635f65820661cf61e0ec391da3d26ce6a3b62263e3644c3d963b0e3ea6d7ff28

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 09:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe
Size

197KB
MD5

9034592ec0a41b6fa89c54b3b9e484c3
SHA1

0b4217e5921dbb0484d1b60a5abe63376be0d28d
SHA256

635f65820661cf61e0ec391da3d26ce6a3b62263e3644c3d963b0e3ea6d7ff28
SHA512

4dd70f1dd0b79553ffda48b8026da0bbcbb5a7e410fb8908ed20db3f5b308466c552bbe618e1f3a1bd8299e64d209642a295240831446cbeb31c562871f0e63e
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGclEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023139-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002313a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f8-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002313a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231f8-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002313a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231f8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e74e-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231f8-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e74e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023140-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e74e-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26938500-FCAB-4efe-A577-7949DE5F29C0}\stubpath = "C:\\Windows\\{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe"	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9BCDA86-F203-4959-8F7B-D400BA222FE4}	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}\stubpath = "C:\\Windows\\{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe"	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BB33E31-3001-4104-8985-550C050CAFAE}	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BB33E31-3001-4104-8985-550C050CAFAE}\stubpath = "C:\\Windows\\{4BB33E31-3001-4104-8985-550C050CAFAE}.exe"	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}\stubpath = "C:\\Windows\\{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe"	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9BCDA86-F203-4959-8F7B-D400BA222FE4}\stubpath = "C:\\Windows\\{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe"	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5BDAC13-FA61-4514-8A72-2A73EC431889}\stubpath = "C:\\Windows\\{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe"	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6447E08B-8C78-4675-A1EF-8DC86F14616B}	{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26938500-FCAB-4efe-A577-7949DE5F29C0}	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}\stubpath = "C:\\Windows\\{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe"	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0209D73-4C11-4777-AA39-8627848F4E61}\stubpath = "C:\\Windows\\{F0209D73-4C11-4777-AA39-8627848F4E61}.exe"	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6447E08B-8C78-4675-A1EF-8DC86F14616B}\stubpath = "C:\\Windows\\{6447E08B-8C78-4675-A1EF-8DC86F14616B}.exe"	{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{577D86D0-4A20-44cc-8DC6-423D5061B641}\stubpath = "C:\\Windows\\{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe"	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}\stubpath = "C:\\Windows\\{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe"	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5BDAC13-FA61-4514-8A72-2A73EC431889}	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A422AB46-123C-4f5d-89BF-85E008518D2F}	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A422AB46-123C-4f5d-89BF-85E008518D2F}\stubpath = "C:\\Windows\\{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe"	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0209D73-4C11-4777-AA39-8627848F4E61}	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{577D86D0-4A20-44cc-8DC6-423D5061B641}	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe

Executes dropped EXE 12 IoCs

pid	Process
4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe
6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe
3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe
1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe
3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe
4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe
4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe
2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe
4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe
2292	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe
2468	{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe
3624	{6447E08B-8C78-4675-A1EF-8DC86F14616B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe
File created	C:\Windows\{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe
File created	C:\Windows\{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe
File created	C:\Windows\{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe
File created	C:\Windows\{6447E08B-8C78-4675-A1EF-8DC86F14616B}.exe	{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe
File created	C:\Windows\{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe
File created	C:\Windows\{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe
File created	C:\Windows\{F0209D73-4C11-4777-AA39-8627848F4E61}.exe	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe
File created	C:\Windows\{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe
File created	C:\Windows\{4BB33E31-3001-4104-8985-550C050CAFAE}.exe	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe
File created	C:\Windows\{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe
File created	C:\Windows\{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1860	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe
Token: SeIncBasePriorityPrivilege	6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe
Token: SeIncBasePriorityPrivilege	3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe
Token: SeIncBasePriorityPrivilege	1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe
Token: SeIncBasePriorityPrivilege	3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe
Token: SeIncBasePriorityPrivilege	4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe
Token: SeIncBasePriorityPrivilege	4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe
Token: SeIncBasePriorityPrivilege	2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe
Token: SeIncBasePriorityPrivilege	4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe
Token: SeIncBasePriorityPrivilege	2292	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe
Token: SeIncBasePriorityPrivilege	2468	{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4792	1860	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe	93
PID 1860 wrote to memory of 4792	1860	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe	93
PID 1860 wrote to memory of 4792	1860	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe	93
PID 1860 wrote to memory of 2380	1860	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe	94
PID 1860 wrote to memory of 2380	1860	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe	94
PID 1860 wrote to memory of 2380	1860	2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe	94
PID 4792 wrote to memory of 6056	4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe	95
PID 4792 wrote to memory of 6056	4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe	95
PID 4792 wrote to memory of 6056	4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe	95
PID 4792 wrote to memory of 5476	4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe	96
PID 4792 wrote to memory of 5476	4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe	96
PID 4792 wrote to memory of 5476	4792	{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe	96
PID 6056 wrote to memory of 3688	6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe	101
PID 6056 wrote to memory of 3688	6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe	101
PID 6056 wrote to memory of 3688	6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe	101
PID 6056 wrote to memory of 5372	6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe	100
PID 6056 wrote to memory of 5372	6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe	100
PID 6056 wrote to memory of 5372	6056	{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe	100
PID 3688 wrote to memory of 1336	3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe	102
PID 3688 wrote to memory of 1336	3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe	102
PID 3688 wrote to memory of 1336	3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe	102
PID 3688 wrote to memory of 3248	3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe	103
PID 3688 wrote to memory of 3248	3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe	103
PID 3688 wrote to memory of 3248	3688	{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe	103
PID 1336 wrote to memory of 3772	1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe	104
PID 1336 wrote to memory of 3772	1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe	104
PID 1336 wrote to memory of 3772	1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe	104
PID 1336 wrote to memory of 6092	1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe	105
PID 1336 wrote to memory of 6092	1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe	105
PID 1336 wrote to memory of 6092	1336	{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe	105
PID 3772 wrote to memory of 4920	3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe	106
PID 3772 wrote to memory of 4920	3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe	106
PID 3772 wrote to memory of 4920	3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe	106
PID 3772 wrote to memory of 5284	3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe	107
PID 3772 wrote to memory of 5284	3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe	107
PID 3772 wrote to memory of 5284	3772	{F0209D73-4C11-4777-AA39-8627848F4E61}.exe	107
PID 4920 wrote to memory of 4448	4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe	108
PID 4920 wrote to memory of 4448	4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe	108
PID 4920 wrote to memory of 4448	4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe	108
PID 4920 wrote to memory of 3404	4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe	109
PID 4920 wrote to memory of 3404	4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe	109
PID 4920 wrote to memory of 3404	4920	{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe	109
PID 4448 wrote to memory of 2176	4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe	113
PID 4448 wrote to memory of 2176	4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe	113
PID 4448 wrote to memory of 2176	4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe	113
PID 4448 wrote to memory of 1736	4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe	114
PID 4448 wrote to memory of 1736	4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe	114
PID 4448 wrote to memory of 1736	4448	{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe	114
PID 2176 wrote to memory of 4892	2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe	115
PID 2176 wrote to memory of 4892	2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe	115
PID 2176 wrote to memory of 4892	2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe	115
PID 2176 wrote to memory of 2908	2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe	116
PID 2176 wrote to memory of 2908	2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe	116
PID 2176 wrote to memory of 2908	2176	{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe	116
PID 4892 wrote to memory of 2292	4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe	117
PID 4892 wrote to memory of 2292	4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe	117
PID 4892 wrote to memory of 2292	4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe	117
PID 4892 wrote to memory of 808	4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe	118
PID 4892 wrote to memory of 808	4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe	118
PID 4892 wrote to memory of 808	4892	{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe	118
PID 2292 wrote to memory of 2468	2292	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe	119
PID 2292 wrote to memory of 2468	2292	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe	119
PID 2292 wrote to memory of 2468	2292	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe	119
PID 2292 wrote to memory of 1984	2292	{4BB33E31-3001-4104-8985-550C050CAFAE}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9034592ec0a41b6fa89c54b3b9e484c3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe
  C:\Windows\{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe
    C:\Windows\{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5C698~1.EXE > nul
      4⤵
      PID:5372
  - - C:\Windows\{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe
      C:\Windows\{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe
        
        C:\Windows\{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\{F0209D73-4C11-4777-AA39-8627848F4E61}.exe
        
        C:\Windows\{F0209D73-4C11-4777-AA39-8627848F4E61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe
        
        C:\Windows\{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe
        
        C:\Windows\{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe
        
        C:\Windows\{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe
        
        C:\Windows\{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{4BB33E31-3001-4104-8985-550C050CAFAE}.exe
        
        C:\Windows\{4BB33E31-3001-4104-8985-550C050CAFAE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe
        
        C:\Windows\{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{6447E08B-8C78-4675-A1EF-8DC86F14616B}.exe
        
        C:\Windows\{6447E08B-8C78-4675-A1EF-8DC86F14616B}.exe
        13⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5BDA~1.EXE > nul
        13⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BB33~1.EXE > nul
        12⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9BCD~1.EXE > nul
        11⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5273~1.EXE > nul
        10⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{577D8~1.EXE > nul
        9⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A5A~1.EXE > nul
        8⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0209~1.EXE > nul
        7⤵
        
        PID:5284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25C4E~1.EXE > nul
        6⤵
        
        PID:6092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26938~1.EXE > nul
        5⤵
        
        PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A422A~1.EXE > nul
    3⤵
    PID:5476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{25C4E60C-DC88-4767-8C6A-AC11D9822D7B}.exe

Filesize
197KB

MD5
04ae22a89255606878d31744d4e0323d

SHA1
390ffd55c313bf63dac374309b297b1e298da840

SHA256
1d34c88f3b355181d183ae0c993839b22089d4ab38578af05c19de832d8be177

SHA512
a0361e7d4073ee2c2d4146c09ef389e6f5ed2bd6f1f08a18067f082c00abccbd755488bb197710c4576342c5c1c8cb3ccf37e8c3aeb96d85b3dfdf6df6f2d9b7

Download Submit
C:\Windows\{26938500-FCAB-4efe-A577-7949DE5F29C0}.exe

Filesize
197KB

MD5
d9253d087d3f95489f331999131514eb

SHA1
d14a4d0ff7decdc3c7a71c0dcdd708e5130dc846

SHA256
99ac5979ffbb75c6028f1a8ba576859ff2c8cd56ad64bfe7dbe44e83c14e9931

SHA512
e23daf918135bf5a571a345d1136357f43a2f5ae3c1189cf3fb8793ca23a034091db2e8a23aa6e7f3885c55adcb5e731504b99f2c49eee7da918ecf5a7a13474

Download Submit
C:\Windows\{4BB33E31-3001-4104-8985-550C050CAFAE}.exe

Filesize
197KB

MD5
f485d24fb06be24ec4cd22ecb97934a5

SHA1
492f02b489c53749b82d85f25857512db2bb0f62

SHA256
91cc4a394f577ecce2ebf14ce229bd507905a9671bab95e64c97d55b78413c44

SHA512
e67c2adb842ec8a3f0b6a45e3428fa2bc931df67d8593c823dac73dd8d070a0ff314497e6d4d873d8803c77541e184c0d44e9f5d9579dc8e7b28be21c94dc77d

Download Submit
C:\Windows\{577D86D0-4A20-44cc-8DC6-423D5061B641}.exe

Filesize
197KB

MD5
03b6659eeded21dc5e9334eb1427d21c

SHA1
64124f347ba52a0947acafae5c5294f21f2d9b04

SHA256
03c296f53e772e0d5ecb924781d4a7aa122a912f0b410b9c2a98cde4d1b8f1bb

SHA512
311c9e5688f7c1c8004dfe8f5ad544b12fd634e2c7b3aad3c4b0fddc21745de928731ae62682b8138cc17366172edeccd0b3343796fbd4b1acf19af4494fce67

Download Submit
C:\Windows\{5C6980C4-0491-4203-A9DE-695E6A5F5E3C}.exe

Filesize
197KB

MD5
c703123a2aeca9da6d8c55d063e10804

SHA1
5aea84e0765ade480a7d20b8dd6e5bbc26ecf126

SHA256
9880f88274319a549fd79689f2e24d80c57541435e5f0a0ab52485d81ccb2c18

SHA512
098f780a023247ca0e3ec2e897367324623db8785a270cb1515da0288b6212cca2703effffd590c9008c1d12c7ac2c0c23a76cefe2b5e2ac051ab12176569dc7

Download Submit
C:\Windows\{6447E08B-8C78-4675-A1EF-8DC86F14616B}.exe

Filesize
197KB

MD5
38597fea50dd98271a39d647993478e0

SHA1
cda0c470bfac6e4b8069d5d0fa91cebd1f82f029

SHA256
06ea21752d2de44f9efa81cb58d7bd1403fca04a5d74f0ed47db3982552ca82d

SHA512
63435cf0b50573c657fdfc7122fae13a062a391bde98d51c024d4dec53ccc5cf42ea6f1c7ec8fab40a58e25a694bb244a42ff86cc99a9f56397aebf71e277bc8

Download Submit
C:\Windows\{A422AB46-123C-4f5d-89BF-85E008518D2F}.exe

Filesize
197KB

MD5
bdeb9a10644829240479d37ed7404db3

SHA1
cdf141b3cf0c05b4902db6a9231da85990f500d4

SHA256
f2e9dda635d6095590fa971a0dce9e357ab8e5a0519481079264789d79526014

SHA512
014ee6d184f42ed9155e5af7509e6fc8db5dc6f2640d9621cfff352b5f13c570e34011d63ee44c380a1d566e3a83afb9de956c32119e9ba3ea0a3067a9678918

Download Submit
C:\Windows\{C9BCDA86-F203-4959-8F7B-D400BA222FE4}.exe

Filesize
197KB

MD5
64bdc05c47d975afa94a3db56a044bdb

SHA1
816166e76303415795dc6d439e037e3a5db55210

SHA256
cfaee57071b231b7dd368c2d41921e40190a31e8ee67fe1fbb9a32dab3c889e3

SHA512
7b3422591fbfb90702134477d41bfde4095e3b5a6097081ccc67f4c1ce395092c6ec7cc1d2fced350f8cd4350f2bb97dd41e0277fec1f80dfbd057d265dff0a8

Download Submit
C:\Windows\{D4A5A3EF-0AC8-4a27-BC85-4167A5A74169}.exe

Filesize
197KB

MD5
633ddcc329ee85f0e177828c8550717c

SHA1
f436fbbba603dbf133d46c097db489f85d4d3ed8

SHA256
cb834bf9b8651ed4753605f2b41473b6624e3f94e1a5b95be777dc968fa2b045

SHA512
30f23d231616a8e3b0157fa1cfae702e86830b984edab7ce8ed0c848338be1a47e021a4017fc3156c29cb35a25359b47b5a0a1a4b6c7f5af506e140a2edf340c

Download Submit
C:\Windows\{E5273AEA-4E48-40aa-99E4-5EB3491BCC34}.exe

Filesize
197KB

MD5
bf318da6ecdb3540c52a5c66f8408380

SHA1
bae0be80bb8381f1ae416c22426639043914960b

SHA256
bda338e5b2eae050706c36f9a3e448a0f8da2b43d12c5cfaa9fd75e6ce519d18

SHA512
623b3dfdb671db57b21fea3aa634410cb503ffdf022970b97cbad0e4f20e8e05d1b60d2673b6c4468efcd70edfc2ee0b86ebf5e2df07ff90c8a7ecf2297fc349

Download Submit
C:\Windows\{F0209D73-4C11-4777-AA39-8627848F4E61}.exe

Filesize
197KB

MD5
e52345e2b4b14baea8dbba2a37dd49b9

SHA1
4f8da25fb89fc5091aa5cd8587045e6423db0415

SHA256
749e26c7472444ff7b7fbe92c580d65ffc1376b795e5f19636522b4e7d6ede1a

SHA512
caa0834644fc07f2e5cd6e836291832876b3e92158be17c75e2f21db6aad8e05c65e2bba1b145c5dd1232c6a8167de3cc22948f4f061e3bfbf40dc2fc02b51a3

Download Submit
C:\Windows\{F5BDAC13-FA61-4514-8A72-2A73EC431889}.exe

Filesize
197KB

MD5
34f97e2ec0acfd201056150e6bec9e54

SHA1
874686699efcc06b90c115305cdb387030e77a2c

SHA256
3a0e37edbbcf528555e952508acf18e465291bbd0998f99f432d89712a3d0b3e

SHA512
f81ebfc6ed8abb9234966ab9fbbf7ede7867fc547097c1da103a3d4ce189973dd319735d9cd8eed782dd05fba4716b8f24433237ecc6998c7277f2afcff937f8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads