9be09e02b7ef3931d0cd471c24f3a25b528bae1bc8f73fd21d01f560a1029340

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe
Size

372KB
MD5

845f140f50aa287ccafc09fffe2991fd
SHA1

ef2ddfb7dec6d90168224a4a20f88a955c338611
SHA256

9be09e02b7ef3931d0cd471c24f3a25b528bae1bc8f73fd21d01f560a1029340
SHA512

a188c2e8c422a24d255ccf8786c1d14efe63125536388d5bbf4acd48a209e154122e82503e365d41ec6ed7390e7a27939fe7b9cd5b6108e82af56f04e7dcb1fe
SSDEEP

3072:CEGh0oWmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023059-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023238-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023059-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000715-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7BDD75A-049E-436f-881C-D821457E9B54}\stubpath = "C:\\Windows\\{B7BDD75A-049E-436f-881C-D821457E9B54}.exe"	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48B169C3-0BD8-44cc-93FD-3281C536DCB6}\stubpath = "C:\\Windows\\{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe"	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CAFBB3-A774-4b7e-A815-0369E4FF7829}	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BF719A-2E31-4643-9669-12C9753DB9BD}	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B204B70-505B-4f70-8625-A8133E5C3507}	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B204B70-505B-4f70-8625-A8133E5C3507}\stubpath = "C:\\Windows\\{6B204B70-505B-4f70-8625-A8133E5C3507}.exe"	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F97AB948-A194-4d57-817B-F94EEC608BB8}	{6B204B70-505B-4f70-8625-A8133E5C3507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A131B8E4-3F7B-4119-B149-4848CAE15958}\stubpath = "C:\\Windows\\{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe"	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DA3A54-21DD-4baf-A8A6-BAC62827A389}	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A131B8E4-3F7B-4119-B149-4848CAE15958}	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7BDD75A-049E-436f-881C-D821457E9B54}	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{150217D6-3F89-4f7e-84F7-1A6AB4F89142}\stubpath = "C:\\Windows\\{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe"	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A413F6-0FC9-4be3-BF27-F3E16F751730}	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CAFBB3-A774-4b7e-A815-0369E4FF7829}\stubpath = "C:\\Windows\\{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe"	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}\stubpath = "C:\\Windows\\{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe"	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48B169C3-0BD8-44cc-93FD-3281C536DCB6}	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{150217D6-3F89-4f7e-84F7-1A6AB4F89142}	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DA3A54-21DD-4baf-A8A6-BAC62827A389}\stubpath = "C:\\Windows\\{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe"	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A413F6-0FC9-4be3-BF27-F3E16F751730}\stubpath = "C:\\Windows\\{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe"	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BF719A-2E31-4643-9669-12C9753DB9BD}\stubpath = "C:\\Windows\\{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe"	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}\stubpath = "C:\\Windows\\{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe"	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F97AB948-A194-4d57-817B-F94EEC608BB8}\stubpath = "C:\\Windows\\{F97AB948-A194-4d57-817B-F94EEC608BB8}.exe"	{6B204B70-505B-4f70-8625-A8133E5C3507}.exe

Executes dropped EXE 12 IoCs

pid	Process
2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe
1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe
1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe
1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe
1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe
4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe
4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe
4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe
4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe
1832	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe
2636	{6B204B70-505B-4f70-8625-A8133E5C3507}.exe
4076	{F97AB948-A194-4d57-817B-F94EEC608BB8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe
File created	C:\Windows\{6B204B70-505B-4f70-8625-A8133E5C3507}.exe	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe
File created	C:\Windows\{F97AB948-A194-4d57-817B-F94EEC608BB8}.exe	{6B204B70-505B-4f70-8625-A8133E5C3507}.exe
File created	C:\Windows\{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe
File created	C:\Windows\{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe
File created	C:\Windows\{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe
File created	C:\Windows\{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe
File created	C:\Windows\{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe
File created	C:\Windows\{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe
File created	C:\Windows\{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe
File created	C:\Windows\{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe
File created	C:\Windows\{B7BDD75A-049E-436f-881C-D821457E9B54}.exe	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3492	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe
Token: SeIncBasePriorityPrivilege	1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe
Token: SeIncBasePriorityPrivilege	1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe
Token: SeIncBasePriorityPrivilege	1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe
Token: SeIncBasePriorityPrivilege	1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe
Token: SeIncBasePriorityPrivilege	4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe
Token: SeIncBasePriorityPrivilege	4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe
Token: SeIncBasePriorityPrivilege	4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe
Token: SeIncBasePriorityPrivilege	4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe
Token: SeIncBasePriorityPrivilege	1832	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe
Token: SeIncBasePriorityPrivilege	2636	{6B204B70-505B-4f70-8625-A8133E5C3507}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2760	3492	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe	91
PID 3492 wrote to memory of 2760	3492	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe	91
PID 3492 wrote to memory of 2760	3492	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe	91
PID 3492 wrote to memory of 3696	3492	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe	92
PID 3492 wrote to memory of 3696	3492	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe	92
PID 3492 wrote to memory of 3696	3492	2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe	92
PID 2760 wrote to memory of 1244	2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe	93
PID 2760 wrote to memory of 1244	2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe	93
PID 2760 wrote to memory of 1244	2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe	93
PID 2760 wrote to memory of 2332	2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe	94
PID 2760 wrote to memory of 2332	2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe	94
PID 2760 wrote to memory of 2332	2760	{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe	94
PID 1244 wrote to memory of 1596	1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe	97
PID 1244 wrote to memory of 1596	1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe	97
PID 1244 wrote to memory of 1596	1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe	97
PID 1244 wrote to memory of 2664	1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe	96
PID 1244 wrote to memory of 2664	1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe	96
PID 1244 wrote to memory of 2664	1244	{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe	96
PID 1596 wrote to memory of 1996	1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe	98
PID 1596 wrote to memory of 1996	1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe	98
PID 1596 wrote to memory of 1996	1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe	98
PID 1596 wrote to memory of 436	1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe	99
PID 1596 wrote to memory of 436	1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe	99
PID 1596 wrote to memory of 436	1596	{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe	99
PID 1996 wrote to memory of 1760	1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe	100
PID 1996 wrote to memory of 1760	1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe	100
PID 1996 wrote to memory of 1760	1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe	100
PID 1996 wrote to memory of 3108	1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe	101
PID 1996 wrote to memory of 3108	1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe	101
PID 1996 wrote to memory of 3108	1996	{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe	101
PID 1760 wrote to memory of 4184	1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe	102
PID 1760 wrote to memory of 4184	1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe	102
PID 1760 wrote to memory of 4184	1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe	102
PID 1760 wrote to memory of 4932	1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe	103
PID 1760 wrote to memory of 4932	1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe	103
PID 1760 wrote to memory of 4932	1760	{B7BDD75A-049E-436f-881C-D821457E9B54}.exe	103
PID 4184 wrote to memory of 4108	4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe	104
PID 4184 wrote to memory of 4108	4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe	104
PID 4184 wrote to memory of 4108	4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe	104
PID 4184 wrote to memory of 3980	4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe	105
PID 4184 wrote to memory of 3980	4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe	105
PID 4184 wrote to memory of 3980	4184	{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe	105
PID 4108 wrote to memory of 4824	4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe	106
PID 4108 wrote to memory of 4824	4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe	106
PID 4108 wrote to memory of 4824	4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe	106
PID 4108 wrote to memory of 4920	4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe	107
PID 4108 wrote to memory of 4920	4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe	107
PID 4108 wrote to memory of 4920	4108	{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe	107
PID 4824 wrote to memory of 4724	4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe	108
PID 4824 wrote to memory of 4724	4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe	108
PID 4824 wrote to memory of 4724	4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe	108
PID 4824 wrote to memory of 3424	4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe	109
PID 4824 wrote to memory of 3424	4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe	109
PID 4824 wrote to memory of 3424	4824	{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe	109
PID 4724 wrote to memory of 1832	4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe	110
PID 4724 wrote to memory of 1832	4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe	110
PID 4724 wrote to memory of 1832	4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe	110
PID 4724 wrote to memory of 3864	4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe	111
PID 4724 wrote to memory of 3864	4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe	111
PID 4724 wrote to memory of 3864	4724	{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe	111
PID 1832 wrote to memory of 2636	1832	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe	112
PID 1832 wrote to memory of 2636	1832	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe	112
PID 1832 wrote to memory of 2636	1832	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe	112
PID 1832 wrote to memory of 2068	1832	{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_845f140f50aa287ccafc09fffe2991fd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe
  C:\Windows\{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe
    C:\Windows\{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17CAF~1.EXE > nul
      4⤵
      PID:2664
  - - C:\Windows\{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe
      C:\Windows\{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe
        
        C:\Windows\{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\{B7BDD75A-049E-436f-881C-D821457E9B54}.exe
        
        C:\Windows\{B7BDD75A-049E-436f-881C-D821457E9B54}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe
        
        C:\Windows\{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe
        
        C:\Windows\{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe
        
        C:\Windows\{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe
        
        C:\Windows\{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe
        
        C:\Windows\{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{6B204B70-505B-4f70-8625-A8133E5C3507}.exe
        
        C:\Windows\{6B204B70-505B-4f70-8625-A8133E5C3507}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B204~1.EXE > nul
        13⤵
        
        PID:2988
        
        C:\Windows\{F97AB948-A194-4d57-817B-F94EEC608BB8}.exe
        
        C:\Windows\{F97AB948-A194-4d57-817B-F94EEC608BB8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{684DA~1.EXE > nul
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98DA3~1.EXE > nul
        11⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15021~1.EXE > nul
        10⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48B16~1.EXE > nul
        9⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFB9E~1.EXE > nul
        8⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7BDD~1.EXE > nul
        7⤵
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A131B~1.EXE > nul
        6⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1BF7~1.EXE > nul
        5⤵
        
        PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A41~1.EXE > nul
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{150217D6-3F89-4f7e-84F7-1A6AB4F89142}.exe

Filesize
372KB

MD5
0160108e7694f62a0b5af5a318d2205f

SHA1
a3d0853652d9dcff9b50f0106fb03f5c174d0dc1

SHA256
a5de8da10483832b3a94cd9cb3a0c66fb27b35c3ac8c951668450b7a9b4c2261

SHA512
09b590fd71999ddc52cd84cfceb89a8499f8c684684ec9a588e0c7493756eb8b5276e3b589a326c603007dfe8b3c2a94367487a7f653a328d4cb1272dc441cad

Download Submit
C:\Windows\{17CAFBB3-A774-4b7e-A815-0369E4FF7829}.exe

Filesize
372KB

MD5
afc47910e143997835635027a1374c8f

SHA1
3e8afc5abde06775019a5ad3189dc774215c0693

SHA256
593b01b7f7d42408206c4baba444b9f05eb30a47e3f5e7e2cfa7b84366b9dd16

SHA512
2de9034117f4eef567c54b1a3d1d5b2c4b1545bb0865cca7d30dc8156662f8c41eded55653ffb39d1b2ab2249bdfd7a0f1134e6b107fa39aa87329066a917d3b

Download Submit
C:\Windows\{48B169C3-0BD8-44cc-93FD-3281C536DCB6}.exe

Filesize
372KB

MD5
ed0ccd6f09e0226cedc30fe442df6325

SHA1
d8167670a6daec9129ee1b8e337cb78545eeecaf

SHA256
ce067c6c5884b5471804dd02d07e9ac55558a2887fbb287a33ab36115ce5ea6e

SHA512
1300a194a16b328aa9f2bf3169f9a46d7ce4ededeb7bb42b465c3b604d60764362e253dac27e43cfe438a965335dc6abf4c3decec105ce1e8580a08ac3e35220

Download Submit
C:\Windows\{684DA1E7-2DD2-494b-9C10-2E05EBE6ABA9}.exe

Filesize
372KB

MD5
05bf6778fb04991473a0c92a658561af

SHA1
e2205875c2577335d16f15515f3c3da587412891

SHA256
baa0d49c2a1e167a70ec0c02f943242e03c4b101286a9e2115086f0b209bea6f

SHA512
ece67a23a5b78bf58458a65b7e8d225b0ff74ce6c7b526386ee99c519837c2a08c7ea9cd71e0fe23c9eeef4fa790332a9fd6c18fa4d6732cb95fe0482d002cb6

Download Submit
C:\Windows\{6B204B70-505B-4f70-8625-A8133E5C3507}.exe

Filesize
372KB

MD5
fcfd84045f0efaac04db80dff883a742

SHA1
3079cc2d122877301eb65f97d54a9f60da029ab9

SHA256
d3495a2f13b5464ce68774fcfdca508ac779db162059889c72b5f23b4c73a588

SHA512
ec31a603ac1c4867d60ed08a2e07220c60d35feb247b39801e961376946d30f43de2c02e8759c2556a5fad77191212b047942154693d23ac93a9155fb69c6d82

Download Submit
C:\Windows\{98DA3A54-21DD-4baf-A8A6-BAC62827A389}.exe

Filesize
372KB

MD5
4418eff8cc4bd39c7f7314a2722deae5

SHA1
f80de2cba9482b6393dbb0dbe327cce843497ade

SHA256
7e7f3b9c8729bfa9f6ff4e549d87109d33071a23d4f2a0dd59658c6059c20444

SHA512
0455cadd43e84c90399a3f5f3720b8a3cceb811dd65671addb7728a5f6d78c6490f3632715ddcfd109ab903dd6da659138821b221ec17c8da5b00e39c8afb84d

Download Submit
C:\Windows\{A131B8E4-3F7B-4119-B149-4848CAE15958}.exe

Filesize
372KB

MD5
553ca2f8a0fbe5f071dc2befe2bb034b

SHA1
cd06112f70ef2fd52528b5b9e98e8aea06694421

SHA256
28640a6ae800e6895d326110af8ef9f62d20f0eeb8c1be57bb62ddb234f8ceb6

SHA512
6bcf1ce664f2549ebaf50ec9b23155f818cd40f4e600cf887bec04295c5382e51d10a587cb974f0205778f94ff231e3a6045158a0794dcf86864faf6b9c88f56

Download Submit
C:\Windows\{B7BDD75A-049E-436f-881C-D821457E9B54}.exe

Filesize
372KB

MD5
494eaaa6f3983e0b5e9b742533548835

SHA1
4ac81584bb1352c6bd23c1c373048c54b08c080d

SHA256
9deb96920c833c8797d7d6131ffc3ca5c5e5872a31423f89e48ccc6e63a67edb

SHA512
840063325ccb0f0b69fa6d3351b695c41a8c1882643a7a2160cbb1f99ba089e78f1273d2480dbfbe6595ccf98a352f903881621fff3432ed9d19a14b1ebcd176

Download Submit
C:\Windows\{D4A413F6-0FC9-4be3-BF27-F3E16F751730}.exe

Filesize
372KB

MD5
b3ca479501e4730bcf5d70b4b4c2dd5a

SHA1
5f1b6d67e3e451435d41535c1fd09de28a2f8277

SHA256
c94d90a0ee33942280d9cb5e8977aa93f967e373b2b4b521c16aaf09222a5edc

SHA512
899147307c615e83ceeb3f579f905e69e67437774358b03933d5c9d4d5459b6eacb94a0d6373c8976e2e645e1647e74486857789af7a02d9919304e93f76df41

Download Submit
C:\Windows\{F1BF719A-2E31-4643-9669-12C9753DB9BD}.exe

Filesize
372KB

MD5
c98e3e73f7828eadf9edc3365a1e4a99

SHA1
d357afb44a930163ae5f58d1011d007b28bafb57

SHA256
796245ab62835c2f14310a40face520641055c313cf6a950fd7271d72453da10

SHA512
d943458e9c2a245f3923801e6462c374fbfcc93c34a50388caa1873d42969c2241efdd53497eb31a7639301a55be90a2631117aec8f389370f14bcc6adc2d4bf

Download Submit
C:\Windows\{F97AB948-A194-4d57-817B-F94EEC608BB8}.exe

Filesize
372KB

MD5
a148b58841356b5ae37c4d3c9227fad7

SHA1
28fff71170d6962dceab55fe5f81a3a5933c58b0

SHA256
ec3a4767e39e05701e700da5865e482f7576c1ec94f6e1467a0e462aa721a2f7

SHA512
64d6ce7d64a339098f3c0bee8b2c38b61cc885f336d35a022b78245f0305b79c04f2e5db5274d6fce02763a97ca8cd7b500a791c2aec0003af49256fbec50c57

Download Submit
C:\Windows\{FFB9E993-1B3F-49b0-857D-0C5D80F82E1E}.exe

Filesize
372KB

MD5
8b44f445bbe7fd7806f43066883bc106

SHA1
233e021d4809b1de683d8ccff5e90153661dafee

SHA256
d65ff5a5a440b15058aa036dab56e87dc28b792a3b7af5159100d75294f519a5

SHA512
16e962e684ed6a6774efbbb4f40d93061eae0955ea57ed1294fd5b681abe4fea652ffc205772d44c61371a99097f71afe92d3843306b61ce68d08779bd404bd8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads