277898bd874784c57c4af0e38543f6a612d31c35cb7440040befa0241c2eb4eb

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 17:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe
Size

216KB
MD5

5ad8914d6d3ed7057504143014ae4a02
SHA1

0bc2f3654a2a4c1bd87ad443abf61f24937f0b95
SHA256

277898bd874784c57c4af0e38543f6a612d31c35cb7440040befa0241c2eb4eb
SHA512

47ff74d32d52c5148607e1b42b3e0b2104fc4dc5777bb5d8563e6d4826aadda3888aca6fdc3c8c3ba3d5a6fcacf8531564c2b172aa8d51da7212635647725170
SSDEEP

3072:jEGh0oLl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGNlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00040000000228c0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002323a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023244-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002326e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e302-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023365-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ce-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023365-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023161-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233fa-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234e3-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3969E117-4A34-4afa-AC9C-269F1C0BABFE}\stubpath = "C:\\Windows\\{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe"	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}	{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}\stubpath = "C:\\Windows\\{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}.exe"	{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44393CAD-0D1E-452a-A582-A1222B21C6A7}\stubpath = "C:\\Windows\\{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe"	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{675C10ED-8F15-4628-964E-418359D28F3D}\stubpath = "C:\\Windows\\{675C10ED-8F15-4628-964E-418359D28F3D}.exe"	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}\stubpath = "C:\\Windows\\{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe"	{675C10ED-8F15-4628-964E-418359D28F3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47983378-E071-40e2-AF40-37D63EDAB7C5}	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5D80F30-F9B8-482e-97BC-37D90280F295}	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF2DFA7A-3973-402f-AD95-3D772A828AA7}\stubpath = "C:\\Windows\\{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe"	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}	{675C10ED-8F15-4628-964E-418359D28F3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44393CAD-0D1E-452a-A582-A1222B21C6A7}	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71321CC1-05AC-442e-B2A0-4F3B7D680A95}	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{675C10ED-8F15-4628-964E-418359D28F3D}	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F46B29-D11D-4410-8F32-14B2B8DA9823}\stubpath = "C:\\Windows\\{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe"	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF2DFA7A-3973-402f-AD95-3D772A828AA7}	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}\stubpath = "C:\\Windows\\{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe"	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F46B29-D11D-4410-8F32-14B2B8DA9823}	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71321CC1-05AC-442e-B2A0-4F3B7D680A95}\stubpath = "C:\\Windows\\{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe"	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3969E117-4A34-4afa-AC9C-269F1C0BABFE}	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47983378-E071-40e2-AF40-37D63EDAB7C5}\stubpath = "C:\\Windows\\{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe"	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}\stubpath = "C:\\Windows\\{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe"	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5D80F30-F9B8-482e-97BC-37D90280F295}\stubpath = "C:\\Windows\\{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe"	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe

Executes dropped EXE 12 IoCs

pid	Process
3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe
4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe
5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe
444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe
5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe
3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe
1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe
1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe
4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe
3180	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe
996	{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe
3748	{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe
File created	C:\Windows\{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe
File created	C:\Windows\{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe
File created	C:\Windows\{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe
File created	C:\Windows\{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe
File created	C:\Windows\{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}.exe	{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe
File created	C:\Windows\{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe
File created	C:\Windows\{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe
File created	C:\Windows\{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe
File created	C:\Windows\{675C10ED-8F15-4628-964E-418359D28F3D}.exe	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe
File created	C:\Windows\{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe	{675C10ED-8F15-4628-964E-418359D28F3D}.exe
File created	C:\Windows\{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1512	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe
Token: SeIncBasePriorityPrivilege	4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe
Token: SeIncBasePriorityPrivilege	5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe
Token: SeIncBasePriorityPrivilege	444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe
Token: SeIncBasePriorityPrivilege	5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe
Token: SeIncBasePriorityPrivilege	3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe
Token: SeIncBasePriorityPrivilege	1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe
Token: SeIncBasePriorityPrivilege	1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe
Token: SeIncBasePriorityPrivilege	4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe
Token: SeIncBasePriorityPrivilege	3180	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe
Token: SeIncBasePriorityPrivilege	996	{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 3296	1512	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe	97
PID 1512 wrote to memory of 3296	1512	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe	97
PID 1512 wrote to memory of 3296	1512	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe	97
PID 1512 wrote to memory of 4196	1512	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe	98
PID 1512 wrote to memory of 4196	1512	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe	98
PID 1512 wrote to memory of 4196	1512	2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe	98
PID 3296 wrote to memory of 4812	3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe	100
PID 3296 wrote to memory of 4812	3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe	100
PID 3296 wrote to memory of 4812	3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe	100
PID 3296 wrote to memory of 3552	3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe	101
PID 3296 wrote to memory of 3552	3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe	101
PID 3296 wrote to memory of 3552	3296	{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe	101
PID 4812 wrote to memory of 5044	4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe	103
PID 4812 wrote to memory of 5044	4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe	103
PID 4812 wrote to memory of 5044	4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe	103
PID 4812 wrote to memory of 4692	4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe	104
PID 4812 wrote to memory of 4692	4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe	104
PID 4812 wrote to memory of 4692	4812	{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe	104
PID 5044 wrote to memory of 444	5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe	110
PID 5044 wrote to memory of 444	5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe	110
PID 5044 wrote to memory of 444	5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe	110
PID 5044 wrote to memory of 4556	5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe	111
PID 5044 wrote to memory of 4556	5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe	111
PID 5044 wrote to memory of 4556	5044	{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe	111
PID 444 wrote to memory of 5032	444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe	118
PID 444 wrote to memory of 5032	444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe	118
PID 444 wrote to memory of 5032	444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe	118
PID 444 wrote to memory of 964	444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe	119
PID 444 wrote to memory of 964	444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe	119
PID 444 wrote to memory of 964	444	{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe	119
PID 5032 wrote to memory of 3084	5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe	120
PID 5032 wrote to memory of 3084	5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe	120
PID 5032 wrote to memory of 3084	5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe	120
PID 5032 wrote to memory of 5052	5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe	121
PID 5032 wrote to memory of 5052	5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe	121
PID 5032 wrote to memory of 5052	5032	{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe	121
PID 3084 wrote to memory of 1480	3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe	123
PID 3084 wrote to memory of 1480	3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe	123
PID 3084 wrote to memory of 1480	3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe	123
PID 3084 wrote to memory of 5016	3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe	124
PID 3084 wrote to memory of 5016	3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe	124
PID 3084 wrote to memory of 5016	3084	{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe	124
PID 1480 wrote to memory of 1900	1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe	125
PID 1480 wrote to memory of 1900	1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe	125
PID 1480 wrote to memory of 1900	1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe	125
PID 1480 wrote to memory of 2000	1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe	126
PID 1480 wrote to memory of 2000	1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe	126
PID 1480 wrote to memory of 2000	1480	{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe	126
PID 1900 wrote to memory of 4156	1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe	127
PID 1900 wrote to memory of 4156	1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe	127
PID 1900 wrote to memory of 4156	1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe	127
PID 1900 wrote to memory of 532	1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe	128
PID 1900 wrote to memory of 532	1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe	128
PID 1900 wrote to memory of 532	1900	{675C10ED-8F15-4628-964E-418359D28F3D}.exe	128
PID 4156 wrote to memory of 3180	4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe	129
PID 4156 wrote to memory of 3180	4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe	129
PID 4156 wrote to memory of 3180	4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe	129
PID 4156 wrote to memory of 3136	4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe	130
PID 4156 wrote to memory of 3136	4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe	130
PID 4156 wrote to memory of 3136	4156	{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe	130
PID 3180 wrote to memory of 996	3180	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe	131
PID 3180 wrote to memory of 996	3180	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe	131
PID 3180 wrote to memory of 996	3180	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe	131
PID 3180 wrote to memory of 3940	3180	{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_5ad8914d6d3ed7057504143014ae4a02_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe
  C:\Windows\{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe
    C:\Windows\{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe
      C:\Windows\{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe
        
        C:\Windows\{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe
        
        C:\Windows\{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe
        
        C:\Windows\{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe
        
        C:\Windows\{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{675C10ED-8F15-4628-964E-418359D28F3D}.exe
        
        C:\Windows\{675C10ED-8F15-4628-964E-418359D28F3D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe
        
        C:\Windows\{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe
        
        C:\Windows\{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe
        
        C:\Windows\{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}.exe
        
        C:\Windows\{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}.exe
        13⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47983~1.EXE > nul
        13⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3969E~1.EXE > nul
        12⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CADEC~1.EXE > nul
        11⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{675C1~1.EXE > nul
        10⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71321~1.EXE > nul
        9⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44393~1.EXE > nul
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA46D~1.EXE > nul
        7⤵
        
        PID:5052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF2DF~1.EXE > nul
        6⤵
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F46~1.EXE > nul
        5⤵
        
        PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A5D80~1.EXE > nul
      4⤵
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CDC61~1.EXE > nul
    3⤵
    PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3969E117-4A34-4afa-AC9C-269F1C0BABFE}.exe

Filesize
216KB

MD5
b8d67f104a30bc9df0459b1919c4cb79

SHA1
e8764dc0c3a3632747d33518f0f330cd13511cd7

SHA256
8910ea7a2708e57fb14d86db44e0fa4d9a00c375779933bd1b0234269d9996a9

SHA512
b4af34bfc0bb15b9bf6a835d394c89775197cdf789e7bdc10d9c8f881110634fed72e7094551d9d42d5effa7e23569de7f78403f1db245c945d50e6b165296cf

Download Submit
C:\Windows\{44393CAD-0D1E-452a-A582-A1222B21C6A7}.exe

Filesize
216KB

MD5
7b1f2148bef4c532183085b71614b510

SHA1
bf0b1ddb3ecd4389735c7812aad84e9fca95fdf7

SHA256
202f9a701cf2b098b89a3cd61b9047cb71671fa8acf7c67ae1e73c26d888a625

SHA512
ec8a2fa725ff4536f28ea712b5272cd44dd9bafd1bde4a1e84ccf276c931e72de525765bbf05586f8daf9746d4edc57671ff04510444800cef38cb80356aabf2

Download Submit
C:\Windows\{47983378-E071-40e2-AF40-37D63EDAB7C5}.exe

Filesize
216KB

MD5
6ef389ee24da2ae66775897a2b979e07

SHA1
e47c2e56c30652b62ba607ab4ae3b28d9639ad62

SHA256
f447f656d29d8ce445310963c81bfc001ecddad651277043164e7c7be2f523fc

SHA512
0a3df86715170105659592c782ab46e9834dbdf2fb1d7c4c6c9217a10ddf427c029f340db34a9bf79004f62c4f7a0010510a8247ce6b8e2b0e8c35f474e25800

Download Submit
C:\Windows\{675C10ED-8F15-4628-964E-418359D28F3D}.exe

Filesize
216KB

MD5
10ddfdd172d4046ca9a9c60144c83a38

SHA1
b9b37e8374180cd717f9c18b766d63a1d63796ae

SHA256
01c9aa95f21665becc926ebd27170a809666bad2d8581f673369d0a095260cf9

SHA512
7571787919d2551d2421ca6fc08612e55f618ee22dab9d1b05ef6fb4cf14cbea6f23d6f70b7b2347d157fa559a752672fd388b19d9cdabd5e92c79eaacbc0a68

Download Submit
C:\Windows\{71321CC1-05AC-442e-B2A0-4F3B7D680A95}.exe

Filesize
216KB

MD5
433572511c157e4159873aa5128d8b6b

SHA1
420e03defe12a3328f1fdcba16a2ada4dd390b1b

SHA256
f0b92a4ff794f51a4eeabe0ffe291cb7f77dc72fbe0f9d0fb7fe6d33189f35fd

SHA512
164e392fc067d0cbfb676b1057b42f24e14e5e356b99326fddbafae38340e11af0fdc918f2b98c52b80826cc366c21085dba66731c8e5d4827419d6c9bafac21

Download Submit
C:\Windows\{A5D80F30-F9B8-482e-97BC-37D90280F295}.exe

Filesize
216KB

MD5
5978fd1e43edc092de32ec32715484ee

SHA1
4a939ecd6a0fce497643ff64d6a46f84b6126f41

SHA256
57a04b327a4794c399af7307cbfa2d47392ff00b3360a069d699a1701cde196e

SHA512
0a3427991636ddc2d2e6e29513a74ed17a3b230de7338b7f798284a6bc88b0d68297b4965ffd2324c0e67b6da638a6afee58f0ac95fad0ac816fc3d4cc7e0488

Download Submit
C:\Windows\{AA46DCEE-3FBD-46b9-A950-31F0696B82B2}.exe

Filesize
216KB

MD5
30cd19c2aa73e6f9ea9226b38fed7dbe

SHA1
14e99c44b43f0d7910ff9ee9bcce326f0abc5f5c

SHA256
96e8ad9df30a60930656fffe9df7fceae9e43a7eb1e242c563db4afc422f7419

SHA512
f6163d87930c9bcc92aa506a21a34256088d88fba1eea8d08980a0d59bdc0a4919c58dc62682bfcfb0507fcd0290f8b2f1cf07753746de873db7909262c8513d

Download Submit
C:\Windows\{BF31A50B-BCE6-4bc2-8257-B10CB44CAB44}.exe

Filesize
216KB

MD5
71c1c9abd1880c7e897bbfefcd1f5c1d

SHA1
99cefb76e6b1e8b00cafa580ea199311231fab0f

SHA256
f7e90e55bede03b1802d436948600396c1c6cebc2500377915f212d1c7a9a5e2

SHA512
25f21a5f1c6c9ad5e856f76b8324183938d811a01a173264c20b962d3e50a794fa39716dce38e9bee56f2978b45f350c244f9764405959db88c2823064677c19

Download Submit
C:\Windows\{CADECF4D-96A2-4385-A300-9FF3ED0FDDBE}.exe

Filesize
216KB

MD5
1411f43b840ef46cdd1e8a51b05c7eba

SHA1
a1f667554839c774849035819d1d6ba3e5085e72

SHA256
2d91aa0e7b6d3bfa596c61b8cf9511547db424f5deeb46871de27bdd1785c408

SHA512
5c2482b47c699f012aa712149de17755656fd7771290596e976799bf09c1d4510dceed5beb7e36044ab82846deefe89a3a15e172c6bf7a24d9b53f30cb29a84a

Download Submit
C:\Windows\{CDC614F4-DF86-4d26-AEB9-0576B8AC21D9}.exe

Filesize
216KB

MD5
8ccab8353a79498b0ee3b876bf5fc748

SHA1
279a6dcdb81911ccb7e79c0463df757d38cb1af6

SHA256
97f6fc0b246ca3b7e85d6b464fadf9d1acc9d8eba6a903938d6dde6e0ec40e97

SHA512
494753e2d120aa6f02d6789c2636989f2203ead99686e2528dba8f9b06ff595792a2a58d7d34657d4112e20ca917a679cdf3093f6a1e42a59d4c4c346b2db124

Download Submit
C:\Windows\{CF2DFA7A-3973-402f-AD95-3D772A828AA7}.exe

Filesize
216KB

MD5
c327aff9b275c14e0b54cf3b5e42f04b

SHA1
e3dadcd138d1ee667b55335ece6422b5de063475

SHA256
23be7e3bba0461fc335f6db94b17daf51252c89ed44dd274931c08d72e9a9ae4

SHA512
c0358abf046fd4b4435a9bcd47a0d018b665ed0b161cbe4b22553c02a5d648405641288aaacce19eba8b09bfefeedfef2413c68b9cfbaaa5e92b09f4e613315f

Download Submit
C:\Windows\{E1F46B29-D11D-4410-8F32-14B2B8DA9823}.exe

Filesize
216KB

MD5
58ce3ef1244a8ed85603778d2f55e875

SHA1
16ad51b1afbc34cbc73bb3cb1bd0b10e545c6195

SHA256
6ed4ff25b259ecccc5a607a8ab1e3c3222759cb1a78ed7e9e05d541612856454

SHA512
49f1332cb371b092edaf8eb93aea3c4db1a38131246daba1bb8b437e83def1126d85b12cd1ce1af59938d63433a1488cd686073261b3d16f240bbef1e91fc471

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads