4daeb73bb8ad67081a8b7062777a52bc5d4ad3d0bdfc93e1a78959d26e6e5041

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe
Size

372KB
MD5

f3b7a8472e24168f3fe449096a1c26ba
SHA1

56866bbed30eab7f9344211fc7502b401b44fd84
SHA256

4daeb73bb8ad67081a8b7062777a52bc5d4ad3d0bdfc93e1a78959d26e6e5041
SHA512

8956fbba95cead6956d06f2534fe3f1d52c8cef3cab1b868734678b3b31f467c891429bc821f5e3dd7243e58794cf3f3833b783ad2802bef6d6ecaf1c74429ec
SSDEEP

3072:CEGh0oomlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGfl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023230-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023231-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023239-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e747-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023239-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e747-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006d5-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e747-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000006d5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e747-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006d5-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e747-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{869E6BDE-621A-4090-A794-687446EBFE06}	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}	{00221638-36E7-4df9-8735-961C957A1A8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}\stubpath = "C:\\Windows\\{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe"	{00221638-36E7-4df9-8735-961C957A1A8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{194F5FB3-B34C-4e79-9408-5B61D6634F85}	{5056C49B-533E-45b0-80F1-1721D275D069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}\stubpath = "C:\\Windows\\{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}.exe"	{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}\stubpath = "C:\\Windows\\{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe"	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00221638-36E7-4df9-8735-961C957A1A8E}\stubpath = "C:\\Windows\\{00221638-36E7-4df9-8735-961C957A1A8E}.exe"	{869E6BDE-621A-4090-A794-687446EBFE06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5056C49B-533E-45b0-80F1-1721D275D069}	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5056C49B-533E-45b0-80F1-1721D275D069}\stubpath = "C:\\Windows\\{5056C49B-533E-45b0-80F1-1721D275D069}.exe"	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{194F5FB3-B34C-4e79-9408-5B61D6634F85}\stubpath = "C:\\Windows\\{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe"	{5056C49B-533E-45b0-80F1-1721D275D069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}\stubpath = "C:\\Windows\\{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe"	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{869E6BDE-621A-4090-A794-687446EBFE06}\stubpath = "C:\\Windows\\{869E6BDE-621A-4090-A794-687446EBFE06}.exe"	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00221638-36E7-4df9-8735-961C957A1A8E}	{869E6BDE-621A-4090-A794-687446EBFE06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A633C65B-EADB-4b7a-89C5-340C72E45A01}	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A633C65B-EADB-4b7a-89C5-340C72E45A01}\stubpath = "C:\\Windows\\{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe"	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62A66FAB-02AC-4637-9740-F81F51E0192C}	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}\stubpath = "C:\\Windows\\{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe"	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}\stubpath = "C:\\Windows\\{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe"	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62A66FAB-02AC-4637-9740-F81F51E0192C}\stubpath = "C:\\Windows\\{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe"	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}	{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe

Executes dropped EXE 12 IoCs

pid	Process
4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe
4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe
3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe
1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe
408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe
3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe
5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe
4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe
4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe
4448	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe
4444	{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe
4512	{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe
File created	C:\Windows\{869E6BDE-621A-4090-A794-687446EBFE06}.exe	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe
File created	C:\Windows\{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe	{00221638-36E7-4df9-8735-961C957A1A8E}.exe
File created	C:\Windows\{5056C49B-533E-45b0-80F1-1721D275D069}.exe	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe
File created	C:\Windows\{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe
File created	C:\Windows\{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe
File created	C:\Windows\{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe
File created	C:\Windows\{00221638-36E7-4df9-8735-961C957A1A8E}.exe	{869E6BDE-621A-4090-A794-687446EBFE06}.exe
File created	C:\Windows\{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe
File created	C:\Windows\{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe	{5056C49B-533E-45b0-80F1-1721D275D069}.exe
File created	C:\Windows\{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe
File created	C:\Windows\{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}.exe	{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3124	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe
Token: SeIncBasePriorityPrivilege	4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe
Token: SeIncBasePriorityPrivilege	3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe
Token: SeIncBasePriorityPrivilege	1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe
Token: SeIncBasePriorityPrivilege	408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe
Token: SeIncBasePriorityPrivilege	3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe
Token: SeIncBasePriorityPrivilege	5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe
Token: SeIncBasePriorityPrivilege	4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe
Token: SeIncBasePriorityPrivilege	4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe
Token: SeIncBasePriorityPrivilege	4448	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe
Token: SeIncBasePriorityPrivilege	4444	{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4188	3124	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe	92
PID 3124 wrote to memory of 4188	3124	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe	92
PID 3124 wrote to memory of 4188	3124	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe	92
PID 3124 wrote to memory of 3120	3124	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe	93
PID 3124 wrote to memory of 3120	3124	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe	93
PID 3124 wrote to memory of 3120	3124	2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe	93
PID 4188 wrote to memory of 4272	4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe	94
PID 4188 wrote to memory of 4272	4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe	94
PID 4188 wrote to memory of 4272	4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe	94
PID 4188 wrote to memory of 3232	4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe	95
PID 4188 wrote to memory of 3232	4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe	95
PID 4188 wrote to memory of 3232	4188	{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe	95
PID 4272 wrote to memory of 3592	4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe	98
PID 4272 wrote to memory of 3592	4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe	98
PID 4272 wrote to memory of 3592	4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe	98
PID 4272 wrote to memory of 4348	4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe	99
PID 4272 wrote to memory of 4348	4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe	99
PID 4272 wrote to memory of 4348	4272	{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe	99
PID 3592 wrote to memory of 1524	3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe	102
PID 3592 wrote to memory of 1524	3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe	102
PID 3592 wrote to memory of 1524	3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe	102
PID 3592 wrote to memory of 2844	3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe	103
PID 3592 wrote to memory of 2844	3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe	103
PID 3592 wrote to memory of 2844	3592	{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe	103
PID 1524 wrote to memory of 408	1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe	104
PID 1524 wrote to memory of 408	1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe	104
PID 1524 wrote to memory of 408	1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe	104
PID 1524 wrote to memory of 1504	1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe	105
PID 1524 wrote to memory of 1504	1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe	105
PID 1524 wrote to memory of 1504	1524	{869E6BDE-621A-4090-A794-687446EBFE06}.exe	105
PID 408 wrote to memory of 3800	408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe	106
PID 408 wrote to memory of 3800	408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe	106
PID 408 wrote to memory of 3800	408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe	106
PID 408 wrote to memory of 5008	408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe	107
PID 408 wrote to memory of 5008	408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe	107
PID 408 wrote to memory of 5008	408	{00221638-36E7-4df9-8735-961C957A1A8E}.exe	107
PID 3800 wrote to memory of 5024	3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe	108
PID 3800 wrote to memory of 5024	3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe	108
PID 3800 wrote to memory of 5024	3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe	108
PID 3800 wrote to memory of 2384	3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe	109
PID 3800 wrote to memory of 2384	3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe	109
PID 3800 wrote to memory of 2384	3800	{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe	109
PID 5024 wrote to memory of 4092	5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe	110
PID 5024 wrote to memory of 4092	5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe	110
PID 5024 wrote to memory of 4092	5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe	110
PID 5024 wrote to memory of 3244	5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe	111
PID 5024 wrote to memory of 3244	5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe	111
PID 5024 wrote to memory of 3244	5024	{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe	111
PID 4092 wrote to memory of 4236	4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe	112
PID 4092 wrote to memory of 4236	4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe	112
PID 4092 wrote to memory of 4236	4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe	112
PID 4092 wrote to memory of 2084	4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe	113
PID 4092 wrote to memory of 2084	4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe	113
PID 4092 wrote to memory of 2084	4092	{5056C49B-533E-45b0-80F1-1721D275D069}.exe	113
PID 4236 wrote to memory of 4448	4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe	114
PID 4236 wrote to memory of 4448	4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe	114
PID 4236 wrote to memory of 4448	4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe	114
PID 4236 wrote to memory of 1452	4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe	115
PID 4236 wrote to memory of 1452	4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe	115
PID 4236 wrote to memory of 1452	4236	{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe	115
PID 4448 wrote to memory of 4444	4448	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe	116
PID 4448 wrote to memory of 4444	4448	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe	116
PID 4448 wrote to memory of 4444	4448	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe	116
PID 4448 wrote to memory of 3572	4448	{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-29_f3b7a8472e24168f3fe449096a1c26ba_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe
  C:\Windows\{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe
    C:\Windows\{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe
      C:\Windows\{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\{869E6BDE-621A-4090-A794-687446EBFE06}.exe
        
        C:\Windows\{869E6BDE-621A-4090-A794-687446EBFE06}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\{00221638-36E7-4df9-8735-961C957A1A8E}.exe
        
        C:\Windows\{00221638-36E7-4df9-8735-961C957A1A8E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe
        
        C:\Windows\{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe
        
        C:\Windows\{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{5056C49B-533E-45b0-80F1-1721D275D069}.exe
        
        C:\Windows\{5056C49B-533E-45b0-80F1-1721D275D069}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe
        
        C:\Windows\{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe
        
        C:\Windows\{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe
        
        C:\Windows\{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}.exe
        
        C:\Windows\{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62A66~1.EXE > nul
        13⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A633C~1.EXE > nul
        12⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{194F5~1.EXE > nul
        11⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5056C~1.EXE > nul
        10⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6C8~1.EXE > nul
        9⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C3F3~1.EXE > nul
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00221~1.EXE > nul
        7⤵
        
        PID:5008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{869E6~1.EXE > nul
        6⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C23~1.EXE > nul
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E3333~1.EXE > nul
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A7FC~1.EXE > nul
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00221638-36E7-4df9-8735-961C957A1A8E}.exe

Filesize
372KB

MD5
56c9d1d583ccdca9ce19548ece252dc3

SHA1
e87db22f36ad45feae876c5d73270806a0d74e05

SHA256
62cb95662c65fa1ff6cd36d1420578d2ff4618921c7e9746ec5c2f1b794a7061

SHA512
88aed50c04d960a7b417421bda7a977e1686ce04dcb55fc81766b44d0672da018ccb819fcd4ceec6c16e8e28fa01a2ac3bd5ddebc19317d0fdbcbd934cb12e1c

Download Submit
C:\Windows\{194F5FB3-B34C-4e79-9408-5B61D6634F85}.exe

Filesize
372KB

MD5
eaa92a66df401fe197b7e9940d2089e0

SHA1
338442127f2a7e06331ac85ecd44205eb8188a7e

SHA256
463db1884cc7d0b38b165c1a171624b43476fef2448e4007857e1884523a1b6a

SHA512
f3f9cd8d3a5e8ad27cf309c4b524b948a5a20afac81296a74b1d9a45806699fce512fae8aec6d545bdc3b4473c598ef41784929bcca21ae374c61b35b7292b21

Download Submit
C:\Windows\{2A7FC53D-AF9B-42d2-89C5-1AC0773B6452}.exe

Filesize
372KB

MD5
c4b31147ec4655c85d97129b98055fd6

SHA1
45f626bbe59498a405665069025cc11eba753d39

SHA256
4a82bdba811636036f737670557247dd319b1db1c4831753f230001069258986

SHA512
86fc714025fa7f75ea52ddd1a29f9841fbf607a14fcacac766468b0fd49fe0042d651102539e25965124b259da326f1e36ffcda7d0f49b79d4096d0d7f53fe70

Download Submit
C:\Windows\{35C23385-4F0D-4e80-B1D4-C80A3F47E2F4}.exe

Filesize
372KB

MD5
0c139a5dc26154b6526b8cfc1c0e5251

SHA1
e51bff9d1188841a0078fee8a726a82a69e3b6df

SHA256
40cd9838ed90a427230f6db7d7b22d24eb377de3afc0ac7c3a91b611a567859b

SHA512
204734078c0cb7b95417bc8b289cd680243d612b9af9a59a51fb8b2ee32de31e8aa02ed6b3eb0d4c4d8838a045a6b79af8b897b12849699ef6348131637bad12

Download Submit
C:\Windows\{3C3F3DB6-4D51-4fa0-B808-25B787C3AB86}.exe

Filesize
372KB

MD5
25df5f151b2da7cb0ea782a7920a6e4b

SHA1
a482f5548e07718c015d77e772ea58a3fe3e4064

SHA256
22481160da72f41b1dbbf0be38706cd49e4eb5b68a9e1f8edc785cd0609b72e1

SHA512
388eb16af71a1a1e30dc63d624fd28e97cba29a4e308b994d0fa1de8e6cb9e650d91b82cd405576fea8d472e45de3a7cf1bb2c1ea8e011b7c49bf3fb62b345f9

Download Submit
C:\Windows\{4F529D35-493A-4a8c-9A5C-E7304AD9BDBF}.exe

Filesize
372KB

MD5
dbf6e04dbeed276b8aea0913908ea38e

SHA1
695d4812bbd47afcdfbcd1fb1b9c5144f54c9d29

SHA256
1148df32a69566ea5b632f7469cfdb2e597dd3371e76305555227652de584e0d

SHA512
c9a218c2a37a7bf81dee2953155d33c4425c6a07335c7b06dbc97319d1d2e8cc01d707eb09324a75c218259dbd6ddc2d046b61e8d3949c2145766bd26c8a6b5c

Download Submit
C:\Windows\{5056C49B-533E-45b0-80F1-1721D275D069}.exe

Filesize
372KB

MD5
ad88d06d778f418e4d0d46cffac67762

SHA1
07df91d7f0297ed7d47c49c0eb1e689f921aef87

SHA256
3e2bac0f71de6d48a28f8bbf33e80809d2504579579495990bfb22c36139bae4

SHA512
14bf4716c30b109c8d58405e024186da044a44da6c03c6b2e878bc7cbbd7d047d8d46bcd9014341f112ceeb9b2c1d5802e36c77cf93bef8659b2d370c82d3d9f

Download Submit
C:\Windows\{62A66FAB-02AC-4637-9740-F81F51E0192C}.exe

Filesize
372KB

MD5
e75d4276ce2c3c9e99f97940b6af1f7d

SHA1
c193697c4d9febcb432aa041b961a9006a85c3f1

SHA256
d60fa8f2548b099848ff45acaa7b0c17489cfa3bf8b148dbe9d890302edbea84

SHA512
cbedadc6b7dbc450111dcb9e15de51b94199f8afef82d1a0e3c668f936a81a1b7a16156b2b26e6d00a8ec0508850c384644dd3e69a8110b329fb617fce7ddc2e

Download Submit
C:\Windows\{869E6BDE-621A-4090-A794-687446EBFE06}.exe

Filesize
372KB

MD5
9f92b68558bba0bd3f8a9a5ff6bb2b0d

SHA1
6a3a05f39fca2baa72aaee446024aa096f2c91f8

SHA256
c692aa6b7666fdee4f90aeaf8b0c3290f7b6ea318352ea578a5cdcdf574f57e0

SHA512
3e9bf099b9f6d41bbf19b39772586d30d4e98779f468da60bb597249f1379564f80954b7d96c762a006989d82e7568464a0e3885caf3493e468631ef0deadfc0

Download Submit
C:\Windows\{A633C65B-EADB-4b7a-89C5-340C72E45A01}.exe

Filesize
372KB

MD5
7fe4bd9138953875d536f6b2d91543e0

SHA1
9fedfbcb09ed287d9218bf53c5bc835059a04c98

SHA256
6fd0508a6fd71c451bee4ca48573d61b51488a1addb75132ed34d8584b2b96f6

SHA512
638c52126f2e15ae0c668930803c3382e10597e9213486d1e3421c97ba25c3b0b44d1c9d0579f37ce2c6396907e713277bf56ed71249bad9379ceeb5a7ac286a

Download Submit
C:\Windows\{DA6C8261-7574-49e3-9864-8BFAEE2BE7E6}.exe

Filesize
372KB

MD5
d71bf7661e3c9065e3bd7bf1fbf12245

SHA1
db823d657748978db722c470a292205f32a60f24

SHA256
1f07ddfc0b7fa8686789608ea6fca921390e17046a43b5d4ec1ca8a70223c013

SHA512
50495671db043774d97c23783e91d61d3b5f89b1ffec89ef8ee3eb362a38804f62803faa80e4893887b7ddd3ab7e4148757240e39763a2fa6c62f0024d468289

Download Submit
C:\Windows\{E3333DB2-1601-42f2-A3C7-BECEA98F5B24}.exe

Filesize
372KB

MD5
e763fdf49da0618a2ca687892afdf757

SHA1
a4d3b40487b2e2dd1397b04ca23ebd4b8339d182

SHA256
655d1c1a5f4015ea797cfd209671da2274325c3febd878a6d9298bd46472b595

SHA512
5fb2fba6c5486b6d4715a2017222d12f7169af13588b9b7ecea00266dce8a249a99c40516999a0d298883937bcd38979d188f03cb781c2c4970ba450d36794b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads