2c2a2fb770897e71eb15e7ed9441a196f18112d4c8f11ed5b77475af39bfc452

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Size

168KB
MD5

6be0c56305dec263b8fc35e66ff8219d
SHA1

a43ccf20b0bee6f8de6b3a7aa54f6c2fe5082477
SHA256

2c2a2fb770897e71eb15e7ed9441a196f18112d4c8f11ed5b77475af39bfc452
SHA512

86e1cf7cdecec60fc76e89c27d24bdf63bd854d9bdf4b1f6e4db8930b961afdf91d5b891b2c656adee80ba8fb8bda2bb2397adc46c49e3d4ca7f219780b259d6
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023222-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022777-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023222-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022777-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023222-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022777-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023222-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022777-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321f-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022777-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}\stubpath = "C:\\Windows\\{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe"	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6642E29-49D6-4edc-B088-268FE084667F}	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6642E29-49D6-4edc-B088-268FE084667F}\stubpath = "C:\\Windows\\{D6642E29-49D6-4edc-B088-268FE084667F}.exe"	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F02A727F-0B64-42db-BF1A-36797F5D7D2E}\stubpath = "C:\\Windows\\{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe"	{D6642E29-49D6-4edc-B088-268FE084667F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7AA1320-7B27-4806-94B4-59883B6FE954}\stubpath = "C:\\Windows\\{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe"	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A08A58C0-66EA-4282-AD7F-9759BCA556CF}\stubpath = "C:\\Windows\\{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe"	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}\stubpath = "C:\\Windows\\{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe"	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7221AA6-9687-48d6-8875-556C33B74EB6}	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}\stubpath = "C:\\Windows\\{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}.exe"	{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}\stubpath = "C:\\Windows\\{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe"	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F02A727F-0B64-42db-BF1A-36797F5D7D2E}	{D6642E29-49D6-4edc-B088-268FE084667F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F38ABC46-80F1-4a72-8518-3C4FC43557F7}	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8797D374-E29E-4fc4-BBAC-371D171AA0CB}	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F38ABC46-80F1-4a72-8518-3C4FC43557F7}\stubpath = "C:\\Windows\\{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe"	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A08A58C0-66EA-4282-AD7F-9759BCA556CF}	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8797D374-E29E-4fc4-BBAC-371D171AA0CB}\stubpath = "C:\\Windows\\{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe"	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7221AA6-9687-48d6-8875-556C33B74EB6}\stubpath = "C:\\Windows\\{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe"	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}	{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7AA1320-7B27-4806-94B4-59883B6FE954}	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F54971-2BAB-43e5-B0DB-570F582E1989}	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F54971-2BAB-43e5-B0DB-570F582E1989}\stubpath = "C:\\Windows\\{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe"	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe

Executes dropped EXE 12 IoCs

pid	Process
1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe
864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe
1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe
3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe
1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe
2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe
5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe
4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe
4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe
628	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe
2324	{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe
4676	{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe
File created	C:\Windows\{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe
File created	C:\Windows\{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe
File created	C:\Windows\{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe
File created	C:\Windows\{D6642E29-49D6-4edc-B088-268FE084667F}.exe	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe
File created	C:\Windows\{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe
File created	C:\Windows\{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}.exe	{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe
File created	C:\Windows\{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
File created	C:\Windows\{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe	{D6642E29-49D6-4edc-B088-268FE084667F}.exe
File created	C:\Windows\{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe
File created	C:\Windows\{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe
File created	C:\Windows\{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3860	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe
Token: SeIncBasePriorityPrivilege	864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe
Token: SeIncBasePriorityPrivilege	1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe
Token: SeIncBasePriorityPrivilege	3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe
Token: SeIncBasePriorityPrivilege	1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe
Token: SeIncBasePriorityPrivilege	2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe
Token: SeIncBasePriorityPrivilege	5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe
Token: SeIncBasePriorityPrivilege	4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe
Token: SeIncBasePriorityPrivilege	4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe
Token: SeIncBasePriorityPrivilege	628	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe
Token: SeIncBasePriorityPrivilege	2324	{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 1948	3860	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	94
PID 3860 wrote to memory of 1948	3860	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	94
PID 3860 wrote to memory of 1948	3860	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	94
PID 3860 wrote to memory of 3476	3860	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	95
PID 3860 wrote to memory of 3476	3860	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	95
PID 3860 wrote to memory of 3476	3860	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	95
PID 1948 wrote to memory of 864	1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe	96
PID 1948 wrote to memory of 864	1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe	96
PID 1948 wrote to memory of 864	1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe	96
PID 1948 wrote to memory of 3180	1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe	97
PID 1948 wrote to memory of 3180	1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe	97
PID 1948 wrote to memory of 3180	1948	{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe	97
PID 864 wrote to memory of 1700	864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe	101
PID 864 wrote to memory of 1700	864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe	101
PID 864 wrote to memory of 1700	864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe	101
PID 864 wrote to memory of 3160	864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe	100
PID 864 wrote to memory of 3160	864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe	100
PID 864 wrote to memory of 3160	864	{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe	100
PID 1700 wrote to memory of 3696	1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe	103
PID 1700 wrote to memory of 3696	1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe	103
PID 1700 wrote to memory of 3696	1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe	103
PID 1700 wrote to memory of 2532	1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe	104
PID 1700 wrote to memory of 2532	1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe	104
PID 1700 wrote to memory of 2532	1700	{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe	104
PID 3696 wrote to memory of 1584	3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe	105
PID 3696 wrote to memory of 1584	3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe	105
PID 3696 wrote to memory of 1584	3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe	105
PID 3696 wrote to memory of 2624	3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe	106
PID 3696 wrote to memory of 2624	3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe	106
PID 3696 wrote to memory of 2624	3696	{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe	106
PID 1584 wrote to memory of 2420	1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe	107
PID 1584 wrote to memory of 2420	1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe	107
PID 1584 wrote to memory of 2420	1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe	107
PID 1584 wrote to memory of 1448	1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe	108
PID 1584 wrote to memory of 1448	1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe	108
PID 1584 wrote to memory of 1448	1584	{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe	108
PID 2420 wrote to memory of 5032	2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe	109
PID 2420 wrote to memory of 5032	2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe	109
PID 2420 wrote to memory of 5032	2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe	109
PID 2420 wrote to memory of 384	2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe	110
PID 2420 wrote to memory of 384	2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe	110
PID 2420 wrote to memory of 384	2420	{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe	110
PID 5032 wrote to memory of 4536	5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe	111
PID 5032 wrote to memory of 4536	5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe	111
PID 5032 wrote to memory of 4536	5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe	111
PID 5032 wrote to memory of 4988	5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe	112
PID 5032 wrote to memory of 4988	5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe	112
PID 5032 wrote to memory of 4988	5032	{D6642E29-49D6-4edc-B088-268FE084667F}.exe	112
PID 4536 wrote to memory of 4996	4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe	113
PID 4536 wrote to memory of 4996	4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe	113
PID 4536 wrote to memory of 4996	4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe	113
PID 4536 wrote to memory of 1152	4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe	114
PID 4536 wrote to memory of 1152	4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe	114
PID 4536 wrote to memory of 1152	4536	{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe	114
PID 4996 wrote to memory of 628	4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe	115
PID 4996 wrote to memory of 628	4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe	115
PID 4996 wrote to memory of 628	4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe	115
PID 4996 wrote to memory of 3520	4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe	116
PID 4996 wrote to memory of 3520	4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe	116
PID 4996 wrote to memory of 3520	4996	{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe	116
PID 628 wrote to memory of 2324	628	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe	117
PID 628 wrote to memory of 2324	628	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe	117
PID 628 wrote to memory of 2324	628	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe	117
PID 628 wrote to memory of 3236	628	{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe
  C:\Windows\{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe
    C:\Windows\{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{91652~1.EXE > nul
      4⤵
      PID:3160
  - - C:\Windows\{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe
      C:\Windows\{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe
        
        C:\Windows\{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe
        
        C:\Windows\{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe
        
        C:\Windows\{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{D6642E29-49D6-4edc-B088-268FE084667F}.exe
        
        C:\Windows\{D6642E29-49D6-4edc-B088-268FE084667F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe
        
        C:\Windows\{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe
        
        C:\Windows\{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe
        
        C:\Windows\{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe
        
        C:\Windows\{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}.exe
        
        C:\Windows\{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}.exe
        13⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7221~1.EXE > nul
        13⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2271~1.EXE > nul
        12⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8797D~1.EXE > nul
        11⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F02A7~1.EXE > nul
        10⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6642~1.EXE > nul
        9⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F69E~1.EXE > nul
        8⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A08A5~1.EXE > nul
        7⤵
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F38AB~1.EXE > nul
        6⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3F54~1.EXE > nul
        5⤵
        
        PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B7AA1~1.EXE > nul
    3⤵
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F69E6B0-2F9F-40a9-B4F9-41207E18557A}.exe

Filesize
168KB

MD5
46f34e4ef33a98c4c9751ff20b188503

SHA1
af2fe1cbc62782219b517615c81fa5d4790311ca

SHA256
8f8a23dec5883ed50cdcdd4984ff1e0e6114e2e6f694d08b1c06f39fd4fe0769

SHA512
1608f9cbfc9a4d5837da43f8b640fe398bf4448f132ae0c414bf07aeca65431daa6b56456f52884bf09c1384c74ab77ce45025a93ddd31e9abb7d3725f5c59c3

Download Submit
C:\Windows\{8797D374-E29E-4fc4-BBAC-371D171AA0CB}.exe

Filesize
168KB

MD5
81fe3f79dc589812ab87b41947d6b260

SHA1
3782410faded7f88a43be8c8883c0138921eb176

SHA256
b53b5da75e8947d12864f9e7a9ce991f5ec70b3623156626d51acd98ed34babb

SHA512
1787d5860755e38a7ea605d3454eb794114ee4875f3d82e93d7dd8b4210d73054382bd533c0e6fbd6269b34aeaa9acc77beada395d4090f3acf1de2fd3e78d66

Download Submit
C:\Windows\{916524CC-CD44-4ce1-8FB2-CE2F5B980D95}.exe

Filesize
168KB

MD5
acb39c90f8469676b26446e759663119

SHA1
29086b84eaad42bee7cc742b2f96c223c2aab784

SHA256
379f1363a59f715bbd9fd33a2d19938c64301c6db07fe9d26761a3e4c1eb2c21

SHA512
36a85e02332a54804554b0d309af7b9a819962749fe11e3b46c7ea1a6cf7d3049be6d280326c6c0996f102c1d1130a1248cabe65a945dfb74b1370e3f9476cf4

Download Submit
C:\Windows\{A08A58C0-66EA-4282-AD7F-9759BCA556CF}.exe

Filesize
168KB

MD5
03f2c5df73bd61f88b546a673ab2e7a1

SHA1
0f849d2edba989898c8a78b90c75a9b96503d608

SHA256
07120501b524ee9a763cf743a991ddd7bdf7ab5ea70ca5455eff3011f9f3c386

SHA512
02f54ee46c30d7ae3f310fb53f63985d03e7f51aec791c022f14277d21d2325d28ab6cda64777b07bb64e392ef246e7b6719886649c356dea02facf7755deffc

Download Submit
C:\Windows\{A6E9BD2E-A803-4f6e-8BAC-D07463E75950}.exe

Filesize
168KB

MD5
431b1607c900b82a9a4fb744ff1f4a5d

SHA1
fc57319465c1b98a049c4737d38527657e8bb958

SHA256
492d473e136f3ffd3d0a1f031b927ea3fdc06479f37c3939f879cba4b206fd23

SHA512
b60bb601e28ca7944c68ae745d3d020487c27d1ef04d30033c773cb2b5513aecf0ee39a27f2d1bb21ff14023d53d7e505551ca52ad5593c25e7c6f726d5b78a7

Download Submit
C:\Windows\{A7221AA6-9687-48d6-8875-556C33B74EB6}.exe

Filesize
168KB

MD5
ba6458fb5af85af044a64d311199dc93

SHA1
0a73e1a384661b758764304835ef1db46afb88eb

SHA256
63cf8e64d809d7b37d8c68b97b32db7fac16ee815f7a4e46b3541c19d6566faa

SHA512
eea6e5fd696bb00f5f8bc87aa84a99ad51bcd13d39dc67fd71d7b7fe5395837306edaf8cfc781441432238210f8d50ed0ea38dfdb5fb2a205d4572239ea7fb29

Download Submit
C:\Windows\{B7AA1320-7B27-4806-94B4-59883B6FE954}.exe

Filesize
168KB

MD5
4b6a4f9d6b0ec497f13126e7642a34ba

SHA1
d6a7a6222f11c07d1fc480ba66b8f50d75e48ece

SHA256
20668af062644e4580bc916a2fc9d35ff7393d540d50563164ebd72ac987e2d8

SHA512
8f686b5c9f8740fff81dee4f3e919b0bde06a2eef9fb355c4fc1cdbae597fc7021d831e0d1ca597025b8d3a02b95c413d3500cefb10a7006d6c7affc2353a317

Download Submit
C:\Windows\{D6642E29-49D6-4edc-B088-268FE084667F}.exe

Filesize
168KB

MD5
5be202961ecf148597dc9d3fd9f7d880

SHA1
4d5cac3ff8dd9ec2fd48c1def079abb16a4db6d3

SHA256
e04c4e14bef8b38e141fe825ab3b9e39b80d555ff1b725118b8e31d68ce6d616

SHA512
7ba2d491447b1c035bd011bc7385c3486ef80aeabf9cb2d20b8ca9de688456b4f8ac70f8cf01b1097fa01f6ca72db19d79d9b2023fe177929514c52e2461f098

Download Submit
C:\Windows\{E2271FBF-DA9A-4eb2-88A5-2FA7F86EC875}.exe

Filesize
168KB

MD5
cf71c231259ee4b404dbea0f5a2514d1

SHA1
acd6269b2c890aa93fb0e77d3d8f74caecadb85c

SHA256
2748663d6e75514b0e58ca6f95b11b278122455f50dcc93812890d8818a52db2

SHA512
78c6ac3cd3f9962a008b989c8380d60474aa29218a5b0e21f6a112e16b15d1c976bcff0c6a58be3ce809fa100e1fc9ae2a60af895b83fef8b2544f314b1d7109

Download Submit
C:\Windows\{F02A727F-0B64-42db-BF1A-36797F5D7D2E}.exe

Filesize
168KB

MD5
d519d6889127a0ca70fb20e9263fd0b7

SHA1
76a95645a32eb10ea1e61aba663bb86753d5ef58

SHA256
4f136b6abd17aa7c88f84fc5fe806a689080cf000590283448f383a546db13be

SHA512
5df05e17a7827e18d730ee9a8d053e6e5cf27a4c2b7887d6d84f386c09490ac1e1a8302c2659b2278d179c5bb0e2bcdb1afd3ab27da03dece6b7b1ec2e6d292b

Download Submit
C:\Windows\{F38ABC46-80F1-4a72-8518-3C4FC43557F7}.exe

Filesize
168KB

MD5
4ce7f5353bb5105261ba12e3dcc18f77

SHA1
7b98b2c18784ccf71d07520eb517bfc43e975f30

SHA256
3d9f73fbcd7c785da469297c1a67fddbe42cd4003757e6c5bef416b0193653e5

SHA512
b667d7d1bf900c65b1e932740e1ba856139a4aa218339af0ffce8c0b95123124bb7b591e29b9625fc98eaace7735dd1ba6a78bd90f139789c642dc3214cfc2be

Download Submit
C:\Windows\{F3F54971-2BAB-43e5-B0DB-570F582E1989}.exe

Filesize
168KB

MD5
214694b15adef7e16038262f285ddc4d

SHA1
f1342c964cf91d1901e3237e77d981f104471b1b

SHA256
44d6689cd96ef5c61805d2f1ada9e7d3d75ebe18a2cdaa79e71fe7da71b72bf9

SHA512
255e8887cfd728f4fdc02478d00fd591d0c30ee4a875a104133fb7d5fb48cc91374f5b8f47d63606b9b4ce3e813b8e31b0c61fff2d7e707f118932ec176964ab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads