29fc545f3ef76fb84802f3d8e41e6d1e3d2d65b00a03de99d7ead48adf6e8daa

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Size

197KB
MD5

05d620445f982ac836dfc862039dc831
SHA1

bf644a2e476c6369d4ee184b3d093391b96a7d2a
SHA256

29fc545f3ef76fb84802f3d8e41e6d1e3d2d65b00a03de99d7ead48adf6e8daa
SHA512

26b67d3bde51754839587841a0fbfd56088046961eeca4e0b50c2b153218cb2f5c6e4e794b7aa2ba605bd4bdd628cba1cb34376b28d034ff464e27a0f354fe7b
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG4lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x008500000001b58d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002323f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023245-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023245-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0793D6-296C-46a0-9106-AE68AC1F92CD}\stubpath = "C:\\Windows\\{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe"	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}\stubpath = "C:\\Windows\\{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe"	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1D89E9F-9170-4846-9165-4D61DD20F213}\stubpath = "C:\\Windows\\{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe"	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729F8389-BAC5-4a94-83C9-E0414109EA30}\stubpath = "C:\\Windows\\{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe"	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}	{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0793D6-296C-46a0-9106-AE68AC1F92CD}	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1D89E9F-9170-4846-9165-4D61DD20F213}	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0A0420-1190-4501-B28D-B546ACE5F982}\stubpath = "C:\\Windows\\{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe"	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}\stubpath = "C:\\Windows\\{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}.exe"	{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5468C653-66B5-4068-A3A1-790FD36A1E09}	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5468C653-66B5-4068-A3A1-790FD36A1E09}\stubpath = "C:\\Windows\\{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe"	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}\stubpath = "C:\\Windows\\{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe"	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD609469-F5C0-497d-8047-57F1CD02A0EC}	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729F8389-BAC5-4a94-83C9-E0414109EA30}	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0A0420-1190-4501-B28D-B546ACE5F982}	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{557BB8B1-D5F8-430d-85A7-CA05AC69051C}\stubpath = "C:\\Windows\\{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe"	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}\stubpath = "C:\\Windows\\{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe"	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD609469-F5C0-497d-8047-57F1CD02A0EC}\stubpath = "C:\\Windows\\{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe"	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}\stubpath = "C:\\Windows\\{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe"	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{557BB8B1-D5F8-430d-85A7-CA05AC69051C}	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe

Executes dropped EXE 12 IoCs

pid	Process
4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe
2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe
3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe
960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe
2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe
2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe
3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe
4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe
3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe
800	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe
4416	{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe
3112	{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe
File created	C:\Windows\{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
File created	C:\Windows\{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe
File created	C:\Windows\{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe
File created	C:\Windows\{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe
File created	C:\Windows\{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe
File created	C:\Windows\{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe
File created	C:\Windows\{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe
File created	C:\Windows\{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe
File created	C:\Windows\{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe
File created	C:\Windows\{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe
File created	C:\Windows\{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}.exe	{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe
Token: SeIncBasePriorityPrivilege	2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe
Token: SeIncBasePriorityPrivilege	3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe
Token: SeIncBasePriorityPrivilege	960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe
Token: SeIncBasePriorityPrivilege	2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe
Token: SeIncBasePriorityPrivilege	2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe
Token: SeIncBasePriorityPrivilege	3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe
Token: SeIncBasePriorityPrivilege	4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe
Token: SeIncBasePriorityPrivilege	3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe
Token: SeIncBasePriorityPrivilege	800	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe
Token: SeIncBasePriorityPrivilege	4416	{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 4596	2956	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	85
PID 2956 wrote to memory of 4596	2956	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	85
PID 2956 wrote to memory of 4596	2956	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	85
PID 2956 wrote to memory of 4420	2956	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	86
PID 2956 wrote to memory of 4420	2956	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	86
PID 2956 wrote to memory of 4420	2956	2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe	86
PID 4596 wrote to memory of 2104	4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe	93
PID 4596 wrote to memory of 2104	4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe	93
PID 4596 wrote to memory of 2104	4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe	93
PID 4596 wrote to memory of 3800	4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe	92
PID 4596 wrote to memory of 3800	4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe	92
PID 4596 wrote to memory of 3800	4596	{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe	92
PID 2104 wrote to memory of 3020	2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe	96
PID 2104 wrote to memory of 3020	2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe	96
PID 2104 wrote to memory of 3020	2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe	96
PID 2104 wrote to memory of 1188	2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe	95
PID 2104 wrote to memory of 1188	2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe	95
PID 2104 wrote to memory of 1188	2104	{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe	95
PID 3020 wrote to memory of 960	3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe	97
PID 3020 wrote to memory of 960	3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe	97
PID 3020 wrote to memory of 960	3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe	97
PID 3020 wrote to memory of 3468	3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe	98
PID 3020 wrote to memory of 3468	3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe	98
PID 3020 wrote to memory of 3468	3020	{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe	98
PID 960 wrote to memory of 2872	960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe	99
PID 960 wrote to memory of 2872	960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe	99
PID 960 wrote to memory of 2872	960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe	99
PID 960 wrote to memory of 4252	960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe	100
PID 960 wrote to memory of 4252	960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe	100
PID 960 wrote to memory of 4252	960	{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe	100
PID 2872 wrote to memory of 2552	2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe	101
PID 2872 wrote to memory of 2552	2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe	101
PID 2872 wrote to memory of 2552	2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe	101
PID 2872 wrote to memory of 2852	2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe	102
PID 2872 wrote to memory of 2852	2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe	102
PID 2872 wrote to memory of 2852	2872	{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe	102
PID 2552 wrote to memory of 3288	2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe	103
PID 2552 wrote to memory of 3288	2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe	103
PID 2552 wrote to memory of 3288	2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe	103
PID 2552 wrote to memory of 4036	2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe	104
PID 2552 wrote to memory of 4036	2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe	104
PID 2552 wrote to memory of 4036	2552	{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe	104
PID 3288 wrote to memory of 4048	3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe	105
PID 3288 wrote to memory of 4048	3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe	105
PID 3288 wrote to memory of 4048	3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe	105
PID 3288 wrote to memory of 624	3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe	106
PID 3288 wrote to memory of 624	3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe	106
PID 3288 wrote to memory of 624	3288	{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe	106
PID 4048 wrote to memory of 3908	4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe	107
PID 4048 wrote to memory of 3908	4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe	107
PID 4048 wrote to memory of 3908	4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe	107
PID 4048 wrote to memory of 3952	4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe	108
PID 4048 wrote to memory of 3952	4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe	108
PID 4048 wrote to memory of 3952	4048	{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe	108
PID 3908 wrote to memory of 800	3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe	109
PID 3908 wrote to memory of 800	3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe	109
PID 3908 wrote to memory of 800	3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe	109
PID 3908 wrote to memory of 4976	3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe	110
PID 3908 wrote to memory of 4976	3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe	110
PID 3908 wrote to memory of 4976	3908	{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe	110
PID 800 wrote to memory of 4416	800	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe	111
PID 800 wrote to memory of 4416	800	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe	111
PID 800 wrote to memory of 4416	800	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe	111
PID 800 wrote to memory of 3428	800	{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_05d620445f982ac836dfc862039dc831_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe
  C:\Windows\{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{557BB~1.EXE > nul
    3⤵
    PID:3800
- - C:\Windows\{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe
    C:\Windows\{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D1210~1.EXE > nul
      4⤵
      PID:1188
  - - C:\Windows\{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe
      C:\Windows\{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe
        
        C:\Windows\{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe
        
        C:\Windows\{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe
        
        C:\Windows\{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe
        
        C:\Windows\{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe
        
        C:\Windows\{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe
        
        C:\Windows\{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe
        
        C:\Windows\{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe
        
        C:\Windows\{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}.exe
        
        C:\Windows\{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}.exe
        13⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A0A0~1.EXE > nul
        13⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{729F8~1.EXE > nul
        12⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1D89~1.EXE > nul
        11⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D9D~1.EXE > nul
        10⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2BB1~1.EXE > nul
        9⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5468C~1.EXE > nul
        8⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD609~1.EXE > nul
        7⤵
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC079~1.EXE > nul
        6⤵
        
        PID:4252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBE9~1.EXE > nul
        5⤵
        
        PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5468C653-66B5-4068-A3A1-790FD36A1E09}.exe

Filesize
197KB

MD5
57d9e6cef67d2b38574f9530859095b6

SHA1
52d0eace04e1021c02d3eca1343015e0995513b9

SHA256
9e8caab8e05f9946c3eb35d7d024b758caaa327fa52188f70a49f8a0a406e6bf

SHA512
84d018ce52072f913a7ad8179ac84d1ddbe6cfece6ba8a60553812b3f17cec8c7aba23e02e396af1761d1e5cf583be7496130b3b9dd4642eb77b18539fa54c91

Download Submit
C:\Windows\{557BB8B1-D5F8-430d-85A7-CA05AC69051C}.exe

Filesize
197KB

MD5
cf2e1d9d5993df1c10f9d45f31a1ec99

SHA1
4df681bd30d94c58d4e4e0cb805c30fabe50ece3

SHA256
c06162798e62a565562a9efaa4765bb272225685e13fa0af3f082b40384285d3

SHA512
71c7bb0ef50bbe55804fb2d24f9ac08cb77e8c5de99cd6c020836d81943e05b436a370be30eb2ec4c304a0f28315af2ff7c481e8da6b90536ac3452c77465b14

Download Submit
C:\Windows\{729F8389-BAC5-4a94-83C9-E0414109EA30}.exe

Filesize
197KB

MD5
98d9b0494d2bb8eb8daf045e042ffb22

SHA1
d70202ff09d8a2418f7256c8aec82b15d14cd79c

SHA256
277502162e0128c79270fcc0037a93b5a40c9006c56869af25d3df33bbd9ca9e

SHA512
c2268daf5f79428ec90b96c8e062a3ffe2caa29471b6cbc848634a87d4d78aaaeb4a9b4e8aa3c1494ef23f832b5c65ea8b7a6df41ec00ddcae25b4b9b6c5132d

Download Submit
C:\Windows\{7A0A0420-1190-4501-B28D-B546ACE5F982}.exe

Filesize
197KB

MD5
71052456118bd31e046b3e9974395599

SHA1
1c457751e6afeaf7aa7ab43be6c432523878f0db

SHA256
cb70b90ababc007b4dfc85a7681339a07a409aa4a3495da924e9d8c02493488d

SHA512
6c28090e1e5c4d4fe13abb8ff6c7bed9c2a75bf328156989612aa01eee5f25a831e2a6095c3a78f7c970011c0efa74fb6c421e54e3a3ced5c7f68d0543d06910

Download Submit
C:\Windows\{9EBE9DBE-7840-4193-B51C-E8FA8ECF9145}.exe

Filesize
197KB

MD5
492734e831b60a14200da0fb48b65f7d

SHA1
45124ee812e1e0fd92487ee6bac574261921e9ee

SHA256
caecf506e8910a1d20351f1f23050da247690360419367e110061a5b2180dd9c

SHA512
1d1eb5c8dcc7fb53b280d1a8b5c3ffdc4ee29f3c35cbc9371d6d752f5bd87a7a128446366d99c56c749772fb17ae3f290b6c33908f2aad57ff55f1f81880a562

Download Submit
C:\Windows\{AF223AC0-9DDF-4385-86EC-601F9FA5DD87}.exe

Filesize
197KB

MD5
8b68118071a6a18412cdde65ae2c3b9d

SHA1
601affdbfa53774b222dcdd51aa6fd4e7d04580b

SHA256
24657fbe24fe5668ec1739718f2517d5e8815b62a1986fd2ca41b520ac6c6b07

SHA512
e00ca642e57d84eb687e414b3eede9c85bccdc6888177f98d4bae2d8eaf20c278f8d7de48ac4d0cfffe5ccaf9597dd34b3b2b810377e56be96a26ebb5e335e75

Download Submit
C:\Windows\{B1D89E9F-9170-4846-9165-4D61DD20F213}.exe

Filesize
197KB

MD5
3e423426bf5649648b0c70b611729836

SHA1
cb1a0abfb3c67b6bddc7daa50cd66045e7b6a85f

SHA256
1df0de9b05614303c6cbc790022534dbf6dbb0a3e4b5236d83724243ec34aabb

SHA512
80ac3407cf7285a8a1324ca6a9592aa166199645a6515b69bb6eac58dcfa5fe89011d1bedd875320183b43f79198a363eb2c583a4db2eb3a4c7342708d126460

Download Submit
C:\Windows\{B5D9DCB4-F70F-49c9-9E84-C8412BCBF95C}.exe

Filesize
197KB

MD5
00160ca53520b3aca17e3f2d425a2bde

SHA1
37a24cc777857d0b7e6d29b4a9ffbd86544b098e

SHA256
fcc4def731ffe47a8d442c401c423ca2ec7771e5a4bede39c14d6b592855db81

SHA512
3cb5d807303aaf9588313e22f00c94676fe66de0b96233b16533ca605d839f29c00f7d754f39b0bad324bf9c3453f493ff39110665307e1d64e8c5840fc85732

Download Submit
C:\Windows\{C2BB1E03-74CE-4e2e-88FD-AC54C573F6A7}.exe

Filesize
197KB

MD5
83b9b2eb457fb2150955a8aa21a8952a

SHA1
11d5cd064e801795f56efa4eb0dbbba3ce10314c

SHA256
b2726efb28a7cc1dd2f551e43dd4e47e8e017a6f39f768eaf57bbbf746c8de8e

SHA512
196044863168a093ca3df7316b29fa80949172dc148431978d35d73c328a72fff97008814be317e47bdcb1982d1e5051a5d639614ae24220cdda081ff2e322f5

Download Submit
C:\Windows\{D1210AFC-F3A0-46fe-BCB5-05C29AC879B2}.exe

Filesize
197KB

MD5
8ab7d39441d959c30905dc81894e8653

SHA1
1c0460dc673c70d2130c0cf02fbbbe837a56f71d

SHA256
5b73df0aa44006c23a4b186bc7ed089869708cfdddf2d0488ef93909b3732170

SHA512
d91b181c722e9112a00352cde81467a098b6c763ccbb5436cb37d9f79556aedeba10383fc68def30edc38ebb794fd08700ab6e9d8dc7e97e34e1bffc5905d232

Download Submit
C:\Windows\{FC0793D6-296C-46a0-9106-AE68AC1F92CD}.exe

Filesize
197KB

MD5
c51eaacad9ed43823bbf04f45cfd10eb

SHA1
62060a96455c91b68c15ef51338e643881ce4757

SHA256
794cf1fbf7bd521dad4ed222c5cc3decd392481695f1a2d769eb7c76ac62a65f

SHA512
d69b9435e315405c3752c5ddce7380c8cb9e4836a5f91c3a3229b172ace3c670cfdbf638aceec847674702713dd7454ff78c052fde3e484aab9e992657e4027e

Download Submit
C:\Windows\{FD609469-F5C0-497d-8047-57F1CD02A0EC}.exe

Filesize
197KB

MD5
3b8284c7a6240860cf4202e709b9e5f1

SHA1
f1806739d16c042bd00eeccefa01451d3bcebdc2

SHA256
f25873b1049b619eb17a60142ace5fc554bfa93c35fa26ae673946ed613b8c89

SHA512
ba106b3c57f475736799b711a5b4b496a0f08a20cd3bdfcdb16d51125f98f88d15ca483d209cec20eaa33cef43f3908f862534828ca99732509727dda1b8f64b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads