afd4fa36e4650b9b55ef7fd28de23394ec3b60758637e7ce04e70de0dac7d304

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Size

344KB
MD5

209cee592d123b00861687a32242b75b
SHA1

49b0ae7f2e57ac2edb14dbbe06a2d452109a7f15
SHA256

afd4fa36e4650b9b55ef7fd28de23394ec3b60758637e7ce04e70de0dac7d304
SHA512

7fa6de22baa9b4a29359b2fedb39b88300977b58ceab49ebbce7ddd9d0bd3fa0e3348f350e98d76328cdebfae09f6fe5c71000c5c4230dbcb49ea52a9af5496f
SSDEEP

3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGWlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00080000000230fc-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023102-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023109-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022feb-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023109-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022feb-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023109-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022feb-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023109-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000022feb-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000022feb-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023109-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000022feb-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}\stubpath = "C:\\Windows\\{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe"	{651301FA-CDF8-47bd-8639-F555888C9062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{810B8073-C0B7-4ced-8BF6-A62CFCE81760}\stubpath = "C:\\Windows\\{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe"	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4146EBF9-762E-4664-B118-C1E7B80730BC}\stubpath = "C:\\Windows\\{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe"	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}\stubpath = "C:\\Windows\\{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}.exe"	{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FF657D-70EC-458f-9CDD-80F5D233780A}	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F40CD16-0DCD-4d34-9AEE-2115370D6998}	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651301FA-CDF8-47bd-8639-F555888C9062}	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}	{651301FA-CDF8-47bd-8639-F555888C9062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}\stubpath = "C:\\Windows\\{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe"	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF62278-73F5-40fb-9853-F967ABCEEFEE}\stubpath = "C:\\Windows\\{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe"	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C2B7FD-3365-4538-9BEF-0117DF80821C}	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C2B7FD-3365-4538-9BEF-0117DF80821C}\stubpath = "C:\\Windows\\{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe"	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4146EBF9-762E-4664-B118-C1E7B80730BC}	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FF657D-70EC-458f-9CDD-80F5D233780A}\stubpath = "C:\\Windows\\{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe"	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F40CD16-0DCD-4d34-9AEE-2115370D6998}\stubpath = "C:\\Windows\\{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe"	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF62278-73F5-40fb-9853-F967ABCEEFEE}	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}\stubpath = "C:\\Windows\\{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe"	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{810B8073-C0B7-4ced-8BF6-A62CFCE81760}	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}	{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1BAE79B-DB96-4bb7-A037-455FEFC00463}	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1BAE79B-DB96-4bb7-A037-455FEFC00463}\stubpath = "C:\\Windows\\{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe"	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651301FA-CDF8-47bd-8639-F555888C9062}\stubpath = "C:\\Windows\\{651301FA-CDF8-47bd-8639-F555888C9062}.exe"	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe

Executes dropped EXE 12 IoCs

pid	Process
4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe
3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe
4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe
772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe
3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe
3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe
4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe
756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe
744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe
3720	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe
4900	{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe
488	{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe
File created	C:\Windows\{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe
File created	C:\Windows\{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
File created	C:\Windows\{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe
File created	C:\Windows\{651301FA-CDF8-47bd-8639-F555888C9062}.exe	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe
File created	C:\Windows\{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe	{651301FA-CDF8-47bd-8639-F555888C9062}.exe
File created	C:\Windows\{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe
File created	C:\Windows\{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe
File created	C:\Windows\{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe
File created	C:\Windows\{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}.exe	{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe
File created	C:\Windows\{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe
File created	C:\Windows\{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3636	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe
Token: SeIncBasePriorityPrivilege	3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe
Token: SeIncBasePriorityPrivilege	4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe
Token: SeIncBasePriorityPrivilege	772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe
Token: SeIncBasePriorityPrivilege	3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe
Token: SeIncBasePriorityPrivilege	3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe
Token: SeIncBasePriorityPrivilege	4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe
Token: SeIncBasePriorityPrivilege	756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe
Token: SeIncBasePriorityPrivilege	744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe
Token: SeIncBasePriorityPrivilege	3720	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe
Token: SeIncBasePriorityPrivilege	4900	{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4652	3636	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	87
PID 3636 wrote to memory of 4652	3636	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	87
PID 3636 wrote to memory of 4652	3636	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	87
PID 3636 wrote to memory of 3880	3636	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	88
PID 3636 wrote to memory of 3880	3636	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	88
PID 3636 wrote to memory of 3880	3636	2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe	88
PID 4652 wrote to memory of 3084	4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe	89
PID 4652 wrote to memory of 3084	4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe	89
PID 4652 wrote to memory of 3084	4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe	89
PID 4652 wrote to memory of 4244	4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe	90
PID 4652 wrote to memory of 4244	4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe	90
PID 4652 wrote to memory of 4244	4652	{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe	90
PID 3084 wrote to memory of 4404	3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe	94
PID 3084 wrote to memory of 4404	3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe	94
PID 3084 wrote to memory of 4404	3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe	94
PID 3084 wrote to memory of 3960	3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe	93
PID 3084 wrote to memory of 3960	3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe	93
PID 3084 wrote to memory of 3960	3084	{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe	93
PID 4404 wrote to memory of 772	4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe	97
PID 4404 wrote to memory of 772	4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe	97
PID 4404 wrote to memory of 772	4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe	97
PID 4404 wrote to memory of 4760	4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe	98
PID 4404 wrote to memory of 4760	4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe	98
PID 4404 wrote to memory of 4760	4404	{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe	98
PID 772 wrote to memory of 3796	772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe	99
PID 772 wrote to memory of 3796	772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe	99
PID 772 wrote to memory of 3796	772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe	99
PID 772 wrote to memory of 2520	772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe	100
PID 772 wrote to memory of 2520	772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe	100
PID 772 wrote to memory of 2520	772	{651301FA-CDF8-47bd-8639-F555888C9062}.exe	100
PID 3796 wrote to memory of 3620	3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe	101
PID 3796 wrote to memory of 3620	3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe	101
PID 3796 wrote to memory of 3620	3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe	101
PID 3796 wrote to memory of 3076	3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe	102
PID 3796 wrote to memory of 3076	3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe	102
PID 3796 wrote to memory of 3076	3796	{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe	102
PID 3620 wrote to memory of 4400	3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe	103
PID 3620 wrote to memory of 4400	3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe	103
PID 3620 wrote to memory of 4400	3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe	103
PID 3620 wrote to memory of 3176	3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe	104
PID 3620 wrote to memory of 3176	3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe	104
PID 3620 wrote to memory of 3176	3620	{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe	104
PID 4400 wrote to memory of 756	4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe	105
PID 4400 wrote to memory of 756	4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe	105
PID 4400 wrote to memory of 756	4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe	105
PID 4400 wrote to memory of 3600	4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe	106
PID 4400 wrote to memory of 3600	4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe	106
PID 4400 wrote to memory of 3600	4400	{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe	106
PID 756 wrote to memory of 744	756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe	107
PID 756 wrote to memory of 744	756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe	107
PID 756 wrote to memory of 744	756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe	107
PID 756 wrote to memory of 2460	756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe	108
PID 756 wrote to memory of 2460	756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe	108
PID 756 wrote to memory of 2460	756	{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe	108
PID 744 wrote to memory of 3720	744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe	110
PID 744 wrote to memory of 3720	744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe	110
PID 744 wrote to memory of 3720	744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe	110
PID 744 wrote to memory of 5072	744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe	109
PID 744 wrote to memory of 5072	744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe	109
PID 744 wrote to memory of 5072	744	{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe	109
PID 3720 wrote to memory of 4900	3720	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe	111
PID 3720 wrote to memory of 4900	3720	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe	111
PID 3720 wrote to memory of 4900	3720	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe	111
PID 3720 wrote to memory of 2564	3720	{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_209cee592d123b00861687a32242b75b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe
  C:\Windows\{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe
    C:\Windows\{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1BAE~1.EXE > nul
      4⤵
      PID:3960
  - - C:\Windows\{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe
      C:\Windows\{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\{651301FA-CDF8-47bd-8639-F555888C9062}.exe
        
        C:\Windows\{651301FA-CDF8-47bd-8639-F555888C9062}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe
        
        C:\Windows\{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe
        
        C:\Windows\{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe
        
        C:\Windows\{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe
        
        C:\Windows\{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe
        
        C:\Windows\{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C2B~1.EXE > nul
        11⤵
        
        PID:5072
        
        C:\Windows\{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe
        
        C:\Windows\{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe
        
        C:\Windows\{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}.exe
        
        C:\Windows\{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}.exe
        13⤵
        Executes dropped EXE
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6C1F~1.EXE > nul
        13⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4146E~1.EXE > nul
        12⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{810B8~1.EXE > nul
        10⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EF62~1.EXE > nul
        9⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99080~1.EXE > nul
        8⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93226~1.EXE > nul
        7⤵
        
        PID:3076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65130~1.EXE > nul
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F40C~1.EXE > nul
        5⤵
        
        PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{25FF6~1.EXE > nul
    3⤵
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F40CD16-0DCD-4d34-9AEE-2115370D6998}.exe

Filesize
344KB

MD5
8d4855928a550dd2bdc5dc384fd1e6ce

SHA1
1b77688377ffd54d10e9b8b6448b2ad51e27f298

SHA256
4bf47d28a810f5fc3dbffee5a6c3ffe3a8be7a7abd11d3f31019627b8131910c

SHA512
73b309141d3fc33a0aa0ac57d3abacbc0cc979221dfa390dc3ebab138a5c7b1ec2c874f901f98c6db59a4e5e87dd5642fd02d59c7a9e024cd14d2d38b6c9125d

Download Submit
C:\Windows\{1EF62278-73F5-40fb-9853-F967ABCEEFEE}.exe

Filesize
344KB

MD5
41ba61a6a13dab5de59c0e6c8aeac4c0

SHA1
82c734fa666267133c01a3db9f33411e2721ce20

SHA256
eb047e8a233ee910a443b5d9f792b48a6dc2503f97f9e174d4078768d6f97578

SHA512
36f257c5cff7f2838c1cefbfc2265b6b6e0bf0e2946cdb225cb481a9aa45a3298a11e628621f982eb50cb28980c29faa60fbde7e4e104bf648468cef9a8b5316

Download Submit
C:\Windows\{25FF657D-70EC-458f-9CDD-80F5D233780A}.exe

Filesize
344KB

MD5
d650b16ffc3d8ae53e17f736862f9f95

SHA1
29e678f3ca3e263009bad163ee64107063de50a3

SHA256
30173261ebd91b55c4fd0eb81c5a838a227f715e1ca28e284e1c4a0b17f124cf

SHA512
b7557f1e986db710f8896476fece2b3a0b009ffcdf854ff1e899276540cba66e1bc91cb5d09417445c64f189756a584a5d150a344a159a2b06c9e99c3e9bcdae

Download Submit
C:\Windows\{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe

Filesize
344KB

MD5
ecacc3d4234276899118841c3bd14ab5

SHA1
4a71fd985a1efa47948e07cd924aceb9bb92b7b5

SHA256
12d215b0d8f05df78795d45620a5ef5d4af3816a610decfcd56e57eee0b0df37

SHA512
361884fe761787c9801b602a0acacf5841b50f6a1989a33209619b836402416f9f33342b9be3cae5b0200b9df4c17df392313ab065088379dc2676e837236706

Download Submit
C:\Windows\{4146EBF9-762E-4664-B118-C1E7B80730BC}.exe

Filesize
258KB

MD5
da46f18607236b9db4b727808070b831

SHA1
15fe9354cf05a42d9d64f2cc68694d95984ad231

SHA256
3c5cfa616c1d2443199f0ca9ed0b9815fe17d2c81cf26ee6da3bae8c5bd1f667

SHA512
c6c226e5ce28fa8fe13edf136809a3759c24fd819a4380b55ec20f2f8ac22d84642c6b277374b8b30ea7d4220ae20ea597e0806072946b74c4d19c53cdffddfe

Download Submit
C:\Windows\{651301FA-CDF8-47bd-8639-F555888C9062}.exe

Filesize
344KB

MD5
793b79522c60eeb41a1fc56f3b2564e9

SHA1
04b9d6429e6cfbb8ec1667037cf9aaf7a62b5711

SHA256
f8939786da570d6cadeacdbb68cda3ee997e8a8ea69a87d30a34c4bf9a724e91

SHA512
24f04be4c1a400c407067ba4176e52ca1375e5ac5b19ef10b8184010b460108b5a0ad3ed151076ea1a5342dc6f27801d2e3031fdea45daf91cb50a1b078b05a9

Download Submit
C:\Windows\{810B8073-C0B7-4ced-8BF6-A62CFCE81760}.exe

Filesize
344KB

MD5
13e16cab3d82c4ad9f4c79d0630da9b3

SHA1
0a8bf14f5ea530efa134c17d8e83c821328e6d78

SHA256
dc54cf0b3bdcc96964c41452636006adc4bbee06bd7bc4e48bb0f3bc3ab2a7ed

SHA512
14275e6948af0d0b7d8f02edb34ac5a634249ea68a9b536445f121d64b0ddb969a132280be27c5fb0111fec0ca2072b42e19b349e20fa7b838f5bf6014000237

Download Submit
C:\Windows\{932262C1-CEB5-4b29-A1BC-58068FD8E6C0}.exe

Filesize
344KB

MD5
4e135a36be597c1c89c59d1752f38683

SHA1
dc0ce7d219f0632dbbdb56b334268a8272ee1903

SHA256
1911513a03dd435465ac30e955bc3a82cb2e3352b866cdb2f9a97a6dc1f05db9

SHA512
915b71e7086bb79e5aba8f53558daf343cd1a9ed28899d3288390a074b70f7715dc3c321f25ac5d76b51cac57ff248a3743b0e999f9de6ebbb5e9e192af34097

Download Submit
C:\Windows\{99080F73-A76D-47cb-8AB4-E2CF0FA8F284}.exe

Filesize
344KB

MD5
006122581dcc377270f07eb14b1a3963

SHA1
10fb7300483538d5739279df13be2f1c0e17323b

SHA256
47f8cbf0434db21128a2803ecd90971880e2afb1642085d478088cc6084be18f

SHA512
ba3a9536a1dbd2ba78e51120e42d1d376e6f19a620d366bb047d7eb8db001438bb9f370c7f1c1af09a60aa8f8d4a6461cd49a984e46043cd0c94618d4f0f6f39

Download Submit
C:\Windows\{A25D5A59-FAD0-4df3-AC55-5FC64B9BF7BC}.exe

Filesize
344KB

MD5
7e660f2eaa965a5f2becbc4e8a4e0707

SHA1
977175b6cac1e5643f53c56b6c2060d3a2d17c78

SHA256
ce9a243bc5a0d4fee848bfb0963be878d0a8d1684db9680e52636cef776f5b9c

SHA512
7686b53f45ed170a7ca96f1f62800b8608f80b1e13226c88b36d8ba1ef7825f7c0655685080be1eccdf4466c1d9053a7f43e5ac4a1b2e7791794f5a18a7567cc

Download Submit
C:\Windows\{A7C2B7FD-3365-4538-9BEF-0117DF80821C}.exe

Filesize
344KB

MD5
cdd57ee35544951ca0c1f15a4ffe68ab

SHA1
33aa148433bf66f28670390c25731b4fd39a553b

SHA256
79b57be497eec01a5c0723b67e7e3f4cc850ab3948a7166e0d7b24ae037c0b17

SHA512
8847d792d7562098fd328693f5d8d229e046b6ac4372f7bac31628f42a833a76be0544c8b284f89e1055ec93715a3528965bea34b986bf5dbf18c786f7856948

Download Submit
C:\Windows\{C1BAE79B-DB96-4bb7-A037-455FEFC00463}.exe

Filesize
344KB

MD5
aeffff5fa2b0300a0f78683cfdeeddb3

SHA1
383837ed8de1876985ed01377f9b07a2aba547a7

SHA256
5a5d071bef56c09ffa2bc2462d6edced5630f7ffa91fdb9455af07c5f8afed4f

SHA512
8ec3f795bc2ac4cfb034cf509bddfb56b4ed3617cdc9790d9f30506f9e4ec4e008794b97c198776fa6f76b8cb454125d36550a71b806c8aa57b29486396660d5

Download Submit
C:\Windows\{C6C1F97D-257F-4f7c-B451-0E8FFB30DE4C}.exe

Filesize
344KB

MD5
0c5f3348950627ea7a83be38b1438111

SHA1
e1c3a3174d734215a2d1ab12be5d18443275727c

SHA256
19b5c16395b84acbb408a8d72b8d8ddcb819e9b4ff831e0c2a6b3f82c87565a7

SHA512
284f7037f34714d52ac8f7fce689c1d4625d381ae0d535ef680b05160e80808334ddddfaa0d134b931f30d27780987d9c994c47b26eef66ecaf807c0e9d5398b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads