8be62f5445c27ddf6f28c68f524377fa1fd7801bca0dcea71bb7e5ed46336a94

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Size

216KB
MD5

09f7d941f77ab2ab067eab1fc0e08989
SHA1

39e8a2274029eac1867271872d1bfaa16eaf473c
SHA256

8be62f5445c27ddf6f28c68f524377fa1fd7801bca0dcea71bb7e5ed46336a94
SHA512

9740214327092df31da129d872a2c8945e534360f70c48d22d4feb359a0408d5e5c68700a10f524b2a546dfd57da151fbcec041073ce393a51d68bfeaa69a48d
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG/lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002324b-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e68a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023256-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e68a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e68a-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2592048B-5BAF-47d7-95EC-F271BE987113}\stubpath = "C:\\Windows\\{2592048B-5BAF-47d7-95EC-F271BE987113}.exe"	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B800FE-6AFD-4e02-937A-6E24FC578093}	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B800FE-6AFD-4e02-937A-6E24FC578093}\stubpath = "C:\\Windows\\{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe"	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}\stubpath = "C:\\Windows\\{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe"	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EA41148-55D9-4253-998D-7F26956565EB}	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}	{5EA41148-55D9-4253-998D-7F26956565EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}\stubpath = "C:\\Windows\\{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe"	{5EA41148-55D9-4253-998D-7F26956565EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82DE82A-1A77-411d-8EBE-F5C3698968EE}	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07DD4CFB-8936-4b78-AA54-E0DA9110A998}\stubpath = "C:\\Windows\\{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe"	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EA41148-55D9-4253-998D-7F26956565EB}\stubpath = "C:\\Windows\\{5EA41148-55D9-4253-998D-7F26956565EB}.exe"	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2592048B-5BAF-47d7-95EC-F271BE987113}	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12730446-251E-4a25-8F4A-7138FD2DE0D0}	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}\stubpath = "C:\\Windows\\{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe"	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12730446-251E-4a25-8F4A-7138FD2DE0D0}\stubpath = "C:\\Windows\\{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe"	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E3F393A-B1CB-4fa6-8C81-313989B9E134}	{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E3F393A-B1CB-4fa6-8C81-313989B9E134}\stubpath = "C:\\Windows\\{8E3F393A-B1CB-4fa6-8C81-313989B9E134}.exe"	{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07DD4CFB-8936-4b78-AA54-E0DA9110A998}	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}\stubpath = "C:\\Windows\\{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe"	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}\stubpath = "C:\\Windows\\{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe"	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82DE82A-1A77-411d-8EBE-F5C3698968EE}\stubpath = "C:\\Windows\\{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe"	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe

Executes dropped EXE 12 IoCs

pid	Process
3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe
1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe
1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe
1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe
436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe
4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe
3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe
3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe
232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe
1116	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe
1548	{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe
4272	{8E3F393A-B1CB-4fa6-8C81-313989B9E134}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8E3F393A-B1CB-4fa6-8C81-313989B9E134}.exe	{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe
File created	C:\Windows\{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe
File created	C:\Windows\{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe
File created	C:\Windows\{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe
File created	C:\Windows\{2592048B-5BAF-47d7-95EC-F271BE987113}.exe	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe
File created	C:\Windows\{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe
File created	C:\Windows\{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe
File created	C:\Windows\{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe
File created	C:\Windows\{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe
File created	C:\Windows\{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
File created	C:\Windows\{5EA41148-55D9-4253-998D-7F26956565EB}.exe	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe
File created	C:\Windows\{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe	{5EA41148-55D9-4253-998D-7F26956565EB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4604	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe
Token: SeIncBasePriorityPrivilege	1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe
Token: SeIncBasePriorityPrivilege	1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe
Token: SeIncBasePriorityPrivilege	1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe
Token: SeIncBasePriorityPrivilege	436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe
Token: SeIncBasePriorityPrivilege	4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe
Token: SeIncBasePriorityPrivilege	3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe
Token: SeIncBasePriorityPrivilege	3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe
Token: SeIncBasePriorityPrivilege	232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe
Token: SeIncBasePriorityPrivilege	1116	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe
Token: SeIncBasePriorityPrivilege	1548	{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 3916	4604	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	91
PID 4604 wrote to memory of 3916	4604	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	91
PID 4604 wrote to memory of 3916	4604	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	91
PID 4604 wrote to memory of 1524	4604	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	90
PID 4604 wrote to memory of 1524	4604	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	90
PID 4604 wrote to memory of 1524	4604	2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe	90
PID 3916 wrote to memory of 1636	3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe	93
PID 3916 wrote to memory of 1636	3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe	93
PID 3916 wrote to memory of 1636	3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe	93
PID 3916 wrote to memory of 832	3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe	92
PID 3916 wrote to memory of 832	3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe	92
PID 3916 wrote to memory of 832	3916	{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe	92
PID 1636 wrote to memory of 1068	1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe	95
PID 1636 wrote to memory of 1068	1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe	95
PID 1636 wrote to memory of 1068	1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe	95
PID 1636 wrote to memory of 2056	1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe	96
PID 1636 wrote to memory of 2056	1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe	96
PID 1636 wrote to memory of 2056	1636	{5EA41148-55D9-4253-998D-7F26956565EB}.exe	96
PID 1068 wrote to memory of 1800	1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe	97
PID 1068 wrote to memory of 1800	1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe	97
PID 1068 wrote to memory of 1800	1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe	97
PID 1068 wrote to memory of 4892	1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe	98
PID 1068 wrote to memory of 4892	1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe	98
PID 1068 wrote to memory of 4892	1068	{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe	98
PID 1800 wrote to memory of 436	1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe	99
PID 1800 wrote to memory of 436	1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe	99
PID 1800 wrote to memory of 436	1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe	99
PID 1800 wrote to memory of 1064	1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe	100
PID 1800 wrote to memory of 1064	1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe	100
PID 1800 wrote to memory of 1064	1800	{2592048B-5BAF-47d7-95EC-F271BE987113}.exe	100
PID 436 wrote to memory of 4852	436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe	101
PID 436 wrote to memory of 4852	436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe	101
PID 436 wrote to memory of 4852	436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe	101
PID 436 wrote to memory of 3304	436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe	102
PID 436 wrote to memory of 3304	436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe	102
PID 436 wrote to memory of 3304	436	{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe	102
PID 4852 wrote to memory of 3712	4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe	103
PID 4852 wrote to memory of 3712	4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe	103
PID 4852 wrote to memory of 3712	4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe	103
PID 4852 wrote to memory of 60	4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe	104
PID 4852 wrote to memory of 60	4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe	104
PID 4852 wrote to memory of 60	4852	{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe	104
PID 3712 wrote to memory of 3280	3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe	105
PID 3712 wrote to memory of 3280	3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe	105
PID 3712 wrote to memory of 3280	3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe	105
PID 3712 wrote to memory of 3468	3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe	106
PID 3712 wrote to memory of 3468	3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe	106
PID 3712 wrote to memory of 3468	3712	{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe	106
PID 3280 wrote to memory of 232	3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe	107
PID 3280 wrote to memory of 232	3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe	107
PID 3280 wrote to memory of 232	3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe	107
PID 3280 wrote to memory of 1568	3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe	108
PID 3280 wrote to memory of 1568	3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe	108
PID 3280 wrote to memory of 1568	3280	{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe	108
PID 232 wrote to memory of 1116	232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe	109
PID 232 wrote to memory of 1116	232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe	109
PID 232 wrote to memory of 1116	232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe	109
PID 232 wrote to memory of 4376	232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe	110
PID 232 wrote to memory of 4376	232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe	110
PID 232 wrote to memory of 4376	232	{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe	110
PID 1116 wrote to memory of 1548	1116	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe	111
PID 1116 wrote to memory of 1548	1116	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe	111
PID 1116 wrote to memory of 1548	1116	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe	111
PID 1116 wrote to memory of 3332	1116	{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_09f7d941f77ab2ab067eab1fc0e08989_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1524
- C:\Windows\{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe
  C:\Windows\{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{07DD4~1.EXE > nul
    3⤵
    PID:832
- - C:\Windows\{5EA41148-55D9-4253-998D-7F26956565EB}.exe
    C:\Windows\{5EA41148-55D9-4253-998D-7F26956565EB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe
      C:\Windows\{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\{2592048B-5BAF-47d7-95EC-F271BE987113}.exe
        
        C:\Windows\{2592048B-5BAF-47d7-95EC-F271BE987113}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe
        
        C:\Windows\{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe
        
        C:\Windows\{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe
        
        C:\Windows\{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe
        
        C:\Windows\{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe
        
        C:\Windows\{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe
        
        C:\Windows\{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe
        
        C:\Windows\{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\{8E3F393A-B1CB-4fa6-8C81-313989B9E134}.exe
        
        C:\Windows\{8E3F393A-B1CB-4fa6-8C81-313989B9E134}.exe
        13⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{622E1~1.EXE > nul
        13⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D06AE~1.EXE > nul
        12⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12730~1.EXE > nul
        11⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D82DE~1.EXE > nul
        10⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F73BB~1.EXE > nul
        9⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9931~1.EXE > nul
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63B80~1.EXE > nul
        7⤵
        
        PID:3304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25920~1.EXE > nul
        6⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA89C~1.EXE > nul
        5⤵
        
        PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5EA41~1.EXE > nul
      4⤵
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07DD4CFB-8936-4b78-AA54-E0DA9110A998}.exe

Filesize
216KB

MD5
47a802129ab80861703911b58ccb94e6

SHA1
b441300a21c54e7efaadf05558b9d077cc3af947

SHA256
2a550c3235096bd4892e11b5b484ff26cc123e33e67fc63b655f3530dd812e7b

SHA512
08a61f4dda8ff8f3b90613602f56ebaac1c7e082276a1fd76c7f7e69ba063494a3a41f9d430a6a29138959a948f6ae51cdf653a172769519d3dacb637646ea8e

Download Submit
C:\Windows\{12730446-251E-4a25-8F4A-7138FD2DE0D0}.exe

Filesize
216KB

MD5
7ff480a40e7391fa9f5297c6eabbcbbf

SHA1
80114760ca5ee48ac8d5fb3b35858a1eb788adf8

SHA256
efdf7d5b8363fb983e93f2601c15ff0ceb6e72290e72a47b76739233913f86a6

SHA512
5d2a09ee892bf94be8955850bf8c29bf07107b6e082e3a754aa0230feb176fdaa404300789f94d88bd375f3b0c48bd5fef6e6cb46f60bae1aca7a7b67767f053

Download Submit
C:\Windows\{2592048B-5BAF-47d7-95EC-F271BE987113}.exe

Filesize
216KB

MD5
440cb2091dfe96298f57fccc4ef10f38

SHA1
4bd7ff711fae32a89de778b4352350342ed0bd5a

SHA256
0edfc7aa04309889ada72e3534c2f578e5ce76a06546431978922308880d0d90

SHA512
909dfa3652a27dce4b387680d093740613b26ee6b6959ef3cb50ec9014e51f05eb0f08e6fe87a5249fa9c4baac54f519c80232119b03755fdc2d814f164a4308

Download Submit
C:\Windows\{5EA41148-55D9-4253-998D-7F26956565EB}.exe

Filesize
216KB

MD5
febca7e95bd6a003bd78bf3739fe1600

SHA1
6cbb67d9d8a2abea574b53f11831ce2707e7d429

SHA256
2ddd654ebfcc60c2fbd8c939ca61270cf373c745b5c9f20b437191a257dcc39a

SHA512
b2aab534055832b94a1cc1bcd70867e9acdca6ab5af8b4a86b3aa0ac4b04200d5456ded73c5db0ccd0f8ddd26802c291f4c426142f6432d72b6eb36abbc185b2

Download Submit
C:\Windows\{622E1C8D-2C9F-4bbf-B80D-B103FABCD486}.exe

Filesize
216KB

MD5
e1d21f3cd6a690e7813760494ade29db

SHA1
e3d6d50418f643db6beb30507986124b31cc930d

SHA256
79b2d188b4cf926231e2b5adb33e8b2614e482749c3b18330096d37ef0439247

SHA512
f1f67cb5ae6d92cb8f3c0b4a4a5c0ea4006cdd5f296981d91f2406b28eee6dc901297e189d06a7302c130379534c662a0225b935cd3a78bae35694a1bba9e3c6

Download Submit
C:\Windows\{63B800FE-6AFD-4e02-937A-6E24FC578093}.exe

Filesize
216KB

MD5
23d44accffee801c58f02a5493e84a3d

SHA1
37892b9d5391de40852ce012ac8ba19b94451892

SHA256
8d6e08691463203f68f1659ed775a362558b5d9459ec125ef8b888f5e95d6dc9

SHA512
8ddc0a4e00a7d96de81cff7b725fb65b3bf93f568b9f5b7dfcba4ef15211e6572af7d59db170c00d46853ae64415f0d5d497e7b6f4c10e1c5b45722d2f68e514

Download Submit
C:\Windows\{8E3F393A-B1CB-4fa6-8C81-313989B9E134}.exe

Filesize
216KB

MD5
7071bfeca00759bf960f688b752e8a29

SHA1
7d77a85464d2c1b4d381e7bfc72f24b199ef0987

SHA256
c6e0cb0392b2985c3d149af3d819204e7b1945b4bbbcf20f3eae9b9b637c4a47

SHA512
a9581a3d35f748a5fb16daaacc5c11dcb0fb1c687db817068fbe78a78d01b9fa15fe8d3f97b750f511c8328c165b7b25801f959c5df449143bd672bc2bd0ed12

Download Submit
C:\Windows\{CA89C8D0-FF69-40e3-B5E7-D336C323BEC8}.exe

Filesize
216KB

MD5
7f49b3fa2c6397b1d64268c9a5799dfd

SHA1
89d97dd28015ac4bb8db3300d560e29253eb4bcc

SHA256
87a80e088f6f981014309d267f63fa1981b85835522cac8b4b6dda1d1dde3a45

SHA512
fab0f41feb365cf9121ca60250215359872146a0b86eee1bf324cfe02757febfc43e45164137c19d0bb79faf01a7ff804a46467d5d45f6289144d276c6362e4b

Download Submit
C:\Windows\{D06AEB19-BF1F-4845-980F-D9A8CFC2210D}.exe

Filesize
216KB

MD5
63c037ab713f1d391c55bfbeeb63ddf9

SHA1
c687ee909b43fcb830fd7772d3515298af3ebf5c

SHA256
3533c97071870e569327081c721f24c28e0c36f99ff5e6b73b5375df5028cf1b

SHA512
4383903efd3197a7ae620d4756051a1ac10c172a7d337216b8a859549024feb2eaff3dfc2946e9e40288a65c5cc9aacc85dd780d58f77586054e68256512ae5e

Download Submit
C:\Windows\{D82DE82A-1A77-411d-8EBE-F5C3698968EE}.exe

Filesize
216KB

MD5
87eaabb7769566501239628b28f0bb67

SHA1
15865fc883a4c1aa0f813617a8d2a1b823c1cb96

SHA256
d77f6b2a02f3c9770f3a0d41006f364e676022b23c4bc5562e5b36762c83351b

SHA512
5824e6ddd29d89bbd03ec0faa649a8eddc450b4834c694e2b9efd2f0e2ee1a7a9ed0cfaad720112929db072fa5bfb450133927fd45a3da9ccedbf56eeb70becb

Download Submit
C:\Windows\{E99319BF-AE5D-439c-BDCA-391E2E0DAB6A}.exe

Filesize
216KB

MD5
a392f7c4ae34552fcb749edde2a31f80

SHA1
666f4187bc264aaf0f694282a42ac73aa88f4c63

SHA256
a2ff1819c73181c7fd3509e65ccd7aad0b3313ce0edf4b84009c998778016c92

SHA512
c824b9d08e75815b214c8a836bb09ddc8d6197189756de9dbdc3adc97d1077a92248a920b6f0f1dc0eaabc8e455445d6d5b058eee46ef8460947cdc0116e06f9

Download Submit
C:\Windows\{F73BB7A7-EE3F-45ab-9FC0-0EC56CAE4C41}.exe

Filesize
216KB

MD5
0607b381a17e903efa50e699e6b38acc

SHA1
eaed8fc1de47921b8890051860b522a055e2c39a

SHA256
8e51d1a212f674c50a9c0a035b47ac644de84c8f217d207337994a81af887dad

SHA512
e0760756e048cdc3db533e8d4bd6934f1a41c36ea5accf2682635e6304a3c7593f262e9117e8d97e01a258ecdeb922695db3f828308a21563db03c4b073c6ea7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads