be33315be151410b5b07c1975edede05ba2595c3c6bb7314224d8afc55bdaeed

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Size

197KB
MD5

20044cb9ceb4146700223b0bac616a7d
SHA1

b18fd5d2373a34884c5f418652706dd6de676ced
SHA256

be33315be151410b5b07c1975edede05ba2595c3c6bb7314224d8afc55bdaeed
SHA512

fe390ea9988c0a917acf18b859e64b34ae4f35314533973850d2dca407213c119fbd078febbdfd917ab04e0c1aff8a7959f8189ebefd199c26b5d1696ade33fc
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f6-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e0b8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023201-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e0b8-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000001e0b8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A3E008-4D6F-4a1d-9C9F-982452973E09}	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}	{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010B1AAC-489C-4d43-8324-5B995EFF2294}	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010B1AAC-489C-4d43-8324-5B995EFF2294}\stubpath = "C:\\Windows\\{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe"	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0832B709-37D3-4087-9AD0-44CE6C99A8CA}\stubpath = "C:\\Windows\\{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe"	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CDB50FF-B86E-4826-A120-98424B93F989}	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DA965C-F39B-494f-9B59-B3CDD587720C}\stubpath = "C:\\Windows\\{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe"	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}\stubpath = "C:\\Windows\\{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe"	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0832B709-37D3-4087-9AD0-44CE6C99A8CA}	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CDB50FF-B86E-4826-A120-98424B93F989}\stubpath = "C:\\Windows\\{9CDB50FF-B86E-4826-A120-98424B93F989}.exe"	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB886EF-F5B5-4e8c-BC57-E06892904B33}	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A3E008-4D6F-4a1d-9C9F-982452973E09}\stubpath = "C:\\Windows\\{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe"	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}\stubpath = "C:\\Windows\\{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe"	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}\stubpath = "C:\\Windows\\{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}.exe"	{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}\stubpath = "C:\\Windows\\{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe"	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F9E90D9-966A-49c7-942E-F3449A107E64}	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F9E90D9-966A-49c7-942E-F3449A107E64}\stubpath = "C:\\Windows\\{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe"	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB886EF-F5B5-4e8c-BC57-E06892904B33}\stubpath = "C:\\Windows\\{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe"	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}\stubpath = "C:\\Windows\\{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe"	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DA965C-F39B-494f-9B59-B3CDD587720C}	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe

Executes dropped EXE 12 IoCs

pid	Process
2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe
4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe
540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe
4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe
768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe
1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe
904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe
2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe
3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe
3100	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe
1164	{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe
3812	{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe
File created	C:\Windows\{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
File created	C:\Windows\{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe
File created	C:\Windows\{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe
File created	C:\Windows\{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe
File created	C:\Windows\{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe
File created	C:\Windows\{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe
File created	C:\Windows\{9CDB50FF-B86E-4826-A120-98424B93F989}.exe	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe
File created	C:\Windows\{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe
File created	C:\Windows\{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe
File created	C:\Windows\{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe
File created	C:\Windows\{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}.exe	{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4556	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe
Token: SeIncBasePriorityPrivilege	4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe
Token: SeIncBasePriorityPrivilege	540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe
Token: SeIncBasePriorityPrivilege	4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe
Token: SeIncBasePriorityPrivilege	768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe
Token: SeIncBasePriorityPrivilege	1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe
Token: SeIncBasePriorityPrivilege	904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe
Token: SeIncBasePriorityPrivilege	2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe
Token: SeIncBasePriorityPrivilege	3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe
Token: SeIncBasePriorityPrivilege	3100	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe
Token: SeIncBasePriorityPrivilege	1164	{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2504	4556	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	90
PID 4556 wrote to memory of 2504	4556	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	90
PID 4556 wrote to memory of 2504	4556	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	90
PID 4556 wrote to memory of 3740	4556	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	91
PID 4556 wrote to memory of 3740	4556	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	91
PID 4556 wrote to memory of 3740	4556	2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe	91
PID 2504 wrote to memory of 4260	2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe	92
PID 2504 wrote to memory of 4260	2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe	92
PID 2504 wrote to memory of 4260	2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe	92
PID 2504 wrote to memory of 4736	2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe	93
PID 2504 wrote to memory of 4736	2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe	93
PID 2504 wrote to memory of 4736	2504	{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe	93
PID 4260 wrote to memory of 540	4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe	96
PID 4260 wrote to memory of 540	4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe	96
PID 4260 wrote to memory of 540	4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe	96
PID 4260 wrote to memory of 2304	4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe	95
PID 4260 wrote to memory of 2304	4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe	95
PID 4260 wrote to memory of 2304	4260	{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe	95
PID 540 wrote to memory of 4424	540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe	97
PID 540 wrote to memory of 4424	540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe	97
PID 540 wrote to memory of 4424	540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe	97
PID 540 wrote to memory of 4692	540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe	98
PID 540 wrote to memory of 4692	540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe	98
PID 540 wrote to memory of 4692	540	{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe	98
PID 4424 wrote to memory of 768	4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe	99
PID 4424 wrote to memory of 768	4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe	99
PID 4424 wrote to memory of 768	4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe	99
PID 4424 wrote to memory of 2848	4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe	100
PID 4424 wrote to memory of 2848	4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe	100
PID 4424 wrote to memory of 2848	4424	{9CDB50FF-B86E-4826-A120-98424B93F989}.exe	100
PID 768 wrote to memory of 1600	768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe	101
PID 768 wrote to memory of 1600	768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe	101
PID 768 wrote to memory of 1600	768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe	101
PID 768 wrote to memory of 944	768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe	102
PID 768 wrote to memory of 944	768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe	102
PID 768 wrote to memory of 944	768	{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe	102
PID 1600 wrote to memory of 904	1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe	103
PID 1600 wrote to memory of 904	1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe	103
PID 1600 wrote to memory of 904	1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe	103
PID 1600 wrote to memory of 3860	1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe	104
PID 1600 wrote to memory of 3860	1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe	104
PID 1600 wrote to memory of 3860	1600	{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe	104
PID 904 wrote to memory of 2524	904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe	105
PID 904 wrote to memory of 2524	904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe	105
PID 904 wrote to memory of 2524	904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe	105
PID 904 wrote to memory of 3468	904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe	106
PID 904 wrote to memory of 3468	904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe	106
PID 904 wrote to memory of 3468	904	{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe	106
PID 2524 wrote to memory of 3216	2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe	107
PID 2524 wrote to memory of 3216	2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe	107
PID 2524 wrote to memory of 3216	2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe	107
PID 2524 wrote to memory of 4964	2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe	108
PID 2524 wrote to memory of 4964	2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe	108
PID 2524 wrote to memory of 4964	2524	{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe	108
PID 3216 wrote to memory of 3100	3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe	109
PID 3216 wrote to memory of 3100	3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe	109
PID 3216 wrote to memory of 3100	3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe	109
PID 3216 wrote to memory of 2216	3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe	110
PID 3216 wrote to memory of 2216	3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe	110
PID 3216 wrote to memory of 2216	3216	{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe	110
PID 3100 wrote to memory of 1164	3100	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe	112
PID 3100 wrote to memory of 1164	3100	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe	112
PID 3100 wrote to memory of 1164	3100	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe	112
PID 3100 wrote to memory of 2072	3100	{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_20044cb9ceb4146700223b0bac616a7d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe
  C:\Windows\{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe
    C:\Windows\{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{010B1~1.EXE > nul
      4⤵
      PID:2304
  - - C:\Windows\{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe
      C:\Windows\{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\{9CDB50FF-B86E-4826-A120-98424B93F989}.exe
        
        C:\Windows\{9CDB50FF-B86E-4826-A120-98424B93F989}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe
        
        C:\Windows\{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe
        
        C:\Windows\{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe
        
        C:\Windows\{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe
        
        C:\Windows\{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe
        
        C:\Windows\{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe
        
        C:\Windows\{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A3E~1.EXE > nul
        12⤵
        
        PID:2072
        
        C:\Windows\{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe
        
        C:\Windows\{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}.exe
        
        C:\Windows\{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5597~1.EXE > nul
        13⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33DA9~1.EXE > nul
        11⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19A46~1.EXE > nul
        10⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB88~1.EXE > nul
        9⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F9E9~1.EXE > nul
        8⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA0A~1.EXE > nul
        7⤵
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CDB5~1.EXE > nul
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0832B~1.EXE > nul
        5⤵
        
        PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD53~1.EXE > nul
    3⤵
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{010B1AAC-489C-4d43-8324-5B995EFF2294}.exe

Filesize
197KB

MD5
04c6e4718c135d08edbb9aa114d8fbf0

SHA1
3d9bdb341cf8e1c6e4f54782c6e580959dde403d

SHA256
37409e8d3c25433e9f68eb4bff0f03a25f504439309e3e216b7834d2881843f6

SHA512
767ce8835f59895c9871e5e91421e7794ff0dcfe40283420f335177f953f07726ebb6a3d76c5c995badc6fcdc212b1f18947f2e8f18096cffe1fd4b1f65ce4da

Download Submit
C:\Windows\{0832B709-37D3-4087-9AD0-44CE6C99A8CA}.exe

Filesize
197KB

MD5
5e2ea72dcd409ce549e0cb009bd0c3c2

SHA1
33dbff40a0c0bf7bb31c1cd5d7446f1b0ce9e63f

SHA256
b358704b15429e1c14bc95d0b2c4acbb6215c49674c6cd59dce5b180b12b768f

SHA512
3aa32bc0a0db40e08cec63578b73dd361fbf65888a0a1d50468e582e285a8f3ec8abaf71391c7eb4321ccc0b7e6bb505b92e0c242954ee56709920c82de71a21

Download Submit
C:\Windows\{19A46163-3F4F-4b13-BCDB-9A0D18D9F936}.exe

Filesize
197KB

MD5
6d0c649352064318417cb503f2ee04b0

SHA1
89a6e34e449bdc067dc20581ceb73f34a56579fb

SHA256
5ff194d93650bd39d5156cbf8a5dc33feada93492eb0b96f6b91c4f31c582afa

SHA512
51b0f380b1b1500fc5fab2da43785ef81457d994e95161adede09d4a3b8a7b8fa98d019adc3111d9aec0a3c70e470d414437312f8a64de8f7f67b84b427a06a6

Download Submit
C:\Windows\{1F9E90D9-966A-49c7-942E-F3449A107E64}.exe

Filesize
197KB

MD5
93a784c721bb90725e0f43cef521ca9e

SHA1
469e7609d3a4f255619ade5d34a6072e2618f905

SHA256
43696938ed911d26d33c23a5240bdb185ec2e18151b6edc3c425bd2696caca2e

SHA512
5bc8e51ee0172643cb629ff8c2a477794c18c2822c2564a594cec19f9296a63df1f3fcda2df147ee681477607cf28dd303865a7b7e552d681963c68df0c3cb46

Download Submit
C:\Windows\{33DA965C-F39B-494f-9B59-B3CDD587720C}.exe

Filesize
197KB

MD5
52dd43b6910568e9a35fc6ae7b6bb770

SHA1
6d25f650a5baca60cbad5c9914d38691520ac096

SHA256
1baaacdfce22eab9c2547621c2f1f83f1ac7d84571a1fd8f40ac3b8c1a8600fd

SHA512
6758cf015c07ec4cb759cae7b724d36df0bf0aa77cce300c0f60adbf13ab7c9ddd377c3789a582495dbca2037e1b03d5d5a5f74eebc51ae6b087898a55f52f3c

Download Submit
C:\Windows\{5AA0AB73-CB0E-49b9-BCBA-AFE84D8FDDFE}.exe

Filesize
197KB

MD5
43723973680368e5f1f268f32dc5bac1

SHA1
a54e171ea66de970f1a7bdb9930a7567116c0889

SHA256
353374690606abb901aa8c1e8c49ed1528d82ee800fd507b312d5e000c251596

SHA512
1a651d3eb433d5fc21de4e8f1dffdbd1bab52928f640e0afb93e46124ad02202e1f87e18024c2c6a14ac8177a51ff4163f90c49364025e239845b9ccffbdc24e

Download Submit
C:\Windows\{8BB886EF-F5B5-4e8c-BC57-E06892904B33}.exe

Filesize
197KB

MD5
fa2497b76fbe1ce0b682f300e4db6086

SHA1
74643d1fc1365c37d6726bce62dc8bd22cd88744

SHA256
150a341fedd4ccd4e7a69ea60663dd7571034146bdc4cd3b5ccb91c03a74c0da

SHA512
92584a0a938550b7f175b647a12ab72bdc04a49e876a4f4b181d8baf3b06abd867894b48853e1cc3c249f2d8f6e37ceadbb5217f1de8c9a392fc4995591ba286

Download Submit
C:\Windows\{9CDB50FF-B86E-4826-A120-98424B93F989}.exe

Filesize
197KB

MD5
9af5cd644802b73afb08bed99fcc6cf9

SHA1
df4bb4c087d2c9314394e1c521ef12f6dd102d48

SHA256
46113425dc4790f1c58632841848d50ac49cce29b0677c8137b85d3a1ad92b88

SHA512
122e857c044fa180c41ab5c4376274db37975e65e62d042993eb751d93bc12eacc03b103c0ae8e5c0dd9460e037080d2e34f6808f33a841e8f1ca1396e55a7c2

Download Submit
C:\Windows\{A5597FE5-F796-41ca-ADAD-7E0C5BAD3957}.exe

Filesize
197KB

MD5
ab41a94010d944a01e1e74231dcdcf29

SHA1
0adbc486e06d0ff6fe16441cd66858c2240163a7

SHA256
0673ab112f2fc109cf7647e5bea575d509e6250ccb9449168df374ea8d7756b6

SHA512
529afb4de26a19492e2a42314619f2a7c858ca5d4a6fe303a2a4f7ea261fb5bf18200263c4d726b260d74526e5b6a77710922e1558aa557780173c536dc7c5bf

Download Submit
C:\Windows\{ABD53B1D-E1A3-40a5-86F2-C20705EE3576}.exe

Filesize
197KB

MD5
635d015e62b98b0a96ab1a7976fc1099

SHA1
0a45c60196b787452849a7dbf4ed7367d8083e89

SHA256
b40a6dced92725848d70722280c6a5cd9d7e188d4fc227a7dc2e012d7e212aa8

SHA512
a3530adc57397cfbb8e6cff48a74d64a2a752a14ee24ec3b6b67ba07f2c17e25618fb983767fd8fb0be6889618af3cd731661b9059fd96bd8e406f9a4afcd211

Download Submit
C:\Windows\{D4A3E008-4D6F-4a1d-9C9F-982452973E09}.exe

Filesize
197KB

MD5
776f4a6bfaa71d25178b8714f44de652

SHA1
5e0e55b772a968203d3a785c500d1702e81757ce

SHA256
4e6f72320135d63d89547c90033ab2c187fd0842653db68ee612a7acab11fcd3

SHA512
057b279e089c675213c1f7b07f2b6407e7ab497cc75ad45fb9f4eb4e101a3e64e28b64c17ad438396c159a7b42f9c5bf094532e307f5a0ce0a663f4e6aed6fe1

Download Submit
C:\Windows\{FE76B1F6-D604-4e8f-8F69-5CA590B0BBC0}.exe

Filesize
197KB

MD5
5a8363626daeea6cd26684a22e4f608b

SHA1
64963eca23be0de94359e7a1acee92a2266f987d

SHA256
81805546b5b6794cc1448d5cbb49ab2673f9aafc8b307e46277c24641681d5a2

SHA512
eb4c78fe9737d2036c9b7936b7fc193be0a237a7bb21db880e580be7c6c51e35c4a1cf92832f51cf9d90fc4f36e821ea639998fffdede0a0d3a035228118ceca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads