489e6e867522af4bbb5feb033f7081ec433d5a5d132fa59409247a9cc7361d98

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 15:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe
Size

197KB
MD5

97ce071f4c4dd2bc1fe64af47d2850ab
SHA1

ddae7d486d4d83117da7856769b21055c1f5efa1
SHA256

489e6e867522af4bbb5feb033f7081ec433d5a5d132fa59409247a9cc7361d98
SHA512

353b43a6c5340152d68fb3a28d8f9a6260fa814bfd2c1b81cb1c4e5cda1ecf0281afaa65400dcdea06916e0efc0d0e0cb069663ef2fcb110969fb06de64cdca8
SSDEEP

3072:jEGh0oOl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGclEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e7bf-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023143-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023143-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021681-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}\stubpath = "C:\\Windows\\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe"	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{917FC679-D1B1-455f-9AF6-C183D38D598A}\stubpath = "C:\\Windows\\{917FC679-D1B1-455f-9AF6-C183D38D598A}.exe"	{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3CCC91E-6F9C-4f41-B421-F8C83C634741}	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5161F7B5-302A-4301-9647-C60595273545}	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E07D1DAF-E050-42a8-BED5-AADFFA06300E}	{5161F7B5-302A-4301-9647-C60595273545}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E07D1DAF-E050-42a8-BED5-AADFFA06300E}\stubpath = "C:\\Windows\\{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe"	{5161F7B5-302A-4301-9647-C60595273545}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB27FD72-8730-4070-9024-2B6230828CD4}	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60AA74D1-E2D8-44f6-B897-EC364575B2AB}	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57FF84D-656C-422b-9329-7243CFB2F4C3}	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA554212-2AE5-4d73-954F-5A90C404F681}	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5161F7B5-302A-4301-9647-C60595273545}\stubpath = "C:\\Windows\\{5161F7B5-302A-4301-9647-C60595273545}.exe"	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76D80B8F-3EC3-42fe-8804-76A159D524F6}	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1B7E28-0938-4995-A09F-65A7DDFF0788}\stubpath = "C:\\Windows\\{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe"	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D1E138-97F0-45e5-B74A-D0D43C82D511}	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D1E138-97F0-45e5-B74A-D0D43C82D511}\stubpath = "C:\\Windows\\{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe"	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA554212-2AE5-4d73-954F-5A90C404F681}\stubpath = "C:\\Windows\\{DA554212-2AE5-4d73-954F-5A90C404F681}.exe"	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76D80B8F-3EC3-42fe-8804-76A159D524F6}\stubpath = "C:\\Windows\\{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe"	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{917FC679-D1B1-455f-9AF6-C183D38D598A}	{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57FF84D-656C-422b-9329-7243CFB2F4C3}\stubpath = "C:\\Windows\\{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe"	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3CCC91E-6F9C-4f41-B421-F8C83C634741}\stubpath = "C:\\Windows\\{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe"	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB27FD72-8730-4070-9024-2B6230828CD4}\stubpath = "C:\\Windows\\{BB27FD72-8730-4070-9024-2B6230828CD4}.exe"	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1B7E28-0938-4995-A09F-65A7DDFF0788}	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60AA74D1-E2D8-44f6-B897-EC364575B2AB}\stubpath = "C:\\Windows\\{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe"	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe

Executes dropped EXE 12 IoCs

pid	Process
416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe
3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe
2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe
4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe
3248	{5161F7B5-302A-4301-9647-C60595273545}.exe
2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe
1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe
4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe
4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe
2504	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe
4244	{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe
1096	{917FC679-D1B1-455f-9AF6-C183D38D598A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe
File created	C:\Windows\{DA554212-2AE5-4d73-954F-5A90C404F681}.exe	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe
File created	C:\Windows\{5161F7B5-302A-4301-9647-C60595273545}.exe	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe
File created	C:\Windows\{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe	{5161F7B5-302A-4301-9647-C60595273545}.exe
File created	C:\Windows\{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe
File created	C:\Windows\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe
File created	C:\Windows\{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe
File created	C:\Windows\{917FC679-D1B1-455f-9AF6-C183D38D598A}.exe	{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe
File created	C:\Windows\{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe
File created	C:\Windows\{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe
File created	C:\Windows\{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe
File created	C:\Windows\{BB27FD72-8730-4070-9024-2B6230828CD4}.exe	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2068	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe
Token: SeIncBasePriorityPrivilege	3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe
Token: SeIncBasePriorityPrivilege	2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe
Token: SeIncBasePriorityPrivilege	4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe
Token: SeIncBasePriorityPrivilege	3248	{5161F7B5-302A-4301-9647-C60595273545}.exe
Token: SeIncBasePriorityPrivilege	2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe
Token: SeIncBasePriorityPrivilege	1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe
Token: SeIncBasePriorityPrivilege	4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe
Token: SeIncBasePriorityPrivilege	4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe
Token: SeIncBasePriorityPrivilege	2504	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe
Token: SeIncBasePriorityPrivilege	4244	{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 416	2068	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe	88
PID 2068 wrote to memory of 416	2068	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe	88
PID 2068 wrote to memory of 416	2068	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe	88
PID 2068 wrote to memory of 4956	2068	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe	89
PID 2068 wrote to memory of 4956	2068	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe	89
PID 2068 wrote to memory of 4956	2068	2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe	89
PID 416 wrote to memory of 3816	416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe	95
PID 416 wrote to memory of 3816	416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe	95
PID 416 wrote to memory of 3816	416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe	95
PID 416 wrote to memory of 2668	416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe	96
PID 416 wrote to memory of 2668	416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe	96
PID 416 wrote to memory of 2668	416	{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe	96
PID 3816 wrote to memory of 2972	3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe	98
PID 3816 wrote to memory of 2972	3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe	98
PID 3816 wrote to memory of 2972	3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe	98
PID 3816 wrote to memory of 4500	3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe	99
PID 3816 wrote to memory of 4500	3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe	99
PID 3816 wrote to memory of 4500	3816	{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe	99
PID 2972 wrote to memory of 4156	2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe	100
PID 2972 wrote to memory of 4156	2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe	100
PID 2972 wrote to memory of 4156	2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe	100
PID 2972 wrote to memory of 2780	2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe	101
PID 2972 wrote to memory of 2780	2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe	101
PID 2972 wrote to memory of 2780	2972	{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe	101
PID 4156 wrote to memory of 3248	4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe	102
PID 4156 wrote to memory of 3248	4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe	102
PID 4156 wrote to memory of 3248	4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe	102
PID 4156 wrote to memory of 1540	4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe	103
PID 4156 wrote to memory of 1540	4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe	103
PID 4156 wrote to memory of 1540	4156	{DA554212-2AE5-4d73-954F-5A90C404F681}.exe	103
PID 3248 wrote to memory of 2284	3248	{5161F7B5-302A-4301-9647-C60595273545}.exe	104
PID 3248 wrote to memory of 2284	3248	{5161F7B5-302A-4301-9647-C60595273545}.exe	104
PID 3248 wrote to memory of 2284	3248	{5161F7B5-302A-4301-9647-C60595273545}.exe	104
PID 3248 wrote to memory of 1500	3248	{5161F7B5-302A-4301-9647-C60595273545}.exe	105
PID 3248 wrote to memory of 1500	3248	{5161F7B5-302A-4301-9647-C60595273545}.exe	105
PID 3248 wrote to memory of 1500	3248	{5161F7B5-302A-4301-9647-C60595273545}.exe	105
PID 2284 wrote to memory of 1016	2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe	106
PID 2284 wrote to memory of 1016	2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe	106
PID 2284 wrote to memory of 1016	2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe	106
PID 2284 wrote to memory of 3704	2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe	107
PID 2284 wrote to memory of 3704	2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe	107
PID 2284 wrote to memory of 3704	2284	{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe	107
PID 1016 wrote to memory of 4368	1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe	108
PID 1016 wrote to memory of 4368	1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe	108
PID 1016 wrote to memory of 4368	1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe	108
PID 1016 wrote to memory of 4352	1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe	109
PID 1016 wrote to memory of 4352	1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe	109
PID 1016 wrote to memory of 4352	1016	{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe	109
PID 4368 wrote to memory of 4464	4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe	110
PID 4368 wrote to memory of 4464	4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe	110
PID 4368 wrote to memory of 4464	4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe	110
PID 4368 wrote to memory of 2836	4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe	111
PID 4368 wrote to memory of 2836	4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe	111
PID 4368 wrote to memory of 2836	4368	{BB27FD72-8730-4070-9024-2B6230828CD4}.exe	111
PID 4464 wrote to memory of 2504	4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe	112
PID 4464 wrote to memory of 2504	4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe	112
PID 4464 wrote to memory of 2504	4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe	112
PID 4464 wrote to memory of 4108	4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe	113
PID 4464 wrote to memory of 4108	4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe	113
PID 4464 wrote to memory of 4108	4464	{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe	113
PID 2504 wrote to memory of 4244	2504	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe	114
PID 2504 wrote to memory of 4244	2504	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe	114
PID 2504 wrote to memory of 4244	2504	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe	114
PID 2504 wrote to memory of 3372	2504	{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_97ce071f4c4dd2bc1fe64af47d2850ab_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe
  C:\Windows\{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe
    C:\Windows\{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe
      C:\Windows\{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{DA554212-2AE5-4d73-954F-5A90C404F681}.exe
        
        C:\Windows\{DA554212-2AE5-4d73-954F-5A90C404F681}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\{5161F7B5-302A-4301-9647-C60595273545}.exe
        
        C:\Windows\{5161F7B5-302A-4301-9647-C60595273545}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe
        
        C:\Windows\{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe
        
        C:\Windows\{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\{BB27FD72-8730-4070-9024-2B6230828CD4}.exe
        
        C:\Windows\{BB27FD72-8730-4070-9024-2B6230828CD4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe
        
        C:\Windows\{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe
        
        C:\Windows\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe
        
        C:\Windows\{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Windows\{917FC679-D1B1-455f-9AF6-C183D38D598A}.exe
        
        C:\Windows\{917FC679-D1B1-455f-9AF6-C183D38D598A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60AA7~1.EXE > nul
        13⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1C6F~1.EXE > nul
        12⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB1B7~1.EXE > nul
        11⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB27F~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76D80~1.EXE > nul
        9⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E07D1~1.EXE > nul
        8⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5161F~1.EXE > nul
        7⤵
        
        PID:1500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA554~1.EXE > nul
        6⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3CCC~1.EXE > nul
        5⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D1E~1.EXE > nul
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A57FF~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5161F7B5-302A-4301-9647-C60595273545}.exe

Filesize
197KB

MD5
017cfa8c56b28c9e9bea99e5507ea529

SHA1
1d5258e521a0a05b3ecdce6b4779b7def85f4fb0

SHA256
344f8e2cf342814f33f01b7e30cddc62d25743eee87f038d425d59426b77a174

SHA512
07bd7b99cb4a4f18e18d35b078fab6163f873109fb84332894dcdd3c43741cd4b500e08ee9c72374a0fa5e67a2c2d6e5a939b95187985f96030ed69cda22f0b3

Download Submit
C:\Windows\{60AA74D1-E2D8-44f6-B897-EC364575B2AB}.exe

Filesize
197KB

MD5
46d3c7eb13dea23ebc1784b1462dbe3f

SHA1
cd723d9394b029038c9876061f4837a4d56329ec

SHA256
f11999e114622f3a67b439e3946539987f540c990ae31abc84a58a5a756be9fd

SHA512
6bfad75a9f5a2a16b3fb9ca4091980d018854f6dfc7e96066920c35fd412efb81f47ae12debd2d99564653e08824ebabeae7b56b7c8141712dbc8aa5d5c04222

Download Submit
C:\Windows\{76D80B8F-3EC3-42fe-8804-76A159D524F6}.exe

Filesize
197KB

MD5
f898757b089131abadf982eea859fbbc

SHA1
3917f465cb3d182f9233d2d37d0071949cf393a8

SHA256
bf3d6e836a4fa31caeb610d82ca25f9399a28d073f6924773ae9a81d949e98a3

SHA512
9031cf9ca848ef8596f82fde0a12935fddd3cdb80bf2d04fe05a29a9ae82979d8bddc0a666ddb802fb4c3c103cae6917460a1ca6f83e52fd3e530f691371e732

Download Submit
C:\Windows\{917FC679-D1B1-455f-9AF6-C183D38D598A}.exe

Filesize
197KB

MD5
89e8c8ee431f0dd795a9f9c388982c98

SHA1
5cd41c9df4ca31530f716b47aafa6bb883288b6c

SHA256
fdae49f716e6cd7a9ebff7779834c678b676b3ead22cbdafec41415f3aad84e8

SHA512
6136c65f5ddc1612c68e212bd6dff6a7f6534d5adf967148093f22d80bc08181a6a230ba831336e4031a5e6cb1bfdda218e278fb065e3134c69eceae7e2e84b8

Download Submit
C:\Windows\{A57FF84D-656C-422b-9329-7243CFB2F4C3}.exe

Filesize
197KB

MD5
5b30b16ce90e310fee7f4a7ee00b360b

SHA1
774163a56dabfb5a2ec9ec6f406ee6277362803d

SHA256
9f65ecca3f216048ce716f1532b12e52ae0e4317e7c79e9794b71df3909a2d03

SHA512
5033103b7f50e77849a4a902fe875672357370f7f230ac6b86e0bba36ea2c398469123afb8cdd9c5c678392bd3564148b1fdebd98511baf7e393c836cd1f16f2

Download Submit
C:\Windows\{B3CCC91E-6F9C-4f41-B421-F8C83C634741}.exe

Filesize
197KB

MD5
f00eb6ee471fefb137bac74c041ae817

SHA1
e0ac9c708a5867342df094c4c5bbca698e784b96

SHA256
aa941e8ece6fa3256dbd7fcbf7b76af5d3ab9017aea8736b7bb8badb9de64fd8

SHA512
231190498dc6bd653a93815b721af8699e531a4f8201cc6edd517dd26f53631e3b2cec08c58787a039c91375c05580a162bb0b5c40987fe59ae72d48d0a1b969

Download Submit
C:\Windows\{B9D1E138-97F0-45e5-B74A-D0D43C82D511}.exe

Filesize
197KB

MD5
e05f1a10092452715e61e058acd50829

SHA1
cca9e3289216ce0cfa87a146071d229c9640f25c

SHA256
9d40dcbc05b276be1997d29b18baf7172c641439f59f674e5269a56f14937638

SHA512
d854d96431e2f761e1e7d316ccea13e3f42b00c83fa99d644482443a3dfcb4ab9fac1c76fa97528bc4f410f4962e6385bb6944d6695ae0295b97d756e4639650

Download Submit
C:\Windows\{BB27FD72-8730-4070-9024-2B6230828CD4}.exe

Filesize
197KB

MD5
6a8cfcaf733996702e88c72cbcb822ae

SHA1
214d4aeedf0b9664a97c8009cef3869600ffc316

SHA256
e81f01f163c4be7f56475c7be08ff2aa857f009a1104c8ffb797e8390df41924

SHA512
916bf11c50b85a4cf0763c03ccbd635acb760f47d1b9b3bfb9e6e48d24a566a07be03baa40749cadf40b9fb022dd52945901a740bde7d388f859d694f3e51881

Download Submit
C:\Windows\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe

Filesize
128KB

MD5
41b41466f6a5db4502d231758d5e9ea2

SHA1
13d2f8a5617c17f94d2885960e169d68cf4df88e

SHA256
402124f74f34ac31bdfadaed8d19a265cd816a4d2c3a3cf6b9a4142e59bc37a2

SHA512
fe16899fb8e2350826ff0229a8ad46f60e97ce042335e6378e0f919166feae3b3c5f533ebfec059e8b678e5ad0fdfe1146e14fbc778fcfba9dfaba9293002039

Download Submit
C:\Windows\{C1C6FDCA-DBC1-4a82-9414-6CB1C60A3CF0}.exe

Filesize
64KB

MD5
c45d09c738dce0d4b1d322bbd40f47c9

SHA1
10f79c00909754c749b3c6a47257be39b7cf3afd

SHA256
9f71cb6bf2d166f7e995b690d0858d2e2075c81b762400fa7aacf965cf752b44

SHA512
c92dadcabcc7d466313342350b20936f622056b83ed7d75d7d7a202e114379c6f0163a8a6a121783e6aa34246b7fbaf649ef9cab1cb026dea6b4bff0ba97d6a1

Download Submit
C:\Windows\{DA554212-2AE5-4d73-954F-5A90C404F681}.exe

Filesize
197KB

MD5
f905e01413dad6445a1f2f7f9b56836c

SHA1
5bc87b644e2b47ba01a6a787dcbc4068cf9edd9b

SHA256
6f97d9f6ae54676e9837634628e225a01286d613f1201cd52b6f8068f5bf4475

SHA512
f23b2330eb6d34d936fe50e68906743f75427aad6df66dbd91111d5c52fd9479bd5d1433c5158765164c39f86163919ea5a7f45c8cfb662acb0bd69c36933a9d

Download Submit
C:\Windows\{E07D1DAF-E050-42a8-BED5-AADFFA06300E}.exe

Filesize
197KB

MD5
ef1ba69e9d4e69269827d598c8fd0a32

SHA1
f29e43b0d0b5754f3ba8484e652cd4ed9f577fe6

SHA256
a6a6abb9ca2798a012f7a1b58070b3391792de84bd6cd81909d4eac7091bf57e

SHA512
aeca26fa8e3dda9fe6298dc1e022537d20d7e65cd7e0b19a19e10d7eece05a3c531b81b2b9662ab113e3c000c9420cc08c3ce478d1488d2243ce5e52aa06707a

Download Submit
C:\Windows\{EB1B7E28-0938-4995-A09F-65A7DDFF0788}.exe

Filesize
197KB

MD5
7aaaa22a4933e5d8e04fe10a061ef3c6

SHA1
18e8dd3b4e0a47ce48751b12a1ed57fd40f20056

SHA256
47361b9d26e989847d426d545d6e66d890c54d1ee062f55af435433e3cc821c9

SHA512
e38b726fd6ad9ca219122b3546ba882410498f5fe41a338326058a2ac125a4dacbf115682fcbe9e754bd66c0eab3e2e0c8e4bc8367c72579e3b36778c347e985

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads