440b1a184bf04b5c30f505ed4ec0d092484c28f76bda46134f550c3ca1fcd229

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe
Size

372KB
MD5

c0bc669b29f51f95a768d801e536e4bf
SHA1

36c16f73de626692e5a00813733428d57d0024b8
SHA256

440b1a184bf04b5c30f505ed4ec0d092484c28f76bda46134f550c3ca1fcd229
SHA512

9419b97b256ebb3a058ca5fb1e580b022fe4bbb5631435dd0587a090c8ad6235059c381689eb5660fd2ae38cf0f7b6c535fa97924ba3f14e18d54742c1efb6d9
SSDEEP

3072:CEGh0ollMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGTlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x00070000000230f6-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000230f9-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000230f9-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000230f6-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000230f9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000230f6-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000230f9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000230f9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230f6-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000230f9-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230f6-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230f9-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230f6-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230f9-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9A82E5-143C-43ab-A379-406E47AD930A}\stubpath = "C:\\Windows\\{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe"	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}	{00381A99-2ABD-4f51-B072-066045807746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF31F063-61D0-4ca4-B353-F792098C3439}	{E4880725-05D4-4d81-AC46-A892A0976396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE60B8F0-3840-47f2-A00E-56E8326720A9}	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F47C38A-5987-4360-B773-947245172952}	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66711FC1-25DE-43f9-81E7-8D642018C2C6}\stubpath = "C:\\Windows\\{66711FC1-25DE-43f9-81E7-8D642018C2C6}.exe"	{5F47C38A-5987-4360-B773-947245172952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9A82E5-143C-43ab-A379-406E47AD930A}	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9B9775-0528-4290-A9F1-487ECD9D221E}	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00381A99-2ABD-4f51-B072-066045807746}\stubpath = "C:\\Windows\\{00381A99-2ABD-4f51-B072-066045807746}.exe"	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}\stubpath = "C:\\Windows\\{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe"	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00381A99-2ABD-4f51-B072-066045807746}	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}\stubpath = "C:\\Windows\\{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe"	{00381A99-2ABD-4f51-B072-066045807746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4880725-05D4-4d81-AC46-A892A0976396}\stubpath = "C:\\Windows\\{E4880725-05D4-4d81-AC46-A892A0976396}.exe"	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}\stubpath = "C:\\Windows\\{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe"	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9B9775-0528-4290-A9F1-487ECD9D221E}\stubpath = "C:\\Windows\\{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe"	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4880725-05D4-4d81-AC46-A892A0976396}	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF31F063-61D0-4ca4-B353-F792098C3439}\stubpath = "C:\\Windows\\{FF31F063-61D0-4ca4-B353-F792098C3439}.exe"	{E4880725-05D4-4d81-AC46-A892A0976396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE60B8F0-3840-47f2-A00E-56E8326720A9}\stubpath = "C:\\Windows\\{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe"	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}\stubpath = "C:\\Windows\\{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe"	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F47C38A-5987-4360-B773-947245172952}\stubpath = "C:\\Windows\\{5F47C38A-5987-4360-B773-947245172952}.exe"	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66711FC1-25DE-43f9-81E7-8D642018C2C6}	{5F47C38A-5987-4360-B773-947245172952}.exe

Executes dropped EXE 12 IoCs

pid	Process
2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe
3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe
5056	{00381A99-2ABD-4f51-B072-066045807746}.exe
5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe
4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe
4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe
4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe
3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe
3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe
3044	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe
3168	{5F47C38A-5987-4360-B773-947245172952}.exe
1576	{66711FC1-25DE-43f9-81E7-8D642018C2C6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FF31F063-61D0-4ca4-B353-F792098C3439}.exe	{E4880725-05D4-4d81-AC46-A892A0976396}.exe
File created	C:\Windows\{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe
File created	C:\Windows\{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe
File created	C:\Windows\{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe
File created	C:\Windows\{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe	{00381A99-2ABD-4f51-B072-066045807746}.exe
File created	C:\Windows\{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe
File created	C:\Windows\{E4880725-05D4-4d81-AC46-A892A0976396}.exe	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe
File created	C:\Windows\{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe
File created	C:\Windows\{5F47C38A-5987-4360-B773-947245172952}.exe	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe
File created	C:\Windows\{66711FC1-25DE-43f9-81E7-8D642018C2C6}.exe	{5F47C38A-5987-4360-B773-947245172952}.exe
File created	C:\Windows\{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe
File created	C:\Windows\{00381A99-2ABD-4f51-B072-066045807746}.exe	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1108	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe
Token: SeIncBasePriorityPrivilege	3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe
Token: SeIncBasePriorityPrivilege	5056	{00381A99-2ABD-4f51-B072-066045807746}.exe
Token: SeIncBasePriorityPrivilege	5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe
Token: SeIncBasePriorityPrivilege	4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe
Token: SeIncBasePriorityPrivilege	4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe
Token: SeIncBasePriorityPrivilege	4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe
Token: SeIncBasePriorityPrivilege	3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe
Token: SeIncBasePriorityPrivilege	3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe
Token: SeIncBasePriorityPrivilege	3044	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe
Token: SeIncBasePriorityPrivilege	3168	{5F47C38A-5987-4360-B773-947245172952}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2132	1108	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe	81
PID 1108 wrote to memory of 2132	1108	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe	81
PID 1108 wrote to memory of 2132	1108	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe	81
PID 1108 wrote to memory of 1668	1108	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe	82
PID 1108 wrote to memory of 1668	1108	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe	82
PID 1108 wrote to memory of 1668	1108	2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe	82
PID 2132 wrote to memory of 3992	2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe	83
PID 2132 wrote to memory of 3992	2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe	83
PID 2132 wrote to memory of 3992	2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe	83
PID 2132 wrote to memory of 4152	2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe	84
PID 2132 wrote to memory of 4152	2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe	84
PID 2132 wrote to memory of 4152	2132	{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe	84
PID 3992 wrote to memory of 5056	3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe	85
PID 3992 wrote to memory of 5056	3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe	85
PID 3992 wrote to memory of 5056	3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe	85
PID 3992 wrote to memory of 5116	3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe	86
PID 3992 wrote to memory of 5116	3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe	86
PID 3992 wrote to memory of 5116	3992	{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe	86
PID 5056 wrote to memory of 5112	5056	{00381A99-2ABD-4f51-B072-066045807746}.exe	87
PID 5056 wrote to memory of 5112	5056	{00381A99-2ABD-4f51-B072-066045807746}.exe	87
PID 5056 wrote to memory of 5112	5056	{00381A99-2ABD-4f51-B072-066045807746}.exe	87
PID 5056 wrote to memory of 260	5056	{00381A99-2ABD-4f51-B072-066045807746}.exe	88
PID 5056 wrote to memory of 260	5056	{00381A99-2ABD-4f51-B072-066045807746}.exe	88
PID 5056 wrote to memory of 260	5056	{00381A99-2ABD-4f51-B072-066045807746}.exe	88
PID 5112 wrote to memory of 4488	5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe	89
PID 5112 wrote to memory of 4488	5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe	89
PID 5112 wrote to memory of 4488	5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe	89
PID 5112 wrote to memory of 484	5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe	90
PID 5112 wrote to memory of 484	5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe	90
PID 5112 wrote to memory of 484	5112	{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe	90
PID 4488 wrote to memory of 4012	4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe	91
PID 4488 wrote to memory of 4012	4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe	91
PID 4488 wrote to memory of 4012	4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe	91
PID 4488 wrote to memory of 5092	4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe	92
PID 4488 wrote to memory of 5092	4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe	92
PID 4488 wrote to memory of 5092	4488	{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe	92
PID 4012 wrote to memory of 4500	4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe	93
PID 4012 wrote to memory of 4500	4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe	93
PID 4012 wrote to memory of 4500	4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe	93
PID 4012 wrote to memory of 1540	4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe	94
PID 4012 wrote to memory of 1540	4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe	94
PID 4012 wrote to memory of 1540	4012	{E4880725-05D4-4d81-AC46-A892A0976396}.exe	94
PID 4500 wrote to memory of 3696	4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe	95
PID 4500 wrote to memory of 3696	4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe	95
PID 4500 wrote to memory of 3696	4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe	95
PID 4500 wrote to memory of 1448	4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe	96
PID 4500 wrote to memory of 1448	4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe	96
PID 4500 wrote to memory of 1448	4500	{FF31F063-61D0-4ca4-B353-F792098C3439}.exe	96
PID 3696 wrote to memory of 3260	3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe	97
PID 3696 wrote to memory of 3260	3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe	97
PID 3696 wrote to memory of 3260	3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe	97
PID 3696 wrote to memory of 2388	3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe	98
PID 3696 wrote to memory of 2388	3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe	98
PID 3696 wrote to memory of 2388	3696	{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe	98
PID 3260 wrote to memory of 3044	3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe	99
PID 3260 wrote to memory of 3044	3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe	99
PID 3260 wrote to memory of 3044	3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe	99
PID 3260 wrote to memory of 2888	3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe	100
PID 3260 wrote to memory of 2888	3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe	100
PID 3260 wrote to memory of 2888	3260	{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe	100
PID 3044 wrote to memory of 3168	3044	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe	101
PID 3044 wrote to memory of 3168	3044	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe	101
PID 3044 wrote to memory of 3168	3044	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe	101
PID 3044 wrote to memory of 3160	3044	{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_c0bc669b29f51f95a768d801e536e4bf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe
  C:\Windows\{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe
    C:\Windows\{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\{00381A99-2ABD-4f51-B072-066045807746}.exe
      C:\Windows\{00381A99-2ABD-4f51-B072-066045807746}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe
        
        C:\Windows\{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe
        
        C:\Windows\{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\{E4880725-05D4-4d81-AC46-A892A0976396}.exe
        
        C:\Windows\{E4880725-05D4-4d81-AC46-A892A0976396}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\{FF31F063-61D0-4ca4-B353-F792098C3439}.exe
        
        C:\Windows\{FF31F063-61D0-4ca4-B353-F792098C3439}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe
        
        C:\Windows\{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe
        
        C:\Windows\{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe
        
        C:\Windows\{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{5F47C38A-5987-4360-B773-947245172952}.exe
        
        C:\Windows\{5F47C38A-5987-4360-B773-947245172952}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\{66711FC1-25DE-43f9-81E7-8D642018C2C6}.exe
        
        C:\Windows\{66711FC1-25DE-43f9-81E7-8D642018C2C6}.exe
        13⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F47C~1.EXE > nul
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C894C~1.EXE > nul
        12⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E13D4~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE60B~1.EXE > nul
        10⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF31F~1.EXE > nul
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4880~1.EXE > nul
        8⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96CA6~1.EXE > nul
        7⤵
        
        PID:5092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3087~1.EXE > nul
        6⤵
        
        PID:484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00381~1.EXE > nul
        5⤵
        
        PID:260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9B9~1.EXE > nul
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F9A8~1.EXE > nul
    3⤵
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00381A99-2ABD-4f51-B072-066045807746}.exe

Filesize
372KB

MD5
7726b8457d88dd4c307b7a9ebe888402

SHA1
a2848c4fb1813371f6c09a9d4d74c87b111a42d0

SHA256
a57b50d4f3e327b221717b39f0aecf65b5c32bba3b18f6498fb258be15c15076

SHA512
9c8cf416ca5d0dc6847c0696dbdbf7d38cfeab91f6719facf2522ea3905f6d1646ff5aa2686272736eea4d77b0f50b6fb2d89a5c00e17e60163a50dbc9953024

Download Submit
C:\Windows\{5F47C38A-5987-4360-B773-947245172952}.exe

Filesize
372KB

MD5
1babd40d89e4751f5b36352a6af8f1c9

SHA1
67d9a658bc704a41f342f6653a81928b636ff342

SHA256
45599252438785021aee62f2e6e5a1dcbb359822f8a1f31af76c550352be9a77

SHA512
6f18c9127d470b990d24eb7f2bce6fdbfd06c1529dc2ab016a5fc1287d6e7a541cd6bef2f76da9ab06d531905952cc557d1a91845afc636e4de84af18df7e6f5

Download Submit
C:\Windows\{66711FC1-25DE-43f9-81E7-8D642018C2C6}.exe

Filesize
372KB

MD5
05a01bf9a7e6aa259212f79382c2b5a5

SHA1
e05f3cc8be5232631cdb068abbb9f8ef7b16e93a

SHA256
51ace75b2469d049f973d9810f44764606a6bacd7e82c0113764dc94914da44e

SHA512
bd6371ba9c740c84ac8a9edb629cd3e0b1040ff1e63a89c586fe0569851901f7e0bd1aeb45d36b4756f1bc1465ae7091694a8a037ab3cef6db1ff9ae406aba63

Download Submit
C:\Windows\{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe

Filesize
109KB

MD5
f90150b447ca4dfebfdf60e559fd9995

SHA1
33cf6edb2df851ed54df59b333934c0eba232f62

SHA256
dcb2f7edb1e0418d7730ccbab90f2a09166d3d06eb7c18523a3836af24fb0112

SHA512
ce4496a8004c78cdbb8d1932e228352a86523fae83dcda715cd661c6c0b8553bfef87862253d29103d62bba15f050d1f572bc806ec080a88a6bf61072278323b

Download Submit
C:\Windows\{7D9B9775-0528-4290-A9F1-487ECD9D221E}.exe

Filesize
48KB

MD5
0168084475983b076f18a579b0d9313a

SHA1
1faf2f6293ff2928584784f35c11b6f1fd7e15df

SHA256
317f41d9ef9e427ef86421122c0c143d54c98e8a5c3abbae49b5ebb881ac4798

SHA512
2e8121022d211dbbfb85f8f2dd06f8ef2bd6dc46f86ba9e4092425f44c070ce39b950dbb6eedd14c2a36a900fd28c574b13a89d9e5b1a0f18a26c71ceb4a2f4a

Download Submit
C:\Windows\{7F9A82E5-143C-43ab-A379-406E47AD930A}.exe

Filesize
372KB

MD5
4049f28812a4ec011d16ee41816b90e6

SHA1
480f9a46b757cefc9c3bf9f1c596a1753cf120d8

SHA256
01c3071d1b0ef16dcd2e5daf39a561d443386c910862b65bd54dd02597548093

SHA512
4901893d3ad5a0b1e1d55a75b7e20a4114c1ad4cc896c4dbd170d9bab4c06ba386e2014698686e180932d874ed66f82f0255482612b994cabc2b05d1e0954a21

Download Submit
C:\Windows\{96CA6B1B-C4EA-4152-85B1-811CF14D5A61}.exe

Filesize
372KB

MD5
d9950a300ea37933198e8b9d4993c967

SHA1
c39b3f7a35230fa9e95a8c12b62b42b37a8e3e9f

SHA256
7e69c53443b6d2a5d385c30b53a7a3cbd8b83998442469c49892ecc444d9fe8e

SHA512
574f46366722c94529e591175b4eba5f90f7b748f4b92293e22915aae7657306e8cdc5ac99099602a8215a125a7757224546ad9ebd4639b91062ee6ba59b4fbb

Download Submit
C:\Windows\{A30872F3-522E-4e66-BCCD-BA0A9A4BB3B8}.exe

Filesize
372KB

MD5
2b40cebde88f51da62dd1b8d57745716

SHA1
454d154c78b6c64ab35f52befc17bb94f794714d

SHA256
3f99b4b3e5593db1ec6f0c82110126a68f31d7650ce479dcd5d060b3cacba2fb

SHA512
b0349311b2b167dc207c30c1238d8a8a26cf8145e1156fe65c1a293f68f1fc6b28529499d5e0452e0114f2dcd44a0321e527c9b7c04308c438c93a15abc41f10

Download Submit
C:\Windows\{C894C9A9-86CB-442d-A3C6-03E1EA1B3DDC}.exe

Filesize
372KB

MD5
9cfc4cde0538d1b7fbf9e1db89637b8c

SHA1
7394c11099eb3ad4af497ac7f2ff958f43fdf3cd

SHA256
b05ad2fd5c7e9e5c5b3d24bcb7d216d1f422332362f63d9ad2b1970554d91c83

SHA512
fd603557a178e2f9336bb30a6763324c5ffb0675cdd925b40de8771598b0a4a60b160253e40fb6bf541eaeb1e57a1a988e9dbe771d8c58d7be82c3b1c821d096

Download Submit
C:\Windows\{E13D4ACB-9DDF-4bb2-B386-E0CD491D7012}.exe

Filesize
372KB

MD5
55e0d829a4f39d5f9d65845ad4457d5e

SHA1
5feb9e4a508eca41f9f26511fe6223258a61c241

SHA256
e9a730f39291ec238ec3f3702b2bbb35273409407a77e567d6cda235ad5e4189

SHA512
06af63103477d02c575ee0100e02224e2873f11234b029d30ef0fca2413a61a3416b093ad1208c89e58cf5cbed69596348489059cdae6274ff7dd2740bd0b271

Download Submit
C:\Windows\{E4880725-05D4-4d81-AC46-A892A0976396}.exe

Filesize
317KB

MD5
406e51f2522cba3278e94a930d2e1d16

SHA1
bc2d4ff2028ec31d07600c07554b23a843c7af58

SHA256
d94053c48bb0e3af3f25bb0a1d132c0925b0acadc11b2e8f67023746570411bf

SHA512
dd9ddd951f4e67ff7f6f584f3bfca825e91d07d2676ac7e895203812eba62b3c3550628d26c232392dabbc6fd95c60c5a54e7df0dc4e09f8c147fc6b7931bbc0

Download Submit
C:\Windows\{E4880725-05D4-4d81-AC46-A892A0976396}.exe

Filesize
192KB

MD5
4abcdf936c70d2f135b042e2b572b4d1

SHA1
f4b2da9654d41c53be2e35c32694a15d6db3c136

SHA256
58503c1721094e2f0829df93bc69716e88604be0bf11fbafe5c5bfec790bdd0d

SHA512
84dcffa8eca21002a4647cf58a4d8488148e9c1548524ff759c86be270ba3f3d9ed0d60ae5aa877ccd894bd3b6793f5b06b963fd9cb72450d24495f5c2a7b634

Download Submit
C:\Windows\{EE60B8F0-3840-47f2-A00E-56E8326720A9}.exe

Filesize
372KB

MD5
60edb301b641c1cbfff548de51cbed7c

SHA1
4d760e2d32cd1a91e97ea13123f814d16f5c045d

SHA256
4a75574fc333db3b10d89917c31b08a325093b1767222b5b04f100205582464d

SHA512
50408c2b4b608b4551098fb50775bc68042a74f0f09481735739aa3ca141335dee2f19f31430f2e623f6c1a82f069da5783b51b1e07b8277ca7072946faa1ccf

Download Submit
C:\Windows\{FF31F063-61D0-4ca4-B353-F792098C3439}.exe

Filesize
372KB

MD5
12429cc32a59c80e749da70e42e1e336

SHA1
998257dc3b97b744ee97c8d4088736f25773bdfe

SHA256
9dfd735167b360e80f9ef63ee0157373da51c2e033976e6cd7b0b2af6db1aed6

SHA512
9a65e9bead5c21c843cb0d1cafda3d384e0f922298407161960493791695e9b364bb559803225302dba7e4e1bac725b840955fc605da082783591565b5c43a28

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads