872c1ffe565a916e957599c267f600aa53811e83b633047136c870d3b2588555

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 12:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe
Size

180KB
MD5

8ff467b51d281abfb34288558fb2faaa
SHA1

623ebea791ea19790eb989ea8e7b14d761503735
SHA256

872c1ffe565a916e957599c267f600aa53811e83b633047136c870d3b2588555
SHA512

a01998977b0cc71ef5d5874d6dc2d1a35c21fa13db922084d3d86aace4937afdfe3539d59990905409dafa9eb225c035e2d238b8a0164c6399e895e3e49d3b57
SSDEEP

3072:jEGh0o5lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGDl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f8-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023204-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016923-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002320b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016923-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002320b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016923-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023224-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322d-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016923-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231fd-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{682C57B1-0A2F-4e26-B2F6-839161877BE1}\stubpath = "C:\\Windows\\{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe"	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{186031C9-10D3-48ab-868A-FFA2994C3B23}	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{186031C9-10D3-48ab-868A-FFA2994C3B23}\stubpath = "C:\\Windows\\{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe"	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}\stubpath = "C:\\Windows\\{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe"	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF06F3CC-C4DF-472b-B480-8A1B06361B56}\stubpath = "C:\\Windows\\{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe"	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{927ED3A6-8C9C-4563-882C-968F0BBA4E47}\stubpath = "C:\\Windows\\{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe"	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03D43D0D-0B32-408d-89B6-273335D78536}	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7E01F0E-64DF-41c3-81F4-CAF119408806}	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}\stubpath = "C:\\Windows\\{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe"	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}\stubpath = "C:\\Windows\\{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe"	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF06F3CC-C4DF-472b-B480-8A1B06361B56}	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03D43D0D-0B32-408d-89B6-273335D78536}\stubpath = "C:\\Windows\\{03D43D0D-0B32-408d-89B6-273335D78536}.exe"	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79B5B120-F12C-41b2-BA37-9300463E44F8}	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79B5B120-F12C-41b2-BA37-9300463E44F8}\stubpath = "C:\\Windows\\{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe"	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0FEE292-CED6-4d4c-A407-272408CE380E}	{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0FEE292-CED6-4d4c-A407-272408CE380E}\stubpath = "C:\\Windows\\{C0FEE292-CED6-4d4c-A407-272408CE380E}.exe"	{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{927ED3A6-8C9C-4563-882C-968F0BBA4E47}	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{682C57B1-0A2F-4e26-B2F6-839161877BE1}	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}	{03D43D0D-0B32-408d-89B6-273335D78536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}\stubpath = "C:\\Windows\\{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe"	{03D43D0D-0B32-408d-89B6-273335D78536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7E01F0E-64DF-41c3-81F4-CAF119408806}\stubpath = "C:\\Windows\\{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe"	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe
1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe
4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe
2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe
1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe
2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe
4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe
3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe
3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe
1316	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe
512	{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe
4820	{C0FEE292-CED6-4d4c-A407-272408CE380E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe
File created	C:\Windows\{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe
File created	C:\Windows\{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe
File created	C:\Windows\{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe
File created	C:\Windows\{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe
File created	C:\Windows\{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe	{03D43D0D-0B32-408d-89B6-273335D78536}.exe
File created	C:\Windows\{C0FEE292-CED6-4d4c-A407-272408CE380E}.exe	{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe
File created	C:\Windows\{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe
File created	C:\Windows\{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe
File created	C:\Windows\{03D43D0D-0B32-408d-89B6-273335D78536}.exe	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe
File created	C:\Windows\{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe
File created	C:\Windows\{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	756	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe
Token: SeIncBasePriorityPrivilege	1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe
Token: SeIncBasePriorityPrivilege	4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe
Token: SeIncBasePriorityPrivilege	2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe
Token: SeIncBasePriorityPrivilege	1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe
Token: SeIncBasePriorityPrivilege	2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe
Token: SeIncBasePriorityPrivilege	4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe
Token: SeIncBasePriorityPrivilege	3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe
Token: SeIncBasePriorityPrivilege	3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe
Token: SeIncBasePriorityPrivilege	1316	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe
Token: SeIncBasePriorityPrivilege	512	{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 3156	756	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe	97
PID 756 wrote to memory of 3156	756	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe	97
PID 756 wrote to memory of 3156	756	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe	97
PID 756 wrote to memory of 4980	756	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe	98
PID 756 wrote to memory of 4980	756	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe	98
PID 756 wrote to memory of 4980	756	2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe	98
PID 3156 wrote to memory of 1612	3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe	103
PID 3156 wrote to memory of 1612	3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe	103
PID 3156 wrote to memory of 1612	3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe	103
PID 3156 wrote to memory of 1856	3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe	104
PID 3156 wrote to memory of 1856	3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe	104
PID 3156 wrote to memory of 1856	3156	{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe	104
PID 1612 wrote to memory of 4740	1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe	106
PID 1612 wrote to memory of 4740	1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe	106
PID 1612 wrote to memory of 4740	1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe	106
PID 1612 wrote to memory of 5000	1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe	107
PID 1612 wrote to memory of 5000	1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe	107
PID 1612 wrote to memory of 5000	1612	{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe	107
PID 4740 wrote to memory of 2900	4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe	110
PID 4740 wrote to memory of 2900	4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe	110
PID 4740 wrote to memory of 2900	4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe	110
PID 4740 wrote to memory of 4100	4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe	111
PID 4740 wrote to memory of 4100	4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe	111
PID 4740 wrote to memory of 4100	4740	{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe	111
PID 2900 wrote to memory of 1924	2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe	112
PID 2900 wrote to memory of 1924	2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe	112
PID 2900 wrote to memory of 1924	2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe	112
PID 2900 wrote to memory of 3692	2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe	113
PID 2900 wrote to memory of 3692	2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe	113
PID 2900 wrote to memory of 3692	2900	{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe	113
PID 1924 wrote to memory of 2928	1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe	114
PID 1924 wrote to memory of 2928	1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe	114
PID 1924 wrote to memory of 2928	1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe	114
PID 1924 wrote to memory of 3536	1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe	115
PID 1924 wrote to memory of 3536	1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe	115
PID 1924 wrote to memory of 3536	1924	{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe	115
PID 2928 wrote to memory of 4948	2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe	117
PID 2928 wrote to memory of 4948	2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe	117
PID 2928 wrote to memory of 4948	2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe	117
PID 2928 wrote to memory of 1088	2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe	118
PID 2928 wrote to memory of 1088	2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe	118
PID 2928 wrote to memory of 1088	2928	{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe	118
PID 4948 wrote to memory of 3216	4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe	119
PID 4948 wrote to memory of 3216	4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe	119
PID 4948 wrote to memory of 3216	4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe	119
PID 4948 wrote to memory of 1600	4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe	120
PID 4948 wrote to memory of 1600	4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe	120
PID 4948 wrote to memory of 1600	4948	{03D43D0D-0B32-408d-89B6-273335D78536}.exe	120
PID 3216 wrote to memory of 3256	3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe	124
PID 3216 wrote to memory of 3256	3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe	124
PID 3216 wrote to memory of 3256	3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe	124
PID 3216 wrote to memory of 3044	3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe	125
PID 3216 wrote to memory of 3044	3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe	125
PID 3216 wrote to memory of 3044	3216	{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe	125
PID 3256 wrote to memory of 1316	3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe	126
PID 3256 wrote to memory of 1316	3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe	126
PID 3256 wrote to memory of 1316	3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe	126
PID 3256 wrote to memory of 3356	3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe	127
PID 3256 wrote to memory of 3356	3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe	127
PID 3256 wrote to memory of 3356	3256	{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe	127
PID 1316 wrote to memory of 512	1316	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe	133
PID 1316 wrote to memory of 512	1316	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe	133
PID 1316 wrote to memory of 512	1316	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe	133
PID 1316 wrote to memory of 544	1316	{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_8ff467b51d281abfb34288558fb2faaa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe
  C:\Windows\{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe
    C:\Windows\{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe
      C:\Windows\{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe
        
        C:\Windows\{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe
        
        C:\Windows\{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe
        
        C:\Windows\{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{03D43D0D-0B32-408d-89B6-273335D78536}.exe
        
        C:\Windows\{03D43D0D-0B32-408d-89B6-273335D78536}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe
        
        C:\Windows\{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe
        
        C:\Windows\{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe
        
        C:\Windows\{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe
        
        C:\Windows\{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
        
        C:\Windows\{C0FEE292-CED6-4d4c-A407-272408CE380E}.exe
        
        C:\Windows\{C0FEE292-CED6-4d4c-A407-272408CE380E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4068C~1.EXE > nul
        13⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79B5B~1.EXE > nul
        12⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E01~1.EXE > nul
        11⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE98~1.EXE > nul
        10⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03D43~1.EXE > nul
        9⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{682C5~1.EXE > nul
        8⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{927ED~1.EXE > nul
        7⤵
        
        PID:3536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF06F~1.EXE > nul
        6⤵
        
        PID:3692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AF6C~1.EXE > nul
        5⤵
        
        PID:4100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E7BB~1.EXE > nul
      4⤵
      PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18603~1.EXE > nul
    3⤵
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03D43D0D-0B32-408d-89B6-273335D78536}.exe

Filesize
180KB

MD5
a36f7cde22fe6b0a28b5b1c7c1b925db

SHA1
24b366b69e300c1f49e094a66803033f41faa3c3

SHA256
07ab2240c18c8d6c6e478fc53d5cece2f4093286c11508479fe0dcc21374f1d5

SHA512
ee659eb94b404bc370489b6bed3e2531c9b9e7c068274d15e928f11e03467e3fac3e4783f71f0bba35488cf7771c1ad6a71f378b7309fd9d8f912b825b434f73

Download Submit
C:\Windows\{186031C9-10D3-48ab-868A-FFA2994C3B23}.exe

Filesize
180KB

MD5
8f9ff0902f2cdd894b6190ee5b3bac85

SHA1
628e1039bb6d3af2de33a795874d2412ec9e5aa1

SHA256
0873b239313d3e430c0faf52e8cf6227b2213aec84598c63fb994968e7b531dc

SHA512
77e4d5ba42e584bae0e09ec0cbf2419f06a0a4fc5621f1c6bb52730d0127e9188418bf0b01247da7630b18b90b6a52ea5e42f8736b74f6858dda4504521cb465

Download Submit
C:\Windows\{3EE98EE7-50F5-44fa-A273-629AC51D9C5C}.exe

Filesize
180KB

MD5
518e03d32b867a56e331b9f0512c32a4

SHA1
73536a7843f4c9ca0c1d02f228b6545509a456b8

SHA256
b86883b60b88a65fef774990d075eee88cbb40c857512c728f7eff3184598a21

SHA512
7e32f99510582af6fcfcd2da0d39a5ad011112566801085840165ac670de604c9edc6c14ba9b59b946b2047535accb4c1d89aba46f4911d43cf2307184a4e023

Download Submit
C:\Windows\{4068C757-3217-4b1f-B1C2-609F2A2ECFF8}.exe

Filesize
180KB

MD5
7c0ef30fee609a6681815980699b5ec5

SHA1
6fb08101071f1d15a6c04adf62185474ea493118

SHA256
52cd8f27ea3ed764c128143b8bf9763b7df76f00f9aed029068eeda98752c25b

SHA512
efde0d02cbb7549080503d091de15273b777df282c441eda72b3b00dc7774bd9e4b28a1a643be0dc08fc7465237a3349a5b9ccc8b91de0eec9874f5c7e68b19e

Download Submit
C:\Windows\{5AF6C0CE-C543-448a-B3AD-E2299B1BFF2E}.exe

Filesize
180KB

MD5
a2bc6cacdde770996d97cb280da6ded5

SHA1
d5c304aba8a73a5dbbd1e2a11374197cbdd5f3c2

SHA256
4f3ad596e6b99b45ad1ac981ad38ab40bfee36d5d83f79c975861acc28792136

SHA512
31f2d2e5faed9526c391e083a507ee741cf048bfbfbac23a4d3149adc9fd2b4d0d8878a970e79a0b2f2c1d7a8e961ab5a7da0cb354370d058f21c731b45540f9

Download Submit
C:\Windows\{682C57B1-0A2F-4e26-B2F6-839161877BE1}.exe

Filesize
180KB

MD5
b4a8d67b348f8ff4b1cb12d06d2effbb

SHA1
80430a3dd9e20a47c75dd8fbaddebcf654fb7df7

SHA256
d590499c6e89f7c0bc1c8b0701a9a2aef184c9d863fc3641c6591ead9457ff94

SHA512
524aa4448eef57453889d21bb03e8c2c85f93d39ac99fa1a97c55482f77de776c39ddcdd28846d5be37b21d10ff9562bea9deffa57d5a42e7e837decd39ca038

Download Submit
C:\Windows\{79B5B120-F12C-41b2-BA37-9300463E44F8}.exe

Filesize
180KB

MD5
4384ae62be2d83980ebb864b78b63bff

SHA1
ffa736b106c6a33a9480511c797f2e1c8374c81e

SHA256
3b05bd76b574e17dc0d0a82c958b6973a4c08afc76f9d3c620f224a182230440

SHA512
42df2fcddf641d2feaa1b9c55e45369b99b3336668c8bdf90faa44b8045d0c31e92b321522a8ce975ab268dee6b2b819fcb02abc2b5996902f4108657040fcbd

Download Submit
C:\Windows\{927ED3A6-8C9C-4563-882C-968F0BBA4E47}.exe

Filesize
180KB

MD5
9735fd4fa1f68de097ff678f51196f0e

SHA1
d61ac5d35d2adcf7643d3b0cef2103c5fba2a4ef

SHA256
ebd92cd932833eb5b8b11bd9527eb33d49ae558385a33a86347169890dd9b656

SHA512
ea41a09147b45c7685f1cf169e1d0d20fd0c35e7c405294c0e048af2d7b3d1892de8f4ebc9a8e2959896ba00115233e8a0fee2aac8bd035594779a5759ce9b76

Download Submit
C:\Windows\{9E7BB4AF-57D7-40ec-9DEC-851B62DD4632}.exe

Filesize
180KB

MD5
1d3cb507768fde8bf6cb76acb961290c

SHA1
61e691e9db08d94530655fccd8f4be48116023c0

SHA256
3fd362e5adc538a8052dbc93ca70fb3f75f0763c59bf19d9e9553e9fca00e127

SHA512
5512404d258cdfa35a02e7bfc18238adf0f08280d7071cb229ebba04d9986c89f696777d55377f951a4aa60462d07ccf29a8c180b6bfe5740365fcc4832ea487

Download Submit
C:\Windows\{C0FEE292-CED6-4d4c-A407-272408CE380E}.exe

Filesize
180KB

MD5
83d48a0ee6b1baded7e8a894c294e416

SHA1
62aa38fa2a69417fc6ecf80f5c373379a532d6c9

SHA256
c6032b4c21bfa34f7ed6ad35a1dfbf169a87b66f653fd8bcd2b8a5410f508d86

SHA512
953bea784026f79bc9d66b4a0170a1cb0044742f36016aa3676f1c79567f262a01432f120e1e7d632b476396fbb6ce10de806e1603475a4ba0c64cc997f19682

Download Submit
C:\Windows\{DF06F3CC-C4DF-472b-B480-8A1B06361B56}.exe

Filesize
180KB

MD5
a3f02d0fb5b7db5805b8780ac5932349

SHA1
989cb7db0f6c405e28a4f0bea33d286919ca5298

SHA256
6847bcb5853a30ee15e96e4d6e00de18e37d23423cb49c8352341b86b2ac1ab9

SHA512
296cbb60121468aa8108a450d537c1a4747445df833c7c96115939a87aeb6ccd284906fb379ffec9f1dce64a57bfb434298939b59912bd455981bafe08f9f7e3

Download Submit
C:\Windows\{F7E01F0E-64DF-41c3-81F4-CAF119408806}.exe

Filesize
180KB

MD5
30a3d1541a858caba17a8fe6e357fae8

SHA1
aa40d8cf7af7ec1501f36288bee84f8ce9e75066

SHA256
952328db1a9d2d78e27eced6174149ffa401a008ebeeb1f97c6fa2b7abe03c0d

SHA512
e3f7492d7e29ba6030d39e488a99b5d9b4a96564585be265de959aaec55dfa66bb078c9150a37f1daf7b2306b46f68e43498ed59d6142b44d528fad7e4dbb4ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads