7ff33a48273f34848abe192f7abe02842a040d8519c68f3520c8887672875f56

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
Size

408KB
MD5

dbf116eade6512a497d7b9e4f6abbb98
SHA1

fe727422c34cad5791a438390f5fbc90375686ad
SHA256

7ff33a48273f34848abe192f7abe02842a040d8519c68f3520c8887672875f56
SHA512

08ef6893d9f683a06adfd5aeada45b3515123bf04b580a840787e0bcb34cebd0b8bfb695d479c732eb16f0a89f7697ca99f56601d6b07b9c9df5eba18d2a6443
SSDEEP

3072:CEGh0ovl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGBldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x001000000002320e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023203-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023215-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023203-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022044-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}\stubpath = "C:\\Windows\\{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe"	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}\stubpath = "C:\\Windows\\{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe"	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}\stubpath = "C:\\Windows\\{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe"	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE88CE49-673C-4103-B5C8-1C36DA4220B3}\stubpath = "C:\\Windows\\{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe"	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0139A2CE-F281-4538-80F4-BB71F324D8F4}\stubpath = "C:\\Windows\\{0139A2CE-F281-4538-80F4-BB71F324D8F4}.exe"	{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FAECE9A-C9DE-40b4-98B3-03349E10242A}	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC0B962-4990-4b10-A26D-829020EEA6FE}	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039F42D4-0A70-4928-9E16-5A3077C638E4}	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039F42D4-0A70-4928-9E16-5A3077C638E4}\stubpath = "C:\\Windows\\{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe"	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}\stubpath = "C:\\Windows\\{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe"	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE88CE49-673C-4103-B5C8-1C36DA4220B3}	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6215373-3E9C-4438-BCDC-2694BBFDDF77}	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6215373-3E9C-4438-BCDC-2694BBFDDF77}\stubpath = "C:\\Windows\\{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe"	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0139A2CE-F281-4538-80F4-BB71F324D8F4}	{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834C3BBB-84E0-41c9-9F34-4877880EEBA4}	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834C3BBB-84E0-41c9-9F34-4877880EEBA4}\stubpath = "C:\\Windows\\{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe"	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC0B962-4990-4b10-A26D-829020EEA6FE}\stubpath = "C:\\Windows\\{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe"	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}\stubpath = "C:\\Windows\\{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe"	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FAECE9A-C9DE-40b4-98B3-03349E10242A}\stubpath = "C:\\Windows\\{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe"	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe
3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe
4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe
4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe
2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe
1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe
3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe
2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe
1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe
4860	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe
1444	{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe
2824	{0139A2CE-F281-4538-80F4-BB71F324D8F4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe
File created	C:\Windows\{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe
File created	C:\Windows\{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe
File created	C:\Windows\{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe
File created	C:\Windows\{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe
File created	C:\Windows\{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe
File created	C:\Windows\{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
File created	C:\Windows\{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe
File created	C:\Windows\{0139A2CE-F281-4538-80F4-BB71F324D8F4}.exe	{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe
File created	C:\Windows\{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe
File created	C:\Windows\{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe
File created	C:\Windows\{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2204	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe
Token: SeIncBasePriorityPrivilege	3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe
Token: SeIncBasePriorityPrivilege	4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe
Token: SeIncBasePriorityPrivilege	4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe
Token: SeIncBasePriorityPrivilege	2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe
Token: SeIncBasePriorityPrivilege	1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe
Token: SeIncBasePriorityPrivilege	3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe
Token: SeIncBasePriorityPrivilege	2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe
Token: SeIncBasePriorityPrivilege	1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe
Token: SeIncBasePriorityPrivilege	4860	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe
Token: SeIncBasePriorityPrivilege	1444	{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2632	2204	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	91
PID 2204 wrote to memory of 2632	2204	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	91
PID 2204 wrote to memory of 2632	2204	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	91
PID 2204 wrote to memory of 1932	2204	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	92
PID 2204 wrote to memory of 1932	2204	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	92
PID 2204 wrote to memory of 1932	2204	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	92
PID 2632 wrote to memory of 3476	2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe	93
PID 2632 wrote to memory of 3476	2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe	93
PID 2632 wrote to memory of 3476	2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe	93
PID 2632 wrote to memory of 616	2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe	94
PID 2632 wrote to memory of 616	2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe	94
PID 2632 wrote to memory of 616	2632	{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe	94
PID 3476 wrote to memory of 4432	3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe	96
PID 3476 wrote to memory of 4432	3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe	96
PID 3476 wrote to memory of 4432	3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe	96
PID 3476 wrote to memory of 5092	3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe	97
PID 3476 wrote to memory of 5092	3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe	97
PID 3476 wrote to memory of 5092	3476	{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe	97
PID 4432 wrote to memory of 4932	4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe	98
PID 4432 wrote to memory of 4932	4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe	98
PID 4432 wrote to memory of 4932	4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe	98
PID 4432 wrote to memory of 3320	4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe	99
PID 4432 wrote to memory of 3320	4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe	99
PID 4432 wrote to memory of 3320	4432	{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe	99
PID 4932 wrote to memory of 2764	4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe	101
PID 4932 wrote to memory of 2764	4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe	101
PID 4932 wrote to memory of 2764	4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe	101
PID 4932 wrote to memory of 2280	4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe	100
PID 4932 wrote to memory of 2280	4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe	100
PID 4932 wrote to memory of 2280	4932	{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe	100
PID 2764 wrote to memory of 1848	2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe	102
PID 2764 wrote to memory of 1848	2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe	102
PID 2764 wrote to memory of 1848	2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe	102
PID 2764 wrote to memory of 1156	2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe	103
PID 2764 wrote to memory of 1156	2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe	103
PID 2764 wrote to memory of 1156	2764	{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe	103
PID 1848 wrote to memory of 3064	1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe	105
PID 1848 wrote to memory of 3064	1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe	105
PID 1848 wrote to memory of 3064	1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe	105
PID 1848 wrote to memory of 3576	1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe	104
PID 1848 wrote to memory of 3576	1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe	104
PID 1848 wrote to memory of 3576	1848	{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe	104
PID 3064 wrote to memory of 2068	3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe	106
PID 3064 wrote to memory of 2068	3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe	106
PID 3064 wrote to memory of 2068	3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe	106
PID 3064 wrote to memory of 1052	3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe	107
PID 3064 wrote to memory of 1052	3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe	107
PID 3064 wrote to memory of 1052	3064	{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe	107
PID 2068 wrote to memory of 1136	2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe	108
PID 2068 wrote to memory of 1136	2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe	108
PID 2068 wrote to memory of 1136	2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe	108
PID 2068 wrote to memory of 4872	2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe	109
PID 2068 wrote to memory of 4872	2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe	109
PID 2068 wrote to memory of 4872	2068	{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe	109
PID 1136 wrote to memory of 4860	1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe	110
PID 1136 wrote to memory of 4860	1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe	110
PID 1136 wrote to memory of 4860	1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe	110
PID 1136 wrote to memory of 4320	1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe	111
PID 1136 wrote to memory of 4320	1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe	111
PID 1136 wrote to memory of 4320	1136	{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe	111
PID 4860 wrote to memory of 1444	4860	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe	112
PID 4860 wrote to memory of 1444	4860	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe	112
PID 4860 wrote to memory of 1444	4860	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe	112
PID 4860 wrote to memory of 2672	4860	{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe
  C:\Windows\{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe
    C:\Windows\{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe
      C:\Windows\{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe
        
        C:\Windows\{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{834C3~1.EXE > nul
        6⤵
        
        PID:2280
      - C:\Windows\{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe
        
        C:\Windows\{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe
        
        C:\Windows\{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A9D6~1.EXE > nul
        8⤵
        
        PID:3576
        
        C:\Windows\{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe
        
        C:\Windows\{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe
        
        C:\Windows\{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe
        
        C:\Windows\{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe
        
        C:\Windows\{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe
        
        C:\Windows\{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\{0139A2CE-F281-4538-80F4-BB71F324D8F4}.exe
        
        C:\Windows\{0139A2CE-F281-4538-80F4-BB71F324D8F4}.exe
        13⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6215~1.EXE > nul
        13⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{039F4~1.EXE > nul
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B07E~1.EXE > nul
        11⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC0B~1.EXE > nul
        10⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE88C~1.EXE > nul
        9⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75C9F~1.EXE > nul
        7⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E72B5~1.EXE > nul
        5⤵
        
        PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0BD5~1.EXE > nul
      4⤵
      PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7FAEC~1.EXE > nul
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0139A2CE-F281-4538-80F4-BB71F324D8F4}.exe

Filesize
408KB

MD5
894724efdb15d64010b0e4941ecc1a98

SHA1
e52bb998193717ab524fdbb3a569e4afb071c334

SHA256
5e8644b697d91a1ed151aee94bb7b060e17bfc6b02ee29463fa6dc5f54fab73f

SHA512
3eafbd7ccd4d5f2e5253c861c5f70771af63023fc0828e6d82bbed41ceb50dd982d6ee6f391af45f3defaf19914113b804d4c1ebcce267886cccf803d97861cf

Download Submit
C:\Windows\{039F42D4-0A70-4928-9E16-5A3077C638E4}.exe

Filesize
408KB

MD5
7fee7c226af9923155b50c70cfec754c

SHA1
f4ec6581ea7e25ef99a8041b0a8d212a94119050

SHA256
a66b0970b040791e8fc1ae42d1e263024d68d8edbac43599e257773df0722aae

SHA512
13b32bd3552ec547a65c9c2120c7d7b9c97fc0ac4f63ec329e292b7ee9af9d55b193880e5aa4bf577c3a946fc749da1ad7d96bf9f06c692ad14566091fd7f29e

Download Submit
C:\Windows\{2FC0B962-4990-4b10-A26D-829020EEA6FE}.exe

Filesize
408KB

MD5
683851689ba9fc989cecd4cf0cd38d79

SHA1
c961e471a067d19ab2aee803408451e48e653d1a

SHA256
d94872da3e33fe5965dd053f662b4b078709c62dfcec62d5a7a881f25f23f2cb

SHA512
4694e67cf643e222b29d38c6942d11e5badf81d928e1095167f4f8af9f8e99cfadeeac38cc1bb5abf8c2ec0f45a83970d849be162c9f9d9861c0107e69d0d250

Download Submit
C:\Windows\{3B07E1CE-EB12-441c-AFE4-EFEF00B86EAA}.exe

Filesize
408KB

MD5
664172101a695cb61f63a70003a37fcb

SHA1
2c800b82856702d7f60b61e642ddd655357b677b

SHA256
d81b46a7301918c9cbd559d90ac833e782004ca77ea8549ba4b6179ba5f45115

SHA512
ef446201b5da3c71d6dd0a4e11b6fd09f7dd79a21a43f33c5896b118bab48621454320a9d164eddee86cb01dcbfe539885847b2aca644a040b195a065dbc08d3

Download Submit
C:\Windows\{75C9FCFB-89BC-4bab-95F3-5321FF9013C0}.exe

Filesize
408KB

MD5
61cb8d49daf37b68fb8b355a2a32c89f

SHA1
be809d31317802ccfa089f5fafddd834b07ad074

SHA256
7cb362f1286dd2cf330ac659bae07e3a3d955366c25a9a99a905e8ba865aaab5

SHA512
31b70bb81377ebf21f1031405bf5ab902a1b4d6866a8db4f4002ecdc1aee8c98ca3347ea63d2305904c78f390425ec855ca0cbf78420dec03f44c0dec8ecf37a

Download Submit
C:\Windows\{7A9D6AAD-A227-4365-AD84-673EBFE7FCB6}.exe

Filesize
408KB

MD5
4d54069b442fcdcdfd673cd8b1294a04

SHA1
7d9b9402d3d2648e1d38d044d72701ea9d378eef

SHA256
67e560763acb3b2ae9dbe3f4f5553630e292a73b8080367886644ee1acbc8f95

SHA512
00ac82ff5da10b068ac4dd90506ff87a855c216859a9e57a009cb371b4ed6c3b341ad8e6fd65c81c83bbcff3f5df940593c8914be4082bc972ac5668d26d051e

Download Submit
C:\Windows\{7FAECE9A-C9DE-40b4-98B3-03349E10242A}.exe

Filesize
408KB

MD5
fd5975a2e450755c77dedbd5b1b6f81e

SHA1
35b13cc2a728ebb7f3aa27602f6fadeaef8472d3

SHA256
5d0a57749a28efb9101b9b057aa26a0a756cb2130c8aa9260ddf3910545f1c5a

SHA512
29acc6200a146677c8363ed40f53a6d56aee26b3180da5616272dad68aad72dbd1b045612aaca00d6071c534ed99cb52fe6d0cef39a27d4fb8d35204c910c66a

Download Submit
C:\Windows\{834C3BBB-84E0-41c9-9F34-4877880EEBA4}.exe

Filesize
408KB

MD5
b3313d0b464c7946801916cb634eaab0

SHA1
bec42bd749f0580ddc15d10e72b583fec7d28e23

SHA256
97ee72b49246d0835e8fa64dec868da43b3206cc0967135f36b590c3c335bd92

SHA512
91fae130db3d7ebb7b90c62b7935981941609412d761312c4da0bb41bd0e220c5dcf8f4706f76344c6c069297e9fc30e0d5a99b064353d87b4d821f6b4655661

Download Submit
C:\Windows\{B6215373-3E9C-4438-BCDC-2694BBFDDF77}.exe

Filesize
408KB

MD5
367f69917fc1923a01b51145755d10e5

SHA1
36969cbd7c4685c079a93caa158316fc15f18f5e

SHA256
cfb15c9890971175400ee5dad5c3209cf18a884609557f77b181833f476268fa

SHA512
d49d8e51385388b0bc4af66398ca45317f84bee424a2b3b9f48970d51a7490c7ee13bf7579725269f415c85ea5f440d697ec3ccebc18387356e43d98fbc2a220

Download Submit
C:\Windows\{C0BD50C4-9245-4aa1-ABDD-1DB836E7BD6B}.exe

Filesize
408KB

MD5
e11ce456451714d5893a1f0ea8eea5ce

SHA1
b21b8d89071f7fdf693e49bc1e3daaa3b80c5fe6

SHA256
b3e65d0702e44e1e8d523e150ec07203b8cef8be3f82fa4ba9ab75efb234d71f

SHA512
ed2f3a41706fcceb8f123182aacba2eacec95e883707b1d45016d6013580f2abb83c02be5f821762e1e286c46411a0c5f5eb7c7fb64a5cfeafca596b4892d615

Download Submit
C:\Windows\{CE88CE49-673C-4103-B5C8-1C36DA4220B3}.exe

Filesize
408KB

MD5
b86142c1225896189fcbfec4b347893a

SHA1
9c66e58f308082a085e02bf518779d7ef8592903

SHA256
c0287d73859a73be7007f83e8dded89ff64f7d427e0f858f3c1356d0a1a3b724

SHA512
2d867bf2c42a21e6b5dc7276c5b428b43dacf35c1df12ba924395d39e035fdea49abbc44d2cd981a6d643a380d77c00858e0d530f766b5cdec17b73ca50aa7c5

Download Submit
C:\Windows\{E72B5282-ACB2-49e0-BA71-F4A18AB332F0}.exe

Filesize
408KB

MD5
2e026c292b79cc8e4684ca318f0cb21a

SHA1
b5a2a1f12f64ab9c0d23e35b424608fb97c2adc3

SHA256
71b579cc14adfdc7a376394d196f18df3a4114d89c7e249299e42d450d3aa136

SHA512
60edc5c3ab0edfd689ab7bbabc63601a3e584a939025a584cc260a787a41c1fe2333f5e8bb232adf5b72b48f97ba969ab56884e61b81f5c0db4428c0a6b1c081

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads