6f516f4178f4d5ed7b1d95c1fb2801405d6396e601bd732f30245ff850c335d4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe
Size

180KB
MD5

5e509bada466cce600ffc6dd8b820f61
SHA1

bf7bc95d349695c1b70d86c6983852b6a5381113
SHA256

6f516f4178f4d5ed7b1d95c1fb2801405d6396e601bd732f30245ff850c335d4
SHA512

032caac73b44d7efa4277c7190cf2fa06236d1775578d20391e204e2b3e74b5d3165950dddfe3b4e7cd77141b6cb6c8507505ca0f0bc2174416d2eb372b75987
SSDEEP

3072:jEGh0oMlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG6l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023201-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002320c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023211-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d92-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d93-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d92-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}\stubpath = "C:\\Windows\\{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe"	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0400835A-F382-4ae9-A300-17FD96F96B78}	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40E44293-D27B-4c89-AF2B-BF08D111F7EF}	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}\stubpath = "C:\\Windows\\{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe"	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A25534-43FC-4f47-A14C-B3B48DC3A468}	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A25534-43FC-4f47-A14C-B3B48DC3A468}\stubpath = "C:\\Windows\\{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe"	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F474CB13-EDBC-42bd-8974-58197F802C29}	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}	{F474CB13-EDBC-42bd-8974-58197F802C29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}\stubpath = "C:\\Windows\\{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}.exe"	{F474CB13-EDBC-42bd-8974-58197F802C29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3A763D8-8396-4eed-8F0E-7345004557BF}\stubpath = "C:\\Windows\\{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe"	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}\stubpath = "C:\\Windows\\{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe"	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B183373-65CD-4ace-91B6-136DBD511067}	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B183373-65CD-4ace-91B6-136DBD511067}\stubpath = "C:\\Windows\\{2B183373-65CD-4ace-91B6-136DBD511067}.exe"	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0400835A-F382-4ae9-A300-17FD96F96B78}\stubpath = "C:\\Windows\\{0400835A-F382-4ae9-A300-17FD96F96B78}.exe"	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}\stubpath = "C:\\Windows\\{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe"	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E647F916-479F-4f6a-A302-16FC1BC0C71B}	{2B183373-65CD-4ace-91B6-136DBD511067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F474CB13-EDBC-42bd-8974-58197F802C29}\stubpath = "C:\\Windows\\{F474CB13-EDBC-42bd-8974-58197F802C29}.exe"	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3A763D8-8396-4eed-8F0E-7345004557BF}	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E647F916-479F-4f6a-A302-16FC1BC0C71B}\stubpath = "C:\\Windows\\{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe"	{2B183373-65CD-4ace-91B6-136DBD511067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40E44293-D27B-4c89-AF2B-BF08D111F7EF}\stubpath = "C:\\Windows\\{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe"	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe

Executes dropped EXE 12 IoCs

pid	Process
4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe
4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe
2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe
2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe
3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe
484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe
1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe
3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe
1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe
4560	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe
3676	{F474CB13-EDBC-42bd-8974-58197F802C29}.exe
3408	{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe
File created	C:\Windows\{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe
File created	C:\Windows\{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe
File created	C:\Windows\{2B183373-65CD-4ace-91B6-136DBD511067}.exe	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe
File created	C:\Windows\{0400835A-F382-4ae9-A300-17FD96F96B78}.exe	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe
File created	C:\Windows\{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe	{2B183373-65CD-4ace-91B6-136DBD511067}.exe
File created	C:\Windows\{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe
File created	C:\Windows\{F474CB13-EDBC-42bd-8974-58197F802C29}.exe	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe
File created	C:\Windows\{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}.exe	{F474CB13-EDBC-42bd-8974-58197F802C29}.exe
File created	C:\Windows\{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe
File created	C:\Windows\{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe
File created	C:\Windows\{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5052	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe
Token: SeIncBasePriorityPrivilege	4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe
Token: SeIncBasePriorityPrivilege	2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe
Token: SeIncBasePriorityPrivilege	2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe
Token: SeIncBasePriorityPrivilege	3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe
Token: SeIncBasePriorityPrivilege	484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe
Token: SeIncBasePriorityPrivilege	1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe
Token: SeIncBasePriorityPrivilege	3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe
Token: SeIncBasePriorityPrivilege	1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe
Token: SeIncBasePriorityPrivilege	4560	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe
Token: SeIncBasePriorityPrivilege	3676	{F474CB13-EDBC-42bd-8974-58197F802C29}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4048	5052	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe	84
PID 5052 wrote to memory of 4048	5052	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe	84
PID 5052 wrote to memory of 4048	5052	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe	84
PID 5052 wrote to memory of 3532	5052	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe	85
PID 5052 wrote to memory of 3532	5052	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe	85
PID 5052 wrote to memory of 3532	5052	2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe	85
PID 4048 wrote to memory of 4072	4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe	93
PID 4048 wrote to memory of 4072	4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe	93
PID 4048 wrote to memory of 4072	4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe	93
PID 4048 wrote to memory of 4644	4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe	94
PID 4048 wrote to memory of 4644	4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe	94
PID 4048 wrote to memory of 4644	4048	{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe	94
PID 4072 wrote to memory of 2812	4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe	96
PID 4072 wrote to memory of 2812	4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe	96
PID 4072 wrote to memory of 2812	4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe	96
PID 4072 wrote to memory of 4300	4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe	97
PID 4072 wrote to memory of 4300	4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe	97
PID 4072 wrote to memory of 4300	4072	{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe	97
PID 2812 wrote to memory of 2876	2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe	98
PID 2812 wrote to memory of 2876	2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe	98
PID 2812 wrote to memory of 2876	2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe	98
PID 2812 wrote to memory of 3488	2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe	99
PID 2812 wrote to memory of 3488	2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe	99
PID 2812 wrote to memory of 3488	2812	{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe	99
PID 2876 wrote to memory of 3868	2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe	100
PID 2876 wrote to memory of 3868	2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe	100
PID 2876 wrote to memory of 3868	2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe	100
PID 2876 wrote to memory of 2444	2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe	101
PID 2876 wrote to memory of 2444	2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe	101
PID 2876 wrote to memory of 2444	2876	{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe	101
PID 3868 wrote to memory of 484	3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe	102
PID 3868 wrote to memory of 484	3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe	102
PID 3868 wrote to memory of 484	3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe	102
PID 3868 wrote to memory of 2004	3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe	103
PID 3868 wrote to memory of 2004	3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe	103
PID 3868 wrote to memory of 2004	3868	{2B183373-65CD-4ace-91B6-136DBD511067}.exe	103
PID 484 wrote to memory of 1120	484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe	105
PID 484 wrote to memory of 1120	484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe	105
PID 484 wrote to memory of 1120	484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe	105
PID 484 wrote to memory of 316	484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe	104
PID 484 wrote to memory of 316	484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe	104
PID 484 wrote to memory of 316	484	{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe	104
PID 1120 wrote to memory of 3792	1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe	106
PID 1120 wrote to memory of 3792	1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe	106
PID 1120 wrote to memory of 3792	1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe	106
PID 1120 wrote to memory of 2260	1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe	107
PID 1120 wrote to memory of 2260	1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe	107
PID 1120 wrote to memory of 2260	1120	{0400835A-F382-4ae9-A300-17FD96F96B78}.exe	107
PID 3792 wrote to memory of 1728	3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe	108
PID 3792 wrote to memory of 1728	3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe	108
PID 3792 wrote to memory of 1728	3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe	108
PID 3792 wrote to memory of 32	3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe	109
PID 3792 wrote to memory of 32	3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe	109
PID 3792 wrote to memory of 32	3792	{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe	109
PID 1728 wrote to memory of 4560	1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe	110
PID 1728 wrote to memory of 4560	1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe	110
PID 1728 wrote to memory of 4560	1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe	110
PID 1728 wrote to memory of 4468	1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe	111
PID 1728 wrote to memory of 4468	1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe	111
PID 1728 wrote to memory of 4468	1728	{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe	111
PID 4560 wrote to memory of 3676	4560	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe	112
PID 4560 wrote to memory of 3676	4560	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe	112
PID 4560 wrote to memory of 3676	4560	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe	112
PID 4560 wrote to memory of 2788	4560	{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_5e509bada466cce600ffc6dd8b820f61_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe
  C:\Windows\{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe
    C:\Windows\{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe
      C:\Windows\{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe
        
        C:\Windows\{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{2B183373-65CD-4ace-91B6-136DBD511067}.exe
        
        C:\Windows\{2B183373-65CD-4ace-91B6-136DBD511067}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe
        
        C:\Windows\{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E647F~1.EXE > nul
        8⤵
        
        PID:316
        
        C:\Windows\{0400835A-F382-4ae9-A300-17FD96F96B78}.exe
        
        C:\Windows\{0400835A-F382-4ae9-A300-17FD96F96B78}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe
        
        C:\Windows\{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe
        
        C:\Windows\{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe
        
        C:\Windows\{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{F474CB13-EDBC-42bd-8974-58197F802C29}.exe
        
        C:\Windows\{F474CB13-EDBC-42bd-8974-58197F802C29}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}.exe
        
        C:\Windows\{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}.exe
        13⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F474C~1.EXE > nul
        13⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36A25~1.EXE > nul
        12⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{005BF~1.EXE > nul
        11⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40E44~1.EXE > nul
        10⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04008~1.EXE > nul
        9⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B183~1.EXE > nul
        7⤵
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0AF~1.EXE > nul
        6⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25FE6~1.EXE > nul
        5⤵
        
        PID:3488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D3A76~1.EXE > nul
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1F5D7~1.EXE > nul
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{005BF2DA-ADE0-4ddf-8861-1657A9D8BFFA}.exe

Filesize
180KB

MD5
1389db1e993a800b8f0837e0caa07cfc

SHA1
291a71d0f735062a77be29347b5020677b63f043

SHA256
74ad7511e900f68b1bc8ad757de34d44d726d86d06899b8eca22d9c0d71fc5f5

SHA512
b108db56ab8a388dfa25e5107084df2167661d104ec76b133a4bd24d75e02f7fed3ed63fb53dbee7c76f1f51ca3313dcb7ad6a9cf5e14ad46e67eeaf532469b8

Download Submit
C:\Windows\{0400835A-F382-4ae9-A300-17FD96F96B78}.exe

Filesize
180KB

MD5
7b1d80c10c2688dc84179cbc8b513945

SHA1
01893da12fce575bd5710f40fe35c39185f1856c

SHA256
973c49397a5c83e1cd7c77b1539579f8983880f45c80f483caa70e00c2e3f410

SHA512
07b44c11590510f0d9360635525f7a3a54f224d5449c17baaa5de00f2a599e851c11e4531ecce93311a7214478234e903aa8c50f739d19550da22a74ec62f579

Download Submit
C:\Windows\{0568A4F7-8649-4bfa-8DAC-5D20F7E70470}.exe

Filesize
180KB

MD5
3e25893c229809b134cc91d404dab781

SHA1
6c1124a8216f6b777d46ab101498b2b9e778f6bf

SHA256
d3c85fbf9420a91063bf52157c5f5eb5cbcfe454b18ae31e5c7d1134a0bb56b0

SHA512
8af7b37e878fd1270cfc5408153e00915516f6581c989fd0487b5f5ad7df1f7e0e5f30d620ef53b623ee7912d39fc1814123e7a541a2cda14a4de3b26c2a8a46

Download Submit
C:\Windows\{1F5D76AC-35CC-4919-A2C5-EBFF6C29CA44}.exe

Filesize
180KB

MD5
be720753228cf122ebdaa97f3283d704

SHA1
6359212824ebfae67b2d2e26830dd5873d91a521

SHA256
f6e3cb4822d37b75c8b53fd81532a989d10575276d2e05468c248d91ab576002

SHA512
066f910782eb6ebc42aee868691636f9e547d5ea5439e7d4bf80c372e4709b4cd40416d9f5048895cbec3f0ca285fa2d525cbf450463361f37f8615e82e8fb62

Download Submit
C:\Windows\{25FE64B2-197A-4e0d-BC9F-CE6059D6C2B8}.exe

Filesize
180KB

MD5
ce6f5cec2a4f6fae1df0421efd4a40ef

SHA1
689a6b5b1c26623b4e05fdd0e78465f699776378

SHA256
82067574890d166fba585c8f82c338125864f0c6ad7da68881bd0856bd62be62

SHA512
027d356120f028d815bed86a8c3589bba80a26981195be3726d3e275a065d449d0f49542535268c13fe3e12cd62bf392778f96486ec3e9e23d5658b129afb9cb

Download Submit
C:\Windows\{2B183373-65CD-4ace-91B6-136DBD511067}.exe

Filesize
180KB

MD5
d34382580e2983b81be0db17dc63f15d

SHA1
d2a1b54a6e2632f5d49a5a3ca6e997685047641f

SHA256
f19ed3aae6d3ca577bb9feb8708625b8a8feddd77327ebd1431b6eb44ebfb111

SHA512
90d0ce7e6d8e93fa1ba8fd8e59a1d8aa638ac43235d24b1441881d3182ab6d8633ef88757248fe31e42a760b90ce9a306be28c22b1535e92cd499ca8b78d6cdf

Download Submit
C:\Windows\{36A25534-43FC-4f47-A14C-B3B48DC3A468}.exe

Filesize
180KB

MD5
a932becda0c34387b3e960f1d9419bf4

SHA1
b494262b4d1dac3f846c059650061abbc6706f45

SHA256
d1dadd4e393a1b7460d728ca5abcc0714e1f6c52f0069cde165e666904ad74ee

SHA512
9deeba7b2332b51c6f08b2c146ceb2bd0a15ca9cd88b9048d73e57e614427cb22a6b1f51502b6c0e46c82dd79efdffc45dcb27d757e9f3b8a7e6e7d15d05e9e2

Download Submit
C:\Windows\{40E44293-D27B-4c89-AF2B-BF08D111F7EF}.exe

Filesize
180KB

MD5
a479262a9c875d6c2f8fc1a6108ce17a

SHA1
b355c88dff62dcdadfddece7c811ff56387fb14c

SHA256
0e22d86e8aa592609a4250fecaa05925f8222142422c2cfd7aa83b399885f7de

SHA512
545c8beb942eac05a6109e9867bdee5eebb1f49e1b7c90466f7ad44c18ccfd30c39892c4360761d65e439a61c6fd95e01c3be4795cb37d72c5b5ea5cfa17e60d

Download Submit
C:\Windows\{D3A763D8-8396-4eed-8F0E-7345004557BF}.exe

Filesize
180KB

MD5
a101d70303b8c3983198299468d8a3d3

SHA1
feedfa428e08c77015a65e41b0fc0152c36e364c

SHA256
8c32987eadc9d871881eb5c9111577a8980c8f165ae698cab1f88810370d9088

SHA512
e7ac451551c05bbd252ea5975908b7c08ea1ebdb7d009028b9f1ec1b427f5c96998d9a2df35fd8a2548a8039bcff9b5db43632c518c3257c457f2aaf6914d921

Download Submit
C:\Windows\{DA0AF11E-EAEE-4e12-AE7C-375FAD5686BE}.exe

Filesize
180KB

MD5
61e0fb91bdefbfb46894ad387912d517

SHA1
9cfdef63667e5f01aa4be41ba1b1ff39a1f9e1b3

SHA256
080ca5ccc7d2f7e31b1d320502d57fc12094c699be62f6eaa9db12db778568d6

SHA512
8e1d92273a17a8bbf3eb629a85807b1c6a0a3f582725250805d06c38982840e8164a9e1f480a500dd5b3e09d66560e3b50ae7cbeeeffeabaa8d6711924f9b810

Download Submit
C:\Windows\{E647F916-479F-4f6a-A302-16FC1BC0C71B}.exe

Filesize
180KB

MD5
9dfdc5e015a5602b67b2af11815bb1f5

SHA1
2e90a0322de334cffb910026e18006f3bf0a5278

SHA256
4375c27e9c9b859f9926a792c6499522c7a0d8ff60af970fe9c73c54437928dc

SHA512
735758049e78dab9fcf7f92d604e9c876792100ee89491558e62e3ddd024dbd5155418732695925f559cf958c7040e5a6e629dd7deb754e086f02e9a394cc0fb

Download Submit
C:\Windows\{F474CB13-EDBC-42bd-8974-58197F802C29}.exe

Filesize
180KB

MD5
38859e1c980f371b9625a0134f0c40df

SHA1
d18660f737c570f95a74c8c8664f5790549eb2ad

SHA256
95098ffbb9ed28db2c1dc38639e41cb498ceae6d5a4af6a46bd870363298c7f3

SHA512
4f3f7be7964f3a5d787e186f812761d54a09df46dd1902892c75fb32f062a0ffb4f5cd6e9184bbaea5230fd09499cd911d4285b868caf91b646a36c3578f6578

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads