046a17bfac09f58d41c62ebdfe914bdffd2b080923fab7ae9ccb3dce91c8f82b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Size

180KB
MD5

aa06f55fb547e0c70256d0aeb8e0117f
SHA1

2dde9b7db50c79f22c1ec4aa802e887cc0cb6beb
SHA256

046a17bfac09f58d41c62ebdfe914bdffd2b080923fab7ae9ccb3dce91c8f82b
SHA512

6273ddd33c4d6d6a23be1aa43aff46cf3336461440bb88eeeb4ace302b07013735f1c447fe6951b4d35c52a4b51d501c240498c3833bd01595dd06e0f9a4fb6b
SSDEEP

3072:jEGh0oilfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGEl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023135-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002313a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023018-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023018-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}\stubpath = "C:\\Windows\\{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe"	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B582CB5B-F208-465a-A763-EEF7E73DAA73}	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}\stubpath = "C:\\Windows\\{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe"	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42EA1613-5FDC-495a-A381-73B652E2D866}	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42EA1613-5FDC-495a-A381-73B652E2D866}\stubpath = "C:\\Windows\\{42EA1613-5FDC-495a-A381-73B652E2D866}.exe"	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084E558E-650A-498c-A50F-16911C505B4E}	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}\stubpath = "C:\\Windows\\{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe"	{54F97B1B-C258-404e-831A-076A5364A481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76303C2B-57CF-4a32-920F-4BD2F533A1FA}\stubpath = "C:\\Windows\\{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe"	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}	{54F97B1B-C258-404e-831A-076A5364A481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B582CB5B-F208-465a-A763-EEF7E73DAA73}\stubpath = "C:\\Windows\\{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe"	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D215C21-3FCE-4711-817F-986048F3BB0C}\stubpath = "C:\\Windows\\{4D215C21-3FCE-4711-817F-986048F3BB0C}.exe"	{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084E558E-650A-498c-A50F-16911C505B4E}\stubpath = "C:\\Windows\\{084E558E-650A-498c-A50F-16911C505B4E}.exe"	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F97B1B-C258-404e-831A-076A5364A481}\stubpath = "C:\\Windows\\{54F97B1B-C258-404e-831A-076A5364A481}.exe"	{084E558E-650A-498c-A50F-16911C505B4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E20192E0-70A1-457b-89FE-3EAC21030ACF}\stubpath = "C:\\Windows\\{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe"	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}\stubpath = "C:\\Windows\\{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe"	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}\stubpath = "C:\\Windows\\{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe"	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76303C2B-57CF-4a32-920F-4BD2F533A1FA}	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D215C21-3FCE-4711-817F-986048F3BB0C}	{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F97B1B-C258-404e-831A-076A5364A481}	{084E558E-650A-498c-A50F-16911C505B4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E20192E0-70A1-457b-89FE-3EAC21030ACF}	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe

Executes dropped EXE 12 IoCs

pid	Process
232	{084E558E-650A-498c-A50F-16911C505B4E}.exe
1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe
4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe
4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe
4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe
1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe
2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe
4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe
2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe
1336	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe
4212	{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe
636	{4D215C21-3FCE-4711-817F-986048F3BB0C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe
File created	C:\Windows\{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe
File created	C:\Windows\{4D215C21-3FCE-4711-817F-986048F3BB0C}.exe	{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe
File created	C:\Windows\{084E558E-650A-498c-A50F-16911C505B4E}.exe	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
File created	C:\Windows\{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe
File created	C:\Windows\{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe
File created	C:\Windows\{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe
File created	C:\Windows\{42EA1613-5FDC-495a-A381-73B652E2D866}.exe	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe
File created	C:\Windows\{54F97B1B-C258-404e-831A-076A5364A481}.exe	{084E558E-650A-498c-A50F-16911C505B4E}.exe
File created	C:\Windows\{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe	{54F97B1B-C258-404e-831A-076A5364A481}.exe
File created	C:\Windows\{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe
File created	C:\Windows\{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4124	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	232	{084E558E-650A-498c-A50F-16911C505B4E}.exe
Token: SeIncBasePriorityPrivilege	1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe
Token: SeIncBasePriorityPrivilege	4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe
Token: SeIncBasePriorityPrivilege	4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe
Token: SeIncBasePriorityPrivilege	4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe
Token: SeIncBasePriorityPrivilege	1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe
Token: SeIncBasePriorityPrivilege	2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe
Token: SeIncBasePriorityPrivilege	4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe
Token: SeIncBasePriorityPrivilege	2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe
Token: SeIncBasePriorityPrivilege	1336	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe
Token: SeIncBasePriorityPrivilege	4212	{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 232	4124	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	84
PID 4124 wrote to memory of 232	4124	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	84
PID 4124 wrote to memory of 232	4124	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	84
PID 4124 wrote to memory of 452	4124	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	85
PID 4124 wrote to memory of 452	4124	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	85
PID 4124 wrote to memory of 452	4124	2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe	85
PID 232 wrote to memory of 1544	232	{084E558E-650A-498c-A50F-16911C505B4E}.exe	91
PID 232 wrote to memory of 1544	232	{084E558E-650A-498c-A50F-16911C505B4E}.exe	91
PID 232 wrote to memory of 1544	232	{084E558E-650A-498c-A50F-16911C505B4E}.exe	91
PID 232 wrote to memory of 564	232	{084E558E-650A-498c-A50F-16911C505B4E}.exe	92
PID 232 wrote to memory of 564	232	{084E558E-650A-498c-A50F-16911C505B4E}.exe	92
PID 232 wrote to memory of 564	232	{084E558E-650A-498c-A50F-16911C505B4E}.exe	92
PID 1544 wrote to memory of 4688	1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe	97
PID 1544 wrote to memory of 4688	1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe	97
PID 1544 wrote to memory of 4688	1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe	97
PID 1544 wrote to memory of 1700	1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe	96
PID 1544 wrote to memory of 1700	1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe	96
PID 1544 wrote to memory of 1700	1544	{54F97B1B-C258-404e-831A-076A5364A481}.exe	96
PID 4688 wrote to memory of 4400	4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe	98
PID 4688 wrote to memory of 4400	4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe	98
PID 4688 wrote to memory of 4400	4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe	98
PID 4688 wrote to memory of 4896	4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe	99
PID 4688 wrote to memory of 4896	4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe	99
PID 4688 wrote to memory of 4896	4688	{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe	99
PID 4400 wrote to memory of 4396	4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe	100
PID 4400 wrote to memory of 4396	4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe	100
PID 4400 wrote to memory of 4396	4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe	100
PID 4400 wrote to memory of 2820	4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe	101
PID 4400 wrote to memory of 2820	4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe	101
PID 4400 wrote to memory of 2820	4400	{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe	101
PID 4396 wrote to memory of 1808	4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe	102
PID 4396 wrote to memory of 1808	4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe	102
PID 4396 wrote to memory of 1808	4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe	102
PID 4396 wrote to memory of 2988	4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe	103
PID 4396 wrote to memory of 2988	4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe	103
PID 4396 wrote to memory of 2988	4396	{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe	103
PID 1808 wrote to memory of 2248	1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe	104
PID 1808 wrote to memory of 2248	1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe	104
PID 1808 wrote to memory of 2248	1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe	104
PID 1808 wrote to memory of 3772	1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe	105
PID 1808 wrote to memory of 3772	1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe	105
PID 1808 wrote to memory of 3772	1808	{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe	105
PID 2248 wrote to memory of 4880	2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe	106
PID 2248 wrote to memory of 4880	2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe	106
PID 2248 wrote to memory of 4880	2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe	106
PID 2248 wrote to memory of 1212	2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe	107
PID 2248 wrote to memory of 1212	2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe	107
PID 2248 wrote to memory of 1212	2248	{42EA1613-5FDC-495a-A381-73B652E2D866}.exe	107
PID 4880 wrote to memory of 2964	4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe	108
PID 4880 wrote to memory of 2964	4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe	108
PID 4880 wrote to memory of 2964	4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe	108
PID 4880 wrote to memory of 3112	4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe	109
PID 4880 wrote to memory of 3112	4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe	109
PID 4880 wrote to memory of 3112	4880	{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe	109
PID 2964 wrote to memory of 1336	2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe	110
PID 2964 wrote to memory of 1336	2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe	110
PID 2964 wrote to memory of 1336	2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe	110
PID 2964 wrote to memory of 2204	2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe	111
PID 2964 wrote to memory of 2204	2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe	111
PID 2964 wrote to memory of 2204	2964	{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe	111
PID 1336 wrote to memory of 4212	1336	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe	112
PID 1336 wrote to memory of 4212	1336	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe	112
PID 1336 wrote to memory of 4212	1336	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe	112
PID 1336 wrote to memory of 3612	1336	{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_aa06f55fb547e0c70256d0aeb8e0117f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\{084E558E-650A-498c-A50F-16911C505B4E}.exe
  C:\Windows\{084E558E-650A-498c-A50F-16911C505B4E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\{54F97B1B-C258-404e-831A-076A5364A481}.exe
    C:\Windows\{54F97B1B-C258-404e-831A-076A5364A481}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{54F97~1.EXE > nul
      4⤵
      PID:1700
  - - C:\Windows\{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe
      C:\Windows\{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe
        
        C:\Windows\{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe
        
        C:\Windows\{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe
        
        C:\Windows\{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{42EA1613-5FDC-495a-A381-73B652E2D866}.exe
        
        C:\Windows\{42EA1613-5FDC-495a-A381-73B652E2D866}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe
        
        C:\Windows\{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe
        
        C:\Windows\{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe
        
        C:\Windows\{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe
        
        C:\Windows\{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\{4D215C21-3FCE-4711-817F-986048F3BB0C}.exe
        
        C:\Windows\{4D215C21-3FCE-4711-817F-986048F3BB0C}.exe
        13⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76303~1.EXE > nul
        13⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF01F~1.EXE > nul
        12⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0068B~1.EXE > nul
        11⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42B8A~1.EXE > nul
        10⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42EA1~1.EXE > nul
        9⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4679A~1.EXE > nul
        8⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B582C~1.EXE > nul
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2019~1.EXE > nul
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75DF1~1.EXE > nul
        5⤵
        
        PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{084E5~1.EXE > nul
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0068B97E-9BD2-4c30-8EDD-71AC03C5C496}.exe

Filesize
180KB

MD5
cd0f2cd52e998e4926cf6debd120c8de

SHA1
a82f983fdc669f463536e4dd9ade4171fa70cf41

SHA256
b286dd61e765645bf6af4e9b43cd24fabe0d5c31bafc5d21f2bc6f9c208981dc

SHA512
fc077709b28cfd4fb3cafb5d1e5b65586a70b863d0266051c1babbe221bae32808159309e4d4d64063d6c6d7fc69edecb0b1fd51e80f2e474564bb7a645fb90e

Download Submit
C:\Windows\{084E558E-650A-498c-A50F-16911C505B4E}.exe

Filesize
180KB

MD5
2de58959699118581ca404ea61d68d21

SHA1
0baabfdf06de459b95e2425ab67d18e9f1df9c16

SHA256
90e1f14070e1e19d8b3e1c42cb4b8bcc8aa20ad58c0caa71e9aecb8c67d45bc5

SHA512
7e54d67df75edfdd860bc19feaf2e31c106a0a204abea59e5c9624116cb314665a38e1e9f8537dcde03ee420eba4d8909b6edd3d5cc90d3e17efe12b8400c14d

Download Submit
C:\Windows\{42B8AC05-B7FE-4033-9AC0-ED0A507A5839}.exe

Filesize
180KB

MD5
d647f295d126f133dcabb69af77065a8

SHA1
836381c96ec2681c744a0c2019845ce54b259f25

SHA256
3ce08ac2371da2eb4c8d80a82788eeabde0d434baf3eda8895adee115eb80619

SHA512
6b06118770fa7f0ca8fd5da88e0f0f28fe08b6eb2acc69906a360f7cf77cc0eaadaa988c5835eb01cbc16d6c901d3f695674c7105c3dd5bd05aee4fa6f2cdf5f

Download Submit
C:\Windows\{42EA1613-5FDC-495a-A381-73B652E2D866}.exe

Filesize
180KB

MD5
3fb8dba9fb46141d971da85e36df286c

SHA1
867641a7b7daeabfd84779674e29f23964dda7b3

SHA256
24958668955eb63379b1715cfca70b6ba56e24f27529c88c57b976df141bfba1

SHA512
2af67977e356bb0a5900c2ddaef608e1e4a8e0373455a66ecf3dea69999858c6ac40b28e6b47280e22273824db6bf944cb3cd83bfe644ae0388d6839496de509

Download Submit
C:\Windows\{4679AADE-EA60-4b41-8A04-8FAC5B9C3B9D}.exe

Filesize
180KB

MD5
fd1af7cec7222fb22b08ff2a90e0969a

SHA1
a45a43d7c0beb58c41ef859f2a6b8d4abd6ed58a

SHA256
24ccd2de8363e4e7c6960ac1754e6dde16048e5b3352af4d9820dc7344c068ac

SHA512
cf3bda02ba9a1818461f8f25ee6e4a486b2a997accf3707e3cd4d2fdf76026db6368ebbfc162a2ae51204e2769115320b1784c3b48fc33ae9f112773c3f8b941

Download Submit
C:\Windows\{4D215C21-3FCE-4711-817F-986048F3BB0C}.exe

Filesize
180KB

MD5
d0f87041dd8583e3ddbdfb965708d014

SHA1
ba7b85ce65ca941dfd72082a858a8072408c4a18

SHA256
88453beea68ecc14b8a8f6c49ff2c875c3fe0f581525a477f9c538c42a150c01

SHA512
63617f6baa28e9c4571697f5ef527db0af9ec082338dd9cfab8ee56d19db91c7612aa2ba435e86ae48f0e66d110521ab47294ec935d3246a70c6e25cf126ea47

Download Submit
C:\Windows\{54F97B1B-C258-404e-831A-076A5364A481}.exe

Filesize
180KB

MD5
f4044515d69eae4d1a92fae5ee9d8574

SHA1
c7ffdbd3c1c08ccc0553e75508e9b8d7c6d4fd15

SHA256
96530ac0e444a84a50f82b4caccb252b69575b541f68f280d02e033d87e5b100

SHA512
a5cd173318ab7334d693381056b97d8e3c4ab422fcdd335cda9c983023ac8ddd2d4cb51595c20ac08cf1c9e615f325734603d0d5e23aa2a71b42558ad823a61a

Download Submit
C:\Windows\{75DF12E8-6351-4b2b-B2A6-FE8BEBB3F65B}.exe

Filesize
180KB

MD5
498421cd1db18a71573825172fc247ac

SHA1
86297f2db352f8a2947e01a86cc22afd57714876

SHA256
64555bf9180f79898f44313cc1419dc1132deaa551f663e8e5c2d5db34183882

SHA512
bf717f8239c59a3dc55e794687fb7d8662cf1a1f2f6ef72bdd3e23113d4e2a8edf31868453901123027bafcd6d1e90f8e196567f20e19c79e9dd62e547688509

Download Submit
C:\Windows\{76303C2B-57CF-4a32-920F-4BD2F533A1FA}.exe

Filesize
180KB

MD5
251ceeb1cb91389ed497b5dc7ab0c807

SHA1
7acd9dac2bb09af576177429756bbc5248373b45

SHA256
548fe3f4a355447c6d4c1b1e6960755d5b5efeada8c577a73572914338935f58

SHA512
789566ba9d358b4b980057ecb591dd65fbcde2f2c94bea26a8f1c3141eb1bfeab3a6afd75e066393180aa295ac0bb9aea594dca886036ec47d1d0dfedc5393bc

Download Submit
C:\Windows\{B582CB5B-F208-465a-A763-EEF7E73DAA73}.exe

Filesize
180KB

MD5
14c0a001d18422c78fbfd4727f6dd391

SHA1
5f7069cf86ca4dab966a56e7783d010386cc2962

SHA256
a956c1b8511ce934e27a439977e425a574d667d592990693deae2eb12acf3733

SHA512
2ee3fa6b42f97155cbeeb11c3aab47264870877077f7fcd8bd05ee4d7adafcea53a8a0c0b2ebbb48021afdd143e343e80de2b3f492a7575cef61d1e2b5b260a2

Download Submit
C:\Windows\{CF01F57D-9D0F-4c82-AEF0-6AF258D9CFDF}.exe

Filesize
180KB

MD5
88ee1c4a07fcf10101cef2df02c6d398

SHA1
309567c415f45fbac2986fc05df88d8ba5881abb

SHA256
981b0d0357aac8d607a0ecb15d66fb60aa2251449ee89c4ac053dd8fc4797432

SHA512
076def0efbc1d66a617a65d0c6cb51a1e131f5ff3de7fa5f3e13af9967cf7fab06a4e64b84aed530379145417ad29cefb56cc8e4a0ba13e95670a2b723be56a8

Download Submit
C:\Windows\{E20192E0-70A1-457b-89FE-3EAC21030ACF}.exe

Filesize
180KB

MD5
7a98672f7c554956f032a6a6c189a8db

SHA1
e8c82869a351bec0908a7e35df2c7104b5b183b3

SHA256
7fb1ba6be1e6c4821d0415836a1ea44a5799a341a604261e740e2b9fb487a724

SHA512
9145944ee61b4accaa7efa9a0138afb003bbf30b0d656b95b11f828ffb5d9364f88735dbb1a2e21d98982357f8eb6faad36d9fcabcb5545d993bbebe34d27d29

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads