319e1190a43ab6ab118fc2cd3af5903ba142272a9278453ddb1aecb5a1909065

Analysis

max time kernel
149s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe
Size

344KB
MD5

de3c3c404f19366bdf36ebd7fcbe6df0
SHA1

179cf0c7e9a9c2d0ab3e5b8ad94202595129c676
SHA256

319e1190a43ab6ab118fc2cd3af5903ba142272a9278453ddb1aecb5a1909065
SHA512

e256024843d516f800733d8b484307a488c3d1113d6a6cff0cec087eb26aac91011d46572f99fb79d24241354096c8371e701b6dcc0829003c24e165e15e769a
SSDEEP

3072:mEGh0oelEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002322a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322b-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e743-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e743-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002322b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e743-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002322b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e743-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002322b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e743-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002322b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}\stubpath = "C:\\Windows\\{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe"	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}\stubpath = "C:\\Windows\\{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe"	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3DC2053-3980-456f-8705-A079077355B1}	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBB2A898-ADCF-4026-BEFD-A29D110B4691}\stubpath = "C:\\Windows\\{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe"	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66DC7578-AFAD-4c25-83DD-E7726F42B96C}\stubpath = "C:\\Windows\\{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe"	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97F4415C-90D5-48d9-AACF-531544969B67}	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74DEB13-9689-4633-ADE7-F6530E3D3C08}\stubpath = "C:\\Windows\\{A74DEB13-9689-4633-ADE7-F6530E3D3C08}.exe"	{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97F4415C-90D5-48d9-AACF-531544969B67}\stubpath = "C:\\Windows\\{97F4415C-90D5-48d9-AACF-531544969B67}.exe"	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}\stubpath = "C:\\Windows\\{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe"	{97F4415C-90D5-48d9-AACF-531544969B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74DEB13-9689-4633-ADE7-F6530E3D3C08}	{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}	{97F4415C-90D5-48d9-AACF-531544969B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3DC2053-3980-456f-8705-A079077355B1}\stubpath = "C:\\Windows\\{D3DC2053-3980-456f-8705-A079077355B1}.exe"	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}\stubpath = "C:\\Windows\\{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe"	{D3DC2053-3980-456f-8705-A079077355B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9F7D8FB-CF95-4047-8F55-9052473D8B90}	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9F7D8FB-CF95-4047-8F55-9052473D8B90}\stubpath = "C:\\Windows\\{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe"	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE844B59-5A7B-439b-B383-A02086F2D266}	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}\stubpath = "C:\\Windows\\{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe"	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}	{D3DC2053-3980-456f-8705-A079077355B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBB2A898-ADCF-4026-BEFD-A29D110B4691}	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66DC7578-AFAD-4c25-83DD-E7726F42B96C}	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE844B59-5A7B-439b-B383-A02086F2D266}\stubpath = "C:\\Windows\\{DE844B59-5A7B-439b-B383-A02086F2D266}.exe"	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe
3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe
1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe
3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe
1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe
5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe
3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe
548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe
1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe
3016	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe
3852	{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe
2296	{A74DEB13-9689-4633-ADE7-F6530E3D3C08}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe
File created	C:\Windows\{DE844B59-5A7B-439b-B383-A02086F2D266}.exe	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe
File created	C:\Windows\{A74DEB13-9689-4633-ADE7-F6530E3D3C08}.exe	{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe
File created	C:\Windows\{D3DC2053-3980-456f-8705-A079077355B1}.exe	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe
File created	C:\Windows\{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe	{D3DC2053-3980-456f-8705-A079077355B1}.exe
File created	C:\Windows\{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe
File created	C:\Windows\{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe
File created	C:\Windows\{97F4415C-90D5-48d9-AACF-531544969B67}.exe	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe
File created	C:\Windows\{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe	{97F4415C-90D5-48d9-AACF-531544969B67}.exe
File created	C:\Windows\{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe
File created	C:\Windows\{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe
File created	C:\Windows\{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3412	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe
Token: SeIncBasePriorityPrivilege	3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe
Token: SeIncBasePriorityPrivilege	1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe
Token: SeIncBasePriorityPrivilege	3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe
Token: SeIncBasePriorityPrivilege	1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe
Token: SeIncBasePriorityPrivilege	5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe
Token: SeIncBasePriorityPrivilege	3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe
Token: SeIncBasePriorityPrivilege	548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe
Token: SeIncBasePriorityPrivilege	1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe
Token: SeIncBasePriorityPrivilege	3016	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe
Token: SeIncBasePriorityPrivilege	3852	{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4488	3412	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe	93
PID 3412 wrote to memory of 4488	3412	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe	93
PID 3412 wrote to memory of 4488	3412	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe	93
PID 3412 wrote to memory of 1140	3412	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe	94
PID 3412 wrote to memory of 1140	3412	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe	94
PID 3412 wrote to memory of 1140	3412	2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe	94
PID 4488 wrote to memory of 3180	4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe	95
PID 4488 wrote to memory of 3180	4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe	95
PID 4488 wrote to memory of 3180	4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe	95
PID 4488 wrote to memory of 2220	4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe	96
PID 4488 wrote to memory of 2220	4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe	96
PID 4488 wrote to memory of 2220	4488	{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe	96
PID 3180 wrote to memory of 1436	3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe	100
PID 3180 wrote to memory of 1436	3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe	100
PID 3180 wrote to memory of 1436	3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe	100
PID 3180 wrote to memory of 3372	3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe	101
PID 3180 wrote to memory of 3372	3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe	101
PID 3180 wrote to memory of 3372	3180	{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe	101
PID 1436 wrote to memory of 3644	1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe	102
PID 1436 wrote to memory of 3644	1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe	102
PID 1436 wrote to memory of 3644	1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe	102
PID 1436 wrote to memory of 4696	1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe	103
PID 1436 wrote to memory of 4696	1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe	103
PID 1436 wrote to memory of 4696	1436	{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe	103
PID 3644 wrote to memory of 1588	3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe	104
PID 3644 wrote to memory of 1588	3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe	104
PID 3644 wrote to memory of 1588	3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe	104
PID 3644 wrote to memory of 3100	3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe	105
PID 3644 wrote to memory of 3100	3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe	105
PID 3644 wrote to memory of 3100	3644	{DE844B59-5A7B-439b-B383-A02086F2D266}.exe	105
PID 1588 wrote to memory of 5012	1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe	106
PID 1588 wrote to memory of 5012	1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe	106
PID 1588 wrote to memory of 5012	1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe	106
PID 1588 wrote to memory of 1148	1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe	107
PID 1588 wrote to memory of 1148	1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe	107
PID 1588 wrote to memory of 1148	1588	{97F4415C-90D5-48d9-AACF-531544969B67}.exe	107
PID 5012 wrote to memory of 3336	5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe	108
PID 5012 wrote to memory of 3336	5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe	108
PID 5012 wrote to memory of 3336	5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe	108
PID 5012 wrote to memory of 2340	5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe	109
PID 5012 wrote to memory of 2340	5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe	109
PID 5012 wrote to memory of 2340	5012	{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe	109
PID 3336 wrote to memory of 548	3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe	110
PID 3336 wrote to memory of 548	3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe	110
PID 3336 wrote to memory of 548	3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe	110
PID 3336 wrote to memory of 1776	3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe	111
PID 3336 wrote to memory of 1776	3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe	111
PID 3336 wrote to memory of 1776	3336	{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe	111
PID 548 wrote to memory of 1636	548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe	112
PID 548 wrote to memory of 1636	548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe	112
PID 548 wrote to memory of 1636	548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe	112
PID 548 wrote to memory of 220	548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe	113
PID 548 wrote to memory of 220	548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe	113
PID 548 wrote to memory of 220	548	{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe	113
PID 1636 wrote to memory of 3016	1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe	114
PID 1636 wrote to memory of 3016	1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe	114
PID 1636 wrote to memory of 3016	1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe	114
PID 1636 wrote to memory of 3760	1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe	115
PID 1636 wrote to memory of 3760	1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe	115
PID 1636 wrote to memory of 3760	1636	{D3DC2053-3980-456f-8705-A079077355B1}.exe	115
PID 3016 wrote to memory of 3852	3016	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe	116
PID 3016 wrote to memory of 3852	3016	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe	116
PID 3016 wrote to memory of 3852	3016	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe	116
PID 3016 wrote to memory of 3976	3016	{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_de3c3c404f19366bdf36ebd7fcbe6df0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe
  C:\Windows\{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe
    C:\Windows\{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe
      C:\Windows\{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\{DE844B59-5A7B-439b-B383-A02086F2D266}.exe
        
        C:\Windows\{DE844B59-5A7B-439b-B383-A02086F2D266}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\{97F4415C-90D5-48d9-AACF-531544969B67}.exe
        
        C:\Windows\{97F4415C-90D5-48d9-AACF-531544969B67}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe
        
        C:\Windows\{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe
        
        C:\Windows\{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe
        
        C:\Windows\{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\{D3DC2053-3980-456f-8705-A079077355B1}.exe
        
        C:\Windows\{D3DC2053-3980-456f-8705-A079077355B1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe
        
        C:\Windows\{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe
        
        C:\Windows\{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
        
        C:\Windows\{A74DEB13-9689-4633-ADE7-F6530E3D3C08}.exe
        
        C:\Windows\{A74DEB13-9689-4633-ADE7-F6530E3D3C08}.exe
        13⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05EB0~1.EXE > nul
        13⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3220~1.EXE > nul
        12⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3DC2~1.EXE > nul
        11⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BEF7~1.EXE > nul
        10⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA94B~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D688~1.EXE > nul
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97F44~1.EXE > nul
        7⤵
        
        PID:1148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE844~1.EXE > nul
        6⤵
        
        PID:3100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66DC7~1.EXE > nul
        5⤵
        
        PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9F7D~1.EXE > nul
      4⤵
      PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BBB2A~1.EXE > nul
    3⤵
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05EB004E-4D12-4ce9-80A7-DF63A29A4A9C}.exe

Filesize
344KB

MD5
6309dbc8b974210fc50983f12f2c4e23

SHA1
36d31128fadee696acbe5aa54eff58b2baca0567

SHA256
fca4107b58d9702efa93e7828da1277a62325925c99d0a0626253c6fe0a053d9

SHA512
3266cc46fd948697bac2e98e8f5d6a5f3f705508ae9ac9ac51a09065cc6af149355a58703aa08de4e76a0c146af9b932049f3971d5aeb33e8014f46631d5fb08

Download Submit
C:\Windows\{1D6885D7-0683-4667-8B0D-97DA3C89FAC4}.exe

Filesize
344KB

MD5
42a2537f6a3df159934b028b29880f63

SHA1
5fdd72715956da5c7ddb87eb210a4fc0ffcec6be

SHA256
50fdffe11cd4f05bd0e6e93f88ee34b3c1f853935219aca0fd2607b171ce474a

SHA512
3e62a9dd0dcb74a9238c84087e5cd435cd924094c7e8bde67b8ed400df9bf81cc650ec4b3348229935e2e4e105006c5f1384f7cae818d4bf9b16c85f48f7a043

Download Submit
C:\Windows\{66DC7578-AFAD-4c25-83DD-E7726F42B96C}.exe

Filesize
344KB

MD5
1187fe51cc4a3c974f5f4d8d7176e8cd

SHA1
e32edc32b638832c83228c49a5763f752ef5d46c

SHA256
5ea3229d7a4aaa0813d30701aa54e7ae73ac84790bdc28de2dd2333300698f67

SHA512
0be82c97be808201f16ec0fe0bfd15053494be28a31c3eeaf9dfad402b282c149fe67203acfc9316cda499f80e1255edc5f514aa36844dd412e55a456b7d3d23

Download Submit
C:\Windows\{97F4415C-90D5-48d9-AACF-531544969B67}.exe

Filesize
344KB

MD5
d6795cb35a7463a4562653620e1bf7e1

SHA1
ee660131df0aefd10f4dc57303a9c01f41c81b0b

SHA256
972b3e3b6a4159092a096591000bac9c934f526ad9ba8e3d2c51bb03791ab6fe

SHA512
acb80f765bb4ea64fd4170cbc354502eb0b51f4f5d18f110a901adfbb33daa6790bacefade19a28c997dd3f89d7e3e2cec6b19b3b85a7dc32ad09ee0d1bed9f9

Download Submit
C:\Windows\{9BEF7C9C-0CEA-4163-9AD4-827A499FD6BC}.exe

Filesize
344KB

MD5
7e9ebdd3398e331ad2463102e07b4dbc

SHA1
e7800c56b48a03ec8d59f2dc0676ce200583c0f1

SHA256
0f6049d998ebb06d929d60639c8ecc866554a5c3729dd696216f35d04c532fe0

SHA512
fdc523768b4c0ea2f0a5b1edc59a508b7ae48bfc1beaa4995fd86dd8503719501246d82634585a8dcbe579f99e03697eec4f3fdf17b57387e3521cdbc658651b

Download Submit
C:\Windows\{A74DEB13-9689-4633-ADE7-F6530E3D3C08}.exe

Filesize
344KB

MD5
e5d1e569dc5e6cc9380f642092ecc325

SHA1
43071f2b63549101356f51d6f69d231ecd1dfa47

SHA256
b56094eeb18f40c7c3d285f1735c67bc11d19042eb46f65253fbb648e83f7c24

SHA512
b41a7708c18519f135de69329ecdac5aeee19b75f2fc750b9a9f97ec8226aa34cbc2bf3b8ac80878e28371620435d25e8c2b6e1dacfceadab5eccb8f0838113e

Download Submit
C:\Windows\{BBB2A898-ADCF-4026-BEFD-A29D110B4691}.exe

Filesize
344KB

MD5
58e1e4754a6fe7a3cf788a5edae9601c

SHA1
bea532ee6e2beefc5767700ee101cacaa5b267b6

SHA256
a826ab158945025249558b18d4424b931c4569a4d3b33095b213aee066fb4cbc

SHA512
d840199ce9688fb185bc77ac3b2d7f620a68887f53d47aaf667af8c9817941cf74da5cfd8a232c259d66da65b7a7553862c532871d84c257a5a497f7c981de0a

Download Submit
C:\Windows\{C322010F-48A1-48cd-B7C5-3D90E0BE53DA}.exe

Filesize
344KB

MD5
05fefaadbc114fc0ca640b214ddecd64

SHA1
a958302ffdcd1bf87d665e69317d1bca6080dda6

SHA256
58be7f5fc9b8d1c8cba0ac721301038cd31c98a73fa7252e8619ee66ae9175f9

SHA512
3aa4d27b3c8c9e368c6ec1955e6e74d49c3261799f3c539ad3a322fe9892bfda96288b4237182d28b0b6d76b7113e881a4ae82bff8ecc6067ecc51f9f9fc6168

Download Submit
C:\Windows\{CA94B3FF-DBF8-4843-B562-B72C5ACBDE05}.exe

Filesize
344KB

MD5
05a45cd631645ab7e4af6104087f3c2c

SHA1
51206f8d7257f9169a9b94617f8cec29985db3c9

SHA256
5bf31b8d1147e0aca83e0013fe7ce6b9d60f102fb45320cfad729392aecde685

SHA512
4072113b96016de6569ffb4394035b720edfcff497c0a954d5fd5bca83b15e06c0269e488a9eb2cee9f160903c8250a3663403393c35bdbbe9e7dbf8314812ac

Download Submit
C:\Windows\{D3DC2053-3980-456f-8705-A079077355B1}.exe

Filesize
344KB

MD5
3ac4f1dcd3a3329239d7978536ff56e5

SHA1
039d858e54256fb38b1004d2f4e4f3c4ec2a932d

SHA256
88c9531b44f006968c9d18d73a546865d4e08c960b008db120b64a1bbf335bdf

SHA512
127d9b73a6f9e0e699b10d3291177d3750875f9df682e36acddacc6342956db1912e2dc9bbe902b01a99a6c378f0773d5a3c1bffa69108e68afdddbc740ae941

Download Submit
C:\Windows\{DE844B59-5A7B-439b-B383-A02086F2D266}.exe

Filesize
344KB

MD5
1786f3f1f3cf533c1398d1c7e9cafe40

SHA1
ef42769b19444a3b491501ee084388ef0f38cd05

SHA256
45e25594284b531b95cfa9a34985b6e892c04b776075348778dd5ded547266ed

SHA512
65c4c7d00fcecd3ffcb75373ae04710763db7256e0fb96383e3d788a1ea7fa334e6adf4e0d851c97d28440568292e6850471d1e670f41640d32fa6e696854595

Download Submit
C:\Windows\{E9F7D8FB-CF95-4047-8F55-9052473D8B90}.exe

Filesize
344KB

MD5
eef760951f034957925aa7fc60805cad

SHA1
6056a4fb9efcb90d1605d57cc507ecd9700a1ec9

SHA256
74d8f976855db840b1ec90f6b221fc58d08af8eddc7db39c8aeb1c3ae20e7c79

SHA512
12f9c4e9fbc01641633cd8a248164c33f42d6ebd9b6296b3e01cac18517b910fa1c3614d745aa869f833f51eac5c6d836f09a7a5f15d148e91a56291e10b4531

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads