6161667d6c524900e1e80e39b8f80ca9e096baba50e3a275cb1f1e95b03f8af5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Size

197KB
MD5

0f1a1c037ae7b55f6a8cd6c77b65627c
SHA1

77541e8cb53e000c036f062e8b713ae285c18cc3
SHA256

6161667d6c524900e1e80e39b8f80ca9e096baba50e3a275cb1f1e95b03f8af5
SHA512

18a7985b6bfa09771b9c481c25673a2b2f0d0333f2e687adc86a324f4891e863e07f48fb1305c6f2e6944e76c9adf70b8c8207b90ccb55773c56293c73687c16
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG9lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023240-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023248-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023151-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023248-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023151-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023248-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023151-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023248-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002314e-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023154-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002314e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023156-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504EE912-ED70-4999-AD99-3C211D6584D1}	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}\stubpath = "C:\\Windows\\{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe"	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}\stubpath = "C:\\Windows\\{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe"	{8C687780-E879-46fa-9A84-819989F93129}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865FED2B-CD6F-4764-985E-7C71E6246EBC}	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{033808F9-93B1-46a8-9552-20BAA9FDDA30}	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{207AC743-6627-4aef-ACE9-C446F4C48535}\stubpath = "C:\\Windows\\{207AC743-6627-4aef-ACE9-C446F4C48535}.exe"	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D69832-F2F0-4c15-AD53-29AABB41D817}\stubpath = "C:\\Windows\\{75D69832-F2F0-4c15-AD53-29AABB41D817}.exe"	{504EE912-ED70-4999-AD99-3C211D6584D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}\stubpath = "C:\\Windows\\{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe"	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{457E5C45-68AD-436f-8653-9F17F8964C9D}	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{457E5C45-68AD-436f-8653-9F17F8964C9D}\stubpath = "C:\\Windows\\{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe"	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504EE912-ED70-4999-AD99-3C211D6584D1}\stubpath = "C:\\Windows\\{504EE912-ED70-4999-AD99-3C211D6584D1}.exe"	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{033808F9-93B1-46a8-9552-20BAA9FDDA30}\stubpath = "C:\\Windows\\{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe"	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C687780-E879-46fa-9A84-819989F93129}\stubpath = "C:\\Windows\\{8C687780-E879-46fa-9A84-819989F93129}.exe"	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}	{8C687780-E879-46fa-9A84-819989F93129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}\stubpath = "C:\\Windows\\{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe"	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{207AC743-6627-4aef-ACE9-C446F4C48535}	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D69832-F2F0-4c15-AD53-29AABB41D817}	{504EE912-ED70-4999-AD99-3C211D6584D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865FED2B-CD6F-4764-985E-7C71E6246EBC}\stubpath = "C:\\Windows\\{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe"	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C687780-E879-46fa-9A84-819989F93129}	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}\stubpath = "C:\\Windows\\{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe"	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe
2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe
3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe
4184	{8C687780-E879-46fa-9A84-819989F93129}.exe
5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe
2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe
1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe
3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe
4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe
3580	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe
1604	{504EE912-ED70-4999-AD99-3C211D6584D1}.exe
1620	{75D69832-F2F0-4c15-AD53-29AABB41D817}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe
File created	C:\Windows\{75D69832-F2F0-4c15-AD53-29AABB41D817}.exe	{504EE912-ED70-4999-AD99-3C211D6584D1}.exe
File created	C:\Windows\{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
File created	C:\Windows\{8C687780-E879-46fa-9A84-819989F93129}.exe	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe
File created	C:\Windows\{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe	{8C687780-E879-46fa-9A84-819989F93129}.exe
File created	C:\Windows\{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe
File created	C:\Windows\{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe
File created	C:\Windows\{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe
File created	C:\Windows\{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe
File created	C:\Windows\{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe
File created	C:\Windows\{207AC743-6627-4aef-ACE9-C446F4C48535}.exe	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe
File created	C:\Windows\{504EE912-ED70-4999-AD99-3C211D6584D1}.exe	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1232	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe
Token: SeIncBasePriorityPrivilege	2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe
Token: SeIncBasePriorityPrivilege	3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe
Token: SeIncBasePriorityPrivilege	4184	{8C687780-E879-46fa-9A84-819989F93129}.exe
Token: SeIncBasePriorityPrivilege	5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe
Token: SeIncBasePriorityPrivilege	2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe
Token: SeIncBasePriorityPrivilege	1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe
Token: SeIncBasePriorityPrivilege	3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe
Token: SeIncBasePriorityPrivilege	4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe
Token: SeIncBasePriorityPrivilege	3580	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe
Token: SeIncBasePriorityPrivilege	1604	{504EE912-ED70-4999-AD99-3C211D6584D1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1016	1232	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	99
PID 1232 wrote to memory of 1016	1232	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	99
PID 1232 wrote to memory of 1016	1232	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	99
PID 1232 wrote to memory of 4568	1232	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	100
PID 1232 wrote to memory of 4568	1232	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	100
PID 1232 wrote to memory of 4568	1232	2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe	100
PID 1016 wrote to memory of 2900	1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe	102
PID 1016 wrote to memory of 2900	1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe	102
PID 1016 wrote to memory of 2900	1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe	102
PID 1016 wrote to memory of 4748	1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe	103
PID 1016 wrote to memory of 4748	1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe	103
PID 1016 wrote to memory of 4748	1016	{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe	103
PID 2900 wrote to memory of 3700	2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe	106
PID 2900 wrote to memory of 3700	2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe	106
PID 2900 wrote to memory of 3700	2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe	106
PID 2900 wrote to memory of 4196	2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe	107
PID 2900 wrote to memory of 4196	2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe	107
PID 2900 wrote to memory of 4196	2900	{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe	107
PID 3700 wrote to memory of 4184	3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe	108
PID 3700 wrote to memory of 4184	3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe	108
PID 3700 wrote to memory of 4184	3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe	108
PID 3700 wrote to memory of 3364	3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe	109
PID 3700 wrote to memory of 3364	3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe	109
PID 3700 wrote to memory of 3364	3700	{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe	109
PID 4184 wrote to memory of 5016	4184	{8C687780-E879-46fa-9A84-819989F93129}.exe	110
PID 4184 wrote to memory of 5016	4184	{8C687780-E879-46fa-9A84-819989F93129}.exe	110
PID 4184 wrote to memory of 5016	4184	{8C687780-E879-46fa-9A84-819989F93129}.exe	110
PID 4184 wrote to memory of 1320	4184	{8C687780-E879-46fa-9A84-819989F93129}.exe	111
PID 4184 wrote to memory of 1320	4184	{8C687780-E879-46fa-9A84-819989F93129}.exe	111
PID 4184 wrote to memory of 1320	4184	{8C687780-E879-46fa-9A84-819989F93129}.exe	111
PID 5016 wrote to memory of 2836	5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe	113
PID 5016 wrote to memory of 2836	5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe	113
PID 5016 wrote to memory of 2836	5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe	113
PID 5016 wrote to memory of 4588	5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe	114
PID 5016 wrote to memory of 4588	5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe	114
PID 5016 wrote to memory of 4588	5016	{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe	114
PID 2836 wrote to memory of 1552	2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe	115
PID 2836 wrote to memory of 1552	2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe	115
PID 2836 wrote to memory of 1552	2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe	115
PID 2836 wrote to memory of 4092	2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe	116
PID 2836 wrote to memory of 4092	2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe	116
PID 2836 wrote to memory of 4092	2836	{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe	116
PID 1552 wrote to memory of 3340	1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe	117
PID 1552 wrote to memory of 3340	1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe	117
PID 1552 wrote to memory of 3340	1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe	117
PID 1552 wrote to memory of 3196	1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe	118
PID 1552 wrote to memory of 3196	1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe	118
PID 1552 wrote to memory of 3196	1552	{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe	118
PID 3340 wrote to memory of 4684	3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe	126
PID 3340 wrote to memory of 4684	3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe	126
PID 3340 wrote to memory of 4684	3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe	126
PID 3340 wrote to memory of 3080	3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe	127
PID 3340 wrote to memory of 3080	3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe	127
PID 3340 wrote to memory of 3080	3340	{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe	127
PID 4684 wrote to memory of 3580	4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe	128
PID 4684 wrote to memory of 3580	4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe	128
PID 4684 wrote to memory of 3580	4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe	128
PID 4684 wrote to memory of 2304	4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe	129
PID 4684 wrote to memory of 2304	4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe	129
PID 4684 wrote to memory of 2304	4684	{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe	129
PID 3580 wrote to memory of 1604	3580	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe	130
PID 3580 wrote to memory of 1604	3580	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe	130
PID 3580 wrote to memory of 1604	3580	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe	130
PID 3580 wrote to memory of 1364	3580	{207AC743-6627-4aef-ACE9-C446F4C48535}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_0f1a1c037ae7b55f6a8cd6c77b65627c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe
  C:\Windows\{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe
    C:\Windows\{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe
      C:\Windows\{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\{8C687780-E879-46fa-9A84-819989F93129}.exe
        
        C:\Windows\{8C687780-E879-46fa-9A84-819989F93129}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
      - C:\Windows\{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe
        
        C:\Windows\{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe
        
        C:\Windows\{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe
        
        C:\Windows\{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe
        
        C:\Windows\{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe
        
        C:\Windows\{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{207AC743-6627-4aef-ACE9-C446F4C48535}.exe
        
        C:\Windows\{207AC743-6627-4aef-ACE9-C446F4C48535}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{504EE912-ED70-4999-AD99-3C211D6584D1}.exe
        
        C:\Windows\{504EE912-ED70-4999-AD99-3C211D6584D1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{75D69832-F2F0-4c15-AD53-29AABB41D817}.exe
        
        C:\Windows\{75D69832-F2F0-4c15-AD53-29AABB41D817}.exe
        13⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{504EE~1.EXE > nul
        13⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{207AC~1.EXE > nul
        12⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAAEE~1.EXE > nul
        11⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{457E5~1.EXE > nul
        10⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CFC6~1.EXE > nul
        9⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD20~1.EXE > nul
        8⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5ACAC~1.EXE > nul
        7⤵
        
        PID:4588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C687~1.EXE > nul
        6⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03380~1.EXE > nul
        5⤵
        
        PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{865FE~1.EXE > nul
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF87~1.EXE > nul
    3⤵
    PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{033808F9-93B1-46a8-9552-20BAA9FDDA30}.exe

Filesize
197KB

MD5
eca11db4e451f9758f49e3811dbb9ce6

SHA1
d676d9ed54d50b07b247898bbaf57760a7dae79a

SHA256
deb8a63ade6fb2a12cc61769b496a6e17a7a9279d92282191e8706eadf892ebb

SHA512
0b3d68ea294bcbbd2ebce390c707832d952f30caf2c2b2265b623193d9dade3e952a1e47b9e8f318510efac518332cdff20df3a027ee40d193193c7d8a802183

Download Submit
C:\Windows\{207AC743-6627-4aef-ACE9-C446F4C48535}.exe

Filesize
197KB

MD5
5c41fb1ae76252765f0505e84f5b9829

SHA1
59d580401ce6012d3fcd664eab9fba6e46c08363

SHA256
f6c61f69642637d8a4f5265e4692d345fd792e6c32dbf85a75067676f741d445

SHA512
e52e23b76080ebfc5138d2be31019766e803fd5873dae6e75c4a5eb6f77458c58d92e04fb1372511076e1bbb462f879b677cd579f3508485a8a1f015b645f58b

Download Submit
C:\Windows\{2CFC6875-76C2-4c3e-8F2D-2FD926106FF8}.exe

Filesize
197KB

MD5
00a44759a1af6254778ae74f254608ea

SHA1
6064920cc23387a8d71411f320460aa6e7c7097e

SHA256
33948fe045a8289184b1a7909aa0f3d5a4eee953f5e04c363e1bc2b590117ac0

SHA512
8006f1048cec57b4a026e1fd00a35253eb79554645d4de53b02ccde18c5a687540d623f80feaf158b8b33e10ba616f5fefd61bc4b2a4193283a79edb67b479d3

Download Submit
C:\Windows\{457E5C45-68AD-436f-8653-9F17F8964C9D}.exe

Filesize
197KB

MD5
a22a8c1b40847a8f86717f4b531a3674

SHA1
6c6c2eaebad51c0df841e9ac9e23cc0fa1c052db

SHA256
e293d43b8bf1441394219d36d1139ba158fe7f67028ca641a30bd395e43a2cbf

SHA512
5b695a3fe607c69f82c2625f08456729ea875c125f77f7b95b154c748792c8e437192b1c0fab3b312361cd0ea792fc30b036b67aeee796989b6ba721e3bb7f13

Download Submit
C:\Windows\{504EE912-ED70-4999-AD99-3C211D6584D1}.exe

Filesize
197KB

MD5
24a1bd4481c77cc621406eb0acf07852

SHA1
b0125e7aab54d98d45d7e1e561455da313c0669a

SHA256
56f2c414325083863ac00c43703005511089a4175ffdf2eec5cfe5c8feebaaac

SHA512
95c194fbae6fe23a5dd49116607511769aafa7ed7abc2997bcc5ab6145519463c8b8d8e05876028c84a3bd034ed18b1ddfa4ccd1ba67c24cfc305412e40a832b

Download Submit
C:\Windows\{5ACAC2E6-CCEB-41e9-9FCD-27F80EE5988F}.exe

Filesize
197KB

MD5
d44c39fbce919c38fa7ab8c9f6e219e6

SHA1
a17c8d16548ca8c3e6cc4017cfb24f4e6fe86237

SHA256
3ce2ecff44a824065ae3b9254e4ae61239fd0dacee8020037455bd473d8255c1

SHA512
f2d428e4ad64ec92b30732e59b0720a9cfe3936dca5fac17b078c589b88962ee5845b386094dee760d91688d01090ccd1d2806357e2c0a572f77c425ba1fbb2d

Download Submit
C:\Windows\{75D69832-F2F0-4c15-AD53-29AABB41D817}.exe

Filesize
197KB

MD5
05f900227f06d6bd1273b799b93ddb6e

SHA1
9608d3eb3c437d58b6a3ea6f51c06efba11dd9d6

SHA256
a0a67ecbec1d0766b2759b7a89a7c13c4789f66e3f3db317342971f4a8935f42

SHA512
020d092012bb9d4510f6f52bd74ba8aa8ee3b5453dafdfdc3bb79ba0fff33236e0358b2dfa20cc62ba7ffa10b0951393197a7c6699976a577179c551dd29181b

Download Submit
C:\Windows\{865FED2B-CD6F-4764-985E-7C71E6246EBC}.exe

Filesize
197KB

MD5
ab34b1ae675bcb9e7a19de7ae7bf83b6

SHA1
a96bf9654ac616559ddf0cd08ce0576376ce16f2

SHA256
ac6bd009f831f5f6741814d74560b3d6dc00e59d4c2c24d20bda752435a65ff6

SHA512
840e8196a663fce7dc0d3aa54175674a07c01c6c99a820122083aad76abca0fcc6a1fd5752fb4ff43726c3b1e8f20716534c49bc5969211a0aa874e4e9dc8cac

Download Submit
C:\Windows\{8BD20246-2DC4-4ad4-8497-A4A55E3F125F}.exe

Filesize
197KB

MD5
2889b255f5c885563b48aba1e6a3618d

SHA1
67d5136b4926aba5109928ce1c2d8af3bc32a0f0

SHA256
6ec3c59b9f8d05525b3361fdfcda0ee89c95816090b22cc7d0ce612174b60d9f

SHA512
740e3069059d4ae04e027f366b027d97f47094096b94fba3b9ceeec1635b43f47780924ac51487494a7d02363d37ccd3d05abd2344ba9b81426cc07d6e3adc1d

Download Submit
C:\Windows\{8C687780-E879-46fa-9A84-819989F93129}.exe

Filesize
197KB

MD5
5f0bc263c786c8964b4ac3cc5e09f244

SHA1
9882ca5fe21405173b85e6895690873e206b3768

SHA256
bf75c264c6b246d03ee9f22e7baad5da75823b555fb2336637faecb06036b31b

SHA512
75a6d6fbee56e776a1d06111c150f89d7c888e81e146849717ce052d895076fcdf0fd9cdcd0eeb38bffb765116d84e0fe76dbbb5dbad7e4726717fceaa33159c

Download Submit
C:\Windows\{BCF87FE0-B023-40ed-916E-62D99DB4D3C6}.exe

Filesize
197KB

MD5
3445c5aff32f0c22d26c70c80fd151e6

SHA1
73cbc57cbc44243c12c408d364da36b4678c8f1e

SHA256
fd8c3fbee6c3cc1e853e819a6e6b765e29705c40fdeef0e2a3b02ccec7c5fa30

SHA512
42d764b96f073aac3cb013f7e3b7635141cf6a462e8697a56fd5bde2e57aaabe3339c56ec9c5f06f905f8030edf7dd51fa2740c3de75d943ee56bba25e1faca8

Download Submit
C:\Windows\{EAAEE503-3FD9-478c-ABCB-F8970F0EB0F2}.exe

Filesize
197KB

MD5
1ccba991d77cbb0fb8d2ef13f5c69819

SHA1
7812198d8d58d1cddd0445953ca75765d4442770

SHA256
eb50fd4cb170a3d791d5105362da6083fbf47026d247d027518935bdda6231b7

SHA512
f4080bac5977d7807b496933a3cd3762f0b7381f2b4a6e947b89d591df430765b0307a8b1d8bf1aa231e6aca029dc27e259d78050f2d11f69f4b25ec80722a1a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads