30f9a1bdc935d52bca065d1c408834b639d2f00cbb5b65003867ef8f5609557f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Size

344KB
MD5

5361047b6d6e80ae01ddfb1ba747d45a
SHA1

fee28910eb97b73f9bcbbac709b075a005b32a48
SHA256

30f9a1bdc935d52bca065d1c408834b639d2f00cbb5b65003867ef8f5609557f
SHA512

b2cc30e0a4648b3b5c40622b813581fd36f47493d60fe9ecfbaf85da231391e92e94d9a365e9a6c206a27fb2f7471a3ce7d10f1482a9af1cc55db973bfeeb277
SSDEEP

3072:mEGh0oclEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGKlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000800000002314a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002314a-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002303c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002303c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5485C3CE-86D2-4463-A593-C91FEE03341D}\stubpath = "C:\\Windows\\{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe"	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}\stubpath = "C:\\Windows\\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe"	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D70695-A17C-4071-8141-59CBCE355A7B}\stubpath = "C:\\Windows\\{04D70695-A17C-4071-8141-59CBCE355A7B}.exe"	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF339710-DE67-4b0f-B9E9-8A569D59845D}\stubpath = "C:\\Windows\\{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe"	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2556D142-0E0D-4c7b-8C47-424F621E7C31}	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}\stubpath = "C:\\Windows\\{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe"	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5485C3CE-86D2-4463-A593-C91FEE03341D}	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF78E021-D07C-4b15-A6D0-4A0173974EC7}	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEB029D-7F37-4f89-A2B2-48F0207E0855}	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF339710-DE67-4b0f-B9E9-8A569D59845D}	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}\stubpath = "C:\\Windows\\{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe"	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E377206-FD59-4129-81EF-553365745434}	{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E377206-FD59-4129-81EF-553365745434}\stubpath = "C:\\Windows\\{7E377206-FD59-4129-81EF-553365745434}.exe"	{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF78E021-D07C-4b15-A6D0-4A0173974EC7}\stubpath = "C:\\Windows\\{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe"	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D70695-A17C-4071-8141-59CBCE355A7B}	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5284E7E-4317-4e4a-A82A-0904080B0C54}	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64AF2943-5D66-4982-8426-78A58CBDA094}	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64AF2943-5D66-4982-8426-78A58CBDA094}\stubpath = "C:\\Windows\\{64AF2943-5D66-4982-8426-78A58CBDA094}.exe"	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5284E7E-4317-4e4a-A82A-0904080B0C54}\stubpath = "C:\\Windows\\{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe"	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEB029D-7F37-4f89-A2B2-48F0207E0855}\stubpath = "C:\\Windows\\{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe"	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2556D142-0E0D-4c7b-8C47-424F621E7C31}\stubpath = "C:\\Windows\\{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe"	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe
1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe
1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe
1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe
2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe
4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe
3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe
2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe
1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe
2928	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe
3084	{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe
4656	{7E377206-FD59-4129-81EF-553365745434}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe
File created	C:\Windows\{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe
File created	C:\Windows\{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe
File created	C:\Windows\{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe
File created	C:\Windows\{04D70695-A17C-4071-8141-59CBCE355A7B}.exe	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe
File created	C:\Windows\{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe
File created	C:\Windows\{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe
File created	C:\Windows\{64AF2943-5D66-4982-8426-78A58CBDA094}.exe	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe
File created	C:\Windows\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
File created	C:\Windows\{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe
File created	C:\Windows\{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe
File created	C:\Windows\{7E377206-FD59-4129-81EF-553365745434}.exe	{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	408	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe
Token: SeIncBasePriorityPrivilege	1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe
Token: SeIncBasePriorityPrivilege	1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe
Token: SeIncBasePriorityPrivilege	1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe
Token: SeIncBasePriorityPrivilege	2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe
Token: SeIncBasePriorityPrivilege	4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe
Token: SeIncBasePriorityPrivilege	3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe
Token: SeIncBasePriorityPrivilege	2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe
Token: SeIncBasePriorityPrivilege	1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe
Token: SeIncBasePriorityPrivilege	2928	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe
Token: SeIncBasePriorityPrivilege	3084	{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4312	408	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	93
PID 408 wrote to memory of 4312	408	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	93
PID 408 wrote to memory of 4312	408	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	93
PID 408 wrote to memory of 3516	408	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	94
PID 408 wrote to memory of 3516	408	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	94
PID 408 wrote to memory of 3516	408	2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe	94
PID 4312 wrote to memory of 1580	4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe	96
PID 4312 wrote to memory of 1580	4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe	96
PID 4312 wrote to memory of 1580	4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe	96
PID 4312 wrote to memory of 3856	4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe	95
PID 4312 wrote to memory of 3856	4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe	95
PID 4312 wrote to memory of 3856	4312	{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe	95
PID 1580 wrote to memory of 1476	1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe	99
PID 1580 wrote to memory of 1476	1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe	99
PID 1580 wrote to memory of 1476	1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe	99
PID 1580 wrote to memory of 4688	1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe	98
PID 1580 wrote to memory of 4688	1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe	98
PID 1580 wrote to memory of 4688	1580	{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe	98
PID 1476 wrote to memory of 1196	1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe	101
PID 1476 wrote to memory of 1196	1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe	101
PID 1476 wrote to memory of 1196	1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe	101
PID 1476 wrote to memory of 4908	1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe	100
PID 1476 wrote to memory of 4908	1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe	100
PID 1476 wrote to memory of 4908	1476	{04D70695-A17C-4071-8141-59CBCE355A7B}.exe	100
PID 1196 wrote to memory of 2888	1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe	103
PID 1196 wrote to memory of 2888	1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe	103
PID 1196 wrote to memory of 2888	1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe	103
PID 1196 wrote to memory of 2528	1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe	102
PID 1196 wrote to memory of 2528	1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe	102
PID 1196 wrote to memory of 2528	1196	{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe	102
PID 2888 wrote to memory of 4704	2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe	104
PID 2888 wrote to memory of 4704	2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe	104
PID 2888 wrote to memory of 4704	2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe	104
PID 2888 wrote to memory of 5088	2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe	105
PID 2888 wrote to memory of 5088	2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe	105
PID 2888 wrote to memory of 5088	2888	{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe	105
PID 4704 wrote to memory of 3352	4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe	106
PID 4704 wrote to memory of 3352	4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe	106
PID 4704 wrote to memory of 3352	4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe	106
PID 4704 wrote to memory of 3180	4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe	107
PID 4704 wrote to memory of 3180	4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe	107
PID 4704 wrote to memory of 3180	4704	{64AF2943-5D66-4982-8426-78A58CBDA094}.exe	107
PID 3352 wrote to memory of 2948	3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe	108
PID 3352 wrote to memory of 2948	3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe	108
PID 3352 wrote to memory of 2948	3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe	108
PID 3352 wrote to memory of 4336	3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe	109
PID 3352 wrote to memory of 4336	3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe	109
PID 3352 wrote to memory of 4336	3352	{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe	109
PID 2948 wrote to memory of 1964	2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe	110
PID 2948 wrote to memory of 1964	2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe	110
PID 2948 wrote to memory of 1964	2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe	110
PID 2948 wrote to memory of 3508	2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe	111
PID 2948 wrote to memory of 3508	2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe	111
PID 2948 wrote to memory of 3508	2948	{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe	111
PID 1964 wrote to memory of 2928	1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe	112
PID 1964 wrote to memory of 2928	1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe	112
PID 1964 wrote to memory of 2928	1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe	112
PID 1964 wrote to memory of 2220	1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe	113
PID 1964 wrote to memory of 2220	1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe	113
PID 1964 wrote to memory of 2220	1964	{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe	113
PID 2928 wrote to memory of 3084	2928	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe	114
PID 2928 wrote to memory of 3084	2928	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe	114
PID 2928 wrote to memory of 3084	2928	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe	114
PID 2928 wrote to memory of 3976	2928	{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_5361047b6d6e80ae01ddfb1ba747d45a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe
  C:\Windows\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E2B0~1.EXE > nul
    3⤵
    PID:3856
- - C:\Windows\{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe
    C:\Windows\{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FF78E~1.EXE > nul
      4⤵
      PID:4688
  - - C:\Windows\{04D70695-A17C-4071-8141-59CBCE355A7B}.exe
      C:\Windows\{04D70695-A17C-4071-8141-59CBCE355A7B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04D70~1.EXE > nul
        5⤵
        
        PID:4908
    - - C:\Windows\{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe
        
        C:\Windows\{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5284~1.EXE > nul
        6⤵
        
        PID:2528
      - C:\Windows\{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe
        
        C:\Windows\{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{64AF2943-5D66-4982-8426-78A58CBDA094}.exe
        
        C:\Windows\{64AF2943-5D66-4982-8426-78A58CBDA094}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe
        
        C:\Windows\{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe
        
        C:\Windows\{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe
        
        C:\Windows\{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe
        
        C:\Windows\{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe
        
        C:\Windows\{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\{7E377206-FD59-4129-81EF-553365745434}.exe
        
        C:\Windows\{7E377206-FD59-4129-81EF-553365745434}.exe
        13⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F6FE~1.EXE > nul
        13⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5485C~1.EXE > nul
        12⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2C55~1.EXE > nul
        11⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2556D~1.EXE > nul
        10⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF339~1.EXE > nul
        9⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64AF2~1.EXE > nul
        8⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CEB0~1.EXE > nul
        7⤵
        
        PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04D70695-A17C-4071-8141-59CBCE355A7B}.exe

Filesize
344KB

MD5
4ca633553db50c3037d50dc562609178

SHA1
703f3b53f1f7f86df4eabf8659b416f8f470d88a

SHA256
6fcbc3fe64cebc8348944b22750a030321cef37ea25c398aaaac14dac13cf492

SHA512
fbb49f1fd53bda70b8a2ac3b7cb2902ea3a033737aebb3ab0ce604c564f5c38c1f095dad6b5970619e1e5df97246d3396d66b8b7a9de79e8bc7796ed45174601

Download Submit
C:\Windows\{2556D142-0E0D-4c7b-8C47-424F621E7C31}.exe

Filesize
344KB

MD5
73e4802d7f32a7fed6d5eadaffc0cece

SHA1
b7f65b3e0a2482229cbe291fd86681b8dfdb2e1c

SHA256
55d781334a7ef0d98d33353bfdbe6788ed85827253c6b8fffde9649841026652

SHA512
670b05b913397cf71a35b1194bd24d024aba8c24e5838c5aec0a561e3be66ed60fb6a8fe18b747b11402f5593b7186fa7410c81e0fb6db92edce77fad3fbd5aa

Download Submit
C:\Windows\{5485C3CE-86D2-4463-A593-C91FEE03341D}.exe

Filesize
344KB

MD5
030a4f26803cd22d06670e8bb85bc314

SHA1
5a1ae942b2cc26001b7637b0c089f60de77cd938

SHA256
a7cafe1d3f921dbaba1764e5479f510c12216f985e242d66440b21665ac80dc9

SHA512
1510c421450618d6e54fb7e4c523093d5c30d15b31b2731acbf5eb95e4fdc3af717740f0961d88f5a651305889d22171b807bb669278289bbb981aa478d18c76

Download Submit
C:\Windows\{5CEB029D-7F37-4f89-A2B2-48F0207E0855}.exe

Filesize
344KB

MD5
0fd15ab8dcb315c8d9fbba6bdde17c4b

SHA1
8048dffc7190b33d2464961205acdc4610f46dad

SHA256
2eac092b57c4992c81b994d6b1a7189db55d3e0b1caa3cfee1b9b866b79a2567

SHA512
d295c77312734b1e0708fbf718297c86e2a14ad01ee084ae0cd724070e5249630284d7857c691b94a11154bf8bff56c5d90a1ebf679d6f88cbdb1be278dd2da1

Download Submit
C:\Windows\{5F6FE6F2-8F59-4e87-AE0F-1DAD643D771B}.exe

Filesize
344KB

MD5
68ef0e011414dae947ba59fb269f7c4e

SHA1
3b049b7714ea5977abf36700054b2bda72bcfa73

SHA256
c2a506abe226d953d35f660d2fb41bde5065a816076a63ebafe0e2633919bae7

SHA512
e421a1d11f3fafe974930b965ff49bc25cdd688ee107dc99e7e54f0e8001e5418bdf964eac08ba7fad6670758e1c2f23f34231d232c3cdef16cfc8e2ce7991a2

Download Submit
C:\Windows\{64AF2943-5D66-4982-8426-78A58CBDA094}.exe

Filesize
344KB

MD5
d5d1d8dee98f5abeca02dbe0012e441c

SHA1
a75c33ed1bb0fc33f7b64c9bcd4ef7718c6c6067

SHA256
f03047d462e961124d61cae8bb7b613e19975190ec23fe6fe5179e514970e347

SHA512
9e0b36224db8113304280dc28a3144bd9961d5f02eb15218dd4e59b73f6d62f487b2f2f16dd0a8e0893eb27d60cfa5ac9fa6502aa54ff69958a919ed2121df63

Download Submit
C:\Windows\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe

Filesize
344KB

MD5
22bca1c7601e1656da3e0d7445b209d2

SHA1
a28fb9e0822fcc627962e81a7035082a0cee2914

SHA256
89a33faf19368f15de6e75eb38e202dedb8384f900a0f1390cfff6e86d3c5607

SHA512
884b9d7182b07626c3ab20a0139673426b2c3147205c8ee96787c9a6b2faf0e7059a9576b795537ceb732424ab8eef2dd3b3223011c58d547a7e6a0be5555007

Download Submit
C:\Windows\{6E2B06D8-6A6B-479a-BFDA-C59BB261EB96}.exe

Filesize
64KB

MD5
231bb76e21fcca1106dd256d9718ba4e

SHA1
ac7d8d743177fc6d71f61ca919923df5020676e1

SHA256
a28de018a2885a2f2d4deb8083cdfc0b946bd777409e7195f0c17b4b942eca4f

SHA512
3c3e571a6983f8fe01f7f884289e4005cb9351639410a2011ca668d2521f6fa38f6dbc4dfe55c2dd5e96e995e0afb130b5f34619037d4e1a97e5ffaede04dd1f

Download Submit
C:\Windows\{7E377206-FD59-4129-81EF-553365745434}.exe

Filesize
344KB

MD5
a7cecf42e1d055b431ab569e78666deb

SHA1
1a9255b64a4b8960f403da32d1a443f343333e32

SHA256
e5f1f4037c2bcc1888a275abeb016c4cc7e18ebcb4b3ba27a2063acdc8ec029d

SHA512
53d26ad5b6a0d7cf6e45952a4521a2a8e9cec6f6258ad089f7e989aa9a5cbc51ae2459101300072e4cf5b9ae3a22d09afca52764a71d09002dd61750b9bdafd1

Download Submit
C:\Windows\{B2C554B5-58A6-4032-9571-DC4DDF2FD8E6}.exe

Filesize
344KB

MD5
d0c0bea2a20331ec99f5540a06911dce

SHA1
54e9c6cfba62e91b31fd283db35b42b871b7e114

SHA256
261f8559e0e7f91547d7fb499bda7292eb8e2a5b5700e8cbc91d925174218f70

SHA512
7c10b9fde118438446973227860eeaa2551b3a26db1dc9fe3b8d048559aee01dd917ed739a7eda8d8fc24bdf3035238d30d7e57cd211178f9f14acf5a7176ba6

Download Submit
C:\Windows\{E5284E7E-4317-4e4a-A82A-0904080B0C54}.exe

Filesize
344KB

MD5
5c8938bb0c6041f4dcc9aac8c2f78224

SHA1
24b5b2335b26c5091d0719a332d578ab29997ea7

SHA256
9f9ad735bbf95042bbf01974392f63e3dbbe6a5e61e0f59d176d05df5604c104

SHA512
9447fd48ec9bca221ebf98c8f02623d073a18f04ba57571341a5aa803a254a758b73ce191cb613da9f98685734d3ab62d415712dfde3712fbdd84d4849ba168d

Download Submit
C:\Windows\{FF339710-DE67-4b0f-B9E9-8A569D59845D}.exe

Filesize
344KB

MD5
9058cda1f1555ba24884d562a6337cc2

SHA1
8ad935cc36dca2de22018e6a13502c452565ada1

SHA256
0c74cc6cc82d8272d843b5326c7da8cda667f12404ba18bdf1b2cf77bd4d60f4

SHA512
74ac5c0849dac78938e35ca4c84b2fdf66820038d50900f07b591ad31157eb2760cbdfd371412167d5e4806e3744fa2dcf73534561ddb343e8e9e9e405b48ccd

Download Submit
C:\Windows\{FF78E021-D07C-4b15-A6D0-4A0173974EC7}.exe

Filesize
344KB

MD5
0176d5df9b6a2ad7367a3b56bbb19e49

SHA1
6415aacf489a05e277ad56341514108abf8095ae

SHA256
b151fb9f8fd1d450aea500334f7d5f00a2d5b1a559318900a942200a7bc85640

SHA512
2de2b627482d0752dd15ee7cea36b2a481b6f6fda558bb5f2e2d8568816be164187b7890553c56502314fb7f6639c1d9f4a70d5c2bc96d4ca0fbebcdac5353b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads