cefe367ecf5ebc8acecd85ca402b419f361fbc6e61fa21a024c491ae84c7bf39

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Size

180KB
MD5

af5021b6d57bedd6e34a4a3e6c08f1cf
SHA1

9b89844a0a781c88f3dd5ee6e5b0496d4f0d4e03
SHA256

cefe367ecf5ebc8acecd85ca402b419f361fbc6e61fa21a024c491ae84c7bf39
SHA512

ae0ce7138a203b5aadbe0362f0fd568914f8827be2cec1cb01ef7a65184cce36759d81322455b1b525b97dd28595cfad658991a9b59e892ba48098cfc7936c74
SSDEEP

3072:jEGh0ollfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0010000000023264-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002326b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023054-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56B7567D-A4F9-4294-8A9D-F05BBCF07220}\stubpath = "C:\\Windows\\{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe"	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4337CE5-4D70-4343-96C7-58ED89924E99}\stubpath = "C:\\Windows\\{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe"	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65BAFEDA-71BF-465a-B514-47B8EB055536}	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}\stubpath = "C:\\Windows\\{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe"	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E434BC-B76D-4485-A813-69173F61A18A}\stubpath = "C:\\Windows\\{14E434BC-B76D-4485-A813-69173F61A18A}.exe"	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D16F39BF-EE46-496b-BB8B-8FC2367375DD}	{14E434BC-B76D-4485-A813-69173F61A18A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D16F39BF-EE46-496b-BB8B-8FC2367375DD}\stubpath = "C:\\Windows\\{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe"	{14E434BC-B76D-4485-A813-69173F61A18A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56B7567D-A4F9-4294-8A9D-F05BBCF07220}	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{769EA581-0D6A-4e55-8499-4B205B4B5FB6}	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BBA2F3-E5C6-443d-8E2F-4792EF206297}	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}\stubpath = "C:\\Windows\\{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe"	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E618989-891B-4a7e-9DB8-967F85D90A67}	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}\stubpath = "C:\\Windows\\{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe"	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E618989-891B-4a7e-9DB8-967F85D90A67}\stubpath = "C:\\Windows\\{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe"	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BBA2F3-E5C6-443d-8E2F-4792EF206297}\stubpath = "C:\\Windows\\{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe"	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65BAFEDA-71BF-465a-B514-47B8EB055536}\stubpath = "C:\\Windows\\{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe"	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E434BC-B76D-4485-A813-69173F61A18A}	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4337CE5-4D70-4343-96C7-58ED89924E99}	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{769EA581-0D6A-4e55-8499-4B205B4B5FB6}\stubpath = "C:\\Windows\\{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe"	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}	{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}\stubpath = "C:\\Windows\\{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}.exe"	{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe

Executes dropped EXE 12 IoCs

pid	Process
2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe
1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe
2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe
1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe
4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe
4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe
3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe
1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe
1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe
784	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe
4048	{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe
4052	{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe
File created	C:\Windows\{14E434BC-B76D-4485-A813-69173F61A18A}.exe	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe
File created	C:\Windows\{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe	{14E434BC-B76D-4485-A813-69173F61A18A}.exe
File created	C:\Windows\{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe
File created	C:\Windows\{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe
File created	C:\Windows\{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}.exe	{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe
File created	C:\Windows\{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
File created	C:\Windows\{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe
File created	C:\Windows\{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe
File created	C:\Windows\{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe
File created	C:\Windows\{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe
File created	C:\Windows\{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3864	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe
Token: SeIncBasePriorityPrivilege	1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe
Token: SeIncBasePriorityPrivilege	2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe
Token: SeIncBasePriorityPrivilege	1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe
Token: SeIncBasePriorityPrivilege	4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe
Token: SeIncBasePriorityPrivilege	4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe
Token: SeIncBasePriorityPrivilege	3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe
Token: SeIncBasePriorityPrivilege	1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe
Token: SeIncBasePriorityPrivilege	1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe
Token: SeIncBasePriorityPrivilege	784	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe
Token: SeIncBasePriorityPrivilege	4048	{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2624	3864	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	97
PID 3864 wrote to memory of 2624	3864	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	97
PID 3864 wrote to memory of 2624	3864	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	97
PID 3864 wrote to memory of 5048	3864	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	98
PID 3864 wrote to memory of 5048	3864	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	98
PID 3864 wrote to memory of 5048	3864	2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe	98
PID 2624 wrote to memory of 1700	2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe	99
PID 2624 wrote to memory of 1700	2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe	99
PID 2624 wrote to memory of 1700	2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe	99
PID 2624 wrote to memory of 2152	2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe	100
PID 2624 wrote to memory of 2152	2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe	100
PID 2624 wrote to memory of 2152	2624	{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe	100
PID 1700 wrote to memory of 2652	1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe	103
PID 1700 wrote to memory of 2652	1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe	103
PID 1700 wrote to memory of 2652	1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe	103
PID 1700 wrote to memory of 2056	1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe	102
PID 1700 wrote to memory of 2056	1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe	102
PID 1700 wrote to memory of 2056	1700	{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe	102
PID 2652 wrote to memory of 1448	2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe	104
PID 2652 wrote to memory of 1448	2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe	104
PID 2652 wrote to memory of 1448	2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe	104
PID 2652 wrote to memory of 4288	2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe	105
PID 2652 wrote to memory of 4288	2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe	105
PID 2652 wrote to memory of 4288	2652	{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe	105
PID 1448 wrote to memory of 4696	1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe	106
PID 1448 wrote to memory of 4696	1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe	106
PID 1448 wrote to memory of 4696	1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe	106
PID 1448 wrote to memory of 3240	1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe	107
PID 1448 wrote to memory of 3240	1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe	107
PID 1448 wrote to memory of 3240	1448	{14E434BC-B76D-4485-A813-69173F61A18A}.exe	107
PID 4696 wrote to memory of 4712	4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe	108
PID 4696 wrote to memory of 4712	4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe	108
PID 4696 wrote to memory of 4712	4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe	108
PID 4696 wrote to memory of 2756	4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe	109
PID 4696 wrote to memory of 2756	4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe	109
PID 4696 wrote to memory of 2756	4696	{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe	109
PID 4712 wrote to memory of 3004	4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe	110
PID 4712 wrote to memory of 3004	4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe	110
PID 4712 wrote to memory of 3004	4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe	110
PID 4712 wrote to memory of 2244	4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe	111
PID 4712 wrote to memory of 2244	4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe	111
PID 4712 wrote to memory of 2244	4712	{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe	111
PID 3004 wrote to memory of 1232	3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe	113
PID 3004 wrote to memory of 1232	3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe	113
PID 3004 wrote to memory of 1232	3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe	113
PID 3004 wrote to memory of 3452	3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe	112
PID 3004 wrote to memory of 3452	3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe	112
PID 3004 wrote to memory of 3452	3004	{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe	112
PID 1232 wrote to memory of 1652	1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe	114
PID 1232 wrote to memory of 1652	1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe	114
PID 1232 wrote to memory of 1652	1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe	114
PID 1232 wrote to memory of 3700	1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe	115
PID 1232 wrote to memory of 3700	1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe	115
PID 1232 wrote to memory of 3700	1232	{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe	115
PID 1652 wrote to memory of 784	1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe	116
PID 1652 wrote to memory of 784	1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe	116
PID 1652 wrote to memory of 784	1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe	116
PID 1652 wrote to memory of 3412	1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe	117
PID 1652 wrote to memory of 3412	1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe	117
PID 1652 wrote to memory of 3412	1652	{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe	117
PID 784 wrote to memory of 4048	784	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe	118
PID 784 wrote to memory of 4048	784	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe	118
PID 784 wrote to memory of 4048	784	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe	118
PID 784 wrote to memory of 3076	784	{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_af5021b6d57bedd6e34a4a3e6c08f1cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe
  C:\Windows\{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe
    C:\Windows\{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{65BAF~1.EXE > nul
      4⤵
      PID:2056
  - - C:\Windows\{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe
      C:\Windows\{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\{14E434BC-B76D-4485-A813-69173F61A18A}.exe
        
        C:\Windows\{14E434BC-B76D-4485-A813-69173F61A18A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe
        
        C:\Windows\{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe
        
        C:\Windows\{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe
        
        C:\Windows\{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4337~1.EXE > nul
        9⤵
        
        PID:3452
        
        C:\Windows\{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe
        
        C:\Windows\{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe
        
        C:\Windows\{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe
        
        C:\Windows\{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe
        
        C:\Windows\{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E618~1.EXE > nul
        13⤵
        
        PID:5116
        
        C:\Windows\{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}.exe
        
        C:\Windows\{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24D77~1.EXE > nul
        12⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{769EA~1.EXE > nul
        11⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47C3F~1.EXE > nul
        10⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56B75~1.EXE > nul
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D16F3~1.EXE > nul
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E43~1.EXE > nul
        6⤵
        
        PID:3240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D12F4~1.EXE > nul
        5⤵
        
        PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{11BBA~1.EXE > nul
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11BBA2F3-E5C6-443d-8E2F-4792EF206297}.exe

Filesize
180KB

MD5
8b724415f349bae606c3a8aec4f35beb

SHA1
b48abeb196676d2cd44c37b18fceb675fe901149

SHA256
4c4ddb7e0b15171e8e2e99d9b89a6366f10585b97d8c6f7f9a57bf25e9745095

SHA512
2cc4029a8b1ff247560cebf57e5da813b0319292fe181b326fad8c5558edcee15d1fa7452d9298fb4f365287718279a38e304d17ada8799833d5037813065aa1

Download Submit
C:\Windows\{14E434BC-B76D-4485-A813-69173F61A18A}.exe

Filesize
180KB

MD5
8f6d22a459302d928d83f0d74a07f3f4

SHA1
0e643ddd955e871bcedf0a31eea601f0733a93db

SHA256
5cc609ed581d2c5c759c038a2298f01dd1f2be09e87a3d4ea0f554d3202c4cf5

SHA512
a0bf92d99a03ce7e7b9f8c60f31b21d3aac4a7b926b0cea35e5e996b841fe7210d10ba48c7442e8fbe910d2c8f42fc3ae6e626e7b41bac56d63ac9a7832ee1f6

Download Submit
C:\Windows\{24D77668-C9A3-4c95-AFF8-CBF046E7B5DF}.exe

Filesize
180KB

MD5
ccea8e5a08fb2cdd0471bc0b239f99cb

SHA1
7200ac53a349f0fe1ffccc6e3aae714aecf3b10d

SHA256
a9adbbbfad704f67e285e800d50c2085cb112914cb920e5c5ba86edc96796a5a

SHA512
2458ee7e3c9b727c32bbabfee8b7ca4a6c3b258b85a145dd007d1cce68a302d4cc6dd454f1619ff053f9194a82ac045b7972e7a2e66d9bdb605098f38d288a81

Download Submit
C:\Windows\{47C3FAA8-CE21-4e93-B0D3-7A309C440B31}.exe

Filesize
180KB

MD5
d9f072eb2cf0293d7145c186607a4c64

SHA1
640f4959716109329f45b6d25b832cd78935462c

SHA256
89987172fc80502b13d13f201f7cc4cba6ff2a33144c9861f13e5d82affc47a5

SHA512
0af6737606045a9549e4e2af2ea2aadb2d459d75ee7de3b67290bbf8a50e10ac60c7ad1a363454ced3b764ec6b3fed618bc714da442a85cda83fc0414c105316

Download Submit
C:\Windows\{4E618989-891B-4a7e-9DB8-967F85D90A67}.exe

Filesize
180KB

MD5
5e9494b78c102e84700e2aa84c62a10a

SHA1
f9d83261bc70bbde36bbae8c5282fb1084ee12a3

SHA256
033d040be3518cdf949614c37c371e8d7c82001998eedbb6949267ecfee0fb8a

SHA512
8a0cf9087ac31dc106e3e7f907ee42193567bba737d324b91c519ac33330d78aaf7dba53b199a27903f58e04401a72b9bd3b462e17940828c51ee336b5e74aa3

Download Submit
C:\Windows\{56B7567D-A4F9-4294-8A9D-F05BBCF07220}.exe

Filesize
180KB

MD5
2f8d0c58228c3be0192c72d7243f6915

SHA1
b1f1ad87d96ceaf67fe768ecf8652d7fbab94e8a

SHA256
ac6d332a8b4b1bddde784447a4ac5a85a7b2d0644cf9fb56566d914ba486f4fe

SHA512
052b74d5f323f764d304c3fdcf4a14deec4e6299e9672de416f0507925cc3df98feac70975ddb97c84fa0fe83f057ebf4b5be7fb1a41954e08cc0efb318dc6e6

Download Submit
C:\Windows\{65BAFEDA-71BF-465a-B514-47B8EB055536}.exe

Filesize
180KB

MD5
2f27da5ad7dadb64dcd72f05980c4c23

SHA1
16958ce24cb036ebe333336fa3dda39ccdc6f4e8

SHA256
ba4c4a936a049d1e37079f50a609746abd298389baa0fd02a305ce52bc70493f

SHA512
fc1d9c7f8340b34284f9b1a720c3568cda41f63fcf065c7de876f54a1b772a86e4d362e572fd4f68a488044814ff5a14001cba1b33dd4e3c5e58238d87bba264

Download Submit
C:\Windows\{769EA581-0D6A-4e55-8499-4B205B4B5FB6}.exe

Filesize
180KB

MD5
e80957101e46dac47048f095361cc792

SHA1
ad670dff18267356fca22e5a3df1f7f1be43e1b4

SHA256
61ad110e759736544b5b72f97774b26866330273f02b9dc57d3ff34d94d29692

SHA512
191eb64f8803ef30a9fa7a94f82679b124c410881ef9261d7b18e09575eb9f14a4753a252ef50b90bd7cd2a65d9176962d6e0ec49ba88d3078672924ac93cbc4

Download Submit
C:\Windows\{A0966E3C-9FB4-4b0c-8C59-6AF5E7B5033F}.exe

Filesize
180KB

MD5
e404162a26d3e14b9a045c561c9585ee

SHA1
e71950373fc6fff0d398253f5e6fd06c052cd014

SHA256
6ff76ac3849fc4bc3aab9059c9668baed4d7aaa8846fe2bcbae4649e75bf30b8

SHA512
dc5d487d0d31f9b5ac94014b046ad42ec5fc6ac4509d1960996272362b3aa4c5ea0f12c3630c6fd3f459e2cbd1fc9cf3b3697cc7ad73bf992208d570b262a1ae

Download Submit
C:\Windows\{C4337CE5-4D70-4343-96C7-58ED89924E99}.exe

Filesize
180KB

MD5
78afddb9756b32aaebd73a6c41fe1c6d

SHA1
fd0f297fb05929c7a61dbce5c01f96076b915ff6

SHA256
2beaa3a5d48944325447b31e088f67b1fa52b54e39d4347c18ad998552a72726

SHA512
788f86e674dc5b2ebfca14d829fe264afc425853103d1bca03b82a36a088cd62031e215c5619789fc882668521eda00cbf666f3fa280eacf6f313bae97c1524f

Download Submit
C:\Windows\{D12F4BC1-F4B1-4119-AC8B-1EA105F02046}.exe

Filesize
180KB

MD5
6325f5aac496491cfefbe624ec7440c5

SHA1
6bab07cc6d4c47bd92eafc9f03a8960b24fcbe41

SHA256
18bd9cecaef9e9a766afd2645b00e194e56f0aacd39b99840d38098c941c15a0

SHA512
a8d9312def9628f1f6fa99b388bb8c13da4b94b7e65964328d56769ddabc235d3be5c8e8c6fe2c90aaef0518137091525b6f41a5ee530d1af638d7fe43a2ae7a

Download Submit
C:\Windows\{D16F39BF-EE46-496b-BB8B-8FC2367375DD}.exe

Filesize
180KB

MD5
c37ee85fefa7506f762f0c48c7fdc901

SHA1
bb215063fda31a6a47d4078991b70a66e96562e2

SHA256
6b2048afd90b944ba3a2b629313423a87bda0555d3ab340df8b1565281e0f597

SHA512
1f65d8f56449889c914df2647e568bb656b98aaac898d545c0a2018d978fef17dc1b29420396cad085b023ac78fd5052b5e67d3aa11c617b8a860d07bfef3c7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads