66ef52467495a8042844dccfdaefabb7d3c690c3f29b3ec29a2c292ed766e874

Resubmissions

21/02/2024, 11:43

240221-nvrlysef4x 8

21/02/2024, 11:40

240221-nsy81sfb53 10

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe
Size

372KB
MD5

9bf351853b70dc260a5baac08d6fbaeb
SHA1

77430875bf961ab9e1f0c81892476b2164df5287
SHA256

66ef52467495a8042844dccfdaefabb7d3c690c3f29b3ec29a2c292ed766e874
SHA512

d56c700b6424a44b49ec7dad44dfef639c89a6ffc828b2cf9e214ea43184997cdd3a826ad4045b0ceae4deacd1cb8180c6b9441a04800b80d090c41a17f0ed52
SSDEEP

3072:CEGh0oVmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGKl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023136-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002313b-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023019-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023019-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021876-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79F0AD67-34B7-4647-936F-F4775F924EED}\stubpath = "C:\\Windows\\{79F0AD67-34B7-4647-936F-F4775F924EED}.exe"	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D22EAA-D2C3-4a74-B702-875735F646CE}	{9960975F-2350-4216-963C-23CA5C270CE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E00468F-089B-4bad-B0D5-4992CFE19066}	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64613905-0A26-4ee3-852D-C9165CC9384D}	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}\stubpath = "C:\\Windows\\{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe"	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B712741-73D6-48b4-BBE2-DEA212DB48FF}	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8126A41E-28BD-41d5-8C4A-2A56677FD755}	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9960975F-2350-4216-963C-23CA5C270CE0}	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D22EAA-D2C3-4a74-B702-875735F646CE}\stubpath = "C:\\Windows\\{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe"	{9960975F-2350-4216-963C-23CA5C270CE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E00468F-089B-4bad-B0D5-4992CFE19066}\stubpath = "C:\\Windows\\{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe"	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CA20BEB-537A-442d-9481-CFDDEFD11D50}	{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}\stubpath = "C:\\Windows\\{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe"	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79F0AD67-34B7-4647-936F-F4775F924EED}	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CA20BEB-537A-442d-9481-CFDDEFD11D50}\stubpath = "C:\\Windows\\{5CA20BEB-537A-442d-9481-CFDDEFD11D50}.exe"	{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64613905-0A26-4ee3-852D-C9165CC9384D}\stubpath = "C:\\Windows\\{64613905-0A26-4ee3-852D-C9165CC9384D}.exe"	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}\stubpath = "C:\\Windows\\{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe"	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B712741-73D6-48b4-BBE2-DEA212DB48FF}\stubpath = "C:\\Windows\\{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe"	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8126A41E-28BD-41d5-8C4A-2A56677FD755}\stubpath = "C:\\Windows\\{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe"	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}\stubpath = "C:\\Windows\\{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe"	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9960975F-2350-4216-963C-23CA5C270CE0}\stubpath = "C:\\Windows\\{9960975F-2350-4216-963C-23CA5C270CE0}.exe"	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe

Executes dropped EXE 12 IoCs

pid	Process
4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe
1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe
1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe
500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe
2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe
4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe
2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe
1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe
4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe
1324	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe
2348	{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe
2812	{5CA20BEB-537A-442d-9481-CFDDEFD11D50}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe
File created	C:\Windows\{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe
File created	C:\Windows\{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe
File created	C:\Windows\{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe
File created	C:\Windows\{79F0AD67-34B7-4647-936F-F4775F924EED}.exe	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe
File created	C:\Windows\{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe	{9960975F-2350-4216-963C-23CA5C270CE0}.exe
File created	C:\Windows\{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe
File created	C:\Windows\{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe
File created	C:\Windows\{9960975F-2350-4216-963C-23CA5C270CE0}.exe	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe
File created	C:\Windows\{64613905-0A26-4ee3-852D-C9165CC9384D}.exe	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe
File created	C:\Windows\{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe
File created	C:\Windows\{5CA20BEB-537A-442d-9481-CFDDEFD11D50}.exe	{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3412	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe
Token: SeIncBasePriorityPrivilege	1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe
Token: SeIncBasePriorityPrivilege	1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe
Token: SeIncBasePriorityPrivilege	500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe
Token: SeIncBasePriorityPrivilege	2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe
Token: SeIncBasePriorityPrivilege	4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe
Token: SeIncBasePriorityPrivilege	2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe
Token: SeIncBasePriorityPrivilege	1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe
Token: SeIncBasePriorityPrivilege	4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe
Token: SeIncBasePriorityPrivilege	1324	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe
Token: SeIncBasePriorityPrivilege	2348	{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4484	3412	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe	84
PID 3412 wrote to memory of 4484	3412	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe	84
PID 3412 wrote to memory of 4484	3412	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe	84
PID 3412 wrote to memory of 4928	3412	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe	85
PID 3412 wrote to memory of 4928	3412	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe	85
PID 3412 wrote to memory of 4928	3412	2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe	85
PID 4484 wrote to memory of 1612	4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe	91
PID 4484 wrote to memory of 1612	4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe	91
PID 4484 wrote to memory of 1612	4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe	91
PID 4484 wrote to memory of 2344	4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe	92
PID 4484 wrote to memory of 2344	4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe	92
PID 4484 wrote to memory of 2344	4484	{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe	92
PID 1612 wrote to memory of 1076	1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe	97
PID 1612 wrote to memory of 1076	1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe	97
PID 1612 wrote to memory of 1076	1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe	97
PID 1612 wrote to memory of 888	1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe	96
PID 1612 wrote to memory of 888	1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe	96
PID 1612 wrote to memory of 888	1612	{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe	96
PID 1076 wrote to memory of 500	1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe	98
PID 1076 wrote to memory of 500	1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe	98
PID 1076 wrote to memory of 500	1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe	98
PID 1076 wrote to memory of 4284	1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe	99
PID 1076 wrote to memory of 4284	1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe	99
PID 1076 wrote to memory of 4284	1076	{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe	99
PID 500 wrote to memory of 2168	500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe	100
PID 500 wrote to memory of 2168	500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe	100
PID 500 wrote to memory of 2168	500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe	100
PID 500 wrote to memory of 4048	500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe	101
PID 500 wrote to memory of 4048	500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe	101
PID 500 wrote to memory of 4048	500	{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe	101
PID 2168 wrote to memory of 4160	2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe	102
PID 2168 wrote to memory of 4160	2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe	102
PID 2168 wrote to memory of 4160	2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe	102
PID 2168 wrote to memory of 556	2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe	103
PID 2168 wrote to memory of 556	2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe	103
PID 2168 wrote to memory of 556	2168	{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe	103
PID 4160 wrote to memory of 2156	4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe	104
PID 4160 wrote to memory of 2156	4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe	104
PID 4160 wrote to memory of 2156	4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe	104
PID 4160 wrote to memory of 1732	4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe	105
PID 4160 wrote to memory of 1732	4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe	105
PID 4160 wrote to memory of 1732	4160	{79F0AD67-34B7-4647-936F-F4775F924EED}.exe	105
PID 2156 wrote to memory of 1868	2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe	106
PID 2156 wrote to memory of 1868	2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe	106
PID 2156 wrote to memory of 1868	2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe	106
PID 2156 wrote to memory of 3032	2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe	107
PID 2156 wrote to memory of 3032	2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe	107
PID 2156 wrote to memory of 3032	2156	{9960975F-2350-4216-963C-23CA5C270CE0}.exe	107
PID 1868 wrote to memory of 4232	1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe	108
PID 1868 wrote to memory of 4232	1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe	108
PID 1868 wrote to memory of 4232	1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe	108
PID 1868 wrote to memory of 5040	1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe	109
PID 1868 wrote to memory of 5040	1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe	109
PID 1868 wrote to memory of 5040	1868	{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe	109
PID 4232 wrote to memory of 1324	4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe	110
PID 4232 wrote to memory of 1324	4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe	110
PID 4232 wrote to memory of 1324	4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe	110
PID 4232 wrote to memory of 4620	4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe	111
PID 4232 wrote to memory of 4620	4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe	111
PID 4232 wrote to memory of 4620	4232	{64613905-0A26-4ee3-852D-C9165CC9384D}.exe	111
PID 1324 wrote to memory of 2348	1324	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe	113
PID 1324 wrote to memory of 2348	1324	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe	113
PID 1324 wrote to memory of 2348	1324	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe	113
PID 1324 wrote to memory of 4108	1324	{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe
  C:\Windows\{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe
    C:\Windows\{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B712~1.EXE > nul
      4⤵
      PID:888
  - - C:\Windows\{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe
      C:\Windows\{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe
        
        C:\Windows\{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:500
      - C:\Windows\{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe
        
        C:\Windows\{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{79F0AD67-34B7-4647-936F-F4775F924EED}.exe
        
        C:\Windows\{79F0AD67-34B7-4647-936F-F4775F924EED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\{9960975F-2350-4216-963C-23CA5C270CE0}.exe
        
        C:\Windows\{9960975F-2350-4216-963C-23CA5C270CE0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe
        
        C:\Windows\{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{64613905-0A26-4ee3-852D-C9165CC9384D}.exe
        
        C:\Windows\{64613905-0A26-4ee3-852D-C9165CC9384D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe
        
        C:\Windows\{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E004~1.EXE > nul
        12⤵
        
        PID:4108
        
        C:\Windows\{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe
        
        C:\Windows\{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{5CA20BEB-537A-442d-9481-CFDDEFD11D50}.exe
        
        C:\Windows\{5CA20BEB-537A-442d-9481-CFDDEFD11D50}.exe
        13⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD03~1.EXE > nul
        13⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64613~1.EXE > nul
        11⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24D22~1.EXE > nul
        10⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99609~1.EXE > nul
        9⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F0A~1.EXE > nul
        8⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3749A~1.EXE > nul
        7⤵
        
        PID:556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9008B~1.EXE > nul
        6⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8126A~1.EXE > nul
        5⤵
        
        PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B7CE~1.EXE > nul
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24D22EAA-D2C3-4a74-B702-875735F646CE}.exe

Filesize
372KB

MD5
2a97ed25d615131d7ce4d8f78890e3ee

SHA1
826f156b4ce9474a61cd251a0d65364c33e04962

SHA256
2aaf1397ab0a32c2408ffa49f82836e37b956b730ffa58adecc893960f6fb252

SHA512
7a3818f6c4aef5d5f31d4ff4d2a692d0ccd6cc3c3718b126eb339b3fd0ac3e2e3fff7d33a60e33d8f4e1b2542c72872b3f42e4a51f9d40b2fe15ea1c32b624f3

Download Submit
C:\Windows\{3749ACC9-AD28-4bcd-9A7A-E1B99D41BD6E}.exe

Filesize
372KB

MD5
c7eda68242d8f7ad883b38b6ea2cb373

SHA1
6833a81d26aead696343c44ff36bb7259386a227

SHA256
7891e392772e283625628943aece952a492388dba06672ac95c46741cb206fcd

SHA512
6124b7be0189f6f65d3ea2f57226322830ee0aad502975b09c219336f55890e709668b8cc2b2f2d7027b69ae7edb394b81a8e15aa412ceea745e030370010331

Download Submit
C:\Windows\{4B712741-73D6-48b4-BBE2-DEA212DB48FF}.exe

Filesize
372KB

MD5
ccd21a2282d2e740da418def5e9b763c

SHA1
d1632a77797fd8fb1f31f01d34589dd2d0d4f929

SHA256
f8409021a2f3b6206b3f651b05f67c42755fbd3a1556e89cb2398952bce4f278

SHA512
1e1c4e19b8b9a2bb8d026ec6c982f87827b58afaf67ea67815505e0a3a5955c67e57e33d92f81d7e7630dd4ae04f4af697ee248775b16b714e68e472bd6ffe22

Download Submit
C:\Windows\{5CA20BEB-537A-442d-9481-CFDDEFD11D50}.exe

Filesize
372KB

MD5
5b0dff5a5b80fb6d02e33802e97120e4

SHA1
2f63fa9e27a3c06e8e71ce6c6ef502f7fa6d10f7

SHA256
7cb18e5536b5d56b5df9e373a25f033114f588a245f86c3e21188b5ed69f9791

SHA512
da0a52948632f57f6415db52bda6e2d159f36cb26fdf453a9cba5a657a81fb3eb1b3b528f81065442fbf0c37db05973a4ebb71f3b1fcd0114e3835c37e139df9

Download Submit
C:\Windows\{64613905-0A26-4ee3-852D-C9165CC9384D}.exe

Filesize
372KB

MD5
d3bf470e48b5fa53ca68d233331d7244

SHA1
5529b8657496fdb2329a5b169b33a6e50bd864fb

SHA256
e01002363776760015ded7cf31b234446c9816d624c65eccc98fe70e05e4a476

SHA512
d44e5a0397c9b6f43ada58b469df1996d93f90a36f0990a561113b5f85facc2ab9338b76b13c7b34be62c7eff3fd61975ad698f4e8a5f4cf5c06afc6cd032662

Download Submit
C:\Windows\{79F0AD67-34B7-4647-936F-F4775F924EED}.exe

Filesize
372KB

MD5
3c0a097616a4efe8759b658634db96b7

SHA1
c0cd92ec06b57652a1bd3345a2346ee2a1f6c9e0

SHA256
28a0f1d1811f6c8a7f20e0655809eff7e7f17d7f1c53c5fb5528c1832e1d8d4f

SHA512
ecf5e6ec8b5bf2555b8645a4cc141fe00c633e563edc161175826ae5d7c64fdef30096458802457fd442b0e0bab685f4e9dd0c169db42562953147a9fe71661d

Download Submit
C:\Windows\{7E00468F-089B-4bad-B0D5-4992CFE19066}.exe

Filesize
372KB

MD5
a5faf457bbb2113423ddda28cf3c3dfa

SHA1
a56a2a5fb4e6561b03abba864031bcfab967b24e

SHA256
0f79abc0c05007e85e3a8c4415f4fe0b20cdcf1ac3d67ca2156a9f286e3060c4

SHA512
170881438c013b9e39498c4738d01cb8a6c4626d10fe6f36bb2331586666a9ce2f3e98c6f1f0ef84c202e0b70572f86150b5313d19be976624c44a2e08be0b75

Download Submit
C:\Windows\{8126A41E-28BD-41d5-8C4A-2A56677FD755}.exe

Filesize
372KB

MD5
4226e7ff8c0750363eab50f75e1f3d89

SHA1
6e2c50567206bd1258f840e0d6992e0146dfc7c2

SHA256
efd286298588d50bf359fec2fb13f8ba2f9a6dc12e6b880a2e9d806a91cf5b5e

SHA512
c487c64e8eb551431e1a8a2b9c91d726a8c4be6623a00dff2dd11722450fbe1499e44b083b0875d0bde4ab1d070934b372853763f25e0abe70b51ec90f4a0587

Download Submit
C:\Windows\{9008BAD3-6E82-4ec3-A04A-F2C0469DA29C}.exe

Filesize
372KB

MD5
1651b9b4f533883d00173f5f655c2510

SHA1
c3783e134c71a83a179d85965a715e2b1644e14c

SHA256
a5565a012568929e52c9d2fe5c4c7b58094f4b4e49d0bfbe629d7d7f5a98460d

SHA512
cd3371183d907813776f96cdb293627bc0c5ac89fd7123cd73b44c67c680f5c7f45110fc2d18b1d1d775aa630ae818710148b4263c0813b9bd3edc4eaee6f675

Download Submit
C:\Windows\{9960975F-2350-4216-963C-23CA5C270CE0}.exe

Filesize
372KB

MD5
7c88b3be64682d408e3adb8f5ad168ed

SHA1
e2c6d1fb2d176312492e1b01eea7ffbdd225f705

SHA256
4a02b500caaab53c963c0306b45b4b527cfdbf03e8a8b88b864afaa892dc959d

SHA512
5150bec9d1acea1245907cd15b5df0ac23bfe093fba74e9174649c6cd32178d638fc9fa70ddb783d687ad07733548a48979d48f49ec8f3691fafe63cf8124570

Download Submit
C:\Windows\{9B7CEF6A-6B1C-4306-BFC1-3CEC651263EB}.exe

Filesize
372KB

MD5
3060ca0b35eb39560a6054f569533668

SHA1
72f8f63632e172232c2db6841d2845d7203cb69e

SHA256
b45827f6e0ff38aa5348c7f0114719d87a8933cbcbfea94657e499e6b2726e87

SHA512
43cdf1951f4044d6d5b6d26ffb3ecd2778c304b86668cfeae95aba6106486f6b8a77894085e44836d7329ff83a9d6a071e02c4d10181e875d60507e3484ef41e

Download Submit
C:\Windows\{ADD036E1-EEC1-4baf-9C2B-14948738FEEF}.exe

Filesize
372KB

MD5
62fcf65a24f9c202b242dfb309c54169

SHA1
edaa8bc8cc7d03c2ddacd8e8effb38e5aac78597

SHA256
df07464522b3bc504704b9cb3818146260af513d40cad0ca2562a3c0046e9804

SHA512
adc4ab995e2cb5e3b8fc00b5b263a6848fd931c73143f4fad1800c96cee8d0a058e6a909a16c7eb1e8cac5c7c96790b03e1463aec06d6759dd227131dee8bda3

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads