53ea4235f02cf81067ed12e5c614c9a2e503632eb8601484412de770da03ae70

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Size

180KB
MD5

e781313969b78840fadeee43cbf0fc66
SHA1

34f3c89f2b3b5843b2f4afcb32b9cd0d6625f2f5
SHA256

53ea4235f02cf81067ed12e5c614c9a2e503632eb8601484412de770da03ae70
SHA512

227f59bb015f7dd71104ea58a114cc781c39bc0369c5b8d4b29d5262ff577437dcd0716ec8b1ac7c5a5d0f2d6616dbc4034838fe9f406c9c487aeacb6c6153fe
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023234-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002323d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023243-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002323d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417D6592-2D6B-401a-8394-17F550916999}	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}\stubpath = "C:\\Windows\\{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe"	{417D6592-2D6B-401a-8394-17F550916999}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}\stubpath = "C:\\Windows\\{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe"	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E56B556E-58AB-4988-904C-3D9F31254C2E}	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E56B556E-58AB-4988-904C-3D9F31254C2E}\stubpath = "C:\\Windows\\{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe"	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}	{417D6592-2D6B-401a-8394-17F550916999}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22B9B64B-97DE-49d6-B6D0-198B3D264B78}	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22B9B64B-97DE-49d6-B6D0-198B3D264B78}\stubpath = "C:\\Windows\\{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe"	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC8443EE-4EDC-4818-AEDE-C77553936EB6}	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}\stubpath = "C:\\Windows\\{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}.exe"	{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A10B185-4722-4196-B4BB-C3B6B9840AB9}	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A10B185-4722-4196-B4BB-C3B6B9840AB9}\stubpath = "C:\\Windows\\{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe"	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}\stubpath = "C:\\Windows\\{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe"	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}\stubpath = "C:\\Windows\\{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe"	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}\stubpath = "C:\\Windows\\{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe"	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417D6592-2D6B-401a-8394-17F550916999}\stubpath = "C:\\Windows\\{417D6592-2D6B-401a-8394-17F550916999}.exe"	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}\stubpath = "C:\\Windows\\{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe"	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC8443EE-4EDC-4818-AEDE-C77553936EB6}\stubpath = "C:\\Windows\\{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe"	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}	{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe

Executes dropped EXE 12 IoCs

pid	Process
1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe
4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe
464	{417D6592-2D6B-401a-8394-17F550916999}.exe
2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe
4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe
4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe
4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe
1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe
892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe
2052	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe
3816	{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe
1424	{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe
File created	C:\Windows\{417D6592-2D6B-401a-8394-17F550916999}.exe	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe
File created	C:\Windows\{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe	{417D6592-2D6B-401a-8394-17F550916999}.exe
File created	C:\Windows\{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe
File created	C:\Windows\{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe
File created	C:\Windows\{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe
File created	C:\Windows\{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe
File created	C:\Windows\{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
File created	C:\Windows\{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe
File created	C:\Windows\{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe
File created	C:\Windows\{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe
File created	C:\Windows\{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}.exe	{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1280	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe
Token: SeIncBasePriorityPrivilege	4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe
Token: SeIncBasePriorityPrivilege	464	{417D6592-2D6B-401a-8394-17F550916999}.exe
Token: SeIncBasePriorityPrivilege	2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe
Token: SeIncBasePriorityPrivilege	4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe
Token: SeIncBasePriorityPrivilege	4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe
Token: SeIncBasePriorityPrivilege	4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe
Token: SeIncBasePriorityPrivilege	1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe
Token: SeIncBasePriorityPrivilege	892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe
Token: SeIncBasePriorityPrivilege	2052	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe
Token: SeIncBasePriorityPrivilege	3816	{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1008	1280	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	87
PID 1280 wrote to memory of 1008	1280	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	87
PID 1280 wrote to memory of 1008	1280	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	87
PID 1280 wrote to memory of 1424	1280	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	88
PID 1280 wrote to memory of 1424	1280	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	88
PID 1280 wrote to memory of 1424	1280	2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe	88
PID 1008 wrote to memory of 4188	1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe	92
PID 1008 wrote to memory of 4188	1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe	92
PID 1008 wrote to memory of 4188	1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe	92
PID 1008 wrote to memory of 5004	1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe	93
PID 1008 wrote to memory of 5004	1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe	93
PID 1008 wrote to memory of 5004	1008	{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe	93
PID 4188 wrote to memory of 464	4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe	95
PID 4188 wrote to memory of 464	4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe	95
PID 4188 wrote to memory of 464	4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe	95
PID 4188 wrote to memory of 3076	4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe	96
PID 4188 wrote to memory of 3076	4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe	96
PID 4188 wrote to memory of 3076	4188	{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe	96
PID 464 wrote to memory of 2136	464	{417D6592-2D6B-401a-8394-17F550916999}.exe	97
PID 464 wrote to memory of 2136	464	{417D6592-2D6B-401a-8394-17F550916999}.exe	97
PID 464 wrote to memory of 2136	464	{417D6592-2D6B-401a-8394-17F550916999}.exe	97
PID 464 wrote to memory of 2964	464	{417D6592-2D6B-401a-8394-17F550916999}.exe	98
PID 464 wrote to memory of 2964	464	{417D6592-2D6B-401a-8394-17F550916999}.exe	98
PID 464 wrote to memory of 2964	464	{417D6592-2D6B-401a-8394-17F550916999}.exe	98
PID 2136 wrote to memory of 4872	2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe	99
PID 2136 wrote to memory of 4872	2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe	99
PID 2136 wrote to memory of 4872	2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe	99
PID 2136 wrote to memory of 2196	2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe	100
PID 2136 wrote to memory of 2196	2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe	100
PID 2136 wrote to memory of 2196	2136	{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe	100
PID 4872 wrote to memory of 4072	4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe	101
PID 4872 wrote to memory of 4072	4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe	101
PID 4872 wrote to memory of 4072	4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe	101
PID 4872 wrote to memory of 884	4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe	102
PID 4872 wrote to memory of 884	4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe	102
PID 4872 wrote to memory of 884	4872	{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe	102
PID 4072 wrote to memory of 4456	4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe	103
PID 4072 wrote to memory of 4456	4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe	103
PID 4072 wrote to memory of 4456	4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe	103
PID 4072 wrote to memory of 4728	4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe	104
PID 4072 wrote to memory of 4728	4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe	104
PID 4072 wrote to memory of 4728	4072	{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe	104
PID 4456 wrote to memory of 1488	4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe	105
PID 4456 wrote to memory of 1488	4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe	105
PID 4456 wrote to memory of 1488	4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe	105
PID 4456 wrote to memory of 2348	4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe	106
PID 4456 wrote to memory of 2348	4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe	106
PID 4456 wrote to memory of 2348	4456	{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe	106
PID 1488 wrote to memory of 892	1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe	107
PID 1488 wrote to memory of 892	1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe	107
PID 1488 wrote to memory of 892	1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe	107
PID 1488 wrote to memory of 4116	1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe	108
PID 1488 wrote to memory of 4116	1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe	108
PID 1488 wrote to memory of 4116	1488	{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe	108
PID 892 wrote to memory of 2052	892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe	109
PID 892 wrote to memory of 2052	892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe	109
PID 892 wrote to memory of 2052	892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe	109
PID 892 wrote to memory of 816	892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe	110
PID 892 wrote to memory of 816	892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe	110
PID 892 wrote to memory of 816	892	{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe	110
PID 2052 wrote to memory of 3816	2052	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe	111
PID 2052 wrote to memory of 3816	2052	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe	111
PID 2052 wrote to memory of 3816	2052	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe	111
PID 2052 wrote to memory of 3644	2052	{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_e781313969b78840fadeee43cbf0fc66_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe
  C:\Windows\{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe
    C:\Windows\{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\{417D6592-2D6B-401a-8394-17F550916999}.exe
      C:\Windows\{417D6592-2D6B-401a-8394-17F550916999}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe
        
        C:\Windows\{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe
        
        C:\Windows\{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe
        
        C:\Windows\{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe
        
        C:\Windows\{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe
        
        C:\Windows\{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe
        
        C:\Windows\{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe
        
        C:\Windows\{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe
        
        C:\Windows\{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}.exe
        
        C:\Windows\{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BF49~1.EXE > nul
        13⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC844~1.EXE > nul
        12⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D13F0~1.EXE > nul
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F4C~1.EXE > nul
        10⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A10B~1.EXE > nul
        9⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F17DA~1.EXE > nul
        8⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22B9B~1.EXE > nul
        7⤵
        
        PID:884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E10E~1.EXE > nul
        6⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{417D6~1.EXE > nul
        5⤵
        
        PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E56B5~1.EXE > nul
      4⤵
      PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF21~1.EXE > nul
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EA2544B-48E5-4b94-BB44-D205B0CA2A3F}.exe

Filesize
180KB

MD5
5ea66f99028186ddb16096dbfbb3afd7

SHA1
235a7d7173bb76d5c19e87bbdbfc9d38d473c398

SHA256
daa8c46654a21b9057ef22a0e566324be33515b17daaff0d35ebcc5556ff42b6

SHA512
8a1af1d0959a220520b1aff2d851a8d1fa6a97e47b8abced58c263b660793a2e56fe4f0c8ef298b293d9eeea38b82491b29c705ced3822c1e4aad174276f1fda

Download Submit
C:\Windows\{22B9B64B-97DE-49d6-B6D0-198B3D264B78}.exe

Filesize
180KB

MD5
13f09296e101e61789af4c6210f12df7

SHA1
4a1431e174977b436c9e221dd12580a0dd740408

SHA256
ffc217f5c9c380c7054cebb59817f95b3f2599c202012d2ebb9d298b6ec1108a

SHA512
e1f25d224e9a6ce5dc16c8c0bdcac9593eaed9ce6d9ba505a4cde62ba56f980f0b9afdfdff9568a000afc2aec14ac14c3a782e3816ea5b3dc4dbdaefe8530e25

Download Submit
C:\Windows\{417D6592-2D6B-401a-8394-17F550916999}.exe

Filesize
180KB

MD5
6ff80e1a04c8bef58dc574e583bf5217

SHA1
f7d66fd91c030870b0b44ba4c17333145508e805

SHA256
588bed586f94e9d9200626b6543b0d729682ce58547e23c51551d176932290a7

SHA512
7dce788bcfcb548da502f69fb313af03b4a39ee94ff2c264681896619fdc8b001dce5b7db8e0947df872c7a5a102d7cdf13c1e48a47b3d9ca8af726f99f01448

Download Submit
C:\Windows\{4BF498F2-7E9C-4194-BA90-1C4CFDB39A28}.exe

Filesize
180KB

MD5
dc9a3d31573efcbe21808f038aa932b6

SHA1
0ddb5639f5e1db9d96a5181082265191cf6bbadc

SHA256
5dde70de7f34bb153525bd46d3604b19d6619f3a10d27ccfecbddc1344184d01

SHA512
0fd8f0634fa04d1f64cb66ec7d115476998ab5697652eebe785e96eca6f7984f93c3a8e72640217aa7db38a382ab613832310677a8c28f2e28a2c5d30cc1163b

Download Submit
C:\Windows\{6E10EBD6-F09D-4ff8-8827-9FEF0125E801}.exe

Filesize
180KB

MD5
a2999943e470dcf7a76b5b1e824fd166

SHA1
e60ceacbe3102a51b3588a493a5852bd57840ec0

SHA256
8438cdb63fa74bf2d51d86c51eb47537ed170339401a834cdd3af30893e757e3

SHA512
9eaa3fd2d90e56cb6b7f475149b5233242087f798046b919e4a3a117936855a71be6f9149f59bcba2f869aa69904e001de536b132e05ff8928a701d9079acf03

Download Submit
C:\Windows\{7A10B185-4722-4196-B4BB-C3B6B9840AB9}.exe

Filesize
180KB

MD5
8ad5dc8305daeb2f255421239760090e

SHA1
0549c1fceb3cd95fbe1348af61a756eb0f3d195b

SHA256
a39fb18767dcb832c525d60eaa3d0f49668527d1cd6f18324035bae5e181e9f6

SHA512
eee422877c9fea2594c4589909b8ae76ec24ede390845ee962414b71f255a7934e27572c69c0f6fe39349eef6f9636d9597c76aea31cff5bc8a688d69fd0ff84

Download Submit
C:\Windows\{BEF21742-BF65-4157-9D1A-9D579EEDC7B1}.exe

Filesize
180KB

MD5
29492ffd6372c39ee58ff5a1255c586f

SHA1
c7f5bcfd1df379e73b3392874ef7ea09d9a165f4

SHA256
ced8475f1eae0b36ccbc9f5b984539090a2d4672a990f9199b1fe5dadfbc3b53

SHA512
cf206b9b6bafe23c266d0e2f000808296792f32e24968718e9ce444ce97c9b61f94c01fae25949cca65e91eaa384c4acf6459caf841ba14cf44fb5af6cb71ee8

Download Submit
C:\Windows\{C5F4C2E4-DF8F-45ed-A38E-FBFE37132646}.exe

Filesize
180KB

MD5
6d36dfbbed65553786c751ef19a1e892

SHA1
10a7505545df1b1c7bf6028bf154a59ff3ba91e1

SHA256
579c053a3985eeee3724347c9687c02379010e879683724fd500782ec252e15f

SHA512
1cb6897b75ad5d1e1a956970804eb9d3828a2b1e16f0a12cbe24b116eeaab6e109e7f0553aa7e07038f6deed9205a3400108b503d7351de032d1396dcb803c0f

Download Submit
C:\Windows\{D13F0DFC-09E0-4e0d-9CE8-37D23701DCF7}.exe

Filesize
180KB

MD5
826d83dbe43dd745dd25641dbf72c82a

SHA1
d245fa1596cce0e23e08d054fa33dbb44731c6fe

SHA256
c66a27fc9714969e5f662a6462413436b7cb2a2080dabd5467a530f934d449e9

SHA512
97f13341d88248851b5ff94e54222a4f1ed3d6eae1fc53475fda70d2c09060ce349291ebd353bffb0d178704a08b84646d910454ad905aad1fcf020756617028

Download Submit
C:\Windows\{E56B556E-58AB-4988-904C-3D9F31254C2E}.exe

Filesize
180KB

MD5
e3f62f774f5178618a1996c00d53f6cb

SHA1
57a0b2e589126aa15fb964460e58e43246c11555

SHA256
9a64a35520993442f398571194f6be31339a4731a52aa285c3a2c472d834933c

SHA512
1054fe19b165753c7f42ae5f876af14112f46c64058d70086b743720d9eeba163f28e2fe6896278491392075cf8da63919b044e019ac4a5121da8a9c69d9ae85

Download Submit
C:\Windows\{F17DA165-D92B-4c3d-9BBC-5ACFCEE7F818}.exe

Filesize
180KB

MD5
421789cf16f68ab0ee286aa26df3751f

SHA1
6c9d1f889938bbd2f523431a82679a0d3f4c71f6

SHA256
bbd22b67e0f4f066d4857621e8b561fffa15811d0927dbf3f46314d752e50d3b

SHA512
49f5bc88b3700093c19650dc45f0e008eca604940084546c22e3780a98a0390ed434dd4b1943cd24829dc7edb09b3e7269dfb5dd3b9d9fe90d97f5125900a757

Download Submit
C:\Windows\{FC8443EE-4EDC-4818-AEDE-C77553936EB6}.exe

Filesize
180KB

MD5
8dfc935647c0caaba7abcab19e7ad06d

SHA1
187e49aefe953d62908702ee1a8901e259abcc2d

SHA256
0be2738b8bc1c78faa0596e448ef424c918faea8866e58656c0df0d7ae0b5ada

SHA512
fd879f672db01a3f789766defd990011b7716e135a4f064ce28b9ef76d07fad054f4fad6f7ec57007bfc1b8a2c3e2108ef8cf739b1b4120cdcfb540984f611e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads