7fd8ca70ace33ac55b368e22c7c8db8ef8a063ac2895891747c6540749212321

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Size

180KB
MD5

f38d004e248272f9cf5fbc0dd4b47b6e
SHA1

a9126081e45c200f2dfa82a22464b2761913d5f0
SHA256

7fd8ca70ace33ac55b368e22c7c8db8ef8a063ac2895891747c6540749212321
SHA512

d609e01bd8145b6afd12d2f73c1c6287895195fa42d9d8cdbe0994cf5b83cf83c19208dff4277c0e67e90f4bc185cac1f3d82f7087605b9d2c03cfbe595b06a7
SSDEEP

3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGYl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023224-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023224-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F13542A-B7A7-4a43-847C-13293ED6E7EC}	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBE00D27-9176-4352-B285-A6AB75822A4D}\stubpath = "C:\\Windows\\{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe"	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89D9742-AB3D-4314-8437-05978C514F51}	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E115E2A-FD4E-4919-A453-E8D3C35256D9}\stubpath = "C:\\Windows\\{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe"	{C89D9742-AB3D-4314-8437-05978C514F51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}\stubpath = "C:\\Windows\\{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe"	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F13542A-B7A7-4a43-847C-13293ED6E7EC}\stubpath = "C:\\Windows\\{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe"	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92CFCCB1-493B-422d-B31B-81B7F0E0212E}	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92CFCCB1-493B-422d-B31B-81B7F0E0212E}\stubpath = "C:\\Windows\\{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe"	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}	{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9398E97B-12AD-4388-9485-39BC45E94474}\stubpath = "C:\\Windows\\{9398E97B-12AD-4388-9485-39BC45E94474}.exe"	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}\stubpath = "C:\\Windows\\{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe"	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CDBF20-FCE9-4437-BA5C-76D072C621FE}\stubpath = "C:\\Windows\\{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe"	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CDBF20-FCE9-4437-BA5C-76D072C621FE}	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89D9742-AB3D-4314-8437-05978C514F51}\stubpath = "C:\\Windows\\{C89D9742-AB3D-4314-8437-05978C514F51}.exe"	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBE00D27-9176-4352-B285-A6AB75822A4D}	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9398E97B-12AD-4388-9485-39BC45E94474}	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635F816B-C127-4468-B579-4A0CC405F7A8}\stubpath = "C:\\Windows\\{635F816B-C127-4468-B579-4A0CC405F7A8}.exe"	{9398E97B-12AD-4388-9485-39BC45E94474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E115E2A-FD4E-4919-A453-E8D3C35256D9}	{C89D9742-AB3D-4314-8437-05978C514F51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}\stubpath = "C:\\Windows\\{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}.exe"	{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635F816B-C127-4468-B579-4A0CC405F7A8}	{9398E97B-12AD-4388-9485-39BC45E94474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}\stubpath = "C:\\Windows\\{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe"	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe

Executes dropped EXE 12 IoCs

pid	Process
3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe
4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe
1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe
1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe
3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe
4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe
3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe
3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe
2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe
4060	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe
1544	{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe
3844	{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe
File created	C:\Windows\{9398E97B-12AD-4388-9485-39BC45E94474}.exe	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
File created	C:\Windows\{635F816B-C127-4468-B579-4A0CC405F7A8}.exe	{9398E97B-12AD-4388-9485-39BC45E94474}.exe
File created	C:\Windows\{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe
File created	C:\Windows\{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe	{C89D9742-AB3D-4314-8437-05978C514F51}.exe
File created	C:\Windows\{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe
File created	C:\Windows\{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}.exe	{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe
File created	C:\Windows\{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe
File created	C:\Windows\{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe
File created	C:\Windows\{C89D9742-AB3D-4314-8437-05978C514F51}.exe	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe
File created	C:\Windows\{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe
File created	C:\Windows\{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	964	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe
Token: SeIncBasePriorityPrivilege	4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe
Token: SeIncBasePriorityPrivilege	1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe
Token: SeIncBasePriorityPrivilege	1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe
Token: SeIncBasePriorityPrivilege	3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe
Token: SeIncBasePriorityPrivilege	4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe
Token: SeIncBasePriorityPrivilege	3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe
Token: SeIncBasePriorityPrivilege	3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe
Token: SeIncBasePriorityPrivilege	2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe
Token: SeIncBasePriorityPrivilege	4060	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe
Token: SeIncBasePriorityPrivilege	1544	{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3096	964	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	89
PID 964 wrote to memory of 3096	964	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	89
PID 964 wrote to memory of 3096	964	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	89
PID 964 wrote to memory of 1148	964	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	90
PID 964 wrote to memory of 1148	964	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	90
PID 964 wrote to memory of 1148	964	2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe	90
PID 3096 wrote to memory of 4028	3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe	93
PID 3096 wrote to memory of 4028	3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe	93
PID 3096 wrote to memory of 4028	3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe	93
PID 3096 wrote to memory of 2784	3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe	94
PID 3096 wrote to memory of 2784	3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe	94
PID 3096 wrote to memory of 2784	3096	{9398E97B-12AD-4388-9485-39BC45E94474}.exe	94
PID 4028 wrote to memory of 1464	4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe	96
PID 4028 wrote to memory of 1464	4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe	96
PID 4028 wrote to memory of 1464	4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe	96
PID 4028 wrote to memory of 1556	4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe	97
PID 4028 wrote to memory of 1556	4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe	97
PID 4028 wrote to memory of 1556	4028	{635F816B-C127-4468-B579-4A0CC405F7A8}.exe	97
PID 1464 wrote to memory of 1032	1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe	98
PID 1464 wrote to memory of 1032	1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe	98
PID 1464 wrote to memory of 1032	1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe	98
PID 1464 wrote to memory of 3944	1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe	99
PID 1464 wrote to memory of 3944	1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe	99
PID 1464 wrote to memory of 3944	1464	{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe	99
PID 1032 wrote to memory of 3292	1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe	100
PID 1032 wrote to memory of 3292	1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe	100
PID 1032 wrote to memory of 3292	1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe	100
PID 1032 wrote to memory of 936	1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe	101
PID 1032 wrote to memory of 936	1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe	101
PID 1032 wrote to memory of 936	1032	{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe	101
PID 3292 wrote to memory of 4236	3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe	102
PID 3292 wrote to memory of 4236	3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe	102
PID 3292 wrote to memory of 4236	3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe	102
PID 3292 wrote to memory of 5036	3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe	103
PID 3292 wrote to memory of 5036	3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe	103
PID 3292 wrote to memory of 5036	3292	{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe	103
PID 4236 wrote to memory of 3628	4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe	104
PID 4236 wrote to memory of 3628	4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe	104
PID 4236 wrote to memory of 3628	4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe	104
PID 4236 wrote to memory of 3484	4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe	105
PID 4236 wrote to memory of 3484	4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe	105
PID 4236 wrote to memory of 3484	4236	{C89D9742-AB3D-4314-8437-05978C514F51}.exe	105
PID 3628 wrote to memory of 3448	3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe	106
PID 3628 wrote to memory of 3448	3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe	106
PID 3628 wrote to memory of 3448	3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe	106
PID 3628 wrote to memory of 880	3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe	107
PID 3628 wrote to memory of 880	3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe	107
PID 3628 wrote to memory of 880	3628	{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe	107
PID 3448 wrote to memory of 2964	3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe	108
PID 3448 wrote to memory of 2964	3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe	108
PID 3448 wrote to memory of 2964	3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe	108
PID 3448 wrote to memory of 4040	3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe	109
PID 3448 wrote to memory of 4040	3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe	109
PID 3448 wrote to memory of 4040	3448	{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe	109
PID 2964 wrote to memory of 4060	2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe	110
PID 2964 wrote to memory of 4060	2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe	110
PID 2964 wrote to memory of 4060	2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe	110
PID 2964 wrote to memory of 5060	2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe	111
PID 2964 wrote to memory of 5060	2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe	111
PID 2964 wrote to memory of 5060	2964	{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe	111
PID 4060 wrote to memory of 1544	4060	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe	112
PID 4060 wrote to memory of 1544	4060	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe	112
PID 4060 wrote to memory of 1544	4060	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe	112
PID 4060 wrote to memory of 2824	4060	{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_f38d004e248272f9cf5fbc0dd4b47b6e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\{9398E97B-12AD-4388-9485-39BC45E94474}.exe
  C:\Windows\{9398E97B-12AD-4388-9485-39BC45E94474}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\{635F816B-C127-4468-B579-4A0CC405F7A8}.exe
    C:\Windows\{635F816B-C127-4468-B579-4A0CC405F7A8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe
      C:\Windows\{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe
        
        C:\Windows\{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe
        
        C:\Windows\{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\{C89D9742-AB3D-4314-8437-05978C514F51}.exe
        
        C:\Windows\{C89D9742-AB3D-4314-8437-05978C514F51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe
        
        C:\Windows\{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe
        
        C:\Windows\{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe
        
        C:\Windows\{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe
        
        C:\Windows\{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe
        
        C:\Windows\{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}.exe
        
        C:\Windows\{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}.exe
        13⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92CFC~1.EXE > nul
        13⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBE00~1.EXE > nul
        12⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F135~1.EXE > nul
        11⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E08A~1.EXE > nul
        10⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E115~1.EXE > nul
        9⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C89D9~1.EXE > nul
        8⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17CDB~1.EXE > nul
        7⤵
        
        PID:5036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C6DB~1.EXE > nul
        6⤵
        
        PID:936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5969D~1.EXE > nul
        5⤵
        
        PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{635F8~1.EXE > nul
      4⤵
      PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9398E~1.EXE > nul
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E08AC90-751E-4069-BED5-0A3DF2CCE2E7}.exe

Filesize
180KB

MD5
7a9ac8fc7d2b1153b1b21dabcde08d6e

SHA1
7458c384de6a2b8e3a2ba8be92084632f3a55f54

SHA256
0ce3281ba6bfd9eb1bd4ac6357d4613027f170c778fcd9f5e06564c011a66ea9

SHA512
e3d086a2d6d28f72fb1ec8e80d0ecd86b4da99383dda3d0be734085ef98b27b3218112db56f8856fd96e8acc9bd7dda43543410cee09221d2895b46a853015c1

Download Submit
C:\Windows\{17CDBF20-FCE9-4437-BA5C-76D072C621FE}.exe

Filesize
180KB

MD5
9d53ea94999f3385c5919c393cb6fa27

SHA1
5e7f93cb2b23810ec1dd12aea97937f3b7859654

SHA256
ab9c9da5755b86e5c4076099040cf84b9f0a1f1a3bc5f165987fa489b568f85c

SHA512
76dfdea990aac58dfe4b06e4310ece93bc832e052da5d34e5902f7f042694aada2865d78818ce01d2df877116f3faa5cae8874f10d38898ae546e9f3910d21f4

Download Submit
C:\Windows\{3C6DBCD8-6DC5-4378-8C55-A9D4F58A9F22}.exe

Filesize
180KB

MD5
f753baaecc69b0b3d3ad0bdb8a3c9ce3

SHA1
f9bd1ada9eb5dbf97b8d1072a7daf6bf422c0be6

SHA256
650d8a73ea0506f4be4914ea054e7c4a6faf538d4c8c4582d11ba399c57bde9a

SHA512
03984539b6dd8373268677239eb2725406cacb5ef59bd1b58e567a5eb8663283924ef40811b854231b49223c63972cc13975565b23c23354f4cb6a5ca4394de4

Download Submit
C:\Windows\{5969DAC1-BB6B-4ed5-8DBF-2197B39226A4}.exe

Filesize
180KB

MD5
dd05fdcfa1a96a81e6b093dfc34bc1a5

SHA1
aee770c8a07e2936f0ec2a3d424afd8cceda67b6

SHA256
384d531b2279d5090613be97eb7eb675ac5634beb9cfc2160c172591ed776b56

SHA512
170c1c452b6d52225ef9991973c22bf52d143d45c6effac71e70c8cd88e77136c30d348416f4151d19b4dfbbb1bce9bb38d511e29447927de7473a223fafc5b2

Download Submit
C:\Windows\{60BEE7C7-2B0A-4de5-A0F7-51D7E84E7007}.exe

Filesize
180KB

MD5
4f92fbe57f24c8404375c0814a39b85b

SHA1
5746c897d65ed1a01ed251107523d3877b218573

SHA256
b19a8441f79092be00723cd045574508ffc3deebeafb09c8b20f59cb87ab627b

SHA512
a944ed8b1275d4ba8257efd955d12b477ff2ffe34f26aef904022a0f5f0cb2de6a3d8c6a36910dd2ae02a0bc99f70d75437c10a2245a9fadec1dfe3934ee412d

Download Submit
C:\Windows\{635F816B-C127-4468-B579-4A0CC405F7A8}.exe

Filesize
180KB

MD5
d834718dfb7373fc16b6f7707ce14398

SHA1
d8b2f4b2b911f72335657812bbdadd4d01b19892

SHA256
da5f86194efa0fc40019ee79ce22880904d5dd51a9b5fd2e3f0fb03e05643364

SHA512
2adec2b8b3047985871657399e583b85d7f0ffc61dc57d647926b1ffed5ce7972a235751667ec6c54fcdaec30bd0947c4aa98fb01813e85df0e9d10371609b2b

Download Submit
C:\Windows\{7E115E2A-FD4E-4919-A453-E8D3C35256D9}.exe

Filesize
180KB

MD5
03aa29d0f476872af36612fe870c66b8

SHA1
9bf09fd93bc7372b7ab5992dc2b097fb02ead50f

SHA256
eb7a7b4fe986d063ed752dee4d1239ded71d8e14fa213e8f3024871111f7bfe8

SHA512
e85c06b96c911a4bde6b76c91bcba698884408c2e938dc4f5871b6a860e3b4c0479a67475ea4328d1d319c57f6167d07fa0f2d0d906edfa20acb8d37b39114c7

Download Submit
C:\Windows\{7F13542A-B7A7-4a43-847C-13293ED6E7EC}.exe

Filesize
180KB

MD5
4bfb42ca6bf0e84229272fafff19612d

SHA1
f13aaf9f02c54010c49aefefbfc988d369bccdb6

SHA256
43ce191fc98969477fdd964742614e4c9dd83818a33be91313e2a1df7e3f7da8

SHA512
bc6f82cc9d14c24a58c72ce4f35006b3a4ba0fd03e14697351403ac63e20b398014fec45fe9bb84ab096838d28cb3347b749a8397dd4e03b1856747d90c02961

Download Submit
C:\Windows\{92CFCCB1-493B-422d-B31B-81B7F0E0212E}.exe

Filesize
180KB

MD5
566d2a3f41a98df0abc940c4c24d22a6

SHA1
2cd30d9fc0c739f7f8e534d4d53c809807e2ee88

SHA256
90543a6e286a67eab39041bd572e82649120c1e0f8644e277428e139706d4497

SHA512
d2bd17e6fd66b57e61f2124e9ccc08aeed2da929fdda59b36fdbb8b5a1df4548ccab056c80855ce54575782f4b09f6c19711749e75d085a92f6837033127f122

Download Submit
C:\Windows\{9398E97B-12AD-4388-9485-39BC45E94474}.exe

Filesize
180KB

MD5
6fae4f356ae88b854c244771d0b42caa

SHA1
5ae80a6af4c7b3abf76119a93b9ad766ada922c1

SHA256
b9639c4840f5329a2032dccd438dced764753e039664e28599b7fc766f8d6987

SHA512
54340de299785ea6804088488b6041177b1cd567ddb4c09c6bbe3390fa9040848f338fa3411cbb7b754c56b1cfba9b2c107afcbeff5426af386b5330d30fe9ae

Download Submit
C:\Windows\{C89D9742-AB3D-4314-8437-05978C514F51}.exe

Filesize
180KB

MD5
e322d6f47438eb17e1d86fcac5df1d24

SHA1
be36cb89ee01888ade3bdc96633e94f13195f94c

SHA256
7cea053479c98cdb88a4f7b862215ee62032c937f52f1cbf54995558fac9ab1a

SHA512
64f738f2e213916979fddf724cb92f7c2780ff0d89facd7674768d293b3111c7eac7d8b82f4e695c3cb92580e03acb436a0b893a876ecbb6e67fb646b4b8d5aa

Download Submit
C:\Windows\{EBE00D27-9176-4352-B285-A6AB75822A4D}.exe

Filesize
180KB

MD5
1a84233e82551c4ecf28003a844bda0b

SHA1
f364f706741e660d194b3eb4d93e23b436073a76

SHA256
3bc145e91bce05b3de332da976cba335f6d0beeec9d3da0362d67d9e81c5f70a

SHA512
968b3f13c7200c6bc0f442d01117ad7a6ca1f99d98a8b80ad9e3a442d882c96559dc55b2d00686f0ba8fe6615b6528a6b558c36ffb261cedc7319e6629c209ce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads