1ee7387805bdfdb6d145033d4c5df25235eb204f81699ff69613b840922f8c52

Analysis

max time kernel
184s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 12:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Size

197KB
MD5

19ff94abde1f2f976ede0fb076ba666d
SHA1

30d997c7010e392248833444410a3680f8a80b71
SHA256

1ee7387805bdfdb6d145033d4c5df25235eb204f81699ff69613b840922f8c52
SHA512

2890da9ceddbc6528107eb161f876cfaed015e1e1084320d4e4254cc5cc02559927e252d5494db366e61f155e6f8965415bb074c5bc43814809a4202eca87865
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG5lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e827-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e828-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000006c5-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e748-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00170000000006c5-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e748-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00180000000006c5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e748-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00190000000006c5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e748-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a0000000006c5-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e748-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}\stubpath = "C:\\Windows\\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe"	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}\stubpath = "C:\\Windows\\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe"	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094980D5-1F39-4db5-9A85-BBDCE5B09747}\stubpath = "C:\\Windows\\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe"	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}\stubpath = "C:\\Windows\\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe"	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C211656F-0786-4e1b-8FCA-FBB822549A1D}\stubpath = "C:\\Windows\\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe"	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C211656F-0786-4e1b-8FCA-FBB822549A1D}	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}\stubpath = "C:\\Windows\\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe"	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}\stubpath = "C:\\Windows\\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe"	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}\stubpath = "C:\\Windows\\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe"	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094980D5-1F39-4db5-9A85-BBDCE5B09747}	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}\stubpath = "C:\\Windows\\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe"	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}\stubpath = "C:\\Windows\\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe"	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DB313B-9256-495f-93F3-D5D708E97724}	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DB313B-9256-495f-93F3-D5D708E97724}\stubpath = "C:\\Windows\\{98DB313B-9256-495f-93F3-D5D708E97724}.exe"	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}\stubpath = "C:\\Windows\\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe"	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Executes dropped EXE 12 IoCs

pid	Process
2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
4884	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
2252	{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
File created	C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
File created	C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
File created	C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
File created	C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
File created	C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
File created	C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
File created	C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
File created	C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
File created	C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
File created	C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
File created	C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
Token: SeIncBasePriorityPrivilege	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
Token: SeIncBasePriorityPrivilege	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
Token: SeIncBasePriorityPrivilege	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
Token: SeIncBasePriorityPrivilege	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
Token: SeIncBasePriorityPrivilege	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
Token: SeIncBasePriorityPrivilege	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
Token: SeIncBasePriorityPrivilege	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
Token: SeIncBasePriorityPrivilege	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
Token: SeIncBasePriorityPrivilege	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe
Token: SeIncBasePriorityPrivilege	4884	{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2332	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	89
PID 1576 wrote to memory of 2332	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	89
PID 1576 wrote to memory of 2332	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	89
PID 1576 wrote to memory of 432	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	90
PID 1576 wrote to memory of 432	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	90
PID 1576 wrote to memory of 432	1576	2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe	90
PID 2332 wrote to memory of 1212	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	91
PID 2332 wrote to memory of 1212	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	91
PID 2332 wrote to memory of 1212	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	91
PID 2332 wrote to memory of 2252	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	92
PID 2332 wrote to memory of 2252	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	92
PID 2332 wrote to memory of 2252	2332	{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe	92
PID 1212 wrote to memory of 1452	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	93
PID 1212 wrote to memory of 1452	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	93
PID 1212 wrote to memory of 1452	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	93
PID 1212 wrote to memory of 3380	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	94
PID 1212 wrote to memory of 3380	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	94
PID 1212 wrote to memory of 3380	1212	{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe	94
PID 1452 wrote to memory of 4672	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	96
PID 1452 wrote to memory of 4672	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	96
PID 1452 wrote to memory of 4672	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	96
PID 1452 wrote to memory of 4080	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	97
PID 1452 wrote to memory of 4080	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	97
PID 1452 wrote to memory of 4080	1452	{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe	97
PID 4672 wrote to memory of 2616	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	98
PID 4672 wrote to memory of 2616	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	98
PID 4672 wrote to memory of 2616	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	98
PID 4672 wrote to memory of 1196	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	99
PID 4672 wrote to memory of 1196	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	99
PID 4672 wrote to memory of 1196	4672	{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe	99
PID 2616 wrote to memory of 2476	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	100
PID 2616 wrote to memory of 2476	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	100
PID 2616 wrote to memory of 2476	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	100
PID 2616 wrote to memory of 4196	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	101
PID 2616 wrote to memory of 4196	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	101
PID 2616 wrote to memory of 4196	2616	{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe	101
PID 2476 wrote to memory of 3676	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	102
PID 2476 wrote to memory of 3676	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	102
PID 2476 wrote to memory of 3676	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	102
PID 2476 wrote to memory of 4236	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	103
PID 2476 wrote to memory of 4236	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	103
PID 2476 wrote to memory of 4236	2476	{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe	103
PID 3676 wrote to memory of 4288	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	104
PID 3676 wrote to memory of 4288	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	104
PID 3676 wrote to memory of 4288	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	104
PID 3676 wrote to memory of 2360	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	105
PID 3676 wrote to memory of 2360	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	105
PID 3676 wrote to memory of 2360	3676	{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe	105
PID 4288 wrote to memory of 1652	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	106
PID 4288 wrote to memory of 1652	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	106
PID 4288 wrote to memory of 1652	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	106
PID 4288 wrote to memory of 4040	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	107
PID 4288 wrote to memory of 4040	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	107
PID 4288 wrote to memory of 4040	4288	{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe	107
PID 1652 wrote to memory of 436	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	108
PID 1652 wrote to memory of 436	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	108
PID 1652 wrote to memory of 436	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	108
PID 1652 wrote to memory of 3200	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	109
PID 1652 wrote to memory of 3200	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	109
PID 1652 wrote to memory of 3200	1652	{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe	109
PID 436 wrote to memory of 4884	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	110
PID 436 wrote to memory of 4884	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	110
PID 436 wrote to memory of 4884	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	110
PID 436 wrote to memory of 1576	436	{98DB313B-9256-495f-93F3-D5D708E97724}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_19ff94abde1f2f976ede0fb076ba666d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
  C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
    C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
      C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
        
        C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
        
        C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
        
        C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
        
        C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
        
        C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
        
        C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe
        
        C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
        
        C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe
        
        C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9868~1.EXE > nul
        13⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98DB3~1.EXE > nul
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2116~1.EXE > nul
        11⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18C20~1.EXE > nul
        10⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09498~1.EXE > nul
        9⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A4B~1.EXE > nul
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F4E9~1.EXE > nul
        7⤵
        
        PID:4196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{980DB~1.EXE > nul
        6⤵
        
        PID:1196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E9C~1.EXE > nul
        5⤵
        
        PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F711~1.EXE > nul
      4⤵
      PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A0CA~1.EXE > nul
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:432

Network

DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

82.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.90.14.23.in-addr.arpa

IN PTR

Response

82.90.14.23.in-addr.arpa

IN PTR

a23-14-90-82deploystaticakamaitechnologiescom
DNS

84.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.177.190.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

132.250.30.184.in-addr.arpa

Remote address:

8.8.8.8:53

Request

132.250.30.184.in-addr.arpa

IN PTR

Response

132.250.30.184.in-addr.arpa

IN PTR

a184-30-250-132deploystaticakamaitechnologiescom
DNS

24.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.139.73.23.in-addr.arpa

IN PTR

Response

24.139.73.23.in-addr.arpa

IN PTR

a23-73-139-24deploystaticakamaitechnologiescom
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

88.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.16.208.104.in-addr.arpa

IN PTR

Response

23.53.113.159:80

138 B
3

8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

82.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

82.90.14.23.in-addr.arpa
8.8.8.8:53

84.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

84.177.190.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

132.250.30.184.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

132.250.30.184.in-addr.arpa
8.8.8.8:53

24.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

24.139.73.23.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

88.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

88.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{094980D5-1F39-4db5-9A85-BBDCE5B09747}.exe

Filesize
197KB

MD5
827303aaafe6b70ea01ab16c806ff622

SHA1
4a4d661548bfc7a48fa2907f44a9c56e1aee0761

SHA256
e743dc711fe3f348538ce67dd6282735f3b6ca1194a0196bb4d4cff081a462aa

SHA512
9999e46b453cafc9f6029e4ca35bb233c867ceade1e55ce7d9f2d697a585fa38dfa9de15acf7e20ab4a117648faa11f0a3213e020e09384e040e63b844a405c4

Download Submit
C:\Windows\{18C202B6-181B-4b02-8D9A-ED6E6E97B850}.exe

Filesize
197KB

MD5
28d539f404840bea1206ef34dd67d597

SHA1
8531b3b6da5bb0ae64a2b627e26a428475dfc9ea

SHA256
ffceb64774c8e808a96e8dd085d0e03b1f4227eeaf0b938b379926e8896f0d36

SHA512
82cd39d2f8817f55de98b75a928e784ef93731144759aa114929338fb8aa2f872bed92604d2ef4a07c41dd5feae06612436392fe9b3cc7236cabb8f32189c4a8

Download Submit
C:\Windows\{1F4E9740-C2CB-4b8c-8031-0788DC952F2E}.exe

Filesize
197KB

MD5
9a9bbb3cf7956289a39e26fc938dc9a6

SHA1
eb7c64231c23105246d3347aa6078a239c009a4f

SHA256
74f1634519deefeac7a13e87ec5675a10b8539eb157cbf74c1607fde9617917f

SHA512
1bf9278bc2f16d09c25fef119ca01985af14fe7b7a0f044362fac13108adcc07e3f0d9a39c2edbd86759219c8a1f8b90eea05e540126aae03dbcb9e401593bd5

Download Submit
C:\Windows\{3F7111A3-46E4-4f5b-A7C7-9ACF72E84180}.exe

Filesize
197KB

MD5
2973ae9df8de3944391e001380ecd325

SHA1
9e184350a37b7bd7f62ff8d489bc76dc176bfe51

SHA256
539f46a1ac5d92330e061849923f2d8a6fe1a2c58f2f6d0f2ec6c6812ce76655

SHA512
c269794d6812d498b6d3e08118f471f43b52d578f56b09f1b6536668d76f1eb63d4a861c96b406570669df6b6e123502b2fd685ef3fd431d87d3a1078f32fbef

Download Submit
C:\Windows\{6D8EDDEC-F1DB-478f-A169-E1163CD7D4AA}.exe

Filesize
197KB

MD5
7571ee91d37360c49829b59845f38185

SHA1
1428aeada647c101f9801d36d5a0a17640fa2aab

SHA256
b77db16ff3bd31f0fa3e132015b63e4ef26bbd471d0b546260a4d0b25a4adf38

SHA512
06c8138ea87fdae1cd18b61c46611b100b88176d081856d03ccabebc9ca5e8c41a23bad739a2bce37ca282ae6ead32c5ec64e8c452780ae64f8fc3e0a37ba8f4

Download Submit
C:\Windows\{980DB619-CA53-4e06-948D-65CF7FDD0D4E}.exe

Filesize
197KB

MD5
cfbf8f84c9c4efd9c8c400ab62196a3a

SHA1
db696d319733e911f75a603032867d9a91da2f7a

SHA256
90aa3c18714936809158603298f47341b7e3d35ffbef99b8546d31747d1654ed

SHA512
3b4f05c2da90fbda89cdae18428c5d82d1524c66bcc17d0050028e3edd42d9d70645fca4a74200587c7c7925815a75b5aae8cca77f28900fff47c1696e3a9baa

Download Submit
C:\Windows\{98DB313B-9256-495f-93F3-D5D708E97724}.exe

Filesize
197KB

MD5
c3bba18e7c1416930bbe74aeb48f9493

SHA1
12ff3f9f0c1c05a21660c4c64d463ea6dd06b6c6

SHA256
856b87f07978362fc4f590526fcda1af2d03cb395039789fe399b7f41d3b2911

SHA512
f3039b247fbd05b64f2a01ba55f898143b077a96cef6959dafb1d652f9b1cbe08d44edb3c001c9c11604be6d3911a784f6746c0b2406acfdf7276ffa4cc53d8d

Download Submit
C:\Windows\{9A0CAE39-2449-451d-AE4A-6E5D864D8F53}.exe

Filesize
197KB

MD5
76791d9464b1e05dd454d09e24ab2f98

SHA1
cafc2df067a80a0e701a918deaf6e1f0ce770aa7

SHA256
d84b319177b6733a5f04bc68e152955c52ea1c479d8faf48b29449a0517e038d

SHA512
daf4f707124928ae6ef0c01aa4d777ceb7a31c48a4aaf981e91973fd1134703091e0507f248ef1d18ff6a6ea0d296ca2fba5cc9c9c037b7ea25465fc8115a237

Download Submit
C:\Windows\{C0A4B8F7-CF71-49f4-B27C-AD6900E31301}.exe

Filesize
197KB

MD5
966d00944a946fc4ec08f0d4c981dc97

SHA1
ea21b0e78710f8cacc2f6d13aa9a9b040830c791

SHA256
456e32d7246122985280bfbf62545516909ee8f309fe6523e143a2f0d97364aa

SHA512
31e5175f43c3c7f4d9f7f010a7d724e0d7bb483bd3d60f31da5070b9edff64e5fb7259ac73d901847491873dcbe697f50f1d7baee2b368d6a5dbd5e00d6d91fe

Download Submit
C:\Windows\{C211656F-0786-4e1b-8FCA-FBB822549A1D}.exe

Filesize
197KB

MD5
e82235eeb66e0b8f81a2548a0d6063c6

SHA1
ce5f4d6b1e85ef06510c54141089d4e4aacf6c49

SHA256
b7445819529b717ac28d7ec70baa2997ea0c8cc863f1a072c90b447ebd15fb53

SHA512
eef698ad04f5a0ba1336498a56193aebdf71f2f97f7a6ad9b4255f2c568e7e7e230ac5edf68334945ebbb14cfcc503801de1d374e0f579885b42d2542035992e

Download Submit
C:\Windows\{C6E9C362-9604-4c7c-A314-79C4AEF14A49}.exe

Filesize
197KB

MD5
282d311e01faaa037f0c99ca7c7b87f3

SHA1
5e3bd006f7fb5bb75b8db24958a9d6526bea5418

SHA256
ef9a12b3b04dda1092be2719ef4824641559585eb7363ce26b9401339bb2ff61

SHA512
0d14332cd8cd50b6b5bf546084e6a3c94a5be53eeb150d8e182fbf8ba78f4174ab307192ae63f06ccf1e80b8a319cabd9df53d1172babcf93ada711baf1fbd95

Download Submit
C:\Windows\{C98680E7-A790-4e4d-A23C-3B7DF7F08700}.exe

Filesize
197KB

MD5
4bcbc135edb87626e766d364fe684b45

SHA1
6be0e25651a3cbeebb672abdb73bbec809d61b02

SHA256
155e6ff609614aa9d7d61f657b20e98fc9038419102f3e255a4315b5b57cc1b7

SHA512
7957dd9506d1b2a5514d55db3c77ff487422ff4f2f7b7c44d1b9a80a9fcda9ca51ebeddf44afc4012738d502208f99eaeac158a0614d07cefd93b121ea32f44d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.