113ba559bc178bfe524b756b4373f378647548838ab11007dcc7571b209e021a

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
Size

344KB
MD5

116cdcc3985aaa210782c5000d1bdc68
SHA1

a7ccc72b029687e96ec959ce5f601c56b7fe0ddb
SHA256

113ba559bc178bfe524b756b4373f378647548838ab11007dcc7571b209e021a
SHA512

7719cc3688fd924f2e5af3e6f1128a7920b407eead4296f3d6aa641dd392a338b03cada8ff81dbcb7fc40b9fbb34badc276557bf2af4c25e195681693e41773c
SSDEEP

3072:mEGh0orlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ef-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e75f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231ff-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e75f-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e75f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BB19A04-5046-436d-BDA0-09E0DECF7D62}\stubpath = "C:\\Windows\\{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe"	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C8EC6D-ED68-435d-BAD4-101C48B0948A}	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA04FFC2-F9FA-4786-9C9D-A291366980E3}	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA04FFC2-F9FA-4786-9C9D-A291366980E3}\stubpath = "C:\\Windows\\{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe"	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{146EEEC1-F311-4f5c-8596-0B0CF461EE25}	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}\stubpath = "C:\\Windows\\{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}.exe"	{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37E3569-3F98-4673-9CEF-6D52780F3E70}	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BB19A04-5046-436d-BDA0-09E0DECF7D62}	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DA3A56B-8D89-479d-91C1-2166E7E2C292}	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A161DFA2-5366-4f23-84DE-F430A9C126BB}\stubpath = "C:\\Windows\\{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe"	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{146EEEC1-F311-4f5c-8596-0B0CF461EE25}\stubpath = "C:\\Windows\\{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe"	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{993BE1B4-3DCF-4209-BD47-9E27C520AF02}\stubpath = "C:\\Windows\\{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe"	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DA3A56B-8D89-479d-91C1-2166E7E2C292}\stubpath = "C:\\Windows\\{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe"	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A161DFA2-5366-4f23-84DE-F430A9C126BB}	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB86B86C-DF22-418a-8485-4F1451BD9388}	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}	{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{993BE1B4-3DCF-4209-BD47-9E27C520AF02}	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D507FCD-F8BB-4213-ADD7-1062A876710C}	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D507FCD-F8BB-4213-ADD7-1062A876710C}\stubpath = "C:\\Windows\\{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe"	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}\stubpath = "C:\\Windows\\{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe"	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C8EC6D-ED68-435d-BAD4-101C48B0948A}\stubpath = "C:\\Windows\\{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe"	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB86B86C-DF22-418a-8485-4F1451BD9388}\stubpath = "C:\\Windows\\{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe"	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37E3569-3F98-4673-9CEF-6D52780F3E70}\stubpath = "C:\\Windows\\{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe"	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe
700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe
3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe
3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe
1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe
4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe
3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe
2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe
3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe
2620	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe
1384	{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe
3656	{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe
File created	C:\Windows\{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe
File created	C:\Windows\{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe
File created	C:\Windows\{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe
File created	C:\Windows\{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe
File created	C:\Windows\{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
File created	C:\Windows\{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe
File created	C:\Windows\{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe
File created	C:\Windows\{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe
File created	C:\Windows\{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}.exe	{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe
File created	C:\Windows\{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe
File created	C:\Windows\{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3536	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe
Token: SeIncBasePriorityPrivilege	700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe
Token: SeIncBasePriorityPrivilege	3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe
Token: SeIncBasePriorityPrivilege	3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe
Token: SeIncBasePriorityPrivilege	1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe
Token: SeIncBasePriorityPrivilege	4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe
Token: SeIncBasePriorityPrivilege	3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe
Token: SeIncBasePriorityPrivilege	2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe
Token: SeIncBasePriorityPrivilege	3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe
Token: SeIncBasePriorityPrivilege	2620	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe
Token: SeIncBasePriorityPrivilege	1384	{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3636	3536	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	89
PID 3536 wrote to memory of 3636	3536	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	89
PID 3536 wrote to memory of 3636	3536	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	89
PID 3536 wrote to memory of 2232	3536	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	90
PID 3536 wrote to memory of 2232	3536	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	90
PID 3536 wrote to memory of 2232	3536	2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe	90
PID 3636 wrote to memory of 700	3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe	94
PID 3636 wrote to memory of 700	3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe	94
PID 3636 wrote to memory of 700	3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe	94
PID 3636 wrote to memory of 3664	3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe	95
PID 3636 wrote to memory of 3664	3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe	95
PID 3636 wrote to memory of 3664	3636	{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe	95
PID 700 wrote to memory of 3256	700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe	98
PID 700 wrote to memory of 3256	700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe	98
PID 700 wrote to memory of 3256	700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe	98
PID 700 wrote to memory of 2608	700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe	97
PID 700 wrote to memory of 2608	700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe	97
PID 700 wrote to memory of 2608	700	{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe	97
PID 3256 wrote to memory of 3732	3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe	99
PID 3256 wrote to memory of 3732	3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe	99
PID 3256 wrote to memory of 3732	3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe	99
PID 3256 wrote to memory of 1064	3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe	100
PID 3256 wrote to memory of 1064	3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe	100
PID 3256 wrote to memory of 1064	3256	{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe	100
PID 3732 wrote to memory of 1480	3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe	101
PID 3732 wrote to memory of 1480	3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe	101
PID 3732 wrote to memory of 1480	3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe	101
PID 3732 wrote to memory of 4816	3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe	102
PID 3732 wrote to memory of 4816	3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe	102
PID 3732 wrote to memory of 4816	3732	{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe	102
PID 1480 wrote to memory of 4700	1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe	103
PID 1480 wrote to memory of 4700	1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe	103
PID 1480 wrote to memory of 4700	1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe	103
PID 1480 wrote to memory of 4392	1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe	104
PID 1480 wrote to memory of 4392	1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe	104
PID 1480 wrote to memory of 4392	1480	{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe	104
PID 4700 wrote to memory of 3484	4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe	105
PID 4700 wrote to memory of 3484	4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe	105
PID 4700 wrote to memory of 3484	4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe	105
PID 4700 wrote to memory of 3276	4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe	106
PID 4700 wrote to memory of 3276	4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe	106
PID 4700 wrote to memory of 3276	4700	{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe	106
PID 3484 wrote to memory of 2828	3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe	107
PID 3484 wrote to memory of 2828	3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe	107
PID 3484 wrote to memory of 2828	3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe	107
PID 3484 wrote to memory of 1560	3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe	108
PID 3484 wrote to memory of 1560	3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe	108
PID 3484 wrote to memory of 1560	3484	{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe	108
PID 2828 wrote to memory of 3972	2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe	109
PID 2828 wrote to memory of 3972	2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe	109
PID 2828 wrote to memory of 3972	2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe	109
PID 2828 wrote to memory of 3952	2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe	110
PID 2828 wrote to memory of 3952	2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe	110
PID 2828 wrote to memory of 3952	2828	{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe	110
PID 3972 wrote to memory of 2620	3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe	111
PID 3972 wrote to memory of 2620	3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe	111
PID 3972 wrote to memory of 2620	3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe	111
PID 3972 wrote to memory of 1380	3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe	112
PID 3972 wrote to memory of 1380	3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe	112
PID 3972 wrote to memory of 1380	3972	{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe	112
PID 2620 wrote to memory of 1384	2620	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe	113
PID 2620 wrote to memory of 1384	2620	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe	113
PID 2620 wrote to memory of 1384	2620	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe	113
PID 2620 wrote to memory of 3108	2620	{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_116cdcc3985aaa210782c5000d1bdc68_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe
  C:\Windows\{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe
    C:\Windows\{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{993BE~1.EXE > nul
      4⤵
      PID:2608
  - - C:\Windows\{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe
      C:\Windows\{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Windows\{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe
        
        C:\Windows\{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe
        
        C:\Windows\{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe
        
        C:\Windows\{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe
        
        C:\Windows\{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe
        
        C:\Windows\{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe
        
        C:\Windows\{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe
        
        C:\Windows\{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe
        
        C:\Windows\{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}.exe
        
        C:\Windows\{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}.exe
        13⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{146EE~1.EXE > nul
        13⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA04F~1.EXE > nul
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB86B~1.EXE > nul
        11⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05C8E~1.EXE > nul
        10⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D12B~1.EXE > nul
        9⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A161D~1.EXE > nul
        8⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DA3A~1.EXE > nul
        7⤵
        
        PID:4392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB19~1.EXE > nul
        6⤵
        
        PID:4816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D507~1.EXE > nul
        5⤵
        
        PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A37E3~1.EXE > nul
    3⤵
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05C8EC6D-ED68-435d-BAD4-101C48B0948A}.exe

Filesize
344KB

MD5
6b743f02dd34d42ace5ec43540ba0188

SHA1
93f039cc4864f0d6c35049d5e9fa563ea59777c6

SHA256
966241ffacb11b0fbe61d1581e5ad3e95d134396f0508840d0c3438689b14e7e

SHA512
b60da65b58b6b6508de4485d619c1ad0c5ebc14e0dbc83f481ad3b57583ab54cb7e0cff0ca6da58096602e3b1a2a0bb77546d6bd3370e579c194524a75dfa0b1

Download Submit
C:\Windows\{0BB19A04-5046-436d-BDA0-09E0DECF7D62}.exe

Filesize
344KB

MD5
55e17dcdcdd389a6bd73fd88f5530c45

SHA1
a07225870668d940864544f8affd8b21bbc6337a

SHA256
2d6fd15ad9ee5c00eb3592487b8d0db34cd86c4d7f935dd5b7d32788db91d20b

SHA512
843c9eb71b31ff9fb92ad8ebef03c2fdd380dd8a019966bd0162a2fd994c0c72e2af921e8afe4384d9f70a664a7939257dc0cac8e6bfef61158045a72c81a773

Download Submit
C:\Windows\{146EEEC1-F311-4f5c-8596-0B0CF461EE25}.exe

Filesize
344KB

MD5
dac6b48a39530ccca622297a679a1555

SHA1
ba226fbab0cac46b71d4a724703ac725a9f36e10

SHA256
3a7ccade70ac6cb2022a335ed944f562ee2ddb97b2459aecab9f1f81a63c2d6e

SHA512
3d2610abbd36affeaec4f2ce79a2c3088f711871be1ee150f2f87590628dc98fb1aa09b4c1ae5045dd74c866ad872a00c6ed1b65ae57c4a00b460869842bdc9e

Download Submit
C:\Windows\{4D507FCD-F8BB-4213-ADD7-1062A876710C}.exe

Filesize
344KB

MD5
1898e62e80ecc77fd48c3e645c76ff25

SHA1
d1d408c28790b81a631de8547f256c9b085f6fb3

SHA256
0eb42acefd9a97463f6c27216dd11b1bc549b8a02cec33d1535ac53584881bcc

SHA512
c9b5139f38590190efdcb45576cb636b2373b7a7c8ee3c0a5367b72f3a4a93843066fff3bba5064529ebccb3411fbccac3d31a4b087d1e84220c1cf1a1e0faa6

Download Submit
C:\Windows\{5D12BA12-58B3-4587-A5B9-44CCFB70F9C2}.exe

Filesize
344KB

MD5
55d819bc7171e36befb9795e16b59abe

SHA1
d1032fbd38888055fb40636a96a0aca4b32f97c1

SHA256
c8b7e6b9af609d196716853b3f31555ef43633552b6e5517250f745ff41e9579

SHA512
a2aea50d03c87e5a6c5cc8df827b67b852f17bade40177e1b4c5899d466c9203727a54109b21d7efd99eaf35efd242554edfb46e627a763c2630ef94e53dfb5a

Download Submit
C:\Windows\{742BDDA0-DCA9-4039-B9B6-84E7CE91AFE4}.exe

Filesize
344KB

MD5
62accd58f94347e907f97884721f324c

SHA1
70741d349e224cd737be9dc9fe7f5d40db375019

SHA256
d3fe21763877339c505979c058852412b83acfd942f9598fbb3ded7b27e76874

SHA512
21b4edceb77f8396849924e3ec9be4dbd632e55baddb4b2252a35929bd6b9f66e7c4db3681a5dfe8b342233ecad7c30fd1f2112bdd0a867b8984040cbd95ca58

Download Submit
C:\Windows\{993BE1B4-3DCF-4209-BD47-9E27C520AF02}.exe

Filesize
344KB

MD5
c486c0f084c5801d4ba0884465d25662

SHA1
80aa2797d497ca02aa3d2c157c41aac6dedcc3fb

SHA256
372c4d8f06cb17769da85a23f2d077121aa181a39268733f3903f993a4377d54

SHA512
03038633ad0f62022a65267f1e09b84890a935b3072fa3aaa25b82d45e30069f2cdbbca180e44d49c6bbb4e2836787e197a36f699d637b98c30a8504faf6700d

Download Submit
C:\Windows\{9DA3A56B-8D89-479d-91C1-2166E7E2C292}.exe

Filesize
344KB

MD5
9c90558ed743e649c530b2f8c2674425

SHA1
638680380d89e58b6fdf14bf1ceff5b8f1cd37a3

SHA256
e5e9e58e083b99468663768bad39f10a43d15aca75fc98239406735f912fe4f3

SHA512
f113e0de065811370ddbde378b727665eb7e0e7599d5ec12fc1d7fe547ed5da3f8d4849966ec95a763c29aa939da6e015fa7881828ce0e3a364106a74bdd6377

Download Submit
C:\Windows\{A161DFA2-5366-4f23-84DE-F430A9C126BB}.exe

Filesize
344KB

MD5
171e1d80709307cf59482f10088cd1b0

SHA1
298256d80a7be516fb1b2d37118bdf4295e56def

SHA256
f2ef299c08b56b7d88e63d174aea160e325261a26266b2597b9c207325288a59

SHA512
42446a47864ce593bf2fdf3e76cb70e2165da43e59000ca9ca450ef7ba6c3a7504b142f0088926377a3a33248e7b9fbfbbb16f78fb0d3a92e0552fe597fb4d0f

Download Submit
C:\Windows\{A37E3569-3F98-4673-9CEF-6D52780F3E70}.exe

Filesize
344KB

MD5
deaf91c5a53277f54140332a6c7c9e49

SHA1
026cbbd2208509b1a204085acd92350369ea7d48

SHA256
7deba1f200ed1f0c989a41789a95e642209a9d08a33a4ec93d2fbe689ae62a0c

SHA512
142da5bf8096f8caf5bdf43e8a0a7c0990230f670fcec15a97eb033fbbaa3eb7c1390997e74f5906896a81a3a5cf0703145b9976c2b4b1e35e25b674c0855a64

Download Submit
C:\Windows\{BB86B86C-DF22-418a-8485-4F1451BD9388}.exe

Filesize
344KB

MD5
74661c926db61d206227575459a5a4a1

SHA1
869732721ed332f9abd4563453c8a978db641aee

SHA256
378a93d0d6f57c12dd30f6501353cc43635c3b801a57c2d369755b9a45cca59b

SHA512
5a4a35957f5f5ec9c655a8d0c741d46bff8fa54d7ed658d3c0cbc941fd7cdea1f438df827b3ccfd1826f373773cbb3aa717c3265312f4e22ccb12fc44e802b1a

Download Submit
C:\Windows\{EA04FFC2-F9FA-4786-9C9D-A291366980E3}.exe

Filesize
344KB

MD5
9f56e0db37a6e68ed2d1860760fb7bcb

SHA1
2f9a2322900f51a93d891ed76f1107b7da062a78

SHA256
b538b98fd930bbb518143dd34d93e5f69b06bab5967462c526885a950d9905e7

SHA512
fdb44ce0a092ed9c8ccec539d4ef22e6268a7a0836d9130c4be57c93e5e1c3a4499b57bdd0b5e1db69cb597752551842ce0ffd0cea70526635da4609e6e35290

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads