7bb3594cf8f723474b16c91577c265a7a02af27281b58175f2be5356c2a974f1

Analysis

max time kernel
150s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Size

168KB
MD5

8e895d4e260cbe3f849f54928b14f0f3
SHA1

147f76bd4bd5194cac8ba2e3bb72b50470e6bbaf
SHA256

7bb3594cf8f723474b16c91577c265a7a02af27281b58175f2be5356c2a974f1
SHA512

58834cceb3111539682223ac25ea39c4a0365407028dfe5f96cda9307c3a27c009d250d4d19f74247a4f9ed5db8100df26b6ca1558ccd91609a5c47f3fffc560
SSDEEP

1536:1EGh0oXli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023221-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023240-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002327d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002327d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002328c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e6fb-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002323d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e6fb-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e704-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c0-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e704-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{192C8585-F70B-47b9-8DA2-4EE49C81B69A}	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{192C8585-F70B-47b9-8DA2-4EE49C81B69A}\stubpath = "C:\\Windows\\{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe"	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA18F87-E2D2-45ab-995C-305068553FDD}\stubpath = "C:\\Windows\\{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe"	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}	{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00ABBABA-C867-4452-AA60-41C4FD95267E}\stubpath = "C:\\Windows\\{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe"	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D56F558-09F9-45c0-9C78-27CC1B0E0271}	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D56F558-09F9-45c0-9C78-27CC1B0E0271}\stubpath = "C:\\Windows\\{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe"	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26F4FE0E-2B90-49ce-9F62-5E634F79650E}\stubpath = "C:\\Windows\\{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe"	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CE1889-D17D-4ed1-8F8E-97627CF1F900}	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4486EAC-28FD-4dcb-BCC8-1666A8635535}	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4486EAC-28FD-4dcb-BCC8-1666A8635535}\stubpath = "C:\\Windows\\{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe"	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC7087DD-ED71-4af5-BF01-4A451B2D3920}	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CE1889-D17D-4ed1-8F8E-97627CF1F900}\stubpath = "C:\\Windows\\{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe"	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA489D5-F477-44f7-B88E-36AA51E29B82}\stubpath = "C:\\Windows\\{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe"	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}\stubpath = "C:\\Windows\\{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe"	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAFDB04-0FE9-4819-9D73-67902A978AE0}\stubpath = "C:\\Windows\\{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe"	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}\stubpath = "C:\\Windows\\{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}.exe"	{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC7087DD-ED71-4af5-BF01-4A451B2D3920}\stubpath = "C:\\Windows\\{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe"	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00ABBABA-C867-4452-AA60-41C4FD95267E}	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26F4FE0E-2B90-49ce-9F62-5E634F79650E}	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA489D5-F477-44f7-B88E-36AA51E29B82}	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA18F87-E2D2-45ab-995C-305068553FDD}	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAFDB04-0FE9-4819-9D73-67902A978AE0}	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe

Executes dropped EXE 12 IoCs

pid	Process
4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe
3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe
2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe
1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe
2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe
812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe
664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe
4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe
1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe
2060	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe
2172	{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe
2816	{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
File created	C:\Windows\{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe
File created	C:\Windows\{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe
File created	C:\Windows\{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe
File created	C:\Windows\{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe
File created	C:\Windows\{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe
File created	C:\Windows\{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe
File created	C:\Windows\{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe
File created	C:\Windows\{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe
File created	C:\Windows\{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe
File created	C:\Windows\{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe
File created	C:\Windows\{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}.exe	{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	468	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe
Token: SeIncBasePriorityPrivilege	3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe
Token: SeIncBasePriorityPrivilege	2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe
Token: SeIncBasePriorityPrivilege	1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe
Token: SeIncBasePriorityPrivilege	2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe
Token: SeIncBasePriorityPrivilege	812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe
Token: SeIncBasePriorityPrivilege	664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe
Token: SeIncBasePriorityPrivilege	4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe
Token: SeIncBasePriorityPrivilege	1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe
Token: SeIncBasePriorityPrivilege	2060	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe
Token: SeIncBasePriorityPrivilege	2172	{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 4944	468	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	95
PID 468 wrote to memory of 4944	468	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	95
PID 468 wrote to memory of 4944	468	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	95
PID 468 wrote to memory of 1816	468	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	96
PID 468 wrote to memory of 1816	468	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	96
PID 468 wrote to memory of 1816	468	2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe	96
PID 4944 wrote to memory of 3736	4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe	101
PID 4944 wrote to memory of 3736	4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe	101
PID 4944 wrote to memory of 3736	4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe	101
PID 4944 wrote to memory of 2388	4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe	102
PID 4944 wrote to memory of 2388	4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe	102
PID 4944 wrote to memory of 2388	4944	{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe	102
PID 3736 wrote to memory of 2520	3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe	104
PID 3736 wrote to memory of 2520	3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe	104
PID 3736 wrote to memory of 2520	3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe	104
PID 3736 wrote to memory of 3876	3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe	105
PID 3736 wrote to memory of 3876	3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe	105
PID 3736 wrote to memory of 3876	3736	{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe	105
PID 2520 wrote to memory of 1056	2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe	109
PID 2520 wrote to memory of 1056	2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe	109
PID 2520 wrote to memory of 1056	2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe	109
PID 2520 wrote to memory of 2492	2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe	110
PID 2520 wrote to memory of 2492	2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe	110
PID 2520 wrote to memory of 2492	2520	{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe	110
PID 1056 wrote to memory of 2372	1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe	113
PID 1056 wrote to memory of 2372	1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe	113
PID 1056 wrote to memory of 2372	1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe	113
PID 1056 wrote to memory of 2388	1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe	114
PID 1056 wrote to memory of 2388	1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe	114
PID 1056 wrote to memory of 2388	1056	{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe	114
PID 2372 wrote to memory of 812	2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe	118
PID 2372 wrote to memory of 812	2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe	118
PID 2372 wrote to memory of 812	2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe	118
PID 2372 wrote to memory of 4380	2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe	119
PID 2372 wrote to memory of 4380	2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe	119
PID 2372 wrote to memory of 4380	2372	{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe	119
PID 812 wrote to memory of 664	812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe	121
PID 812 wrote to memory of 664	812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe	121
PID 812 wrote to memory of 664	812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe	121
PID 812 wrote to memory of 3928	812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe	122
PID 812 wrote to memory of 3928	812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe	122
PID 812 wrote to memory of 3928	812	{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe	122
PID 664 wrote to memory of 4892	664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe	123
PID 664 wrote to memory of 4892	664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe	123
PID 664 wrote to memory of 4892	664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe	123
PID 664 wrote to memory of 3628	664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe	124
PID 664 wrote to memory of 3628	664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe	124
PID 664 wrote to memory of 3628	664	{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe	124
PID 4892 wrote to memory of 1976	4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe	125
PID 4892 wrote to memory of 1976	4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe	125
PID 4892 wrote to memory of 1976	4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe	125
PID 4892 wrote to memory of 1012	4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe	126
PID 4892 wrote to memory of 1012	4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe	126
PID 4892 wrote to memory of 1012	4892	{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe	126
PID 1976 wrote to memory of 2060	1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe	127
PID 1976 wrote to memory of 2060	1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe	127
PID 1976 wrote to memory of 2060	1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe	127
PID 1976 wrote to memory of 2412	1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe	128
PID 1976 wrote to memory of 2412	1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe	128
PID 1976 wrote to memory of 2412	1976	{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe	128
PID 2060 wrote to memory of 2172	2060	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe	129
PID 2060 wrote to memory of 2172	2060	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe	129
PID 2060 wrote to memory of 2172	2060	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe	129
PID 2060 wrote to memory of 2336	2060	{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-16_8e895d4e260cbe3f849f54928b14f0f3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe
  C:\Windows\{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe
    C:\Windows\{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe
      C:\Windows\{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe
        
        C:\Windows\{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe
        
        C:\Windows\{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe
        
        C:\Windows\{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe
        
        C:\Windows\{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe
        
        C:\Windows\{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe
        
        C:\Windows\{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe
        
        C:\Windows\{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe
        
        C:\Windows\{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}.exe
        
        C:\Windows\{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC708~1.EXE > nul
        13⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4486~1.EXE > nul
        12⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAAFD~1.EXE > nul
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{115DC~1.EXE > nul
        10⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EA18~1.EXE > nul
        9⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA48~1.EXE > nul
        8⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83CE1~1.EXE > nul
        7⤵
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26F4F~1.EXE > nul
        6⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D56F~1.EXE > nul
        5⤵
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{192C8~1.EXE > nul
      4⤵
      PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{00ABB~1.EXE > nul
    3⤵
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00ABBABA-C867-4452-AA60-41C4FD95267E}.exe

Filesize
168KB

MD5
9c2ca95ea6dc1051a2c3d4b8ba34b3aa

SHA1
1f3d0169d36c89fbca034ecf3653e4b033d230c5

SHA256
9e5c783d5f3c023ede1dfdb1db358712167bf5e29052bf13bf2c722b4aded926

SHA512
9d796cf99f79a84d7cc93264354526ec73e3d1dd697c8cb55567c3d8164be19275535201301a74f115257f3f09a8493a77194fd9d9b260bc1865931e5911b652

Download Submit
C:\Windows\{115DC3A7-71F1-46a9-B677-2B7B18FE8A83}.exe

Filesize
168KB

MD5
04e45eb0b3b0729c5c127035b0d7c0d6

SHA1
c8670349f0890c2aaec0e697d185fcfcd2e0ac55

SHA256
e7fa5b27ab8d36829cc3cf8aaab4bef07b1ec69130d27669f5f90ddd1e3e92f9

SHA512
3c15804df074b8403a91350f235672702b193461f35895d1df58e16d84ba7b9a7dbf1baa90ca0ce27f0e2dade31f0014edb343b139f666928ed33d7f78d0a41d

Download Submit
C:\Windows\{192C8585-F70B-47b9-8DA2-4EE49C81B69A}.exe

Filesize
168KB

MD5
228e553c088158b474d1b1f14ba4d6bf

SHA1
25fafbe1a48c7cbf973c6591e7aec06c27ba6f94

SHA256
e4dd48f9d303ded90fa6e5b022b46ae9080c6c03cba7be5ef7732cc051e80256

SHA512
212d21090b2de9bd882aebdc8688a65204b82e8a4f252e7ff3338825622544b68627d00f092f2ccd75acb6198441ade541bbb18705707f71dd7e4b7028c13607

Download Submit
C:\Windows\{26F4FE0E-2B90-49ce-9F62-5E634F79650E}.exe

Filesize
168KB

MD5
21726333ae8449e4874b679062813c1b

SHA1
83ff65cf4c9387b35b999da80b35f0a327e0521f

SHA256
7d5e8be6e598eedcc5c99a5584e1b22041d83a6d1da031d57d3314a3118bd31d

SHA512
4ba16f4f1bf38f1011e4fe63902810bf7787d4aa5ccf6579388c314a57f0835f7c68e0532f31e2f12103dc98808e6382d665f61dea7c6bb1f858cce7257cb727

Download Submit
C:\Windows\{2D56F558-09F9-45c0-9C78-27CC1B0E0271}.exe

Filesize
168KB

MD5
2470d817bb5b1595d361627901422ea4

SHA1
3ff94c467905c5c469adf1b34585d8bd0423c635

SHA256
fab4612830defa47aa6b7d0810798a465eef032a0c4e6691281423f9836f491c

SHA512
9c92f222d1c04d55ecf80e6361522f24bf0b9126ea0c51e7b773fdbc61c8416783b3cffa05efe12f5ee2c6df146f7b57ea9011f16f5b7095ad98f02fbcb94c6f

Download Submit
C:\Windows\{4EA18F87-E2D2-45ab-995C-305068553FDD}.exe

Filesize
168KB

MD5
b25a303cfdaf1a529b00d872b21156b1

SHA1
f59b8cbdbf94d729d0bdf60b161095d77027a2bd

SHA256
8247b1136b8b1806a09284b592876aec4af5ab050523f3a1b6c743449c562838

SHA512
7eca9c0eb212961915a29598690f70aba54fd1d13b64b59275271ee15badcd76fb22af3bff22b04874058b311ca56bd43b0f7d0704e1879a449968366026a72b

Download Submit
C:\Windows\{83CE1889-D17D-4ed1-8F8E-97627CF1F900}.exe

Filesize
168KB

MD5
34b42e135b9efc3e2a791b71aed31255

SHA1
6f16546a33d4f18856bc18ad9774c3b8620b9c08

SHA256
8b5406352eeb12c860e0b9f687cce14f8fb45cbe65d687d981620c788dc1e904

SHA512
dff867e85ae1c87d8f63c8ba53c5f3cb9930d06fe491a19d0954b4e858f607f3a3bb893c51d7e79d6173169ab7c03c17859a8dd3c3858fb82fc41c16a387eb64

Download Submit
C:\Windows\{B4486EAC-28FD-4dcb-BCC8-1666A8635535}.exe

Filesize
168KB

MD5
007980f87f8fd8b7e1fa64c3adde06ce

SHA1
45fe8771386eafc59eecfc2b2df0710c7f2c5dd3

SHA256
b12981301e6859316f14e2156c5535001a5d0196b96737278e639ff7d6fa191d

SHA512
319938318c11e0d8ad65e67fe302a7cb8221dc013d3e76c357c7ee8a5fde5bd508dde14d14601efb5db3d85785e341759d65752405f5b10fe86d2f3620b3c538

Download Submit
C:\Windows\{B49FB52A-CE83-459d-8A05-E4AC89C10D2F}.exe

Filesize
168KB

MD5
c4b72e310d4e112ca79301f7bcbd0a92

SHA1
a269c0c74b953a14a919e9b207f4cb3fe19a1b17

SHA256
60df191cd6e6c66cd5e6e2d3d558873d43315620946f9365c088c11aad20fe5b

SHA512
182d7b04a0d23a3783df536bc779d9844aab5249d72336198169be4341fec3258925817e67c1e1bdeb32a62e676cd09b8b7329ca0cf326a5111e133fca758873

Download Submit
C:\Windows\{DAAFDB04-0FE9-4819-9D73-67902A978AE0}.exe

Filesize
168KB

MD5
1d4c1bf29c73cd0d8135684959f533ea

SHA1
2f0b3d5d6f70f0f1648daba7970ad41c6906185f

SHA256
92434a1e9c1f84a9c2876dd1c6721164b60f783d0f8b6813e84f065bf833ec8c

SHA512
ca2fce362fb8557f2e3ce79f4f6dc55536fa56c2562f5856494960b5173d4c1bf30deaf40869f84b203f881de93f97f066fed8f6b763a76f21ffe256c4138a6c

Download Submit
C:\Windows\{DC7087DD-ED71-4af5-BF01-4A451B2D3920}.exe

Filesize
168KB

MD5
cce74c3e888468770caccc27b6c7a036

SHA1
cbff9803c724b8a6e651db6d79e411a041b267e2

SHA256
52f8420613ebb17968bda7bbea543f4a978536609f0f7256124676d72a319cce

SHA512
4ad56361c2e88afd0fa942574bafe9f957050ef81c485a3b6e6b3cad433422c231c885e9d641898521d0867215ed47f1eec73e70fbbabf6b60d3fe7d0ec6cc81

Download Submit
C:\Windows\{EFA489D5-F477-44f7-B88E-36AA51E29B82}.exe

Filesize
168KB

MD5
922e5f42a73ac8861a6c112a49a7c0fb

SHA1
84e3faabdbac0eb123eb2513a650f4c980c48fe6

SHA256
dab9f49649b950aa0516cf1c4287909e05109c2ddedc0025edf8ffee3c3e01b3

SHA512
d47607d480c83d8ecb7c2afb18f319d7ac215d64613aeda8b2bd5277f3d7a17b6b3fc9cad874981d7ecd20328884a1ced8a6e100717afb96cc5a5ed7e7fee9d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads