e2554e12fab39f62c699419a6243e70a4181d8fc932542258886cdf8b4627a1f

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 01:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Size

372KB
MD5

e02cc5b504d42790ffc3c0638f307d95
SHA1

e4b3434e3d8004880cfbe10c596cb399d20e3604
SHA256

e2554e12fab39f62c699419a6243e70a4181d8fc932542258886cdf8b4627a1f
SHA512

ec6157ec42971744c8057d6780f5c168e97ab81121e9c8fd39896654250d94810328a629ef663a0a4b1002ce3d2233292bfd09c15911eb1aca180639f7e10e5a
SSDEEP

3072:CEGh0oMlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG+lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002326a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002326b-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023272-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023054-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBA87F74-A444-4eb7-B75A-37752D32D78D}	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFAFFD8E-F556-44d7-A59A-351123F62308}	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFAFFD8E-F556-44d7-A59A-351123F62308}\stubpath = "C:\\Windows\\{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe"	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC379010-E434-4d26-9556-788C2F7D2A55}	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC379010-E434-4d26-9556-788C2F7D2A55}\stubpath = "C:\\Windows\\{BC379010-E434-4d26-9556-788C2F7D2A55}.exe"	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74173210-AD91-4500-AD29-2DF3070D0621}	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F339D00E-300D-4991-A085-9B5DE593FD03}\stubpath = "C:\\Windows\\{F339D00E-300D-4991-A085-9B5DE593FD03}.exe"	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}\stubpath = "C:\\Windows\\{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe"	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}\stubpath = "C:\\Windows\\{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe"	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBA87F74-A444-4eb7-B75A-37752D32D78D}\stubpath = "C:\\Windows\\{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe"	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F83441-FFC5-4b4c-B50F-A5AC86605869}	{74173210-AD91-4500-AD29-2DF3070D0621}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F83441-FFC5-4b4c-B50F-A5AC86605869}\stubpath = "C:\\Windows\\{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe"	{74173210-AD91-4500-AD29-2DF3070D0621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65E3EF88-430C-4c00-932E-A6F845BE2FB8}	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}\stubpath = "C:\\Windows\\{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}.exe"	{F339D00E-300D-4991-A085-9B5DE593FD03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}\stubpath = "C:\\Windows\\{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe"	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74173210-AD91-4500-AD29-2DF3070D0621}\stubpath = "C:\\Windows\\{74173210-AD91-4500-AD29-2DF3070D0621}.exe"	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65E3EF88-430C-4c00-932E-A6F845BE2FB8}\stubpath = "C:\\Windows\\{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe"	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}\stubpath = "C:\\Windows\\{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe"	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F339D00E-300D-4991-A085-9B5DE593FD03}	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}	{F339D00E-300D-4991-A085-9B5DE593FD03}.exe

Executes dropped EXE 12 IoCs

pid	Process
1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe
3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe
4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe
3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe
4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe
2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe
5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe
2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe
4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe
4520	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe
4536	{F339D00E-300D-4991-A085-9B5DE593FD03}.exe
2756	{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{74173210-AD91-4500-AD29-2DF3070D0621}.exe	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe
File created	C:\Windows\{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe	{74173210-AD91-4500-AD29-2DF3070D0621}.exe
File created	C:\Windows\{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe
File created	C:\Windows\{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe
File created	C:\Windows\{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
File created	C:\Windows\{BC379010-E434-4d26-9556-788C2F7D2A55}.exe	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe
File created	C:\Windows\{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe
File created	C:\Windows\{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe
File created	C:\Windows\{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe
File created	C:\Windows\{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe
File created	C:\Windows\{F339D00E-300D-4991-A085-9B5DE593FD03}.exe	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe
File created	C:\Windows\{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}.exe	{F339D00E-300D-4991-A085-9B5DE593FD03}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe
Token: SeIncBasePriorityPrivilege	3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe
Token: SeIncBasePriorityPrivilege	4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe
Token: SeIncBasePriorityPrivilege	3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe
Token: SeIncBasePriorityPrivilege	4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe
Token: SeIncBasePriorityPrivilege	2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe
Token: SeIncBasePriorityPrivilege	5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe
Token: SeIncBasePriorityPrivilege	2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe
Token: SeIncBasePriorityPrivilege	4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe
Token: SeIncBasePriorityPrivilege	4520	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe
Token: SeIncBasePriorityPrivilege	4536	{F339D00E-300D-4991-A085-9B5DE593FD03}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1456	2756	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	92
PID 2756 wrote to memory of 1456	2756	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	92
PID 2756 wrote to memory of 1456	2756	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	92
PID 2756 wrote to memory of 4100	2756	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	93
PID 2756 wrote to memory of 4100	2756	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	93
PID 2756 wrote to memory of 4100	2756	2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe	93
PID 1456 wrote to memory of 3180	1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe	94
PID 1456 wrote to memory of 3180	1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe	94
PID 1456 wrote to memory of 3180	1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe	94
PID 1456 wrote to memory of 4316	1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe	95
PID 1456 wrote to memory of 4316	1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe	95
PID 1456 wrote to memory of 4316	1456	{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe	95
PID 3180 wrote to memory of 4156	3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe	98
PID 3180 wrote to memory of 4156	3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe	98
PID 3180 wrote to memory of 4156	3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe	98
PID 3180 wrote to memory of 1712	3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe	97
PID 3180 wrote to memory of 1712	3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe	97
PID 3180 wrote to memory of 1712	3180	{BC379010-E434-4d26-9556-788C2F7D2A55}.exe	97
PID 4156 wrote to memory of 3536	4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe	99
PID 4156 wrote to memory of 3536	4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe	99
PID 4156 wrote to memory of 3536	4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe	99
PID 4156 wrote to memory of 4104	4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe	100
PID 4156 wrote to memory of 4104	4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe	100
PID 4156 wrote to memory of 4104	4156	{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe	100
PID 3536 wrote to memory of 4972	3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe	101
PID 3536 wrote to memory of 4972	3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe	101
PID 3536 wrote to memory of 4972	3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe	101
PID 3536 wrote to memory of 2712	3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe	102
PID 3536 wrote to memory of 2712	3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe	102
PID 3536 wrote to memory of 2712	3536	{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe	102
PID 4972 wrote to memory of 2056	4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe	103
PID 4972 wrote to memory of 2056	4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe	103
PID 4972 wrote to memory of 2056	4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe	103
PID 4972 wrote to memory of 3472	4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe	104
PID 4972 wrote to memory of 3472	4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe	104
PID 4972 wrote to memory of 3472	4972	{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe	104
PID 2056 wrote to memory of 5032	2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe	105
PID 2056 wrote to memory of 5032	2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe	105
PID 2056 wrote to memory of 5032	2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe	105
PID 2056 wrote to memory of 1220	2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe	106
PID 2056 wrote to memory of 1220	2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe	106
PID 2056 wrote to memory of 1220	2056	{74173210-AD91-4500-AD29-2DF3070D0621}.exe	106
PID 5032 wrote to memory of 2928	5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe	107
PID 5032 wrote to memory of 2928	5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe	107
PID 5032 wrote to memory of 2928	5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe	107
PID 5032 wrote to memory of 2612	5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe	108
PID 5032 wrote to memory of 2612	5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe	108
PID 5032 wrote to memory of 2612	5032	{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe	108
PID 2928 wrote to memory of 4572	2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe	109
PID 2928 wrote to memory of 4572	2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe	109
PID 2928 wrote to memory of 4572	2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe	109
PID 2928 wrote to memory of 5056	2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe	110
PID 2928 wrote to memory of 5056	2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe	110
PID 2928 wrote to memory of 5056	2928	{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe	110
PID 4572 wrote to memory of 4520	4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe	111
PID 4572 wrote to memory of 4520	4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe	111
PID 4572 wrote to memory of 4520	4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe	111
PID 4572 wrote to memory of 2704	4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe	112
PID 4572 wrote to memory of 2704	4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe	112
PID 4572 wrote to memory of 2704	4572	{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe	112
PID 4520 wrote to memory of 4536	4520	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe	113
PID 4520 wrote to memory of 4536	4520	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe	113
PID 4520 wrote to memory of 4536	4520	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe	113
PID 4520 wrote to memory of 1732	4520	{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_e02cc5b504d42790ffc3c0638f307d95_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe
  C:\Windows\{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\{BC379010-E434-4d26-9556-788C2F7D2A55}.exe
    C:\Windows\{BC379010-E434-4d26-9556-788C2F7D2A55}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BC379~1.EXE > nul
      4⤵
      PID:1712
  - - C:\Windows\{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe
      C:\Windows\{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Windows\{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe
        
        C:\Windows\{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
      - C:\Windows\{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe
        
        C:\Windows\{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{74173210-AD91-4500-AD29-2DF3070D0621}.exe
        
        C:\Windows\{74173210-AD91-4500-AD29-2DF3070D0621}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe
        
        C:\Windows\{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe
        
        C:\Windows\{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe
        
        C:\Windows\{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe
        
        C:\Windows\{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\{F339D00E-300D-4991-A085-9B5DE593FD03}.exe
        
        C:\Windows\{F339D00E-300D-4991-A085-9B5DE593FD03}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}.exe
        
        C:\Windows\{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}.exe
        13⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F339D~1.EXE > nul
        13⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFAFF~1.EXE > nul
        12⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5457F~1.EXE > nul
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65E3E~1.EXE > nul
        10⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25F83~1.EXE > nul
        9⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74173~1.EXE > nul
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBA87~1.EXE > nul
        7⤵
        
        PID:3472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBC98~1.EXE > nul
        6⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C862D~1.EXE > nul
        5⤵
        
        PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0537~1.EXE > nul
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{25F83441-FFC5-4b4c-B50F-A5AC86605869}.exe

Filesize
372KB

MD5
6afd5707c0fb29e7f68f373dcca93599

SHA1
d68536519e563798fa89c2da95bd31df8ab5e5d6

SHA256
879d11988aa55d91af7e0ddbde278e4881be69c7299600766dec142e962a8f8f

SHA512
8338d280830dc66e804deca947420917f440edee73b0aa64669af85a6a72e64d7e8f1cda1fc06b7b1ed71d43855889e2a138884cf26143c35cc6823aaab698de

Download Submit
C:\Windows\{5457F7FD-29D8-478b-B519-B8A6AD3F0AC4}.exe

Filesize
372KB

MD5
a3ddbcfa7c72762462a56549f26c685c

SHA1
d28d4d02421919c6fc922f5343b47524a6310647

SHA256
d774d75e2f41e9c4a4cc2e3a316dec61e92b3b1398765a4b0f6082b27636626f

SHA512
87808a3a99e0c925224f0cc2f639e89130dbc2d73176e8048555ef0b7988250a6ad717b4b50e7115fc33960dd6d8a7e776455f0ec1a1c469be97ee61475b31a5

Download Submit
C:\Windows\{65E3EF88-430C-4c00-932E-A6F845BE2FB8}.exe

Filesize
372KB

MD5
05d8574fe8ea66f8615d2f7a61f1553d

SHA1
9cc2e5f112f6801734fcc86d71b57119544a4cfb

SHA256
a739b4bf718b1bc7ec53e6e0caed53b1be3be63b1e00636794e5baf7ab6c36ef

SHA512
88161bf823dd35f156494d847d6cc31e7833fe18f4dcf14c5ca753a765eb8ab26beefa8503fcc8b58451a0a3cccb030ae4b3e760fafe6e863575530a806ef3e7

Download Submit
C:\Windows\{6EE98C3F-D6AD-4ab9-97E9-36DDE255DC47}.exe

Filesize
372KB

MD5
2c5be2d8b405c6d4cc3b77e3ab82f196

SHA1
bc8a16f11a504e7efb657d50022d193899ebe591

SHA256
d12e680979361f9706099d61fcdd9d082499c268d69469ad6f70722f941d6d73

SHA512
deecf68c24cbc5d9fb390f27044dc581ca0c19e8b0b83fb97ac8af9981dd9f87a0e196da89f0471c2c138ad410a7d9ccbc7ffacf935fe4b78aabc8df281ec399

Download Submit
C:\Windows\{74173210-AD91-4500-AD29-2DF3070D0621}.exe

Filesize
372KB

MD5
387772622cc439a7fb1e8699a2b03be5

SHA1
6b24510890e5b0f01e6f01aa4735729e50cbda57

SHA256
cd78d8416ca382dea56a43dd1c3cdc87d488a98874fcb2e27cced0c815ceba49

SHA512
2d3337fe4984e94a386d1354faf7d9f49f8cab694db5a4897b2638c04bc3c21764fcc3908bc8f3af5135d2b3c673551089b3698edb21840c8dccbc4aab74ca6b

Download Submit
C:\Windows\{BC379010-E434-4d26-9556-788C2F7D2A55}.exe

Filesize
372KB

MD5
9f1e9f5e2ec2288af44879ed49c2f246

SHA1
f386ea517acd701663c28f66097a55edf06d782a

SHA256
3ee57fb0904234e234131634bbc8edddebdd27852eb080eaee3050d69a5a9383

SHA512
0e8287fb047a95a466a160c3f0330144da96a6ebf9caa934a548c4b7764d0de71e892e23c050d75d9e6304c1760ad5745e26ba0edcd145cce4d17d717d6dfe9e

Download Submit
C:\Windows\{BFAFFD8E-F556-44d7-A59A-351123F62308}.exe

Filesize
372KB

MD5
436beed997c1d42a27ebd916b1101550

SHA1
cbcb02a2c876a9535d305f517def7cb68be15288

SHA256
c53f28cfc2facd2cfdde4da83fb8ded6c0efcaf0f4d5ee85fdacbeb401949c3c

SHA512
d06da5d80d8ae45dfbf265f24d61772d1573726223c4bdc65cc7555eedaf790819d911ee1c5ce87037177f610d182b2673b4d6418d107dc315d72a6af7c1b26b

Download Submit
C:\Windows\{C053708E-1E88-43a5-8EAF-2D4DC2E8CA59}.exe

Filesize
372KB

MD5
95128a417443ac66e8248ce766e380ca

SHA1
04d2c232188e633330d188c7a3c0df823bc2eef0

SHA256
e44bc29f1a4a1e2bfa31f7dc64c3472afa751c9673dff0c6215699e0c5e06c3f

SHA512
df24cd926c9d7b845e84ad713551bdde62e0e1aca2a5c985854de15d5302eff04f31ce7814c3c78a7cac13776b43b9620fa78297fa09033448220faafcada2c0

Download Submit
C:\Windows\{C862DF91-7599-4fd3-BC57-8C2EA45AA45C}.exe

Filesize
372KB

MD5
38f0b40df5e081d28317b9429bd49088

SHA1
ca323cfb524576818dea9ab0b12b7bc0360c6227

SHA256
d68cf0a6767a9ca7620ca62586831c3ddedcf4f42274de9625e9f01eae15acb8

SHA512
71c14c4bf3d1db7c51a0b1abd7da0ffe2a8be8d9514f9e99f8b91ec926320711bd19249e526b79da09c189f31059a07d9d1c1c4b4ee3de3c0ddfa808ca2f01d1

Download Submit
C:\Windows\{DBA87F74-A444-4eb7-B75A-37752D32D78D}.exe

Filesize
372KB

MD5
311c26082c971f344f846f9eaaa7fd92

SHA1
19787ffa8dc535a058bbbffa92ee17963950a333

SHA256
9bb97fd73c091a6845dab560fc9ff84b86afbf7f62c03f06983d3aa68b6a03a9

SHA512
480997d4d759e04cf0c3eaae9f75c67db54b8a26ee3d758a34b89f474212173687ecb915475aebfe9aead378b694565b3e32f500ef80bad2bc7639a273f1dac6

Download Submit
C:\Windows\{F339D00E-300D-4991-A085-9B5DE593FD03}.exe

Filesize
372KB

MD5
8c063a9dbedf0fa693b2e8ff0c891d84

SHA1
0e9497e58067a4933217809c4ce2c2f45abc6f0f

SHA256
1415de2a0a6fe725a5423c40dbce31454d2c1e79a08430bd218223e753b7771e

SHA512
b9189839f790d854c55e1a48ee8eac24048da47c33032de3d820e4d4f74105af4f55f0f076f5522151b946a90796a9723769c0cbca550f99d3cdd7faecc93c8d

Download Submit
C:\Windows\{FBC98F62-32A8-4e51-8CBB-0CFB6C71C9CD}.exe

Filesize
372KB

MD5
b1fa9e2ce78b867e813fe19457a59b6e

SHA1
3c43a77465fdd2b464d6ee40d4fae9aa7b74c532

SHA256
6e51d0e98a30896568676dec102b38e11205a5bfb4234b22b53c0c3d6bfb5207

SHA512
2e9c651844b349fde14f1ae059d8f0f3d98e473fad65dba12f631f88b4053cb0de2658b8f165969b64eef7ba15e722b8903af2c1923a5a0cd8401573601daa1d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads