8fdb2abe8efebff6a37d1eb2fcb164c50c3a9eccbc531f707a69762eb0b0d3fe

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe
Size

180KB
MD5

2b99e45316370ade84add779536e9e58
SHA1

e2f583aa0549566214f0de2f2ea3a71e456b07b6
SHA256

8fdb2abe8efebff6a37d1eb2fcb164c50c3a9eccbc531f707a69762eb0b0d3fe
SHA512

17876c4f914a81772c03b2c818c30b5df4263096d39a5178cfe55658c5651eeaa48a8f089c7f4313cdff711e450dbcf5a7e321132ab73118b6b551b0628bd90b
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGZl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023231-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023237-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023237-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64065D54-A182-4f43-BF21-B9C31E6F77C3}	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B06E824-FC9E-4376-9474-CE6DA3D68346}\stubpath = "C:\\Windows\\{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe"	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}\stubpath = "C:\\Windows\\{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe"	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}\stubpath = "C:\\Windows\\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe"	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE08D6DB-B3F3-4934-933A-ED198DCB580F}\stubpath = "C:\\Windows\\{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe"	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28C1D63-F0D7-4eb3-806B-14A842C7A023}\stubpath = "C:\\Windows\\{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe"	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}\stubpath = "C:\\Windows\\{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe"	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B06E824-FC9E-4376-9474-CE6DA3D68346}	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE08D6DB-B3F3-4934-933A-ED198DCB580F}	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64065D54-A182-4f43-BF21-B9C31E6F77C3}\stubpath = "C:\\Windows\\{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe"	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D1DD1C-1938-4def-B19C-F842C7B7D169}\stubpath = "C:\\Windows\\{98D1DD1C-1938-4def-B19C-F842C7B7D169}.exe"	{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}\stubpath = "C:\\Windows\\{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe"	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D1DD1C-1938-4def-B19C-F842C7B7D169}	{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28C1D63-F0D7-4eb3-806B-14A842C7A023}	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}\stubpath = "C:\\Windows\\{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe"	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B9A239-586B-4439-9757-51E7ED24A780}	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B9A239-586B-4439-9757-51E7ED24A780}\stubpath = "C:\\Windows\\{A7B9A239-586B-4439-9757-51E7ED24A780}.exe"	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE65920-D716-4a76-B7F8-723A46B778E5}	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE65920-D716-4a76-B7F8-723A46B778E5}\stubpath = "C:\\Windows\\{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe"	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe

Executes dropped EXE 12 IoCs

pid	Process
3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe
4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe
3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe
4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe
804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe
4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe
4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe
2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe
2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe
5040	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe
3332	{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe
632	{98D1DD1C-1938-4def-B19C-F842C7B7D169}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe
File created	C:\Windows\{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe
File created	C:\Windows\{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe
File created	C:\Windows\{A7B9A239-586B-4439-9757-51E7ED24A780}.exe	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe
File created	C:\Windows\{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe
File created	C:\Windows\{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe
File created	C:\Windows\{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe
File created	C:\Windows\{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe
File created	C:\Windows\{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe
File created	C:\Windows\{98D1DD1C-1938-4def-B19C-F842C7B7D169}.exe	{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe
File created	C:\Windows\{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe
File created	C:\Windows\{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1628	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe
Token: SeIncBasePriorityPrivilege	4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe
Token: SeIncBasePriorityPrivilege	3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe
Token: SeIncBasePriorityPrivilege	4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe
Token: SeIncBasePriorityPrivilege	804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe
Token: SeIncBasePriorityPrivilege	4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe
Token: SeIncBasePriorityPrivilege	4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe
Token: SeIncBasePriorityPrivilege	2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe
Token: SeIncBasePriorityPrivilege	2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe
Token: SeIncBasePriorityPrivilege	5040	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe
Token: SeIncBasePriorityPrivilege	3332	{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3844	1628	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe	92
PID 1628 wrote to memory of 3844	1628	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe	92
PID 1628 wrote to memory of 3844	1628	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe	92
PID 1628 wrote to memory of 4760	1628	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe	93
PID 1628 wrote to memory of 4760	1628	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe	93
PID 1628 wrote to memory of 4760	1628	2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe	93
PID 3844 wrote to memory of 4928	3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe	94
PID 3844 wrote to memory of 4928	3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe	94
PID 3844 wrote to memory of 4928	3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe	94
PID 3844 wrote to memory of 4808	3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe	95
PID 3844 wrote to memory of 4808	3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe	95
PID 3844 wrote to memory of 4808	3844	{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe	95
PID 4928 wrote to memory of 3044	4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe	97
PID 4928 wrote to memory of 3044	4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe	97
PID 4928 wrote to memory of 3044	4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe	97
PID 4928 wrote to memory of 752	4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe	98
PID 4928 wrote to memory of 752	4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe	98
PID 4928 wrote to memory of 752	4928	{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe	98
PID 3044 wrote to memory of 4500	3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe	100
PID 3044 wrote to memory of 4500	3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe	100
PID 3044 wrote to memory of 4500	3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe	100
PID 3044 wrote to memory of 3392	3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe	99
PID 3044 wrote to memory of 3392	3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe	99
PID 3044 wrote to memory of 3392	3044	{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe	99
PID 4500 wrote to memory of 804	4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe	101
PID 4500 wrote to memory of 804	4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe	101
PID 4500 wrote to memory of 804	4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe	101
PID 4500 wrote to memory of 368	4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe	102
PID 4500 wrote to memory of 368	4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe	102
PID 4500 wrote to memory of 368	4500	{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe	102
PID 804 wrote to memory of 4360	804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe	104
PID 804 wrote to memory of 4360	804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe	104
PID 804 wrote to memory of 4360	804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe	104
PID 804 wrote to memory of 4048	804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe	103
PID 804 wrote to memory of 4048	804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe	103
PID 804 wrote to memory of 4048	804	{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe	103
PID 4360 wrote to memory of 4608	4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe	105
PID 4360 wrote to memory of 4608	4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe	105
PID 4360 wrote to memory of 4608	4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe	105
PID 4360 wrote to memory of 1136	4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe	106
PID 4360 wrote to memory of 1136	4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe	106
PID 4360 wrote to memory of 1136	4360	{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe	106
PID 4608 wrote to memory of 2296	4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe	107
PID 4608 wrote to memory of 2296	4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe	107
PID 4608 wrote to memory of 2296	4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe	107
PID 4608 wrote to memory of 3028	4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe	108
PID 4608 wrote to memory of 3028	4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe	108
PID 4608 wrote to memory of 3028	4608	{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe	108
PID 2296 wrote to memory of 2956	2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe	110
PID 2296 wrote to memory of 2956	2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe	110
PID 2296 wrote to memory of 2956	2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe	110
PID 2296 wrote to memory of 4944	2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe	109
PID 2296 wrote to memory of 4944	2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe	109
PID 2296 wrote to memory of 4944	2296	{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe	109
PID 2956 wrote to memory of 5040	2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe	112
PID 2956 wrote to memory of 5040	2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe	112
PID 2956 wrote to memory of 5040	2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe	112
PID 2956 wrote to memory of 5076	2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe	111
PID 2956 wrote to memory of 5076	2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe	111
PID 2956 wrote to memory of 5076	2956	{A7B9A239-586B-4439-9757-51E7ED24A780}.exe	111
PID 5040 wrote to memory of 3332	5040	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe	113
PID 5040 wrote to memory of 3332	5040	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe	113
PID 5040 wrote to memory of 3332	5040	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe	113
PID 5040 wrote to memory of 4440	5040	{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_2b99e45316370ade84add779536e9e58_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe
  C:\Windows\{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe
    C:\Windows\{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe
      C:\Windows\{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78599~1.EXE > nul
        5⤵
        
        PID:3392
    - - C:\Windows\{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe
        
        C:\Windows\{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe
        
        C:\Windows\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64DF8~1.EXE > nul
        7⤵
        
        PID:4048
        
        C:\Windows\{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe
        
        C:\Windows\{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe
        
        C:\Windows\{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe
        
        C:\Windows\{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64065~1.EXE > nul
        10⤵
        
        PID:4944
        
        C:\Windows\{A7B9A239-586B-4439-9757-51E7ED24A780}.exe
        
        C:\Windows\{A7B9A239-586B-4439-9757-51E7ED24A780}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B9A~1.EXE > nul
        11⤵
        
        PID:5076
        
        C:\Windows\{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe
        
        C:\Windows\{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe
        
        C:\Windows\{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Windows\{98D1DD1C-1938-4def-B19C-F842C7B7D169}.exe
        
        C:\Windows\{98D1DD1C-1938-4def-B19C-F842C7B7D169}.exe
        13⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D28C1~1.EXE > nul
        13⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BE65~1.EXE > nul
        12⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{299E8~1.EXE > nul
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE08D~1.EXE > nul
        8⤵
        
        PID:1136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15B75~1.EXE > nul
        6⤵
        
        PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B06E~1.EXE > nul
      4⤵
      PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0356A~1.EXE > nul
    3⤵
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0356A61F-8F8B-4c9c-84F7-A7C589B7D399}.exe

Filesize
180KB

MD5
768042e88cea82affcc95cb317008cd6

SHA1
055a9ea3ca2c5a5c6f5ec5019072fd3712c35d26

SHA256
27f28e495ab212abd2b84d5d40f27533464f74c8b2a96c5ca849c16c4910d447

SHA512
dcc8c97eb09eb9ee7fa921c41bb3b2ff3ca287abbb83a987bc33d45974cbd35d80b2c97e864ee710a4d1dbc2e7d07831bca01d85f33bb5868f26395b01e318c2

Download Submit
C:\Windows\{15B75ED8-2EC7-4959-B4A6-EA689B08A6E7}.exe

Filesize
180KB

MD5
80d8e18077c5bf2189c0839fe0c0f0e5

SHA1
2ad55fc0bed2a137f7c5f8e89795a1ede1b2ae1d

SHA256
9cc3fbdec0f78bca214b075bf73fe5b13d5e59c1fb85fefe720890be521b703b

SHA512
6a59d23d7653df1b5c7a205be2d6829d45ef1b9248a3d826db41b2e3bb975d5811381e99960d72b88ca2fc310cba89bb29eae224b005fea2519729f11ba9a01d

Download Submit
C:\Windows\{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe

Filesize
109KB

MD5
34c28a5943dae572cbd48602aa7d805f

SHA1
ffe3bad02925d6ce444a7603bc36d833a76191a4

SHA256
bca124728aa7963b9f133f80a299236e004cfcd9aaf9f9c503bb29c7ce052d5c

SHA512
6d1a81182530ef63b734ea48f35981602e8bd2806606176da56b106aa16660fdd4c782da8fb1ee6b0d3a87c9c4ac25ab35aefa9c675180b16e5fcd1633b1107f

Download Submit
C:\Windows\{1BE65920-D716-4a76-B7F8-723A46B778E5}.exe

Filesize
75KB

MD5
fa56c564730784b507c0be21c1a77406

SHA1
144d9e303b53c53968c0ca670fde9cf5813fdf06

SHA256
86046023da535d45565f4b0ef959d2bce8fa02383bad2bb78d565879cf33fa91

SHA512
e19235844f1dadbc6f886900d3c8c423b670148ab1d74b2a8227871963d7af95d13e0e96c79388d6d4f1577d67662f58d768beaf68ae19727ac04b81beb09277

Download Submit
C:\Windows\{299E8156-7FAD-4d9e-B42B-A1ECDC25D1FC}.exe

Filesize
180KB

MD5
0c3b4d444d68df9b251457ad682a58b3

SHA1
ee67c30d50058d93562c6fdb142b6a69757bfd37

SHA256
c70d6f11a1d2592e2e9403739e02ce001b71664b09b5e6361a94e8a7f5b280ad

SHA512
d4bb13c8844de5b77d22d295fc117c03aba3e24d7ca8cce1ec8b306f05880820c4f11571c779b1896cc92fee3ba8309a65884a30a68d2bd18237e36f54098041

Download Submit
C:\Windows\{5B06E824-FC9E-4376-9474-CE6DA3D68346}.exe

Filesize
180KB

MD5
74400b3295c440cce711f3b4dd3bce13

SHA1
ef5563f69cc0eb3d6755e38245aea9e8ffc8c55d

SHA256
b67b3fa524ff18dd5607564fc96e932109ec0a973046fc9f6c8913a5e230bc38

SHA512
043898b52b3baaeb1e40c5865044ba28a7347e228ff155dffe2bb71fb03717708a7af315d4e3da52c6da668c35bf31eca052463e3645c297c313b9fd631b8a76

Download Submit
C:\Windows\{64065D54-A182-4f43-BF21-B9C31E6F77C3}.exe

Filesize
180KB

MD5
a785fa8c02e03db9b1fbce44eb6d0499

SHA1
aa373b753d42f710968e9fef2867db8e405d9851

SHA256
1fddd372b61f724efef89de2ffe7edce726e1b23ce22f08757426be7cb5cdf3b

SHA512
53506c8c7384cdbb79e775d2d3bcc1f4fac0f05ed3d9cd3ae51d26073356b8a9d22b6749e6770af935171d10ef3d05ef2260c5618ed06015db1b339ad9de90f2

Download Submit
C:\Windows\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe

Filesize
128KB

MD5
76ef7f34e343ddcf7c517f28379e13d5

SHA1
e415e86852e82607efc589127b9d02e43a90499c

SHA256
1628fd0dcb227a72137f5529070a3f8d5e3b56b462ded96bbc6c5ccd97d0bf57

SHA512
7169430adeebbdce62950019c225c6b6b5656642d8c24288be84662f199ec4d051e6dc278c7062a46c8383210c7829819fc149165d48e173ac0085117550182d

Download Submit
C:\Windows\{64DF8CD1-E4C2-4d6c-97E7-EBC5F92B67FB}.exe

Filesize
95KB

MD5
6cd75e04284334db742589ec370ffeab

SHA1
c014249e1110d777cf4f2aae1d5f2d9cb9cb4232

SHA256
7ea46e9dee63f975b0339408ece428a1d97b3e2dbbc62aff46fc03ed144bf0e7

SHA512
de843b85909f1aad8b5c563599f2951b0825a21342d0ad94b363687270b2c3695848c8de1dae0449de8447db34e649d3c36438cccdfbb15fb767fd09c3cc22a0

Download Submit
C:\Windows\{78599DB1-DD55-41b0-99A5-EE5024CF3BD0}.exe

Filesize
180KB

MD5
1c22dca5897935ab5eec4b65a1a3806d

SHA1
339034a32d8ec0f625bc58f36c5acf2fb87890db

SHA256
ddef7d4d5a32e1e6f14aa03cb4d28f7883dc43721e5b5ff03c57b73bb0cb0351

SHA512
f849f20e5e15b94f1455adebce8b3468d7d15a915b7ec133ba84d743c69049b24e20939f7a618f4d02db4b191c34a1f358d95fbaad19f8203895645051f4146d

Download Submit
C:\Windows\{98D1DD1C-1938-4def-B19C-F842C7B7D169}.exe

Filesize
180KB

MD5
e6371b71ab552a85bd475e98eac3abd5

SHA1
aa32a8f8823f27c2a48fae6c671705aeea78d2b9

SHA256
d82f57cbae93b95af66151864367d12d05b926920c8378f2a382e1e8f1c71ddc

SHA512
79f833881829a083c64147f9866ac9a695784ead69b217266bc11a0223b899fc3955cfff3c579fc4fe4e3ca4d46e95d86d7f638b134326c1f8dafcbb0bda8111

Download Submit
C:\Windows\{A7B9A239-586B-4439-9757-51E7ED24A780}.exe

Filesize
180KB

MD5
97f720ecf8b5bf97d2992b6fa1e1eefc

SHA1
faa0c47cfe71a67893f4736dd2c5d07aa4bfafc8

SHA256
48ef84a3992018e83a210e1d95665e12b2e0f7259b7e75e38a83cd9d6a18c275

SHA512
78a8de747d08e99b7f95b7ce8b749915b33dddcf7a14186efd25da79a236c49362181848b609becf81404b129924bcdfdc45ca8c7ec7d16d287cb570c8024462

Download Submit
C:\Windows\{D28C1D63-F0D7-4eb3-806B-14A842C7A023}.exe

Filesize
180KB

MD5
8ce58660e6d0926deb532f218d715305

SHA1
02eb6344b6a9782808bc1ab3ca227196a6f9297f

SHA256
a5859268732bd278beeb797aabb8ac5685ea7cfdc49072a2976b787dd53a4934

SHA512
5e88e09a7fbe4cd63b255da9b34a444ca603937a27fa3856bf734572c8a50c8976e6655c6fde7cdc70742453c8b206e7a028338917021bc2c8ca7db46cb21f61

Download Submit
C:\Windows\{FE08D6DB-B3F3-4934-933A-ED198DCB580F}.exe

Filesize
180KB

MD5
839af18c9c6c932c1fbe79e5a49b25fa

SHA1
f39e3bc61f6ebaa653fe5080af6ce1389e7b07a0

SHA256
db3980f464abf5567b58dffc95cd394da40af54b75e07f9235c1aa6ee67eeeb1

SHA512
e7ace4a908f5f865d363a4e84fa967043f9e3760279045ab28dcb5a67ad906112bf390ffb48b3a890abd20c1bf04006a9c77b5629ffb6cf728119bdf27d0dd44

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads