d3e0d6fa1638b811a57be7fcd16677ab4eab6943ccc847b25d26b08e26502972

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Size

408KB
MD5

9e0d62ab5eaa88ec136d9911b6781a79
SHA1

5ffdb132541bcacff2384ef55fab14980b458122
SHA256

d3e0d6fa1638b811a57be7fcd16677ab4eab6943ccc847b25d26b08e26502972
SHA512

b539a7348d1cff2aa32c1750698f9b780db8e190802bc5df017a14bb58a31796ba4e75c3e881999bec68dbbdb70667f90a400ada264bdbd185a8eba070e0f9e4
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000900000001225c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002600000001529f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015580-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000155ea-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015610-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015be4-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015610-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015bfc-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015dbb-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F257A922-1555-4e20-9103-AD8CC4057713}	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9610E228-5BDF-4cae-87D1-EDADE99E9838}	{F257A922-1555-4e20-9103-AD8CC4057713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9610E228-5BDF-4cae-87D1-EDADE99E9838}\stubpath = "C:\\Windows\\{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe"	{F257A922-1555-4e20-9103-AD8CC4057713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082647D1-1A66-4d3d-B264-4E31E89446BB}	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AC07A0-92AC-4087-945A-9381B97AA388}\stubpath = "C:\\Windows\\{64AC07A0-92AC-4087-945A-9381B97AA388}.exe"	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}\stubpath = "C:\\Windows\\{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe"	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47A6C55D-5183-46d9-8981-DE8C7814DFF2}\stubpath = "C:\\Windows\\{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe"	{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914FC7EE-B209-47e9-A70B-587C4AE7AA60}\stubpath = "C:\\Windows\\{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe"	{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F80429-9B01-403a-8608-572E264CD368}\stubpath = "C:\\Windows\\{93F80429-9B01-403a-8608-572E264CD368}.exe"	{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082647D1-1A66-4d3d-B264-4E31E89446BB}\stubpath = "C:\\Windows\\{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe"	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E13EA77-0E9A-4f0d-A944-4B00221981FF}	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8F82B81-A04A-457b-8C5C-557AE4906B6E}	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F257A922-1555-4e20-9103-AD8CC4057713}\stubpath = "C:\\Windows\\{F257A922-1555-4e20-9103-AD8CC4057713}.exe"	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}\stubpath = "C:\\Windows\\{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe"	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47A6C55D-5183-46d9-8981-DE8C7814DFF2}	{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914FC7EE-B209-47e9-A70B-587C4AE7AA60}	{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F80429-9B01-403a-8608-572E264CD368}	{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E13EA77-0E9A-4f0d-A944-4B00221981FF}\stubpath = "C:\\Windows\\{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe"	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AC07A0-92AC-4087-945A-9381B97AA388}	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}\stubpath = "C:\\Windows\\{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe"	{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8F82B81-A04A-457b-8C5C-557AE4906B6E}\stubpath = "C:\\Windows\\{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe"	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}	{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe
2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe
2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe
1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe
624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe
2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe
1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe
1744	{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe
1804	{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe
2344	{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe
1748	{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe
1236	{93F80429-9B01-403a-8608-572E264CD368}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe	{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe
File created	C:\Windows\{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe	{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe
File created	C:\Windows\{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe
File created	C:\Windows\{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe
File created	C:\Windows\{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe
File created	C:\Windows\{F257A922-1555-4e20-9103-AD8CC4057713}.exe	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe
File created	C:\Windows\{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	{F257A922-1555-4e20-9103-AD8CC4057713}.exe
File created	C:\Windows\{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
File created	C:\Windows\{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe
File created	C:\Windows\{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe
File created	C:\Windows\{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe	{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe
File created	C:\Windows\{93F80429-9B01-403a-8608-572E264CD368}.exe	{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe
Token: SeIncBasePriorityPrivilege	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe
Token: SeIncBasePriorityPrivilege	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe
Token: SeIncBasePriorityPrivilege	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe
Token: SeIncBasePriorityPrivilege	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe
Token: SeIncBasePriorityPrivilege	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe
Token: SeIncBasePriorityPrivilege	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe
Token: SeIncBasePriorityPrivilege	1744	{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe
Token: SeIncBasePriorityPrivilege	1804	{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe
Token: SeIncBasePriorityPrivilege	2344	{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe
Token: SeIncBasePriorityPrivilege	1748	{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3032	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	28
PID 2184 wrote to memory of 3032	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	28
PID 2184 wrote to memory of 3032	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	28
PID 2184 wrote to memory of 3032	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	28
PID 2184 wrote to memory of 2768	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	29
PID 2184 wrote to memory of 2768	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	29
PID 2184 wrote to memory of 2768	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	29
PID 2184 wrote to memory of 2768	2184	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	29
PID 3032 wrote to memory of 2728	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	32
PID 3032 wrote to memory of 2728	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	32
PID 3032 wrote to memory of 2728	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	32
PID 3032 wrote to memory of 2728	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	32
PID 3032 wrote to memory of 2620	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	33
PID 3032 wrote to memory of 2620	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	33
PID 3032 wrote to memory of 2620	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	33
PID 3032 wrote to memory of 2620	3032	{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe	33
PID 2728 wrote to memory of 2972	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	34
PID 2728 wrote to memory of 2972	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	34
PID 2728 wrote to memory of 2972	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	34
PID 2728 wrote to memory of 2972	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	34
PID 2728 wrote to memory of 2360	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	35
PID 2728 wrote to memory of 2360	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	35
PID 2728 wrote to memory of 2360	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	35
PID 2728 wrote to memory of 2360	2728	{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe	35
PID 2972 wrote to memory of 1728	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	36
PID 2972 wrote to memory of 1728	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	36
PID 2972 wrote to memory of 1728	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	36
PID 2972 wrote to memory of 1728	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	36
PID 2972 wrote to memory of 1056	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	37
PID 2972 wrote to memory of 1056	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	37
PID 2972 wrote to memory of 1056	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	37
PID 2972 wrote to memory of 1056	2972	{64AC07A0-92AC-4087-945A-9381B97AA388}.exe	37
PID 1728 wrote to memory of 624	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	39
PID 1728 wrote to memory of 624	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	39
PID 1728 wrote to memory of 624	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	39
PID 1728 wrote to memory of 624	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	39
PID 1728 wrote to memory of 1096	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	38
PID 1728 wrote to memory of 1096	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	38
PID 1728 wrote to memory of 1096	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	38
PID 1728 wrote to memory of 1096	1728	{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe	38
PID 624 wrote to memory of 2036	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	40
PID 624 wrote to memory of 2036	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	40
PID 624 wrote to memory of 2036	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	40
PID 624 wrote to memory of 2036	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	40
PID 624 wrote to memory of 1216	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	41
PID 624 wrote to memory of 1216	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	41
PID 624 wrote to memory of 1216	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	41
PID 624 wrote to memory of 1216	624	{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe	41
PID 2036 wrote to memory of 1732	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	42
PID 2036 wrote to memory of 1732	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	42
PID 2036 wrote to memory of 1732	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	42
PID 2036 wrote to memory of 1732	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	42
PID 2036 wrote to memory of 1656	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	43
PID 2036 wrote to memory of 1656	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	43
PID 2036 wrote to memory of 1656	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	43
PID 2036 wrote to memory of 1656	2036	{F257A922-1555-4e20-9103-AD8CC4057713}.exe	43
PID 1732 wrote to memory of 1744	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	44
PID 1732 wrote to memory of 1744	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	44
PID 1732 wrote to memory of 1744	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	44
PID 1732 wrote to memory of 1744	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	44
PID 1732 wrote to memory of 1828	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	45
PID 1732 wrote to memory of 1828	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	45
PID 1732 wrote to memory of 1828	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	45
PID 1732 wrote to memory of 1828	1732	{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe
  C:\Windows\{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe
    C:\Windows\{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{64AC07A0-92AC-4087-945A-9381B97AA388}.exe
      C:\Windows\{64AC07A0-92AC-4087-945A-9381B97AA388}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe
        
        C:\Windows\{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DDD9~1.EXE > nul
        6⤵
        
        PID:1096
      - C:\Windows\{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe
        
        C:\Windows\{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{F257A922-1555-4e20-9103-AD8CC4057713}.exe
        
        C:\Windows\{F257A922-1555-4e20-9103-AD8CC4057713}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe
        
        C:\Windows\{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe
        
        C:\Windows\{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe
        
        C:\Windows\{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe
        
        C:\Windows\{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe
        
        C:\Windows\{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\{93F80429-9B01-403a-8608-572E264CD368}.exe
        
        C:\Windows\{93F80429-9B01-403a-8608-572E264CD368}.exe
        13⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{914FC~1.EXE > nul
        13⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D38EC~1.EXE > nul
        12⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47A6C~1.EXE > nul
        11⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD6C5~1.EXE > nul
        10⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9610E~1.EXE > nul
        9⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F257A~1.EXE > nul
        8⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8F82~1.EXE > nul
        7⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64AC0~1.EXE > nul
        5⤵
        
        PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E13E~1.EXE > nul
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{08264~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{082647D1-1A66-4d3d-B264-4E31E89446BB}.exe

Filesize
408KB

MD5
a8e8c764f7ecac72dc6d828b5a52831e

SHA1
e55fca1075061c9dc1f77e82ac08a70fd32c9459

SHA256
3a721518864c51f81989190e380b3d2a9634117c672313889ba28ab1ae256a7e

SHA512
77cf21dcb13e0b0cb47bce1472aaab4c7e9f6ceac07fd4f23d2ee30bdaa347f760c76567424d40c8af498328a040e5551f9c2214132a7dc34ee04602d25edb9a

Download Submit
C:\Windows\{0DDD953D-89C0-41f1-AB7B-3B2B9C34B7D4}.exe

Filesize
408KB

MD5
081aec9c9d6bb40ae3a66bd97ddd3dff

SHA1
60d31f60330f9f2249a3ef402c3728d46f006abe

SHA256
931f7f0fc91008640884c0af82cd78e13c9c9c6fece67aeecf30b95e38147bb9

SHA512
407e10b2b58c9a2074752bc819243d54f82e0685ad3454a696023da30a2f7f6ca8f47c140b5bba23fcf01d756bfaa385b40b77aa166b2fd0921f541f164cf5f9

Download Submit
C:\Windows\{3E13EA77-0E9A-4f0d-A944-4B00221981FF}.exe

Filesize
408KB

MD5
82cb104f92c54ff29a01aeb1cfecfa9a

SHA1
78144c93167ab88934cff334241060c907d36c6d

SHA256
6c528d06e01196dec93830ad33f62534ed40ab2de2642dde230b392e025de69d

SHA512
1f389632cc1b390715f67e68ffa57971da41733b291db06a05f8247d9a7e556127f493b83fcf12cd5cf9b204b36f3f6bc305db3f67ef231006aed6ba1b6eeba7

Download Submit
C:\Windows\{47A6C55D-5183-46d9-8981-DE8C7814DFF2}.exe

Filesize
408KB

MD5
3903181145a7f51a8f8c60019064b4a8

SHA1
10bb9da007f3c4d41bc2b212724b59a28bcc71f1

SHA256
3dcc395ac1a46c8617c2d4b1459adfbfa1da735b3933f6ec9390514e1e765520

SHA512
84d0e8b5bf2ea300972457d43651e289dfe825f6f8545475a53e3a0d66d45afbfc51d10d64124402dc8551e2e10b49cedda3b0acf7135cda9a6486ef4997b2ac

Download Submit
C:\Windows\{64AC07A0-92AC-4087-945A-9381B97AA388}.exe

Filesize
408KB

MD5
90a8f980e4ae2d62194c10fffd0d4bfd

SHA1
18e3560e315fec5ff59fafd5401009ece0e83287

SHA256
0e5e1e4bbd15232d2e7622f7078e8cac906aace15e64b08dc8fc898b632a934e

SHA512
352c4f877135406f9381faf11a7c89504d235bc202e372e81f92324d1845ffa9286038913ccce1b1e2f6481c10bcf6f90ecb08e16a6e1fd26db96b561f2fb92b

Download Submit
C:\Windows\{914FC7EE-B209-47e9-A70B-587C4AE7AA60}.exe

Filesize
408KB

MD5
734cc6a6d400fc65f28d32e3a1b16450

SHA1
b4bb25f959213a6814b647ca629184d03fde5e59

SHA256
3d660cd85168f7707ab4a2b9f865061a028c6cfb63ba7fb5f41bfe8732df8990

SHA512
924b3d0836e623b2b45c60b8bc047f2325e17f10cc99c1ac7e352847a4bc0c755dc160c3c590a9bfc4d0dc8a51afa2b8f0b54a36e27feddafc192d1cc7655c71

Download Submit
C:\Windows\{93F80429-9B01-403a-8608-572E264CD368}.exe

Filesize
408KB

MD5
6109512f5250ff2bf02d5aa2a749272c

SHA1
70a672c3bf2229fafdf551de6e824517047949ad

SHA256
6d41d5f381a43323b64292850b23552285130ff9f7ff86ba82464f526555c55c

SHA512
696b8e8c29ee8d395097352686dc3ef90ef076f623c62bf9938ade7111ced49bc28619b6ba2195194e0aec2d7ffb74e12c5ef3ca9ab52655ca418321b4d9eace

Download Submit
C:\Windows\{9610E228-5BDF-4cae-87D1-EDADE99E9838}.exe

Filesize
408KB

MD5
dcbe9bbb1845d75d244ebebb3668fcda

SHA1
1f36eb2bc958e4632b37131edac59c9ec3849867

SHA256
999cd0341060ed003377bb9a85e948393d4506e05d34dff3b1d623231f57d2cd

SHA512
b80785112d0836e5cbd5350899a215f6f737c6fad580da4c183d30a9930c5470a06de6fcea5ae0fee482e45da5c8400432fbc629f0b84b460b8fc0bb4febae7f

Download Submit
C:\Windows\{AD6C528B-5E9A-4f40-BF8C-76D36D85A01A}.exe

Filesize
408KB

MD5
7c7024fb4afb9a64df6c66ca1e24000c

SHA1
9e19c24cbd100d269d5c64b8e495b0a2db274dc0

SHA256
70f796e2230322cb2add97a044e6d641a243de97a16d81e31c95a554dbfa6ca8

SHA512
4ec2c325fa0f2c7cd77112b8d8c6a307cf5716dd6868ebc04f004c6261867be67b946cc4908125a8aa3122284cbd0f05f748a351b160d322f05ff6f7e58cdd9c

Download Submit
C:\Windows\{D38EC8C3-FAB6-40f2-B605-AE5980346EBC}.exe

Filesize
408KB

MD5
c0ee589baed0031c3b512099a71415e5

SHA1
676a41dd90a41b7c72c4dba54d88a7baab469980

SHA256
5bf0b1ebfef249a2af11209e430b2a2f19aa7a355cf1eb9c79848c4ea47b3e8f

SHA512
6e07ddbab53480f40023de40016685ce0286b4612226b7ce7d0469884aa471453585c53f1d8d69903464d15f3996ac704a408c2d9bfa83a6b3f35dfcd1e8625e

Download Submit
C:\Windows\{E8F82B81-A04A-457b-8C5C-557AE4906B6E}.exe

Filesize
408KB

MD5
397d1a84b7a411ba50f60347d7e87c39

SHA1
0969bc1ff302a189e8c17fc3c078b7b98aba2f07

SHA256
5054c97bf11bd565b3db39634a3920721ad66a477294cdbec757e4e1225537d8

SHA512
3de6c0e1487e0abf8184779aaadd13b63f670ac4287eea020611e135c317b837c7ad2a089f9685e3d894484fc958bb60bd52c90025b792aa2728259f572a4707

Download Submit
C:\Windows\{F257A922-1555-4e20-9103-AD8CC4057713}.exe

Filesize
408KB

MD5
3e04deee8378751a67402f9dcefc417e

SHA1
15c62b553261d0fef229d54abb859cd8a2f01ee2

SHA256
40c3db1cd12934d9bbb204cc2d2124055424592eebb40d5d0a83db4a17e55e74

SHA512
7ddb3531d444ddb03dbce18769c5958c9523e3308378d413cce4f24fbee68eda29bc5d592a42ab392333c3b73ce49a86815cc60fee13e9bc093cb19e59f5d63a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads