4bdd08111a81a78be786b92d72a3f1bd4a9ad9ca809b5884d436f6422f4c2248

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Size

408KB
MD5

ef6dec01330953c607ab3ce3c52790ee
SHA1

263ef5a31766854b957bf2a999b317fb58390853
SHA256

4bdd08111a81a78be786b92d72a3f1bd4a9ad9ca809b5884d436f6422f4c2248
SHA512

42aca68c2cf625a6f03aef3faf82fd7d49fb46cf0b822e594a19510e4cdd556aac7dd036091d0d78a64d31d7d794c00d19d70284f86fd88028224fe645ce85f5
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGBldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012110-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012252-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e0000000139d9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f0000000139d9-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000139fa-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000139fa-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00160000000055a2-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD8C62A9-6989-47db-BF16-E3D784D60807}\stubpath = "C:\\Windows\\{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe"	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868B71B9-AC54-4728-A532-75DA6AB61ABE}	{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D224D5-AAAC-47e5-A224-2C9D26486090}	{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{049F5C08-4419-45c2-818C-230C1D8D14D3}	{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{049F5C08-4419-45c2-818C-230C1D8D14D3}\stubpath = "C:\\Windows\\{049F5C08-4419-45c2-818C-230C1D8D14D3}.exe"	{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA5EE67E-723F-49c5-9273-88436B86B0B6}	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F780152-B1E1-4d7c-947F-1D7C87EC6741}\stubpath = "C:\\Windows\\{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe"	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}\stubpath = "C:\\Windows\\{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe"	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4964BBB6-AAD6-4435-8954-5027B72A7EA5}\stubpath = "C:\\Windows\\{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe"	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}\stubpath = "C:\\Windows\\{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe"	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F780152-B1E1-4d7c-947F-1D7C87EC6741}	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4964BBB6-AAD6-4435-8954-5027B72A7EA5}	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868B71B9-AC54-4728-A532-75DA6AB61ABE}\stubpath = "C:\\Windows\\{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe"	{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5201DE25-1390-4491-B00A-67A03DA7B918}\stubpath = "C:\\Windows\\{5201DE25-1390-4491-B00A-67A03DA7B918}.exe"	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA5EE67E-723F-49c5-9273-88436B86B0B6}\stubpath = "C:\\Windows\\{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe"	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD8C62A9-6989-47db-BF16-E3D784D60807}	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5201DE25-1390-4491-B00A-67A03DA7B918}	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ECE25BD-12F7-40c5-B462-000078C812BB}	{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ECE25BD-12F7-40c5-B462-000078C812BB}\stubpath = "C:\\Windows\\{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe"	{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D224D5-AAAC-47e5-A224-2C9D26486090}\stubpath = "C:\\Windows\\{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe"	{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}\stubpath = "C:\\Windows\\{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe"	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe
2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe
2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe
2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe
2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe
788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe
1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe
972	{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe
1380	{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe
1308	{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe
2172	{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe
744	{049F5C08-4419-45c2-818C-230C1D8D14D3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe
File created	C:\Windows\{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe
File created	C:\Windows\{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe
File created	C:\Windows\{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe	{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe
File created	C:\Windows\{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe
File created	C:\Windows\{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe
File created	C:\Windows\{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe
File created	C:\Windows\{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe	{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe
File created	C:\Windows\{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe	{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe
File created	C:\Windows\{049F5C08-4419-45c2-818C-230C1D8D14D3}.exe	{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe
File created	C:\Windows\{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
File created	C:\Windows\{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe
Token: SeIncBasePriorityPrivilege	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe
Token: SeIncBasePriorityPrivilege	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe
Token: SeIncBasePriorityPrivilege	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe
Token: SeIncBasePriorityPrivilege	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe
Token: SeIncBasePriorityPrivilege	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe
Token: SeIncBasePriorityPrivilege	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe
Token: SeIncBasePriorityPrivilege	972	{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe
Token: SeIncBasePriorityPrivilege	1380	{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe
Token: SeIncBasePriorityPrivilege	1308	{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe
Token: SeIncBasePriorityPrivilege	2172	{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2992	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	28
PID 1704 wrote to memory of 2992	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	28
PID 1704 wrote to memory of 2992	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	28
PID 1704 wrote to memory of 2992	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	28
PID 1704 wrote to memory of 2496	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	29
PID 1704 wrote to memory of 2496	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	29
PID 1704 wrote to memory of 2496	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	29
PID 1704 wrote to memory of 2496	1704	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	29
PID 2992 wrote to memory of 2712	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	30
PID 2992 wrote to memory of 2712	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	30
PID 2992 wrote to memory of 2712	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	30
PID 2992 wrote to memory of 2712	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	30
PID 2992 wrote to memory of 2640	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	31
PID 2992 wrote to memory of 2640	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	31
PID 2992 wrote to memory of 2640	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	31
PID 2992 wrote to memory of 2640	2992	{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe	31
PID 2712 wrote to memory of 2248	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	34
PID 2712 wrote to memory of 2248	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	34
PID 2712 wrote to memory of 2248	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	34
PID 2712 wrote to memory of 2248	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	34
PID 2712 wrote to memory of 2460	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	35
PID 2712 wrote to memory of 2460	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	35
PID 2712 wrote to memory of 2460	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	35
PID 2712 wrote to memory of 2460	2712	{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe	35
PID 2248 wrote to memory of 2368	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	36
PID 2248 wrote to memory of 2368	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	36
PID 2248 wrote to memory of 2368	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	36
PID 2248 wrote to memory of 2368	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	36
PID 2248 wrote to memory of 1372	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	37
PID 2248 wrote to memory of 1372	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	37
PID 2248 wrote to memory of 1372	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	37
PID 2248 wrote to memory of 1372	2248	{5201DE25-1390-4491-B00A-67A03DA7B918}.exe	37
PID 2368 wrote to memory of 2728	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	38
PID 2368 wrote to memory of 2728	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	38
PID 2368 wrote to memory of 2728	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	38
PID 2368 wrote to memory of 2728	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	38
PID 2368 wrote to memory of 580	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	39
PID 2368 wrote to memory of 580	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	39
PID 2368 wrote to memory of 580	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	39
PID 2368 wrote to memory of 580	2368	{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe	39
PID 2728 wrote to memory of 788	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	40
PID 2728 wrote to memory of 788	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	40
PID 2728 wrote to memory of 788	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	40
PID 2728 wrote to memory of 788	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	40
PID 2728 wrote to memory of 1716	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	41
PID 2728 wrote to memory of 1716	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	41
PID 2728 wrote to memory of 1716	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	41
PID 2728 wrote to memory of 1716	2728	{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe	41
PID 788 wrote to memory of 1332	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	42
PID 788 wrote to memory of 1332	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	42
PID 788 wrote to memory of 1332	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	42
PID 788 wrote to memory of 1332	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	42
PID 788 wrote to memory of 660	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	43
PID 788 wrote to memory of 660	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	43
PID 788 wrote to memory of 660	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	43
PID 788 wrote to memory of 660	788	{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe	43
PID 1332 wrote to memory of 972	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	45
PID 1332 wrote to memory of 972	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	45
PID 1332 wrote to memory of 972	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	45
PID 1332 wrote to memory of 972	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	45
PID 1332 wrote to memory of 1104	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	44
PID 1332 wrote to memory of 1104	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	44
PID 1332 wrote to memory of 1104	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	44
PID 1332 wrote to memory of 1104	1332	{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe
  C:\Windows\{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe
    C:\Windows\{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{5201DE25-1390-4491-B00A-67A03DA7B918}.exe
      C:\Windows\{5201DE25-1390-4491-B00A-67A03DA7B918}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe
        
        C:\Windows\{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe
        
        C:\Windows\{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe
        
        C:\Windows\{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe
        
        C:\Windows\{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD8C6~1.EXE > nul
        9⤵
        
        PID:1104
        
        C:\Windows\{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe
        
        C:\Windows\{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe
        
        C:\Windows\{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe
        
        C:\Windows\{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe
        
        C:\Windows\{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6D22~1.EXE > nul
        13⤵
        
        PID:2096
        
        C:\Windows\{049F5C08-4419-45c2-818C-230C1D8D14D3}.exe
        
        C:\Windows\{049F5C08-4419-45c2-818C-230C1D8D14D3}.exe
        13⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ECE2~1.EXE > nul
        12⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{868B7~1.EXE > nul
        11⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4964B~1.EXE > nul
        10⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3692A~1.EXE > nul
        8⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F780~1.EXE > nul
        7⤵
        
        PID:1716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA5EE~1.EXE > nul
        6⤵
        
        PID:580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5201D~1.EXE > nul
        5⤵
        
        PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BD8DE~1.EXE > nul
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7936F~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{049F5C08-4419-45c2-818C-230C1D8D14D3}.exe

Filesize
408KB

MD5
7803243abf9cbdece8e9bdc6405cefbe

SHA1
9f8ed95bb10a0c018e299c7cffd6173ae9a75911

SHA256
f67c11f0cd6b6109abc2a622e9745797af0afe431b8808f0c0bafe21d8796a93

SHA512
f9352b3b5c5076d69d5904acf84eff7d46129d5c6df23ea831c1b8b26523d13616a1c889febaebd959440b8ac81448cfb500aac7f62da43e8ea0ab52cab78d0c

Download Submit
C:\Windows\{0ECE25BD-12F7-40c5-B462-000078C812BB}.exe

Filesize
408KB

MD5
392705b589a97530b2a31e5a57fd6193

SHA1
0f52d8113d2df237260bcbed8e24bcd432fb8c72

SHA256
18ccb555656f94b161f05e060ffbc15ae1e295eaece00ec554fa8c5bbab5290d

SHA512
0d53206ab3c81eee13c0ad4bc88d09ec6f916957b473fd379cd57141fd422dd53f92fce416437adad71b9b08a99256b4d53948fc5a6b13ddf22c871bd1412dd1

Download Submit
C:\Windows\{1F780152-B1E1-4d7c-947F-1D7C87EC6741}.exe

Filesize
408KB

MD5
29c87d44f18f4cbd5c539bdc6169d079

SHA1
49729a92b016a4a7eaf22501cac78642768f4922

SHA256
794e660d8971c8db4ed4c3fd0f4f7c358767b82ee9f937a089d4a3badcb1c4d3

SHA512
a81a596d7c0af7da54d8bb04bc9d5a5fb22c720b881227bda9078ba7cf1337dca790cde7904df7650402d27eb676485f371408a2937703b8d7b1ae653eb5c0b6

Download Submit
C:\Windows\{3692AE57-15A5-4dc8-8A1B-533C1441CBE2}.exe

Filesize
408KB

MD5
78f1da70539c56c262949d256400bb96

SHA1
cc711f1d3e29d9c209410a1d7cc48bf6decd9288

SHA256
00c6add7feafaeea283c07230e5419cf557ba4aea0db42e14b340401f706dc9c

SHA512
bfe235810327e8a5b84fa4ebf969e0ce2e826f6bad0c91273e4e43d3a1a8fe92c63d674b4f874a6c032fd15d3999e19087ac9b4a2e4b29aafe291971ddf4f27b

Download Submit
C:\Windows\{4964BBB6-AAD6-4435-8954-5027B72A7EA5}.exe

Filesize
408KB

MD5
be29b4ea01059bb8d4fc8e85426be1c8

SHA1
8eaf077e1f597c422c3ad425226d5c4f23a6285a

SHA256
703ccfb246367d3870a26db74d7431cf828c6c1f1bad4c4c0f342bf24cfc6a9a

SHA512
c2e70638f43af64c2759aaf324687c62f3c52490e66f75943644bf54b023c4daed0f6abbd85a282b5b506842294406ebd826d60100e44c53df0abfaa738db5d5

Download Submit
C:\Windows\{5201DE25-1390-4491-B00A-67A03DA7B918}.exe

Filesize
408KB

MD5
52ddc5c8dde651c0906907db9f701982

SHA1
f21b140084f5a4ed9bcc7dd171821cfbed075718

SHA256
b697db8eef63626e1cce146c2655ee9c79cf96cb5b036ca629dbcf8377e98f2a

SHA512
6252ef9e29459d2646836e27debe41c41d0c08691ae44eb15594edea0d1d8da2344ef9fd89ba0865ce42b5095918c955bf202653965af885fb9e60a75bce3e6c

Download Submit
C:\Windows\{7936F2E7-8665-418d-8C7B-DEE1A2C948DB}.exe

Filesize
408KB

MD5
9c6fa0dc38bf87d8a8a65d10c24e11d6

SHA1
3d7ae6eec902c8e2ac94f6336edb3d2fb87ff892

SHA256
8b90dfbba05c2ae1406ed7bcf16f0b1cb71d38f268a9f20a339af8d9f618a0f9

SHA512
c5cb1cc6d62da420cccf66d3aa77ec5ab90255084cb1e14a4126094e0610d112dd6f4de25b928c6d92df5ceb30e7b4219ba618422f041fdc179ec4bdeecc1e26

Download Submit
C:\Windows\{868B71B9-AC54-4728-A532-75DA6AB61ABE}.exe

Filesize
408KB

MD5
cfd36a0e264cb9e87a20de8265ea1e3e

SHA1
886eec470dfc6db785cd06ff1fa12240222562c2

SHA256
2ee425609a58d7962bcdc08b3410a11976cd679bf6f036592c1cf0a6c8ece1bd

SHA512
b9da65939aa3a50286a03c0ba97682f3a9ffe6fe0f09a676bb766054b4e80bce308ef9518014eba74aecc9428a89f6f54c3e33e8587715397db9655b2569989e

Download Submit
C:\Windows\{BD8DEC25-264F-4df4-9D17-B440FBDB59ED}.exe

Filesize
408KB

MD5
63bf84fcf3b404ad18a99980a9891365

SHA1
230745fc646f3ec20cc2e926a65906af6a6ce211

SHA256
a238e6c00efec6d5490755dcfa112b9d5332dfce9a68b6a3edae2241fbd72653

SHA512
f5c345da84beee3b311c05fdb0913e1f256c3fe152ef3bb353bf456f6ea127e63bcf1b17c07862a36799fb0dc563bd1d87cf2ac364ac878f54935975363bfebf

Download Submit
C:\Windows\{D6D224D5-AAAC-47e5-A224-2C9D26486090}.exe

Filesize
408KB

MD5
86c094289da777721192725af8f48c0e

SHA1
b10d79927128e7a18bdb129bfd9ce7e1f7022d02

SHA256
38b459b3f392caa48b4b3c4485a253f35cc1de456cb0563998c03a1b105e18a3

SHA512
f815bef03a88243db99193e64e27bb964b8009dbf660b17ab5c6c80b19fe48fe68bcac5856aea8456a7a673fdb27765a6ebc0310aa7898a71a4e84c814c83664

Download Submit
C:\Windows\{DD8C62A9-6989-47db-BF16-E3D784D60807}.exe

Filesize
408KB

MD5
f1af71a8345e9ba62a04e3be4410e162

SHA1
048eb0f9ec9b0b97e297edd7108d1524445a6861

SHA256
595ccb33484ec4473fa8dc3b54f2fe47bc756c57b2139b3c7c0f70176d6558ae

SHA512
62588f8dc207e722f5bafbc4bb5f0c3e630220dca0d9f5e81c293969a02980914257cac5671d5ff464a561bc2470f8b447b071d86e3949847a2d29dbc04db3f4

Download Submit
C:\Windows\{FA5EE67E-723F-49c5-9273-88436B86B0B6}.exe

Filesize
408KB

MD5
6711d362d58e5a463b8f06b5c06545dd

SHA1
4c75b18e8f3799526d767aacd66450f845515a36

SHA256
ebbb6b24aa93f6faf58ae9e7eb906aae76c9f45e2e88104dd6c3d0f92fc3fe99

SHA512
19f6b1fea4b8bc320e63458ea4e36a83f08e9d56373db6d9e47df3ca7702c54a01a546716ddddba7caad067281f043d75ac3d65455375b85459d930e922f9f24

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads