fed863d5d08f49c4d74dd78fa45a80b88755dad7f38d5927e3da5f278f7a062d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe
Size

197KB
MD5

db23bd041360d85948340a1eae5a6903
SHA1

c1fd999d5223c711c782ca5932f76c1a4f12d6f0
SHA256

fed863d5d08f49c4d74dd78fa45a80b88755dad7f38d5927e3da5f278f7a062d
SHA512

bb3d5331ce2a620c14e2cfef3c533fb8b7141e400a2a07baf0a4f39a10c78cfaf3f6d5221ce984ea67f8f40447da3e4c6241184ba7f587e8b9e100fa209cdf0d
SSDEEP

3072:jEGh0ocl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGilEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x000600000001e7c7-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e7c7-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231bd-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231c4-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231e1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e3f9-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000232e0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000232e0-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023341-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000232e0-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023341-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002335b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023456-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023457-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD792A41-F49B-4a2f-933F-B9B3528E3B87}\stubpath = "C:\\Windows\\{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe"	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E55D01-25ED-4061-8B56-7390C4EC6038}\stubpath = "C:\\Windows\\{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe"	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4261009B-E880-424d-9E5B-63679918FEB3}\stubpath = "C:\\Windows\\{4261009B-E880-424d-9E5B-63679918FEB3}.exe"	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B43484-C98E-449e-9481-3B5A0DBE8E82}	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61BE1382-71CF-4570-8C78-6C7D896AFE38}	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61BE1382-71CF-4570-8C78-6C7D896AFE38}\stubpath = "C:\\Windows\\{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe"	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}\stubpath = "C:\\Windows\\{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe"	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD792A41-F49B-4a2f-933F-B9B3528E3B87}	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B770DC-164D-4786-AB7C-F105A4A3629D}	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40D0392-82A3-49fb-A1F6-5A6804075EAF}\stubpath = "C:\\Windows\\{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe"	{4261009B-E880-424d-9E5B-63679918FEB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B43484-C98E-449e-9481-3B5A0DBE8E82}\stubpath = "C:\\Windows\\{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe"	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F0B19FF-FB30-4377-81E4-75DC908B9055}\stubpath = "C:\\Windows\\{2F0B19FF-FB30-4377-81E4-75DC908B9055}.exe"	{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F0B19FF-FB30-4377-81E4-75DC908B9055}	{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}\stubpath = "C:\\Windows\\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe"	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4261009B-E880-424d-9E5B-63679918FEB3}	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45385EEC-0C39-4327-931C-4B26EBBC0C50}	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D99B6913-890B-4eab-B40B-6E2B37960E41}	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40D0392-82A3-49fb-A1F6-5A6804075EAF}	{4261009B-E880-424d-9E5B-63679918FEB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45385EEC-0C39-4327-931C-4B26EBBC0C50}\stubpath = "C:\\Windows\\{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe"	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D99B6913-890B-4eab-B40B-6E2B37960E41}\stubpath = "C:\\Windows\\{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe"	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B770DC-164D-4786-AB7C-F105A4A3629D}\stubpath = "C:\\Windows\\{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe"	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E55D01-25ED-4061-8B56-7390C4EC6038}	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe

Deletes itself 1 IoCs

pid	Process
448	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe
2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe
2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe
3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe
4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe
4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe
2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe
1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe
2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe
4120	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe
3808	{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe
2972	{2F0B19FF-FB30-4377-81E4-75DC908B9055}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe
File created	C:\Windows\{4261009B-E880-424d-9E5B-63679918FEB3}.exe	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe
File created	C:\Windows\{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe	{4261009B-E880-424d-9E5B-63679918FEB3}.exe
File created	C:\Windows\{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe
File created	C:\Windows\{2F0B19FF-FB30-4377-81E4-75DC908B9055}.exe	{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe
File created	C:\Windows\{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe
File created	C:\Windows\{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe
File created	C:\Windows\{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe
File created	C:\Windows\{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe
File created	C:\Windows\{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe
File created	C:\Windows\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe
File created	C:\Windows\{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4680	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe
Token: SeIncBasePriorityPrivilege	2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe
Token: SeIncBasePriorityPrivilege	2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe
Token: SeIncBasePriorityPrivilege	3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe
Token: SeIncBasePriorityPrivilege	4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe
Token: SeIncBasePriorityPrivilege	4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe
Token: SeIncBasePriorityPrivilege	2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe
Token: SeIncBasePriorityPrivilege	1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe
Token: SeIncBasePriorityPrivilege	2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe
Token: SeIncBasePriorityPrivilege	4120	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe
Token: SeIncBasePriorityPrivilege	3808	{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4844	4680	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe	93
PID 4680 wrote to memory of 4844	4680	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe	93
PID 4680 wrote to memory of 4844	4680	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe	93
PID 4680 wrote to memory of 448	4680	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe	94
PID 4680 wrote to memory of 448	4680	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe	94
PID 4680 wrote to memory of 448	4680	2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe	94
PID 4844 wrote to memory of 2660	4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe	97
PID 4844 wrote to memory of 2660	4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe	97
PID 4844 wrote to memory of 2660	4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe	97
PID 4844 wrote to memory of 4852	4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe	98
PID 4844 wrote to memory of 4852	4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe	98
PID 4844 wrote to memory of 4852	4844	{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe	98
PID 2660 wrote to memory of 2160	2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe	100
PID 2660 wrote to memory of 2160	2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe	100
PID 2660 wrote to memory of 2160	2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe	100
PID 2660 wrote to memory of 3592	2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe	101
PID 2660 wrote to memory of 3592	2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe	101
PID 2660 wrote to memory of 3592	2660	{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe	101
PID 2160 wrote to memory of 3660	2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe	107
PID 2160 wrote to memory of 3660	2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe	107
PID 2160 wrote to memory of 3660	2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe	107
PID 2160 wrote to memory of 4572	2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe	108
PID 2160 wrote to memory of 4572	2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe	108
PID 2160 wrote to memory of 4572	2160	{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe	108
PID 3660 wrote to memory of 4024	3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe	109
PID 3660 wrote to memory of 4024	3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe	109
PID 3660 wrote to memory of 4024	3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe	109
PID 3660 wrote to memory of 4452	3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe	110
PID 3660 wrote to memory of 4452	3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe	110
PID 3660 wrote to memory of 4452	3660	{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe	110
PID 4024 wrote to memory of 4804	4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe	111
PID 4024 wrote to memory of 4804	4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe	111
PID 4024 wrote to memory of 4804	4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe	111
PID 4024 wrote to memory of 4840	4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe	112
PID 4024 wrote to memory of 4840	4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe	112
PID 4024 wrote to memory of 4840	4024	{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe	112
PID 4804 wrote to memory of 2456	4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe	117
PID 4804 wrote to memory of 2456	4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe	117
PID 4804 wrote to memory of 2456	4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe	117
PID 4804 wrote to memory of 232	4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe	118
PID 4804 wrote to memory of 232	4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe	118
PID 4804 wrote to memory of 232	4804	{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe	118
PID 2456 wrote to memory of 1036	2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe	119
PID 2456 wrote to memory of 1036	2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe	119
PID 2456 wrote to memory of 1036	2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe	119
PID 2456 wrote to memory of 4960	2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe	120
PID 2456 wrote to memory of 4960	2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe	120
PID 2456 wrote to memory of 4960	2456	{4261009B-E880-424d-9E5B-63679918FEB3}.exe	120
PID 1036 wrote to memory of 2344	1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe	121
PID 1036 wrote to memory of 2344	1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe	121
PID 1036 wrote to memory of 2344	1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe	121
PID 1036 wrote to memory of 1696	1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe	122
PID 1036 wrote to memory of 1696	1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe	122
PID 1036 wrote to memory of 1696	1036	{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe	122
PID 2344 wrote to memory of 4120	2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe	123
PID 2344 wrote to memory of 4120	2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe	123
PID 2344 wrote to memory of 4120	2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe	123
PID 2344 wrote to memory of 916	2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe	124
PID 2344 wrote to memory of 916	2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe	124
PID 2344 wrote to memory of 916	2344	{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe	124
PID 4120 wrote to memory of 3808	4120	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe	125
PID 4120 wrote to memory of 3808	4120	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe	125
PID 4120 wrote to memory of 3808	4120	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe	125
PID 4120 wrote to memory of 3092	4120	{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_db23bd041360d85948340a1eae5a6903_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe
  C:\Windows\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe
    C:\Windows\{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe
      C:\Windows\{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe
        
        C:\Windows\{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe
        
        C:\Windows\{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe
        
        C:\Windows\{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{4261009B-E880-424d-9E5B-63679918FEB3}.exe
        
        C:\Windows\{4261009B-E880-424d-9E5B-63679918FEB3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe
        
        C:\Windows\{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe
        
        C:\Windows\{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe
        
        C:\Windows\{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe
        
        C:\Windows\{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\{2F0B19FF-FB30-4377-81E4-75DC908B9055}.exe
        
        C:\Windows\{2F0B19FF-FB30-4377-81E4-75DC908B9055}.exe
        13⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5B43~1.EXE > nul
        13⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D99B6~1.EXE > nul
        12⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45385~1.EXE > nul
        11⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A40D0~1.EXE > nul
        10⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42610~1.EXE > nul
        9⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E55~1.EXE > nul
        8⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD792~1.EXE > nul
        7⤵
        
        PID:4840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34892~1.EXE > nul
        6⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24B77~1.EXE > nul
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{61BE1~1.EXE > nul
      4⤵
      PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2F8E~1.EXE > nul
    3⤵
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24B770DC-164D-4786-AB7C-F105A4A3629D}.exe

Filesize
197KB

MD5
328a635ba2886426371330e7eb252ff5

SHA1
b888ce55faf51cdcdfbe8197a17fe4cc4055bdab

SHA256
78abfe728834fe033dca615c128e71bbccd976066f0a991d4b723f58338178b4

SHA512
0eef24e3bcc9f98053499a50fe7ae308fae31aab38f02ed1015b0273d74b3654caceae1cc06c809e1185fab24184c9070314303f2bf3aee5b56b67b277af1394

Download Submit
C:\Windows\{24E55D01-25ED-4061-8B56-7390C4EC6038}.exe

Filesize
197KB

MD5
d5adde9afb5096f7d4911ae78298430c

SHA1
a84f302366b0a2ff1ac939a571a512b5ff0e8455

SHA256
ba65be2b38ba40dabdcc8fb9dec28b50b30fc1193e6837969220357a953b52f8

SHA512
901836c3f9512b5b1b1cc30a4fe95f13f8843970ce15f71217558ad363d3566c4cf697e11a20aa6030261ca5a9342061c1b58328e9dc7e47aaf4ab3704fa69fe

Download Submit
C:\Windows\{2F0B19FF-FB30-4377-81E4-75DC908B9055}.exe

Filesize
197KB

MD5
08ac15e26efa0daa2f2dec2f43562c6b

SHA1
4b67a2644cd96a88745bf270928d41eb92c4d09f

SHA256
701ed5d0040f70e060fcfe873685ff35d7bed4ab773331f6422a4267502cc1d0

SHA512
c1cb1a37f3db42d4b6aa55d523d361768a399f8d8ee8b6960b17e4b4cf243bbddc5ee7173dd274fa588697e616daf3518689ba29156933908af77e9ff2624c5d

Download Submit
C:\Windows\{34892F1F-8E02-4d12-9B05-3AA8F2E243BD}.exe

Filesize
197KB

MD5
8d255c9b6b9285060dfc0ba08d15adaa

SHA1
6d0bf28dcd618aa2eb1598c64413268f17bff866

SHA256
34d805f8fe09bdb5e4e696f94742172033f4198cee62fe62fd599334b91cd6cd

SHA512
78e4f3b1ea4f80104919955da39f5ddbdb2653ca555850d17de4313e4af229d423d0832f4cbe71cdf7cae514da7aa273d12446b180dc36f5bdcef13d73fb04f5

Download Submit
C:\Windows\{4261009B-E880-424d-9E5B-63679918FEB3}.exe

Filesize
197KB

MD5
da94f2817cdd970c86060f135196f82d

SHA1
67d298bba64cc298f0e40f541dddd042897150ab

SHA256
42ed74b6b7ab817c39b10566e8a72976552b538b76cd3e42b5f2084ee5d675c8

SHA512
0a7207e9a4bd2244f83f18e9bfb0252a7820f53a899e0a55b2a07e3fc2c218a792177dd557b6f6387d689dd350dcf51b4fff5e1887e2211d295db3d47950e9c8

Download Submit
C:\Windows\{45385EEC-0C39-4327-931C-4B26EBBC0C50}.exe

Filesize
197KB

MD5
60768b8e1397eae2cdeffc3046954b31

SHA1
d678085233382f443fd13d3ef0a132bee4694658

SHA256
f502313797efff448f6b5aa04547bf4ac49772a94741b9756ab2aaae765022e1

SHA512
88be8bae2e85aa19e08d16f5b61fb7af1bab0e7ddfcbf68c659a2eeffc576904827e4aead702e8582260ce98efeeaf543e37fdd3064f2f09a24e2b7c7a610f7c

Download Submit
C:\Windows\{61BE1382-71CF-4570-8C78-6C7D896AFE38}.exe

Filesize
197KB

MD5
85459b0165922fa54555d2bf4bc9a494

SHA1
d5a25609ba9aa69f48530ffd1af4b8d48f7fb353

SHA256
0f7f4ef26b1aa8bd0ea67595348a106d64d613259d4b10f82e117b1a404bb56b

SHA512
8c45f5c319b6c4fc6fff7ad50a3b20da05eddcf455df6d6e55148f9684d0b4be590e02a5082e72ca755d0893d8a46285d24190e00cf8f66d302f9daac7d27ddb

Download Submit
C:\Windows\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe

Filesize
197KB

MD5
721c4b747b529c99602c37cac7063c3e

SHA1
246a9a851ea34d3bd83a5fcd10a3af3c3e5ec95e

SHA256
654d7b08e8a651d9c4c2387fcca8711686080e3c998cc4108b3d97bb0f8d5880

SHA512
cbc19add28160a0b54c678ff1f0647a3a9350e5a79cd210547e0ac548be82822357ebd819a596f2356abe17dffca22aa0342c051fe5f0b76d25e4e088d944653

Download Submit
C:\Windows\{A2F8EE0B-1E2B-4fd6-8308-F5EB65D49408}.exe

Filesize
103KB

MD5
20a8857c16a597ed13e500a6fa346f5a

SHA1
3e8d884be68af54cd7a5b52532d88016566d13c0

SHA256
d030047b6ca9dbf49102db2d321ec75065b539554eaeb38e3a3001492ebd7c04

SHA512
95fac3a704a09d5f962a7985913be3ef39869ec8f0950c090d8430170da58e3e063fa45f5420ab74d4fba86bc900cbf2746bdfc04f362b84d6a795844fdb4e81

Download Submit
C:\Windows\{A40D0392-82A3-49fb-A1F6-5A6804075EAF}.exe

Filesize
197KB

MD5
f32e44986f6276eda95b30429945254b

SHA1
ff2e443df126695163ebab77070bfc21a33a7f03

SHA256
fafed0daa31b4ba1a7b2b449f5b0b6f03c2db321eece00a1386ce8ce6499bb07

SHA512
31f120a43022dbe8849f78087f068b01c0c5779809fede310fb7eb4b125eedb645f586aff86871efe179bfafbd4b86d0bf261389019171ed6d7c3ed47a2fcf63

Download Submit
C:\Windows\{C5B43484-C98E-449e-9481-3B5A0DBE8E82}.exe

Filesize
197KB

MD5
28a6ba57ce9bf5353afa3c4de0efafd9

SHA1
9858fa616e0814fce1c8bf5ddb086e8abc2a4aca

SHA256
815b28e9ce50e27704831f39db3ec190318f2dfb5d5dc4b6366f6a98fefc334a

SHA512
6385e0b1c6180ce86a1373bf2fdbbd15690ab6113562f4416014936cd738be4b2bdb7acad177012a099eea913ed66e40c5a4c9ff37f1d0ecacfeba25615999ca

Download Submit
C:\Windows\{CD792A41-F49B-4a2f-933F-B9B3528E3B87}.exe

Filesize
197KB

MD5
f104ac46f491ea39bbfc9d5da8d8b998

SHA1
9599282cc44fffaed2f21d397ec156cef51c545e

SHA256
5ebb2a53127cf0f0c2e29d1d9ece926019462bad1ed659970a879767615d2148

SHA512
89e5e0c66a33f425fdebdc076e6611f94ee394ed8144ba4b8ef3f4fee313ddcda48054f5d0efa363d0f9add022cad636ce907c19590289eeae78a98a5dca92f6

Download Submit
C:\Windows\{D99B6913-890B-4eab-B40B-6E2B37960E41}.exe

Filesize
197KB

MD5
3776f2cf597c596f3f17eb768162ff1b

SHA1
d4c1b8b8755897b7e9c0a25e84e48f6b86d95385

SHA256
99d55b6f046eaad18b87cc587225fb0b794db9a2996425ec844287ef1f07da20

SHA512
750e0df307035462be24ff0d8e34517952c21f4fc4978389a58bc79017357ba48133982df94f2251c0b4db69ae9a6fe7f4048736a6b83d16aa4c1d09d4c8fd00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads