84cbba6745152aa42f084d8414a2737b67c23862e40f56e515aaa9cdea24f84f

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe
Size

408KB
MD5

99d98447c75fe4a88d1cad4bc65f13a9
SHA1

1bbe9bd4c354a286ae4ec0c2b0d4fcdb420a8df4
SHA256

84cbba6745152aa42f084d8414a2737b67c23862e40f56e515aaa9cdea24f84f
SHA512

f6e5c3aa2a13b7c9183367b76a9b10fcc925b6a957cbbb991d340e2380a90bd945b49586ca93be2ed93b2498c788e2158e4776fd1503d2c0681f923326469376
SSDEEP

3072:CEGh0o5l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG/ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023120-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023129-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023132-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023129-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023132-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}	{E64913E2-A024-433b-BC78-C719A41970CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48990610-5FD2-427e-901A-DDCC421AF315}	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48990610-5FD2-427e-901A-DDCC421AF315}\stubpath = "C:\\Windows\\{48990610-5FD2-427e-901A-DDCC421AF315}.exe"	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5490763-9F5C-40eb-AF33-CEFA51B8D164}	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F494FBD4-2D37-471a-9E21-697ACA5DED10}\stubpath = "C:\\Windows\\{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe"	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}\stubpath = "C:\\Windows\\{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe"	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}\stubpath = "C:\\Windows\\{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe"	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9335B457-B67F-426a-AE9E-518BCD9507E7}	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B630C960-1A8C-4ba5-A5FA-B32F775F956B}	{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}\stubpath = "C:\\Windows\\{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe"	{48990610-5FD2-427e-901A-DDCC421AF315}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9335B457-B67F-426a-AE9E-518BCD9507E7}\stubpath = "C:\\Windows\\{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe"	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64913E2-A024-433b-BC78-C719A41970CC}	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64913E2-A024-433b-BC78-C719A41970CC}\stubpath = "C:\\Windows\\{E64913E2-A024-433b-BC78-C719A41970CC}.exe"	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}\stubpath = "C:\\Windows\\{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe"	{E64913E2-A024-433b-BC78-C719A41970CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B630C960-1A8C-4ba5-A5FA-B32F775F956B}\stubpath = "C:\\Windows\\{B630C960-1A8C-4ba5-A5FA-B32F775F956B}.exe"	{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}	{48990610-5FD2-427e-901A-DDCC421AF315}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5490763-9F5C-40eb-AF33-CEFA51B8D164}\stubpath = "C:\\Windows\\{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe"	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35464B2E-ADE1-4091-AD60-CFC362ED3399}\stubpath = "C:\\Windows\\{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe"	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7EB4865-DA6F-4eb6-97A8-990E807496C4}	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7EB4865-DA6F-4eb6-97A8-990E807496C4}\stubpath = "C:\\Windows\\{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe"	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F494FBD4-2D37-471a-9E21-697ACA5DED10}	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35464B2E-ADE1-4091-AD60-CFC362ED3399}	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe

Executes dropped EXE 12 IoCs

pid	Process
4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe
1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe
4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe
4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe
1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe
3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe
2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe
3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe
4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe
4540	{E64913E2-A024-433b-BC78-C719A41970CC}.exe
1004	{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe
2336	{B630C960-1A8C-4ba5-A5FA-B32F775F956B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{48990610-5FD2-427e-901A-DDCC421AF315}.exe	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe
File created	C:\Windows\{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe
File created	C:\Windows\{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe
File created	C:\Windows\{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe
File created	C:\Windows\{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe
File created	C:\Windows\{B630C960-1A8C-4ba5-A5FA-B32F775F956B}.exe	{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe
File created	C:\Windows\{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe	{48990610-5FD2-427e-901A-DDCC421AF315}.exe
File created	C:\Windows\{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe
File created	C:\Windows\{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe
File created	C:\Windows\{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe
File created	C:\Windows\{E64913E2-A024-433b-BC78-C719A41970CC}.exe	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe
File created	C:\Windows\{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe	{E64913E2-A024-433b-BC78-C719A41970CC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2580	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe
Token: SeIncBasePriorityPrivilege	1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe
Token: SeIncBasePriorityPrivilege	4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe
Token: SeIncBasePriorityPrivilege	4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe
Token: SeIncBasePriorityPrivilege	1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe
Token: SeIncBasePriorityPrivilege	3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe
Token: SeIncBasePriorityPrivilege	2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe
Token: SeIncBasePriorityPrivilege	3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe
Token: SeIncBasePriorityPrivilege	4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe
Token: SeIncBasePriorityPrivilege	4540	{E64913E2-A024-433b-BC78-C719A41970CC}.exe
Token: SeIncBasePriorityPrivilege	1004	{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 4236	2580	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe	87
PID 2580 wrote to memory of 4236	2580	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe	87
PID 2580 wrote to memory of 4236	2580	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe	87
PID 2580 wrote to memory of 1636	2580	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe	88
PID 2580 wrote to memory of 1636	2580	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe	88
PID 2580 wrote to memory of 1636	2580	2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe	88
PID 4236 wrote to memory of 1528	4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe	92
PID 4236 wrote to memory of 1528	4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe	92
PID 4236 wrote to memory of 1528	4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe	92
PID 4236 wrote to memory of 4088	4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe	93
PID 4236 wrote to memory of 4088	4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe	93
PID 4236 wrote to memory of 4088	4236	{48990610-5FD2-427e-901A-DDCC421AF315}.exe	93
PID 1528 wrote to memory of 4920	1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe	95
PID 1528 wrote to memory of 4920	1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe	95
PID 1528 wrote to memory of 4920	1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe	95
PID 1528 wrote to memory of 4392	1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe	96
PID 1528 wrote to memory of 4392	1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe	96
PID 1528 wrote to memory of 4392	1528	{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe	96
PID 4920 wrote to memory of 4508	4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe	97
PID 4920 wrote to memory of 4508	4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe	97
PID 4920 wrote to memory of 4508	4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe	97
PID 4920 wrote to memory of 2120	4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe	98
PID 4920 wrote to memory of 2120	4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe	98
PID 4920 wrote to memory of 2120	4920	{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe	98
PID 4508 wrote to memory of 1308	4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe	99
PID 4508 wrote to memory of 1308	4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe	99
PID 4508 wrote to memory of 1308	4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe	99
PID 4508 wrote to memory of 1200	4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe	100
PID 4508 wrote to memory of 1200	4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe	100
PID 4508 wrote to memory of 1200	4508	{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe	100
PID 1308 wrote to memory of 3952	1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe	101
PID 1308 wrote to memory of 3952	1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe	101
PID 1308 wrote to memory of 3952	1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe	101
PID 1308 wrote to memory of 2108	1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe	102
PID 1308 wrote to memory of 2108	1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe	102
PID 1308 wrote to memory of 2108	1308	{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe	102
PID 3952 wrote to memory of 2960	3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe	104
PID 3952 wrote to memory of 2960	3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe	104
PID 3952 wrote to memory of 2960	3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe	104
PID 3952 wrote to memory of 4220	3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe	103
PID 3952 wrote to memory of 4220	3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe	103
PID 3952 wrote to memory of 4220	3952	{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe	103
PID 2960 wrote to memory of 3304	2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe	105
PID 2960 wrote to memory of 3304	2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe	105
PID 2960 wrote to memory of 3304	2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe	105
PID 2960 wrote to memory of 1468	2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe	106
PID 2960 wrote to memory of 1468	2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe	106
PID 2960 wrote to memory of 1468	2960	{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe	106
PID 3304 wrote to memory of 4144	3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe	107
PID 3304 wrote to memory of 4144	3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe	107
PID 3304 wrote to memory of 4144	3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe	107
PID 3304 wrote to memory of 5104	3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe	108
PID 3304 wrote to memory of 5104	3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe	108
PID 3304 wrote to memory of 5104	3304	{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe	108
PID 4144 wrote to memory of 4540	4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe	110
PID 4144 wrote to memory of 4540	4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe	110
PID 4144 wrote to memory of 4540	4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe	110
PID 4144 wrote to memory of 3704	4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe	109
PID 4144 wrote to memory of 3704	4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe	109
PID 4144 wrote to memory of 3704	4144	{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe	109
PID 4540 wrote to memory of 1004	4540	{E64913E2-A024-433b-BC78-C719A41970CC}.exe	111
PID 4540 wrote to memory of 1004	4540	{E64913E2-A024-433b-BC78-C719A41970CC}.exe	111
PID 4540 wrote to memory of 1004	4540	{E64913E2-A024-433b-BC78-C719A41970CC}.exe	111
PID 4540 wrote to memory of 4000	4540	{E64913E2-A024-433b-BC78-C719A41970CC}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_99d98447c75fe4a88d1cad4bc65f13a9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\{48990610-5FD2-427e-901A-DDCC421AF315}.exe
  C:\Windows\{48990610-5FD2-427e-901A-DDCC421AF315}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe
    C:\Windows\{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe
      C:\Windows\{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe
        
        C:\Windows\{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe
        
        C:\Windows\{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe
        
        C:\Windows\{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6C3C~1.EXE > nul
        8⤵
        
        PID:4220
        
        C:\Windows\{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe
        
        C:\Windows\{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe
        
        C:\Windows\{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe
        
        C:\Windows\{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7EB4~1.EXE > nul
        11⤵
        
        PID:3704
        
        C:\Windows\{E64913E2-A024-433b-BC78-C719A41970CC}.exe
        
        C:\Windows\{E64913E2-A024-433b-BC78-C719A41970CC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe
        
        C:\Windows\{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\{B630C960-1A8C-4ba5-A5FA-B32F775F956B}.exe
        
        C:\Windows\{B630C960-1A8C-4ba5-A5FA-B32F775F956B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CD19~1.EXE > nul
        13⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6491~1.EXE > nul
        12⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9335B~1.EXE > nul
        10⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E07B2~1.EXE > nul
        9⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35464~1.EXE > nul
        7⤵
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F494F~1.EXE > nul
        6⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5490~1.EXE > nul
        5⤵
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA18~1.EXE > nul
      4⤵
      PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{48990~1.EXE > nul
    3⤵
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CD191DB-E5DB-4df3-B7C7-83010C0CFC3B}.exe

Filesize
408KB

MD5
2107f5ac518a90950970dac1cacefcd0

SHA1
279ca7d2ca4f4ed044457b2fb21b8c747d3878d4

SHA256
e8eaea1e8b7b8ee28c6c3bdee4057ed327cfce3336b2b3b54320be72565a99f6

SHA512
9916bf66ac2c80d2adc28d0316b42645e81212f55e53fb7a249112f9ffd6dbf06d1a64b2dbafdd50d862a28f0a60367bb395b3f950a4de62da64789ad218c19e

Download Submit
C:\Windows\{35464B2E-ADE1-4091-AD60-CFC362ED3399}.exe

Filesize
408KB

MD5
5575951d1ed76140747066310b43d5b6

SHA1
0684d6a38519c93c22c16077b616a7c3b5f69fb6

SHA256
f4086d8c68e7334a24c4e3c8fcf1d7357871e247531ba8c8501fdcde1f58bbb7

SHA512
038ac235c0ad73ff4ac8e4c9b9a2fe078001014053de332e48a6b2160c2c5c29ee82cf8f44384bb8872a08683d1316c383546cd8eaeee907e79146ef114e9746

Download Submit
C:\Windows\{48990610-5FD2-427e-901A-DDCC421AF315}.exe

Filesize
408KB

MD5
b6a95b7620d6ad152bc927deb0ea60af

SHA1
6e348a743ede25360456a0910f542d8b80360fd8

SHA256
36e30c0af15536028c000e7a7079b7e6c02db504360f532f27e13b2ed29c9999

SHA512
a823d92654c4879eaadb2aa95768571d0c07913f16bb423a6afb62190df8ae09519939df5ae6f458d480ec6d30d949a1b7d9e7d2a7fa0353053f5231d9195b72

Download Submit
C:\Windows\{9335B457-B67F-426a-AE9E-518BCD9507E7}.exe

Filesize
408KB

MD5
c25990efa26cca30ff3da0f980f2cf28

SHA1
00c8e2944e6577e2cbdec516d8239de50e2630b2

SHA256
31adb4e3b073e336d320ca85288e322286fd0a2f4f5cce035e6fa120b0b0aabb

SHA512
2474fed63d4eed6bb8b91d65cde1304f13f8741876e54721e599990333a47391f880770fcb043c89889f2c6960428393f92107fb1f7095800d26c75f4c6ac2c7

Download Submit
C:\Windows\{A5490763-9F5C-40eb-AF33-CEFA51B8D164}.exe

Filesize
408KB

MD5
ac312071efb5a54e6f243d30b2f43507

SHA1
b35700ba8898458f35aa502f6e131d869282f654

SHA256
d4ec74cb76ddaf91c0eecc79fa4b94a45ff7d9593278e77f364f0e2d12f39bd8

SHA512
2243b080f0489811aec40c9e5eb090d0a3c186f080fb9324e3bbd7d21904f7a51581a87bb41792d77ce5cd6b2afba68cdf4c1188507ea8f3dabf0bac6042cd6d

Download Submit
C:\Windows\{A7EB4865-DA6F-4eb6-97A8-990E807496C4}.exe

Filesize
408KB

MD5
747f80a642e3ed6c77c3384fe555693e

SHA1
5177d393cec03143464d70cfad1ab36e1c19067e

SHA256
40fbf7d86bfce5ad457f3a89bb23146b64e420fd2969e289681f3768752bd03b

SHA512
fc926bc40c5863922282fed017d4fb4da9775b107120b93d56f87c6f81499c408adb75d881c8714c98a5e83d35fb0bb468f0b310d55cfe6ed9dcbdb9cccf390b

Download Submit
C:\Windows\{B630C960-1A8C-4ba5-A5FA-B32F775F956B}.exe

Filesize
408KB

MD5
b5d311fe5ffe66ba92e6325df7f44dd1

SHA1
2f5867adac5a95e9749d3c1a52aa76f664ad2619

SHA256
5f2b8e5d208a129ca78145d04ff0a66d10af92a78efb2df2c91b321976340ce3

SHA512
d3afe063805d110e517841e461632e5c4bc2d326974cca9d056049ac9832aea0b76074c7edba13849d9c2f5d40c9a6d90474247345a7125d5b708bdedba6b294

Download Submit
C:\Windows\{C6C3C81E-2574-43c1-9A82-4A94948A3DF3}.exe

Filesize
408KB

MD5
b2f529d5f2da0180de42991c63702b96

SHA1
48c3b4e26d867e09fcc6b467be2c92c665bb0f54

SHA256
14025665ad6b7a0712dc81a55673314cec7eeb954e8458ad8523764726958ad7

SHA512
fd6b19fc603f863343465e2a9ea014110085a6c07488044382672ca0682b281c30e03d759b6bbfe589bb9c25fc70b5a2c95513bd25cd25d93a57feea8491cd46

Download Submit
C:\Windows\{E07B28D6-02E4-442a-A052-CA3FAD2E9A69}.exe

Filesize
408KB

MD5
e3ebaf3d2bdaebcabdaf8eaf349b1a4b

SHA1
96c8b9e6c3f4df9da67fa1e1765b02b5e01bbfec

SHA256
6eaa594dce8300ccd4440e00ab5d91e602defdab048e08a4f64c027ad190ac3c

SHA512
e664b333fe8d97b13198031a63c7e5555f1c1fff14ac66bce41796c8a0eb0598c6fe1b7f7bbbd7c52605576e48f8c724aaee639028b5e513186e80b1c61b08f4

Download Submit
C:\Windows\{E64913E2-A024-433b-BC78-C719A41970CC}.exe

Filesize
408KB

MD5
6fdd4f188c91e8d74a7c653d43a7ec81

SHA1
15ed018690ea180084c38dbed40d8aa0b0668984

SHA256
6329b5be8c28c29c1caf61140c2a1c68b17236cbdaa19cb409fdf16577a71c95

SHA512
7678b90de1d0ed86b8f10d96891f491c95f5c5b605fc6ed23be24b8147ea4a4c464ca63f9f07a7b63bc1f0effd9e92e2ce07ae35b287a548998aa711412e9059

Download Submit
C:\Windows\{EDA1896D-68B9-44ad-8D83-4C170A1B6CC6}.exe

Filesize
408KB

MD5
c42260c0e80725430a9a86390a6fa90c

SHA1
108be9c5c2d89d378bb4a30a4f6fb6172b9504a7

SHA256
2036043d571afbc9e28eefde06f0f78429f94e7f4ec0459368deffcfffc4d0a1

SHA512
050735847294f69bbc5f53e84091d8c66880b0d3ac54d5bad8e52eca90e712495e1ff890d3533590d0e7546ee87bf20459efefec7c816b9265a4de0e10617fb5

Download Submit
C:\Windows\{F494FBD4-2D37-471a-9E21-697ACA5DED10}.exe

Filesize
408KB

MD5
3961617b6285e3647ae11300a516ebdd

SHA1
af651681a3f6b8bc7bc2086bc8f622eefae73748

SHA256
d170fdd48d270c5d863bd0956f2b21563067e498bb3506d13fb61ce1f4cd40cb

SHA512
da24f948bf6fdd614f6fa130646e402412b64c124c6db5a701b24b268e6b94c3391d71515b6f638cf1be584ab1898752e556ecb805abe6acccd0b6a81fea71c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads