bbc539793be4e1582d5d4d4e14be6d68932757b3b5443bbf458b84f0488a4318

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe
Size

408KB
MD5

0eb16378709e5ae6a1e29f6d633357f0
SHA1

794a24fbeb3b198468ee911454be19ee0630226e
SHA256

bbc539793be4e1582d5d4d4e14be6d68932757b3b5443bbf458b84f0488a4318
SHA512

3aa86ebef3ec96a0727613dca669db8bd28b9831169a2f643c43555ea90714b6f85e561c1418e95004db57139dde293b258b2955ccaebe76ef3e86a6050b100a
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023207-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023208-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023207-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023208-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023207-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023208-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023207-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023208-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023207-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023208-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023207-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023208-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C44D2C-C72D-41f3-867C-C3B1FAEED098}\stubpath = "C:\\Windows\\{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe"	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}\stubpath = "C:\\Windows\\{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe"	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26143077-3A77-4de3-AE41-1169CD8F3016}	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26143077-3A77-4de3-AE41-1169CD8F3016}\stubpath = "C:\\Windows\\{26143077-3A77-4de3-AE41-1169CD8F3016}.exe"	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}\stubpath = "C:\\Windows\\{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe"	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00502C74-6E22-4537-BEB2-561BE45D84CA}	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73892806-B3DC-4838-AAED-D34E261CF35D}\stubpath = "C:\\Windows\\{73892806-B3DC-4838-AAED-D34E261CF35D}.exe"	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C44D2C-C72D-41f3-867C-C3B1FAEED098}	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F67F9F9-5925-445e-941C-B7CCAC6463BE}	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73892806-B3DC-4838-AAED-D34E261CF35D}	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71882C87-1B22-4758-BD4D-2EAC781940E3}\stubpath = "C:\\Windows\\{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe"	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D92C68-EB08-449a-ABF7-A3E1C5623134}	{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA9D465-07F7-4a05-AE51-F3101B156B73}	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA9D465-07F7-4a05-AE51-F3101B156B73}\stubpath = "C:\\Windows\\{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe"	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D92C68-EB08-449a-ABF7-A3E1C5623134}\stubpath = "C:\\Windows\\{51D92C68-EB08-449a-ABF7-A3E1C5623134}.exe"	{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EAB07E0-59B0-4bb1-9691-A15125524DA0}	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EAB07E0-59B0-4bb1-9691-A15125524DA0}\stubpath = "C:\\Windows\\{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe"	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F67F9F9-5925-445e-941C-B7CCAC6463BE}\stubpath = "C:\\Windows\\{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe"	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00502C74-6E22-4537-BEB2-561BE45D84CA}\stubpath = "C:\\Windows\\{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe"	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}\stubpath = "C:\\Windows\\{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe"	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71882C87-1B22-4758-BD4D-2EAC781940E3}	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe

Executes dropped EXE 12 IoCs

pid	Process
812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe
5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe
3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe
4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe
1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe
4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe
1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe
3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe
4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe
2796	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe
4500	{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe
3456	{51D92C68-EB08-449a-ABF7-A3E1C5623134}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{26143077-3A77-4de3-AE41-1169CD8F3016}.exe	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe
File created	C:\Windows\{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe
File created	C:\Windows\{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe
File created	C:\Windows\{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe
File created	C:\Windows\{51D92C68-EB08-449a-ABF7-A3E1C5623134}.exe	{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe
File created	C:\Windows\{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe
File created	C:\Windows\{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe
File created	C:\Windows\{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe
File created	C:\Windows\{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe
File created	C:\Windows\{73892806-B3DC-4838-AAED-D34E261CF35D}.exe	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe
File created	C:\Windows\{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe
File created	C:\Windows\{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5052	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe
Token: SeIncBasePriorityPrivilege	5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe
Token: SeIncBasePriorityPrivilege	3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe
Token: SeIncBasePriorityPrivilege	4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe
Token: SeIncBasePriorityPrivilege	1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe
Token: SeIncBasePriorityPrivilege	4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe
Token: SeIncBasePriorityPrivilege	1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe
Token: SeIncBasePriorityPrivilege	3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe
Token: SeIncBasePriorityPrivilege	4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe
Token: SeIncBasePriorityPrivilege	2796	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe
Token: SeIncBasePriorityPrivilege	4500	{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 812	5052	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe	89
PID 5052 wrote to memory of 812	5052	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe	89
PID 5052 wrote to memory of 812	5052	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe	89
PID 5052 wrote to memory of 4952	5052	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe	90
PID 5052 wrote to memory of 4952	5052	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe	90
PID 5052 wrote to memory of 4952	5052	2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe	90
PID 812 wrote to memory of 5000	812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe	91
PID 812 wrote to memory of 5000	812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe	91
PID 812 wrote to memory of 5000	812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe	91
PID 812 wrote to memory of 1728	812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe	92
PID 812 wrote to memory of 1728	812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe	92
PID 812 wrote to memory of 1728	812	{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe	92
PID 5000 wrote to memory of 3840	5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe	94
PID 5000 wrote to memory of 3840	5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe	94
PID 5000 wrote to memory of 3840	5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe	94
PID 5000 wrote to memory of 2928	5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe	95
PID 5000 wrote to memory of 2928	5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe	95
PID 5000 wrote to memory of 2928	5000	{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe	95
PID 3840 wrote to memory of 4704	3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe	96
PID 3840 wrote to memory of 4704	3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe	96
PID 3840 wrote to memory of 4704	3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe	96
PID 3840 wrote to memory of 4732	3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe	97
PID 3840 wrote to memory of 4732	3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe	97
PID 3840 wrote to memory of 4732	3840	{26143077-3A77-4de3-AE41-1169CD8F3016}.exe	97
PID 4704 wrote to memory of 1668	4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe	99
PID 4704 wrote to memory of 1668	4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe	99
PID 4704 wrote to memory of 1668	4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe	99
PID 4704 wrote to memory of 1324	4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe	98
PID 4704 wrote to memory of 1324	4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe	98
PID 4704 wrote to memory of 1324	4704	{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe	98
PID 1668 wrote to memory of 4220	1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe	100
PID 1668 wrote to memory of 4220	1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe	100
PID 1668 wrote to memory of 4220	1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe	100
PID 1668 wrote to memory of 700	1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe	101
PID 1668 wrote to memory of 700	1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe	101
PID 1668 wrote to memory of 700	1668	{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe	101
PID 4220 wrote to memory of 1172	4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe	102
PID 4220 wrote to memory of 1172	4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe	102
PID 4220 wrote to memory of 1172	4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe	102
PID 4220 wrote to memory of 736	4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe	103
PID 4220 wrote to memory of 736	4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe	103
PID 4220 wrote to memory of 736	4220	{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe	103
PID 1172 wrote to memory of 3740	1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe	104
PID 1172 wrote to memory of 3740	1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe	104
PID 1172 wrote to memory of 3740	1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe	104
PID 1172 wrote to memory of 3136	1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe	105
PID 1172 wrote to memory of 3136	1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe	105
PID 1172 wrote to memory of 3136	1172	{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe	105
PID 3740 wrote to memory of 4236	3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe	106
PID 3740 wrote to memory of 4236	3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe	106
PID 3740 wrote to memory of 4236	3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe	106
PID 3740 wrote to memory of 2460	3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe	107
PID 3740 wrote to memory of 2460	3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe	107
PID 3740 wrote to memory of 2460	3740	{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe	107
PID 4236 wrote to memory of 2796	4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe	108
PID 4236 wrote to memory of 2796	4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe	108
PID 4236 wrote to memory of 2796	4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe	108
PID 4236 wrote to memory of 2820	4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe	109
PID 4236 wrote to memory of 2820	4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe	109
PID 4236 wrote to memory of 2820	4236	{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe	109
PID 2796 wrote to memory of 4500	2796	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe	110
PID 2796 wrote to memory of 4500	2796	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe	110
PID 2796 wrote to memory of 4500	2796	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe	110
PID 2796 wrote to memory of 2932	2796	{73892806-B3DC-4838-AAED-D34E261CF35D}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_0eb16378709e5ae6a1e29f6d633357f0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe
  C:\Windows\{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe
    C:\Windows\{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\{26143077-3A77-4de3-AE41-1169CD8F3016}.exe
      C:\Windows\{26143077-3A77-4de3-AE41-1169CD8F3016}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe
        
        C:\Windows\{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EAB0~1.EXE > nul
        6⤵
        
        PID:1324
      - C:\Windows\{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe
        
        C:\Windows\{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe
        
        C:\Windows\{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe
        
        C:\Windows\{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe
        
        C:\Windows\{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe
        
        C:\Windows\{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{73892806-B3DC-4838-AAED-D34E261CF35D}.exe
        
        C:\Windows\{73892806-B3DC-4838-AAED-D34E261CF35D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe
        
        C:\Windows\{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\{51D92C68-EB08-449a-ABF7-A3E1C5623134}.exe
        
        C:\Windows\{51D92C68-EB08-449a-ABF7-A3E1C5623134}.exe
        13⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71882~1.EXE > nul
        13⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73892~1.EXE > nul
        12⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E273A~1.EXE > nul
        11⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00502~1.EXE > nul
        10⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC5C4~1.EXE > nul
        9⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBA9D~1.EXE > nul
        8⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F67F~1.EXE > nul
        7⤵
        
        PID:700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26143~1.EXE > nul
        5⤵
        
        PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{20AA3~1.EXE > nul
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44C44~1.EXE > nul
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00502C74-6E22-4537-BEB2-561BE45D84CA}.exe

Filesize
408KB

MD5
59a9024c8306917fa33205a4af24ee1c

SHA1
b8013fa19a297f5f5d3e251760b2bdd577fdb648

SHA256
78316618c17984afc0c5ff3431e00bdd84326efbb835dbb9e03fc5e1824e99a0

SHA512
f1149852b04ebe5ceca4a8ffb9ce3d4777343d34671db7a98636e08b22680f80b2873554ded57f822ba6a823f15a73abdadcaa523d95f810237312781b0921dd

Download Submit
C:\Windows\{0F67F9F9-5925-445e-941C-B7CCAC6463BE}.exe

Filesize
408KB

MD5
394205dc5207c2ba4d0b2e5a87ca8ffc

SHA1
c41588359718e19dece5c4b1e18b92d843d37aa2

SHA256
1a59858de2ef2a5ce41fe90cc0ad12c8e0ad0c1d0b148b98535f494f6c6702e9

SHA512
512336c29056ad5c7b35ae151e7d9735c4996ce38d81d72446ec70cd2bda2309ee4c868949db9e684ba2f08bdd3444f62a6bb0e6d1abf36966847f114d783579

Download Submit
C:\Windows\{20AA3602-A6A5-47d2-B1AE-40DE783FD6A5}.exe

Filesize
408KB

MD5
af73ab8b218c614db0f45eda5f92c712

SHA1
89e86d4d5b0bef6d8b615af0bbd2629afa5bc6ea

SHA256
b8a3a271c19603a8dea24f26eb5bddf78479050ae61df759cfe2144fb2334e73

SHA512
b2c0979046dc9f21f74a9efe7e4546b6c230d0e80d9fe61196c03c0b67a4145c05a5dd5950562baa1e5f0e2ed0ce26c5fd625bdaa4cd0cd24912c1145bec7070

Download Submit
C:\Windows\{26143077-3A77-4de3-AE41-1169CD8F3016}.exe

Filesize
408KB

MD5
3e40b222b47f4412c7bb0110ada5741c

SHA1
d2031af114850db3d166e73ce2377b52ba5d529e

SHA256
55df278760f8a605adc50bc005050d56cf818eb887af260d749bd7df60c5c2b6

SHA512
26d0fafaebee60fc36c4bfb1e99e8044ef2c275c51be748c507aa34696769db8e3a5492911ef955f3c70ecb71822b5e8d52ac322636844a6e713f99e9ab47ca8

Download Submit
C:\Windows\{44C44D2C-C72D-41f3-867C-C3B1FAEED098}.exe

Filesize
408KB

MD5
ddd36e95e7e4bfc3f007463f4186e8f4

SHA1
805b29edb2fbd95626bdf5ebc8b80ded074b1112

SHA256
3a315c45107b93bf626e0b07d11d92517acdc1d6dc6eebf9837e643b2ad7818f

SHA512
8a976b905b5473b97198fbc66e010971c7884a406301065c8b89404c88a69f57e7686d717be3175f364e0cee49de2dca737da1939fde06b67e7f1678e409bfec

Download Submit
C:\Windows\{4EAB07E0-59B0-4bb1-9691-A15125524DA0}.exe

Filesize
408KB

MD5
2970b93fa8e9b52316aa925242071995

SHA1
0b904a3b6b5ef1d01c856e49132e373dd0880539

SHA256
0c05fa6f5125663c91a2a5f269b32d69703a2e18660c07072ff700be58d38d28

SHA512
d90f5eacb28c58aef48225b2e522b74787c80c15d682162635acf3d11bf0b7e90b980986f5e6612ee2456f1d68a6ab5108ac55d348fd3177d3d7e9c8f9300cb7

Download Submit
C:\Windows\{51D92C68-EB08-449a-ABF7-A3E1C5623134}.exe

Filesize
408KB

MD5
c786f1289bfe19cdaf73afe630e945a2

SHA1
0916ef884267907b4f889bdb8568b1464c44bba0

SHA256
d1f6beb56654ead7947966d5f9c54ae61e164c153ae2d58c029b4118b0640342

SHA512
ac25e450642f43f7a4f17622b56c56cb944d8f7edb41f1bad65a5782ccb841ddd0b6be1b260d2a642e6c17077485e58667042da5a341c3558137b5bf4b8cdbdf

Download Submit
C:\Windows\{71882C87-1B22-4758-BD4D-2EAC781940E3}.exe

Filesize
408KB

MD5
2404c582ea51928c7220bcbb6ac55c60

SHA1
73241b32a06fa9817a772a7dbac5b7a236ea3c6a

SHA256
05b0584d668f5589703177afbe6d8ca57f3cb5808892d69695fd3674699993f6

SHA512
26f4b47c5eb5b6fd0c7a150739632b8827452f285ae370ade186f12a23dce1bd1d6c5433dde967041cf34b674177252836c1e58b29a6053468cbe038f649828c

Download Submit
C:\Windows\{73892806-B3DC-4838-AAED-D34E261CF35D}.exe

Filesize
408KB

MD5
0edf995f5d9292e4a0bc5c973c85fae9

SHA1
0b12f59bb6a4b313f9a3aad0d1acaf13b3d110a3

SHA256
635ac6ab8e11f4c206193b8fab09c1d6aa42b1633b30e01dfcdfbbdf683cbb39

SHA512
736d520ac2dd11d2b1bd5496d4f65fb06ade519fef177e39c24b65beebd6a5abbbddf01e936445ab684269bd093dcaa686fd960c0e3478269a55ea5b441d6506

Download Submit
C:\Windows\{CBA9D465-07F7-4a05-AE51-F3101B156B73}.exe

Filesize
408KB

MD5
27adb5770b44841ee0da38dbbff6ba33

SHA1
741e3f7dc02628da5f143dc3a3f6df7c714ebe0e

SHA256
6550f80d556bb9dc13b117a699a411413afab3bfc636e74ec633258aeaa6043b

SHA512
fa21b07db4e20d44bf3c0822290b6e1b05fcb804e5c1ad81e1a5acc979f3f7eeb6bbb61dc6f4fec65736caa8a1fe95539df200f310304ae5931e7fcc4031507f

Download Submit
C:\Windows\{CC5C4F61-F57F-43ea-9ACB-824BE51FAF57}.exe

Filesize
408KB

MD5
100b7f0fa6bd8aa58c80edcaa02f7790

SHA1
060a9cff6255e7660907f67c82e9f012ae9f9634

SHA256
f83f6a4a90035574be7cc0e0b8b75fe110c49b34127f7b4669b475b161d7bb96

SHA512
4d764ae5ae5b2a0da88701f9493aa8ec7818434d6d95fe123431b36ed168e164be7099216992380c7d177177d6860c4eb0d66fe44ddd82db5886e44d0cafe5c2

Download Submit
C:\Windows\{E273A28F-1BC3-4660-A5F8-D9C4AD04ECC9}.exe

Filesize
408KB

MD5
32b5a54245d6366978b2b022a333769c

SHA1
fc0b9a01ec82dd4bfaaaabb0bd8890a10aac0570

SHA256
6b498fc0db33b032ccb19c9e63b564a846560fd001ccc81752a6203736e7327f

SHA512
1635bc2332f58b275357078f126b17d4f9b499c6f2b685e6557f8fe20259b829d693750cc452ba01aaf318ee448eba086c8184f7ccefa79dd3eb4b2b7fe1793e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads