aa35a84ccc17675771fca9f8f1ee0a3f3092a2162d161a1600d49f60421b928d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe
Size

197KB
MD5

c05a7dbe5008c75a318741128bf59fee
SHA1

0534db6c5a6c2c817c349152877521c4e86e227e
SHA256

aa35a84ccc17675771fca9f8f1ee0a3f3092a2162d161a1600d49f60421b928d
SHA512

f2ad6cd9343deee0643fb74715ca70ca05888f6ada175aca92f75e70f3884e4770abf42cc8eefcbb4e21287c970c30e882c361d3441f5ba7f56e51b372a0b34c
SSDEEP

3072:jEGh0o9Tl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGXlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e3d9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231ee-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fc-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c5-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fc-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fc-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c5-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c5-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000006c5-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000006c5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{941A914D-F822-4849-A5AB-E7D1F83C9415}	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F24F483-685C-4606-884D-CCE27128E828}	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC242E0B-9913-4154-814E-DC39092B5F08}\stubpath = "C:\\Windows\\{CC242E0B-9913-4154-814E-DC39092B5F08}.exe"	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{524E99D0-BD27-49cb-A0F5-790878BBEFB2}	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{524E99D0-BD27-49cb-A0F5-790878BBEFB2}\stubpath = "C:\\Windows\\{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe"	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0F20A98-3CA9-47e7-A425-536375B068FF}	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54363FA-27DC-4a28-9D1F-26253A5449ED}	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}	{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F24F483-685C-4606-884D-CCE27128E828}\stubpath = "C:\\Windows\\{2F24F483-685C-4606-884D-CCE27128E828}.exe"	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}\stubpath = "C:\\Windows\\{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe"	{2F24F483-685C-4606-884D-CCE27128E828}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54363FA-27DC-4a28-9D1F-26253A5449ED}\stubpath = "C:\\Windows\\{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe"	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{941A914D-F822-4849-A5AB-E7D1F83C9415}\stubpath = "C:\\Windows\\{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe"	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7914DFE-F7D7-445d-9AB5-769432E40CEE}	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F59C62D5-4DEC-49b1-822D-73270C39D490}	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F59C62D5-4DEC-49b1-822D-73270C39D490}\stubpath = "C:\\Windows\\{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe"	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0F20A98-3CA9-47e7-A425-536375B068FF}\stubpath = "C:\\Windows\\{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe"	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}\stubpath = "C:\\Windows\\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe"	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}\stubpath = "C:\\Windows\\{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe"	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}	{2F24F483-685C-4606-884D-CCE27128E828}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC242E0B-9913-4154-814E-DC39092B5F08}	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7914DFE-F7D7-445d-9AB5-769432E40CEE}\stubpath = "C:\\Windows\\{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe"	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}\stubpath = "C:\\Windows\\{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}.exe"	{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe
1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe
4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe
408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe
4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe
4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe
3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe
464	{2F24F483-685C-4606-884D-CCE27128E828}.exe
1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe
2108	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe
3540	{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe
1344	{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe
File created	C:\Windows\{2F24F483-685C-4606-884D-CCE27128E828}.exe	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe
File created	C:\Windows\{CC242E0B-9913-4154-814E-DC39092B5F08}.exe	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe
File created	C:\Windows\{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe
File created	C:\Windows\{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe
File created	C:\Windows\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe
File created	C:\Windows\{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe
File created	C:\Windows\{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe	{2F24F483-685C-4606-884D-CCE27128E828}.exe
File created	C:\Windows\{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe
File created	C:\Windows\{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}.exe	{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe
File created	C:\Windows\{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe
File created	C:\Windows\{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe
Token: SeIncBasePriorityPrivilege	1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe
Token: SeIncBasePriorityPrivilege	4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe
Token: SeIncBasePriorityPrivilege	408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe
Token: SeIncBasePriorityPrivilege	4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe
Token: SeIncBasePriorityPrivilege	4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe
Token: SeIncBasePriorityPrivilege	3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe
Token: SeIncBasePriorityPrivilege	464	{2F24F483-685C-4606-884D-CCE27128E828}.exe
Token: SeIncBasePriorityPrivilege	1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe
Token: SeIncBasePriorityPrivilege	2108	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe
Token: SeIncBasePriorityPrivilege	3540	{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1900	2348	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe	85
PID 2348 wrote to memory of 1900	2348	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe	85
PID 2348 wrote to memory of 1900	2348	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe	85
PID 2348 wrote to memory of 2576	2348	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe	86
PID 2348 wrote to memory of 2576	2348	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe	86
PID 2348 wrote to memory of 2576	2348	2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe	86
PID 1900 wrote to memory of 1672	1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe	92
PID 1900 wrote to memory of 1672	1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe	92
PID 1900 wrote to memory of 1672	1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe	92
PID 1900 wrote to memory of 3684	1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe	93
PID 1900 wrote to memory of 3684	1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe	93
PID 1900 wrote to memory of 3684	1900	{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe	93
PID 1672 wrote to memory of 4520	1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe	97
PID 1672 wrote to memory of 4520	1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe	97
PID 1672 wrote to memory of 4520	1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe	97
PID 1672 wrote to memory of 2628	1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe	98
PID 1672 wrote to memory of 2628	1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe	98
PID 1672 wrote to memory of 2628	1672	{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe	98
PID 4520 wrote to memory of 408	4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe	99
PID 4520 wrote to memory of 408	4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe	99
PID 4520 wrote to memory of 408	4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe	99
PID 4520 wrote to memory of 720	4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe	100
PID 4520 wrote to memory of 720	4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe	100
PID 4520 wrote to memory of 720	4520	{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe	100
PID 408 wrote to memory of 4068	408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe	101
PID 408 wrote to memory of 4068	408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe	101
PID 408 wrote to memory of 4068	408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe	101
PID 408 wrote to memory of 1592	408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe	102
PID 408 wrote to memory of 1592	408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe	102
PID 408 wrote to memory of 1592	408	{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe	102
PID 4068 wrote to memory of 4572	4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe	103
PID 4068 wrote to memory of 4572	4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe	103
PID 4068 wrote to memory of 4572	4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe	103
PID 4068 wrote to memory of 1680	4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe	104
PID 4068 wrote to memory of 1680	4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe	104
PID 4068 wrote to memory of 1680	4068	{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe	104
PID 4572 wrote to memory of 3220	4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe	105
PID 4572 wrote to memory of 3220	4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe	105
PID 4572 wrote to memory of 3220	4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe	105
PID 4572 wrote to memory of 2372	4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe	106
PID 4572 wrote to memory of 2372	4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe	106
PID 4572 wrote to memory of 2372	4572	{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe	106
PID 3220 wrote to memory of 464	3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe	107
PID 3220 wrote to memory of 464	3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe	107
PID 3220 wrote to memory of 464	3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe	107
PID 3220 wrote to memory of 856	3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe	108
PID 3220 wrote to memory of 856	3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe	108
PID 3220 wrote to memory of 856	3220	{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe	108
PID 464 wrote to memory of 1836	464	{2F24F483-685C-4606-884D-CCE27128E828}.exe	109
PID 464 wrote to memory of 1836	464	{2F24F483-685C-4606-884D-CCE27128E828}.exe	109
PID 464 wrote to memory of 1836	464	{2F24F483-685C-4606-884D-CCE27128E828}.exe	109
PID 464 wrote to memory of 2992	464	{2F24F483-685C-4606-884D-CCE27128E828}.exe	110
PID 464 wrote to memory of 2992	464	{2F24F483-685C-4606-884D-CCE27128E828}.exe	110
PID 464 wrote to memory of 2992	464	{2F24F483-685C-4606-884D-CCE27128E828}.exe	110
PID 1836 wrote to memory of 2108	1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe	111
PID 1836 wrote to memory of 2108	1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe	111
PID 1836 wrote to memory of 2108	1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe	111
PID 1836 wrote to memory of 3964	1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe	112
PID 1836 wrote to memory of 3964	1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe	112
PID 1836 wrote to memory of 3964	1836	{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe	112
PID 2108 wrote to memory of 3540	2108	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe	113
PID 2108 wrote to memory of 3540	2108	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe	113
PID 2108 wrote to memory of 3540	2108	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe	113
PID 2108 wrote to memory of 4928	2108	{CC242E0B-9913-4154-814E-DC39092B5F08}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-20_c05a7dbe5008c75a318741128bf59fee_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe
  C:\Windows\{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe
    C:\Windows\{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe
      C:\Windows\{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe
        
        C:\Windows\{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe
        
        C:\Windows\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe
        
        C:\Windows\{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe
        
        C:\Windows\{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\{2F24F483-685C-4606-884D-CCE27128E828}.exe
        
        C:\Windows\{2F24F483-685C-4606-884D-CCE27128E828}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe
        
        C:\Windows\{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{CC242E0B-9913-4154-814E-DC39092B5F08}.exe
        
        C:\Windows\{CC242E0B-9913-4154-814E-DC39092B5F08}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe
        
        C:\Windows\{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}.exe
        
        C:\Windows\{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}.exe
        13⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7914~1.EXE > nul
        13⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC242~1.EXE > nul
        12⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C9CE~1.EXE > nul
        11⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F24F~1.EXE > nul
        10⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{941A9~1.EXE > nul
        9⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5436~1.EXE > nul
        8⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C628~1.EXE > nul
        7⤵
        
        PID:1680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE2D~1.EXE > nul
        6⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0F20~1.EXE > nul
        5⤵
        
        PID:720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{524E9~1.EXE > nul
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F59C6~1.EXE > nul
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2BC8C5D6-54FE-4645-ADBD-D58ACA3A2F27}.exe

Filesize
197KB

MD5
5b987f74735cdf4fe22c3c9ecdbac964

SHA1
35af008b4705a881182e1e288ef1d38bdd9394d4

SHA256
3855bf1e8b7110e185f371fc906ddf0e3c7e424584b5561a0ce5b12d50b6abfd

SHA512
06af043cc4efa219bee77fdf2cf7a26ca4eb290b5c811c660ec8de952cd5905a96b5096227a2406386dc09d91a2673c4c9123283b7a88099e2ba42526add41ce

Download Submit
C:\Windows\{2F24F483-685C-4606-884D-CCE27128E828}.exe

Filesize
197KB

MD5
d7a0a99ba15623016aa3261d8f60ff32

SHA1
8104408abe120e66c3a4266f97bfdc14e194e2d7

SHA256
8c1fc75cc2c01104ec563b3d2e78dcdca852a99bbc77eca8f05ec96569e5f706

SHA512
da9aff75726566e1e2dc69468a5c1c4192ae742907d4e4b33cd04bd4f26f560086d52f69a9f728c3128521eeb6b008bcce2168b7814ff78cb9ee90e541e13098

Download Submit
C:\Windows\{524E99D0-BD27-49cb-A0F5-790878BBEFB2}.exe

Filesize
197KB

MD5
3ef80012f7d80d14b5c358a1de56ac6f

SHA1
98362a813e434d54033e8073bd7287fa8fd9d741

SHA256
35ce0886a113db92f55f885c6b715926712cd3b6ee4b8b5240586273a877f1e9

SHA512
aaf07061397b6f684c0ef06d067710cca72ea9c1d28a19d834bc1de44f2e0aca2f314171dcc4f9a230ea930e0dbf418648589c2b02da403eea1f6c59678ef42b

Download Submit
C:\Windows\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe

Filesize
147KB

MD5
6af385d99ac21ab8669de674304e44fa

SHA1
e65d0aa5c8e58d87c6c7219461be0e2c1d3d4435

SHA256
becaf565fc7e7503912962593731ab14ba066c3f6a42364b426e74cbc44b4988

SHA512
3faa97b8b3954e7cd5baf83b047cb5a5da15bedd77fdd27e0032fe28bc31c1dabc69aa8543d8cba89f2fc298d792a02967cff6d8b295dafa12ae39c7f0ecd4bc

Download Submit
C:\Windows\{7C628A11-3A00-4533-BCB7-FCD2A55E24B2}.exe

Filesize
48KB

MD5
69c6fc33705926b7b61281a0b16ad697

SHA1
ee92f54f4e85a1ef120544269607fb747b516969

SHA256
45677f8bc4dd09b43ed82e6bf7435bf11679680b58492e2c069a3ae115c13ef1

SHA512
58f5682d0c131dd3643fa2fb9c7b9d71ec5b7a509f3cf0765eccbb9e9e59b578b64b3b5a5ae82d45b1a33beee6c5b5cf2b111f06ff908447d032ecf1b0eef418

Download Submit
C:\Windows\{941A914D-F822-4849-A5AB-E7D1F83C9415}.exe

Filesize
197KB

MD5
87e9d130c1861e65135f34c19c69a8a4

SHA1
475262ced0b563f98a331553c7e1df55924e3e00

SHA256
6ec72e1add224f59079cc1911c2be06052055931891f0d8beefe878ef32d3412

SHA512
fbc6ef5a1a59de238b74151450956b634f8671c4ee2cc9a20f1bdeabd8ca36605b3e41f2e1031299df957d5b03a171c4e85b950443b83435932cf439342c9ac8

Download Submit
C:\Windows\{9C9CE9A1-96E7-425c-A3BE-A4971DA28805}.exe

Filesize
197KB

MD5
41ac4dd695d8ed4f2084a897d859762f

SHA1
58007ebe3c7124ee59653b1aeef72c4c76de9c3d

SHA256
3e1c4bd5d9ba4bea175d8575329c7a39584c783d0a4c0f1d93e84e8fa29f7b8f

SHA512
ec7e5010a58e50a793cbae2334afe04271694b6f7848cdfba2f58d61b6340e34d07aa06b7babd370c2ae5fcfef3c2d655eb10f9725962fa9747cad8a869d335b

Download Submit
C:\Windows\{B0F20A98-3CA9-47e7-A425-536375B068FF}.exe

Filesize
197KB

MD5
f37859ca080e6a92e59b0737e4e06b89

SHA1
ba8791dea131950dd12fcc6d46ccff4e84f7371f

SHA256
4c7b37257c0532b7fe742fc00cb701f498db4c3bce3aef6bbf9f59c6b5712773

SHA512
e869dbe19cc2fdfbf9030c320a1b80fe8e5875ade6660bdc676c0e82735df9dfb4c28642c4fafb670da8045a29c5bc98098e8df4390b30a1d0c6ca24653cf912

Download Submit
C:\Windows\{C7914DFE-F7D7-445d-9AB5-769432E40CEE}.exe

Filesize
197KB

MD5
722cc8aed6ed66150937c9f9feda0e00

SHA1
b19af2c0a74e626ab712c8b85425b5423d8961bd

SHA256
4d1565924f8681c65d35a78df180e872c90ea250fe5f417605109a0054825692

SHA512
09647bd890f6e2ceed71d364ce54b2317d04e83abda9e8ce1d1dba690f48f9bfbb96111d61dfc8568f08d4cf0de08772c4a0899ef25b9398d9d3658512ff0559

Download Submit
C:\Windows\{CC242E0B-9913-4154-814E-DC39092B5F08}.exe

Filesize
197KB

MD5
76eb5554f0b9694ecfdeee0aba432de4

SHA1
8e4e21275cadb9a8ad7d45cf414a7bfe5c21c500

SHA256
84f9c9a4d76142da1f8b3740ac1607e75cc3f78ec0bd3c406c65f9150c260368

SHA512
108e5de91bf63133547ca0eedb3e34bdb62f6e2262a6e2ba4ecd293dc84a4154766f7b482ec7b7aae22a9a9de22d8c848f0cc5bd1609b6aa9e48a2050f9e1f9e

Download Submit
C:\Windows\{F54363FA-27DC-4a28-9D1F-26253A5449ED}.exe

Filesize
197KB

MD5
f48e7d15f9bc9a5e36a60433268f0328

SHA1
38177129a36b63d4abdd6e419a478c494adc1ca4

SHA256
74b4c9f9a75a5116e00dcb969ee111d892576c78e5c86ec58cad68b4a79d221f

SHA512
a154fb9d6debcec65a199b8bc3be04a8fb472fce14fb898b7f37918025d2530d41f4caf40937f450e9427ad528a5b35e5b5627dc4c5acf0595fa180b2e08526a

Download Submit
C:\Windows\{F59C62D5-4DEC-49b1-822D-73270C39D490}.exe

Filesize
197KB

MD5
44edb1abf0315461bd4c489a31a1e0c9

SHA1
4b0f870fe1708c39f4223ef7cd5b18ee21829200

SHA256
5ce7b9afc9acf68f16641a12e0c5f1bffbf3bd1be483b90d3edc1012b72c78b2

SHA512
d9a3e939f544d7c9bb872d79d4359ac4e3d50bf479ca10e467701a032a1715930c6e5b264b7290ea02b87b27566cb9d9274b08b843d301c895e57126608943a4

Download Submit
C:\Windows\{FBE2DC3A-C3F8-4bab-8985-84FB6E6EC3AA}.exe

Filesize
197KB

MD5
cc69b930edaf4da51b528f6c2a69e617

SHA1
7c4eff48b8d296c5f807a4929e5469a53a742d53

SHA256
f3f58cd07508e38b194aad05114b5e8bd3b28869e8339fb607e250813317830a

SHA512
3d56c27b2c746e89288b256095addf05a81a01549d46ceb5a53de4304d348439f4a5107a13bf3e109c40ea4bb81b211d70855c6fe6c0bd95639dd8e66115d6eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads