cdb44972aca2e6c6d3676ddb972dae3c2a8df09079415aed2bc13f961ee02d01

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Size

180KB
MD5

5353669f3b260cac7741983da6e7ad7a
SHA1

ba99404ba14b707dc368cad2095a2891e7097b20
SHA256

cdb44972aca2e6c6d3676ddb972dae3c2a8df09079415aed2bc13f961ee02d01
SHA512

04e4fad2357416a691b70ebc38ff3d3fa327dc6a747ba06b4262739b12a23629ad9aafa58d1019604e1eec029f105ece69afde58847d2998575982ffeda16b06
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002314b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023153-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023153-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002315e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023153-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002315e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85631982-56B0-41dc-BD9D-BF7F913014BF}	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCE78478-2F38-4bea-B6B1-D3F67710BF58}	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A30F318E-2AAF-4928-8039-088781352F91}\stubpath = "C:\\Windows\\{A30F318E-2AAF-4928-8039-088781352F91}.exe"	{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4378068-0C99-4309-8BF7-96DECE016474}	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85631982-56B0-41dc-BD9D-BF7F913014BF}\stubpath = "C:\\Windows\\{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe"	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}\stubpath = "C:\\Windows\\{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe"	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}\stubpath = "C:\\Windows\\{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe"	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3709BE86-4378-4e99-9DDB-8FE2834A367C}	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}\stubpath = "C:\\Windows\\{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe"	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3709BE86-4378-4e99-9DDB-8FE2834A367C}\stubpath = "C:\\Windows\\{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe"	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E9502DC-5502-48f6-BF30-73F5791E4170}	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6FC0131-30EC-4127-8E72-D65C601B4928}	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6FC0131-30EC-4127-8E72-D65C601B4928}\stubpath = "C:\\Windows\\{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe"	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}\stubpath = "C:\\Windows\\{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe"	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4378068-0C99-4309-8BF7-96DECE016474}\stubpath = "C:\\Windows\\{B4378068-0C99-4309-8BF7-96DECE016474}.exe"	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}\stubpath = "C:\\Windows\\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe"	{B4378068-0C99-4309-8BF7-96DECE016474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A30F318E-2AAF-4928-8039-088781352F91}	{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCE78478-2F38-4bea-B6B1-D3F67710BF58}\stubpath = "C:\\Windows\\{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe"	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}	{B4378068-0C99-4309-8BF7-96DECE016474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E9502DC-5502-48f6-BF30-73F5791E4170}\stubpath = "C:\\Windows\\{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe"	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe

Executes dropped EXE 12 IoCs

pid	Process
4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe
4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe
1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe
4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe
1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe
4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe
3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe
3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe
5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe
4436	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe
4500	{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe
2620	{A30F318E-2AAF-4928-8039-088781352F91}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe
File created	C:\Windows\{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe
File created	C:\Windows\{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe
File created	C:\Windows\{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe
File created	C:\Windows\{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe
File created	C:\Windows\{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe
File created	C:\Windows\{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe
File created	C:\Windows\{A30F318E-2AAF-4928-8039-088781352F91}.exe	{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe
File created	C:\Windows\{B4378068-0C99-4309-8BF7-96DECE016474}.exe	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
File created	C:\Windows\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe	{B4378068-0C99-4309-8BF7-96DECE016474}.exe
File created	C:\Windows\{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe
File created	C:\Windows\{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2752	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe
Token: SeIncBasePriorityPrivilege	4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe
Token: SeIncBasePriorityPrivilege	1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe
Token: SeIncBasePriorityPrivilege	4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe
Token: SeIncBasePriorityPrivilege	1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe
Token: SeIncBasePriorityPrivilege	4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe
Token: SeIncBasePriorityPrivilege	3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe
Token: SeIncBasePriorityPrivilege	3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe
Token: SeIncBasePriorityPrivilege	5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe
Token: SeIncBasePriorityPrivilege	4436	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe
Token: SeIncBasePriorityPrivilege	4500	{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 4952	2752	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	84
PID 2752 wrote to memory of 4952	2752	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	84
PID 2752 wrote to memory of 4952	2752	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	84
PID 2752 wrote to memory of 4800	2752	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	85
PID 2752 wrote to memory of 4800	2752	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	85
PID 2752 wrote to memory of 4800	2752	2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe	85
PID 4952 wrote to memory of 4620	4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe	94
PID 4952 wrote to memory of 4620	4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe	94
PID 4952 wrote to memory of 4620	4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe	94
PID 4952 wrote to memory of 2028	4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe	93
PID 4952 wrote to memory of 2028	4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe	93
PID 4952 wrote to memory of 2028	4952	{B4378068-0C99-4309-8BF7-96DECE016474}.exe	93
PID 4620 wrote to memory of 1132	4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe	97
PID 4620 wrote to memory of 1132	4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe	97
PID 4620 wrote to memory of 1132	4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe	97
PID 4620 wrote to memory of 3716	4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe	96
PID 4620 wrote to memory of 3716	4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe	96
PID 4620 wrote to memory of 3716	4620	{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe	96
PID 1132 wrote to memory of 4036	1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe	98
PID 1132 wrote to memory of 4036	1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe	98
PID 1132 wrote to memory of 4036	1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe	98
PID 1132 wrote to memory of 4332	1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe	99
PID 1132 wrote to memory of 4332	1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe	99
PID 1132 wrote to memory of 4332	1132	{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe	99
PID 4036 wrote to memory of 1620	4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe	100
PID 4036 wrote to memory of 1620	4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe	100
PID 4036 wrote to memory of 1620	4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe	100
PID 4036 wrote to memory of 1876	4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe	101
PID 4036 wrote to memory of 1876	4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe	101
PID 4036 wrote to memory of 1876	4036	{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe	101
PID 1620 wrote to memory of 4844	1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe	102
PID 1620 wrote to memory of 4844	1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe	102
PID 1620 wrote to memory of 4844	1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe	102
PID 1620 wrote to memory of 1380	1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe	103
PID 1620 wrote to memory of 1380	1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe	103
PID 1620 wrote to memory of 1380	1620	{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe	103
PID 4844 wrote to memory of 3524	4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe	104
PID 4844 wrote to memory of 3524	4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe	104
PID 4844 wrote to memory of 3524	4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe	104
PID 4844 wrote to memory of 3444	4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe	105
PID 4844 wrote to memory of 3444	4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe	105
PID 4844 wrote to memory of 3444	4844	{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe	105
PID 3524 wrote to memory of 3792	3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe	106
PID 3524 wrote to memory of 3792	3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe	106
PID 3524 wrote to memory of 3792	3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe	106
PID 3524 wrote to memory of 1636	3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe	107
PID 3524 wrote to memory of 1636	3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe	107
PID 3524 wrote to memory of 1636	3524	{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe	107
PID 3792 wrote to memory of 5052	3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe	108
PID 3792 wrote to memory of 5052	3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe	108
PID 3792 wrote to memory of 5052	3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe	108
PID 3792 wrote to memory of 3068	3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe	109
PID 3792 wrote to memory of 3068	3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe	109
PID 3792 wrote to memory of 3068	3792	{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe	109
PID 5052 wrote to memory of 4436	5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe	110
PID 5052 wrote to memory of 4436	5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe	110
PID 5052 wrote to memory of 4436	5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe	110
PID 5052 wrote to memory of 4380	5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe	111
PID 5052 wrote to memory of 4380	5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe	111
PID 5052 wrote to memory of 4380	5052	{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe	111
PID 4436 wrote to memory of 4500	4436	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe	112
PID 4436 wrote to memory of 4500	4436	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe	112
PID 4436 wrote to memory of 4500	4436	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe	112
PID 4436 wrote to memory of 772	4436	{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_5353669f3b260cac7741983da6e7ad7a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\{B4378068-0C99-4309-8BF7-96DECE016474}.exe
  C:\Windows\{B4378068-0C99-4309-8BF7-96DECE016474}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4378~1.EXE > nul
    3⤵
    PID:2028
- - C:\Windows\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe
    C:\Windows\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E69A2~1.EXE > nul
      4⤵
      PID:3716
  - - C:\Windows\{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe
      C:\Windows\{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe
        
        C:\Windows\{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe
        
        C:\Windows\{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe
        
        C:\Windows\{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe
        
        C:\Windows\{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe
        
        C:\Windows\{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe
        
        C:\Windows\{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe
        
        C:\Windows\{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe
        
        C:\Windows\{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\{A30F318E-2AAF-4928-8039-088781352F91}.exe
        
        C:\Windows\{A30F318E-2AAF-4928-8039-088781352F91}.exe
        13⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA5C9~1.EXE > nul
        13⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6FC0~1.EXE > nul
        12⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DDCF~1.EXE > nul
        11⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCE78~1.EXE > nul
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E477~1.EXE > nul
        9⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85631~1.EXE > nul
        8⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E950~1.EXE > nul
        7⤵
        
        PID:1380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2CFE~1.EXE > nul
        6⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3709B~1.EXE > nul
        5⤵
        
        PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DDCFB1C-A139-480a-B7CD-18B3F86E7E24}.exe

Filesize
180KB

MD5
a0224b4e5eaffb50ef1bc961c3ea1365

SHA1
d3ce41d494b69b4ea0cacff6af0945c70876ba27

SHA256
8c438b0e84a593dcaf83a1b797b4a850074a8677b229e5adc4fc28267104e70f

SHA512
d41ecc278a934228e1da3363ac9de54842fbd5c8536b8e289c5c3df1b19c1c64eef727d90a15097c9aa51c06b066a14f2da4042fe54972d7543e2c5e0d7e32c3

Download Submit
C:\Windows\{1E47711F-024D-4b57-9D2A-CE0C3F2B5779}.exe

Filesize
180KB

MD5
0af09727635a1ce433cbbce9e4398ee4

SHA1
4717068cdf099cd8782804441df3cfe0f050983e

SHA256
841ca4e258afcf8fd408c9a5f897ef2083dc8818d10282d933f37a735c09bbb4

SHA512
f1f27473e5ac445b9f3562660e781654f471cd8a5f8d18bf2308a3b5f1d78ff6dad7f6abc240e359c81d2215a97f95724319dfdf7997e3f3f425cd001fdcad6b

Download Submit
C:\Windows\{3709BE86-4378-4e99-9DDB-8FE2834A367C}.exe

Filesize
180KB

MD5
ce038b738012921276f6daa22e6ff4de

SHA1
0dbdf333f83039831d72123d63c963f7076d8722

SHA256
ddd5ba993f5ff579572b6500ded2a069df1f57b69917ba3f68c319537859a680

SHA512
676f3ac67b88d2df556014e46b6c6f33cf57de6737db95da9ce9c4507c935e9ad08baf05392c233d04154af39a1dcbb64a527395704014fa836fd350b08d1c1b

Download Submit
C:\Windows\{3E9502DC-5502-48f6-BF30-73F5791E4170}.exe

Filesize
180KB

MD5
40a29953e3121fb4d2ea8a9c2cdcacf1

SHA1
a99cbd85d323bcfdb1bde5e1d29a1737ce58ac64

SHA256
282ade22c563d92e5334a5a52e1cfd36a4d261a6b859ed0bffbb3148a3e1b46c

SHA512
0c915364f3729c65e6a44fb11e458bbb59967e0409aa505d80fe663e6f6d2bba15d64947ac48e6b44dc1d799f114ded3f1864b6e23a01154ceac0f8017c3acd7

Download Submit
C:\Windows\{85631982-56B0-41dc-BD9D-BF7F913014BF}.exe

Filesize
180KB

MD5
f1b9ddd450ffc254ccd0893326e2fe88

SHA1
43612e72758e2731f1b0ad27720ccce033bbaf2e

SHA256
7bbe9ef30b009bcb505c233f3603aa1a59ddaae972b02dcf4bd789761a47af0d

SHA512
77ad0d823845933d13191a6da2bd4adbf762c3b36886cdd3874cc8ec181978b3926c312f6b29bc3e03883c97fb0abc9a288ae80a47af3a2b293c76c5469d8524

Download Submit
C:\Windows\{A30F318E-2AAF-4928-8039-088781352F91}.exe

Filesize
180KB

MD5
8e4fc7435ebc26f622b3cdc4ae4958bb

SHA1
1d1448a9e5fe9b8631b19004d1967e2f2757add3

SHA256
d6404aab1d19eed7cd658bd4317ef880467186c8aec8e56691c95a981f4f9ea9

SHA512
51c5c04aefc6e6f9aae9195fa91db5e60677d87a8507020e64531ecb8df2902754ca614ea859fb050ba23f999f1317ccd8ee7a0a0de91efa23b9b5e2040e15e8

Download Submit
C:\Windows\{B4378068-0C99-4309-8BF7-96DECE016474}.exe

Filesize
180KB

MD5
0bfd8746dc2df6646a6ef45937d0c1d3

SHA1
30a201c5c4340ba468de5f51321756121ad53e04

SHA256
4268358d6b40b5a98f44adf150b77313df0bdb3b4553ddc66ae11cbfad59afb2

SHA512
bea822477d89a3a1775ce5506f9e9226095fd8007e533ecb388a46e6570ade6851a0f0fef15e51e480eddbe8b5b3929e223df7d6d9c453448ef6de4f1c419256

Download Submit
C:\Windows\{BCE78478-2F38-4bea-B6B1-D3F67710BF58}.exe

Filesize
180KB

MD5
0481200bd0588480559ac6b74553c70a

SHA1
f09a2f39a5abbe1b0ef6d0fd599ade47cab3931c

SHA256
215d461c06ee543944a5236969332c8d793595e89072101de3a18ab85eea6a89

SHA512
5aaf8b6dcdaadce9539d5334502e0f1cb43c50ae02537538e7a3845457de54470d552cfecf0f174ebf77ad799d68edd9f39a5a2199047c11a1d28d4f45589654

Download Submit
C:\Windows\{E2CFE147-CF87-4eaf-B3E6-575A8A380B18}.exe

Filesize
180KB

MD5
2bbbe8d4e3e7ab7702ed85b76acdee9b

SHA1
6676ebb0fdd2d59d3af0fe01174ca77959345dbb

SHA256
4e5193191681837bfaff9c26c60044f52264dfb07c5679e761f9c5092c99afcb

SHA512
d895a76886492d422a906a4c131f77894f55ceda4021451e6f7237ef361facd52c9540473e34b040442c5c9828291e281ee21628d9b951b5685d4e91de421993

Download Submit
C:\Windows\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe

Filesize
180KB

MD5
11203fbf09903a42e7df5d9729a3c151

SHA1
0715da89f256ed0b97d60448962f23e9a150782f

SHA256
d02d835ccd87d2ed91d4a28fc4275c654f8b138cc971afd759a818ce017f1d59

SHA512
813840fb241437a6b35656e5ae061830880430f5df98ae76599add74cfba45db13ca5093735e19730e037233c3c1fab2b370028f0b268380c4b20e89191c3589

Download Submit
C:\Windows\{E69A2AA5-F7F4-4976-A366-6DEC23631E14}.exe

Filesize
64KB

MD5
9885a7942dbb9e6f345673126037ae01

SHA1
6383e3c4a495dc0cce19bf95a55d87a0bd99ef15

SHA256
74ed6f9a68a55d9b0c7fd99931d13f313d9180ec8a43d4605bd46316bfac67fc

SHA512
9daf6c42cfc8c918293e0ec7022d0119f1d0e3501a8809e4f4bf410c37276f18f180e12a989198d8b72987cafb4e267ee0c3cae8a4f3141a112481a34a495b8b

Download Submit
C:\Windows\{EA5C917C-CE05-4cad-BA28-4B06D9090BA8}.exe

Filesize
180KB

MD5
5b1acd49eb97b7c044a91ebec2af9f07

SHA1
4cbdf5d679225605ad3a10ecbae374ab44e57689

SHA256
5a87e92a283176b6324d74c833161f222a0e9dda6d5beb084282aab7b0418c45

SHA512
6dc67180fd3339de06b4507f7c616ec03460505b9aa19e89dfdbbeb1410bc438cb36b4cbcbf48c1b8f8d6cc9f99838f2ade3b4fced7c1aba42aa7e1fa6897909

Download Submit
C:\Windows\{F6FC0131-30EC-4127-8E72-D65C601B4928}.exe

Filesize
180KB

MD5
75df0ca9759622da82b2d9614595ed81

SHA1
e4be39e0134a94542ab606ea37a6cfa1517deec6

SHA256
8ee9288e81e7391b6ac1a64c2de370ded10fca7782fc88d146291ab942245efb

SHA512
018c6a180cde7a416d86d1ea9d76bdf98958c9bf486c426f5b00fa16a22e5c61aad3d49ab08997f1137c17b3ce7193c5c2c87b8d50bc7ba399b3b299b54f4ed8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads