0bd996147afc8a9d7118a14a30292e5e76a1d90936f835fd5ad674e184e14164

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Size

197KB
MD5

53677e53c1d82111b26a3e98256f54f4
SHA1

fd9dd7af39647db49bfd3ef3f7c6a92cbccd562d
SHA256

0bd996147afc8a9d7118a14a30292e5e76a1d90936f835fd5ad674e184e14164
SHA512

11e2f488f409b7091f33913bfe13778cf4d1756f20dccebc547cb8054dc7a4e2146b6433602f412fd53d74982bdf2bce9fa1f57cd73dab367de98477b7545047
SSDEEP

3072:jEGh0oQl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGClEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321a-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023144-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023240-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023144-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386B6498-3CBE-4b89-8AB2-3558FD913697}\stubpath = "C:\\Windows\\{386B6498-3CBE-4b89-8AB2-3558FD913697}.exe"	{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}\stubpath = "C:\\Windows\\{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe"	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A76E7C1F-6619-42c9-B7E5-670507C01535}	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A76E7C1F-6619-42c9-B7E5-670507C01535}\stubpath = "C:\\Windows\\{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe"	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}\stubpath = "C:\\Windows\\{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe"	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C52161A-1D8C-45b8-AF73-1A1308060ED9}	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C52161A-1D8C-45b8-AF73-1A1308060ED9}\stubpath = "C:\\Windows\\{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe"	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}\stubpath = "C:\\Windows\\{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe"	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0DC3E55-063D-42be-93B5-2B0160F9C329}\stubpath = "C:\\Windows\\{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe"	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6CAC14-0A96-4308-B05D-EB178139D9B5}	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D4D822-C4A1-416e-8BE0-E357C882D136}\stubpath = "C:\\Windows\\{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe"	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{322E42A5-CECA-43dc-8C8C-A43E832118B6}\stubpath = "C:\\Windows\\{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe"	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D4D822-C4A1-416e-8BE0-E357C882D136}	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}\stubpath = "C:\\Windows\\{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe"	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ADC72E1-0BE9-42db-A976-A018B9624A56}	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0DC3E55-063D-42be-93B5-2B0160F9C329}	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6CAC14-0A96-4308-B05D-EB178139D9B5}\stubpath = "C:\\Windows\\{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe"	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{322E42A5-CECA-43dc-8C8C-A43E832118B6}	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ADC72E1-0BE9-42db-A976-A018B9624A56}\stubpath = "C:\\Windows\\{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe"	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386B6498-3CBE-4b89-8AB2-3558FD913697}	{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe

Executes dropped EXE 12 IoCs

pid	Process
4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe
1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe
1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe
1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe
4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe
3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe
4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe
424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe
228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe
4436	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe
3740	{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe
4684	{386B6498-3CBE-4b89-8AB2-3558FD913697}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe
File created	C:\Windows\{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe
File created	C:\Windows\{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
File created	C:\Windows\{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe
File created	C:\Windows\{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe
File created	C:\Windows\{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe
File created	C:\Windows\{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe
File created	C:\Windows\{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe
File created	C:\Windows\{386B6498-3CBE-4b89-8AB2-3558FD913697}.exe	{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe
File created	C:\Windows\{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe
File created	C:\Windows\{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe
File created	C:\Windows\{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1272	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe
Token: SeIncBasePriorityPrivilege	1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe
Token: SeIncBasePriorityPrivilege	1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe
Token: SeIncBasePriorityPrivilege	1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe
Token: SeIncBasePriorityPrivilege	4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe
Token: SeIncBasePriorityPrivilege	3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe
Token: SeIncBasePriorityPrivilege	4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe
Token: SeIncBasePriorityPrivilege	424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe
Token: SeIncBasePriorityPrivilege	228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe
Token: SeIncBasePriorityPrivilege	4436	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe
Token: SeIncBasePriorityPrivilege	3740	{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 4964	1272	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	91
PID 1272 wrote to memory of 4964	1272	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	91
PID 1272 wrote to memory of 4964	1272	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	91
PID 1272 wrote to memory of 4380	1272	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	90
PID 1272 wrote to memory of 4380	1272	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	90
PID 1272 wrote to memory of 4380	1272	2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe	90
PID 4964 wrote to memory of 1148	4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe	94
PID 4964 wrote to memory of 1148	4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe	94
PID 4964 wrote to memory of 1148	4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe	94
PID 4964 wrote to memory of 4180	4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe	95
PID 4964 wrote to memory of 4180	4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe	95
PID 4964 wrote to memory of 4180	4964	{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe	95
PID 1148 wrote to memory of 1016	1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe	98
PID 1148 wrote to memory of 1016	1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe	98
PID 1148 wrote to memory of 1016	1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe	98
PID 1148 wrote to memory of 5008	1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe	97
PID 1148 wrote to memory of 5008	1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe	97
PID 1148 wrote to memory of 5008	1148	{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe	97
PID 1016 wrote to memory of 1980	1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe	99
PID 1016 wrote to memory of 1980	1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe	99
PID 1016 wrote to memory of 1980	1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe	99
PID 1016 wrote to memory of 1216	1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe	100
PID 1016 wrote to memory of 1216	1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe	100
PID 1016 wrote to memory of 1216	1016	{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe	100
PID 1980 wrote to memory of 4620	1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe	101
PID 1980 wrote to memory of 4620	1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe	101
PID 1980 wrote to memory of 4620	1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe	101
PID 1980 wrote to memory of 4836	1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe	102
PID 1980 wrote to memory of 4836	1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe	102
PID 1980 wrote to memory of 4836	1980	{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe	102
PID 4620 wrote to memory of 3972	4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe	104
PID 4620 wrote to memory of 3972	4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe	104
PID 4620 wrote to memory of 3972	4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe	104
PID 4620 wrote to memory of 2436	4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe	103
PID 4620 wrote to memory of 2436	4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe	103
PID 4620 wrote to memory of 2436	4620	{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe	103
PID 3972 wrote to memory of 4004	3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe	105
PID 3972 wrote to memory of 4004	3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe	105
PID 3972 wrote to memory of 4004	3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe	105
PID 3972 wrote to memory of 3056	3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe	106
PID 3972 wrote to memory of 3056	3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe	106
PID 3972 wrote to memory of 3056	3972	{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe	106
PID 4004 wrote to memory of 424	4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe	107
PID 4004 wrote to memory of 424	4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe	107
PID 4004 wrote to memory of 424	4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe	107
PID 4004 wrote to memory of 3068	4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe	108
PID 4004 wrote to memory of 3068	4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe	108
PID 4004 wrote to memory of 3068	4004	{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe	108
PID 424 wrote to memory of 228	424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe	109
PID 424 wrote to memory of 228	424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe	109
PID 424 wrote to memory of 228	424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe	109
PID 424 wrote to memory of 2000	424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe	110
PID 424 wrote to memory of 2000	424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe	110
PID 424 wrote to memory of 2000	424	{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe	110
PID 228 wrote to memory of 4436	228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe	111
PID 228 wrote to memory of 4436	228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe	111
PID 228 wrote to memory of 4436	228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe	111
PID 228 wrote to memory of 2280	228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe	112
PID 228 wrote to memory of 2280	228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe	112
PID 228 wrote to memory of 2280	228	{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe	112
PID 4436 wrote to memory of 3740	4436	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe	114
PID 4436 wrote to memory of 3740	4436	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe	114
PID 4436 wrote to memory of 3740	4436	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe	114
PID 4436 wrote to memory of 2408	4436	{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_53677e53c1d82111b26a3e98256f54f4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4380
- C:\Windows\{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe
  C:\Windows\{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe
    C:\Windows\{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A76E7~1.EXE > nul
      4⤵
      PID:5008
  - - C:\Windows\{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe
      C:\Windows\{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe
        
        C:\Windows\{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe
        
        C:\Windows\{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0DC3~1.EXE > nul
        7⤵
        
        PID:2436
        
        C:\Windows\{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe
        
        C:\Windows\{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe
        
        C:\Windows\{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe
        
        C:\Windows\{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe
        
        C:\Windows\{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe
        
        C:\Windows\{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{322E4~1.EXE > nul
        12⤵
        
        PID:2408
        
        C:\Windows\{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe
        
        C:\Windows\{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\{386B6498-3CBE-4b89-8AB2-3558FD913697}.exe
        
        C:\Windows\{386B6498-3CBE-4b89-8AB2-3558FD913697}.exe
        13⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ADC7~1.EXE > nul
        13⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34CFC~1.EXE > nul
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F74A~1.EXE > nul
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41D4D~1.EXE > nul
        9⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B6CA~1.EXE > nul
        8⤵
        
        PID:3056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C521~1.EXE > nul
        6⤵
        
        PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B3BF~1.EXE > nul
        5⤵
        
        PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9F2C1~1.EXE > nul
    3⤵
    PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{322E42A5-CECA-43dc-8C8C-A43E832118B6}.exe

Filesize
197KB

MD5
fdd1d6f235ed8f0c55f5b207e9becbc2

SHA1
643bc8f158719eaaec4d4c80fd874a3c92ef05a0

SHA256
c73bd259307cc2ebf7a4e25d211f5f3c392140fd2ed2a865fe03ecb9a997874c

SHA512
2be92b3ccf202ba676869a1a36860f837c0ec7e30b60dbf383652d8f423831db120f3cb9eb479f75ffc3702a4ee3d5d3b762580f83a45e117bc3e70ebb3f9d34

Download Submit
C:\Windows\{34CFCC1E-D8C1-41a6-A237-4F71ABA3420A}.exe

Filesize
197KB

MD5
0ec157e25f5c3e2e6cd1d153d731c2a8

SHA1
924649e6aaf6c4a4483bd0a4b01aebe02beeacff

SHA256
13ed4689d1fb15d0acb3f181c6397c6381c2f0c856a9dc51c53497ec26ebe038

SHA512
483db9ab10ee826911e810c1d191661f57aabba913151cf7fe9f0ad2893cd3047ed58ef1f055fefe496aa9994314af51b02eb4336b9584b10bff2d30728dda42

Download Submit
C:\Windows\{386B6498-3CBE-4b89-8AB2-3558FD913697}.exe

Filesize
197KB

MD5
8e03af047750b5253773a353d1e16069

SHA1
a7498692881c0f64433133c29e24ad903bf7af7c

SHA256
af223bec89d6f1b4a6ec0102661261dea823773cb4b7f7691e8ee9512257cecd

SHA512
a67959d8c1907f9e1e23da2c1b9e27bfd42ba12519476b9373ab81d7e28b22b70cea6fe6c03fc3460dd1e75f9dc1aa9bfe8ad56d5aeccc65058135f6d11e4b6d

Download Submit
C:\Windows\{41D4D822-C4A1-416e-8BE0-E357C882D136}.exe

Filesize
197KB

MD5
97a094739c7803b9d0da35bc8ecf7eb2

SHA1
c1b38a4f888a382c4a8f8bb8e841c47274f0fb5c

SHA256
93f55dc810bed46ca533c4ddce36cbca682e0da76c5d29ecb76d68a4e7d9d4f2

SHA512
3979826d03025493cba631925a93745f677b84228807e5abb3364a2bf9f2488c0726df67f6fe4e9cc52f536d0a0955b169331b262b4c4a7cd15d3ca23d39b71b

Download Submit
C:\Windows\{4B3BFE80-4B45-4d19-BC01-590F1863C7B5}.exe

Filesize
197KB

MD5
9927b825e8aec2cada23475aa946374f

SHA1
5868a527c43fe2e00d653305ce28c877e9786645

SHA256
414b021bc0b681670228aaba2628875ba8fa61259c3571fe9f99b351e1c82156

SHA512
4592de21b6e28f22cbe204d4c07dc113be3ca3ae6b3f2e37ba8dfd34787eb71ac120c40ed8aeebc7bf36db84efc6f03b6846658e8c51889963835e151cd29beb

Download Submit
C:\Windows\{7ADC72E1-0BE9-42db-A976-A018B9624A56}.exe

Filesize
197KB

MD5
65b617f4c307bfaa341350aa367bca16

SHA1
ba06a9ec3fa8c0e805421d1c7045a06752660a96

SHA256
16b9c1589764509aa06f18625a42b32adcf3696004f63d4654cc2fd62b9daeea

SHA512
d31a3636fa5fc3cb1a4d6231421d7ce42da78aeee615b17a0186270305f7ab51ff88e745eb08a899dd42331cd3920222db53054b2c051b89697201104b0f7e3a

Download Submit
C:\Windows\{7B6CAC14-0A96-4308-B05D-EB178139D9B5}.exe

Filesize
197KB

MD5
5c166f266d11afda77df1d1e1f75b2e8

SHA1
b59bc319358f4c0b7e8d01591b0489260463710e

SHA256
c90e39ee10cba8b45f436acc07fb761f596e73e2c3780b5989f0b3b096e58d7e

SHA512
8f33b542a0e7bca163f9dc602a9310c99bb315532da59970599f70536da20a17e89d614e66292242a729b7c0e5fac1af399593fa86fd628053a936dcafdf1142

Download Submit
C:\Windows\{8C52161A-1D8C-45b8-AF73-1A1308060ED9}.exe

Filesize
197KB

MD5
6b271da4a89ed9067c3853e1813ba503

SHA1
02d12629d5a722127a7d17f0ce25fc7b38657b61

SHA256
cadd5b1727666abcef58ce71beb113fc98111d1ff2d335eaa611aa990ed2f1cf

SHA512
02f0f6cdc4567c4e703fe8a5ecbb4dac1f9f98da36e200e01055ee818895263a9ea3bd9f90f1d2695e6623a6f80df4bbf8dd81aec7ee59a11b70e28309e34a8a

Download Submit
C:\Windows\{9F2C18B1-3706-4d3d-A91C-3259384F1EB4}.exe

Filesize
197KB

MD5
66f721f4f2ca4d6f65e1bbddb1518246

SHA1
15316a220633c6c511b3dc38d191e4efe0dead68

SHA256
ec92532b7fc4a250d2e3791fb391f03acb7e0103c3184068b4520d9c8b956fe8

SHA512
ec72fca128d1bf7eda8df187c07c045b88a1aea2ca26b005d9a99ee3e0963c6a7f49c12ebc961a0be2c512f0d0e23b9577aba8bd62a5c0381024270f05eba2d8

Download Submit
C:\Windows\{9F74A996-AE43-4189-8AB3-6E2FA4B2BDF1}.exe

Filesize
197KB

MD5
f7a97e5cd1fdc4973d71bb507818fc6f

SHA1
ea87d46d340bd6d314d57a68f5442027060ba37a

SHA256
2871bcce1433aca85aa6d2a2d57303d712cefd8142907edb528b0ca9340555f0

SHA512
5235731312bc97dc48aef5705e4dbb37dd1ab4b8423e6cd291c70e830ae9bc38048dd9b53180698981336098af941460598f45187901aa0fa567838ef3072133

Download Submit
C:\Windows\{A76E7C1F-6619-42c9-B7E5-670507C01535}.exe

Filesize
197KB

MD5
7f803bf2982ed5c014f58b223bbecafe

SHA1
b9087908b46478de916cc5920dc92965dfc391e0

SHA256
47ef4f87020d56e1804b034ea4153cfa9585996cec15cb898912441bbb1b7e86

SHA512
08012a60e50fbee8eeeb8dbdf4528bec0c52d6ad9af9918220a0ee50e959b16a3d84508700b88ae04e9ed58a4ed6a2e38c8685877393a6a3c4bee09b8f00ceac

Download Submit
C:\Windows\{F0DC3E55-063D-42be-93B5-2B0160F9C329}.exe

Filesize
197KB

MD5
103c075a928b8f050d55ae54c3f138f9

SHA1
e4b3b2057f5940b270a027b2813e8a4c951d6844

SHA256
a7ccffd760e34bbb07bc8c3571bdf2a5395c1e17b1cae48aa5ac4676a63bf79c

SHA512
73b1b44a0bd618865cc46aad0373ffe36d3af4ac8f02a183f7056343623aa9442610d5a83a567c6000adbdd2a56405552b1936e3dd56d18c9e4555a67c47f31c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads