69b8593f1239f8450e433391b19415e5097922293a4e89bfff29e32a647338a9

Analysis

max time kernel
149s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Size

197KB
MD5

22d143f4e3a1228a8c9b83cc3e27e085
SHA1

b3488ae67d7c54edb64443d51516cc15df10cdc3
SHA256

69b8593f1239f8450e433391b19415e5097922293a4e89bfff29e32a647338a9
SHA512

43bd4c30e7d03ce0cfe99606bcf82abee315907d4b3c2461a0f05e75d4d9625c68365818fdf22eb8f3cb122ff86118acdffb0c93e740896c3c21ab46a92471aa
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x001000000002323f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002323f-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023234-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023246-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023234-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{120D2460-401C-41b0-BFAF-B147A2FCF588}\stubpath = "C:\\Windows\\{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe"	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}\stubpath = "C:\\Windows\\{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe"	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144E233C-D937-4fe6-B960-2AEA83E25C72}	{A54F441B-4827-406b-B09D-D2320A347D37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144E233C-D937-4fe6-B960-2AEA83E25C72}\stubpath = "C:\\Windows\\{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe"	{A54F441B-4827-406b-B09D-D2320A347D37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F624C74-DC79-4586-94E2-1624D143CCB1}\stubpath = "C:\\Windows\\{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe"	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{736CC8E2-1D9E-471c-908D-FC7130D42048}	{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95187887-F740-490a-9328-F7DDF5453151}	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}\stubpath = "C:\\Windows\\{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe"	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8869CB27-9577-44e3-894A-61A7EAD01D64}	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8869CB27-9577-44e3-894A-61A7EAD01D64}\stubpath = "C:\\Windows\\{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe"	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}\stubpath = "C:\\Windows\\{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe"	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95187887-F740-490a-9328-F7DDF5453151}\stubpath = "C:\\Windows\\{95187887-F740-490a-9328-F7DDF5453151}.exe"	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F624C74-DC79-4586-94E2-1624D143CCB1}	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A54F441B-4827-406b-B09D-D2320A347D37}\stubpath = "C:\\Windows\\{A54F441B-4827-406b-B09D-D2320A347D37}.exe"	{95187887-F740-490a-9328-F7DDF5453151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{120D2460-401C-41b0-BFAF-B147A2FCF588}	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{736CC8E2-1D9E-471c-908D-FC7130D42048}\stubpath = "C:\\Windows\\{736CC8E2-1D9E-471c-908D-FC7130D42048}.exe"	{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}\stubpath = "C:\\Windows\\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe"	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}\stubpath = "C:\\Windows\\{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe"	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A54F441B-4827-406b-B09D-D2320A347D37}	{95187887-F740-490a-9328-F7DDF5453151}.exe

Executes dropped EXE 12 IoCs

pid	Process
3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe
2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe
2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe
3756	{95187887-F740-490a-9328-F7DDF5453151}.exe
3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe
3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe
1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe
2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe
1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe
1576	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe
1988	{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe
4980	{736CC8E2-1D9E-471c-908D-FC7130D42048}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe
File created	C:\Windows\{95187887-F740-490a-9328-F7DDF5453151}.exe	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe
File created	C:\Windows\{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe
File created	C:\Windows\{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe
File created	C:\Windows\{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe
File created	C:\Windows\{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe
File created	C:\Windows\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
File created	C:\Windows\{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe
File created	C:\Windows\{736CC8E2-1D9E-471c-908D-FC7130D42048}.exe	{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe
File created	C:\Windows\{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe
File created	C:\Windows\{A54F441B-4827-406b-B09D-D2320A347D37}.exe	{95187887-F740-490a-9328-F7DDF5453151}.exe
File created	C:\Windows\{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe	{A54F441B-4827-406b-B09D-D2320A347D37}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3916	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe
Token: SeIncBasePriorityPrivilege	2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe
Token: SeIncBasePriorityPrivilege	2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe
Token: SeIncBasePriorityPrivilege	3756	{95187887-F740-490a-9328-F7DDF5453151}.exe
Token: SeIncBasePriorityPrivilege	3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe
Token: SeIncBasePriorityPrivilege	3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe
Token: SeIncBasePriorityPrivilege	1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe
Token: SeIncBasePriorityPrivilege	2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe
Token: SeIncBasePriorityPrivilege	1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe
Token: SeIncBasePriorityPrivilege	1576	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe
Token: SeIncBasePriorityPrivilege	1988	{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3160	3916	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	90
PID 3916 wrote to memory of 3160	3916	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	90
PID 3916 wrote to memory of 3160	3916	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	90
PID 3916 wrote to memory of 2752	3916	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	91
PID 3916 wrote to memory of 2752	3916	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	91
PID 3916 wrote to memory of 2752	3916	2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe	91
PID 3160 wrote to memory of 2320	3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe	92
PID 3160 wrote to memory of 2320	3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe	92
PID 3160 wrote to memory of 2320	3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe	92
PID 3160 wrote to memory of 3824	3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe	93
PID 3160 wrote to memory of 3824	3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe	93
PID 3160 wrote to memory of 3824	3160	{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe	93
PID 2320 wrote to memory of 2488	2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe	96
PID 2320 wrote to memory of 2488	2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe	96
PID 2320 wrote to memory of 2488	2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe	96
PID 2320 wrote to memory of 4140	2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe	95
PID 2320 wrote to memory of 4140	2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe	95
PID 2320 wrote to memory of 4140	2320	{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe	95
PID 2488 wrote to memory of 3756	2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe	97
PID 2488 wrote to memory of 3756	2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe	97
PID 2488 wrote to memory of 3756	2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe	97
PID 2488 wrote to memory of 2188	2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe	98
PID 2488 wrote to memory of 2188	2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe	98
PID 2488 wrote to memory of 2188	2488	{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe	98
PID 3756 wrote to memory of 3236	3756	{95187887-F740-490a-9328-F7DDF5453151}.exe	99
PID 3756 wrote to memory of 3236	3756	{95187887-F740-490a-9328-F7DDF5453151}.exe	99
PID 3756 wrote to memory of 3236	3756	{95187887-F740-490a-9328-F7DDF5453151}.exe	99
PID 3756 wrote to memory of 2004	3756	{95187887-F740-490a-9328-F7DDF5453151}.exe	100
PID 3756 wrote to memory of 2004	3756	{95187887-F740-490a-9328-F7DDF5453151}.exe	100
PID 3756 wrote to memory of 2004	3756	{95187887-F740-490a-9328-F7DDF5453151}.exe	100
PID 3236 wrote to memory of 3156	3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe	102
PID 3236 wrote to memory of 3156	3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe	102
PID 3236 wrote to memory of 3156	3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe	102
PID 3236 wrote to memory of 4392	3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe	101
PID 3236 wrote to memory of 4392	3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe	101
PID 3236 wrote to memory of 4392	3236	{A54F441B-4827-406b-B09D-D2320A347D37}.exe	101
PID 3156 wrote to memory of 1020	3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe	103
PID 3156 wrote to memory of 1020	3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe	103
PID 3156 wrote to memory of 1020	3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe	103
PID 3156 wrote to memory of 1172	3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe	104
PID 3156 wrote to memory of 1172	3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe	104
PID 3156 wrote to memory of 1172	3156	{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe	104
PID 1020 wrote to memory of 2280	1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe	105
PID 1020 wrote to memory of 2280	1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe	105
PID 1020 wrote to memory of 2280	1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe	105
PID 1020 wrote to memory of 1772	1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe	106
PID 1020 wrote to memory of 1772	1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe	106
PID 1020 wrote to memory of 1772	1020	{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe	106
PID 2280 wrote to memory of 1408	2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe	107
PID 2280 wrote to memory of 1408	2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe	107
PID 2280 wrote to memory of 1408	2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe	107
PID 2280 wrote to memory of 2508	2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe	108
PID 2280 wrote to memory of 2508	2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe	108
PID 2280 wrote to memory of 2508	2280	{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe	108
PID 1408 wrote to memory of 1576	1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe	109
PID 1408 wrote to memory of 1576	1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe	109
PID 1408 wrote to memory of 1576	1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe	109
PID 1408 wrote to memory of 2624	1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe	110
PID 1408 wrote to memory of 2624	1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe	110
PID 1408 wrote to memory of 2624	1408	{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe	110
PID 1576 wrote to memory of 1988	1576	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe	111
PID 1576 wrote to memory of 1988	1576	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe	111
PID 1576 wrote to memory of 1988	1576	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe	111
PID 1576 wrote to memory of 4564	1576	{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_22d143f4e3a1228a8c9b83cc3e27e085_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe
  C:\Windows\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe
    C:\Windows\{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BFF5E~1.EXE > nul
      4⤵
      PID:4140
  - - C:\Windows\{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe
      C:\Windows\{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{95187887-F740-490a-9328-F7DDF5453151}.exe
        
        C:\Windows\{95187887-F740-490a-9328-F7DDF5453151}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\{A54F441B-4827-406b-B09D-D2320A347D37}.exe
        
        C:\Windows\{A54F441B-4827-406b-B09D-D2320A347D37}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A54F4~1.EXE > nul
        7⤵
        
        PID:4392
        
        C:\Windows\{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe
        
        C:\Windows\{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe
        
        C:\Windows\{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe
        
        C:\Windows\{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe
        
        C:\Windows\{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe
        
        C:\Windows\{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe
        
        C:\Windows\{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\{736CC8E2-1D9E-471c-908D-FC7130D42048}.exe
        
        C:\Windows\{736CC8E2-1D9E-471c-908D-FC7130D42048}.exe
        13⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A433B~1.EXE > nul
        13⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{120D2~1.EXE > nul
        12⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F624~1.EXE > nul
        11⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8869C~1.EXE > nul
        10⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9CCD~1.EXE > nul
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{144E2~1.EXE > nul
        8⤵
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95187~1.EXE > nul
        6⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4AFE~1.EXE > nul
        5⤵
        
        PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3ED18~1.EXE > nul
    3⤵
    PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{120D2460-401C-41b0-BFAF-B147A2FCF588}.exe

Filesize
197KB

MD5
433af0b74db9e2542533ed4d619ee578

SHA1
cd1f5e61d27faee3a721f5ab0a991fbf07e59557

SHA256
0825c0ed3c4a348d774987c44edcc27a723b1a4e2222f90c597426b565808a27

SHA512
1790f712b909efce53ee328f9511ac4329f11e47ab792ec799aa9b96725c1a71e0349434d7c872034773574e4863fd8ceba9efabe3b220bab04f7512d8644d8e

Download Submit
C:\Windows\{144E233C-D937-4fe6-B960-2AEA83E25C72}.exe

Filesize
197KB

MD5
b24f8bd69c3e17d1aec496b425f9b5c6

SHA1
3f8e13c4e5a98c303e83529ef38e25a2c16f87bf

SHA256
4d3f9dbca0178733a2fee449bd4d003121fb15c3e5482cc2759f1f6a450318f3

SHA512
1e266d2304849ab1b454dc86b2ae368f725f25b013e63c233dcab42e9d1ed725107888b0d386ab4071e62bd72dd81db343e6ebe00ac21dac90d125ca077099d9

Download Submit
C:\Windows\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe

Filesize
197KB

MD5
38493e4548d4b766004017b3d726b762

SHA1
c5d05db24e5181332f23efbab026ad844869f75e

SHA256
bb83df5ca11ef58396fa0fbb02319cfccdcb69ed47668d5d78c74e03d97620fd

SHA512
f1c7dd640ed43f5314a92b1f6b26d5b7c793a6e6adb3e0ea4fa60335747533b28e0eb0b3006078361239f9f013f9bfb1336d9b2cfad619a54861b52ec3108944

Download Submit
C:\Windows\{3ED18F92-E040-4e59-99AA-EFE52F1E3A57}.exe

Filesize
166KB

MD5
f72b352a93cf1a9deb18dd046b0b35c5

SHA1
a4c8f7f87ed15787eb0695259872d080ffa3be86

SHA256
3bb9980e81f5207c41e8c161a1a9e6ce41f2ccbdbf469850afb0b087204aa383

SHA512
2b730312ea665d27975a9ec1251022dbb1a03947a6c1a937e8f0b57383cf185d6fa0c7f02fd27e49660122407bde0a1931ae48540d36cf48673cf21c1cf4dbcf

Download Submit
C:\Windows\{4F624C74-DC79-4586-94E2-1624D143CCB1}.exe

Filesize
197KB

MD5
5a65aa5acd33c6d4c136459cb797ba6f

SHA1
24a4a4c7d189b960cfb47ff2b515ed734429e4c2

SHA256
2c30feb7751d1a366dc7b55c5c774c87bfd0f781d962f0d295b5a0565b87fb6a

SHA512
eb7264cf56908406023a06bc8d3990f4a1e95548fc027cc08df531e2eb8afe6c4a1a93085a479c2e99c5de14a9b60b229acaaa9dfd3ebeaf0a613d0bcdb03415

Download Submit
C:\Windows\{736CC8E2-1D9E-471c-908D-FC7130D42048}.exe

Filesize
197KB

MD5
5fba0b8c19d68a3a7bd84c278d7d81f9

SHA1
06afa23e33c15887d1574f6db341da500bbb0ae8

SHA256
8b0353da68e4d00511c14e617538ca0407ad9f93fc3fedfe01fa730b4ef54787

SHA512
0f5ca90e745ba43470345852f0644b636764fe900a9ae530310678150dade9eb4cfadaaf8af0277c936a55e3dafcba3a076ce49e7b887e3fff4ba5d800c00407

Download Submit
C:\Windows\{8869CB27-9577-44e3-894A-61A7EAD01D64}.exe

Filesize
197KB

MD5
c5e5e5f31feea67d5141ede4485c4094

SHA1
7452226fe9ea1396b4f20a022a663eacc1025c51

SHA256
a87e189128acd44a42b54cd9f3eb24f62126765abb62ef1d8ba0bf6aa7a75d43

SHA512
3bfc4510dc7320e6d53d65ebd7a46ea4e61b4ac11fe55e8ec5de2b79651dab63326957f06db13c305aeacf0780205a9a5fb48d01b6f3a48155f12995469cc01f

Download Submit
C:\Windows\{95187887-F740-490a-9328-F7DDF5453151}.exe

Filesize
197KB

MD5
97dee705b0aba5a38bca96c5630659fb

SHA1
a583cca63880860493874b5d14df353c219bddca

SHA256
33f42598d74c77a929e57fafad55e63bb75bc6d3fb25cd4795d1f11b8a7c857a

SHA512
a6b23e76f75f49ac3b3779eec7c7a7bcf37b6de7d25e38319b79636d0b7febe7c4150fa39d5a466fd87edc082639f1c6c3054a50614a01a69d87e5a343366d19

Download Submit
C:\Windows\{A433BCF8-601C-440c-B6C1-F2BED0FF3E25}.exe

Filesize
197KB

MD5
910dbaee08ba01565a7a26a1ff45ccdd

SHA1
577f89a6a74825bb4cb21bbfd8bb2f4be91ac019

SHA256
d8d691182a73b450cdcfeb9cff9f4ba2abcf8c51b72ac81e304055977897c580

SHA512
007bafd60760b0b0e1e12417b584f98d9eb84ae58e253d4ff342683a6b45328d65727c7b21118650bd2958bd0a87d7079a01c484d49f8ac908b31e0bb00e05db

Download Submit
C:\Windows\{A54F441B-4827-406b-B09D-D2320A347D37}.exe

Filesize
197KB

MD5
03caf45bd6eacb5f750d5350d39f2917

SHA1
83e5e027a37658350a0eac6435330b18fe1575c3

SHA256
d55098e16623b366816b387601b656d841215fe0cb87797d7eb99efaecadf3e2

SHA512
8098fbe854d4385c7e27ff95c44ecf4f766fc945b5a05f1eff7bcc6e126fe94aee047e82be72399dbb14e435208400cc144dd245d5c6b14753ea90a7c5a2f891

Download Submit
C:\Windows\{BFF5E9F3-0EE2-43f1-9B0B-4A630E29684E}.exe

Filesize
197KB

MD5
a926d4761939e19988b15120e1b86ebc

SHA1
9ad8b855bb12e61e405019a1e4596428bd134c6b

SHA256
2f8904ef8f8272a628a10aa19c9a4b3eb2a865185e52f6f4c370e3647f37ad6f

SHA512
74785b57136dded9f5a1b5ddff522b9a6e57962da4e50fce1430c974aef320b1186de684f032b48ab78600704954e58f08a30d52b9b13f5e8d4b98a97d54b162

Download Submit
C:\Windows\{D9CCD91B-95EE-42a2-BACB-79F4B6131D76}.exe

Filesize
197KB

MD5
03f50f4457a6436413a6912bd93bbfb7

SHA1
3014b12ae636a2ef3cc47f870235d7c11c4c921e

SHA256
1a36752a86d4a39441ca002361391ee77bf797f1b44fa8c178ac46f569321d9a

SHA512
1a0aaddb161241bc9d7f3bbd9059882ccc8c938cd9a135da853c2c163e20984fe9457f28d1bf56e743729943709b3b1f6e284eb41f443e0ff57fde8313f656ff

Download Submit
C:\Windows\{F4AFEE09-C361-48a1-8F5A-A824DDF10F8B}.exe

Filesize
197KB

MD5
69f51d8bcc987777686d951148fca4cc

SHA1
5fa274f66d3da88a7d95557768e639ff259ad0b9

SHA256
97bd5c82f7e83dbd3841b9b794859ee1fafe6b8139aca400f4e3681cc4302cc1

SHA512
f894f7c17dc891ea0a8b54c09f76d3e2024abedf176b1018ae989fd64eedfb8d17479f7e29f1927624f9be68f5ee040e724f54dd06198d81b46230c395f77085

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads