7641003b0f757d4e3f72f1095d125dfb7bb16f07e7c570acf357045679c16b07

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Size

344KB
MD5

f4fe7a45c944baad6e917002adc1de6e
SHA1

2b2da970b4c16975d644cc128fbc87c4e2d5b98c
SHA256

7641003b0f757d4e3f72f1095d125dfb7bb16f07e7c570acf357045679c16b07
SHA512

509c9a84ed09efa80e44826b6a3ed32d71965f271edd85f179d99d51b5cf38fa88cfbe2dc873ada41a1b2f70ed86e866c4f4ac0b1b36f9b67a187c2d7dbb911f
SSDEEP

3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG4lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000018b93-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000019337-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000055a2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000019337-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000019337-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000019337-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000019337-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000019337-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989C2D66-5A16-4acc-8EF3-A0753648ABD7}\stubpath = "C:\\Windows\\{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe"	{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98484933-184A-4318-BBE0-07274D079468}\stubpath = "C:\\Windows\\{98484933-184A-4318-BBE0-07274D079468}.exe"	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA43774D-297A-4925-9EE4-7F4B5500B4DC}\stubpath = "C:\\Windows\\{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe"	{98484933-184A-4318-BBE0-07274D079468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E59159D1-23DB-4680-8660-75C349EA6BCE}\stubpath = "C:\\Windows\\{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe"	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F1307D-AE2D-4623-88A6-4E6B74297F00}	{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989C2D66-5A16-4acc-8EF3-A0753648ABD7}	{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA43774D-297A-4925-9EE4-7F4B5500B4DC}	{98484933-184A-4318-BBE0-07274D079468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C21D303-B331-44d5-9286-E84ED838EE5B}\stubpath = "C:\\Windows\\{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe"	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EADA759-BC97-4ada-B406-D5B3F4044CD7}	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E59159D1-23DB-4680-8660-75C349EA6BCE}	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{725FEEC7-3D31-4f39-96E8-89742DC84E8B}\stubpath = "C:\\Windows\\{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe"	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F1307D-AE2D-4623-88A6-4E6B74297F00}\stubpath = "C:\\Windows\\{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe"	{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A601589-2723-4663-BF2C-C8D8C73CAAE8}\stubpath = "C:\\Windows\\{6A601589-2723-4663-BF2C-C8D8C73CAAE8}.exe"	{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}\stubpath = "C:\\Windows\\{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe"	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98484933-184A-4318-BBE0-07274D079468}	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}\stubpath = "C:\\Windows\\{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe"	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EADA759-BC97-4ada-B406-D5B3F4044CD7}\stubpath = "C:\\Windows\\{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe"	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{725FEEC7-3D31-4f39-96E8-89742DC84E8B}	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}	{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A601589-2723-4663-BF2C-C8D8C73CAAE8}	{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C21D303-B331-44d5-9286-E84ED838EE5B}	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}\stubpath = "C:\\Windows\\{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe"	{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe
2608	{98484933-184A-4318-BBE0-07274D079468}.exe
2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe
792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe
768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe
1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe
1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe
2764	{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe
1644	{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe
1072	{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe
2112	{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe
948	{6A601589-2723-4663-BF2C-C8D8C73CAAE8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe
File created	C:\Windows\{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe	{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe
File created	C:\Windows\{6A601589-2723-4663-BF2C-C8D8C73CAAE8}.exe	{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe
File created	C:\Windows\{98484933-184A-4318-BBE0-07274D079468}.exe	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe
File created	C:\Windows\{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe
File created	C:\Windows\{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe
File created	C:\Windows\{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe
File created	C:\Windows\{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe
File created	C:\Windows\{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe	{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe
File created	C:\Windows\{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe	{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe
File created	C:\Windows\{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
File created	C:\Windows\{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	{98484933-184A-4318-BBE0-07274D079468}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe
Token: SeIncBasePriorityPrivilege	2608	{98484933-184A-4318-BBE0-07274D079468}.exe
Token: SeIncBasePriorityPrivilege	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe
Token: SeIncBasePriorityPrivilege	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe
Token: SeIncBasePriorityPrivilege	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe
Token: SeIncBasePriorityPrivilege	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe
Token: SeIncBasePriorityPrivilege	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe
Token: SeIncBasePriorityPrivilege	2764	{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe
Token: SeIncBasePriorityPrivilege	1644	{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe
Token: SeIncBasePriorityPrivilege	1072	{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe
Token: SeIncBasePriorityPrivilege	2112	{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1096	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	28
PID 1960 wrote to memory of 1096	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	28
PID 1960 wrote to memory of 1096	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	28
PID 1960 wrote to memory of 1096	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	28
PID 1960 wrote to memory of 2040	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	29
PID 1960 wrote to memory of 2040	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	29
PID 1960 wrote to memory of 2040	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	29
PID 1960 wrote to memory of 2040	1960	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	29
PID 1096 wrote to memory of 2608	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	30
PID 1096 wrote to memory of 2608	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	30
PID 1096 wrote to memory of 2608	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	30
PID 1096 wrote to memory of 2608	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	30
PID 1096 wrote to memory of 2636	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	31
PID 1096 wrote to memory of 2636	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	31
PID 1096 wrote to memory of 2636	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	31
PID 1096 wrote to memory of 2636	1096	{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe	31
PID 2608 wrote to memory of 2540	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	34
PID 2608 wrote to memory of 2540	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	34
PID 2608 wrote to memory of 2540	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	34
PID 2608 wrote to memory of 2540	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	34
PID 2608 wrote to memory of 1924	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	35
PID 2608 wrote to memory of 1924	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	35
PID 2608 wrote to memory of 1924	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	35
PID 2608 wrote to memory of 1924	2608	{98484933-184A-4318-BBE0-07274D079468}.exe	35
PID 2540 wrote to memory of 792	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	36
PID 2540 wrote to memory of 792	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	36
PID 2540 wrote to memory of 792	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	36
PID 2540 wrote to memory of 792	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	36
PID 2540 wrote to memory of 2940	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	37
PID 2540 wrote to memory of 2940	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	37
PID 2540 wrote to memory of 2940	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	37
PID 2540 wrote to memory of 2940	2540	{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe	37
PID 792 wrote to memory of 768	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	38
PID 792 wrote to memory of 768	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	38
PID 792 wrote to memory of 768	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	38
PID 792 wrote to memory of 768	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	38
PID 792 wrote to memory of 1660	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	39
PID 792 wrote to memory of 1660	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	39
PID 792 wrote to memory of 1660	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	39
PID 792 wrote to memory of 1660	792	{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe	39
PID 768 wrote to memory of 1356	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	40
PID 768 wrote to memory of 1356	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	40
PID 768 wrote to memory of 1356	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	40
PID 768 wrote to memory of 1356	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	40
PID 768 wrote to memory of 2708	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	41
PID 768 wrote to memory of 2708	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	41
PID 768 wrote to memory of 2708	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	41
PID 768 wrote to memory of 2708	768	{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe	41
PID 1356 wrote to memory of 1620	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	42
PID 1356 wrote to memory of 1620	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	42
PID 1356 wrote to memory of 1620	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	42
PID 1356 wrote to memory of 1620	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	42
PID 1356 wrote to memory of 2700	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	43
PID 1356 wrote to memory of 2700	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	43
PID 1356 wrote to memory of 2700	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	43
PID 1356 wrote to memory of 2700	1356	{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe	43
PID 1620 wrote to memory of 2764	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	44
PID 1620 wrote to memory of 2764	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	44
PID 1620 wrote to memory of 2764	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	44
PID 1620 wrote to memory of 2764	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	44
PID 1620 wrote to memory of 2504	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	45
PID 1620 wrote to memory of 2504	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	45
PID 1620 wrote to memory of 2504	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	45
PID 1620 wrote to memory of 2504	1620	{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe
  C:\Windows\{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\{98484933-184A-4318-BBE0-07274D079468}.exe
    C:\Windows\{98484933-184A-4318-BBE0-07274D079468}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe
      C:\Windows\{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe
        
        C:\Windows\{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
      - C:\Windows\{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe
        
        C:\Windows\{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe
        
        C:\Windows\{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe
        
        C:\Windows\{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe
        
        C:\Windows\{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe
        
        C:\Windows\{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe
        
        C:\Windows\{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe
        
        C:\Windows\{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{6A601589-2723-4663-BF2C-C8D8C73CAAE8}.exe
        
        C:\Windows\{6A601589-2723-4663-BF2C-C8D8C73CAAE8}.exe
        13⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{989C2~1.EXE > nul
        13⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F13~1.EXE > nul
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AD4~1.EXE > nul
        11⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{725FE~1.EXE > nul
        10⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5915~1.EXE > nul
        9⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EADA~1.EXE > nul
        8⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{762CE~1.EXE > nul
        7⤵
        
        PID:2708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C21D~1.EXE > nul
        6⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA437~1.EXE > nul
        5⤵
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98484~1.EXE > nul
      4⤵
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6CFDD~1.EXE > nul
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C21D303-B331-44d5-9286-E84ED838EE5B}.exe

Filesize
344KB

MD5
1c2cbed16cc37b54bc2859be09be453f

SHA1
e2a76a7cc4dbb561e086c3805941c9adef3d20a8

SHA256
0c659406fbbe4cd71467a0b3d6c6ae5bc55a1827475aa5e01ffae110bc2c7017

SHA512
6b8cf6aecdea2cce02aebc778313c1c3efc48d0b02b8d6d65f38f0edc74859dc4d48fde3a03317da0a8aca65174ba361c4b9bee4691e3bf5d2736f1ac34abfb7

Download Submit
C:\Windows\{44F1307D-AE2D-4623-88A6-4E6B74297F00}.exe

Filesize
344KB

MD5
531082a1609e0899210dd871eef1ae9b

SHA1
7f5862344c0faba70f7295086d22d91134b18788

SHA256
3634fb25887b871a0359a896a5873c55583b314b036cf0ee0001ba138af78f5a

SHA512
74559dd2d44a0c105cced07ff4b13300d98849a957af293c9457580d49bfa7e7ce47b4faa342b7c756e54570280d1036b68ac85bf0ff2dce2e7a3eba26577e5a

Download Submit
C:\Windows\{6A601589-2723-4663-BF2C-C8D8C73CAAE8}.exe

Filesize
344KB

MD5
fc2fd3e099dca890bccd9082d65aec87

SHA1
dd7e6e6d09bb9dbdfc01f5620d3081b35a6ac256

SHA256
87e667d48e8af7e876cb099b0f97eeed8aed089fbddea1bbe7849dc846f4b7c2

SHA512
24ebc12fff7fad1077ffc93c9b09cacd2d48191245779113c79c5ecfbc39eacd8137167c731edc590847f8b01bbf49e9e3741965debbea320e0caf1e28a8f94c

Download Submit
C:\Windows\{6CFDDCB3-7E39-4eeb-9FD9-2785808130D4}.exe

Filesize
344KB

MD5
d9894130da5460e152458460640a38c8

SHA1
721ce3c45d35e9ada8ab9fe71eeba7ed45ab4994

SHA256
f0ce18574b8b3588f2709998b6d3d0d64b30d2a2dbf0ca77eb645da3f3606a75

SHA512
56e71f8d5da489edbed7cb44b62b04cafb89d0e47173390567cd1a300a054e2b906b57b898e5a8741eb52808ed31ff02245c1ddd54a3771c914c0bb7c750719a

Download Submit
C:\Windows\{725FEEC7-3D31-4f39-96E8-89742DC84E8B}.exe

Filesize
344KB

MD5
9e5d0689cd63307402be263a823595d5

SHA1
e2fa299942c1691bd0e18278d2636659e2a67320

SHA256
eebc930f0663410e29ac88ae0ce48b1af80e7583d0b6eb6d349e5111fbcf4946

SHA512
ecb0d19aed89522a1c44c92f1374869f0d502423199c206794db63a561a936b4429c8e9dcdac1e5933d3b986a175de4911d030f4d543927437a4d71d3ae0426e

Download Submit
C:\Windows\{762CE9F5-2DCC-4a6f-B196-2B477CA52FE2}.exe

Filesize
344KB

MD5
2b77819342735d7d45a9ad3d28147f83

SHA1
d254b59f462f82014ea3627de5559164611c14ba

SHA256
234816121eba64fe64a49cd2f04de7c28e04547cb9ec12f4bbcea8cc6d84591d

SHA512
370ed1e63b12ae244b89ac98f1c996788b11b87f408ae1b782cc5582b1b24ee3081fdaab5867058a5816e58d8f7fc51035e20e13e3acfaea1c4a6fee893b9b76

Download Submit
C:\Windows\{7EADA759-BC97-4ada-B406-D5B3F4044CD7}.exe

Filesize
344KB

MD5
655eb3ece22e3b1e25d4e9ea48f9a5f2

SHA1
5b19202b9de863ab28e10d4fd1141585a8b43512

SHA256
1f8a0a93e16fd515f7b9d0dc54ec004195562ec05f710847ae3ea65a3567c6b8

SHA512
726b08f985969703df1550a691f18ce67da1db9fb0b8f643bac9db5fc6aa04267e56ee23805a197a9b2972d408d182ad960049a8691f6831eecef8369dbb0482

Download Submit
C:\Windows\{98484933-184A-4318-BBE0-07274D079468}.exe

Filesize
344KB

MD5
ec598ccfb47c638a1bdb9259a645f42e

SHA1
9d9ca5fab8555aa79fa61c99059193e1bb48758b

SHA256
e35693773be5eece8ca44b7b3f506d9054a699840ecf961561c9f85d502e02b9

SHA512
9688fb2523f639f6277dbd6d1c6a3ee8d4598d2507d5dad33dc5461e98eb0492971259076fb5efeb7b48de7d28dd13a35d072088ef32ad6fd80d569f40b1fa70

Download Submit
C:\Windows\{989C2D66-5A16-4acc-8EF3-A0753648ABD7}.exe

Filesize
344KB

MD5
677464bde9d98620d47a18bcbd6f76e2

SHA1
16daa0de23cca09703c63ac0cc9d52e2a1ce0d80

SHA256
37f3ea32d99b6ebcc204039b35450acd570ce017192337b0add1ed8d0fb434c5

SHA512
3ff1f4bdc625872627e9fb20526c345667bee52362c842f523255e2451c226e309c169e23ff2a486e782de142ecc0628c023d57e7861164f02245b1783f5f98a

Download Submit
C:\Windows\{C9AD435B-3FF8-40f4-B36A-BA79170DF0DC}.exe

Filesize
344KB

MD5
7e686b2e96b2449243a59aa531cc1fa6

SHA1
e356f6df067a4920e7fe24193feb809859722b7f

SHA256
f59700a86fbdce444abc4c37287dbdcaee678874f70587c6c3f81ff864e13069

SHA512
4620026c13c82d947dfb6ee9dd59aa8199b1c9be762a154182ad0ca80686dfa714c3a74450501708c51b0ace925adcfa42a3e32a7f4e55f4eb9ea2fc5df7ff14

Download Submit
C:\Windows\{E59159D1-23DB-4680-8660-75C349EA6BCE}.exe

Filesize
344KB

MD5
2e7cc688145164f4015359fd61ccdd90

SHA1
024fda7af85d545871811a3f53b471aca80d09ac

SHA256
1e73d2053f33fe31de625df767588ab51e2ddb546425cdfb8b25e5ec9545a406

SHA512
ee36aa0cf0d753c0c9bb3d51c265ee5c9623ba3a2901a99ce99dcfa74eb925e3a4aee31c916df85b910bcb1ef62f99533c3cfd068f436345d8d739d642d42984

Download Submit
C:\Windows\{FA43774D-297A-4925-9EE4-7F4B5500B4DC}.exe

Filesize
344KB

MD5
66babb9ac09e57aefccb7e597961907a

SHA1
f32b7025e9dbbf791490af23e861a6963daedb2c

SHA256
349a84e8462a4d35a17c1119989ee033a305edaba310ef478463c20f2509a75c

SHA512
cad79337159eb613b72e0dac954b4147c65479246fa8ceac468777863cd82dfd7f3846b98d255899f8ecf1862f5c6cac99393e3cfa48088c1c7427747c67f8c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads