c5d72d41d4534e32e7b58d80b9d70bc0081475f09960417d897dfdfdf7296f05

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe
Size

197KB
MD5

0f1863f60497e9f8226d9f2c057a833a
SHA1

8e5808946ed6e86bfc4c69b1171be79b938ea3f2
SHA256

c5d72d41d4534e32e7b58d80b9d70bc0081475f09960417d897dfdfdf7296f05
SHA512

0924ac0acfe707dca5475819186abc5190bd26e2ee5271cc9cf913f05f2c413f67cff3179371b0de1558cc5ae6b883d1cd6135739d59e39fb16fe66188ba3cf7
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGBlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023222-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023334-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e36d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a1-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e432-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ca-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234b8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233ca-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023115-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002311b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023115-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023117-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4742C07-C90C-4b30-9B87-8FA11531C2ED}	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476064F4-82BC-4465-94D2-B9DECF08FB5A}	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476064F4-82BC-4465-94D2-B9DECF08FB5A}\stubpath = "C:\\Windows\\{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe"	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A0220C-114C-474d-88AC-1086CB6084BB}	{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}\stubpath = "C:\\Windows\\{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe"	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}\stubpath = "C:\\Windows\\{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe"	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}\stubpath = "C:\\Windows\\{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe"	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A43D7000-180A-4c6b-A1E7-838D93092749}\stubpath = "C:\\Windows\\{A43D7000-180A-4c6b-A1E7-838D93092749}.exe"	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4742C07-C90C-4b30-9B87-8FA11531C2ED}\stubpath = "C:\\Windows\\{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe"	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01999D87-7538-478d-B303-087461411FA4}\stubpath = "C:\\Windows\\{01999D87-7538-478d-B303-087461411FA4}.exe"	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937E8A6A-F0B7-458e-BA5D-1530F8959767}	{01999D87-7538-478d-B303-087461411FA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}\stubpath = "C:\\Windows\\{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe"	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}\stubpath = "C:\\Windows\\{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe"	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937E8A6A-F0B7-458e-BA5D-1530F8959767}\stubpath = "C:\\Windows\\{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe"	{01999D87-7538-478d-B303-087461411FA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A43D7000-180A-4c6b-A1E7-838D93092749}	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01999D87-7538-478d-B303-087461411FA4}	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A0220C-114C-474d-88AC-1086CB6084BB}\stubpath = "C:\\Windows\\{11A0220C-114C-474d-88AC-1086CB6084BB}.exe"	{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}\stubpath = "C:\\Windows\\{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe"	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe

Executes dropped EXE 12 IoCs

pid	Process
4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe
3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe
1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe
4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe
3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe
3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe
464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe
1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe
2568	{01999D87-7538-478d-B303-087461411FA4}.exe
1668	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe
1836	{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe
4120	{11A0220C-114C-474d-88AC-1086CB6084BB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe
File created	C:\Windows\{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe
File created	C:\Windows\{A43D7000-180A-4c6b-A1E7-838D93092749}.exe	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe
File created	C:\Windows\{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe
File created	C:\Windows\{01999D87-7538-478d-B303-087461411FA4}.exe	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe
File created	C:\Windows\{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe	{01999D87-7538-478d-B303-087461411FA4}.exe
File created	C:\Windows\{11A0220C-114C-474d-88AC-1086CB6084BB}.exe	{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe
File created	C:\Windows\{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe
File created	C:\Windows\{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe
File created	C:\Windows\{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe
File created	C:\Windows\{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe
File created	C:\Windows\{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1180	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe
Token: SeIncBasePriorityPrivilege	3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe
Token: SeIncBasePriorityPrivilege	1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe
Token: SeIncBasePriorityPrivilege	4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe
Token: SeIncBasePriorityPrivilege	3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe
Token: SeIncBasePriorityPrivilege	3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe
Token: SeIncBasePriorityPrivilege	464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe
Token: SeIncBasePriorityPrivilege	1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe
Token: SeIncBasePriorityPrivilege	2568	{01999D87-7538-478d-B303-087461411FA4}.exe
Token: SeIncBasePriorityPrivilege	1668	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe
Token: SeIncBasePriorityPrivilege	1836	{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 4784	1180	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe	97
PID 1180 wrote to memory of 4784	1180	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe	97
PID 1180 wrote to memory of 4784	1180	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe	97
PID 1180 wrote to memory of 636	1180	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe	98
PID 1180 wrote to memory of 636	1180	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe	98
PID 1180 wrote to memory of 636	1180	2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe	98
PID 4784 wrote to memory of 3604	4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe	101
PID 4784 wrote to memory of 3604	4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe	101
PID 4784 wrote to memory of 3604	4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe	101
PID 4784 wrote to memory of 4484	4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe	102
PID 4784 wrote to memory of 4484	4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe	102
PID 4784 wrote to memory of 4484	4784	{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe	102
PID 3604 wrote to memory of 1908	3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe	105
PID 3604 wrote to memory of 1908	3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe	105
PID 3604 wrote to memory of 1908	3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe	105
PID 3604 wrote to memory of 1460	3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe	106
PID 3604 wrote to memory of 1460	3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe	106
PID 3604 wrote to memory of 1460	3604	{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe	106
PID 1908 wrote to memory of 4656	1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe	107
PID 1908 wrote to memory of 4656	1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe	107
PID 1908 wrote to memory of 4656	1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe	107
PID 1908 wrote to memory of 4540	1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe	108
PID 1908 wrote to memory of 4540	1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe	108
PID 1908 wrote to memory of 4540	1908	{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe	108
PID 4656 wrote to memory of 3308	4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe	109
PID 4656 wrote to memory of 3308	4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe	109
PID 4656 wrote to memory of 3308	4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe	109
PID 4656 wrote to memory of 3376	4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe	110
PID 4656 wrote to memory of 3376	4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe	110
PID 4656 wrote to memory of 3376	4656	{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe	110
PID 3308 wrote to memory of 3524	3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe	112
PID 3308 wrote to memory of 3524	3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe	112
PID 3308 wrote to memory of 3524	3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe	112
PID 3308 wrote to memory of 4520	3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe	113
PID 3308 wrote to memory of 4520	3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe	113
PID 3308 wrote to memory of 4520	3308	{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe	113
PID 3524 wrote to memory of 464	3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe	114
PID 3524 wrote to memory of 464	3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe	114
PID 3524 wrote to memory of 464	3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe	114
PID 3524 wrote to memory of 868	3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe	115
PID 3524 wrote to memory of 868	3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe	115
PID 3524 wrote to memory of 868	3524	{A43D7000-180A-4c6b-A1E7-838D93092749}.exe	115
PID 464 wrote to memory of 1248	464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe	117
PID 464 wrote to memory of 1248	464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe	117
PID 464 wrote to memory of 1248	464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe	117
PID 464 wrote to memory of 1540	464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe	118
PID 464 wrote to memory of 1540	464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe	118
PID 464 wrote to memory of 1540	464	{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe	118
PID 1248 wrote to memory of 2568	1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe	125
PID 1248 wrote to memory of 2568	1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe	125
PID 1248 wrote to memory of 2568	1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe	125
PID 1248 wrote to memory of 1168	1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe	126
PID 1248 wrote to memory of 1168	1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe	126
PID 1248 wrote to memory of 1168	1248	{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe	126
PID 2568 wrote to memory of 1668	2568	{01999D87-7538-478d-B303-087461411FA4}.exe	127
PID 2568 wrote to memory of 1668	2568	{01999D87-7538-478d-B303-087461411FA4}.exe	127
PID 2568 wrote to memory of 1668	2568	{01999D87-7538-478d-B303-087461411FA4}.exe	127
PID 2568 wrote to memory of 1768	2568	{01999D87-7538-478d-B303-087461411FA4}.exe	128
PID 2568 wrote to memory of 1768	2568	{01999D87-7538-478d-B303-087461411FA4}.exe	128
PID 2568 wrote to memory of 1768	2568	{01999D87-7538-478d-B303-087461411FA4}.exe	128
PID 1668 wrote to memory of 1836	1668	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe	129
PID 1668 wrote to memory of 1836	1668	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe	129
PID 1668 wrote to memory of 1836	1668	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe	129
PID 1668 wrote to memory of 2604	1668	{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_0f1863f60497e9f8226d9f2c057a833a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe
  C:\Windows\{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe
    C:\Windows\{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe
      C:\Windows\{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe
        
        C:\Windows\{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe
        
        C:\Windows\{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\{A43D7000-180A-4c6b-A1E7-838D93092749}.exe
        
        C:\Windows\{A43D7000-180A-4c6b-A1E7-838D93092749}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe
        
        C:\Windows\{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe
        
        C:\Windows\{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{01999D87-7538-478d-B303-087461411FA4}.exe
        
        C:\Windows\{01999D87-7538-478d-B303-087461411FA4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe
        
        C:\Windows\{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe
        
        C:\Windows\{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\{11A0220C-114C-474d-88AC-1086CB6084BB}.exe
        
        C:\Windows\{11A0220C-114C-474d-88AC-1086CB6084BB}.exe
        13⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A8F1~1.EXE > nul
        13⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937E8~1.EXE > nul
        12⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01999~1.EXE > nul
        11⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47606~1.EXE > nul
        10⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4742~1.EXE > nul
        9⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A43D7~1.EXE > nul
        8⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE189~1.EXE > nul
        7⤵
        
        PID:4520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2ABD~1.EXE > nul
        6⤵
        
        PID:3376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB81B~1.EXE > nul
        5⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCF1~1.EXE > nul
      4⤵
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A682~1.EXE > nul
    3⤵
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01999D87-7538-478d-B303-087461411FA4}.exe

Filesize
197KB

MD5
e2191d1f8eeeac4da4d118c795da6ba3

SHA1
2286f793c2cdf447d0ec50c1b58ba1455446f1f8

SHA256
5f8c9dd5269e8dc5b2d5de9ca3d4100fd1ffe84036c6d2bed2d0603be441372e

SHA512
7d808606b526299da7fb7d48e1a3a5ec9b4bf714980b9b940746f2deb3fe3f6a5aa329359e2c57fb26cda8d3f520cdc40ebd1c7e5105399893b177f2939cc853

Download Submit
C:\Windows\{0A6822A6-624F-4cc7-9B3F-6765C5907BA8}.exe

Filesize
197KB

MD5
4e812f356c481a6675f38935dce954d2

SHA1
c794610462f4a0d43a068d6882074844aee0ddaa

SHA256
438e716b0840a2d59636315ff4c89a6e71f41aa9ac10e487702a2632f6b45138

SHA512
ca8890249e3afe0d88f653e39ec67a4b3904380a9767c30bed99f11b8ef23ccca59634fb5544214620adef57598bdc491c3814398727061edfe7704f030de8bb

Download Submit
C:\Windows\{11A0220C-114C-474d-88AC-1086CB6084BB}.exe

Filesize
197KB

MD5
f9b3eb55c298fd5f11fba38d3461e30b

SHA1
3dc1f2ace3937d8c671623218ded3bb4a466d770

SHA256
5ee276250467792e6ee13c5d3a1d6cee40aefa4636d6bc82dc1866ac51c92533

SHA512
0b54c3a7cf21ca65571a79b9097d23110d1ab27d16af87d328ed6c80706485c003e2e0b31c0feb95632db7e3a6b91444c4cdc3d02e5f6c477c6186f0c3333cb7

Download Submit
C:\Windows\{3A8F1223-4330-4f05-B4D0-CBC48DE3C3A4}.exe

Filesize
197KB

MD5
9bca13f5fc82c4eac23a960d80ded65e

SHA1
41a3b55ed55783371789529cc32e91ecd404c4a0

SHA256
8375f6ad1916cf0fe70c12b5055a89fa59a43e82462ebf3acae11d469a2f98f4

SHA512
27341aa7de665d62a8cdd51c57230237c28bd06ed91d62f47fceaffa03eb1aaa468f8f0cc716e9e168c330f232641b0aafd5e5e068ee214164beaafeb3bcf43a

Download Submit
C:\Windows\{476064F4-82BC-4465-94D2-B9DECF08FB5A}.exe

Filesize
197KB

MD5
baf310b670171abc60cae61de939d6de

SHA1
51edf06dae6a4ff63af508cc127f32b82a9ef919

SHA256
8dcae108a7bb54516fb4008ca8b78c77f5bbe8fafa500e10a895faaf00ee2c49

SHA512
235ca3a0d04c5434a1eefee063b10ed5955b1b21b031835abb03a9bd0a119a474ca8fdaf7a523e8b41cdc48247c12d8d26d9860972c7876b76f24e294e71334e

Download Submit
C:\Windows\{937E8A6A-F0B7-458e-BA5D-1530F8959767}.exe

Filesize
197KB

MD5
297030098efcc67b45ac02d40dc57014

SHA1
f4a70ab89f2afd6659e2a1891984a7ee4bdd38a4

SHA256
5deb61e26fa5d0558fe8503078a59e11d87e20b83dfad18e00f2abf79cfd9292

SHA512
de4a3022861889afeb1101467ce20db49fc74d4a7724e08ad50533f54b7edd320731a577034f89ec8e6c957c8c9b7bacc621127d2b24399682b7809ccd711887

Download Submit
C:\Windows\{A43D7000-180A-4c6b-A1E7-838D93092749}.exe

Filesize
197KB

MD5
7189cff8bd192ff5b0964e15db0e5052

SHA1
2fd15e0f084402d5cf6af4b255e40ed6bfd10256

SHA256
4e3b71488e50b93a91c1cc5934426bda6ce85fe256eac857b1cdae8a19878b56

SHA512
c6bbac032d3df1e3e89c7a6abd03ea0704090b28b56d025087844e1eb440c791bedafa0142756155050ab46c1bd326a03f8a451853b5bebc0a2537c211b83829

Download Submit
C:\Windows\{AB81BFAF-82A5-4b2f-A354-472716FB6F0A}.exe

Filesize
197KB

MD5
22a822317c215ba2651fe96809841b83

SHA1
793f3471d0c09c6d0349884f2727f9db9818e80e

SHA256
f9b3ad374d4af161ec2703e9477445f8891e79d8880afb6ae507bc77e6a073b5

SHA512
0653407a7a5d240cbb54aaa9e836fc661de2fd8e837133e86c4276d25858856f2f624125c57478ab0d2a79fd8bdf0291171b35c9313ec5804aa4533a4025f99e

Download Submit
C:\Windows\{BFCF13B2-07CA-4730-8D7F-9F2CCD345056}.exe

Filesize
197KB

MD5
a8c67e7941b20355fee298deaf1a0383

SHA1
7c18161659fd75c5a68f01755083697a08d90754

SHA256
8500b9e32f4248a95831fefb3c5436b46c4f4dede798116028ebaab9f7821e7c

SHA512
6df96b80e8ab37179b4405efbc121ce3fc646d3b2f580d6ba81ecf9c5e75f6d8a264c04b19f8b520884a0404314ee47ad397426c1180eba089bbd5db40afd305

Download Submit
C:\Windows\{CE1895C9-A5DC-4b77-9D15-F5F63A2B31E6}.exe

Filesize
197KB

MD5
c896d1cb38462bd77347072c8f6b4c82

SHA1
310565267def728a84ac6867365df9cdfc80d0e1

SHA256
84283ae45ec4748334773bb1c7fb8e471c3fc0b253ee51f9f1b1da20d89e9ea1

SHA512
5a6555b12dd9591e421f1c546d195018235b891585a36e113af5cf68f1b7c861868da49c41be891970a093e47bc21a7cd878be8c77901bc45ca48125de23eb1e

Download Submit
C:\Windows\{F2ABDBFC-5B0F-4801-AF21-AE736D4D5BB5}.exe

Filesize
197KB

MD5
c7754a444ce26c69eb14b7f826194edc

SHA1
12208892b3c7537f93008f8f8e8e1cf6b27ca8ee

SHA256
53c39d821f67432ec53da4d6c16a7aba3b91ee73cd93a91bab09eda5d528d05a

SHA512
4341d7ddd2d3c50de6c41721c62f9faf1626e3c3f133ca4ed6ba0844d5d8b3b040d19c8725c7120647fad6b2669617ba41f7460912663a0f984ef6a8efaadaaa

Download Submit
C:\Windows\{F4742C07-C90C-4b30-9B87-8FA11531C2ED}.exe

Filesize
197KB

MD5
40a7d18b8cd321237b11a025eef46172

SHA1
1b472acd6c6dc2696b0874aff271e3eb7b4e818a

SHA256
6d51d36180db880089447dce5b89e76d8d9e098a91397aacb39a74ddbdab39cb

SHA512
d292b7eb10744630f4507733064e0ca54fa5ac106de5f84e4dacb925f31fcca4dc38482823e452a3815845e81fbf9990082c5c09fcc6e28f4b7b3d13fdfd5c8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads