53346b3dfbf4139dd9b91a9612ec97c507956f7a179611743341fd038a2e8a16

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 05:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe
Size

180KB
MD5

690a67fc2df940c9c5ee07f6d93f127f
SHA1

3863a4daaa24b797fd8567080c80a2177f48fced
SHA256

53346b3dfbf4139dd9b91a9612ec97c507956f7a179611743341fd038a2e8a16
SHA512

74229fab8c8628ad4e64d2771a6d8f7498d1321e037be5877e30537cdcdb3cc9e2d9c3232bafc5100fa0277e0644742bf3638a91f59d97d77e6fc071dfa780ff
SSDEEP

3072:jEGh0oclfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0010000000023220-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023215-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023215-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{095A6EBF-B96F-4853-AC36-5CF617488852}\stubpath = "C:\\Windows\\{095A6EBF-B96F-4853-AC36-5CF617488852}.exe"	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E2CC931-6E02-4481-9318-F8D1B3CEF775}	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59A4DB67-5674-4a89-A0A1-0424D0C5245A}	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}\stubpath = "C:\\Windows\\{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe"	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}\stubpath = "C:\\Windows\\{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe"	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59A4DB67-5674-4a89-A0A1-0424D0C5245A}\stubpath = "C:\\Windows\\{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe"	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}\stubpath = "C:\\Windows\\{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe"	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2F20DD-F573-4818-A668-C24F086B4E48}\stubpath = "C:\\Windows\\{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe"	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7A103AC-AF94-4375-A249-34A01ED79E9A}	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40F57E8-C791-4c49-9C00-67966C62979A}	{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2F20DD-F573-4818-A668-C24F086B4E48}	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}\stubpath = "C:\\Windows\\{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe"	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{095A6EBF-B96F-4853-AC36-5CF617488852}	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E2CC931-6E02-4481-9318-F8D1B3CEF775}\stubpath = "C:\\Windows\\{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe"	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}\stubpath = "C:\\Windows\\{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe"	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}\stubpath = "C:\\Windows\\{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe"	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7A103AC-AF94-4375-A249-34A01ED79E9A}\stubpath = "C:\\Windows\\{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe"	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40F57E8-C791-4c49-9C00-67966C62979A}\stubpath = "C:\\Windows\\{A40F57E8-C791-4c49-9C00-67966C62979A}.exe"	{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe
4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe
4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe
4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe
400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe
316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe
4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe
748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe
4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe
64	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe
3832	{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe
4252	{A40F57E8-C791-4c49-9C00-67966C62979A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe
File created	C:\Windows\{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe
File created	C:\Windows\{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe
File created	C:\Windows\{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe
File created	C:\Windows\{095A6EBF-B96F-4853-AC36-5CF617488852}.exe	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe
File created	C:\Windows\{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe
File created	C:\Windows\{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe
File created	C:\Windows\{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe
File created	C:\Windows\{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe
File created	C:\Windows\{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe
File created	C:\Windows\{A40F57E8-C791-4c49-9C00-67966C62979A}.exe	{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe
File created	C:\Windows\{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1540	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe
Token: SeIncBasePriorityPrivilege	4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe
Token: SeIncBasePriorityPrivilege	4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe
Token: SeIncBasePriorityPrivilege	4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe
Token: SeIncBasePriorityPrivilege	400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe
Token: SeIncBasePriorityPrivilege	316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe
Token: SeIncBasePriorityPrivilege	4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe
Token: SeIncBasePriorityPrivilege	748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe
Token: SeIncBasePriorityPrivilege	4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe
Token: SeIncBasePriorityPrivilege	64	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe
Token: SeIncBasePriorityPrivilege	3832	{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1960	1540	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe	90
PID 1540 wrote to memory of 1960	1540	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe	90
PID 1540 wrote to memory of 1960	1540	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe	90
PID 1540 wrote to memory of 336	1540	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe	91
PID 1540 wrote to memory of 336	1540	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe	91
PID 1540 wrote to memory of 336	1540	2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe	91
PID 1960 wrote to memory of 4688	1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe	92
PID 1960 wrote to memory of 4688	1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe	92
PID 1960 wrote to memory of 4688	1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe	92
PID 1960 wrote to memory of 4996	1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe	93
PID 1960 wrote to memory of 4996	1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe	93
PID 1960 wrote to memory of 4996	1960	{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe	93
PID 4688 wrote to memory of 4700	4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe	96
PID 4688 wrote to memory of 4700	4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe	96
PID 4688 wrote to memory of 4700	4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe	96
PID 4688 wrote to memory of 3928	4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe	95
PID 4688 wrote to memory of 3928	4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe	95
PID 4688 wrote to memory of 3928	4688	{095A6EBF-B96F-4853-AC36-5CF617488852}.exe	95
PID 4700 wrote to memory of 4484	4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe	97
PID 4700 wrote to memory of 4484	4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe	97
PID 4700 wrote to memory of 4484	4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe	97
PID 4700 wrote to memory of 2024	4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe	98
PID 4700 wrote to memory of 2024	4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe	98
PID 4700 wrote to memory of 2024	4700	{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe	98
PID 4484 wrote to memory of 400	4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe	99
PID 4484 wrote to memory of 400	4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe	99
PID 4484 wrote to memory of 400	4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe	99
PID 4484 wrote to memory of 4960	4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe	100
PID 4484 wrote to memory of 4960	4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe	100
PID 4484 wrote to memory of 4960	4484	{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe	100
PID 400 wrote to memory of 316	400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe	102
PID 400 wrote to memory of 316	400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe	102
PID 400 wrote to memory of 316	400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe	102
PID 400 wrote to memory of 4952	400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe	101
PID 400 wrote to memory of 4952	400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe	101
PID 400 wrote to memory of 4952	400	{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe	101
PID 316 wrote to memory of 4788	316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe	103
PID 316 wrote to memory of 4788	316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe	103
PID 316 wrote to memory of 4788	316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe	103
PID 316 wrote to memory of 4732	316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe	104
PID 316 wrote to memory of 4732	316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe	104
PID 316 wrote to memory of 4732	316	{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe	104
PID 4788 wrote to memory of 748	4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe	105
PID 4788 wrote to memory of 748	4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe	105
PID 4788 wrote to memory of 748	4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe	105
PID 4788 wrote to memory of 2512	4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe	106
PID 4788 wrote to memory of 2512	4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe	106
PID 4788 wrote to memory of 2512	4788	{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe	106
PID 748 wrote to memory of 4584	748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe	107
PID 748 wrote to memory of 4584	748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe	107
PID 748 wrote to memory of 4584	748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe	107
PID 748 wrote to memory of 3268	748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe	108
PID 748 wrote to memory of 3268	748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe	108
PID 748 wrote to memory of 3268	748	{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe	108
PID 4584 wrote to memory of 64	4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe	110
PID 4584 wrote to memory of 64	4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe	110
PID 4584 wrote to memory of 64	4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe	110
PID 4584 wrote to memory of 776	4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe	109
PID 4584 wrote to memory of 776	4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe	109
PID 4584 wrote to memory of 776	4584	{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe	109
PID 64 wrote to memory of 3832	64	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe	111
PID 64 wrote to memory of 3832	64	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe	111
PID 64 wrote to memory of 3832	64	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe	111
PID 64 wrote to memory of 2968	64	{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_690a67fc2df940c9c5ee07f6d93f127f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe
  C:\Windows\{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\{095A6EBF-B96F-4853-AC36-5CF617488852}.exe
    C:\Windows\{095A6EBF-B96F-4853-AC36-5CF617488852}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{095A6~1.EXE > nul
      4⤵
      PID:3928
  - - C:\Windows\{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe
      C:\Windows\{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe
        
        C:\Windows\{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe
        
        C:\Windows\{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57E29~1.EXE > nul
        7⤵
        
        PID:4952
        
        C:\Windows\{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe
        
        C:\Windows\{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe
        
        C:\Windows\{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe
        
        C:\Windows\{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe
        
        C:\Windows\{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6755F~1.EXE > nul
        11⤵
        
        PID:776
        
        C:\Windows\{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe
        
        C:\Windows\{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe
        
        C:\Windows\{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\{A40F57E8-C791-4c49-9C00-67966C62979A}.exe
        
        C:\Windows\{A40F57E8-C791-4c49-9C00-67966C62979A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7A10~1.EXE > nul
        13⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32686~1.EXE > nul
        12⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD4C0~1.EXE > nul
        10⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC4D5~1.EXE > nul
        9⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2F2~1.EXE > nul
        8⤵
        
        PID:4732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59A4D~1.EXE > nul
        6⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E2CC~1.EXE > nul
        5⤵
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{740BC~1.EXE > nul
    3⤵
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{095A6EBF-B96F-4853-AC36-5CF617488852}.exe

Filesize
180KB

MD5
87a8bbff164702cb1d9ae1f5f1b93a2b

SHA1
86156390f6097d077ed3d1be0cfec56854345a6c

SHA256
8d908ec9e216364b421493ce0a5c479549220affa336b5394ca681a805d71a59

SHA512
f582df79affae80cd21e84f648e6f8c6196516ba9b32d2e14e27d258b84af4df9b23394680e56540343b37f362d1496ba38872778d1e2e59f14c45d5d044ec61

Download Submit
C:\Windows\{1E2CC931-6E02-4481-9318-F8D1B3CEF775}.exe

Filesize
180KB

MD5
87fc638e9b4ec9ffae89246eb8119544

SHA1
a59050f7309250489622e70e4e539d5474041caa

SHA256
180546b6b05fb40bda1e515af3371031f0bfe4633570cc36e61f9f045e2f3da5

SHA512
4d8d88af5900415275833affd54c1f0b5b28d6cde85e58112a4211cf4bc57934fd7203fbedacd962726333d92449aed2d3760c6c3a634e3bcc8188a0a78aef80

Download Submit
C:\Windows\{32686D78-CD8E-46b1-BAF5-A81BB643F6EE}.exe

Filesize
180KB

MD5
7c92f21fa451637345e0637719246caa

SHA1
4980fd4dce463a0cdec11d540155105178928981

SHA256
fcb91c7c2ba8d87fdea8b81f263c75e0a6f60be5522f5ce16dc45400a13a1efe

SHA512
02aa3ca9145103d5d25ab0540cf251ce032d8ee8b1d9b19c888c948622ea3ca963b113bfd8b46e310718d1a22efc53490fbd9020aad917528f99db04ad53481f

Download Submit
C:\Windows\{57E29F86-1BE7-4bd6-A796-D02666D8F6EC}.exe

Filesize
180KB

MD5
7dde7eb51a833615adb1aeb63a5ebd04

SHA1
e11e963d2638185e6784a640f1d31687385068bf

SHA256
eaac999312aedf281b4d86a9607b55b72c7ac986f8edb94361f34c0b5bcf2b0d

SHA512
5ea875ef1efb8d18deefb42f7aa3cc6ddcca3b76c1c5f3fdbf412ec16c2100c8169c1e2db8386a8786944ac24e8f47776e99707223d4314f4f2dd3627c93dd72

Download Submit
C:\Windows\{59A4DB67-5674-4a89-A0A1-0424D0C5245A}.exe

Filesize
180KB

MD5
f00f6e90dc71c96046dbff666eb570f0

SHA1
ebfbecdf1a072390738722583781a6b47441d779

SHA256
d0ed84b656fbfd692d15dfb5d1933b8ed22d09cf0f17da59d94e85ec4761c145

SHA512
469f626d6cb4684d4e33ae34756d9ce62eac903b17843b2fba114e567b72579304eab0d8ff5f62f92f4ce0bf101f92f674f622210cc6c05d33777846da777258

Download Submit
C:\Windows\{6755F037-8FF1-46aa-AB6B-F1EBE517A51D}.exe

Filesize
180KB

MD5
ca52f8b8280668710cab280f3bd8f2cf

SHA1
c059d3cd6aaf2b3b348a057ca058f70755bf9201

SHA256
df284bd6ade4c4b718fe51be4ba36110c0b06cf4bc9d9a34aaa60cc63f529e8f

SHA512
6d468561a4a5061f23a0451f7ac4cd3d817eb15bb87b16f54bb6ca7d9fe40303957b9e0d4b39c1f249e6a95e777793fef162b8a605d47181e1921a4c70e66048

Download Submit
C:\Windows\{740BC33D-AC9A-4d9d-ADC1-6DEC54CEE208}.exe

Filesize
180KB

MD5
5eea8df7b4b58888e0628941c3b6e974

SHA1
39edd0f69cbbacf3ebe41e07af9f7a667849e101

SHA256
c943bc9b2838d6092dcbaf4d9025751cd5784593c1bd9a35e693428118f257d5

SHA512
f9310e232558dac5ed19475a8349165b4b88ce49a69b35958ab903cd7abd2f76b0b731b096911ddf030a2796b67c5fffd479d350219517d4bf4220ac866f3ab9

Download Submit
C:\Windows\{8F2F20DD-F573-4818-A668-C24F086B4E48}.exe

Filesize
180KB

MD5
852cd6a6bd3522f7aac2d5e3737ccae0

SHA1
aef3c3604f3287b6bdcc2aa453b2538da337045f

SHA256
bcfa235f61fcff61bd785e8413b2f103318d5c206d6a29ecd15e86c571fa0c8e

SHA512
49212209873922b0a81a4d88ae6a1379e3dbd9f3edb840e124a0d8c520349eb8622ccb8a0bea5bbfd923e99701de354458ccb1dc00960fe48ddb0e544fe23345

Download Submit
C:\Windows\{A40F57E8-C791-4c49-9C00-67966C62979A}.exe

Filesize
180KB

MD5
d80c02cb573c7e9e373276fa03967f00

SHA1
5363c47065dda05122d68c20ebecf672a8cabf58

SHA256
a21175b66c74f737d6bb97b24655a2bef65b5f7afd4626e58a9688ec3e16715a

SHA512
fe4d2dcd8a798061d1a38d46c7045016a8ed838f28aff6811eaf79d27a11210de510cdef28f2baf33ec72da1308766e5f43864bff3eeda9b62c10b93c00f1757

Download Submit
C:\Windows\{AC4D5DB0-5C07-4ef9-8C72-EE7285E95EE5}.exe

Filesize
180KB

MD5
03c559f3d30cef4145df9f3ae1d6eeda

SHA1
bb74d1119b2d98533238ae57f8245545cdde5796

SHA256
7b795851c679ca3d97e8dd4091866c1cf19f73b1e20f32fce2214737c9dfd0be

SHA512
829d9dd693f630f76da7c974997c63652b4f1bb677f6a4ab321a837e71e56005eafdfb23ab7491ef4aee252518f52ba42bb305e17b7d34c113f3cc951625bae0

Download Submit
C:\Windows\{CD4C0CB3-504B-4eb3-B66C-9F713D95B571}.exe

Filesize
180KB

MD5
0b654aa00283b01ce322926c53ad95e3

SHA1
02e48a2e2450701297583920b5bcb757d9935de7

SHA256
0869d5eb4f8f11f00d605ccd14e22057476f60737e2e537adf0ab343b92c4756

SHA512
a5c15535ac9eeeeef4686c328f082498954fdcb3d3ab72ba9435d9b798a4a3df9a10554cc9ae0861ae2ef964f632d5e5ec16f9967b3490bdb014d7aa4864f2b6

Download Submit
C:\Windows\{E7A103AC-AF94-4375-A249-34A01ED79E9A}.exe

Filesize
180KB

MD5
bc82df7cc8d0147a39e2b147ae770e49

SHA1
379bacca9e49c8af3953acf8ebf6a1ef4fedf07d

SHA256
1a385065d437889f4a48bed5a4dc5bd3cf8e86ab121e2224d0ac51551f1c58e9

SHA512
a3a6894815c814d4644e7d0e212a6e1d08b13506ab91f7e06ebb50335c7aacb765e2454a386a03cb6cc3189a61eee3373120688c6454cac37dfc7420ac70b3e4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads