6e4ed7797a45f70598437e9e02bc2516616dd791ca80c016f63531c246b57af2

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Size

408KB
MD5

42921ce932ac734df4a7e06c9718ad10
SHA1

0ee07b827aa16e65c6f735dd6d3fa2f33682c6e5
SHA256

6e4ed7797a45f70598437e9e02bc2516616dd791ca80c016f63531c246b57af2
SHA512

6b225fb84284ed3a9b16b8613c12c3cead0052ed72eb7c7806a8a52c0dc94487b27c484442ec77a8041c602edf46f80c7bae91e5120e720482a40722019295ec
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGBldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023229-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023236-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023229-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06947DE3-F35E-4306-A288-F82B33E9F651}\stubpath = "C:\\Windows\\{06947DE3-F35E-4306-A288-F82B33E9F651}.exe"	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}	{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48448274-2A42-490c-A860-1C5C215B21D6}	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48448274-2A42-490c-A860-1C5C215B21D6}\stubpath = "C:\\Windows\\{48448274-2A42-490c-A860-1C5C215B21D6}.exe"	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82EC2629-4E00-48ed-9690-A12D993CCB31}	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9767B1C0-A53D-4003-9D34-881B60C3518F}	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06947DE3-F35E-4306-A288-F82B33E9F651}	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}\stubpath = "C:\\Windows\\{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}.exe"	{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}\stubpath = "C:\\Windows\\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe"	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239572A1-B2C2-472c-BAD6-150E46E13FDC}\stubpath = "C:\\Windows\\{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe"	{48448274-2A42-490c-A860-1C5C215B21D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3124959E-336C-43a1-9E04-678C8DD3A603}	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3124959E-336C-43a1-9E04-678C8DD3A603}\stubpath = "C:\\Windows\\{3124959E-336C-43a1-9E04-678C8DD3A603}.exe"	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9767B1C0-A53D-4003-9D34-881B60C3518F}\stubpath = "C:\\Windows\\{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe"	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0D928A9-D423-4100-AFA4-4C5FB354699D}\stubpath = "C:\\Windows\\{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe"	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}\stubpath = "C:\\Windows\\{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe"	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82EC2629-4E00-48ed-9690-A12D993CCB31}\stubpath = "C:\\Windows\\{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe"	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}\stubpath = "C:\\Windows\\{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe"	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0D928A9-D423-4100-AFA4-4C5FB354699D}	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239572A1-B2C2-472c-BAD6-150E46E13FDC}	{48448274-2A42-490c-A860-1C5C215B21D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}\stubpath = "C:\\Windows\\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe"	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe
772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe
4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe
4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe
3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe
3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe
4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe
3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe
3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe
1520	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe
1308	{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe
4896	{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe
File created	C:\Windows\{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}.exe	{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe
File created	C:\Windows\{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe	{48448274-2A42-490c-A860-1C5C215B21D6}.exe
File created	C:\Windows\{3124959E-336C-43a1-9E04-678C8DD3A603}.exe	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe
File created	C:\Windows\{06947DE3-F35E-4306-A288-F82B33E9F651}.exe	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe
File created	C:\Windows\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe
File created	C:\Windows\{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe
File created	C:\Windows\{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe
File created	C:\Windows\{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe
File created	C:\Windows\{48448274-2A42-490c-A860-1C5C215B21D6}.exe	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
File created	C:\Windows\{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe
File created	C:\Windows\{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3736	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe
Token: SeIncBasePriorityPrivilege	772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe
Token: SeIncBasePriorityPrivilege	4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe
Token: SeIncBasePriorityPrivilege	4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe
Token: SeIncBasePriorityPrivilege	3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe
Token: SeIncBasePriorityPrivilege	3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe
Token: SeIncBasePriorityPrivilege	4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe
Token: SeIncBasePriorityPrivilege	3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe
Token: SeIncBasePriorityPrivilege	3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe
Token: SeIncBasePriorityPrivilege	1520	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe
Token: SeIncBasePriorityPrivilege	1308	{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 1828	3736	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	97
PID 3736 wrote to memory of 1828	3736	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	97
PID 3736 wrote to memory of 1828	3736	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	97
PID 3736 wrote to memory of 2104	3736	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	98
PID 3736 wrote to memory of 2104	3736	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	98
PID 3736 wrote to memory of 2104	3736	2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe	98
PID 1828 wrote to memory of 772	1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe	99
PID 1828 wrote to memory of 772	1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe	99
PID 1828 wrote to memory of 772	1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe	99
PID 1828 wrote to memory of 2044	1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe	100
PID 1828 wrote to memory of 2044	1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe	100
PID 1828 wrote to memory of 2044	1828	{48448274-2A42-490c-A860-1C5C215B21D6}.exe	100
PID 772 wrote to memory of 4712	772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe	102
PID 772 wrote to memory of 4712	772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe	102
PID 772 wrote to memory of 4712	772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe	102
PID 772 wrote to memory of 4320	772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe	103
PID 772 wrote to memory of 4320	772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe	103
PID 772 wrote to memory of 4320	772	{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe	103
PID 4712 wrote to memory of 4276	4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe	104
PID 4712 wrote to memory of 4276	4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe	104
PID 4712 wrote to memory of 4276	4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe	104
PID 4712 wrote to memory of 3672	4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe	105
PID 4712 wrote to memory of 3672	4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe	105
PID 4712 wrote to memory of 3672	4712	{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe	105
PID 4276 wrote to memory of 3644	4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe	106
PID 4276 wrote to memory of 3644	4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe	106
PID 4276 wrote to memory of 3644	4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe	106
PID 4276 wrote to memory of 260	4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe	107
PID 4276 wrote to memory of 260	4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe	107
PID 4276 wrote to memory of 260	4276	{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe	107
PID 3644 wrote to memory of 3572	3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe	108
PID 3644 wrote to memory of 3572	3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe	108
PID 3644 wrote to memory of 3572	3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe	108
PID 3644 wrote to memory of 1588	3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe	109
PID 3644 wrote to memory of 1588	3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe	109
PID 3644 wrote to memory of 1588	3644	{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe	109
PID 3572 wrote to memory of 4676	3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe	110
PID 3572 wrote to memory of 4676	3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe	110
PID 3572 wrote to memory of 4676	3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe	110
PID 3572 wrote to memory of 1500	3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe	111
PID 3572 wrote to memory of 1500	3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe	111
PID 3572 wrote to memory of 1500	3572	{3124959E-336C-43a1-9E04-678C8DD3A603}.exe	111
PID 4676 wrote to memory of 3456	4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe	112
PID 4676 wrote to memory of 3456	4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe	112
PID 4676 wrote to memory of 3456	4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe	112
PID 4676 wrote to memory of 2332	4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe	113
PID 4676 wrote to memory of 2332	4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe	113
PID 4676 wrote to memory of 2332	4676	{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe	113
PID 3456 wrote to memory of 3796	3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe	115
PID 3456 wrote to memory of 3796	3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe	115
PID 3456 wrote to memory of 3796	3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe	115
PID 3456 wrote to memory of 4628	3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe	114
PID 3456 wrote to memory of 4628	3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe	114
PID 3456 wrote to memory of 4628	3456	{06947DE3-F35E-4306-A288-F82B33E9F651}.exe	114
PID 3796 wrote to memory of 1520	3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe	116
PID 3796 wrote to memory of 1520	3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe	116
PID 3796 wrote to memory of 1520	3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe	116
PID 3796 wrote to memory of 4088	3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe	117
PID 3796 wrote to memory of 4088	3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe	117
PID 3796 wrote to memory of 4088	3796	{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe	117
PID 1520 wrote to memory of 1308	1520	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe	118
PID 1520 wrote to memory of 1308	1520	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe	118
PID 1520 wrote to memory of 1308	1520	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe	118
PID 1520 wrote to memory of 4548	1520	{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_42921ce932ac734df4a7e06c9718ad10_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\{48448274-2A42-490c-A860-1C5C215B21D6}.exe
  C:\Windows\{48448274-2A42-490c-A860-1C5C215B21D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe
    C:\Windows\{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe
      C:\Windows\{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Windows\{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe
        
        C:\Windows\{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe
        
        C:\Windows\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\{3124959E-336C-43a1-9E04-678C8DD3A603}.exe
        
        C:\Windows\{3124959E-336C-43a1-9E04-678C8DD3A603}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe
        
        C:\Windows\{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{06947DE3-F35E-4306-A288-F82B33E9F651}.exe
        
        C:\Windows\{06947DE3-F35E-4306-A288-F82B33E9F651}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06947~1.EXE > nul
        10⤵
        
        PID:4628
        
        C:\Windows\{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe
        
        C:\Windows\{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe
        
        C:\Windows\{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe
        
        C:\Windows\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}.exe
        
        C:\Windows\{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}.exe
        13⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CEB2~1.EXE > nul
        13⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD80~1.EXE > nul
        12⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0D92~1.EXE > nul
        11⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9767B~1.EXE > nul
        9⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31249~1.EXE > nul
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D085E~1.EXE > nul
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{979DA~1.EXE > nul
        6⤵
        
        PID:260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82EC2~1.EXE > nul
        5⤵
        
        PID:3672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{23957~1.EXE > nul
      4⤵
      PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{48448~1.EXE > nul
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06947DE3-F35E-4306-A288-F82B33E9F651}.exe

Filesize
408KB

MD5
96f1e42aa40994acb094eef5b9b7122d

SHA1
6a829d046ece66af0df8960b0cfe83e08e06ff54

SHA256
866de5da71e6bf750767fabad2a40d423afb7910200eb1710cc0a9b188aa2fc9

SHA512
06f568d8d9b95030ed9898227554c837450b935a5ff0bbfe2e578cce0d60d6642fcba7ae9347b6a1e03ddafe87fb8bf5ffa20fdb8d4a1fdaf35bb638caf5e10c

Download Submit
C:\Windows\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe

Filesize
256KB

MD5
47e8c4c79ea08f883814bdc8c51d3316

SHA1
e1985b9376f56b51ddbd0bc0e27919b910d843c1

SHA256
36525a1f43e2c47f5abc309e97fbcd1621ff0fb1e3b3c6230ea38e6b1142e103

SHA512
157d2e2c39a4c5812a933e16c8a34f20eaa5e6cd991f0d120b26116ff2a070419a1a66cb1c65d59bfdfde9356f93d83c032276ce6d193a06eb6896886fa51c85

Download Submit
C:\Windows\{0CEB29B9-1D26-4c49-8649-D67BCAA041A9}.exe

Filesize
128KB

MD5
2f392f2c8d258fd07a011e13adb9ef64

SHA1
0cae2c6e576c83156034fa17c4eb79ef30b95f05

SHA256
90453a1d419dee87b3783dfe59462f26f6c586e0b32dff5f69fc2d094c99e2f0

SHA512
99a7af81f62cf2d12a6179afb8c51a99de362fae2c2dec91b031f3649198cddbe8d036abb14470056ce63b0a0bf7338fb945d434724293fd3bce906be70e1bb7

Download Submit
C:\Windows\{239572A1-B2C2-472c-BAD6-150E46E13FDC}.exe

Filesize
408KB

MD5
bdbc08c8ca3adda3c4827a90757e5731

SHA1
ca54492e6b9141449dca13c831d440492d7fbd5e

SHA256
81dd1aed65fcf24c300c00880bdd3951ad2003b769193bbc15b1e20f30389e85

SHA512
ee29eb1c15582ea22d3132edd0f0f2f05ee5877b978bc46434c9f52114b6d5081f9ef7ab4dfa70fe60fc07ca6ac8b3adb9748c842c7cf6915c8f43d363c14743

Download Submit
C:\Windows\{3124959E-336C-43a1-9E04-678C8DD3A603}.exe

Filesize
408KB

MD5
0cf469a8ca1ea215b466d836298ee7e4

SHA1
d122682a16156c34a4e120a58cb6476634bf91fb

SHA256
b62094b6fb4d6722e62a4341df0b06c613de6c40e88353a17662bb81fac87b86

SHA512
78a86c367ae8ebf41bccdca16cad5c8f015ef5e7cbef10d03c28bf4d087e98619b30f4f79f90a1874da7b23866f86d9f47e8ff1c224a7379c4e4274fbdfd8815

Download Submit
C:\Windows\{48448274-2A42-490c-A860-1C5C215B21D6}.exe

Filesize
408KB

MD5
45a1e3f92d613de6e50693c53a07659b

SHA1
299936cc4db61e56d4263099e3019ad7b57cbaa9

SHA256
9371f2182f32b5be893098f01b97dce633dea97ecd9fa775dbcee20e9ee06b25

SHA512
77567cddc7bae239baf6b770dcfbae360f7b2736bb967ccd921f773a45dea12c7aa706802e54a22523863ebde3d91b7f61b7d32992a51a6e1705c208e1a5c8fc

Download Submit
C:\Windows\{82EC2629-4E00-48ed-9690-A12D993CCB31}.exe

Filesize
408KB

MD5
c7a328f7f183e35176789cdf0dce307f

SHA1
923ec6647359b0f4c5f10af3f67a8f7004870089

SHA256
5e75ad7b9443010b15984b4c26b9d3cfba7c932897e60cb7a5b2e07f5f2eb619

SHA512
eb8edc89362c280de3db16c934f5da358c42e773e2f4a369dda5d604957a6aabdb16dd0680d768cb4769a082a127f8ae1ff19de4f6ebbfd8430efc6c49c11631

Download Submit
C:\Windows\{9767B1C0-A53D-4003-9D34-881B60C3518F}.exe

Filesize
408KB

MD5
7ccab6a499cd70a9670dbc169b59cdca

SHA1
bce5089de6bc1f36f6773e3ebd98a86c8c123982

SHA256
ff38b08fb958ab62153020eceea6c6371d260d3999f82380d45c8ea7716b1533

SHA512
f2b28d4d2d640f02a2488bd6759f0034efed0e928c2a74e69545b93038179b550ba412c89a0c480b870248788c7d621fe24421329d088929b2270ec6bafc9810

Download Submit
C:\Windows\{979DA0FA-B91A-4efc-822F-60D51D4CFA6D}.exe

Filesize
408KB

MD5
e9b0d8f7f4e0ab96449fea3750970936

SHA1
ad1369f5ff0358a78321ddb4f91065d0a2a6f67d

SHA256
96e17d454abc7f6ca8085862b77c747ddac8485bf882c948d09a177ebc826f5f

SHA512
97a02cee55700ee5638561c68d9f20f73c9455daa9a18c319deb6427b59ac74bd4bbfe1a556b129e50ff1dba5a98cbbf96cf7f31a73ef249931eed2c649ca141

Download Submit
C:\Windows\{AAF0F682-65B5-4d73-A0C1-4EE8BD4820F5}.exe

Filesize
408KB

MD5
1533f9293aa60c6628763f66eb525691

SHA1
dfdff0687486b5f356435294e2fb78c2ed60bf5d

SHA256
a5db70553ee637d68232b4484fcebfb096ff2866edcc65f61bb9584abbcf29c7

SHA512
04b046381571f6b5be15ca9e976b1637d1b7e4daf8e591541961daf3f442e35dca0fc263b9f2bf8c1368c49bcbc32961e45d0e297d14a778518b65cbb9e38b75

Download Submit
C:\Windows\{ADD80F9D-CEFF-42a0-AA82-17CB144A9E3A}.exe

Filesize
408KB

MD5
94442119c9c274b8754f1542d7538fb2

SHA1
5a67b950279fb976a8369d5b8b681dddbf7f3b1a

SHA256
2a4e371c5a4263ecb9de16334d538452a0d765ef28e3999e7899f81e5e38f12e

SHA512
4a2efb2accf6cc350d13e311be882b738e4969c857b4bc52a1929b927d95a08fed251bbdb6e69e0a2485befb9121e058b20747c2036e46eaf2ebd3f281e92c14

Download Submit
C:\Windows\{B0D928A9-D423-4100-AFA4-4C5FB354699D}.exe

Filesize
408KB

MD5
de2fd6aed5d73f3cf23b01deff287d43

SHA1
bceea62cec0b4114df901a31394c61e6d6c18bc4

SHA256
dc5a068b9f80ec666efc860a36e9f583283820684c0ddbc81003d68350de90a8

SHA512
31059ba2e0f6c7b2b589596548ef1a0492852356404ec410dab34a8b9faa7df1e4809ec9eed2dbea02449503608c636cefbd5be29beab99e5949a24650fd67b8

Download Submit
C:\Windows\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe

Filesize
47KB

MD5
d12f46066e4d3fcdde9880f6c0c45e4c

SHA1
901f968f6edff8a6b69c4a135349e8663d087d73

SHA256
29343553f72def42fbc497a38507881046362faa9ba9e6eca702353b0bfc0073

SHA512
2996fe3533d6b609ddd75fa98aeb312e9acc587f2aa81f777399a9a50d60b10f6184bc68d9a8ce6e36cae34e8f6f1f7582faf56743faf2d22d415958bd0730cd

Download Submit
C:\Windows\{D085EC49-9CB0-4ad0-BFDD-03C62C06EFC3}.exe

Filesize
14KB

MD5
1351624a7089afb2714e7eccf2f9a00c

SHA1
cf207c56d4641ef41995472ee48a6f978a437bf6

SHA256
9be467322d3546fc5356cc9f5037e427b7e8e3e437b3ac0464674803c7c67ce1

SHA512
9d63026591584291c4c72b9604a6a9e784564f606750828af4aa836fd27f9ac495808662bbd08ff7ffd2866b6c2c02ee3c8a556b2fe26e3fd1d3fdfe0e69fc0e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads