a480fe4497f84dee8ad98b03b9c08797e602033b51305de1d580385ef96dd0aa

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Size

168KB
MD5

c7866b37d5713a574f64fcba06163cd1
SHA1

78e61ab87c64ab6ab040a3e07af7be3de7991a15
SHA256

a480fe4497f84dee8ad98b03b9c08797e602033b51305de1d580385ef96dd0aa
SHA512

3711756914dd54cabd29c7f718782960017c2cdb797c3d6eb64be96df3389fbb75bb3bb968e5e3cc6814144bc3555075636f42562273279dfa0c4190810c1b4b
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023215-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023229-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016923-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000016976-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023397-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000016976-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234ad-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000016976-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e30d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000016976-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e30d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002312c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5C0D798-00B6-44c3-9B96-A0A727304734}\stubpath = "C:\\Windows\\{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe"	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437A097B-21A3-4625-990A-AE9512270077}	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}	{437A097B-21A3-4625-990A-AE9512270077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C68600F-C8CB-4693-936B-642F7F58E9A2}\stubpath = "C:\\Windows\\{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe"	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5C0D798-00B6-44c3-9B96-A0A727304734}	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}\stubpath = "C:\\Windows\\{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe"	{437A097B-21A3-4625-990A-AE9512270077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E23151E7-E06D-4596-ADF7-D6A5758878EB}	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}	{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}\stubpath = "C:\\Windows\\{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}.exe"	{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}\stubpath = "C:\\Windows\\{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe"	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8012B81E-544F-4aed-B61D-F83FD26999C6}	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}\stubpath = "C:\\Windows\\{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe"	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437A097B-21A3-4625-990A-AE9512270077}\stubpath = "C:\\Windows\\{437A097B-21A3-4625-990A-AE9512270077}.exe"	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E23151E7-E06D-4596-ADF7-D6A5758878EB}\stubpath = "C:\\Windows\\{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe"	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8012B81E-544F-4aed-B61D-F83FD26999C6}\stubpath = "C:\\Windows\\{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe"	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C68600F-C8CB-4693-936B-642F7F58E9A2}	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAB5CF6-77D3-4213-A9B9-888272244428}\stubpath = "C:\\Windows\\{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe"	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B73C6E34-CDED-4f74-AD10-024B57593D7C}	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B73C6E34-CDED-4f74-AD10-024B57593D7C}\stubpath = "C:\\Windows\\{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe"	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}\stubpath = "C:\\Windows\\{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe"	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAB5CF6-77D3-4213-A9B9-888272244428}	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe

Executes dropped EXE 12 IoCs

pid	Process
3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe
4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe
4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe
3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe
2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe
4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe
4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe
1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe
4828	{437A097B-21A3-4625-990A-AE9512270077}.exe
4316	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe
3476	{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe
972	{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe
File created	C:\Windows\{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}.exe	{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe
File created	C:\Windows\{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
File created	C:\Windows\{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe
File created	C:\Windows\{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe
File created	C:\Windows\{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe
File created	C:\Windows\{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe	{437A097B-21A3-4625-990A-AE9512270077}.exe
File created	C:\Windows\{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe
File created	C:\Windows\{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe
File created	C:\Windows\{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe
File created	C:\Windows\{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe
File created	C:\Windows\{437A097B-21A3-4625-990A-AE9512270077}.exe	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe
Token: SeIncBasePriorityPrivilege	4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe
Token: SeIncBasePriorityPrivilege	4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe
Token: SeIncBasePriorityPrivilege	3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe
Token: SeIncBasePriorityPrivilege	2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe
Token: SeIncBasePriorityPrivilege	4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe
Token: SeIncBasePriorityPrivilege	4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe
Token: SeIncBasePriorityPrivilege	1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe
Token: SeIncBasePriorityPrivilege	4828	{437A097B-21A3-4625-990A-AE9512270077}.exe
Token: SeIncBasePriorityPrivilege	4316	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe
Token: SeIncBasePriorityPrivilege	3476	{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3416	2124	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	98
PID 2124 wrote to memory of 3416	2124	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	98
PID 2124 wrote to memory of 3416	2124	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	98
PID 2124 wrote to memory of 2748	2124	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	99
PID 2124 wrote to memory of 2748	2124	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	99
PID 2124 wrote to memory of 2748	2124	2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe	99
PID 3416 wrote to memory of 4768	3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe	102
PID 3416 wrote to memory of 4768	3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe	102
PID 3416 wrote to memory of 4768	3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe	102
PID 3416 wrote to memory of 4792	3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe	103
PID 3416 wrote to memory of 4792	3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe	103
PID 3416 wrote to memory of 4792	3416	{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe	103
PID 4768 wrote to memory of 4596	4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe	107
PID 4768 wrote to memory of 4596	4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe	107
PID 4768 wrote to memory of 4596	4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe	107
PID 4768 wrote to memory of 5060	4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe	108
PID 4768 wrote to memory of 5060	4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe	108
PID 4768 wrote to memory of 5060	4768	{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe	108
PID 4596 wrote to memory of 3480	4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe	109
PID 4596 wrote to memory of 3480	4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe	109
PID 4596 wrote to memory of 3480	4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe	109
PID 4596 wrote to memory of 696	4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe	110
PID 4596 wrote to memory of 696	4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe	110
PID 4596 wrote to memory of 696	4596	{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe	110
PID 3480 wrote to memory of 2884	3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe	111
PID 3480 wrote to memory of 2884	3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe	111
PID 3480 wrote to memory of 2884	3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe	111
PID 3480 wrote to memory of 4300	3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe	112
PID 3480 wrote to memory of 4300	3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe	112
PID 3480 wrote to memory of 4300	3480	{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe	112
PID 2884 wrote to memory of 4640	2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe	114
PID 2884 wrote to memory of 4640	2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe	114
PID 2884 wrote to memory of 4640	2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe	114
PID 2884 wrote to memory of 3400	2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe	115
PID 2884 wrote to memory of 3400	2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe	115
PID 2884 wrote to memory of 3400	2884	{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe	115
PID 4640 wrote to memory of 4996	4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe	116
PID 4640 wrote to memory of 4996	4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe	116
PID 4640 wrote to memory of 4996	4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe	116
PID 4640 wrote to memory of 4156	4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe	117
PID 4640 wrote to memory of 4156	4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe	117
PID 4640 wrote to memory of 4156	4640	{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe	117
PID 4996 wrote to memory of 1368	4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe	118
PID 4996 wrote to memory of 1368	4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe	118
PID 4996 wrote to memory of 1368	4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe	118
PID 4996 wrote to memory of 2948	4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe	119
PID 4996 wrote to memory of 2948	4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe	119
PID 4996 wrote to memory of 2948	4996	{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe	119
PID 1368 wrote to memory of 4828	1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe	127
PID 1368 wrote to memory of 4828	1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe	127
PID 1368 wrote to memory of 4828	1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe	127
PID 1368 wrote to memory of 4660	1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe	128
PID 1368 wrote to memory of 4660	1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe	128
PID 1368 wrote to memory of 4660	1368	{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe	128
PID 4828 wrote to memory of 4316	4828	{437A097B-21A3-4625-990A-AE9512270077}.exe	129
PID 4828 wrote to memory of 4316	4828	{437A097B-21A3-4625-990A-AE9512270077}.exe	129
PID 4828 wrote to memory of 4316	4828	{437A097B-21A3-4625-990A-AE9512270077}.exe	129
PID 4828 wrote to memory of 4764	4828	{437A097B-21A3-4625-990A-AE9512270077}.exe	130
PID 4828 wrote to memory of 4764	4828	{437A097B-21A3-4625-990A-AE9512270077}.exe	130
PID 4828 wrote to memory of 4764	4828	{437A097B-21A3-4625-990A-AE9512270077}.exe	130
PID 4316 wrote to memory of 3476	4316	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe	131
PID 4316 wrote to memory of 3476	4316	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe	131
PID 4316 wrote to memory of 3476	4316	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe	131
PID 4316 wrote to memory of 3672	4316	{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_c7866b37d5713a574f64fcba06163cd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe
  C:\Windows\{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe
    C:\Windows\{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe
      C:\Windows\{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe
        
        C:\Windows\{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\Windows\{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe
        
        C:\Windows\{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe
        
        C:\Windows\{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe
        
        C:\Windows\{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe
        
        C:\Windows\{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{437A097B-21A3-4625-990A-AE9512270077}.exe
        
        C:\Windows\{437A097B-21A3-4625-990A-AE9512270077}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe
        
        C:\Windows\{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe
        
        C:\Windows\{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}.exe
        
        C:\Windows\{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}.exe
        13⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2315~1.EXE > nul
        13⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC6B~1.EXE > nul
        12⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{437A0~1.EXE > nul
        11⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5C0D~1.EXE > nul
        10⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B73C6~1.EXE > nul
        9⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FAB5~1.EXE > nul
        8⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E941~1.EXE > nul
        7⤵
        
        PID:3400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C686~1.EXE > nul
        6⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A164~1.EXE > nul
        5⤵
        
        PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8012B~1.EXE > nul
      4⤵
      PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ECF6A~1.EXE > nul
    3⤵
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E941E0E-BC3D-4394-8E4A-3D6B1535685D}.exe

Filesize
168KB

MD5
4fa562aa19c128f295883976ab1e4c12

SHA1
8e942a0e890331578d869d9e18c1cba165ee3124

SHA256
5689464bc3e99bd4aef03d9cabe11d7fbcc06d1029600690ffcfec93192aa184

SHA512
97afa3017beea6263a780c6a854caface5eac3956761143b193a29cfa995ef46af7976e8506283540f84809dd5b1125ca9e98e701c9e647b03085b13c4f482ee

Download Submit
C:\Windows\{3A164C4F-C2F6-4c32-A736-4FC4C19C2F10}.exe

Filesize
168KB

MD5
66b554a387e94f87bcf8450986edb9c2

SHA1
03c503d23c5d68367774f69077e26d3ed64f0d14

SHA256
43a03f7d305bf97cda013a72cca8d8524a0b5059f4ea285c240bdf0151553ee7

SHA512
c7a5063c5f56aec626d2bd585a1c22254d1dfd21673615cc779f10afbf6a4cc56c0f2c80ea8173c0500007c118582988938139ab0c9ad4655ff11738ca8341ab

Download Submit
C:\Windows\{437A097B-21A3-4625-990A-AE9512270077}.exe

Filesize
168KB

MD5
2805df3597800a77b2096674060f59d0

SHA1
821b477c0ac049c035516308edb2b0ee167123a5

SHA256
1f033eda7fb87baf0dfa61b10b7ff4180753b391a95f3d5793509d63c37d9a27

SHA512
79e2d24ddd74a2eab0bf9ce8c59aceb4c76339cd8d37febae6647ae8b3513614b8989ed57b33585a8aa8b0a70ef722250736b06f02f996c8538fcf84ce5b4219

Download Submit
C:\Windows\{8012B81E-544F-4aed-B61D-F83FD26999C6}.exe

Filesize
168KB

MD5
29f55d7188c92939c70919f8fc4466c7

SHA1
d6f00a4303184ae6b39afd6d95c90f3eb2f993a7

SHA256
aa3ad37ebdbac32a61d0bedc45ba7bc9271a02a4272dc1e074035373041c8ab6

SHA512
0e388fb28de3a6ab2b20162eacc705760a9d253be2463bf2fdbba917d5322f6de17b868e2bba488fc6f4c1377b44e28ce2f544324268a1832181da8dcdfac9c8

Download Submit
C:\Windows\{8C68600F-C8CB-4693-936B-642F7F58E9A2}.exe

Filesize
168KB

MD5
e0ea6c5372eb0fec5f5c3fd858d9813a

SHA1
5310f21b7656442cab730e852ef266e319dac8e2

SHA256
fb770a1cb90c52a129c42f23cf8e386f3df18ab64b5d21a05f5626ae6b0a0d1b

SHA512
92ae15d12be73781880277a35671ee8cd185c5fbd7ee8d55803a5b8582730164b984ed3a0b1efd4e346461fbb848ede8e0f52edf9a605fbfa7e71b0afad490a6

Download Submit
C:\Windows\{9FAB5CF6-77D3-4213-A9B9-888272244428}.exe

Filesize
168KB

MD5
31d6f70655bc2146b0b26d0db2a4268e

SHA1
8faee16a59301713818ebca85442c9da7e0f22f6

SHA256
484e30583003d5d5d7856452980672895c8e0272a6002fa42e85450829e1abfa

SHA512
989674c5405054dff52b6dd686de16beb460e1b551648374b1e6e084fbafe1e47a030767fac5ef3147d856e4379fea6a1cb954eca5295c80bd178c39ada5163b

Download Submit
C:\Windows\{AEC6B2A4-C5B6-49ac-8A5C-4EECE70576D6}.exe

Filesize
168KB

MD5
27ce4de84d4a1bfe167a948b734bd59b

SHA1
5ca48c8785afaa52a80077a28bad51f5561acb66

SHA256
b035422c4cc0637d650f2d3a62e166a2c5ee50fbc59000b03bec40d3ed77561e

SHA512
a97e664a86349825508af8d29d2048f44ab1ca8954eb5720f4d4081606a5fff099aa22f95f027f0c354ba934b307a06bbef18694fd374d57b3e355a2a5f3db88

Download Submit
C:\Windows\{AFB2E070-07FD-4aca-9AFD-FAE13E35211A}.exe

Filesize
168KB

MD5
a75e5781d4a4fc882be384cc10489ba5

SHA1
c16ec61ceac0c70fb1e8c1497d38270ad05be534

SHA256
62fbc149d5da0744c64b61c32738121a4034be8c3168701ce8684694696b4a71

SHA512
b1c3de8c571374be030291531d7c34a86daf7d5efac2649e6abfa65db01d5f5a6f80bf1ebfa3c4be93be8b46b88cf3ca8bdfbc4ab1f9b26a7853c953d647b53c

Download Submit
C:\Windows\{B73C6E34-CDED-4f74-AD10-024B57593D7C}.exe

Filesize
168KB

MD5
f854b72821c02a1507225fa52ebad4e3

SHA1
f4e18397ac0e8d4259d06ff7de9b91ee328c159f

SHA256
1a7754ac2d7286b40fd622341e9eeb6ea7a883fe5a33680997e873b865976ba1

SHA512
320d33976dae514011470024f2723f0698a9db1ff72c9c412a781b5229689e8ba6241bffa3ec7c3d46f8989d6fbb812ec03175ea83344187539a38b3f9b15741

Download Submit
C:\Windows\{E23151E7-E06D-4596-ADF7-D6A5758878EB}.exe

Filesize
168KB

MD5
86c87847055c73bca43ff1af72e2649b

SHA1
07e2517a1850bb6e477962af5634c14723034505

SHA256
e375a94c412894341e4e10f2697aa665d7319ebeec1d2d34931559a59b03ea24

SHA512
64ede075310d826bb86a9e54f6815d6827ebfe005aa209a4ca3e6012566e8989d4039935d229beabfd8838447de89bfbe68d09864e9acca4dc1b52890485ea7c

Download Submit
C:\Windows\{ECF6AFAC-F4D3-4e38-A051-4A2D20A7E942}.exe

Filesize
168KB

MD5
4ea62a74ebb5a90e72b40ee13e5e4d06

SHA1
422da16d67825be15235e31a3ba30b9bcc32f158

SHA256
e7a243e51304b41004e2947a0d65db61702be8078fb6aca40d8e313a76afca17

SHA512
343006f3c973af29ff6d76998eae70534ed2c678867a4b531fe508512b5e8aa9b90f2067b2fcd92c439a66a0474034100ea9f5b926dc84bf550f7d5bcbf1b947

Download Submit
C:\Windows\{F5C0D798-00B6-44c3-9B96-A0A727304734}.exe

Filesize
168KB

MD5
734c7b0aeeffe7f301b14e9d48e43e04

SHA1
5378a6570bc8bc12e5e08ea6bd7edd184f179bc0

SHA256
6b73dc52d25a9581fe68a4ce33c45dcf0a12b22dd9388e30574502066100e8ea

SHA512
23c39b7428272394dc19a317b0580fdbc4f73195cf69725257b3bcb3f81a0cdf9c6019d0097ab198ee5b1c7fd425acdd50178f29052bc2bc8ca31c40aa7739c3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads