c58246660651d2c2a6f35d5c7e52282c5630cfe15635258e20467f251c7fe565

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 10:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Size

180KB
MD5

e32494cc6c4716c6f589d5eb5d2af5e8
SHA1

b29168da82f2fcb39d9b626e90db48fb6fa542b1
SHA256

c58246660651d2c2a6f35d5c7e52282c5630cfe15635258e20467f251c7fe565
SHA512

31abb9852224b36b03fcb9deff3b932c46e24cd6f6aa9fda545aaa101ca763efa5a4313aec09b6caf5fab283dc34e3d0acaac45b862baddd1590036d8c677db9
SSDEEP

3072:jEGh0ollfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGzl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023213-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e7e2-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023221-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e7e2-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e7e2-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000006cf-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006cf-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{459FDAE1-D6F7-4c07-93F7-08DB040F2741}	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58364550-12B1-4103-B682-163F2A692DEF}\stubpath = "C:\\Windows\\{58364550-12B1-4103-B682-163F2A692DEF}.exe"	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B25011D0-3675-4137-9EF2-1EA44408C3A2}\stubpath = "C:\\Windows\\{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe"	{58364550-12B1-4103-B682-163F2A692DEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}\stubpath = "C:\\Windows\\{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe"	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A24EC5A-9102-4613-9909-2F08FA4EB29C}\stubpath = "C:\\Windows\\{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe"	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D0B35F-E80B-454d-80E4-85107C21C402}\stubpath = "C:\\Windows\\{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe"	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}\stubpath = "C:\\Windows\\{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe"	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}\stubpath = "C:\\Windows\\{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe"	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{459FDAE1-D6F7-4c07-93F7-08DB040F2741}\stubpath = "C:\\Windows\\{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe"	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58364550-12B1-4103-B682-163F2A692DEF}	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B25011D0-3675-4137-9EF2-1EA44408C3A2}	{58364550-12B1-4103-B682-163F2A692DEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D404B6A-7F27-45bb-8155-79A5F3A0F324}\stubpath = "C:\\Windows\\{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe"	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D0B35F-E80B-454d-80E4-85107C21C402}	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E43B39-4622-4220-8EC9-07EB4CEB2040}	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DE6C99-815B-44bd-9600-415035E9B613}	{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A24EC5A-9102-4613-9909-2F08FA4EB29C}	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D404B6A-7F27-45bb-8155-79A5F3A0F324}	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DBC38E9-1DE9-4803-95B2-205BE81EC237}	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DE6C99-815B-44bd-9600-415035E9B613}\stubpath = "C:\\Windows\\{60DE6C99-815B-44bd-9600-415035E9B613}.exe"	{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DBC38E9-1DE9-4803-95B2-205BE81EC237}\stubpath = "C:\\Windows\\{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe"	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E43B39-4622-4220-8EC9-07EB4CEB2040}\stubpath = "C:\\Windows\\{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe"	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe

Executes dropped EXE 12 IoCs

pid	Process
1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe
2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe
1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe
2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe
1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe
3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe
3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe
4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe
2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe
4064	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe
1004	{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe
2012	{60DE6C99-815B-44bd-9600-415035E9B613}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe
File created	C:\Windows\{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe
File created	C:\Windows\{60DE6C99-815B-44bd-9600-415035E9B613}.exe	{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe
File created	C:\Windows\{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe	{58364550-12B1-4103-B682-163F2A692DEF}.exe
File created	C:\Windows\{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe
File created	C:\Windows\{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe
File created	C:\Windows\{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe
File created	C:\Windows\{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe
File created	C:\Windows\{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe
File created	C:\Windows\{58364550-12B1-4103-B682-163F2A692DEF}.exe	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
File created	C:\Windows\{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe
File created	C:\Windows\{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4932	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe
Token: SeIncBasePriorityPrivilege	2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe
Token: SeIncBasePriorityPrivilege	1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe
Token: SeIncBasePriorityPrivilege	2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe
Token: SeIncBasePriorityPrivilege	1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe
Token: SeIncBasePriorityPrivilege	3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe
Token: SeIncBasePriorityPrivilege	3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe
Token: SeIncBasePriorityPrivilege	4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe
Token: SeIncBasePriorityPrivilege	2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe
Token: SeIncBasePriorityPrivilege	4064	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe
Token: SeIncBasePriorityPrivilege	1004	{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1348	4932	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	89
PID 4932 wrote to memory of 1348	4932	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	89
PID 4932 wrote to memory of 1348	4932	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	89
PID 4932 wrote to memory of 5112	4932	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	90
PID 4932 wrote to memory of 5112	4932	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	90
PID 4932 wrote to memory of 5112	4932	2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe	90
PID 1348 wrote to memory of 2284	1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe	93
PID 1348 wrote to memory of 2284	1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe	93
PID 1348 wrote to memory of 2284	1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe	93
PID 1348 wrote to memory of 2484	1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe	94
PID 1348 wrote to memory of 2484	1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe	94
PID 1348 wrote to memory of 2484	1348	{58364550-12B1-4103-B682-163F2A692DEF}.exe	94
PID 2284 wrote to memory of 1080	2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe	97
PID 2284 wrote to memory of 1080	2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe	97
PID 2284 wrote to memory of 1080	2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe	97
PID 2284 wrote to memory of 756	2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe	96
PID 2284 wrote to memory of 756	2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe	96
PID 2284 wrote to memory of 756	2284	{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe	96
PID 1080 wrote to memory of 2824	1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe	98
PID 1080 wrote to memory of 2824	1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe	98
PID 1080 wrote to memory of 2824	1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe	98
PID 1080 wrote to memory of 1280	1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe	99
PID 1080 wrote to memory of 1280	1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe	99
PID 1080 wrote to memory of 1280	1080	{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe	99
PID 2824 wrote to memory of 1428	2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe	100
PID 2824 wrote to memory of 1428	2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe	100
PID 2824 wrote to memory of 1428	2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe	100
PID 2824 wrote to memory of 2832	2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe	101
PID 2824 wrote to memory of 2832	2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe	101
PID 2824 wrote to memory of 2832	2824	{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe	101
PID 1428 wrote to memory of 3520	1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe	102
PID 1428 wrote to memory of 3520	1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe	102
PID 1428 wrote to memory of 3520	1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe	102
PID 1428 wrote to memory of 2360	1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe	103
PID 1428 wrote to memory of 2360	1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe	103
PID 1428 wrote to memory of 2360	1428	{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe	103
PID 3520 wrote to memory of 3628	3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe	104
PID 3520 wrote to memory of 3628	3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe	104
PID 3520 wrote to memory of 3628	3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe	104
PID 3520 wrote to memory of 4124	3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe	105
PID 3520 wrote to memory of 4124	3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe	105
PID 3520 wrote to memory of 4124	3520	{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe	105
PID 3628 wrote to memory of 4936	3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe	106
PID 3628 wrote to memory of 4936	3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe	106
PID 3628 wrote to memory of 4936	3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe	106
PID 3628 wrote to memory of 1320	3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe	107
PID 3628 wrote to memory of 1320	3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe	107
PID 3628 wrote to memory of 1320	3628	{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe	107
PID 4936 wrote to memory of 2400	4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe	108
PID 4936 wrote to memory of 2400	4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe	108
PID 4936 wrote to memory of 2400	4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe	108
PID 4936 wrote to memory of 4312	4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe	109
PID 4936 wrote to memory of 4312	4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe	109
PID 4936 wrote to memory of 4312	4936	{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe	109
PID 2400 wrote to memory of 4064	2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe	110
PID 2400 wrote to memory of 4064	2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe	110
PID 2400 wrote to memory of 4064	2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe	110
PID 2400 wrote to memory of 912	2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe	111
PID 2400 wrote to memory of 912	2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe	111
PID 2400 wrote to memory of 912	2400	{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe	111
PID 4064 wrote to memory of 1004	4064	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe	112
PID 4064 wrote to memory of 1004	4064	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe	112
PID 4064 wrote to memory of 1004	4064	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe	112
PID 4064 wrote to memory of 4400	4064	{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_e32494cc6c4716c6f589d5eb5d2af5e8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\{58364550-12B1-4103-B682-163F2A692DEF}.exe
  C:\Windows\{58364550-12B1-4103-B682-163F2A692DEF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe
    C:\Windows\{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2501~1.EXE > nul
      4⤵
      PID:756
  - - C:\Windows\{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe
      C:\Windows\{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe
        
        C:\Windows\{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe
        
        C:\Windows\{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe
        
        C:\Windows\{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe
        
        C:\Windows\{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe
        
        C:\Windows\{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe
        
        C:\Windows\{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe
        
        C:\Windows\{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe
        
        C:\Windows\{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\{60DE6C99-815B-44bd-9600-415035E9B613}.exe
        
        C:\Windows\{60DE6C99-815B-44bd-9600-415035E9B613}.exe
        13⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{459FD~1.EXE > nul
        13⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35D05~1.EXE > nul
        12⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71E43~1.EXE > nul
        11⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DBC3~1.EXE > nul
        10⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1D94~1.EXE > nul
        9⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D0B~1.EXE > nul
        8⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D404~1.EXE > nul
        7⤵
        
        PID:2360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A24E~1.EXE > nul
        6⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F412~1.EXE > nul
        5⤵
        
        PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{58364~1.EXE > nul
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A24EC5A-9102-4613-9909-2F08FA4EB29C}.exe

Filesize
180KB

MD5
86e0ca374e6f832a05fd9ebe492277e0

SHA1
6e4cef1040b92bb558713c26e21d7d74e3c1757f

SHA256
dc9a6cf9cd26dedbf4fa242276d56c74221d67beb1d6ae11d56f06f535b546df

SHA512
d8ea3ec38c6ebb6088b14d51d45eeaad881d01359e5a78222c76ad2d4fcc704842e73c3d3489a8d7cbbf6241ff1404b3d2efe37c0a418848530bcd202eae2a02

Download Submit
C:\Windows\{2F4124E3-EFB3-46a4-B2DD-D23435353C8B}.exe

Filesize
180KB

MD5
ffda3df618c32dd0eab7b087ce5d8ba6

SHA1
3aa95242961930bebe693e42982fa9e1f2e2742a

SHA256
e1e8e7e15b9470d4bd8b554b2f09bd926e9a892d550fd81b9f9af9d9690dbf37

SHA512
8d88871cf4a13be995ff0d9097a117e7b1436e55ecc84eaa44cd7f20e5d0f95fbefdce499ef32fc22eda4048f3d3140e1eae2d3c9c5895a858bfb5eb1f7a1c0a

Download Submit
C:\Windows\{35D05CEB-CCBB-42da-B729-FCBF67B77CBD}.exe

Filesize
180KB

MD5
1adeb18ca23b3ffb1c91e05ab0edad3c

SHA1
cfee09d24faa320f0e5984b3b94e50a477de01e2

SHA256
9956a7c46c851f2ebe8839576e238fc2c87505363563668ab510ee1a293377ad

SHA512
55f27cc4f2fea06edbc289510eb3f6cfbce493b50d9755f6d7d637521d5c501e3b9e5138ab1a114974f702729c9b62ad44d96ffa757bac1c9dfd68ab2cf4acc7

Download Submit
C:\Windows\{459FDAE1-D6F7-4c07-93F7-08DB040F2741}.exe

Filesize
180KB

MD5
380fe86c7f22ada008b5423a8623c9c6

SHA1
1387d4e8eac663d6421430b946e3b28b23d66c49

SHA256
8214bfc763fdb8173c1f0720d86b2d21ad8b98b8600514b9da02d09367b4edea

SHA512
4b4c8e1fcd50ba60178c4bf02e0dc0935a7b4710569784a4ec1ac6573673bcca5902c0f22157d4d5a525d7d4b56d0f508c4cdd8c491c9a06823c6d8ea615e153

Download Submit
C:\Windows\{4D404B6A-7F27-45bb-8155-79A5F3A0F324}.exe

Filesize
180KB

MD5
292d063b65bfca2db9bf913a736d2cc0

SHA1
baccb0523159d23c69a870b1f83c28a4b7680da7

SHA256
a6200a2d98c2861713f22c5abed530edd67e8b139bf7691a606a1abcebed9940

SHA512
1c2a11e0468329f6fdfa59f1ecc77f61c8780087eb10ffd0d99e52915609efd939d49dd9be30ab96709080704a368801d3b252e89762378bd2a16649621eb112

Download Submit
C:\Windows\{58364550-12B1-4103-B682-163F2A692DEF}.exe

Filesize
180KB

MD5
63c0b41a9cfdc178b76bdda7def274ef

SHA1
568044778631b7e8f210620b1d48bfcec9336f61

SHA256
da6157f1d84e262c42f2e255f329325644f19fb8495bc911ae16e89c5cb53b2f

SHA512
181df63608b633962598ac1ec3434f3d749fc77afeb05d9e01889b48eed6956f4a47fd8c69af929aa1e9200c26fb53f8b68dd0c7af790b67908ee3265fde65a7

Download Submit
C:\Windows\{60DE6C99-815B-44bd-9600-415035E9B613}.exe

Filesize
180KB

MD5
75bcbe6778a7f30c54b362c00700b7df

SHA1
3fa042f87c03e727fbc65e3c8e81d08b687407c0

SHA256
4894b2af969ed55f09a609e56cd08a444fb9d50f7dd83044d83732595d9cc062

SHA512
efb8483a914915d4eea69eeba759f50d15c9a8d46b61b47029e80f6d0931bdf066d6972e645014e68d4668281c8295d223e015d7b86af1039e09d82cf255e446

Download Submit
C:\Windows\{71E43B39-4622-4220-8EC9-07EB4CEB2040}.exe

Filesize
180KB

MD5
a5c87e78e70629d5530cf1104187f940

SHA1
3a1150f186dc87761db34d617ab7b28d7798839b

SHA256
d2b94f8a8ad57e27de8de297ef6aa874091cbda1120ea168e99726bfd05bf8bf

SHA512
e3e3c2bd1a27f9a771cd828acae8415e5f29d0c27a78eac827fd39425db583bfb9a423dba3c4913ea1532a091d21bdfd5298913c658671a3ad163b612d08ddd5

Download Submit
C:\Windows\{9DBC38E9-1DE9-4803-95B2-205BE81EC237}.exe

Filesize
180KB

MD5
43362db31c8c7a67a1a08b944ec143b5

SHA1
e6fad3ad57dc336c919f7bf3b64d5f24026155c5

SHA256
157266014a063b1454d55c2c5a40ef4f4469f714a6527e3deb5fe79606e4f82b

SHA512
a1b6086821c283a144dc557c77cb44c5548f4555ef5d8406b79402a0ed8111a634b4270ce4f729a159fbd580f1e4f76646b89b9a0f6bc63739291e09e5854049

Download Submit
C:\Windows\{B1D948C2-210F-4ac0-B39B-A9A10321B6A6}.exe

Filesize
180KB

MD5
e60b1387a68718783e7ebf590b7e998d

SHA1
9a752a46aaab9d4b21a80e1a270383b9b133081b

SHA256
37c17121b35818d42bd2e185759b7f30151f9e68a7eb55524b91a868c61c0ee1

SHA512
e47a6c90c45b3905d0725bbcb58b33de2043fd3db90ac2acbb04bb7d4090bd925ab81e1fe126cb17d1af33423d57dad11fbdd1d4755037e9711e49ce96da3dc4

Download Submit
C:\Windows\{B25011D0-3675-4137-9EF2-1EA44408C3A2}.exe

Filesize
180KB

MD5
f26d8dfe3dfc5336c483df127b47b281

SHA1
cf004d7dbe2c55967be26952707c5f05670e25bb

SHA256
9815e404f76c929afd68aa58b86fc162f7a38f8df3301f97ce0e4f72ee7a4f78

SHA512
0e70c2697c709eb9684c74b0c5be7cf0a2776e2f49036fcf0d3015e0e8049827e4ca0c3db36a526a772d94a583aeefe4904c87721cadac82d158c3b17274ddb4

Download Submit
C:\Windows\{B4D0B35F-E80B-454d-80E4-85107C21C402}.exe

Filesize
180KB

MD5
c0b324d26be7d78d898b2131fdd196b2

SHA1
4deba61d543645df1c55faf9accb2ea7a36d47d6

SHA256
a25a8f0ecde4163b3ed8f3ed738bf0e39e6a57d8c6b258f4191df9df87692088

SHA512
6848b978c0df19636e08481fc4c405db650954bac33a3999c7e91b01e0f82a024f14ceb844b7782d6829d1ecf9baa6f703868c6e965ecfcf9eb97734291020e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads