ad1e9414bcbfb48493e0d7a3daf48caf5f6cf11262b43ce3143c1d37742ac13a

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Size

180KB
MD5

53c5caea0fcb28fe3e6142dfa2d01d77
SHA1

de470816f85b07bd4c7000abfefe71d48061d202
SHA256

ad1e9414bcbfb48493e0d7a3daf48caf5f6cf11262b43ce3143c1d37742ac13a
SHA512

ec6dbf337b78548b46b5c39db18c9982c8dee86935813931defbcba4d24031221a20a30fbbc17d7cc0bcaca62f9bac842b2726d054d88a48b0f1fbb8d33e096e
SSDEEP

3072:jEGh0orlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGxl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001342e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000013adc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f000000013f2c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001342e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001342e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001342e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}\stubpath = "C:\\Windows\\{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe"	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}\stubpath = "C:\\Windows\\{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe"	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}\stubpath = "C:\\Windows\\{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe"	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B657B61-A4D1-4f96-98AE-471491C6AFF1}\stubpath = "C:\\Windows\\{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe"	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}	{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69182290-5749-4e99-8E51-D75C4BB9DFD9}	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69182290-5749-4e99-8E51-D75C4BB9DFD9}\stubpath = "C:\\Windows\\{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe"	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}	{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64F51840-E242-4d8d-9D34-E20E9AECA99C}\stubpath = "C:\\Windows\\{64F51840-E242-4d8d-9D34-E20E9AECA99C}.exe"	{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}\stubpath = "C:\\Windows\\{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe"	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}\stubpath = "C:\\Windows\\{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe"	{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}\stubpath = "C:\\Windows\\{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe"	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}\stubpath = "C:\\Windows\\{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe"	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B657B61-A4D1-4f96-98AE-471491C6AFF1}	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}\stubpath = "C:\\Windows\\{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe"	{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64F51840-E242-4d8d-9D34-E20E9AECA99C}	{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe
2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe
2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe
2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe
2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe
2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe
1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe
2432	{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe
2308	{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe
1232	{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe
1352	{64F51840-E242-4d8d-9D34-E20E9AECA99C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe
File created	C:\Windows\{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe
File created	C:\Windows\{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe	{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe
File created	C:\Windows\{64F51840-E242-4d8d-9D34-E20E9AECA99C}.exe	{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe
File created	C:\Windows\{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe
File created	C:\Windows\{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe
File created	C:\Windows\{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe
File created	C:\Windows\{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe	{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe
File created	C:\Windows\{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
File created	C:\Windows\{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe
File created	C:\Windows\{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe
Token: SeIncBasePriorityPrivilege	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe
Token: SeIncBasePriorityPrivilege	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe
Token: SeIncBasePriorityPrivilege	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe
Token: SeIncBasePriorityPrivilege	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe
Token: SeIncBasePriorityPrivilege	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe
Token: SeIncBasePriorityPrivilege	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe
Token: SeIncBasePriorityPrivilege	2432	{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe
Token: SeIncBasePriorityPrivilege	2308	{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe
Token: SeIncBasePriorityPrivilege	1232	{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2192	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	28
PID 2364 wrote to memory of 2192	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	28
PID 2364 wrote to memory of 2192	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	28
PID 2364 wrote to memory of 2192	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	28
PID 2364 wrote to memory of 2636	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	29
PID 2364 wrote to memory of 2636	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	29
PID 2364 wrote to memory of 2636	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	29
PID 2364 wrote to memory of 2636	2364	2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe	29
PID 2192 wrote to memory of 2720	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	30
PID 2192 wrote to memory of 2720	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	30
PID 2192 wrote to memory of 2720	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	30
PID 2192 wrote to memory of 2720	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	30
PID 2192 wrote to memory of 1296	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	31
PID 2192 wrote to memory of 1296	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	31
PID 2192 wrote to memory of 1296	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	31
PID 2192 wrote to memory of 1296	2192	{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe	31
PID 2720 wrote to memory of 2648	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	32
PID 2720 wrote to memory of 2648	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	32
PID 2720 wrote to memory of 2648	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	32
PID 2720 wrote to memory of 2648	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	32
PID 2720 wrote to memory of 2480	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	33
PID 2720 wrote to memory of 2480	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	33
PID 2720 wrote to memory of 2480	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	33
PID 2720 wrote to memory of 2480	2720	{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe	33
PID 2648 wrote to memory of 2624	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	36
PID 2648 wrote to memory of 2624	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	36
PID 2648 wrote to memory of 2624	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	36
PID 2648 wrote to memory of 2624	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	36
PID 2648 wrote to memory of 1960	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	37
PID 2648 wrote to memory of 1960	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	37
PID 2648 wrote to memory of 1960	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	37
PID 2648 wrote to memory of 1960	2648	{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe	37
PID 2624 wrote to memory of 2556	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	38
PID 2624 wrote to memory of 2556	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	38
PID 2624 wrote to memory of 2556	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	38
PID 2624 wrote to memory of 2556	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	38
PID 2624 wrote to memory of 2820	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	39
PID 2624 wrote to memory of 2820	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	39
PID 2624 wrote to memory of 2820	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	39
PID 2624 wrote to memory of 2820	2624	{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe	39
PID 2556 wrote to memory of 2024	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	40
PID 2556 wrote to memory of 2024	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	40
PID 2556 wrote to memory of 2024	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	40
PID 2556 wrote to memory of 2024	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	40
PID 2556 wrote to memory of 1860	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	41
PID 2556 wrote to memory of 1860	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	41
PID 2556 wrote to memory of 1860	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	41
PID 2556 wrote to memory of 1860	2556	{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe	41
PID 2024 wrote to memory of 1620	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	42
PID 2024 wrote to memory of 1620	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	42
PID 2024 wrote to memory of 1620	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	42
PID 2024 wrote to memory of 1620	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	42
PID 2024 wrote to memory of 1760	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	43
PID 2024 wrote to memory of 1760	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	43
PID 2024 wrote to memory of 1760	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	43
PID 2024 wrote to memory of 1760	2024	{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe	43
PID 1620 wrote to memory of 2432	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	44
PID 1620 wrote to memory of 2432	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	44
PID 1620 wrote to memory of 2432	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	44
PID 1620 wrote to memory of 2432	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	44
PID 1620 wrote to memory of 2120	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	45
PID 1620 wrote to memory of 2120	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	45
PID 1620 wrote to memory of 2120	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	45
PID 1620 wrote to memory of 2120	1620	{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_53c5caea0fcb28fe3e6142dfa2d01d77_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe
  C:\Windows\{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe
    C:\Windows\{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe
      C:\Windows\{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe
        
        C:\Windows\{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe
        
        C:\Windows\{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe
        
        C:\Windows\{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe
        
        C:\Windows\{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe
        
        C:\Windows\{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe
        
        C:\Windows\{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe
        
        C:\Windows\{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\{64F51840-E242-4d8d-9D34-E20E9AECA99C}.exe
        
        C:\Windows\{64F51840-E242-4d8d-9D34-E20E9AECA99C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{894BC~1.EXE > nul
        12⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FCB3~1.EXE > nul
        11⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B657~1.EXE > nul
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF0CF~1.EXE > nul
        9⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A17~1.EXE > nul
        8⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BAC9~1.EXE > nul
        7⤵
        
        PID:1860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69182~1.EXE > nul
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F96EC~1.EXE > nul
        5⤵
        
        PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2238E~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2E10~1.EXE > nul
    3⤵
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BAC9A35-FC9E-4732-AF64-A60FDE4FC0BB}.exe

Filesize
180KB

MD5
f0f9956040b58f8effbf793fa29c2dc4

SHA1
ebc4ec5af5d7e64b19da8dcfa28ec506a6b2859d

SHA256
6633240859c8bb4916c02a48665c9aa06267118981e18ecf20738323aa999cec

SHA512
ac7a319312a30315b91470c6860d100e5a04e26dfd9a90fbbdb4e20e80d7790c7d3e5b583b0bc727301776c7cf37da1d266575b294daa410e4f3755fbe1f523c

Download Submit
C:\Windows\{2238E9EE-1A11-4300-9C34-ED1CD96F1ACA}.exe

Filesize
180KB

MD5
afbcbfb22e587b7ce5d18fe06f77630e

SHA1
9ebddfe02499fbabe2ba06167f0c1b68eb85bf67

SHA256
4977a76256293929e8d9ee8d97e95e835d01fe46140e7d7e31375123e7359e27

SHA512
4b0c87b0751c2b3e19c951cb7f1eef1e7fd06c03a76a05581ffbeef6dfb79111ee89836925d006d822f4caaf24bb65d8ec70e13739d79d468068960cd4ff529f

Download Submit
C:\Windows\{64F51840-E242-4d8d-9D34-E20E9AECA99C}.exe

Filesize
180KB

MD5
60f45f2dc2e0dc6eebddcbadefb9b615

SHA1
c0e0982a8998f98a7373642907682fcb618620b1

SHA256
a8602df98f65e43ff24d3bfe29e30049e49bb9b3d16b854fa40c1d384de550e6

SHA512
d46ea4a5d0f7333c68a9ab15a3346ef9bce1c691b2026c8b7c95450d27b2ecfb8cfebd6875e58fbe810d5bf7d07a6676541bc136225314df556b80e588049a8e

Download Submit
C:\Windows\{69182290-5749-4e99-8E51-D75C4BB9DFD9}.exe

Filesize
180KB

MD5
52d365fdbd4e4aa61336f297662be9aa

SHA1
a2a93f1604c5b0c249024799fb97d7d9479ad403

SHA256
0a5c3bff557974842615eac72d7ae050b00c4cd028985d9a90cc898d0055e4dd

SHA512
d845055db61741f62cbee899265d6e36aa69dea5273157697dad6a2db75e51e98322c2a1f833e314d5038f9ba403651da294d8020a9aa0301ca595e5e7f5d621

Download Submit
C:\Windows\{894BC9AE-5C9D-4f12-ACB8-025D6F3A8638}.exe

Filesize
180KB

MD5
60cd40e7daf3fc703cb3593119bbc003

SHA1
3351c859d251e7cf024f1f8e00858b88dd3a2868

SHA256
6766cb721aae8e7b38eeb5f24d33d44a8c806f8742f0d7222ce4ea7274324c23

SHA512
32f0b6453f22d038240c6fea621654e716e35c2a905e4dd37756cf1cc6af2096c91757ec7669dc6bd1227d5bbaf06c57481f3be3684799f56044e0ba7c902d52

Download Submit
C:\Windows\{8B657B61-A4D1-4f96-98AE-471491C6AFF1}.exe

Filesize
180KB

MD5
452309f535556c2b29054ad1a4047a66

SHA1
ad9b2ad71dfbc4e4c5516e5f29d736cfb72042d5

SHA256
d3ea98e8a590440e006addb3d53581eedbf33d8b66c69dc4f3e2bfa090e36e23

SHA512
dc6955243728f74611920b5cbfc13a7e1a46cb5868a8b2c63998b87d4eb3bab9684785d92f02fdfa556a1209f1768741a834cf8eb5138bdfe343f308f886760e

Download Submit
C:\Windows\{8FCB3E26-11E1-488e-85AD-9FA8DB2082CB}.exe

Filesize
180KB

MD5
30254f443f2a6cbc838b878b360f225c

SHA1
f3b9a27913aecf8cec093bbecc255731056d23a8

SHA256
cbeaa93cf73967aa362d0562e26ff8d1ed34f2ce50d3e60a95f3447ed71ca1d0

SHA512
7b88012cbe99d73053889d78c2e958912df2a4e7b8554fc7436eb5ea5d493748faac0bf5a83443e37965392852f01cc21de3118dfec9536a9586187b29da57e6

Download Submit
C:\Windows\{B6A17DB6-1E5B-49db-9202-2FC01F3064FC}.exe

Filesize
180KB

MD5
4581fbe5413d0884f223e12624a73693

SHA1
0c065c098361e426703e22058448aba07f1e16cb

SHA256
d0d106614716ee78a34a0aade069efe8ae6b4a952f0b969851f2f60d9dea07b7

SHA512
2eeb0bca419cdd2f9f8f72383cf6cf5db330e6aa3c06452e98ecda5971b0aa566843a0db12b8f28a395c29e0d3e7a5400cfec62f660d3a292402d38dbe6d536f

Download Submit
C:\Windows\{C2E10B1C-EE4F-404e-AE1F-E650DCD4C65F}.exe

Filesize
180KB

MD5
d6b1b8b40ba5fd4e7e04a9d4d2d8eaff

SHA1
a902e2b2e1197997542de6ee9e6f0ddf7b1eefa8

SHA256
50ef613f7f3d88dcfae4f0d2d4beac068931ff18d4ac7e559699c69b98c5b1b3

SHA512
ccbaac342eba0918ecb8a8c4e423457c5b231a8699242c0d7d6338213945215b9bdcc66a4668997b13e227295ef2cb3ea7cbc788fb5f832686f33bdc669275ad

Download Submit
C:\Windows\{EF0CF89F-5B7B-4df0-94A9-02F624B12F73}.exe

Filesize
180KB

MD5
f8872424eadc9aa86bc2ecebc2daa9a4

SHA1
31ea049399c697b355d9dc61c3c9e0bc95790802

SHA256
ef52625a35e15a12cbd236fc9a0b4e790e3e2a4a42c13674aca1b5b36cf16b87

SHA512
738453bf62d33eb94af5c0a155308efc9db027796916fda9d608cf146bd19156b74b07896c9a0fb3a441265ee2272962d15c9d3900c5ac5680fb8f61f4f17567

Download Submit
C:\Windows\{F96EC6E9-0D5C-4e25-8996-4DFBE6FE72BB}.exe

Filesize
180KB

MD5
a6537f0d031e485218a57ebf0f952122

SHA1
92fd1275b02da2acc752b9f1754e123fced6ce88

SHA256
b68951476d02e20642fb3a33b2287badbcdbf2aefcef875dd6f36df3825eabb0

SHA512
e7d23b98e0d084b83960aa56204092b92862c0a45cb1a0dc810e288176aa18e694d4242888e20ef7e8ebb07ed0007fedcd1d3bc040480223e6c56cbbc2533136

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads