796db855203cd1

SHA1
5216510a478e6a9a8a2bf2a1f5d1c2777c40d326

SHA256
922a3324197ec739a229952ad06f9dd91668efd0b98d6d40ee33ff0fc776d90e

SHA512
0fb8c7f8869718997f9e03ad36fa4505a12ab3ad3d817e34757d20f55b4b9f7aa6ac19558d783f9bc3add0ea6e1cf29c879c7229a396775a26c923a7e4faf37f

Download Submit
C:\Windows\{BD452C80-E820-44a5-B9F0-C3598640353E}.exe

Filesize
372KB

MD5
fa0a2e2ccb17aad16ee8075443dd82fe

SHA1
75fecb5217051b57ae5d92292dff048345c6732b

SHA256
a20d887f5fc5217d601ed4d5f3d2b5dc2e6ce05cd5a4414c9b01d806c5dbb980

SHA512
fe84f7487f1aa6591e499afa0257e03004130314c414f0da3dbf187e3d9d2b98708d2d36a5122524f4396cf69054b9c84769db7346ca41878af7bc53fae32a95

Download Submit
C:\Windows\{C7C7C496-6CA2-4b88-885B-448D7F2CC672}.exe

Filesize
372KB

MD5
228c38df104891c3723ba1f1dad0c664

SHA1
155dc4a00e0a2cd7315d56217029d9c77dfe61cc

SHA256
273f1c5e5fb33781b448d532f1ae39f92266c9bd7bc7c8e6b65c2b33ebeec2aa

SHA512
b20f553ecae849b61ad6df509dda782966fce7d2b4c407d3cb5f0a3a2835a8286beb1e7029a0ac5719b7ef8bb50f9816d3beef15928ad30fb8f9591b61039289

Download Submit
C:\Windows\{DD53359F-1122-484a-ADEC-514237A9215F}.exe

Filesize
372KB

MD5
cdbfb8530b06edbb4d4c686af3e1ef7a

SHA1
d44ba5dccac04918554519b41023f538cd1b47b3

SHA256
d312297a017a340bea72fd5a2e0e577f9a16b1c060c1cce69b2f06f4066f144e

SHA512
740df4817eb897183cb647dddb5a937485c813ca07e9e8600fbc725a7fa64ffd96a4b75eabb530152b91e5b0de013f23c99f72a08fd39601df0e4deb2e01856a

Download Submit
C:\Windows\{FA9084D1-898F-4976-AF41-A40BDF02AFC7}.exe

Filesize
372KB

MD5
c387cc64d0ace25627c00c5c2ae49414

SHA1
1fb2c34783d0a77831178644717b922accbecf27

SHA256
6306c145adbbaa8404c5a96f665278c9f76277d6658328a22ab819aeacca9f1c

SHA512
67da04006337b295afb0a933f59bd7d1e169a6af777f6390caf666629c717f5787181ad73d051fe6d0d1aa0a9931bbb1f8d118da6aa238ca7afa3071265ec242

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads