f0852c0880c5acf8173e3b61ad6e439404ce52de71bfea97d0982e742502a8e4

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Size

192KB
MD5

501b7db51c4712a706cbfc003c389412
SHA1

d60c754e84f811e7d3c633bde1143a42f95ed4ff
SHA256

f0852c0880c5acf8173e3b61ad6e439404ce52de71bfea97d0982e742502a8e4
SHA512

040d091a67dddc2a590bad89706942aaaa765f18057d125bcd0036431f0ad14a9de844e54f938f6ef14c08440c6a547e3fb31442e3b9544eccd9d8cbae230543
SSDEEP

1536:1EGh0onl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0onl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f5-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016930-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f5-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016930-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231f5-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016930-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231f5-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016930-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231f5-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016930-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000231f5-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC898704-846C-410f-9CA9-F18962BE7EAA}	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79536F8B-E0A9-4a8d-8EDA-86A395B65988}	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C29392-546A-482c-8C80-72F8E97B86F9}\stubpath = "C:\\Windows\\{B3C29392-546A-482c-8C80-72F8E97B86F9}.exe"	{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43D08E91-C261-46eb-980D-D5F5D0C992C2}\stubpath = "C:\\Windows\\{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe"	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5863E324-B4B2-491b-9CCD-F7DF57380A5E}\stubpath = "C:\\Windows\\{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe"	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414C9048-EC9F-496b-9958-109659267CB6}	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414C9048-EC9F-496b-9958-109659267CB6}\stubpath = "C:\\Windows\\{414C9048-EC9F-496b-9958-109659267CB6}.exe"	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA85EC1-7A63-4ede-840A-16A68610A5B2}	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{629AEFE2-8627-4fdf-8A6A-07B9106EF557}	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}\stubpath = "C:\\Windows\\{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe"	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCC148CA-9FD4-4b58-A932-C18175B2AE79}\stubpath = "C:\\Windows\\{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe"	{414C9048-EC9F-496b-9958-109659267CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3C29392-546A-482c-8C80-72F8E97B86F9}	{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC898704-846C-410f-9CA9-F18962BE7EAA}\stubpath = "C:\\Windows\\{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe"	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA85EC1-7A63-4ede-840A-16A68610A5B2}\stubpath = "C:\\Windows\\{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe"	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}\stubpath = "C:\\Windows\\{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe"	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5863E324-B4B2-491b-9CCD-F7DF57380A5E}	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}\stubpath = "C:\\Windows\\{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe"	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCC148CA-9FD4-4b58-A932-C18175B2AE79}	{414C9048-EC9F-496b-9958-109659267CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79536F8B-E0A9-4a8d-8EDA-86A395B65988}\stubpath = "C:\\Windows\\{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe"	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{629AEFE2-8627-4fdf-8A6A-07B9106EF557}\stubpath = "C:\\Windows\\{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe"	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43D08E91-C261-46eb-980D-D5F5D0C992C2}	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe

Executes dropped EXE 12 IoCs

pid	Process
3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe
3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe
3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe
3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe
5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe
3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe
2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe
2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe
816	{414C9048-EC9F-496b-9958-109659267CB6}.exe
3600	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe
1312	{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe
4848	{B3C29392-546A-482c-8C80-72F8E97B86F9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
File created	C:\Windows\{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe
File created	C:\Windows\{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe
File created	C:\Windows\{414C9048-EC9F-496b-9958-109659267CB6}.exe	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe
File created	C:\Windows\{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe	{414C9048-EC9F-496b-9958-109659267CB6}.exe
File created	C:\Windows\{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe
File created	C:\Windows\{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe
File created	C:\Windows\{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe
File created	C:\Windows\{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe
File created	C:\Windows\{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe
File created	C:\Windows\{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe
File created	C:\Windows\{B3C29392-546A-482c-8C80-72F8E97B86F9}.exe	{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3932	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe
Token: SeIncBasePriorityPrivilege	3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe
Token: SeIncBasePriorityPrivilege	3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe
Token: SeIncBasePriorityPrivilege	3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe
Token: SeIncBasePriorityPrivilege	5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe
Token: SeIncBasePriorityPrivilege	3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe
Token: SeIncBasePriorityPrivilege	2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe
Token: SeIncBasePriorityPrivilege	2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe
Token: SeIncBasePriorityPrivilege	816	{414C9048-EC9F-496b-9958-109659267CB6}.exe
Token: SeIncBasePriorityPrivilege	3600	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe
Token: SeIncBasePriorityPrivilege	1312	{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3452	3932	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	93
PID 3932 wrote to memory of 3452	3932	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	93
PID 3932 wrote to memory of 3452	3932	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	93
PID 3932 wrote to memory of 4276	3932	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	94
PID 3932 wrote to memory of 4276	3932	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	94
PID 3932 wrote to memory of 4276	3932	2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe	94
PID 3452 wrote to memory of 3096	3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe	95
PID 3452 wrote to memory of 3096	3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe	95
PID 3452 wrote to memory of 3096	3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe	95
PID 3452 wrote to memory of 5084	3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe	96
PID 3452 wrote to memory of 5084	3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe	96
PID 3452 wrote to memory of 5084	3452	{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe	96
PID 3096 wrote to memory of 3580	3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe	100
PID 3096 wrote to memory of 3580	3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe	100
PID 3096 wrote to memory of 3580	3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe	100
PID 3096 wrote to memory of 1616	3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe	101
PID 3096 wrote to memory of 1616	3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe	101
PID 3096 wrote to memory of 1616	3096	{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe	101
PID 3580 wrote to memory of 3996	3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe	102
PID 3580 wrote to memory of 3996	3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe	102
PID 3580 wrote to memory of 3996	3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe	102
PID 3580 wrote to memory of 3796	3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe	103
PID 3580 wrote to memory of 3796	3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe	103
PID 3580 wrote to memory of 3796	3580	{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe	103
PID 3996 wrote to memory of 5008	3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe	104
PID 3996 wrote to memory of 5008	3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe	104
PID 3996 wrote to memory of 5008	3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe	104
PID 3996 wrote to memory of 3604	3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe	105
PID 3996 wrote to memory of 3604	3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe	105
PID 3996 wrote to memory of 3604	3996	{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe	105
PID 5008 wrote to memory of 3992	5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe	106
PID 5008 wrote to memory of 3992	5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe	106
PID 5008 wrote to memory of 3992	5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe	106
PID 5008 wrote to memory of 2756	5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe	107
PID 5008 wrote to memory of 2756	5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe	107
PID 5008 wrote to memory of 2756	5008	{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe	107
PID 3992 wrote to memory of 2436	3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe	108
PID 3992 wrote to memory of 2436	3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe	108
PID 3992 wrote to memory of 2436	3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe	108
PID 3992 wrote to memory of 4284	3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe	109
PID 3992 wrote to memory of 4284	3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe	109
PID 3992 wrote to memory of 4284	3992	{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe	109
PID 2436 wrote to memory of 2824	2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe	110
PID 2436 wrote to memory of 2824	2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe	110
PID 2436 wrote to memory of 2824	2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe	110
PID 2436 wrote to memory of 388	2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe	111
PID 2436 wrote to memory of 388	2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe	111
PID 2436 wrote to memory of 388	2436	{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe	111
PID 2824 wrote to memory of 816	2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe	113
PID 2824 wrote to memory of 816	2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe	113
PID 2824 wrote to memory of 816	2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe	113
PID 2824 wrote to memory of 408	2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe	112
PID 2824 wrote to memory of 408	2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe	112
PID 2824 wrote to memory of 408	2824	{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe	112
PID 816 wrote to memory of 3600	816	{414C9048-EC9F-496b-9958-109659267CB6}.exe	114
PID 816 wrote to memory of 3600	816	{414C9048-EC9F-496b-9958-109659267CB6}.exe	114
PID 816 wrote to memory of 3600	816	{414C9048-EC9F-496b-9958-109659267CB6}.exe	114
PID 816 wrote to memory of 2768	816	{414C9048-EC9F-496b-9958-109659267CB6}.exe	115
PID 816 wrote to memory of 2768	816	{414C9048-EC9F-496b-9958-109659267CB6}.exe	115
PID 816 wrote to memory of 2768	816	{414C9048-EC9F-496b-9958-109659267CB6}.exe	115
PID 3600 wrote to memory of 1312	3600	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe	117
PID 3600 wrote to memory of 1312	3600	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe	117
PID 3600 wrote to memory of 1312	3600	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe	117
PID 3600 wrote to memory of 468	3600	{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_501b7db51c4712a706cbfc003c389412_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe
  C:\Windows\{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe
    C:\Windows\{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe
      C:\Windows\{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Windows\{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe
        
        C:\Windows\{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Windows\{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe
        
        C:\Windows\{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe
        
        C:\Windows\{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe
        
        C:\Windows\{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe
        
        C:\Windows\{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15FE0~1.EXE > nul
        10⤵
        
        PID:408
        
        C:\Windows\{414C9048-EC9F-496b-9958-109659267CB6}.exe
        
        C:\Windows\{414C9048-EC9F-496b-9958-109659267CB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe
        
        C:\Windows\{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCC14~1.EXE > nul
        12⤵
        
        PID:468
        
        C:\Windows\{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe
        
        C:\Windows\{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\{B3C29392-546A-482c-8C80-72F8E97B86F9}.exe
        
        C:\Windows\{B3C29392-546A-482c-8C80-72F8E97B86F9}.exe
        13⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79536~1.EXE > nul
        13⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{414C9~1.EXE > nul
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5863E~1.EXE > nul
        9⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC29~1.EXE > nul
        8⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43D08~1.EXE > nul
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{629AE~1.EXE > nul
        6⤵
        
        PID:3604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D938~1.EXE > nul
        5⤵
        
        PID:3796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA85~1.EXE > nul
      4⤵
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC898~1.EXE > nul
    3⤵
    PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15FE0B90-9EB1-445f-A5B4-6B8F1F946090}.exe

Filesize
192KB

MD5
bfc31e97caf00bca4fbce0f422e43210

SHA1
5ba57a0bf97c612cda7baaa4acff536197d48216

SHA256
6f413f74657487096071b8a011205a751c21a36a955826191518a78db4575dd0

SHA512
372ab40bf55ab6427f0b4b5af5107cd133d2db3cd855b0056b7dcce553637321088a17079bed7a22635ce4fa62b9c730e436fab7be6dd86262280f818bb714b2

Download Submit
C:\Windows\{414C9048-EC9F-496b-9958-109659267CB6}.exe

Filesize
192KB

MD5
655f2247545a7b877a1b24e7c5ee9041

SHA1
317352e64bf4734e93a23f3c92d467feb56ef771

SHA256
740be1949f1facbfc58922789e6286ce5c8d0a2d1a590bbe5506e407d22f5679

SHA512
b485b84721ea0d1ee8321737b75dbbd490462cc4daaaadea9dff5cc05cc39efe7a37a343f743d197ba354d6bff8df7b922035d695e22b4522bc7e5ac9b088b06

Download Submit
C:\Windows\{43D08E91-C261-46eb-980D-D5F5D0C992C2}.exe

Filesize
192KB

MD5
b2f924df9bfd073431fb89617f5b5bea

SHA1
cf233300124877120fbaa2488049a659b0cd49f6

SHA256
d45046498182dcdbe4882a59c90bfe189c7542d7d8df5c019b1f42c6c46fe6d9

SHA512
d373a78fcdf67ec10d702535dfe4df993719147680c7df18fc12cae93f4c2e0a12941aae6e37473941bf78183ea91553c59b0f01ade66b0026a9f2cc2e941673

Download Submit
C:\Windows\{5863E324-B4B2-491b-9CCD-F7DF57380A5E}.exe

Filesize
192KB

MD5
229218690b5e57db8d480467d7a74656

SHA1
7e6923ce3a94c5dfeccfc4d280b3350e3c88511c

SHA256
005c50f52533cba89b49572ec0c3124cdc4b5904086dda7b4559b010da83948b

SHA512
76187faf679e643c604d1eb7cd59c84e410d79fce430f71f90e5b34f15087b4ad66a09016207d3d4cab525411ec4e7fb350ab4f16b0795e3aa520599723476b1

Download Submit
C:\Windows\{629AEFE2-8627-4fdf-8A6A-07B9106EF557}.exe

Filesize
192KB

MD5
b9f7c48684b02c48dd1f8d856bce9d33

SHA1
7f0c86f1ddae3062e2c3cfb3bf5594f87119fd36

SHA256
aa51c9fd6ea231211e16ac19b5f1f10ebcebb646941898f740977445dce91ed1

SHA512
11fc64e1ecb253e98048f873e4c5c9c29d2494fc9ac569eb57d91c957c0dd6dc86f194f1c47b3504dc96cd43817972dee11caf47b434a3918dabed45647e72f9

Download Submit
C:\Windows\{6D93823F-F2FC-44eb-92E9-26C5FEFA9705}.exe

Filesize
192KB

MD5
c65e7bbf08c7c6f23aa60ac314401a1d

SHA1
1e033100cf3f1f7e9091eeec7f3529f8e7bab220

SHA256
fe6fb1e72ee911fea41fce4239c41240a8180a67597ccef75acb357441626225

SHA512
92be51113fccc21bd5cb7889231f948ca76b7c165170f82a30934e3cbed24712750322f548905bcbcddce3b9766ea160e8f9237c35fad728e65414306db2a193

Download Submit
C:\Windows\{79536F8B-E0A9-4a8d-8EDA-86A395B65988}.exe

Filesize
192KB

MD5
2f40a6c32d4c9765e4908a70428e1257

SHA1
6be96a8ffdc5a3237c3a4fddd08f5b4f8aafa83c

SHA256
4220c9ebd3489ee1a200a18b3fa2d7bb0b54fb98eae47ed3141ceadefa9d80e6

SHA512
ab884e2ae1bc16fb11a2c7e3a29072f3f035d7b222f0a811705dcd21988c702d3f9191e8a1d1f6176e9ca46232cc533396a2e8d8e76aacf44695478a8c628621

Download Submit
C:\Windows\{9DC29DAF-6C5D-4f02-B76A-4C2CF14BCF0A}.exe

Filesize
192KB

MD5
334c11e31b85498f1b3586c7ca1c9ef0

SHA1
715858ee9fc16bbacaeba27145c5351df1ad472f

SHA256
d7ded40133659681b119e2d6991dcf695aea450d790bfc11ac66b11d387bb7c2

SHA512
f46b86cf4696a19cec05798a5bc5e4dc09108ccf1c090d020dea06f7d412d2105d076101fc50633bb24e9710cb7a7297d7fae68fd10db07ac5654704c2aa9798

Download Submit
C:\Windows\{AAA85EC1-7A63-4ede-840A-16A68610A5B2}.exe

Filesize
192KB

MD5
42e32d0464056f4786874f63389803d4

SHA1
43d7ade53076bfdc3b8eaacd4e7d642ae58f9462

SHA256
d4ff576a52554d91fe6762d1c495b8e3da6abca503d3aff4258ae08e856118a0

SHA512
c705415c93f4b94cf61fcc9fff2f3c322afb0a5ca2b6be0d299e445419f752c9a51523d9d6285d0353d24fe963ba8a11394415cbf25a0cf3b53ab1f74a152945

Download Submit
C:\Windows\{B3C29392-546A-482c-8C80-72F8E97B86F9}.exe

Filesize
192KB

MD5
11562980c6b2f798b34de7e338204937

SHA1
f4bd79c1098682a52e1905020d163221607cff58

SHA256
a211ac62b5fcce521721a86b6adf56c335a547c290644d1d9240fad22ca2f195

SHA512
013beee7a55cec86cf2d643124b8f4e9b7f3bdf51eb178c342f963698c0a28715cf6c5674e7e2cb73281b75194eac86f9d37b0fe4c984650b8fe07e51e79db8a

Download Submit
C:\Windows\{BC898704-846C-410f-9CA9-F18962BE7EAA}.exe

Filesize
192KB

MD5
750b2f8be6770d7200b27a5b22956f8f

SHA1
80c94991330172924b5dffe46eff7023cfd71529

SHA256
b9994b73ba098cc7ef91dd6cc8874fa0016947a058d1353e6c5f3de604133a1e

SHA512
efd0dd67daa7c9d3ae76c33ea1ba2879810149c736e56a182538a63205366779ad004b4b8529ff0b6b6121d54812286f9fbdb14827aec817ef89aebdc12270aa

Download Submit
C:\Windows\{CCC148CA-9FD4-4b58-A932-C18175B2AE79}.exe

Filesize
192KB

MD5
f3468f09313dd14cc8a98b22045c8de4

SHA1
e5c337018d05792e421390ce61cd5583758f4828

SHA256
172a8be908e1d7309ba5e514bbbf95120f3ec1d4a468071427e34e5db7f85d16

SHA512
3f0ab48cd5cc0746868438e44ef39c921f286beb60da24020f2e75bbffefbbf9f7e5a18b98115e14593d41a46eb6d36c957cded9028ecf818aabe22ebcd33f62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads