2dcfe08e3305803f7c253aa644c97143a937a00711e311c5274325c550cc3aec

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Size

408KB
MD5

489728ae15e396cdc45425e9e5bd8635
SHA1

9126e4d023b7f4cfc9d03e24ca9520eb5f36406b
SHA256

2dcfe08e3305803f7c253aa644c97143a937a00711e311c5274325c550cc3aec
SHA512

95a91238adb4e89082e4728e0f4f03b36cd09158ad24142afb20a9838fd9bcc4643a09ca7ec5f19192047dd115db33c9f60b17fe31838faeaa559393ab21911d
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG+ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320f-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023219-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}\stubpath = "C:\\Windows\\{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe"	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{856CE792-AF04-4c35-A71A-843D04CDBF8D}\stubpath = "C:\\Windows\\{856CE792-AF04-4c35-A71A-843D04CDBF8D}.exe"	{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BFE559E-AA1E-4170-A042-78AD30F62196}	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0336414E-4F51-446c-A9B4-401A17A58E03}\stubpath = "C:\\Windows\\{0336414E-4F51-446c-A9B4-401A17A58E03}.exe"	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A3AFD75-09A8-4054-A631-25C65DB3B32E}\stubpath = "C:\\Windows\\{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe"	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9546AC4E-14F5-4c6a-A62A-039277D079E6}\stubpath = "C:\\Windows\\{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe"	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}\stubpath = "C:\\Windows\\{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe"	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}\stubpath = "C:\\Windows\\{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe"	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A3AFD75-09A8-4054-A631-25C65DB3B32E}	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2309063F-EF19-4c9e-B692-F4A84D9FADBE}	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{856CE792-AF04-4c35-A71A-843D04CDBF8D}	{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F552750-F0B1-46c6-AC2B-59018A172491}\stubpath = "C:\\Windows\\{5F552750-F0B1-46c6-AC2B-59018A172491}.exe"	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B28475F-1C81-434d-B4B5-A2873A77693C}	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BFE559E-AA1E-4170-A042-78AD30F62196}\stubpath = "C:\\Windows\\{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe"	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2309063F-EF19-4c9e-B692-F4A84D9FADBE}\stubpath = "C:\\Windows\\{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe"	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0336414E-4F51-446c-A9B4-401A17A58E03}	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15386D15-159E-4a87-8E72-09B498BE86B6}	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15386D15-159E-4a87-8E72-09B498BE86B6}\stubpath = "C:\\Windows\\{15386D15-159E-4a87-8E72-09B498BE86B6}.exe"	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F552750-F0B1-46c6-AC2B-59018A172491}	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B28475F-1C81-434d-B4B5-A2873A77693C}\stubpath = "C:\\Windows\\{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe"	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9546AC4E-14F5-4c6a-A62A-039277D079E6}	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe

Executes dropped EXE 12 IoCs

pid	Process
2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe
3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe
1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe
2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe
2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe
3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe
3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe
2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe
3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe
1352	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe
532	{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe
3084	{856CE792-AF04-4c35-A71A-843D04CDBF8D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5F552750-F0B1-46c6-AC2B-59018A172491}.exe	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
File created	C:\Windows\{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe
File created	C:\Windows\{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe
File created	C:\Windows\{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe
File created	C:\Windows\{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe
File created	C:\Windows\{0336414E-4F51-446c-A9B4-401A17A58E03}.exe	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe
File created	C:\Windows\{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe
File created	C:\Windows\{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe
File created	C:\Windows\{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe
File created	C:\Windows\{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe
File created	C:\Windows\{15386D15-159E-4a87-8E72-09B498BE86B6}.exe	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe
File created	C:\Windows\{856CE792-AF04-4c35-A71A-843D04CDBF8D}.exe	{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4820	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe
Token: SeIncBasePriorityPrivilege	3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe
Token: SeIncBasePriorityPrivilege	1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe
Token: SeIncBasePriorityPrivilege	2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe
Token: SeIncBasePriorityPrivilege	2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe
Token: SeIncBasePriorityPrivilege	3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe
Token: SeIncBasePriorityPrivilege	3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe
Token: SeIncBasePriorityPrivilege	2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe
Token: SeIncBasePriorityPrivilege	3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe
Token: SeIncBasePriorityPrivilege	1352	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe
Token: SeIncBasePriorityPrivilege	532	{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2892	4820	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	87
PID 4820 wrote to memory of 2892	4820	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	87
PID 4820 wrote to memory of 2892	4820	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	87
PID 4820 wrote to memory of 2884	4820	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	88
PID 4820 wrote to memory of 2884	4820	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	88
PID 4820 wrote to memory of 2884	4820	2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe	88
PID 2892 wrote to memory of 3396	2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe	92
PID 2892 wrote to memory of 3396	2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe	92
PID 2892 wrote to memory of 3396	2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe	92
PID 2892 wrote to memory of 4184	2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe	93
PID 2892 wrote to memory of 4184	2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe	93
PID 2892 wrote to memory of 4184	2892	{5F552750-F0B1-46c6-AC2B-59018A172491}.exe	93
PID 3396 wrote to memory of 1148	3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe	96
PID 3396 wrote to memory of 1148	3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe	96
PID 3396 wrote to memory of 1148	3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe	96
PID 3396 wrote to memory of 3164	3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe	95
PID 3396 wrote to memory of 3164	3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe	95
PID 3396 wrote to memory of 3164	3396	{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe	95
PID 1148 wrote to memory of 2388	1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe	97
PID 1148 wrote to memory of 2388	1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe	97
PID 1148 wrote to memory of 2388	1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe	97
PID 1148 wrote to memory of 2760	1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe	98
PID 1148 wrote to memory of 2760	1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe	98
PID 1148 wrote to memory of 2760	1148	{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe	98
PID 2388 wrote to memory of 2084	2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe	99
PID 2388 wrote to memory of 2084	2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe	99
PID 2388 wrote to memory of 2084	2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe	99
PID 2388 wrote to memory of 3760	2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe	100
PID 2388 wrote to memory of 3760	2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe	100
PID 2388 wrote to memory of 3760	2388	{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe	100
PID 2084 wrote to memory of 3524	2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe	101
PID 2084 wrote to memory of 3524	2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe	101
PID 2084 wrote to memory of 3524	2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe	101
PID 2084 wrote to memory of 4424	2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe	102
PID 2084 wrote to memory of 4424	2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe	102
PID 2084 wrote to memory of 4424	2084	{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe	102
PID 3524 wrote to memory of 3224	3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe	103
PID 3524 wrote to memory of 3224	3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe	103
PID 3524 wrote to memory of 3224	3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe	103
PID 3524 wrote to memory of 4880	3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe	104
PID 3524 wrote to memory of 4880	3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe	104
PID 3524 wrote to memory of 4880	3524	{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe	104
PID 3224 wrote to memory of 2524	3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe	106
PID 3224 wrote to memory of 2524	3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe	106
PID 3224 wrote to memory of 2524	3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe	106
PID 3224 wrote to memory of 3484	3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe	105
PID 3224 wrote to memory of 3484	3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe	105
PID 3224 wrote to memory of 3484	3224	{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe	105
PID 2524 wrote to memory of 3292	2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe	107
PID 2524 wrote to memory of 3292	2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe	107
PID 2524 wrote to memory of 3292	2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe	107
PID 2524 wrote to memory of 724	2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe	108
PID 2524 wrote to memory of 724	2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe	108
PID 2524 wrote to memory of 724	2524	{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe	108
PID 3292 wrote to memory of 1352	3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe	109
PID 3292 wrote to memory of 1352	3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe	109
PID 3292 wrote to memory of 1352	3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe	109
PID 3292 wrote to memory of 4416	3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe	110
PID 3292 wrote to memory of 4416	3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe	110
PID 3292 wrote to memory of 4416	3292	{0336414E-4F51-446c-A9B4-401A17A58E03}.exe	110
PID 1352 wrote to memory of 532	1352	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe	111
PID 1352 wrote to memory of 532	1352	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe	111
PID 1352 wrote to memory of 532	1352	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe	111
PID 1352 wrote to memory of 2912	1352	{15386D15-159E-4a87-8E72-09B498BE86B6}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_489728ae15e396cdc45425e9e5bd8635_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\{5F552750-F0B1-46c6-AC2B-59018A172491}.exe
  C:\Windows\{5F552750-F0B1-46c6-AC2B-59018A172491}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe
    C:\Windows\{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B284~1.EXE > nul
      4⤵
      PID:3164
  - - C:\Windows\{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe
      C:\Windows\{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe
        
        C:\Windows\{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe
        
        C:\Windows\{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe
        
        C:\Windows\{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe
        
        C:\Windows\{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9546A~1.EXE > nul
        9⤵
        
        PID:3484
        
        C:\Windows\{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe
        
        C:\Windows\{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{0336414E-4F51-446c-A9B4-401A17A58E03}.exe
        
        C:\Windows\{0336414E-4F51-446c-A9B4-401A17A58E03}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\{15386D15-159E-4a87-8E72-09B498BE86B6}.exe
        
        C:\Windows\{15386D15-159E-4a87-8E72-09B498BE86B6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe
        
        C:\Windows\{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\{856CE792-AF04-4c35-A71A-843D04CDBF8D}.exe
        
        C:\Windows\{856CE792-AF04-4c35-A71A-843D04CDBF8D}.exe
        13⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{141A4~1.EXE > nul
        13⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15386~1.EXE > nul
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03364~1.EXE > nul
        11⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23090~1.EXE > nul
        10⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A3AF~1.EXE > nul
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFCF~1.EXE > nul
        7⤵
        
        PID:4424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F6E2~1.EXE > nul
        6⤵
        
        PID:3760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BFE5~1.EXE > nul
        5⤵
        
        PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F552~1.EXE > nul
    3⤵
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0336414E-4F51-446c-A9B4-401A17A58E03}.exe

Filesize
408KB

MD5
217365317393cfca6cef0e7d03307f63

SHA1
38670d1e8952ba4197f45e32e868867cfa014bd9

SHA256
f88be84e7a5825fa46a1538a393273aa9b97518466a1efa90ad37a826a4bfba4

SHA512
c8f5b609b569de21a182c5d8619847916cc05ab21da0f2eace7c29cb80d9124e8db41f71d71eea7b6e00f8dcf7a95de63b46697ec20a9d43b4e5b107acd8afbd

Download Submit
C:\Windows\{0B28475F-1C81-434d-B4B5-A2873A77693C}.exe

Filesize
408KB

MD5
bf4a4002f83a9f747593d0abceae776a

SHA1
ceb65e08923539e7b069e150667cc75cc9166946

SHA256
7864f5a5e247ead75320b9abdfc93f6bcef0276e96d87fca8211a054f4f1a596

SHA512
de7995ca1d6e22c07cc75542f8e34d88b6d93902d6c3b7834dfe7f4ac001f87a74802c6f47ea55a85eceec737124675d8c0f4a8a803f64e798a38eb6ad834333

Download Submit
C:\Windows\{0F6E2E84-4DB6-4c3d-9AE4-C85C708E757B}.exe

Filesize
408KB

MD5
7ca3de6a9bd01b9499e36524f11141e9

SHA1
60ed84bff1b9807b2b1428c3b4ad1b3c6a92d416

SHA256
9d137476ebc86fc02b728f88e017535ac75e4f4894243bd75ea4c0fd3ade4080

SHA512
7569e539719b95700d20660b26642bdf00bc613227dc4d53523c1917efd1f69a8535403475e3ffba75bafc45ba2a007a27039553b82df252c557420527d62ab4

Download Submit
C:\Windows\{141A4B7E-82B8-4a93-9B4C-815B0857C9D7}.exe

Filesize
408KB

MD5
6a085c521a56806b2569cc2b979044a6

SHA1
824021d87e3c06b89606b541bf868b1c71e4b113

SHA256
56d9212daff533283384788084768a1871057396cdc08a560309ec4bb378be36

SHA512
0cb6837375d1e59f1068a0b6fcc2c92813bb43f08999c50425f3c638e6a5ce1791a927b7b7092ff085b0153a7897a50167463e29dc9c2692c62f9ccda37b9a37

Download Submit
C:\Windows\{15386D15-159E-4a87-8E72-09B498BE86B6}.exe

Filesize
408KB

MD5
06cabbb78a9762db4b27f58e9d582d1d

SHA1
433d4c27027302ec385867487c0f62cf1824c54f

SHA256
cf99420bae1523c5dc440f7c2fad261e5d2f99d6e04e51e974f11a9c3acb1372

SHA512
dca11e2a72aba1114747851acc1291dc5df081b2117018b795bc2e186d323c51e67bde9af9ffd958cf6afd4369f4cd1eb5e165b3e2f59f5b3cc941ab65eeda75

Download Submit
C:\Windows\{2309063F-EF19-4c9e-B692-F4A84D9FADBE}.exe

Filesize
408KB

MD5
fd1317e987246fdcd0ad9ed622523a42

SHA1
eb7e80043f48e2a966eb4f406445af0cee27675a

SHA256
00583a7f2d780c34205de2518cd1efe52f785c30fe26b024c349a60233e0909e

SHA512
c1c4c213f7540a3e4e4f9555ed0c56414dc4f43d73f3355047471da2f06f5fdcecfa6d071a482048e0d7753be553aa9eaefc4f96e33e4c859b86fa85a1858c03

Download Submit
C:\Windows\{3BFE559E-AA1E-4170-A042-78AD30F62196}.exe

Filesize
408KB

MD5
55d16327ea56e7a5cc16e0c2657b986d

SHA1
247f8797ef3a81062b450002adf4b924ad61e397

SHA256
b2dbb06c7ac0aa9e336b46009dd71d379293be5f48ac59369571e60bfbc0b7b8

SHA512
5223817cd6729d7966cf4174fd82f02fc490bc09c3299d7ebf6a5c611e9462d5db0c20e186b091bc6b450ee92664778802f3a97fb00fcfeced8bdddb57773ec2

Download Submit
C:\Windows\{5F552750-F0B1-46c6-AC2B-59018A172491}.exe

Filesize
76KB

MD5
7440706510c3bba7d73130ff68b2c760

SHA1
41a4ab4c7354f89be5fe4c8d41636fcce2f11644

SHA256
161e406eba5df2f9ad48cc90ebfa316729775b09be297254c7c33d4b01f26566

SHA512
59d3e3f8b44518cb2a554b4dcb3f2a439bd8e2733bb02e5834e1628da7aff4ce1ff5dd3420887c3ca16dd296d2b9cfafa3e9769d597b476f7fa5ead080cc09b4

Download Submit
C:\Windows\{5F552750-F0B1-46c6-AC2B-59018A172491}.exe

Filesize
408KB

MD5
3f297b78362dc9e02486e432150e75a9

SHA1
d4d72f7bff4ab833f26b5a099d71c65bb309b26a

SHA256
021204634b997f14d675761383f8b230aad0b8d17c63ffaceac376e9e6811074

SHA512
9f38654acf35fb6fbdfec76ba786621dbf8325afcb4d0314fc7eb5bc2e694e0af0e0bea924f3046b437491de5a92ab5930232c1f1de264a0e032e5885ece6157

Download Submit
C:\Windows\{7A3AFD75-09A8-4054-A631-25C65DB3B32E}.exe

Filesize
408KB

MD5
a364bc9cc27e3659347c4d55eb3626a9

SHA1
aae09333203bbfdd87c9619d9f995ffe18dfafb3

SHA256
7689e7a79d05097609f52c39d1c44790eab6059e9c652bc79f87430dda52fefd

SHA512
664112e7d7dd0e363d277bc0904bc8097c01dfe9fb7c3c3a1cfd45339cc392921aecf474c13942351bc6e59c6a43607fea93a6fd40c679693479fb058aadc1cf

Download Submit
C:\Windows\{7DFCFBFA-81B9-41d2-9617-7CBED6D7DC4A}.exe

Filesize
408KB

MD5
791a60468e57eebb4d0890c3180e3b1d

SHA1
e66ea8dd05d67b791243c4d022e53ba65b6e6839

SHA256
5fdee0e2bdfbebbb1d24b533c97079372fcc8769774784422c40e0b1f07e9c24

SHA512
529e54dce88dcb289e529813a6519a10ea052e68f5deb079cfc2e4a881c0b07dada8c992e15aa89f63c0ec54f7527994ad648a6e394c7ef18da84332bba276c9

Download Submit
C:\Windows\{856CE792-AF04-4c35-A71A-843D04CDBF8D}.exe

Filesize
408KB

MD5
eef79471a502b5a8b0efe5d4589d14e6

SHA1
c953363239cda67a07b5f43093b92d7658cf6316

SHA256
79b56bc7116ec60c754bbca9dd37f6fdd4e26c4ee601acdd29586c8cce271bc8

SHA512
ff5f651a5944d4cb3006ed804ef0abd5d27a42f1d69e9057fde4511213c338196c22cc867ae4de129e0493f87a385ca5e35068ed2a5b27776292a65add2cbe19

Download Submit
C:\Windows\{9546AC4E-14F5-4c6a-A62A-039277D079E6}.exe

Filesize
408KB

MD5
697959a1f5bc59ac7e1cbdf2e6e86ee8

SHA1
abfd3cca8dc8a9ebc76c751e204b76be5716acea

SHA256
5c4882e34d0986884cd68997eaeb3d234b7b029be42bc5e53aa31dcbe61b54ed

SHA512
0e218ecbc953c3bd17f63df4a5b484733e139113c56dd8d3b3f51308aaa624ff512d0f82e214f46697ad91b54fa0ebc808e527847e9a11061663bf66340fbc82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads