25dc3bb4893ab9b796c473694ab4ffc1df973134f33c8725452b20b44693306d

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe
Size

180KB
MD5

ac1116f298dfcdc033f2ecafd0f6a5e2
SHA1

10353a1796232f543a359dcc606379d3ad46b702
SHA256

25dc3bb4893ab9b796c473694ab4ffc1df973134f33c8725452b20b44693306d
SHA512

a0069b570cc21492ffeb4ca27c9f93496bebfb9de8a5fea2c57db6ce7db380337ebde7226f63ba610a7a0d3bd5e9d851385531c3d573288695fffe12f5fed0b1
SSDEEP

3072:jEGh0oulfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGsl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122db-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000142e4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122db-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F48B4E-1CC9-4a68-B681-59533FAC034B}	{A37322CF-73E8-470e-AEB6-045590E47200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F48B4E-1CC9-4a68-B681-59533FAC034B}\stubpath = "C:\\Windows\\{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe"	{A37322CF-73E8-470e-AEB6-045590E47200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36866643-6675-48ac-A9D8-DC14ADB5938C}\stubpath = "C:\\Windows\\{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe"	{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CEBE409-9F1C-4759-8A6E-FE01A0679391}	{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5DE9F6-0481-4506-9CD2-40E784297C19}\stubpath = "C:\\Windows\\{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe"	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A5D01C-1F16-4bf1-A709-88B4AAE49868}\stubpath = "C:\\Windows\\{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe"	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{151587B8-BE32-420a-B72E-4519AC6B34BB}	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}\stubpath = "C:\\Windows\\{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe"	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E75987-3E60-4ff6-B262-276FD6CD470F}	{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97E75987-3E60-4ff6-B262-276FD6CD470F}\stubpath = "C:\\Windows\\{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe"	{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}	{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CEBE409-9F1C-4759-8A6E-FE01A0679391}\stubpath = "C:\\Windows\\{7CEBE409-9F1C-4759-8A6E-FE01A0679391}.exe"	{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA485D64-4D6C-4498-80C4-95449A34963E}	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{151587B8-BE32-420a-B72E-4519AC6B34BB}\stubpath = "C:\\Windows\\{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe"	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37322CF-73E8-470e-AEB6-045590E47200}	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37322CF-73E8-470e-AEB6-045590E47200}\stubpath = "C:\\Windows\\{A37322CF-73E8-470e-AEB6-045590E47200}.exe"	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A5D01C-1F16-4bf1-A709-88B4AAE49868}	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}\stubpath = "C:\\Windows\\{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe"	{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36866643-6675-48ac-A9D8-DC14ADB5938C}	{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA485D64-4D6C-4498-80C4-95449A34963E}\stubpath = "C:\\Windows\\{BA485D64-4D6C-4498-80C4-95449A34963E}.exe"	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5DE9F6-0481-4506-9CD2-40E784297C19}	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}\stubpath = "C:\\Windows\\{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe"	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe

Deletes itself 1 IoCs

pid	Process
1468	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe
2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe
2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe
824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe
2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe
2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe
884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe
2372	{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe
1464	{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe
1288	{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe
3016	{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe
440	{7CEBE409-9F1C-4759-8A6E-FE01A0679391}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe
File created	C:\Windows\{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe
File created	C:\Windows\{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe	{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe
File created	C:\Windows\{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe	{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe
File created	C:\Windows\{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe	{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe
File created	C:\Windows\{7CEBE409-9F1C-4759-8A6E-FE01A0679391}.exe	{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe
File created	C:\Windows\{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe
File created	C:\Windows\{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe
File created	C:\Windows\{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe
File created	C:\Windows\{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe
File created	C:\Windows\{A37322CF-73E8-470e-AEB6-045590E47200}.exe	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe
File created	C:\Windows\{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe	{A37322CF-73E8-470e-AEB6-045590E47200}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe
Token: SeIncBasePriorityPrivilege	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe
Token: SeIncBasePriorityPrivilege	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe
Token: SeIncBasePriorityPrivilege	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe
Token: SeIncBasePriorityPrivilege	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe
Token: SeIncBasePriorityPrivilege	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe
Token: SeIncBasePriorityPrivilege	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe
Token: SeIncBasePriorityPrivilege	2372	{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe
Token: SeIncBasePriorityPrivilege	1464	{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe
Token: SeIncBasePriorityPrivilege	1288	{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe
Token: SeIncBasePriorityPrivilege	3016	{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2440	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	28
PID 1280 wrote to memory of 2440	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	28
PID 1280 wrote to memory of 2440	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	28
PID 1280 wrote to memory of 2440	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	28
PID 1280 wrote to memory of 1468	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	29
PID 1280 wrote to memory of 1468	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	29
PID 1280 wrote to memory of 1468	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	29
PID 1280 wrote to memory of 1468	1280	2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe	29
PID 2440 wrote to memory of 2584	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	30
PID 2440 wrote to memory of 2584	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	30
PID 2440 wrote to memory of 2584	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	30
PID 2440 wrote to memory of 2584	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	30
PID 2440 wrote to memory of 2736	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	31
PID 2440 wrote to memory of 2736	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	31
PID 2440 wrote to memory of 2736	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	31
PID 2440 wrote to memory of 2736	2440	{BA485D64-4D6C-4498-80C4-95449A34963E}.exe	31
PID 2584 wrote to memory of 2580	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	33
PID 2584 wrote to memory of 2580	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	33
PID 2584 wrote to memory of 2580	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	33
PID 2584 wrote to memory of 2580	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	33
PID 2584 wrote to memory of 2620	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	34
PID 2584 wrote to memory of 2620	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	34
PID 2584 wrote to memory of 2620	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	34
PID 2584 wrote to memory of 2620	2584	{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe	34
PID 2580 wrote to memory of 824	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	36
PID 2580 wrote to memory of 824	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	36
PID 2580 wrote to memory of 824	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	36
PID 2580 wrote to memory of 824	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	36
PID 2580 wrote to memory of 2792	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	37
PID 2580 wrote to memory of 2792	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	37
PID 2580 wrote to memory of 2792	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	37
PID 2580 wrote to memory of 2792	2580	{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe	37
PID 824 wrote to memory of 2920	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	38
PID 824 wrote to memory of 2920	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	38
PID 824 wrote to memory of 2920	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	38
PID 824 wrote to memory of 2920	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	38
PID 824 wrote to memory of 368	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	39
PID 824 wrote to memory of 368	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	39
PID 824 wrote to memory of 368	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	39
PID 824 wrote to memory of 368	824	{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe	39
PID 2920 wrote to memory of 2028	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	41
PID 2920 wrote to memory of 2028	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	41
PID 2920 wrote to memory of 2028	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	41
PID 2920 wrote to memory of 2028	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	41
PID 2920 wrote to memory of 1016	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	40
PID 2920 wrote to memory of 1016	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	40
PID 2920 wrote to memory of 1016	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	40
PID 2920 wrote to memory of 1016	2920	{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe	40
PID 2028 wrote to memory of 884	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	42
PID 2028 wrote to memory of 884	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	42
PID 2028 wrote to memory of 884	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	42
PID 2028 wrote to memory of 884	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	42
PID 2028 wrote to memory of 2564	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	43
PID 2028 wrote to memory of 2564	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	43
PID 2028 wrote to memory of 2564	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	43
PID 2028 wrote to memory of 2564	2028	{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe	43
PID 884 wrote to memory of 2372	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	44
PID 884 wrote to memory of 2372	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	44
PID 884 wrote to memory of 2372	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	44
PID 884 wrote to memory of 2372	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	44
PID 884 wrote to memory of 1556	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	45
PID 884 wrote to memory of 1556	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	45
PID 884 wrote to memory of 1556	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	45
PID 884 wrote to memory of 1556	884	{A37322CF-73E8-470e-AEB6-045590E47200}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_ac1116f298dfcdc033f2ecafd0f6a5e2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\{BA485D64-4D6C-4498-80C4-95449A34963E}.exe
  C:\Windows\{BA485D64-4D6C-4498-80C4-95449A34963E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe
    C:\Windows\{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe
      C:\Windows\{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe
        
        C:\Windows\{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
      - C:\Windows\{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe
        
        C:\Windows\{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15158~1.EXE > nul
        7⤵
        
        PID:1016
        
        C:\Windows\{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe
        
        C:\Windows\{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{A37322CF-73E8-470e-AEB6-045590E47200}.exe
        
        C:\Windows\{A37322CF-73E8-470e-AEB6-045590E47200}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe
        
        C:\Windows\{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe
        
        C:\Windows\{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe
        
        C:\Windows\{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B5F~1.EXE > nul
        12⤵
        
        PID:536
        
        C:\Windows\{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe
        
        C:\Windows\{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{7CEBE409-9F1C-4759-8A6E-FE01A0679391}.exe
        
        C:\Windows\{7CEBE409-9F1C-4759-8A6E-FE01A0679391}.exe
        13⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36866~1.EXE > nul
        13⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97E75~1.EXE > nul
        11⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41F48~1.EXE > nul
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3732~1.EXE > nul
        9⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB34~1.EXE > nul
        8⤵
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A5D~1.EXE > nul
        6⤵
        
        PID:368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B81A~1.EXE > nul
        5⤵
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EA5DE~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BA485~1.EXE > nul
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{151587B8-BE32-420a-B72E-4519AC6B34BB}.exe

Filesize
180KB

MD5
3d1ec6a1ad8ff587e1370eb7372d9b3a

SHA1
30ed733717d686f17e80d90ee734554d251b1e85

SHA256
a584bbd1ebdb82d1cf6d4713452800aa63fcea3e87526c64015912905fc10005

SHA512
c95ef7e11587a20f20c879c8ea8647049d5a786429f9766c79c18dc140f5cb47eec72f7acd0fa7718a02bc66bd6fc32f9bb1ae09c3efeb64a65bc3e39282adc8

Download Submit
C:\Windows\{2B81A9CC-61AA-4c95-9C4A-464750D14FE9}.exe

Filesize
180KB

MD5
4e5f3e046927273b1c8f05cc02707888

SHA1
04745a9bbe750a3c3e76b3f61aaeb8f9927d6e60

SHA256
81715fe8ea230624c38fff7b89ade9e42dc01223656fc007fb5679f7ba99a92d

SHA512
25d5dfbbbf1a1aa993b973512ad6fed56f41e09b5ff7bf89e0a0c515271250751b92d8786af9b376c67a5da9befc39a31c3df7f7056334e4d1613fa3a31bad0e

Download Submit
C:\Windows\{36866643-6675-48ac-A9D8-DC14ADB5938C}.exe

Filesize
180KB

MD5
b12a393cf236ca4688022e1d1cbc4082

SHA1
fb038877e225d44b1f10972ba6425e6ddbeeed6a

SHA256
fb777983921a174fc4541acc99c35cc567d4596debec8371fb35f5f43142bcc4

SHA512
dc08e5087c8e25ab524d72b7d2c2df35294f3e795a04ff59bacaf5007796164b7a3379c78ace1387bb5a1b1a77a7ae434f37940086c1b89bd2bb859d0b28201c

Download Submit
C:\Windows\{3EB34123-7FBE-4ebb-AE6A-73DA9C469F80}.exe

Filesize
180KB

MD5
ce28bc6302056004b11d8a88091b5f71

SHA1
4888bf492c1474e0a8c7ff6bcb004f041c52ef02

SHA256
24f4110b872cf1aaec1c236f2f6cfe9946e3eb9754dbb929b850614b5a0065f6

SHA512
84a572b9c15d7d29bb1a01724006f694170fd91cdcb2be0e6175849114385af5fd05a9a231fc1a984d0e66d29ca92342903d8d97a6076a489d7f49cce550778a

Download Submit
C:\Windows\{41F48B4E-1CC9-4a68-B681-59533FAC034B}.exe

Filesize
180KB

MD5
bf2a80403aef90a7a975a73eae2e4ac0

SHA1
2ea92bc74f3f61b64a4b07a1c46e24198d152672

SHA256
5e52d0af085d7d1af292bbcb6634b5397da8eb1a87b3b9b17489cfd18341b0b3

SHA512
30bb49a499f4b7653d79a4dcedfc4a38a497d8c7f2764342b38edc1273d72d0c051c91da239dd65a70c5bd516a03310fad541d62aaede39bf50b48a540845c8b

Download Submit
C:\Windows\{71A5D01C-1F16-4bf1-A709-88B4AAE49868}.exe

Filesize
180KB

MD5
7ab1f7ffbc3681ad81234578e5d92f4f

SHA1
03434a40139355d8bb2b4e913e900fa0e1e67734

SHA256
aeb5d9f9c61fca2889feecd6d5208d8e6754c52c47286acee8f854b21db231aa

SHA512
9de61dc7248769c24066841c7a4175f24ff92dfce1e09ff929c7f6a999f70d168d35f17460b38f730a111e4e42f80a0c98c8cb7552fb5f300e7086f41b8acfd7

Download Submit
C:\Windows\{7CEBE409-9F1C-4759-8A6E-FE01A0679391}.exe

Filesize
180KB

MD5
50837c7e57c3c9bf803e9e8919c393a3

SHA1
36d6320bbfac960570ccc202eb8ad74b48288cf5

SHA256
2260395302f250c99356ee59e1cd702aaac5b050bac5af6393632657f96da0b9

SHA512
3fac634d5abf3f722c3d2ba262e6dc1cb2c8e8abb1b7fe38589803f5652e7cc144c5b0bf903a3407629d1edb850dd58c263e87f957c7d428532dabda42aceadb

Download Submit
C:\Windows\{97E75987-3E60-4ff6-B262-276FD6CD470F}.exe

Filesize
180KB

MD5
84e969113b29c95ba01fea81e8c30db9

SHA1
ef4f19cc1745113fca61158bbd667c8b9ce4a40a

SHA256
ed89038da0ffdfc72ea3a8dfb8e3ca0226e855a6096de47e4c02182f81ae3306

SHA512
9507303cf3418e1f4b55b5dfc20eae8088e6cff36084db3607d6198fb5ef8bd4d4c663044ecb582d1c40b0b1ec8265e60af068dc8b11129fb2294fc3af2a95b8

Download Submit
C:\Windows\{A37322CF-73E8-470e-AEB6-045590E47200}.exe

Filesize
180KB

MD5
9790540305fcd400f8badd77f2c6037f

SHA1
453eab1cab96c88dc0e8d8f7343fee42a15846a8

SHA256
25f8992d33f2ed33523c44e224c641a605c7fd02ba7749da6d62d8e8d1b7d28a

SHA512
8f153dc3ad63460d7d94be7bd5dd948fc1f5a28179d6f3311caf245edf3eb8b580de3b1cc3608df8d397f7ca03e21ba9306690d11f60144227b6313f5ed442c1

Download Submit
C:\Windows\{BA485D64-4D6C-4498-80C4-95449A34963E}.exe

Filesize
180KB

MD5
5506ecab7a55a4242862f7a0a898c145

SHA1
e7336675e97b39a111378b9886cf89affb638e8b

SHA256
689e733cec8d52ca4d29cdff27a90045d8e75fb4a7e0e6b6b8dd2892e2705cc2

SHA512
a5bd59a3b8ffe4bc916cccd29876e4ed075055081c3af10f9bae24e39fe8fa70b3142e91472d42e8fd49efda2386fbdafd40aefc89f9c1cb853277bf4eb40854

Download Submit
C:\Windows\{E7B5FA1A-B7F1-4b37-BE72-CF4C98B6FD52}.exe

Filesize
180KB

MD5
9b495c6cd1e9d9b5a4b188359723b8d7

SHA1
7363f124cfb25ae0dc067119e6e8f97df584c2d2

SHA256
9ef0d465377abc945d3b9cbbb64fb52f63994da77ee42b6205892bcc7aba4a3d

SHA512
c25b964f91bcaace9a945242d9de8ed81846474dceef652346fc8edd3964217403c7d59ff6a32184d6919649a63f4544d3348efabd5b653056d81c2c077c59b9

Download Submit
C:\Windows\{EA5DE9F6-0481-4506-9CD2-40E784297C19}.exe

Filesize
180KB

MD5
68f127f6036ca45c9b4240d802964940

SHA1
476d5daaeb5ff9bc99020334861a84f436e394f8

SHA256
26e533b1012538b858419f00d946ef258265bd6a5383b346c611cd1232c8cec5

SHA512
a3c2cae83771663790b233c33e5df7fb9a8fdf914915dc2fc1547bd6cb4fff3cb5b6b42b3c4908cf706bc235debd5d21a517f284d58e17c8507adc05a7d6da65

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads