5d54f4b09f09df2856d90273357542a98f7c029a56aac65da1914a2d055a2a8a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe
Size

380KB
MD5

1291db24b89cb4ec023f28662ac14d78
SHA1

24d012529be21c465db7d142be43971240fe32b6
SHA256

5d54f4b09f09df2856d90273357542a98f7c029a56aac65da1914a2d055a2a8a
SHA512

738a5de078e940e996bf8e3d40ca9808d3b9d924e66f3fa8ba2cd1b2641ab6e0816d7472429dc9b89a47c72cae20ac2001599f25103c099b36ed29264c495f06
SSDEEP

3072:mEGh0o/lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023129-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023238-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023129-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FC57180-409D-4e03-9BE2-477F65A1F59F}	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89A151E5-F6E8-4be5-B3CF-D463D1599359}	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFE56973-DD35-40a0-B478-109E2D0A91A9}	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43295957-8F06-4a6d-89F2-A3D0E79713BB}\stubpath = "C:\\Windows\\{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe"	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B9864B-277B-4a26-8ED3-88A18639857A}	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}\stubpath = "C:\\Windows\\{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe"	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}\stubpath = "C:\\Windows\\{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe"	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}\stubpath = "C:\\Windows\\{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe"	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{643D01B2-9369-4317-86D6-1CBFB10167A0}\stubpath = "C:\\Windows\\{643D01B2-9369-4317-86D6-1CBFB10167A0}.exe"	{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B9864B-277B-4a26-8ED3-88A18639857A}\stubpath = "C:\\Windows\\{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe"	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43295957-8F06-4a6d-89F2-A3D0E79713BB}	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{867158B1-2F87-4169-9EBF-5AB156C409A9}	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{867158B1-2F87-4169-9EBF-5AB156C409A9}\stubpath = "C:\\Windows\\{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe"	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63F368D3-DCDB-40ec-8C9E-7929370AF223}\stubpath = "C:\\Windows\\{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe"	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23503773-E77B-4319-B5EC-7C086DDA9AB1}\stubpath = "C:\\Windows\\{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe"	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63F368D3-DCDB-40ec-8C9E-7929370AF223}	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FC57180-409D-4e03-9BE2-477F65A1F59F}\stubpath = "C:\\Windows\\{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe"	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89A151E5-F6E8-4be5-B3CF-D463D1599359}\stubpath = "C:\\Windows\\{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe"	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFE56973-DD35-40a0-B478-109E2D0A91A9}\stubpath = "C:\\Windows\\{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe"	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{643D01B2-9369-4317-86D6-1CBFB10167A0}	{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23503773-E77B-4319-B5EC-7C086DDA9AB1}	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe
4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe
3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe
776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe
1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe
1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe
4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe
2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe
4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe
1184	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe
3548	{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe
3904	{643D01B2-9369-4317-86D6-1CBFB10167A0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe
File created	C:\Windows\{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe
File created	C:\Windows\{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe
File created	C:\Windows\{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe
File created	C:\Windows\{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe
File created	C:\Windows\{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe
File created	C:\Windows\{643D01B2-9369-4317-86D6-1CBFB10167A0}.exe	{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe
File created	C:\Windows\{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe
File created	C:\Windows\{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe
File created	C:\Windows\{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe
File created	C:\Windows\{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe
File created	C:\Windows\{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1280	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe
Token: SeIncBasePriorityPrivilege	4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe
Token: SeIncBasePriorityPrivilege	3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe
Token: SeIncBasePriorityPrivilege	776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe
Token: SeIncBasePriorityPrivilege	1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe
Token: SeIncBasePriorityPrivilege	1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe
Token: SeIncBasePriorityPrivilege	4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe
Token: SeIncBasePriorityPrivilege	2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe
Token: SeIncBasePriorityPrivilege	4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe
Token: SeIncBasePriorityPrivilege	1184	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe
Token: SeIncBasePriorityPrivilege	3548	{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4388	1280	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe	89
PID 1280 wrote to memory of 4388	1280	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe	89
PID 1280 wrote to memory of 4388	1280	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe	89
PID 1280 wrote to memory of 5008	1280	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe	90
PID 1280 wrote to memory of 5008	1280	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe	90
PID 1280 wrote to memory of 5008	1280	2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe	90
PID 4388 wrote to memory of 4008	4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe	93
PID 4388 wrote to memory of 4008	4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe	93
PID 4388 wrote to memory of 4008	4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe	93
PID 4388 wrote to memory of 3820	4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe	94
PID 4388 wrote to memory of 3820	4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe	94
PID 4388 wrote to memory of 3820	4388	{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe	94
PID 4008 wrote to memory of 3540	4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe	96
PID 4008 wrote to memory of 3540	4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe	96
PID 4008 wrote to memory of 3540	4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe	96
PID 4008 wrote to memory of 3408	4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe	97
PID 4008 wrote to memory of 3408	4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe	97
PID 4008 wrote to memory of 3408	4008	{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe	97
PID 3540 wrote to memory of 776	3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe	98
PID 3540 wrote to memory of 776	3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe	98
PID 3540 wrote to memory of 776	3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe	98
PID 3540 wrote to memory of 972	3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe	99
PID 3540 wrote to memory of 972	3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe	99
PID 3540 wrote to memory of 972	3540	{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe	99
PID 776 wrote to memory of 1156	776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe	100
PID 776 wrote to memory of 1156	776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe	100
PID 776 wrote to memory of 1156	776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe	100
PID 776 wrote to memory of 3776	776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe	101
PID 776 wrote to memory of 3776	776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe	101
PID 776 wrote to memory of 3776	776	{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe	101
PID 1156 wrote to memory of 1288	1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe	102
PID 1156 wrote to memory of 1288	1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe	102
PID 1156 wrote to memory of 1288	1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe	102
PID 1156 wrote to memory of 840	1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe	103
PID 1156 wrote to memory of 840	1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe	103
PID 1156 wrote to memory of 840	1156	{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe	103
PID 1288 wrote to memory of 4620	1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe	104
PID 1288 wrote to memory of 4620	1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe	104
PID 1288 wrote to memory of 4620	1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe	104
PID 1288 wrote to memory of 3556	1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe	105
PID 1288 wrote to memory of 3556	1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe	105
PID 1288 wrote to memory of 3556	1288	{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe	105
PID 4620 wrote to memory of 2772	4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe	106
PID 4620 wrote to memory of 2772	4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe	106
PID 4620 wrote to memory of 2772	4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe	106
PID 4620 wrote to memory of 4424	4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe	107
PID 4620 wrote to memory of 4424	4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe	107
PID 4620 wrote to memory of 4424	4620	{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe	107
PID 2772 wrote to memory of 4352	2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe	108
PID 2772 wrote to memory of 4352	2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe	108
PID 2772 wrote to memory of 4352	2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe	108
PID 2772 wrote to memory of 4356	2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe	109
PID 2772 wrote to memory of 4356	2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe	109
PID 2772 wrote to memory of 4356	2772	{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe	109
PID 4352 wrote to memory of 1184	4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe	110
PID 4352 wrote to memory of 1184	4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe	110
PID 4352 wrote to memory of 1184	4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe	110
PID 4352 wrote to memory of 3704	4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe	111
PID 4352 wrote to memory of 3704	4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe	111
PID 4352 wrote to memory of 3704	4352	{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe	111
PID 1184 wrote to memory of 3548	1184	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe	112
PID 1184 wrote to memory of 3548	1184	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe	112
PID 1184 wrote to memory of 3548	1184	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe	112
PID 1184 wrote to memory of 1620	1184	{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe
  C:\Windows\{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe
    C:\Windows\{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe
      C:\Windows\{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe
        
        C:\Windows\{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe
        
        C:\Windows\{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe
        
        C:\Windows\{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe
        
        C:\Windows\{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe
        
        C:\Windows\{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe
        
        C:\Windows\{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe
        
        C:\Windows\{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe
        
        C:\Windows\{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\{643D01B2-9369-4317-86D6-1CBFB10167A0}.exe
        
        C:\Windows\{643D01B2-9369-4317-86D6-1CBFB10167A0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86715~1.EXE > nul
        13⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C20AC~1.EXE > nul
        12⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43295~1.EXE > nul
        11⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE56~1.EXE > nul
        10⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E1D0~1.EXE > nul
        9⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0338~1.EXE > nul
        8⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89A15~1.EXE > nul
        7⤵
        
        PID:840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FC57~1.EXE > nul
        6⤵
        
        PID:3776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63F36~1.EXE > nul
        5⤵
        
        PID:972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{23503~1.EXE > nul
      4⤵
      PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1B98~1.EXE > nul
    3⤵
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23503773-E77B-4319-B5EC-7C086DDA9AB1}.exe

Filesize
380KB

MD5
de93bd07356d97190fcadab386b85368

SHA1
fe0e280b1c6daeb6e247c710e5f29760f20f69d1

SHA256
2569d05a5a22fbcb603204e862c3fab780e8574528a5c734ce30c5864c347b73

SHA512
da600d700669e28f5c0f9754667bc936b958ddbf88894030dcabb6a49a3af3a8243eaeaf09b20ff1a24736c9870a20b1abb26eb17dde5fdd96d0dda3b4a8039a

Download Submit
C:\Windows\{3FC57180-409D-4e03-9BE2-477F65A1F59F}.exe

Filesize
380KB

MD5
c5e710ebfc235c5c8885364ea05fcf98

SHA1
ad959c7d86afc04afb241e3cb6dc9df6bfc306cf

SHA256
99802ca1e9df439d9de837dc8e2eee09071d907bcd9efa5714033e27428c715a

SHA512
639e7a6be33ff6afbde16e76e7c2fd322e93cb115b14a9abd7794ee1b3ab96ae5ed8f54a1745de0a5f0da7a8a42a9a540308b9fa5cf27b2ce7afe6f4d922b8a8

Download Submit
C:\Windows\{43295957-8F06-4a6d-89F2-A3D0E79713BB}.exe

Filesize
380KB

MD5
ffa908e9e987b4543aecda43d29fca0f

SHA1
30fc1ed79e2f2d7be1856d5745a1f098222bce85

SHA256
2bde4ffd9e3f40045147c88f40ac79a85294e081ae4f00b2268cf4643c99e5fc

SHA512
33b159e6f257f79204f5eaab495b3ea1d6cd277529b992723fc04ddf726d5d946cc7287c5bbe8cd920cab43ce16814bef953487b3b2dc8b38cc681fe8754b426

Download Submit
C:\Windows\{63F368D3-DCDB-40ec-8C9E-7929370AF223}.exe

Filesize
380KB

MD5
89124e84c519cae9cb98ea60776888d7

SHA1
b176c0830095fd04b51e1d6c57dc114eff133939

SHA256
a6ff6a7892e590afe7a4339b39efb79aaf45eff6b88b45e86e61c806f15c3b0a

SHA512
2b437d10e599c947aef84c503db07b9ba431036f5337d05aa6991731a6af6cab6ec462675a549e6c3d946dccc3feb24cdf5de5767fada7ddba2c9035cb6eeaf4

Download Submit
C:\Windows\{643D01B2-9369-4317-86D6-1CBFB10167A0}.exe

Filesize
380KB

MD5
9f04e7edc2835e77092f538ff02ff66d

SHA1
69b532cd643c705195c0b186d9f32ade8043df4f

SHA256
d70fa8e8cd407f84881b53e1e81032537b15d613e110085d9574431c0e5119e5

SHA512
907e9c8a52b8255643164df9975fea95c92bec11d3a1d759aa7e0e22ff237b4d0477e096b9bdce246f023c98698b6f0f9584f62444278143447a497d9f60f684

Download Submit
C:\Windows\{867158B1-2F87-4169-9EBF-5AB156C409A9}.exe

Filesize
380KB

MD5
c92c7bfe22bb016e8b5e22cd24d6b77e

SHA1
998ba611ba18190a294de30570cfc41861593021

SHA256
408a1462a0f9a56027333752b34ab34ec44cb55422b28b8b732664ee14e0ab5c

SHA512
f7db755508c2184b5042c6edc1e3ff09ce319632a82191f734a0ae2f42c2890c47bd6bdb6cd5ad2d77295ad48f6b08e02f9718e2acdd1237ba7abf4e2cbdbc1a

Download Submit
C:\Windows\{89A151E5-F6E8-4be5-B3CF-D463D1599359}.exe

Filesize
380KB

MD5
b55aa070b159fa24378530a9251869b6

SHA1
be8799f14e991d2b729e2194d9d6c7fe5fc4c0be

SHA256
b644528f195750e4a9bbb5c9fa3d82dccb1a4d4c0281e292ea3312e4a1834791

SHA512
8ba79b9a153980f1ca0b9bddc7653ce50da8efd9df45da4b2b3c4208e694177317209967a5e3b3d1b17e10fd118a0332328d16b5a71efbf5aab161cff34a23f5

Download Submit
C:\Windows\{9E1D049F-F47E-4b3b-BFC4-E6B58F7F60D9}.exe

Filesize
380KB

MD5
6d0bd4ee29e188a3e1155fa8405c5acc

SHA1
1b6c4f194874217fac28f56e14a6af4edfbe894d

SHA256
c9ac192fd317870f1c323e585bbf67f208e24900a1ac881bf19dcdde9e9e5e29

SHA512
baf4d9cc54f89271979232972a6313586d5a8348779782ce25a92cd2399792fe4afd5768f07b05fee02e65442383c97c9c8c5bc3f903d23bf64f1858cbab285f

Download Submit
C:\Windows\{C20AC244-4E7B-426b-BFF0-8CD8163E18D1}.exe

Filesize
380KB

MD5
539a91e7eef80f92825b5e3c7b4d110a

SHA1
1786184f12d6c5a155bd005d12bf9fca2cb1ffac

SHA256
14e9e283761b58a3b98c8b3fb802156524a5af9072165f1ddc88d9561636385a

SHA512
230c19407e26f22c4181ea18b17843562c2dc5b33f8fa3b832b719c19d5fbc2f310bd4f7e65b9371c422d4f7a6429c712d845d0ef8d2268325825b7d6705654a

Download Submit
C:\Windows\{D0338239-DF92-4f18-B45A-C5A3D11CBF8E}.exe

Filesize
380KB

MD5
07cd5923d8f73d2d32b310d8dcec7a11

SHA1
3e117a2aa1a842a6389deeb8373897347ca93861

SHA256
d2ec8a996970a54d58415a1f3788aad4d7992e7689c78ea996de55de04ab624b

SHA512
0aa44bf76bedf5ea65e0ed805bef2d042ec5146b5c2d9589ed0a96c2d6c08de6923ab03c22b3e813e7800a6c75e47d8904360ce58569f79d9a83c1878b729a72

Download Submit
C:\Windows\{E1B9864B-277B-4a26-8ED3-88A18639857A}.exe

Filesize
380KB

MD5
b5fba3450b24c2119133f38432497e7d

SHA1
4a78e005ab87fba6c6ccff2e1c8b9db40c831bf7

SHA256
84ae30fb0592fc2acf6290be470315f56be66277fdf26af09c271723be6236c1

SHA512
e8a41910433180ffbe9e6aa9e2c4301ea7bc6d19aeb5b2e37a4e9c665476c48c8a9c563e679205bf0c8d85c531205c62b29d7fec1f9c806e9075a520be0b3f3a

Download Submit
C:\Windows\{FFE56973-DD35-40a0-B478-109E2D0A91A9}.exe

Filesize
380KB

MD5
4b702cdafb5126e00d2302c6acfa5ce0

SHA1
377f18778920c37ff40fa866758a6dc6738e921e

SHA256
6dd36bc3dd2e17a741ded7563b5dc74561ad55aee5b170f1e82a4af325b5741c

SHA512
b829cb1ed032c6c82f85d472ee4fd09fe04a908d8b1ae60a5d1e41adc18098d65608546339c790258f04c646a707f5d8c3e30302aa5fba125811e05d0dd2f9c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads