9f45b969c0cf639c63420fc32dd732ef2234281b7e716b1d69edd3f33d213bb4

Analysis

max time kernel
162s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Size

380KB
MD5

6a9af0b6e639d9980880308b947e7d8f
SHA1

b2daa996d4643c047d99bfa7b24702d5eae2767b
SHA256

9f45b969c0cf639c63420fc32dd732ef2234281b7e716b1d69edd3f33d213bb4
SHA512

c288bfd66784c26c04186f2a1f3be24796bfa52493031aff6ea59fd23f2bd3af8da62d30b7599e9334e8370377b2e04baa320338db05d36da47349ee88b0b196
SSDEEP

3072:mEGh0oIlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGOl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023245-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002324a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002324e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002324a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e760-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002324a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e760-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002324a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e760-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002324a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e760-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002324a-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47CD645A-D79B-4a92-B44B-4B06362228DF}	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{104F4DCD-8D5B-4899-B43C-65359BE6E977}	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}\stubpath = "C:\\Windows\\{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe"	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453796C1-1476-4261-8E0A-A806CF13EA71}	{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D32A66DE-1CE6-42df-B11A-157B9D52202B}	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81CC9984-D239-4003-B847-C81DA534F0B8}	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81CC9984-D239-4003-B847-C81DA534F0B8}\stubpath = "C:\\Windows\\{81CC9984-D239-4003-B847-C81DA534F0B8}.exe"	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}\stubpath = "C:\\Windows\\{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe"	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FAE959D-B7CC-4aad-B777-0D9E371A8802}	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3CDD7D7-8928-43b0-A9FA-976037F99136}	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B01A7A5-12D7-4d10-910C-CAC400879EBA}	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453796C1-1476-4261-8E0A-A806CF13EA71}\stubpath = "C:\\Windows\\{453796C1-1476-4261-8E0A-A806CF13EA71}.exe"	{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E231B6-72C4-46e9-A588-8755A8CF668F}	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D32A66DE-1CE6-42df-B11A-157B9D52202B}\stubpath = "C:\\Windows\\{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe"	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3CDD7D7-8928-43b0-A9FA-976037F99136}\stubpath = "C:\\Windows\\{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe"	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B01A7A5-12D7-4d10-910C-CAC400879EBA}\stubpath = "C:\\Windows\\{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe"	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47CD645A-D79B-4a92-B44B-4B06362228DF}\stubpath = "C:\\Windows\\{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe"	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E231B6-72C4-46e9-A588-8755A8CF668F}\stubpath = "C:\\Windows\\{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe"	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}\stubpath = "C:\\Windows\\{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe"	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{104F4DCD-8D5B-4899-B43C-65359BE6E977}\stubpath = "C:\\Windows\\{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe"	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FAE959D-B7CC-4aad-B777-0D9E371A8802}\stubpath = "C:\\Windows\\{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe"	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe

Executes dropped EXE 12 IoCs

pid	Process
860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe
2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe
4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe
1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe
2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe
4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe
3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe
4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe
228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe
4992	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe
1576	{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe
5096	{453796C1-1476-4261-8E0A-A806CF13EA71}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe
File created	C:\Windows\{453796C1-1476-4261-8E0A-A806CF13EA71}.exe	{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe
File created	C:\Windows\{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe
File created	C:\Windows\{81CC9984-D239-4003-B847-C81DA534F0B8}.exe	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe
File created	C:\Windows\{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe
File created	C:\Windows\{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe
File created	C:\Windows\{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe
File created	C:\Windows\{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
File created	C:\Windows\{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe
File created	C:\Windows\{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe
File created	C:\Windows\{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe
File created	C:\Windows\{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4908	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe
Token: SeIncBasePriorityPrivilege	2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe
Token: SeIncBasePriorityPrivilege	4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe
Token: SeIncBasePriorityPrivilege	1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe
Token: SeIncBasePriorityPrivilege	2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe
Token: SeIncBasePriorityPrivilege	4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe
Token: SeIncBasePriorityPrivilege	3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe
Token: SeIncBasePriorityPrivilege	4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe
Token: SeIncBasePriorityPrivilege	228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe
Token: SeIncBasePriorityPrivilege	4992	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe
Token: SeIncBasePriorityPrivilege	1576	{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 860	4908	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	89
PID 4908 wrote to memory of 860	4908	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	89
PID 4908 wrote to memory of 860	4908	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	89
PID 4908 wrote to memory of 2952	4908	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	90
PID 4908 wrote to memory of 2952	4908	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	90
PID 4908 wrote to memory of 2952	4908	2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe	90
PID 860 wrote to memory of 2660	860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe	94
PID 860 wrote to memory of 2660	860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe	94
PID 860 wrote to memory of 2660	860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe	94
PID 860 wrote to memory of 4144	860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe	95
PID 860 wrote to memory of 4144	860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe	95
PID 860 wrote to memory of 4144	860	{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe	95
PID 2660 wrote to memory of 4652	2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe	96
PID 2660 wrote to memory of 4652	2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe	96
PID 2660 wrote to memory of 4652	2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe	96
PID 2660 wrote to memory of 2876	2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe	97
PID 2660 wrote to memory of 2876	2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe	97
PID 2660 wrote to memory of 2876	2660	{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe	97
PID 4652 wrote to memory of 1452	4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe	98
PID 4652 wrote to memory of 1452	4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe	98
PID 4652 wrote to memory of 1452	4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe	98
PID 4652 wrote to memory of 1040	4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe	99
PID 4652 wrote to memory of 1040	4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe	99
PID 4652 wrote to memory of 1040	4652	{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe	99
PID 1452 wrote to memory of 2412	1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe	102
PID 1452 wrote to memory of 2412	1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe	102
PID 1452 wrote to memory of 2412	1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe	102
PID 1452 wrote to memory of 2080	1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe	103
PID 1452 wrote to memory of 2080	1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe	103
PID 1452 wrote to memory of 2080	1452	{81CC9984-D239-4003-B847-C81DA534F0B8}.exe	103
PID 2412 wrote to memory of 4892	2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe	104
PID 2412 wrote to memory of 4892	2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe	104
PID 2412 wrote to memory of 4892	2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe	104
PID 2412 wrote to memory of 3892	2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe	105
PID 2412 wrote to memory of 3892	2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe	105
PID 2412 wrote to memory of 3892	2412	{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe	105
PID 4892 wrote to memory of 3160	4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe	106
PID 4892 wrote to memory of 3160	4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe	106
PID 4892 wrote to memory of 3160	4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe	106
PID 4892 wrote to memory of 2576	4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe	107
PID 4892 wrote to memory of 2576	4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe	107
PID 4892 wrote to memory of 2576	4892	{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe	107
PID 3160 wrote to memory of 4296	3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe	108
PID 3160 wrote to memory of 4296	3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe	108
PID 3160 wrote to memory of 4296	3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe	108
PID 3160 wrote to memory of 4292	3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe	109
PID 3160 wrote to memory of 4292	3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe	109
PID 3160 wrote to memory of 4292	3160	{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe	109
PID 4296 wrote to memory of 228	4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe	110
PID 4296 wrote to memory of 228	4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe	110
PID 4296 wrote to memory of 228	4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe	110
PID 4296 wrote to memory of 4868	4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe	111
PID 4296 wrote to memory of 4868	4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe	111
PID 4296 wrote to memory of 4868	4296	{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe	111
PID 228 wrote to memory of 4992	228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe	112
PID 228 wrote to memory of 4992	228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe	112
PID 228 wrote to memory of 4992	228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe	112
PID 228 wrote to memory of 464	228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe	113
PID 228 wrote to memory of 464	228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe	113
PID 228 wrote to memory of 464	228	{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe	113
PID 4992 wrote to memory of 1576	4992	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe	114
PID 4992 wrote to memory of 1576	4992	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe	114
PID 4992 wrote to memory of 1576	4992	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe	114
PID 4992 wrote to memory of 4524	4992	{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_6a9af0b6e639d9980880308b947e7d8f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe
  C:\Windows\{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe
    C:\Windows\{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe
      C:\Windows\{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\{81CC9984-D239-4003-B847-C81DA534F0B8}.exe
        
        C:\Windows\{81CC9984-D239-4003-B847-C81DA534F0B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe
        
        C:\Windows\{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe
        
        C:\Windows\{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe
        
        C:\Windows\{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe
        
        C:\Windows\{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe
        
        C:\Windows\{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe
        
        C:\Windows\{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe
        
        C:\Windows\{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\{453796C1-1476-4261-8E0A-A806CF13EA71}.exe
        
        C:\Windows\{453796C1-1476-4261-8E0A-A806CF13EA71}.exe
        13⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B01A~1.EXE > nul
        13⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CDD~1.EXE > nul
        12⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FAE9~1.EXE > nul
        11⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA28F~1.EXE > nul
        10⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B49~1.EXE > nul
        9⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{104F4~1.EXE > nul
        8⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BDB1~1.EXE > nul
        7⤵
        
        PID:3892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81CC9~1.EXE > nul
        6⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D32A6~1.EXE > nul
        5⤵
        
        PID:1040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97E23~1.EXE > nul
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{47CD6~1.EXE > nul
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FAE959D-B7CC-4aad-B777-0D9E371A8802}.exe

Filesize
380KB

MD5
bf8e84b0f0a7f45a65d9e074e9ee3d2b

SHA1
dfe0d4631a814bdb7d57606f08da726c79bbf152

SHA256
9c557b58bd2817b026d1be751cc584eb1772f57fea9127445e6a61c787a371ca

SHA512
3e9c92749871e44b55e7bdfc4f8cb29b8ed6d453615022bf389e6dc2ed75621cf1e327b48b964132475c5799b7a17af832dd2e0f12d83b163a9ecda27eaa3e5a

Download Submit
C:\Windows\{104F4DCD-8D5B-4899-B43C-65359BE6E977}.exe

Filesize
380KB

MD5
90c3dea12b66f52595c75a4c557fae5d

SHA1
5179b515830265b0d4dbfc27161736ffebc3cc0f

SHA256
f77a9b3c9b379a346df9f9f5ec07200f873e948eba42a4737f4c4a4f02e0e7ee

SHA512
858076afe889984dab008800fbc275f77921b1ca23995aacd015b85953ab4a506a8a0bfed064fe83ef3cb13adc9d15038d8a0e49ea3ca9073c77c32ffd234963

Download Submit
C:\Windows\{3BDB1564-7B9A-42eb-B41E-4EC17B97CE15}.exe

Filesize
380KB

MD5
c59b279a01859d3ae16c7d46cc9c6aff

SHA1
a380b3dc026e3610cf5c18a86f1abd67bee78522

SHA256
228d04e1f8d7020601a1559e6f6903e02c3e22f094add9dd8692cabc9527dd96

SHA512
b25d6f478200aa35058c912d041e15120324128687934192fe5fc86ffdf26c4cdd6646b6bd2f9f6ec0e01b4ebebb64267bd4e03c76d38c4403804b568624ac30

Download Submit
C:\Windows\{453796C1-1476-4261-8E0A-A806CF13EA71}.exe

Filesize
380KB

MD5
9c44a0ad71a2213c50180873ed26d67b

SHA1
2ca9133521118b67d16e31fbd9a8a997e715d241

SHA256
21ef717573e75905aa495812f725e2c6b316b4a5ca193b4ebcce49bb320a95f9

SHA512
e6829dd2e822a519d7d0658d03ab802c8b080906f41453b1a7e3bba70232a524b2c74e176e29e1f08a9b6e1ff0fccc98dedbf2c9043981dcb10adf6bd9fa8c60

Download Submit
C:\Windows\{47CD645A-D79B-4a92-B44B-4B06362228DF}.exe

Filesize
380KB

MD5
1f238ce674457e7867fa1c2b6bdd846b

SHA1
908b4060921525f9f7411acfd4e51e4e7df3c0fd

SHA256
be465f2f034ae5fe62be516a3f06b12a23baa6fa3e3a9e996e30f4e8844551df

SHA512
aea841ccf17eeea5919f49160c26cd29c98da778181709dc1d88991a44524475b052e96beb1b8bd1e6071a802860d22fd05b28c35cf199ec3dd52cbc26ff3328

Download Submit
C:\Windows\{81CC9984-D239-4003-B847-C81DA534F0B8}.exe

Filesize
380KB

MD5
61caa13cdab5579b1fecd7997bdf59c1

SHA1
91ca414081c2128c1964b34160ece14b8666a1e7

SHA256
db12d0bc7b8cb90b12c6e079780b4bce047266ae45a9f53276b489d68764b2ca

SHA512
91034c955a35be7da5adeb1be4f045b8bf0cbb80f8f47125b3b03d47d5b4ad05af9034c04082715e43faf8e18d9b0c4819c3438c169c627740a692c54bf0bed4

Download Submit
C:\Windows\{8B01A7A5-12D7-4d10-910C-CAC400879EBA}.exe

Filesize
380KB

MD5
60e737695fe88aeee8ce7d84664c8775

SHA1
e0e33731d78172b3fdd85ed08b9f054e11c1dda1

SHA256
7337417264eff61887d915eff268c20aa76c54e7bb53f563eb78aa3f2dd761e4

SHA512
b107314ce3cf72f371152abc6efaf37af9c266ba9e86c7530edab4d015053c86ece888a042e75e5d8c128876693e1bca64c00779b7e70bedd5b04a62152d09e1

Download Submit
C:\Windows\{97E231B6-72C4-46e9-A588-8755A8CF668F}.exe

Filesize
380KB

MD5
d04b88957b16e1a8114323727d2fae42

SHA1
cba45c9f55b5560cd3efeacadddfd6610f16faa4

SHA256
b85a8b6dc0716f8ecf941460371f5c8a08d51056187cd2ad172bd60e8430fb30

SHA512
73ed5162a240875f24dda3256bc38228827c2495bd9a0c8d309436da14d5e6bc0decb1e9a4801161e7ffaee597cc29d6e911b3827cd22b45b6964448fcb12182

Download Submit
C:\Windows\{D32A66DE-1CE6-42df-B11A-157B9D52202B}.exe

Filesize
380KB

MD5
9176270b7597a8271495374295b7be51

SHA1
7ad954a0d1cc062440477b4ae57d6ac61f4f8ca6

SHA256
df92b8653ad105576ceb0d9a2fd795f9e4109dbb18e94de518ec945f14438562

SHA512
4155cfbbdf989eeeca2329f1f4566c8375abb775a7f7528dfc3b9cb29f81a19ea1fc630164c8eb4aa764dab408c2dfd6bb649d17768b60677f028486fa853e03

Download Submit
C:\Windows\{D3CDD7D7-8928-43b0-A9FA-976037F99136}.exe

Filesize
380KB

MD5
4c8089043083357265991e5a56b4a405

SHA1
ba2cdda9c8f5b8f72cf37f44d8cbca9540f539fd

SHA256
73c462ae2d6be663b61c406f17e0112224ea129a31f4444c36033af52df3e55c

SHA512
c991ba3066e9816b9f207a1fc9f7fc7bbf7c7d2fc9e0a86ce82162e60dcf4f3f19325c6eafa3225309b2a06543708f643a859284bc0f7751adb9caf8eed4517a

Download Submit
C:\Windows\{E5B491F0-9BB3-4771-9ACF-AAB18F2D54D2}.exe

Filesize
380KB

MD5
f66a601015fcd38397524ee0d37fe880

SHA1
3c2558d840fd119fa0b05e7a83713b6a767fa63f

SHA256
04231ffc8b493e811e4b07619eb21fd3599a2fbd9b683c24038ec7a81d6d34f2

SHA512
bd3ae6ca92c7517ab1102346bd85a4fd0324b215cf96cf6d1d3661a81d1ded95f163b73319d1d387bfce3fc4f6c535b9c451d9905cffd9ed323dc57b98fb7122

Download Submit
C:\Windows\{EA28F2F2-F0FE-4fa7-BFE1-FF97C35FCBC0}.exe

Filesize
380KB

MD5
62fc37c2fed28edc841e72e02a61a79f

SHA1
98147aa82c101c841ab1489627c5c74dcf47e657

SHA256
3970e8b1cb8dabe6755120e04afcc8f71c10f37e5305467b921c66ec9b450349

SHA512
1ddb1f2f3c085a2f6fa0c53cc59caa21b79346a95c18b6621d9074f906906ed01b32dc603a8c8f0c29b941a31a8a6afebf272953213cea7f246e687f6642608a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads