83f8b141275cd64ad53a513754dbcf52ae20d3069e2fa628ac6ff12eaea5bcac

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe
Size

344KB
MD5

3dd66ec3f5e840a710fe8bb2baf9d81a
SHA1

f7e04477d1d85d7f61972ecdac5b095e3bae110a
SHA256

83f8b141275cd64ad53a513754dbcf52ae20d3069e2fa628ac6ff12eaea5bcac
SHA512

bb69cfd8ae3a6f16513eb3b7335bf11df34986cbbfff26ce66f388847229365bf04b22c9922af3ad165a7e087e32fa966943ae2ebcab8d20761551c2215cadc4
SSDEEP

3072:mEGh0ohlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGLlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023203-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016923-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016976-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002338b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000016976-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db1f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023224-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023123-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023126-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002313c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7525BBE2-136F-4645-8ABD-738BFE50D892}\stubpath = "C:\\Windows\\{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe"	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}\stubpath = "C:\\Windows\\{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe"	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A7CAD77-11FD-4309-9191-8AE64C07E351}\stubpath = "C:\\Windows\\{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe"	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9525775E-A8F8-4c12-AC9D-65DF2A36052D}	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9525775E-A8F8-4c12-AC9D-65DF2A36052D}\stubpath = "C:\\Windows\\{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe"	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4B40BD-F15E-4563-A8A9-5305549744EF}\stubpath = "C:\\Windows\\{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe"	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2946773-A3CA-4b8b-9440-8D23780A9B05}\stubpath = "C:\\Windows\\{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe"	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2467BFC-6E86-409f-B1C4-72A0DE437A85}	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1620429C-84ED-4f95-9723-332EC8DB1A49}\stubpath = "C:\\Windows\\{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe"	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E6A754-D2C7-4569-B635-63500F79C545}\stubpath = "C:\\Windows\\{70E6A754-D2C7-4569-B635-63500F79C545}.exe"	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C33CEE12-8BDD-495d-9ACA-D9584F12489D}	{70E6A754-D2C7-4569-B635-63500F79C545}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D8786D-FED0-412d-8735-F73DEB1CB7FB}	{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2467BFC-6E86-409f-B1C4-72A0DE437A85}\stubpath = "C:\\Windows\\{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe"	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E6A754-D2C7-4569-B635-63500F79C545}	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2946773-A3CA-4b8b-9440-8D23780A9B05}	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7525BBE2-136F-4645-8ABD-738BFE50D892}	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}\stubpath = "C:\\Windows\\{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe"	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A7CAD77-11FD-4309-9191-8AE64C07E351}	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1620429C-84ED-4f95-9723-332EC8DB1A49}	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4B40BD-F15E-4563-A8A9-5305549744EF}	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C33CEE12-8BDD-495d-9ACA-D9584F12489D}\stubpath = "C:\\Windows\\{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe"	{70E6A754-D2C7-4569-B635-63500F79C545}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D8786D-FED0-412d-8735-F73DEB1CB7FB}\stubpath = "C:\\Windows\\{17D8786D-FED0-412d-8735-F73DEB1CB7FB}.exe"	{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe

Executes dropped EXE 12 IoCs

pid	Process
532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe
2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe
1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe
3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe
5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe
1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe
1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe
2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe
4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe
4960	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe
3540	{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe
436	{17D8786D-FED0-412d-8735-F73DEB1CB7FB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe
File created	C:\Windows\{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe
File created	C:\Windows\{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe
File created	C:\Windows\{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe
File created	C:\Windows\{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe	{70E6A754-D2C7-4569-B635-63500F79C545}.exe
File created	C:\Windows\{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe
File created	C:\Windows\{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe
File created	C:\Windows\{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe
File created	C:\Windows\{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe
File created	C:\Windows\{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe
File created	C:\Windows\{70E6A754-D2C7-4569-B635-63500F79C545}.exe	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe
File created	C:\Windows\{17D8786D-FED0-412d-8735-F73DEB1CB7FB}.exe	{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2848	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe
Token: SeIncBasePriorityPrivilege	2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe
Token: SeIncBasePriorityPrivilege	1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe
Token: SeIncBasePriorityPrivilege	3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe
Token: SeIncBasePriorityPrivilege	5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe
Token: SeIncBasePriorityPrivilege	1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe
Token: SeIncBasePriorityPrivilege	1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe
Token: SeIncBasePriorityPrivilege	2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe
Token: SeIncBasePriorityPrivilege	4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe
Token: SeIncBasePriorityPrivilege	4960	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe
Token: SeIncBasePriorityPrivilege	3540	{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 532	2848	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe	97
PID 2848 wrote to memory of 532	2848	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe	97
PID 2848 wrote to memory of 532	2848	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe	97
PID 2848 wrote to memory of 1672	2848	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe	98
PID 2848 wrote to memory of 1672	2848	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe	98
PID 2848 wrote to memory of 1672	2848	2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe	98
PID 532 wrote to memory of 2720	532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe	100
PID 532 wrote to memory of 2720	532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe	100
PID 532 wrote to memory of 2720	532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe	100
PID 532 wrote to memory of 3660	532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe	101
PID 532 wrote to memory of 3660	532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe	101
PID 532 wrote to memory of 3660	532	{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe	101
PID 2720 wrote to memory of 1112	2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe	104
PID 2720 wrote to memory of 1112	2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe	104
PID 2720 wrote to memory of 1112	2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe	104
PID 2720 wrote to memory of 4116	2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe	105
PID 2720 wrote to memory of 4116	2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe	105
PID 2720 wrote to memory of 4116	2720	{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe	105
PID 1112 wrote to memory of 3644	1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe	108
PID 1112 wrote to memory of 3644	1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe	108
PID 1112 wrote to memory of 3644	1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe	108
PID 1112 wrote to memory of 4248	1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe	109
PID 1112 wrote to memory of 4248	1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe	109
PID 1112 wrote to memory of 4248	1112	{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe	109
PID 3644 wrote to memory of 5092	3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe	110
PID 3644 wrote to memory of 5092	3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe	110
PID 3644 wrote to memory of 5092	3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe	110
PID 3644 wrote to memory of 4328	3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe	111
PID 3644 wrote to memory of 4328	3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe	111
PID 3644 wrote to memory of 4328	3644	{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe	111
PID 5092 wrote to memory of 1124	5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe	112
PID 5092 wrote to memory of 1124	5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe	112
PID 5092 wrote to memory of 1124	5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe	112
PID 5092 wrote to memory of 3704	5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe	113
PID 5092 wrote to memory of 3704	5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe	113
PID 5092 wrote to memory of 3704	5092	{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe	113
PID 1124 wrote to memory of 1304	1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe	115
PID 1124 wrote to memory of 1304	1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe	115
PID 1124 wrote to memory of 1304	1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe	115
PID 1124 wrote to memory of 2528	1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe	116
PID 1124 wrote to memory of 2528	1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe	116
PID 1124 wrote to memory of 2528	1124	{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe	116
PID 1304 wrote to memory of 2864	1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe	117
PID 1304 wrote to memory of 2864	1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe	117
PID 1304 wrote to memory of 2864	1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe	117
PID 1304 wrote to memory of 1380	1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe	118
PID 1304 wrote to memory of 1380	1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe	118
PID 1304 wrote to memory of 1380	1304	{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe	118
PID 2864 wrote to memory of 4296	2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe	123
PID 2864 wrote to memory of 4296	2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe	123
PID 2864 wrote to memory of 4296	2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe	123
PID 2864 wrote to memory of 408	2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe	124
PID 2864 wrote to memory of 408	2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe	124
PID 2864 wrote to memory of 408	2864	{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe	124
PID 4296 wrote to memory of 4960	4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe	130
PID 4296 wrote to memory of 4960	4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe	130
PID 4296 wrote to memory of 4960	4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe	130
PID 4296 wrote to memory of 5080	4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe	131
PID 4296 wrote to memory of 5080	4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe	131
PID 4296 wrote to memory of 5080	4296	{70E6A754-D2C7-4569-B635-63500F79C545}.exe	131
PID 4960 wrote to memory of 3540	4960	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe	132
PID 4960 wrote to memory of 3540	4960	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe	132
PID 4960 wrote to memory of 3540	4960	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe	132
PID 4960 wrote to memory of 1276	4960	{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_3dd66ec3f5e840a710fe8bb2baf9d81a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe
  C:\Windows\{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe
    C:\Windows\{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe
      C:\Windows\{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe
        
        C:\Windows\{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe
        
        C:\Windows\{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe
        
        C:\Windows\{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe
        
        C:\Windows\{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe
        
        C:\Windows\{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{70E6A754-D2C7-4569-B635-63500F79C545}.exe
        
        C:\Windows\{70E6A754-D2C7-4569-B635-63500F79C545}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe
        
        C:\Windows\{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe
        
        C:\Windows\{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\{17D8786D-FED0-412d-8735-F73DEB1CB7FB}.exe
        
        C:\Windows\{17D8786D-FED0-412d-8735-F73DEB1CB7FB}.exe
        13⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2946~1.EXE > nul
        13⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C33CE~1.EXE > nul
        12⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70E6A~1.EXE > nul
        11⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4B4~1.EXE > nul
        10⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95257~1.EXE > nul
        9⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16204~1.EXE > nul
        8⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2467~1.EXE > nul
        7⤵
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7CA~1.EXE > nul
        6⤵
        
        PID:4328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62046~1.EXE > nul
        5⤵
        
        PID:4248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E68FA~1.EXE > nul
      4⤵
      PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7525B~1.EXE > nul
    3⤵
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1620429C-84ED-4f95-9723-332EC8DB1A49}.exe

Filesize
344KB

MD5
4292bc7ddf5857861f8fceb20b03a209

SHA1
8eb4951eb53599542584942bfb1b6b2dffa609b0

SHA256
af2031deb2c06b5d23a6c69da988c4a1f3009e4bdfe94911bb7fab2cf40aaecc

SHA512
f2b5d49316b5b07e4ff557dd81fa35f07c8ce361a09559e0057cdb73a42ffa32f25cb8ce4f9ff8262e2d4107e6cfb930f2b6d7ba18f4c5872eebff7c982496e4

Download Submit
C:\Windows\{17D8786D-FED0-412d-8735-F73DEB1CB7FB}.exe

Filesize
344KB

MD5
29cd90f705bd015eabc25bdcbb4335e0

SHA1
c6e08984505b1d345f4bd2112206cf48ecc1c764

SHA256
46fcff2e658b08becf049965ba44a9fe2112a192f6a462f0cad0ce6b7713386c

SHA512
67b8abcefd813d17aeeb808ae2d706f60beeb7b0ba5cc40b9d73940465a951d3135e67343a1386b69b7e691facd2ba830af5aed4235d51a895765640e59a14fa

Download Submit
C:\Windows\{6204651F-B4FE-46d6-A9DE-2DC05E869A2D}.exe

Filesize
344KB

MD5
4275cf88604db631c425187f4f770715

SHA1
261d82fd3c3727ed3e9b13bf6ec714fbd47033a9

SHA256
b61c0279d46ca3d9a42e7256a6bdb8854e313ab2d79311c3c2dd598b0ae42252

SHA512
ce6677117ea9db938dfd95040f0d8029614494574272ae8811d40b0416a0ababade93aa36e77a7f524c0959808f03873538359bb5d8c0210c5b5d954ef05d28c

Download Submit
C:\Windows\{70E6A754-D2C7-4569-B635-63500F79C545}.exe

Filesize
344KB

MD5
133efc2e75293b2d69e8f6b9fcdab88d

SHA1
3c539d3639a9d0d4f3dc3822829cbc91b269c7cd

SHA256
c06ca03a855b17793b692443133fc58bc59c62a50ac49e96973665c4bbc7d6c3

SHA512
d19e6fd137dca119969d5f71f74079ace0ebad80ca35192f7f94f666d531332426d1d077400976db05ab20c18f68f75b29e62b8eddb00a96ff8aa4d847d6edbb

Download Submit
C:\Windows\{7525BBE2-136F-4645-8ABD-738BFE50D892}.exe

Filesize
344KB

MD5
3b247e161a2ca46c51963c5b6f1fec4b

SHA1
7af4b41b57caa4e1ca586be794f3afdf3722042a

SHA256
dc276a9aa2db6b72f05387853c920ddbd5ffd0af3365c36dc42d5a429986a3db

SHA512
55ee7b2c76812ab571672d442a8838680ef1f3f0d1559842438e0fe98a954328c729ae4da304b13c2e97834e89b15a06ba0ac01a5f20c133dbd187454066fdc9

Download Submit
C:\Windows\{7A7CAD77-11FD-4309-9191-8AE64C07E351}.exe

Filesize
344KB

MD5
0a85e0e1e521aa013bb619aea80b466f

SHA1
68ffd5007236b78de360c2e71ddde0fe42489db5

SHA256
24b03eeaf77286d7febf04234b953d4834f446782b033718daee9969bd30d1df

SHA512
235b13d06ab7879660e481e13affbc9a661097ef9324019658e19b7a723c00513066fc3fc68b7d3fd2fa0c7a7efb25bbf79289850d3ca76679505aac9806c34c

Download Submit
C:\Windows\{9525775E-A8F8-4c12-AC9D-65DF2A36052D}.exe

Filesize
344KB

MD5
1b4fe8cfaba1d372cd59d2e7d96ea301

SHA1
1cdadb2110868cee13249564869f444d3c63f082

SHA256
18fc4e0f400d02eb2d963f2786b2db281c3ee47f48485501cd791188ed520524

SHA512
c711b9fd642f735cc71fe7f2517ddb8b58867379360900ff8a029a7fabc669e59c1c783064beecf88a3dc594682a4df2b1c63f26e099093f9a0d10884f885838

Download Submit
C:\Windows\{9F4B40BD-F15E-4563-A8A9-5305549744EF}.exe

Filesize
344KB

MD5
c858c1e38d452eca4da9b2023a461001

SHA1
b6ab64594872bcf0c54550547c7850ac880eb974

SHA256
4e68a24f8f01f78a455ce5ed91999a5ffe44e8671f9f66524d9301d2d9363d84

SHA512
3b82b41ecd5e2e7c446616d9d05f317bd3204a44d4e2e09305d24b36dd60627ff5efc00e6e963565fd0174f1343d2ef0011799690a116b5ac5307d6a01c5ad20

Download Submit
C:\Windows\{A2946773-A3CA-4b8b-9440-8D23780A9B05}.exe

Filesize
344KB

MD5
78c3dd2fcc950208b68ccb0a8aa2a794

SHA1
cd2dcba1f728bd1888a6adc059add713c5d9a3ba

SHA256
cb7b41156ac00c316799e44593ecf9b1f28f146ea141ac4f7b0f4011f83eec52

SHA512
4e0c8d4e94b69596bc40ff87856f49ea1e74d1ac5f7183558548114b77a598cb76098ad9c5bbc994c3ce8b907f58003c92c316b7c04d5187e9652e20636820be

Download Submit
C:\Windows\{C2467BFC-6E86-409f-B1C4-72A0DE437A85}.exe

Filesize
344KB

MD5
a8cb89cd822c44ba2c7fd5252c71a31f

SHA1
ec28af606c324c3788c692bf7d31bc89022d0e64

SHA256
36ab02e9d49b5e180b7d194327d96fc2c783fae5febdecd0c1ea9f3a7c1834ac

SHA512
19945414170743c4be633d3aaf552e9ef891b539b426acca773b017cfd889c1d94bc9cf3184579a6030e05144d030178a87489711119406f610e82cc9581b71e

Download Submit
C:\Windows\{C33CEE12-8BDD-495d-9ACA-D9584F12489D}.exe

Filesize
344KB

MD5
5671090ff9ac6d2c852437fb70592339

SHA1
707dfa59974bbd14c8fd74da4fd5bdfff0b92e90

SHA256
7cb3444ac90efd7f2d4ccf16de23a409e6956115190f534de68fc7d7dc6cb6b5

SHA512
a91f0150cf8618fe0df48bdc1c2090dded1180fb38c5942c335d3dd1caa2bdf32c579ce2db0d17564b2c97b97d66dde53d689a3b735152013309969d82c494d4

Download Submit
C:\Windows\{E68FAE99-2E06-400a-B0EC-2966C5ED02E0}.exe

Filesize
344KB

MD5
ccdb6f0e9ff29e8b186643a10ea204b3

SHA1
b84974fd1bc539366c06159e7f474c715219730a

SHA256
8fca354d4ee4986babac6bf1b76d320a2caf7db3369b4464fa17a34f96e387cb

SHA512
ee0bfaac1c563a7e1a6e88fed51619a35f36a74773f9a950f45e3c1f9bec65145a3e12048f325b2c1cae6e4c1917d12bec6fb41244e8f3f0835f2b439904f58d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads