5ea8125435b39ed8ebed4989eae9c9803affecd70917d30d59d9408a221e204a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Size

408KB
MD5

97adaab74671504809e24a3664645a12
SHA1

b483c51c9ff1857bbb56fa75463b750bfc4fb2ff
SHA256

5ea8125435b39ed8ebed4989eae9c9803affecd70917d30d59d9408a221e204a
SHA512

acc2d4a18192138131c86e56ee3d46319a8211abee7490ac0a0742850cd34023d6930446d9d504e02243f65f1c04957f95578d93cbe0e233b42a463f116192e0
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGmldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023200-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023212-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230e1-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023212-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230e1-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023212-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230e1-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023212-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000230e1-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320f-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000230e1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000230e1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3508C2E-71E4-4796-94C7-506C57EA182A}	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8012E1F8-1879-40d6-A1D4-18484D22665B}\stubpath = "C:\\Windows\\{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe"	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70E3070-55F5-47f0-871B-CD6A28939621}\stubpath = "C:\\Windows\\{C70E3070-55F5-47f0-871B-CD6A28939621}.exe"	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}\stubpath = "C:\\Windows\\{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe"	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}\stubpath = "C:\\Windows\\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}.exe"	{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{102DCB12-0BC5-4477-B36C-80DF47B46F7E}\stubpath = "C:\\Windows\\{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe"	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F667C4B-5013-4066-A9EF-D5F242EEB214}	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F667C4B-5013-4066-A9EF-D5F242EEB214}\stubpath = "C:\\Windows\\{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe"	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AD7303-6C6B-44b9-B84D-D298297D146A}	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AD7303-6C6B-44b9-B84D-D298297D146A}\stubpath = "C:\\Windows\\{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe"	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}\stubpath = "C:\\Windows\\{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe"	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528C5230-037E-4b8c-980A-9CACB05CD5EE}	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C70E3070-55F5-47f0-871B-CD6A28939621}	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF50B7D-5467-46a8-B3BE-25838267B4C3}\stubpath = "C:\\Windows\\{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe"	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}	{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{102DCB12-0BC5-4477-B36C-80DF47B46F7E}	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3508C2E-71E4-4796-94C7-506C57EA182A}\stubpath = "C:\\Windows\\{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe"	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF50B7D-5467-46a8-B3BE-25838267B4C3}	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{528C5230-037E-4b8c-980A-9CACB05CD5EE}\stubpath = "C:\\Windows\\{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe"	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8012E1F8-1879-40d6-A1D4-18484D22665B}	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C93503C-FD47-4055-8C51-C48C8C7866A5}	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C93503C-FD47-4055-8C51-C48C8C7866A5}\stubpath = "C:\\Windows\\{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe"	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe

Executes dropped EXE 12 IoCs

pid	Process
412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe
2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe
3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe
2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe
4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe
5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe
4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe
3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe
1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe
4684	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe
1968	{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe
3340	{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
File created	C:\Windows\{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe
File created	C:\Windows\{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe
File created	C:\Windows\{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe
File created	C:\Windows\{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe
File created	C:\Windows\{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe
File created	C:\Windows\{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe
File created	C:\Windows\{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe
File created	C:\Windows\{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe
File created	C:\Windows\{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe
File created	C:\Windows\{C70E3070-55F5-47f0-871B-CD6A28939621}.exe	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe
File created	C:\Windows\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}.exe	{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3392	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
Token: SeIncBasePriorityPrivilege	412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe
Token: SeIncBasePriorityPrivilege	2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe
Token: SeIncBasePriorityPrivilege	3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe
Token: SeIncBasePriorityPrivilege	2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe
Token: SeIncBasePriorityPrivilege	4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe
Token: SeIncBasePriorityPrivilege	5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe
Token: SeIncBasePriorityPrivilege	4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe
Token: SeIncBasePriorityPrivilege	3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe
Token: SeIncBasePriorityPrivilege	1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe
Token: SeIncBasePriorityPrivilege	4684	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe
Token: SeIncBasePriorityPrivilege	1968	{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 412	3392	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	92
PID 3392 wrote to memory of 412	3392	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	92
PID 3392 wrote to memory of 412	3392	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	92
PID 3392 wrote to memory of 4560	3392	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	93
PID 3392 wrote to memory of 4560	3392	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	93
PID 3392 wrote to memory of 4560	3392	2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe	93
PID 412 wrote to memory of 2092	412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe	94
PID 412 wrote to memory of 2092	412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe	94
PID 412 wrote to memory of 2092	412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe	94
PID 412 wrote to memory of 4720	412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe	95
PID 412 wrote to memory of 4720	412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe	95
PID 412 wrote to memory of 4720	412	{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe	95
PID 2092 wrote to memory of 3752	2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe	98
PID 2092 wrote to memory of 3752	2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe	98
PID 2092 wrote to memory of 3752	2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe	98
PID 2092 wrote to memory of 4348	2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe	99
PID 2092 wrote to memory of 4348	2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe	99
PID 2092 wrote to memory of 4348	2092	{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe	99
PID 3752 wrote to memory of 2192	3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe	102
PID 3752 wrote to memory of 2192	3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe	102
PID 3752 wrote to memory of 2192	3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe	102
PID 3752 wrote to memory of 3120	3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe	103
PID 3752 wrote to memory of 3120	3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe	103
PID 3752 wrote to memory of 3120	3752	{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe	103
PID 2192 wrote to memory of 4584	2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe	104
PID 2192 wrote to memory of 4584	2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe	104
PID 2192 wrote to memory of 4584	2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe	104
PID 2192 wrote to memory of 2424	2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe	105
PID 2192 wrote to memory of 2424	2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe	105
PID 2192 wrote to memory of 2424	2192	{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe	105
PID 4584 wrote to memory of 5016	4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe	106
PID 4584 wrote to memory of 5016	4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe	106
PID 4584 wrote to memory of 5016	4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe	106
PID 4584 wrote to memory of 3284	4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe	107
PID 4584 wrote to memory of 3284	4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe	107
PID 4584 wrote to memory of 3284	4584	{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe	107
PID 5016 wrote to memory of 4336	5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe	108
PID 5016 wrote to memory of 4336	5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe	108
PID 5016 wrote to memory of 4336	5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe	108
PID 5016 wrote to memory of 4632	5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe	109
PID 5016 wrote to memory of 4632	5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe	109
PID 5016 wrote to memory of 4632	5016	{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe	109
PID 4336 wrote to memory of 3540	4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe	110
PID 4336 wrote to memory of 3540	4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe	110
PID 4336 wrote to memory of 3540	4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe	110
PID 4336 wrote to memory of 1696	4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe	111
PID 4336 wrote to memory of 1696	4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe	111
PID 4336 wrote to memory of 1696	4336	{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe	111
PID 3540 wrote to memory of 1292	3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe	112
PID 3540 wrote to memory of 1292	3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe	112
PID 3540 wrote to memory of 1292	3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe	112
PID 3540 wrote to memory of 1660	3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe	113
PID 3540 wrote to memory of 1660	3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe	113
PID 3540 wrote to memory of 1660	3540	{C70E3070-55F5-47f0-871B-CD6A28939621}.exe	113
PID 1292 wrote to memory of 4684	1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe	114
PID 1292 wrote to memory of 4684	1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe	114
PID 1292 wrote to memory of 4684	1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe	114
PID 1292 wrote to memory of 3040	1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe	115
PID 1292 wrote to memory of 3040	1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe	115
PID 1292 wrote to memory of 3040	1292	{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe	115
PID 4684 wrote to memory of 1968	4684	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe	116
PID 4684 wrote to memory of 1968	4684	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe	116
PID 4684 wrote to memory of 1968	4684	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe	116
PID 4684 wrote to memory of 2484	4684	{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_97adaab74671504809e24a3664645a12_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe
  C:\Windows\{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe
    C:\Windows\{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe
      C:\Windows\{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Windows\{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe
        
        C:\Windows\{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe
        
        C:\Windows\{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe
        
        C:\Windows\{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe
        
        C:\Windows\{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{C70E3070-55F5-47f0-871B-CD6A28939621}.exe
        
        C:\Windows\{C70E3070-55F5-47f0-871B-CD6A28939621}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe
        
        C:\Windows\{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe
        
        C:\Windows\{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe
        
        C:\Windows\{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}.exe
        
        C:\Windows\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}.exe
        13⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFF50~1.EXE > nul
        13⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C935~1.EXE > nul
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB9E8~1.EXE > nul
        11⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C70E3~1.EXE > nul
        10⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8012E~1.EXE > nul
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{528C5~1.EXE > nul
        8⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3508~1.EXE > nul
        7⤵
        
        PID:3284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF49~1.EXE > nul
        6⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3AD7~1.EXE > nul
        5⤵
        
        PID:3120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4F667~1.EXE > nul
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{102DC~1.EXE > nul
    3⤵
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{102DCB12-0BC5-4477-B36C-80DF47B46F7E}.exe

Filesize
408KB

MD5
db0b9ee6ca06341e59c02e2d01123154

SHA1
67ad16c30102351b776c2b05a242a3d1c67058a0

SHA256
cf864dd2c3b40754d924377a1dbbb6fdc46fd33e7e5b7d236b434a1bd6e99307

SHA512
01f1cb80d833a8c6a73d4488b840bd62e23d412eee68ca1b2b3d166c94203a6adb448c775aebe862421871d623ebb6426a2e05d375567ac2f6b506375c80da2d

Download Submit
C:\Windows\{3C93503C-FD47-4055-8C51-C48C8C7866A5}.exe

Filesize
408KB

MD5
356fb7d18b0bdd19b75aa8371f1c1cdf

SHA1
b6e7222313dcad12f0a1a67bc7fba6f396225eb8

SHA256
a22fe16d307d7907e24022b08587ec51dd0502e267ca17842353e745704fb90e

SHA512
25739de00773175110dc8781e90b6c525302845033403c0ef8354c9134ba24bd0f47917cbdcd5074e3150e140ea72d25cbe062d24de22422329c88d085c8abd6

Download Submit
C:\Windows\{4F667C4B-5013-4066-A9EF-D5F242EEB214}.exe

Filesize
408KB

MD5
46b2d2adcf3caab67b98800d0086e488

SHA1
29b58cce8b420f8cd0b016be7e75eaaa4b167b71

SHA256
a43b2e19860ffc0eb458be5bc0a87bc09110ae6942d18a620d731d58123ee4da

SHA512
fbab3839a6f992a8af2a689ddf0ec23a05a1027f73d4d7311ea010aa250a43690ae6eb974974e3783030ef857680ecc056c85b4ff54d72335a7202540f2c7968

Download Submit
C:\Windows\{528C5230-037E-4b8c-980A-9CACB05CD5EE}.exe

Filesize
408KB

MD5
ba774126b83000b0d2e5f1f36df58b3a

SHA1
b33e46e2a35d267c5ae2103b3ea3a54ee2a8e11b

SHA256
7c8b141b6e16b1821da0786d71eaa1da549741728590fe4f11b59a737ea27082

SHA512
286e2731c7aac9be77eb54316bbe5007d3e1dad6a88ca93ae02fb8fab74dfb1f972a192e04061242d09ce059dc460f966a96fa00d0ed0881afa01d195602b3ec

Download Submit
C:\Windows\{7CF49685-D83B-4bff-9CA0-D66AEEC954E9}.exe

Filesize
408KB

MD5
4e50bcd40020827d6f53709ac3502acf

SHA1
8dad63c224b3cc7bb680d15665701af59cb0b2ef

SHA256
6f998a6f8e216aedb2505c685f257e1a3bdd87b24292c7feedd9d50a81763f1b

SHA512
a9c54027d7085715cd048fc882fcfed3c36a7890639cd759965606b68271bb1c3f7a8401a1c3067ab95e404d4f8528a9033ac00665a849f03b0ad4618f3e7b56

Download Submit
C:\Windows\{8012E1F8-1879-40d6-A1D4-18484D22665B}.exe

Filesize
408KB

MD5
17189469fb869ba7bbb74abfa244e45b

SHA1
bab7936c85cb30aa1f62ed09feedb6bf10a29d94

SHA256
d4e707d5f54692ded8f5de3f1ea8dd1bf588a6a46f0c4ac802a0d91609b261b6

SHA512
a46ae15861bcc4bf44b583a9f872db05f9393d259574441fb6dde1992e2781eb9140bc96f944fe100f083158bfaa7a8d0b84a7090ed178186c3cbcada2ed32b6

Download Submit
C:\Windows\{A3508C2E-71E4-4796-94C7-506C57EA182A}.exe

Filesize
408KB

MD5
7f1a697a76b379f06d2d91dc2fca3e7d

SHA1
fa0913d1c900df9958de303b191ad8be55c62f86

SHA256
3238645c7680e6b57f73a81d9e19895e74bf8a141e71e466d2b782ecd12427f0

SHA512
a395e52df456ebd7b4b93d636746c78053cc1c95d90994469842babe5ebe58020a2326fad100204c9e5cb292e6ad426e148370e49061725f746c9484042d6d0c

Download Submit
C:\Windows\{B3AD7303-6C6B-44b9-B84D-D298297D146A}.exe

Filesize
408KB

MD5
e7f82af62e89e7316cee5c463822299a

SHA1
e69a1232c37bb00bd64b178deab6adf3210b7b9d

SHA256
4e470797dbe5c08d8671c15001ac8642bd80b6446ae6c00f8a2d405d034568e3

SHA512
d779a19a37b854be45ce29a29793acc91ae7abe4507c62f6fbd954a09fac8a5c251f1901ef5b642cfa328cfd1456d41953919e7e450771012ac610e88ee86b89

Download Submit
C:\Windows\{BFF50B7D-5467-46a8-B3BE-25838267B4C3}.exe

Filesize
408KB

MD5
9ebe96c3efb4de548f7604940791ead6

SHA1
1d2424fbb27fda0f0b62fcb88d5cba8a50d16c46

SHA256
a635509762a67ce35fd92476cfb07fea230cba3b8f00f9f99e30d4617f4356ef

SHA512
6ef54576b5ef7d66a068e9c297274b8a15479244b3519e35e32b5782bd9ecd79d2f21bdd785707f6dc84f7afc2d5a23badb5af2b2a3e5ff6e4cd805cbb8c0376

Download Submit
C:\Windows\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}.exe

Filesize
358KB

MD5
e8621bf0a97b1e79c66f372ba19e8cab

SHA1
c24f93d73ad798d540caaf05ed0304f77f1b7963

SHA256
1baea0b15e1141b7fbd0979d93c6a006e21600b185fc5063cecd9831089a7d87

SHA512
d7d57ee9ebe09913f9192632022bb0f6d3f84933a4da8be531c4a6cd74ebf4b5be09c2b1d12c78043d3acc8ebac873b3823b89112bed57a13e47fc1aef651ffc

Download Submit
C:\Windows\{C11EA4B2-6FCE-43f9-A1BE-17CD6BAB057C}.exe

Filesize
408KB

MD5
f285ed93cac94ec1652e23caf13f0ba0

SHA1
e37bee598ccf7c0478c9f51c4ca7fe8344c0a5ab

SHA256
e223fc8cea325e2368338fa222ddcdd1db38ef5625da27ea0f4520d21ced758f

SHA512
550dc10653d039d615bb8879c5cf4f53636bfb65807cbed4346478a5a781600b35cb06824701d2034bf81f900d46f620d3bdddf491a05604c9679323f336b260

Download Submit
C:\Windows\{C70E3070-55F5-47f0-871B-CD6A28939621}.exe

Filesize
408KB

MD5
5751620648b052f57812060125ce832c

SHA1
fc96820dd80134975acfbde39c211f1f79b27224

SHA256
4834cff867fbca90912e9dbca970eb9d14f2b35411613a3ee4f92ee69959d64a

SHA512
a188260237bf883acfc3f34d555c3747a81dc3e55c03b2f58ef97bc6250567625c511917e44e2f69b909c4ccbcc74fbf9a75209190387f3bf4d063091a2c64d6

Download Submit
C:\Windows\{FB9E8C24-2392-45dd-84F0-C5BC8D528F2E}.exe

Filesize
408KB

MD5
1315efbbd1e3d4709f97148cc4577b4a

SHA1
1eb8263b6f8cc699983855216113601d44302563

SHA256
e98367f9848a36409ab5ffb07fad408cebb1e26d2d8903f9887f6d448b18bce9

SHA512
237c9d39d51e6bfc989e9c95b5eb3a8e8305e819d2180a803b52a7c41de226619e93a9eb9b339cac01b730d9727b980c1403eb3fe1b0278dabcb95bc50b8af01

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads