6b26ff70404dc80879fae711e560d085fe35b5356ec6632cf5812f45fd1b62cf

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Size

372KB
MD5

419807c225a36a07749867567f9dbf04
SHA1

9ebc5ad592f6eb9f41a2785622f4b8642a45b21e
SHA256

6b26ff70404dc80879fae711e560d085fe35b5356ec6632cf5812f45fd1b62cf
SHA512

298a7ed878aa9feebb5d034b010e6a4188321971d6a5cf2c2de7df667a9b6067061fa96ff447d7a26e1eeee71adcd91734f3f3b530bedd9138ad7ccdfb6524d1
SSDEEP

3072:CEGh0oDlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGhlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000018b6a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000019335-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002500000000b1f4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002600000000b1f4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002700000000b1f4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002800000000b1f4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed8-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79302D16-1CFE-4c0c-BE62-8A9D74869436}	{122FC503-7B3B-4b94-B918-99188892BFF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B96A478F-1E7B-44fd-82E9-C407D252EFA3}	{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E214315-A58C-4625-937F-989B6384BAC1}	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}\stubpath = "C:\\Windows\\{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe"	{9E214315-A58C-4625-937F-989B6384BAC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}\stubpath = "C:\\Windows\\{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe"	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B439EA34-629C-4fcc-AF9B-71035AE39B2E}	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}\stubpath = "C:\\Windows\\{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe"	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}	{9E214315-A58C-4625-937F-989B6384BAC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{122FC503-7B3B-4b94-B918-99188892BFF7}\stubpath = "C:\\Windows\\{122FC503-7B3B-4b94-B918-99188892BFF7}.exe"	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1030EEFE-BE97-47bc-9880-56829307E054}\stubpath = "C:\\Windows\\{1030EEFE-BE97-47bc-9880-56829307E054}.exe"	{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}\stubpath = "C:\\Windows\\{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}.exe"	{1030EEFE-BE97-47bc-9880-56829307E054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3099387-5E64-417d-BF02-74E2FD00B3C2}\stubpath = "C:\\Windows\\{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe"	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C482142-F3F5-4ad4-978C-CE0E7196050C}	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C482142-F3F5-4ad4-978C-CE0E7196050C}\stubpath = "C:\\Windows\\{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe"	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{122FC503-7B3B-4b94-B918-99188892BFF7}	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79302D16-1CFE-4c0c-BE62-8A9D74869436}\stubpath = "C:\\Windows\\{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe"	{122FC503-7B3B-4b94-B918-99188892BFF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B96A478F-1E7B-44fd-82E9-C407D252EFA3}\stubpath = "C:\\Windows\\{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe"	{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1030EEFE-BE97-47bc-9880-56829307E054}	{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}	{1030EEFE-BE97-47bc-9880-56829307E054}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3099387-5E64-417d-BF02-74E2FD00B3C2}	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B439EA34-629C-4fcc-AF9B-71035AE39B2E}\stubpath = "C:\\Windows\\{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe"	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E214315-A58C-4625-937F-989B6384BAC1}\stubpath = "C:\\Windows\\{9E214315-A58C-4625-937F-989B6384BAC1}.exe"	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe

Deletes itself 1 IoCs

pid	Process
1840	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe
2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe
2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe
2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe
1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe
2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe
2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe
2520	{122FC503-7B3B-4b94-B918-99188892BFF7}.exe
1384	{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe
2132	{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe
536	{1030EEFE-BE97-47bc-9880-56829307E054}.exe
2060	{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe
File created	C:\Windows\{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe	{122FC503-7B3B-4b94-B918-99188892BFF7}.exe
File created	C:\Windows\{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe	{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe
File created	C:\Windows\{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
File created	C:\Windows\{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe
File created	C:\Windows\{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	{9E214315-A58C-4625-937F-989B6384BAC1}.exe
File created	C:\Windows\{122FC503-7B3B-4b94-B918-99188892BFF7}.exe	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe
File created	C:\Windows\{1030EEFE-BE97-47bc-9880-56829307E054}.exe	{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe
File created	C:\Windows\{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}.exe	{1030EEFE-BE97-47bc-9880-56829307E054}.exe
File created	C:\Windows\{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe
File created	C:\Windows\{9E214315-A58C-4625-937F-989B6384BAC1}.exe	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe
File created	C:\Windows\{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe
Token: SeIncBasePriorityPrivilege	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe
Token: SeIncBasePriorityPrivilege	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe
Token: SeIncBasePriorityPrivilege	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe
Token: SeIncBasePriorityPrivilege	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe
Token: SeIncBasePriorityPrivilege	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe
Token: SeIncBasePriorityPrivilege	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe
Token: SeIncBasePriorityPrivilege	2520	{122FC503-7B3B-4b94-B918-99188892BFF7}.exe
Token: SeIncBasePriorityPrivilege	1384	{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe
Token: SeIncBasePriorityPrivilege	2132	{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe
Token: SeIncBasePriorityPrivilege	536	{1030EEFE-BE97-47bc-9880-56829307E054}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2080	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	28
PID 3004 wrote to memory of 2080	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	28
PID 3004 wrote to memory of 2080	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	28
PID 3004 wrote to memory of 2080	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	28
PID 3004 wrote to memory of 1840	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	29
PID 3004 wrote to memory of 1840	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	29
PID 3004 wrote to memory of 1840	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	29
PID 3004 wrote to memory of 1840	3004	2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe	29
PID 2080 wrote to memory of 2644	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	31
PID 2080 wrote to memory of 2644	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	31
PID 2080 wrote to memory of 2644	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	31
PID 2080 wrote to memory of 2644	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	31
PID 2080 wrote to memory of 2628	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	30
PID 2080 wrote to memory of 2628	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	30
PID 2080 wrote to memory of 2628	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	30
PID 2080 wrote to memory of 2628	2080	{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe	30
PID 2644 wrote to memory of 2656	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	34
PID 2644 wrote to memory of 2656	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	34
PID 2644 wrote to memory of 2656	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	34
PID 2644 wrote to memory of 2656	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	34
PID 2644 wrote to memory of 2452	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	35
PID 2644 wrote to memory of 2452	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	35
PID 2644 wrote to memory of 2452	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	35
PID 2644 wrote to memory of 2452	2644	{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe	35
PID 2656 wrote to memory of 2592	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	37
PID 2656 wrote to memory of 2592	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	37
PID 2656 wrote to memory of 2592	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	37
PID 2656 wrote to memory of 2592	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	37
PID 2656 wrote to memory of 2404	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	36
PID 2656 wrote to memory of 2404	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	36
PID 2656 wrote to memory of 2404	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	36
PID 2656 wrote to memory of 2404	2656	{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe	36
PID 2592 wrote to memory of 1208	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	38
PID 2592 wrote to memory of 1208	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	38
PID 2592 wrote to memory of 1208	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	38
PID 2592 wrote to memory of 1208	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	38
PID 2592 wrote to memory of 1512	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	39
PID 2592 wrote to memory of 1512	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	39
PID 2592 wrote to memory of 1512	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	39
PID 2592 wrote to memory of 1512	2592	{9E214315-A58C-4625-937F-989B6384BAC1}.exe	39
PID 1208 wrote to memory of 2776	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	41
PID 1208 wrote to memory of 2776	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	41
PID 1208 wrote to memory of 2776	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	41
PID 1208 wrote to memory of 2776	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	41
PID 1208 wrote to memory of 1332	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	40
PID 1208 wrote to memory of 1332	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	40
PID 1208 wrote to memory of 1332	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	40
PID 1208 wrote to memory of 1332	1208	{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe	40
PID 2776 wrote to memory of 2724	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	42
PID 2776 wrote to memory of 2724	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	42
PID 2776 wrote to memory of 2724	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	42
PID 2776 wrote to memory of 2724	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	42
PID 2776 wrote to memory of 344	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	43
PID 2776 wrote to memory of 344	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	43
PID 2776 wrote to memory of 344	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	43
PID 2776 wrote to memory of 344	2776	{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe	43
PID 2724 wrote to memory of 2520	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	44
PID 2724 wrote to memory of 2520	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	44
PID 2724 wrote to memory of 2520	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	44
PID 2724 wrote to memory of 2520	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	44
PID 2724 wrote to memory of 1532	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	45
PID 2724 wrote to memory of 1532	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	45
PID 2724 wrote to memory of 1532	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	45
PID 2724 wrote to memory of 1532	2724	{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_419807c225a36a07749867567f9dbf04_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe
  C:\Windows\{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3099~1.EXE > nul
    3⤵
    PID:2628
- - C:\Windows\{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe
    C:\Windows\{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe
      C:\Windows\{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C482~1.EXE > nul
        5⤵
        
        PID:2404
    - - C:\Windows\{9E214315-A58C-4625-937F-989B6384BAC1}.exe
        
        C:\Windows\{9E214315-A58C-4625-937F-989B6384BAC1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe
        
        C:\Windows\{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7BD0~1.EXE > nul
        7⤵
        
        PID:1332
        
        C:\Windows\{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe
        
        C:\Windows\{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe
        
        C:\Windows\{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{122FC503-7B3B-4b94-B918-99188892BFF7}.exe
        
        C:\Windows\{122FC503-7B3B-4b94-B918-99188892BFF7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe
        
        C:\Windows\{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe
        
        C:\Windows\{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\{1030EEFE-BE97-47bc-9880-56829307E054}.exe
        
        C:\Windows\{1030EEFE-BE97-47bc-9880-56829307E054}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1030E~1.EXE > nul
        13⤵
        
        PID:1264
        
        C:\Windows\{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}.exe
        
        C:\Windows\{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}.exe
        13⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B96A4~1.EXE > nul
        12⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79302~1.EXE > nul
        11⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{122FC~1.EXE > nul
        10⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E42B8~1.EXE > nul
        9⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9658B~1.EXE > nul
        8⤵
        
        PID:344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E214~1.EXE > nul
        6⤵
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B439E~1.EXE > nul
      4⤵
      PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1030EEFE-BE97-47bc-9880-56829307E054}.exe

Filesize
372KB

MD5
8fd6632c84b8165002c8be127db892b8

SHA1
ed91b62a51cd2795e58fd9d149f295ae63152cdf

SHA256
1169d01f277b375358e8c3cb376a81d42b33deff35fa5c8fb2dd5dee33e3c638

SHA512
e995c10da5d8114ad91fbd11bed03019f0f5ec59ea7fc64aa91634391600657a993f6234eea6341e809d20c24d157fdf7372c7de5a21aea8a0799651434b20e2

Download Submit
C:\Windows\{122FC503-7B3B-4b94-B918-99188892BFF7}.exe

Filesize
372KB

MD5
b2969d917c55811c46ef8ad37307163a

SHA1
09f8a7388d8aaa4a50bb73392a4cbd5e2f6bfb4c

SHA256
1b300303ec59b61bee6041e4c4bf0639ceec50b61bc38a83e9808df7c2c02080

SHA512
67cc31f6ae9364553095a831320211418afcf7d1cb00b4a47686c3a7a12d3eae947c8566185340667e3f97a709d54cd72165fbcdaf6e93eb2c5ebfb399472c10

Download Submit
C:\Windows\{21DADBA7-B945-46e2-AC3F-46C3027DE6EC}.exe

Filesize
372KB

MD5
89a7d079af43a953c8118a33a33cfd33

SHA1
19e798a1f8a12eca0b020fcf8fe7288541b84cc0

SHA256
b96b4c75e2230d9cea8180fddbc6783727aad1505c57181a7563dd247647e5b9

SHA512
73f9d15eaae972a116e25e2109b5071c418e4896afd57fe3fa19518e6123e60207870888a4761892349ba6b69af8d3dfec82b85c7406061cf67bbb42e100da53

Download Submit
C:\Windows\{79302D16-1CFE-4c0c-BE62-8A9D74869436}.exe

Filesize
372KB

MD5
e926280d1c6d6042dd5476d89e81f1e9

SHA1
53fcd0013c63af8092faf30c90b318d29ce818ac

SHA256
7dbfd5fbf3a7b3e82186ec2c6fc1e782e9c509bdc226740427f61919780af6ef

SHA512
ff4cf441625a50d98f1070600fe2692e28b6d6ceb932c71a1d7886d1f81bf8980bcc1390c0b0ef39586c29404e2d1746c58149be9754271e201771accdc8f6ee

Download Submit
C:\Windows\{9658B2FE-3EBE-41f5-A26F-54E9DCB07C79}.exe

Filesize
372KB

MD5
7b140826ce76f67eb84cadc89dc332d3

SHA1
0545361145b2fe7827faff62a5af9511f63a1775

SHA256
a89a4885963edc26a614fcf9c9895f31f67cdea00e922b1898ce2bfe041e3976

SHA512
280a8026b115a00a4cfc6e03ed402b4af1d67a2fb0653bf1d5fcd5dee641a71aab50f96c7bc9249302f1a61bd04036947fe3ae5b590b56d382a69e9b4edc4f45

Download Submit
C:\Windows\{9C482142-F3F5-4ad4-978C-CE0E7196050C}.exe

Filesize
372KB

MD5
f244ffb7a7f53d41f8dba05776aa2df9

SHA1
f7b4e978b91407f80da457298e7ac3c66ad98031

SHA256
ddccae96707069be1e664b80d0b61f896f1d442212369039d0b66e282cd30253

SHA512
8c81fe450ab2e891ec3ea2b1a8eb36c977e935ee77a427071798b5f0e01e7d333d1f120e1e71728fb0fc15e6c2be7d79361ae9e67964e363014017f8ad2149f8

Download Submit
C:\Windows\{9E214315-A58C-4625-937F-989B6384BAC1}.exe

Filesize
372KB

MD5
235313585774404689be56f5e48a9ca6

SHA1
086eb78ceec50fc92feb3aed8569e2a1531a2afa

SHA256
6f1ce0bd68a9b4ade52b71ddc1ec2adafbf30cc6072b31c5cf5e5e6393326e5d

SHA512
e84a2839f2dbe7793a5a37312fde16e3440666b025b7abf94b9772e9467b4981986718b274478462bb37829325b6fde4ec7123b0b413d1953f95286123e47d06

Download Submit
C:\Windows\{B439EA34-629C-4fcc-AF9B-71035AE39B2E}.exe

Filesize
372KB

MD5
b54ec292e4c0e79053272eded69d2e8b

SHA1
0828e9be3b731bf30330c2fc5e61533b59ee6758

SHA256
6f0fccd70824bb078bcb76689113a43f22769282a00c4f47e53171311923f539

SHA512
679c7097dd5ebc8d9d7f71117e4b394460d5b2a944f76b02a2dff5a80752839d2e247363c4abb52f57edd8713bbfa77ec2f469537c83427d9884eb4824d0f3ef

Download Submit
C:\Windows\{B96A478F-1E7B-44fd-82E9-C407D252EFA3}.exe

Filesize
372KB

MD5
d1052ba276b87d1a324e71d7fa8805d8

SHA1
4a1d2e9965caa14678637e85b623c8277cf3e7aa

SHA256
ff4793fd80511a6e7fd706534e0165e825eafac02ccbcac32bb8a3b711781421

SHA512
7c90fc9ca237db818aa2b520fe5d679683f841de787bd886e94df4899aa51b1703d03b67a275fe7bc5ebba8131ef598e43de5d26e587cad6da20f880c4efe931

Download Submit
C:\Windows\{C7BD06C6-518C-4ea9-9924-424FDA1DAE64}.exe

Filesize
372KB

MD5
6bc8bb62e837d0d7eea1d8b599e62baa

SHA1
ce0bdd9663caa3632adb100651e60b11df16f118

SHA256
1d157841e3c96d08b8f1445c99c6e704c1649a2c1045c71456031b5160d99af3

SHA512
e357b96d0260d3ad36ca4438147fdbeca1cb0fef7c4afd8233cbb83ef468cf114739973452a530be2f6692060e9860dde9445cbb4fe9c14916e738b1ae20ecc0

Download Submit
C:\Windows\{E42B8A15-5AC1-4691-80D0-108D4BDE19F4}.exe

Filesize
372KB

MD5
f0008ea4f3885baebf7fc82e1c5b620c

SHA1
8f565da7cbe3eb5a0e534e70fa4b41d50c8c2c26

SHA256
3d33d881c42854037e4511457a5c902307715ee90e5c57b5aba09b7460f806f0

SHA512
089b362964135bb8e90c2fcea82b1675bb939c0286b68b771b34caa1b8b9cc801b42bb1333c5645376a6ee247fbf87f6d663873b19215b989e96490604ec2c13

Download Submit
C:\Windows\{F3099387-5E64-417d-BF02-74E2FD00B3C2}.exe

Filesize
372KB

MD5
5179a2c6dac5b27a454ca26ecc9dd84d

SHA1
a2c9dce347cc356df6b75386b03bca454a112a36

SHA256
f50012a2d2f7ffe04d837cd31be162610e877d0c680d2526499bd05aef7619b9

SHA512
11a7c226a882a5eca566fad447a1a3fb21a96f0b304ced5581eaf7d5ba821ccaefb1844ed413cd907d48e286d59ff3f2d5d942e53eaf2b335c1b5e748c88e2ef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads