8fea7d5c32632573a2d4f418e43e4f76f9b37fe150ea637576f609aa8e3a5756

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe
Size

197KB
MD5

ac606f4daf1cad27cae379c7523d0a4b
SHA1

f351f1bcebf20c75906af1c23075c93f893c9c92
SHA256

8fea7d5c32632573a2d4f418e43e4f76f9b37fe150ea637576f609aa8e3a5756
SHA512

c29459f682e8802fecae2e08ad356d82cafda987b00a32c843f7fc3c64a9ddf0e2ab4cc15b460462a65c1c3dc15470d929ae0d3d4bf7a1208abc96de884509df
SSDEEP

3072:jEGh0oMl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGClEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023203-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023206-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002311b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023206-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002311b-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023206-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002311b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023206-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002311b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023211-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002311b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320a-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7349FE1E-3634-4126-B409-C35FB2C3AC1C}\stubpath = "C:\\Windows\\{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe"	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D84C4B-1B99-4d42-B143-805E173DDF13}	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D84C4B-1B99-4d42-B143-805E173DDF13}\stubpath = "C:\\Windows\\{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe"	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C185169A-BF53-404b-B97C-5A7C7252989F}\stubpath = "C:\\Windows\\{C185169A-BF53-404b-B97C-5A7C7252989F}.exe"	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{018DAC15-425F-483c-BFEF-2AC3EA6D5716}	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09C44658-4A66-4523-A230-F27FE3BD09F0}	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09C44658-4A66-4523-A230-F27FE3BD09F0}\stubpath = "C:\\Windows\\{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe"	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7CADF37-5D28-4140-A30E-3D30384FC410}\stubpath = "C:\\Windows\\{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe"	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}	{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}\stubpath = "C:\\Windows\\{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe"	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65ABC244-2A7D-4540-9BF9-D2350395FE0F}	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7CADF37-5D28-4140-A30E-3D30384FC410}	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453453DC-DBCE-44d8-B8D3-56004A816A0E}\stubpath = "C:\\Windows\\{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe"	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}\stubpath = "C:\\Windows\\{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}.exe"	{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}\stubpath = "C:\\Windows\\{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe"	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{018DAC15-425F-483c-BFEF-2AC3EA6D5716}\stubpath = "C:\\Windows\\{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe"	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65ABC244-2A7D-4540-9BF9-D2350395FE0F}\stubpath = "C:\\Windows\\{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe"	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453453DC-DBCE-44d8-B8D3-56004A816A0E}	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7349FE1E-3634-4126-B409-C35FB2C3AC1C}	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}\stubpath = "C:\\Windows\\{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe"	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C185169A-BF53-404b-B97C-5A7C7252989F}	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe
3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe
3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe
2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe
2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe
3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe
2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe
5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe
5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe
644	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe
536	{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe
5072	{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe
File created	C:\Windows\{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe
File created	C:\Windows\{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe
File created	C:\Windows\{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe
File created	C:\Windows\{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe
File created	C:\Windows\{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}.exe	{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe
File created	C:\Windows\{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe
File created	C:\Windows\{C185169A-BF53-404b-B97C-5A7C7252989F}.exe	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe
File created	C:\Windows\{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe
File created	C:\Windows\{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe
File created	C:\Windows\{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe
File created	C:\Windows\{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3944	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe
Token: SeIncBasePriorityPrivilege	3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe
Token: SeIncBasePriorityPrivilege	3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe
Token: SeIncBasePriorityPrivilege	2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe
Token: SeIncBasePriorityPrivilege	2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe
Token: SeIncBasePriorityPrivilege	3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe
Token: SeIncBasePriorityPrivilege	2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe
Token: SeIncBasePriorityPrivilege	5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe
Token: SeIncBasePriorityPrivilege	5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe
Token: SeIncBasePriorityPrivilege	644	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe
Token: SeIncBasePriorityPrivilege	536	{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3384	3944	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe	93
PID 3944 wrote to memory of 3384	3944	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe	93
PID 3944 wrote to memory of 3384	3944	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe	93
PID 3944 wrote to memory of 536	3944	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe	94
PID 3944 wrote to memory of 536	3944	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe	94
PID 3944 wrote to memory of 536	3944	2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe	94
PID 3384 wrote to memory of 3524	3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe	95
PID 3384 wrote to memory of 3524	3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe	95
PID 3384 wrote to memory of 3524	3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe	95
PID 3384 wrote to memory of 2176	3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe	96
PID 3384 wrote to memory of 2176	3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe	96
PID 3384 wrote to memory of 2176	3384	{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe	96
PID 3524 wrote to memory of 3560	3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe	100
PID 3524 wrote to memory of 3560	3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe	100
PID 3524 wrote to memory of 3560	3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe	100
PID 3524 wrote to memory of 3636	3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe	101
PID 3524 wrote to memory of 3636	3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe	101
PID 3524 wrote to memory of 3636	3524	{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe	101
PID 3560 wrote to memory of 2784	3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe	102
PID 3560 wrote to memory of 2784	3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe	102
PID 3560 wrote to memory of 2784	3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe	102
PID 3560 wrote to memory of 1112	3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe	103
PID 3560 wrote to memory of 1112	3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe	103
PID 3560 wrote to memory of 1112	3560	{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe	103
PID 2784 wrote to memory of 2320	2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe	104
PID 2784 wrote to memory of 2320	2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe	104
PID 2784 wrote to memory of 2320	2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe	104
PID 2784 wrote to memory of 4872	2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe	105
PID 2784 wrote to memory of 4872	2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe	105
PID 2784 wrote to memory of 4872	2784	{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe	105
PID 2320 wrote to memory of 3548	2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe	106
PID 2320 wrote to memory of 3548	2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe	106
PID 2320 wrote to memory of 3548	2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe	106
PID 2320 wrote to memory of 3956	2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe	107
PID 2320 wrote to memory of 3956	2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe	107
PID 2320 wrote to memory of 3956	2320	{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe	107
PID 3548 wrote to memory of 2912	3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe	108
PID 3548 wrote to memory of 2912	3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe	108
PID 3548 wrote to memory of 2912	3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe	108
PID 3548 wrote to memory of 3984	3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe	109
PID 3548 wrote to memory of 3984	3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe	109
PID 3548 wrote to memory of 3984	3548	{C185169A-BF53-404b-B97C-5A7C7252989F}.exe	109
PID 2912 wrote to memory of 5012	2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe	110
PID 2912 wrote to memory of 5012	2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe	110
PID 2912 wrote to memory of 5012	2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe	110
PID 2912 wrote to memory of 4480	2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe	111
PID 2912 wrote to memory of 4480	2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe	111
PID 2912 wrote to memory of 4480	2912	{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe	111
PID 5012 wrote to memory of 5036	5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe	112
PID 5012 wrote to memory of 5036	5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe	112
PID 5012 wrote to memory of 5036	5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe	112
PID 5012 wrote to memory of 4980	5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe	113
PID 5012 wrote to memory of 4980	5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe	113
PID 5012 wrote to memory of 4980	5012	{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe	113
PID 5036 wrote to memory of 644	5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe	114
PID 5036 wrote to memory of 644	5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe	114
PID 5036 wrote to memory of 644	5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe	114
PID 5036 wrote to memory of 840	5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe	115
PID 5036 wrote to memory of 840	5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe	115
PID 5036 wrote to memory of 840	5036	{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe	115
PID 644 wrote to memory of 536	644	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe	116
PID 644 wrote to memory of 536	644	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe	116
PID 644 wrote to memory of 536	644	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe	116
PID 644 wrote to memory of 3632	644	{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_ac606f4daf1cad27cae379c7523d0a4b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe
  C:\Windows\{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe
    C:\Windows\{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe
      C:\Windows\{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe
        
        C:\Windows\{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe
        
        C:\Windows\{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{C185169A-BF53-404b-B97C-5A7C7252989F}.exe
        
        C:\Windows\{C185169A-BF53-404b-B97C-5A7C7252989F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe
        
        C:\Windows\{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe
        
        C:\Windows\{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe
        
        C:\Windows\{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe
        
        C:\Windows\{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe
        
        C:\Windows\{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}.exe
        
        C:\Windows\{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}.exe
        13⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45345~1.EXE > nul
        13⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7CAD~1.EXE > nul
        12⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09C44~1.EXE > nul
        11⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65ABC~1.EXE > nul
        10⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{018DA~1.EXE > nul
        9⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1851~1.EXE > nul
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB247~1.EXE > nul
        7⤵
        
        PID:3956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79D84~1.EXE > nul
        6⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5687F~1.EXE > nul
        5⤵
        
        PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D1CE~1.EXE > nul
      4⤵
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7349F~1.EXE > nul
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{018DAC15-425F-483c-BFEF-2AC3EA6D5716}.exe

Filesize
197KB

MD5
c8bdd88d249af6557b3e1b2b187a2604

SHA1
c4a534b1af7e21ded700b53190d89b30223ac446

SHA256
b3e6c2f3763309fcd50395377771f868148447c1cb89470551496217ff3adf3c

SHA512
c4a2b76b372cbfb6bcd5fa25eb129e12f8809c32418fef6db09d6e1f6fee583aa735ee088fa7cda962615726812f23954f805a9f3667cf2d971b7851531779e5

Download Submit
C:\Windows\{09C44658-4A66-4523-A230-F27FE3BD09F0}.exe

Filesize
197KB

MD5
578dc7b8b137bcaf274117d2a6fbf550

SHA1
d6297365996a99e323ca4a584b8a9488115afab8

SHA256
3163d3637146d55b82f5e2fc42a5726ed3cc98bfd2264a957179c01e2334b0ff

SHA512
e380b36b282846af2da0d360b08ace1f5a3a79c0fe978fbbcdda17cb3e2a491c6eac8c087b2192e24bbcca394042394f8df77674a5d53f769d7ca137c2a1ec1b

Download Submit
C:\Windows\{2D1CE55B-A5A5-41a9-A739-E0D80324EFCE}.exe

Filesize
197KB

MD5
b11a0d59a12312e6df77674428ad905b

SHA1
994deac31308b54fbe74447f140145103fa7840d

SHA256
20a66d394c047a2fa215275f5b1bb26f27536737b156eb452d673acb47eadcd9

SHA512
aa6682c270e16b83b3255b976b974f31856ed38ed7d9f08a5127660ac09e86f2861b53cd4a17b9af9cc7cab5bed3b66cd6b223ca7d0f786421d9e0344173ca7d

Download Submit
C:\Windows\{453453DC-DBCE-44d8-B8D3-56004A816A0E}.exe

Filesize
197KB

MD5
0cef87bfc275639f487df924573089d2

SHA1
9fe5958829ec9122930cfa0da468362d5b61d35e

SHA256
2c3967fb0c8f9ada8c79bca6bdb2e47eeca0e5ff0a75e066dcb2cbceaf3bd30c

SHA512
e2661a8870383c95b7876cd96e6127ce6f1bcf52f27db454f40ca322869c1149c79df46e541b0adb4314a9e241be3906150973d73d7e8da1cc87fc5e4ee831cc

Download Submit
C:\Windows\{5687F832-2ED1-456a-9B6B-9AF10DDE38E2}.exe

Filesize
197KB

MD5
6f2462c0d6ddcef1a659be7ff3268e65

SHA1
9491dae4eb440d7d6ec02d6128fe042d77ecab48

SHA256
af52788a4e55f43509580dab91fcdcef86d9c1ad7590c70c597ce812266d7eb5

SHA512
1a4d6faeafe077c0af401ed3dc4fe252b4e76719ba0787a57b1a56547b465e8789c4a60798e2f149f3490eccc7a48cba758d37bfdfc72f8daac701a98945ad99

Download Submit
C:\Windows\{65ABC244-2A7D-4540-9BF9-D2350395FE0F}.exe

Filesize
197KB

MD5
75d489e97ae48e817c44fce90bfb0b6f

SHA1
34f075415760018a589e2b23590ba2a1184432de

SHA256
2a5b053208939c06fed969086006a6f904d9c1c006397cbbf7aaa796cd021d63

SHA512
e283ae1d27eb6e3ea0ebd5b3f54adf141848384fc513e1c1a387132f07a050886e55b333d5f5476da838c421848169e2f4aa55967d7143cc6022e22d153d3c56

Download Submit
C:\Windows\{7349FE1E-3634-4126-B409-C35FB2C3AC1C}.exe

Filesize
197KB

MD5
8d1828c610132e26582c5c531f52bd9e

SHA1
d83c32e65d1ada88a9a6017d4a62731b7f6b1057

SHA256
3fdc533ea4fa5141d2233670d948d98b48f634172fad3c98ab108549e24e664e

SHA512
019ee01aa54680d91d25d5a28b1554c782c29d30e81711d6b21741654b230b84768b0f1f3b06ee03d3f57600ce6c718ddbc9b8d74a69914cf64795d023bedfda

Download Submit
C:\Windows\{79D84C4B-1B99-4d42-B143-805E173DDF13}.exe

Filesize
197KB

MD5
f58dc74a5d50185caa1ebf9b313bcf57

SHA1
e79bdcaadeb2044ed465c8bf34d29f51237aef75

SHA256
4dd300cdb8505090d8e7282fb8c2e5c4d9c220c87877345bbe896077a15fd5a1

SHA512
e38658008a8ba6388e5add3a7d9656904a2f8c9c38be780544b0bb0692ec35d6c5f5d0bf50c832bd216273675623d7828df48665691a09d450900ca96e40217e

Download Submit
C:\Windows\{C185169A-BF53-404b-B97C-5A7C7252989F}.exe

Filesize
197KB

MD5
69c9f25d2c701b676ef6d4f365df43e2

SHA1
0025ff6241f9d84db44d4f3f9ab5753ef335404c

SHA256
6ca3ac04c9f509613a9fe8840eb53e57abb518b85435fbf7b9814ab93a1899d6

SHA512
811d6c427bef43ae242991680aef8056796b52ddc9fdfedd89f617fe674220632ebf0a2398f6ceef40b3e61af5824bc8e17353069e4f0bd25bf5c33f226a8fc1

Download Submit
C:\Windows\{CC68D9C8-1ACC-4791-8CEB-EB4C3BD7DC68}.exe

Filesize
197KB

MD5
ab09a7bd24b7f5ef4f906b4efac3ce29

SHA1
ed95d4a0ef411d84360533bcb9d55429735eab7b

SHA256
6057080a8e31f1ed9c0c1461161c951834d30759c29a35cdd02275c22055f5c4

SHA512
1993e9017c83bc311d12b0d31c6bc05b3ebb2d853e54df5fcdf4fb7437a5130c2e9a76d3807b6d7b20c3b51059d77a8043242bf7e55db1674f057e2dbdaa2c4d

Download Submit
C:\Windows\{D7CADF37-5D28-4140-A30E-3D30384FC410}.exe

Filesize
197KB

MD5
a0261bf6f7774a13e807b34d845ecb8f

SHA1
913f30c91920dfc7d58602705f97c40a85c1024a

SHA256
3c5f67e5c80646b15f9a3e8a7a75711acd1e2b71a021590d4da39b28ba5763b1

SHA512
845ebec0e93e3a99c114d57ae6a8893af4450740b8a7cfa636951c7bd66342f3f30a9c3f5c5867431aa16db6f6f4dc4f430bed71d31ab31555ef0691a895d693

Download Submit
C:\Windows\{FB2471EC-5F7F-435d-9FA6-D14EEA9E6C8F}.exe

Filesize
197KB

MD5
d929e376e42940370a5d79d467efbc28

SHA1
49295c8fe220ff78bda2cc38a4fc9177edecd685

SHA256
5bf07e4bb4d1aed9c7f5d656701925df8c3b8e6ee2f6d58cc20f53473686c22a

SHA512
eb022ebdaddfbc304543bd0e2ca2a4fbd20d6b68082234dd7ebf07b7013972152d01df43877aa37886ac4518cb7f00390b7c5b78a774e239424a35cde2e44188

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads