7907f56cd1c2f67b169a3dc35a2730d5a894b3fba6ef4d683ab2ac013cc8684c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe
Size

197KB
MD5

3726b20e32a2111f0c6a135155c9567a
SHA1

da3fd42e329e11f070c298e50e2e552ad38d5130
SHA256

7907f56cd1c2f67b169a3dc35a2730d5a894b3fba6ef4d683ab2ac013cc8684c
SHA512

9208516f1a9b752580f13adf401c51bc1e992b4d90d1f9f944f20d9e1b4eeeb20411d290c20ac537e43db948f062dbd23de0bd86145fbfbf25af4b4aa5627f72
SSDEEP

3072:jEGh0oul+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGglEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ef-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231f8-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023200-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fe-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d92-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db1b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBCE7640-B6EF-4601-9424-9F5E6404386A}	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5977606C-CE57-403b-8734-D14D0A86C668}\stubpath = "C:\\Windows\\{5977606C-CE57-403b-8734-D14D0A86C668}.exe"	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}\stubpath = "C:\\Windows\\{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}.exe"	{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{473BC383-425E-4f58-B065-56D3983D8354}	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5977606C-CE57-403b-8734-D14D0A86C668}	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EF7067F-E2A9-49af-9457-073DD6E3C42A}	{5977606C-CE57-403b-8734-D14D0A86C668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A1E492-7BB3-4f49-832C-2C701895DB18}\stubpath = "C:\\Windows\\{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe"	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{791C6F7E-C253-4690-8017-B7BBA9E82C25}\stubpath = "C:\\Windows\\{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe"	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}\stubpath = "C:\\Windows\\{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe"	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}	{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5783769D-835D-429c-A4D1-E6DBFD9EFB95}\stubpath = "C:\\Windows\\{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe"	{473BC383-425E-4f58-B065-56D3983D8354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBCE7640-B6EF-4601-9424-9F5E6404386A}\stubpath = "C:\\Windows\\{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe"	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}\stubpath = "C:\\Windows\\{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe"	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5783769D-835D-429c-A4D1-E6DBFD9EFB95}	{473BC383-425E-4f58-B065-56D3983D8354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}\stubpath = "C:\\Windows\\{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe"	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EF7067F-E2A9-49af-9457-073DD6E3C42A}\stubpath = "C:\\Windows\\{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe"	{5977606C-CE57-403b-8734-D14D0A86C668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A1E492-7BB3-4f49-832C-2C701895DB18}	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}\stubpath = "C:\\Windows\\{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe"	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{791C6F7E-C253-4690-8017-B7BBA9E82C25}	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{473BC383-425E-4f58-B065-56D3983D8354}\stubpath = "C:\\Windows\\{473BC383-425E-4f58-B065-56D3983D8354}.exe"	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe
2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe
3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe
3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe
4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe
2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe
3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe
4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe
4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe
2540	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe
3028	{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe
2116	{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe
File created	C:\Windows\{5977606C-CE57-403b-8734-D14D0A86C668}.exe	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe
File created	C:\Windows\{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe	{5977606C-CE57-403b-8734-D14D0A86C668}.exe
File created	C:\Windows\{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe
File created	C:\Windows\{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe
File created	C:\Windows\{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}.exe	{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe
File created	C:\Windows\{473BC383-425E-4f58-B065-56D3983D8354}.exe	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe
File created	C:\Windows\{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe
File created	C:\Windows\{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe
File created	C:\Windows\{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe
File created	C:\Windows\{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe	{473BC383-425E-4f58-B065-56D3983D8354}.exe
File created	C:\Windows\{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1872	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe
Token: SeIncBasePriorityPrivilege	2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe
Token: SeIncBasePriorityPrivilege	3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe
Token: SeIncBasePriorityPrivilege	3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe
Token: SeIncBasePriorityPrivilege	4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe
Token: SeIncBasePriorityPrivilege	2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe
Token: SeIncBasePriorityPrivilege	3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe
Token: SeIncBasePriorityPrivilege	4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe
Token: SeIncBasePriorityPrivilege	4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe
Token: SeIncBasePriorityPrivilege	2540	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe
Token: SeIncBasePriorityPrivilege	3028	{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1832	1872	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe	88
PID 1872 wrote to memory of 1832	1872	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe	88
PID 1872 wrote to memory of 1832	1872	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe	88
PID 1872 wrote to memory of 3544	1872	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe	89
PID 1872 wrote to memory of 3544	1872	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe	89
PID 1872 wrote to memory of 3544	1872	2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe	89
PID 1832 wrote to memory of 2484	1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe	93
PID 1832 wrote to memory of 2484	1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe	93
PID 1832 wrote to memory of 2484	1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe	93
PID 1832 wrote to memory of 3296	1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe	94
PID 1832 wrote to memory of 3296	1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe	94
PID 1832 wrote to memory of 3296	1832	{473BC383-425E-4f58-B065-56D3983D8354}.exe	94
PID 2484 wrote to memory of 3672	2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe	96
PID 2484 wrote to memory of 3672	2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe	96
PID 2484 wrote to memory of 3672	2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe	96
PID 2484 wrote to memory of 4296	2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe	97
PID 2484 wrote to memory of 4296	2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe	97
PID 2484 wrote to memory of 4296	2484	{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe	97
PID 3672 wrote to memory of 3020	3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe	98
PID 3672 wrote to memory of 3020	3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe	98
PID 3672 wrote to memory of 3020	3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe	98
PID 3672 wrote to memory of 3868	3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe	99
PID 3672 wrote to memory of 3868	3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe	99
PID 3672 wrote to memory of 3868	3672	{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe	99
PID 3020 wrote to memory of 4756	3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe	100
PID 3020 wrote to memory of 4756	3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe	100
PID 3020 wrote to memory of 4756	3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe	100
PID 3020 wrote to memory of 948	3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe	101
PID 3020 wrote to memory of 948	3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe	101
PID 3020 wrote to memory of 948	3020	{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe	101
PID 4756 wrote to memory of 2468	4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe	102
PID 4756 wrote to memory of 2468	4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe	102
PID 4756 wrote to memory of 2468	4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe	102
PID 4756 wrote to memory of 3264	4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe	103
PID 4756 wrote to memory of 3264	4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe	103
PID 4756 wrote to memory of 3264	4756	{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe	103
PID 2468 wrote to memory of 3048	2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe	104
PID 2468 wrote to memory of 3048	2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe	104
PID 2468 wrote to memory of 3048	2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe	104
PID 2468 wrote to memory of 3280	2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe	105
PID 2468 wrote to memory of 3280	2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe	105
PID 2468 wrote to memory of 3280	2468	{5977606C-CE57-403b-8734-D14D0A86C668}.exe	105
PID 3048 wrote to memory of 4524	3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe	106
PID 3048 wrote to memory of 4524	3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe	106
PID 3048 wrote to memory of 4524	3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe	106
PID 3048 wrote to memory of 212	3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe	107
PID 3048 wrote to memory of 212	3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe	107
PID 3048 wrote to memory of 212	3048	{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe	107
PID 4524 wrote to memory of 4084	4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe	108
PID 4524 wrote to memory of 4084	4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe	108
PID 4524 wrote to memory of 4084	4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe	108
PID 4524 wrote to memory of 1276	4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe	109
PID 4524 wrote to memory of 1276	4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe	109
PID 4524 wrote to memory of 1276	4524	{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe	109
PID 4084 wrote to memory of 2540	4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe	111
PID 4084 wrote to memory of 2540	4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe	111
PID 4084 wrote to memory of 2540	4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe	111
PID 4084 wrote to memory of 3896	4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe	110
PID 4084 wrote to memory of 3896	4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe	110
PID 4084 wrote to memory of 3896	4084	{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe	110
PID 2540 wrote to memory of 3028	2540	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe	112
PID 2540 wrote to memory of 3028	2540	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe	112
PID 2540 wrote to memory of 3028	2540	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe	112
PID 2540 wrote to memory of 4700	2540	{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_3726b20e32a2111f0c6a135155c9567a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\{473BC383-425E-4f58-B065-56D3983D8354}.exe
  C:\Windows\{473BC383-425E-4f58-B065-56D3983D8354}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe
    C:\Windows\{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe
      C:\Windows\{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe
        
        C:\Windows\{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe
        
        C:\Windows\{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\{5977606C-CE57-403b-8734-D14D0A86C668}.exe
        
        C:\Windows\{5977606C-CE57-403b-8734-D14D0A86C668}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe
        
        C:\Windows\{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe
        
        C:\Windows\{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe
        
        C:\Windows\{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ACE9~1.EXE > nul
        11⤵
        
        PID:3896
        
        C:\Windows\{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe
        
        C:\Windows\{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe
        
        C:\Windows\{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}.exe
        
        C:\Windows\{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9CC0~1.EXE > nul
        13⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{791C6~1.EXE > nul
        12⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47A1E~1.EXE > nul
        10⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EF70~1.EXE > nul
        9⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59776~1.EXE > nul
        8⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD0A~1.EXE > nul
        7⤵
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F05~1.EXE > nul
        6⤵
        
        PID:948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBCE7~1.EXE > nul
        5⤵
        
        PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{57837~1.EXE > nul
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{473BC~1.EXE > nul
    3⤵
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AD0ADAC-E9B6-436e-B3AD-76B6E8D42C39}.exe

Filesize
197KB

MD5
f6776f37b6859a87b0e6324db46f7af3

SHA1
13649af8cded5ebc32307aec05df0b6940138879

SHA256
30ed59a0e718e8190e707cd9f313915200b9d687dc2b22fff6d31d4c1891dd96

SHA512
ff34c01d04e68b2fad3009eaf7b8e96ab70848e5bc069f09f0b0532b5ca2d24a925d96288212fefb8d34eb052f40d849a612d9abbc54b5da5cf15e476d593886

Download Submit
C:\Windows\{0EF7067F-E2A9-49af-9457-073DD6E3C42A}.exe

Filesize
197KB

MD5
8d6c362030878d4d00ded9746876aed5

SHA1
759164d19837cb632c15b3b9f95c4a4927115d7f

SHA256
3658c020a49cbd51ba83cd358940cc087d151fab3d55af676f44398489f2aca6

SHA512
fe68343dbac1d2adc2e763cd39c475174ed0c4c14181d746c34b2d8f872acad081c890dd372930a303457da3741750710f53f733c78f9399d87740a6688a3539

Download Submit
C:\Windows\{1B7D888E-5A10-4757-AEC8-51A9528D7BA2}.exe

Filesize
197KB

MD5
0680c19701e72d14f2ed461a5fb93a31

SHA1
18a64bfd8c3f5828ca0a1bcd707455c572449e2a

SHA256
fd6bf40703d562cb503aede8702a485fbcd876810d701d1e787962f8df189226

SHA512
986a15186b1d841bef4819d204976281c75b1278cb4fcc8015ddafc61fb5fea59e347a201a8ddb8f423f0d0953da23dc948afd0c3c005290263a9d1964cf05b6

Download Submit
C:\Windows\{473BC383-425E-4f58-B065-56D3983D8354}.exe

Filesize
197KB

MD5
e2f804fb5232047956d1ef2e982b0f24

SHA1
c6b05acd38fa4042197dc84001ba6deccc675e7d

SHA256
180e0a676bb71475bf8f924ae6280ed071bcb68133b952f5dcd5021d6f79f438

SHA512
8b8157f278bb571040090e10f93f5120d03c3c70d5ee14311ae8fc5b2260061234973b7c1b40b345837a19421e4e5c19a46db15acd7fd25fd34b1b302c63c24c

Download Submit
C:\Windows\{47A1E492-7BB3-4f49-832C-2C701895DB18}.exe

Filesize
197KB

MD5
7a5d67e49c67b6256b7a5b77594bdbf0

SHA1
41c3dd279c507fd6467ffd5039e7f29ee42a33dc

SHA256
76804d86026b953fefa2b3e3e41c653528f0502a672bb42b67e6c426c02a71f3

SHA512
72ee58e45795d61260372540c6e55fdab51500fac915ff38620cf423d5a4ed43c1da72f3faf8b684c2ab64790c89315a7ad7f12a31190710c0f993d7548c0ea8

Download Submit
C:\Windows\{5783769D-835D-429c-A4D1-E6DBFD9EFB95}.exe

Filesize
197KB

MD5
ad2ee0cbc9fc1f69aa9bfec3da210032

SHA1
28a0f9678af4e8650e78ee2a0b20dd3e2eacd5a5

SHA256
d5b01fac86bdbe7c3e27e130cd52531561b66d4c40c14adf06769f5c783521e6

SHA512
efbea2ebbf8a6bdbd8b00c99b564b5a3c697da47303c777f99b4719d71ca8f00f7f39b2d645888e6d44155e570e98249ac9fc975d5c1d9c17df4f7521967e6d6

Download Submit
C:\Windows\{5977606C-CE57-403b-8734-D14D0A86C668}.exe

Filesize
197KB

MD5
3b359b65d3579787bb3d7f0d64e55bb9

SHA1
371e8765318d09c58030aff7d130410251ce21f0

SHA256
77f7de18c9393463d23885d36de4b10d4803cde074c1aa519a5e3744d9d1dd34

SHA512
1d71a287c1b933d1ea014fecfff8cdac3d83dd36652c4f4024cec44d709f18358bf0342f4c8ffa96a945d00326353cf429653e357429f993702db0641b06c58e

Download Submit
C:\Windows\{6ACE9040-F51B-41a0-BCD1-276C4818BAEE}.exe

Filesize
197KB

MD5
118f02aa29e9e271ed33252d23765c8e

SHA1
df0d16b62d5f27b9ba583b84beffac9e331047f6

SHA256
4801d62d6b64582453817008c73a0eff4dce2bafa76fc4d0cec4698677043a34

SHA512
f076eaee7f68867d2fb10dc6ab6abcd14c171294945276f7dfd8645dc2a4dddf5d47caefe31f3939fdb2ca4a3daa32b37b975c98fc8c6a0108f0a024ae1fb5ae

Download Submit
C:\Windows\{791C6F7E-C253-4690-8017-B7BBA9E82C25}.exe

Filesize
197KB

MD5
7a373556d8e63f330d8f6576d7f81ce0

SHA1
f14770b5bde634061594e17fceb2d56138377ad9

SHA256
f8c242a08e10046c97e298e6b52ade02b8f23e057da9b95873369de7213c4664

SHA512
811a80c3827843f25550df113e859fa521aab09abc778f450471945ebf4dc5eda0181d9771c95a63bbecc64d9986f13802d0a1da5fe5b945fafe83a6d905a3a9

Download Submit
C:\Windows\{B9CC0619-FF45-4d06-9FA1-1E82957C5B13}.exe

Filesize
197KB

MD5
6288530eaacd9f7926d32f9818d0c28f

SHA1
33f0facea47a9b0959e076d7a2b0bbaf5b5bf7b7

SHA256
eb5dd73d8419758fb9971cc44028ca88be468ba648e14a09806485a2a283398d

SHA512
0074252e9f4cd183fc81e79fbd403299091d7f47c2fe8873afac97919b231bc93ea5f56e800f2c40360e1637042a52529d90bf3b824e12ac91c43c17460a4198

Download Submit
C:\Windows\{F7F05EA8-A8F2-4cb5-ADA5-839B8EE7B1BE}.exe

Filesize
197KB

MD5
910e1963eb72f93a366c20df741d7514

SHA1
422be33a37e409ef4886d017cfff094fcee5db4a

SHA256
f299e209cfab1fe622c2c87b3fdcae324cc20e76783a47bc41601ab20c9447f4

SHA512
2c3766a2f3062dbee3f9cbd13188f4f1c9c90094d554cb79d262ee6109a015648ef2b5f526d3c49131d7a2ac4c8c19fc131a64ae89ba5062404a4be301b13656

Download Submit
C:\Windows\{FBCE7640-B6EF-4601-9424-9F5E6404386A}.exe

Filesize
197KB

MD5
87b11d6b2bdc9f9770c9575dc670659c

SHA1
da0de9ea75b5aca4c3ef85db722ac7046ef899a4

SHA256
3420e517e04a8c090021af0bb2778e282b637b670da0e489e8b3d93e56d85ca3

SHA512
29600af835e975fe7d6d774c40e14fdbfc658c74722e2cd0874386a57b9dd753a25a799873d146bbad8628cf7b8a657c0687831f1a39f2599334dd163eab8720

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads