89722c35fbe99a1c82470d4612ede6fcf6a70264712088ca151ae53650e7c895

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Size

204KB
MD5

e53d2d2a4804ae2092fd3686771f0c08
SHA1

df0e4c29e78df05f35c8261b5d27b4ad60d7810f
SHA256

89722c35fbe99a1c82470d4612ede6fcf6a70264712088ca151ae53650e7c895
SHA512

6a4d4bea85c095cf8213837612066701447d246fd442cab1d402767634b3ccd931b1906ce38887dad959d5c2b543053c258bcfb8e971d94491e2f5629f8c361a
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0osl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023164-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023245-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023192-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023245-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023192-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023245-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023192-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023245-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023192-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023245-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023192-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023245-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}\stubpath = "C:\\Windows\\{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe"	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C63A104-2D0C-4c31-BE13-6050F1713703}	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E73445-874C-4d2c-A666-81C307D649B0}\stubpath = "C:\\Windows\\{38E73445-874C-4d2c-A666-81C307D649B0}.exe"	{949D0B8B-F88B-4e19-B719-269A14380E81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E797FF16-8AA2-4642-888E-A1A8B9EC3773}	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144F5217-0485-4cc2-8770-C6B4677DFD77}\stubpath = "C:\\Windows\\{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe"	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}\stubpath = "C:\\Windows\\{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe"	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}\stubpath = "C:\\Windows\\{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe"	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{949D0B8B-F88B-4e19-B719-269A14380E81}\stubpath = "C:\\Windows\\{949D0B8B-F88B-4e19-B719-269A14380E81}.exe"	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7A72770-AF48-4974-8E38-F959314A95E3}\stubpath = "C:\\Windows\\{A7A72770-AF48-4974-8E38-F959314A95E3}.exe"	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}\stubpath = "C:\\Windows\\{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe"	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144F5217-0485-4cc2-8770-C6B4677DFD77}	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E73445-874C-4d2c-A666-81C307D649B0}	{949D0B8B-F88B-4e19-B719-269A14380E81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{949D0B8B-F88B-4e19-B719-269A14380E81}	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}\stubpath = "C:\\Windows\\{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe"	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3794E60C-02BB-4ee7-A430-D637A3220C9E}	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3794E60C-02BB-4ee7-A430-D637A3220C9E}\stubpath = "C:\\Windows\\{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe"	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C63A104-2D0C-4c31-BE13-6050F1713703}\stubpath = "C:\\Windows\\{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe"	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7A72770-AF48-4974-8E38-F959314A95E3}	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E797FF16-8AA2-4642-888E-A1A8B9EC3773}\stubpath = "C:\\Windows\\{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe"	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe

Executes dropped EXE 12 IoCs

pid	Process
4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe
3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe
5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe
624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe
1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe
1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe
2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe
3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe
4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe
2944	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe
1840	{949D0B8B-F88B-4e19-B719-269A14380E81}.exe
960	{38E73445-874C-4d2c-A666-81C307D649B0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe
File created	C:\Windows\{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe
File created	C:\Windows\{38E73445-874C-4d2c-A666-81C307D649B0}.exe	{949D0B8B-F88B-4e19-B719-269A14380E81}.exe
File created	C:\Windows\{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe
File created	C:\Windows\{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe
File created	C:\Windows\{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe
File created	C:\Windows\{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe
File created	C:\Windows\{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe
File created	C:\Windows\{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe
File created	C:\Windows\{949D0B8B-F88B-4e19-B719-269A14380E81}.exe	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe
File created	C:\Windows\{A7A72770-AF48-4974-8E38-F959314A95E3}.exe	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
File created	C:\Windows\{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4400	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe
Token: SeIncBasePriorityPrivilege	3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe
Token: SeIncBasePriorityPrivilege	5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe
Token: SeIncBasePriorityPrivilege	624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe
Token: SeIncBasePriorityPrivilege	1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe
Token: SeIncBasePriorityPrivilege	1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe
Token: SeIncBasePriorityPrivilege	2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe
Token: SeIncBasePriorityPrivilege	3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe
Token: SeIncBasePriorityPrivilege	4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe
Token: SeIncBasePriorityPrivilege	2944	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe
Token: SeIncBasePriorityPrivilege	1840	{949D0B8B-F88B-4e19-B719-269A14380E81}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4708	4400	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	85
PID 4400 wrote to memory of 4708	4400	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	85
PID 4400 wrote to memory of 4708	4400	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	85
PID 4400 wrote to memory of 4592	4400	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	86
PID 4400 wrote to memory of 4592	4400	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	86
PID 4400 wrote to memory of 4592	4400	2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe	86
PID 4708 wrote to memory of 3856	4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe	87
PID 4708 wrote to memory of 3856	4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe	87
PID 4708 wrote to memory of 3856	4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe	87
PID 4708 wrote to memory of 1972	4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe	88
PID 4708 wrote to memory of 1972	4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe	88
PID 4708 wrote to memory of 1972	4708	{A7A72770-AF48-4974-8E38-F959314A95E3}.exe	88
PID 3856 wrote to memory of 5092	3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe	90
PID 3856 wrote to memory of 5092	3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe	90
PID 3856 wrote to memory of 5092	3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe	90
PID 3856 wrote to memory of 4040	3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe	91
PID 3856 wrote to memory of 4040	3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe	91
PID 3856 wrote to memory of 4040	3856	{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe	91
PID 5092 wrote to memory of 624	5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe	92
PID 5092 wrote to memory of 624	5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe	92
PID 5092 wrote to memory of 624	5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe	92
PID 5092 wrote to memory of 3112	5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe	93
PID 5092 wrote to memory of 3112	5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe	93
PID 5092 wrote to memory of 3112	5092	{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe	93
PID 624 wrote to memory of 1064	624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe	94
PID 624 wrote to memory of 1064	624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe	94
PID 624 wrote to memory of 1064	624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe	94
PID 624 wrote to memory of 3760	624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe	95
PID 624 wrote to memory of 3760	624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe	95
PID 624 wrote to memory of 3760	624	{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe	95
PID 1064 wrote to memory of 1404	1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe	96
PID 1064 wrote to memory of 1404	1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe	96
PID 1064 wrote to memory of 1404	1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe	96
PID 1064 wrote to memory of 3488	1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe	97
PID 1064 wrote to memory of 3488	1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe	97
PID 1064 wrote to memory of 3488	1064	{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe	97
PID 1404 wrote to memory of 2324	1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe	99
PID 1404 wrote to memory of 2324	1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe	99
PID 1404 wrote to memory of 2324	1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe	99
PID 1404 wrote to memory of 2876	1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe	98
PID 1404 wrote to memory of 2876	1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe	98
PID 1404 wrote to memory of 2876	1404	{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe	98
PID 2324 wrote to memory of 3548	2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe	100
PID 2324 wrote to memory of 3548	2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe	100
PID 2324 wrote to memory of 3548	2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe	100
PID 2324 wrote to memory of 3732	2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe	101
PID 2324 wrote to memory of 3732	2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe	101
PID 2324 wrote to memory of 3732	2324	{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe	101
PID 3548 wrote to memory of 4544	3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe	102
PID 3548 wrote to memory of 4544	3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe	102
PID 3548 wrote to memory of 4544	3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe	102
PID 3548 wrote to memory of 4072	3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe	103
PID 3548 wrote to memory of 4072	3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe	103
PID 3548 wrote to memory of 4072	3548	{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe	103
PID 4544 wrote to memory of 2944	4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe	104
PID 4544 wrote to memory of 2944	4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe	104
PID 4544 wrote to memory of 2944	4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe	104
PID 4544 wrote to memory of 3716	4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe	105
PID 4544 wrote to memory of 3716	4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe	105
PID 4544 wrote to memory of 3716	4544	{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe	105
PID 2944 wrote to memory of 1840	2944	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe	106
PID 2944 wrote to memory of 1840	2944	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe	106
PID 2944 wrote to memory of 1840	2944	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe	106
PID 2944 wrote to memory of 1728	2944	{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_e53d2d2a4804ae2092fd3686771f0c08_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\{A7A72770-AF48-4974-8E38-F959314A95E3}.exe
  C:\Windows\{A7A72770-AF48-4974-8E38-F959314A95E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe
    C:\Windows\{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe
      C:\Windows\{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe
        
        C:\Windows\{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe
        
        C:\Windows\{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe
        
        C:\Windows\{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{144F5~1.EXE > nul
        8⤵
        
        PID:2876
        
        C:\Windows\{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe
        
        C:\Windows\{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe
        
        C:\Windows\{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe
        
        C:\Windows\{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe
        
        C:\Windows\{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{949D0B8B-F88B-4e19-B719-269A14380E81}.exe
        
        C:\Windows\{949D0B8B-F88B-4e19-B719-269A14380E81}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\{38E73445-874C-4d2c-A666-81C307D649B0}.exe
        
        C:\Windows\{38E73445-874C-4d2c-A666-81C307D649B0}.exe
        13⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{949D0~1.EXE > nul
        13⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2C8~1.EXE > nul
        12⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C63A~1.EXE > nul
        11⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3794E~1.EXE > nul
        10⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EAC9~1.EXE > nul
        9⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25B91~1.EXE > nul
        7⤵
        
        PID:3488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5036~1.EXE > nul
        6⤵
        
        PID:3760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C681~1.EXE > nul
        5⤵
        
        PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E797F~1.EXE > nul
      4⤵
      PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7A72~1.EXE > nul
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{144F5217-0485-4cc2-8770-C6B4677DFD77}.exe

Filesize
204KB

MD5
6c56306b6f3369a7c83addf795d31c9b

SHA1
0b5ed441e8d852134f4ded6b956a39bfb5e77dc6

SHA256
7b37b130a4510cd9644f6bca7ed7ba6983c45b75b3c34f2dcb78f63d317eee14

SHA512
0ff832b4b77a176bc6b0a38c1bc1aec297f855528fedbfc017d810484abc1068da97854707661db746d470694df03601270900cdb8475e9ac9b328242c9bed93

Download Submit
C:\Windows\{25B91775-35AC-4bfd-BFD5-74DB1D388ACC}.exe

Filesize
204KB

MD5
221715bc7632ddc6441b6e187434bcc9

SHA1
ba420d46a43368a803d0a9cc8d8fed38da0af999

SHA256
df8a2c000724c4d24bf399a877be74e0ee910efcd79f0e7ba1e04e5211c2d7b2

SHA512
5a1ce9a07fb378c2d6e6e818f2ac59450500f29605035affcdab01ad7168f74b512b4a493c15fb66a7821d88a8653cbf4bcbedf81de4e76446dc94d51431f28c

Download Submit
C:\Windows\{3794E60C-02BB-4ee7-A430-D637A3220C9E}.exe

Filesize
204KB

MD5
f201f71c1057138ce8694e2c073c1bec

SHA1
6e4a233020718275126e2dd6c6a9d4f376502f3e

SHA256
ce766d3514acc22f5f538b12d521964c851d44c21ecb71ff482d66c8439d347a

SHA512
df8b0610094d04ebf68279f29dfe8b5e153ff4953e42f061215bde83d3e277f04335f5d4c37796ac4a92d771f3e71f6cace08b2f4231bba2cc0baaa8bf12acd8

Download Submit
C:\Windows\{38E73445-874C-4d2c-A666-81C307D649B0}.exe

Filesize
204KB

MD5
ed82e8300050800e4a1b35293ca9b18d

SHA1
179c10508140cec273d7077b993579eee7f48f24

SHA256
7fef6722dd6d5760e80891d970bf52e2ab3f422413c80a2bb7121f390e63bb8a

SHA512
cc9e7f5ea5eb1af7d0097fddfdb2506615516a10dbc6bf25c6b01e3566f22b13829941b437050a964a63a542b298e16974958fba34c9d4365e13e8c1fb8dab69

Download Submit
C:\Windows\{3EAC9822-CD93-49b9-BB8D-FE9AFFA9A5D0}.exe

Filesize
204KB

MD5
7f8f32917435872dfeaba3a75610354d

SHA1
50dd878db6fdb2d3ffb34c08968c8964a301d964

SHA256
f99290c4bb6916fed2eff38596f5394c37649737c1866d7d2b5e2f0cbd86cc6c

SHA512
37d25f2f6e35615aaef37494c6529443e7a26ee856198eb8ac2f135fe1485ad3d15efda6fdef5777ae3c326e45d457be72c74b65a20dc8de2c2c83b0db197dc9

Download Submit
C:\Windows\{5C63A104-2D0C-4c31-BE13-6050F1713703}.exe

Filesize
204KB

MD5
477266ca8f218ed3d5ff3de16c05df5f

SHA1
3ff183cad96069cdc2c56c5485640dabe67f98ed

SHA256
977bb208c6d654ac236159d714be8ac28c359dfb03c69b4d16419d20f59cf890

SHA512
06ef9ab054c8754137f48f92e2534187cc5c33a3675521391eb5977db5445c4252c5ef599c2048aa536b1e279d2f6eba9f7ce71af6e28c2be3bd8fa322678162

Download Submit
C:\Windows\{8C681BB7-EA8E-4e96-9FA4-9490049F8B60}.exe

Filesize
204KB

MD5
5b234944e062335701ed3c40cd31d531

SHA1
b92873b90e56ee87f368695c8b70c1fa4a0a211c

SHA256
4d8bcec52cc952670e10017dd772c2db97121e135a219156ba244ce62b2c255a

SHA512
84ea7f42d9d9463b7a2c1985bd32949c3e2ab5537a812cfa5b28adb0dc630794cada3193132d3da2d68f7dca1e6933bd33394b7fb4b53401d2bc846668fbf34e

Download Submit
C:\Windows\{949D0B8B-F88B-4e19-B719-269A14380E81}.exe

Filesize
204KB

MD5
4b31ae7b8d3bc652ef53d3c65efea3a7

SHA1
0ef27aca3677eefeac7a1266c6a1bf59f7753457

SHA256
8a69e3f89a9a21523c6d78f5d3003a572952da832a704ead8a3ee142b9900e79

SHA512
de5e1d15ba7f0f012ad52f7a5b09f8bdc9f741be7f0935a1e207b8204e26928568949d3b9d8b5e167d531d3a1afe3f6d38bda9071904f6470b4760ed43c6646b

Download Submit
C:\Windows\{9E2C8EEE-776A-48f9-BE48-70DBB2C05558}.exe

Filesize
204KB

MD5
c3785c4efc3d290de8b0371fa3185e13

SHA1
ffbf9bf617c683e382fc46c8b6265e83aac6aa0d

SHA256
b735fa181a46fea8834957b6efc1cf29452b7378ae9692b976955920f14af1a2

SHA512
692e0a85661402d5657eea26d6f8e07ba3cee340c40d2b83b07e9423dc78d704c086bc4b8c2bf58714b0012f0b4e488edf6c9feee970151608d898500915cf84

Download Submit
C:\Windows\{A7A72770-AF48-4974-8E38-F959314A95E3}.exe

Filesize
204KB

MD5
34e44120191613b9e35fdd4f898f8791

SHA1
bc41489c38fad7a0c06b96b5daa00eb91556916b

SHA256
bffe5d2c49c6527fa5ce51318a25bc3d6638d0e36f9efdb10b259f761ae8ed53

SHA512
52efa07a7f06b789c2539450f6457746b16998201b37d3720479d987131105257a3d975dbd6da6dd15e4af37658b83251ea45283a25a172217a42614cbede1ed

Download Submit
C:\Windows\{E5036D3A-BFED-4c82-B1F2-FB78AFF570F9}.exe

Filesize
204KB

MD5
d8adc72d1fae9d2688cf09d9ac1174bb

SHA1
f214f3188abca0021fa6b8d986d6c6e18a0c086b

SHA256
a02cf25bd6cd54357b4757be7d204f8ac506e5bd401197338b5513d76e53df1a

SHA512
d46dcc70e46f67280c856be9399458b68b938102510a0f74f4d0271b3551a4bcd9c3477f762123d8e02bdb6f185326338b68b36dee40f098ab93a5ee9a3b8175

Download Submit
C:\Windows\{E797FF16-8AA2-4642-888E-A1A8B9EC3773}.exe

Filesize
204KB

MD5
f5a56542286753c8653a30c8581c74c8

SHA1
b0ba50121d261fce80c45f550d5e5c111fd14bdf

SHA256
a3e13b474d312327630633660b68671be9fe9b708f782edae7ce456209f6357a

SHA512
6ad2d473247d7815942001caae3a4dae0fc2ae4e77ab78c6b8de7dc4425bf11520bba374ff82597214355a7bf755b5d23c171c430ce71f1dd462ee0803067a9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads