1ee146840412cdf718a25bf1f0ce08babe87124643593e9ef26d99c5450694dd

Analysis

max time kernel
151s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Size

380KB
MD5

eda21308aadfb77a38ffd876a829cb34
SHA1

4efcf69ac11b3b5764b67d2cd5ff9753c11fc8fa
SHA256

1ee146840412cdf718a25bf1f0ce08babe87124643593e9ef26d99c5450694dd
SHA512

e8c9dfdadfff621d59fb9f981786bd4478b3ed82342ebf128387403d046cf9b47f4ee1da3166fc152a6a35d4a0c57ef8ee0891463157c8fb04ecf076db30c424
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGml7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001468c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00370000000170ef-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000010f1d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000010f1d-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E0619C-EE03-4534-A46F-425A59C6B388}	{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0661FA89-09D7-4ff1-AB50-1F84EAED0482}	{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C839CE62-D0B6-4747-95A0-E209A9F21BA0}	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6E9DCD9-18B4-4d85-BE90-074729F69336}	{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6E9DCD9-18B4-4d85-BE90-074729F69336}\stubpath = "C:\\Windows\\{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe"	{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5DB177F-AC56-4f42-B1B3-27C27F573104}	{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5DB177F-AC56-4f42-B1B3-27C27F573104}\stubpath = "C:\\Windows\\{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe"	{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}\stubpath = "C:\\Windows\\{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe"	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}\stubpath = "C:\\Windows\\{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe"	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{136A4B95-AD60-48a4-82A3-AE3867029499}\stubpath = "C:\\Windows\\{136A4B95-AD60-48a4-82A3-AE3867029499}.exe"	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}\stubpath = "C:\\Windows\\{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe"	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04B7FF40-F720-4373-BAD5-577C0487463F}	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04B7FF40-F720-4373-BAD5-577C0487463F}\stubpath = "C:\\Windows\\{04B7FF40-F720-4373-BAD5-577C0487463F}.exe"	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}\stubpath = "C:\\Windows\\{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe"	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D489DC84-4F17-4817-A6DB-F0724227BA88}	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E0619C-EE03-4534-A46F-425A59C6B388}\stubpath = "C:\\Windows\\{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe"	{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C839CE62-D0B6-4747-95A0-E209A9F21BA0}\stubpath = "C:\\Windows\\{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe"	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{136A4B95-AD60-48a4-82A3-AE3867029499}	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D489DC84-4F17-4817-A6DB-F0724227BA88}\stubpath = "C:\\Windows\\{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe"	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0661FA89-09D7-4ff1-AB50-1F84EAED0482}\stubpath = "C:\\Windows\\{0661FA89-09D7-4ff1-AB50-1F84EAED0482}.exe"	{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe
2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe
1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe
1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe
1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe
1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe
2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe
1536	{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe
1772	{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe
1076	{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe
1912	{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe
1492	{0661FA89-09D7-4ff1-AB50-1F84EAED0482}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
File created	C:\Windows\{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe
File created	C:\Windows\{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe
File created	C:\Windows\{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe
File created	C:\Windows\{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe
File created	C:\Windows\{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe
File created	C:\Windows\{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe
File created	C:\Windows\{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe
File created	C:\Windows\{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe	{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe
File created	C:\Windows\{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe	{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe
File created	C:\Windows\{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe	{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe
File created	C:\Windows\{0661FA89-09D7-4ff1-AB50-1F84EAED0482}.exe	{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe
Token: SeIncBasePriorityPrivilege	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe
Token: SeIncBasePriorityPrivilege	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe
Token: SeIncBasePriorityPrivilege	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe
Token: SeIncBasePriorityPrivilege	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe
Token: SeIncBasePriorityPrivilege	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe
Token: SeIncBasePriorityPrivilege	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe
Token: SeIncBasePriorityPrivilege	1536	{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe
Token: SeIncBasePriorityPrivilege	1772	{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe
Token: SeIncBasePriorityPrivilege	1076	{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe
Token: SeIncBasePriorityPrivilege	1912	{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2788	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	28
PID 2060 wrote to memory of 2788	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	28
PID 2060 wrote to memory of 2788	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	28
PID 2060 wrote to memory of 2788	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	28
PID 2060 wrote to memory of 2780	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	29
PID 2060 wrote to memory of 2780	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	29
PID 2060 wrote to memory of 2780	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	29
PID 2060 wrote to memory of 2780	2060	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	29
PID 2788 wrote to memory of 2600	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	31
PID 2788 wrote to memory of 2600	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	31
PID 2788 wrote to memory of 2600	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	31
PID 2788 wrote to memory of 2600	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	31
PID 2788 wrote to memory of 2872	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	30
PID 2788 wrote to memory of 2872	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	30
PID 2788 wrote to memory of 2872	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	30
PID 2788 wrote to memory of 2872	2788	{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe	30
PID 2600 wrote to memory of 1824	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	35
PID 2600 wrote to memory of 1824	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	35
PID 2600 wrote to memory of 1824	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	35
PID 2600 wrote to memory of 1824	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	35
PID 2600 wrote to memory of 1888	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	34
PID 2600 wrote to memory of 1888	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	34
PID 2600 wrote to memory of 1888	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	34
PID 2600 wrote to memory of 1888	2600	{136A4B95-AD60-48a4-82A3-AE3867029499}.exe	34
PID 1824 wrote to memory of 1348	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	37
PID 1824 wrote to memory of 1348	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	37
PID 1824 wrote to memory of 1348	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	37
PID 1824 wrote to memory of 1348	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	37
PID 1824 wrote to memory of 1652	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	36
PID 1824 wrote to memory of 1652	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	36
PID 1824 wrote to memory of 1652	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	36
PID 1824 wrote to memory of 1652	1824	{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe	36
PID 1348 wrote to memory of 1520	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	39
PID 1348 wrote to memory of 1520	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	39
PID 1348 wrote to memory of 1520	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	39
PID 1348 wrote to memory of 1520	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	39
PID 1348 wrote to memory of 1500	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	38
PID 1348 wrote to memory of 1500	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	38
PID 1348 wrote to memory of 1500	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	38
PID 1348 wrote to memory of 1500	1348	{04B7FF40-F720-4373-BAD5-577C0487463F}.exe	38
PID 1520 wrote to memory of 1660	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	41
PID 1520 wrote to memory of 1660	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	41
PID 1520 wrote to memory of 1660	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	41
PID 1520 wrote to memory of 1660	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	41
PID 1520 wrote to memory of 460	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	40
PID 1520 wrote to memory of 460	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	40
PID 1520 wrote to memory of 460	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	40
PID 1520 wrote to memory of 460	1520	{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe	40
PID 1660 wrote to memory of 2628	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	43
PID 1660 wrote to memory of 2628	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	43
PID 1660 wrote to memory of 2628	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	43
PID 1660 wrote to memory of 2628	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	43
PID 1660 wrote to memory of 2868	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	42
PID 1660 wrote to memory of 2868	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	42
PID 1660 wrote to memory of 2868	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	42
PID 1660 wrote to memory of 2868	1660	{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe	42
PID 2628 wrote to memory of 1536	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	44
PID 2628 wrote to memory of 1536	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	44
PID 2628 wrote to memory of 1536	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	44
PID 2628 wrote to memory of 1536	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	44
PID 2628 wrote to memory of 1908	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	45
PID 2628 wrote to memory of 1908	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	45
PID 2628 wrote to memory of 1908	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	45
PID 2628 wrote to memory of 1908	2628	{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe
  C:\Windows\{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C839C~1.EXE > nul
    3⤵
    PID:2872
- - C:\Windows\{136A4B95-AD60-48a4-82A3-AE3867029499}.exe
    C:\Windows\{136A4B95-AD60-48a4-82A3-AE3867029499}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{136A4~1.EXE > nul
      4⤵
      PID:1888
  - - C:\Windows\{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe
      C:\Windows\{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0FCF~1.EXE > nul
        5⤵
        
        PID:1652
    - - C:\Windows\{04B7FF40-F720-4373-BAD5-577C0487463F}.exe
        
        C:\Windows\{04B7FF40-F720-4373-BAD5-577C0487463F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04B7F~1.EXE > nul
        6⤵
        
        PID:1500
      - C:\Windows\{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe
        
        C:\Windows\{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B841E~1.EXE > nul
        7⤵
        
        PID:460
        
        C:\Windows\{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe
        
        C:\Windows\{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F43F1~1.EXE > nul
        8⤵
        
        PID:2868
        
        C:\Windows\{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe
        
        C:\Windows\{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe
        
        C:\Windows\{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe
        
        C:\Windows\{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6E9D~1.EXE > nul
        11⤵
        
        PID:2360
        
        C:\Windows\{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe
        
        C:\Windows\{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe
        
        C:\Windows\{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E06~1.EXE > nul
        13⤵
        
        PID:1928
        
        C:\Windows\{0661FA89-09D7-4ff1-AB50-1F84EAED0482}.exe
        
        C:\Windows\{0661FA89-09D7-4ff1-AB50-1F84EAED0482}.exe
        13⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5DB1~1.EXE > nul
        12⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D489D~1.EXE > nul
        10⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B0A5~1.EXE > nul
        9⤵
        
        PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04B7FF40-F720-4373-BAD5-577C0487463F}.exe

Filesize
380KB

MD5
5e1d9a008fd4227ea346c2e7a7c36c07

SHA1
4ef059824079543906d8577079a309889d4a623f

SHA256
c88a2c74d9daadc1015d858a2d104743f652e90ee673f8da34f713177c673e34

SHA512
6b267a8a201728dac63a93b2b766d8cc92255875e4958af2c3f10f8e607817becdfd75c0da380a9ea0d46003af21f426c47d96a52a81cf1ebb7059b124c76a26

Download Submit
C:\Windows\{0661FA89-09D7-4ff1-AB50-1F84EAED0482}.exe

Filesize
380KB

MD5
bac903053c59ee45ba8c17d234124441

SHA1
f5c2392a18efb36bfdeee70d6f05f8c53ec0d775

SHA256
ecc01af97df205472289ef112f7f787eaea7d93d45ea51d560ac1450f948c713

SHA512
5610f2bb9a962ebe4170be435f6a0557062115caefe7fb80c90dcce6ecb0c883357cda38249109c2b4bb27bd6d75e7cf4c56a09da12c488bd7d261df685336b3

Download Submit
C:\Windows\{136A4B95-AD60-48a4-82A3-AE3867029499}.exe

Filesize
380KB

MD5
2506aa64e0b13a048ca44b67ca089af2

SHA1
98d4d00439f14287959104d32e95f1f6b27861e7

SHA256
851667519eacced91c5c846bd81d835159769f176c24c40b30a30f43d42b478b

SHA512
1afc59b41b9e76f16a1fed9d6ea945c87b8f5e80040df6d646031fbc8c48cccd62fb504feb2fa50334db96dbd77657331cd31166e8bd9219a8e1f3277f9c9154

Download Submit
C:\Windows\{5B0A5EC4-B902-44d9-881F-7604FFB8AC85}.exe

Filesize
380KB

MD5
7b17217c84b0f90f02eef4da1c847a8b

SHA1
25908bc6aafdcf77aa4f0f5c079abe1911ca6380

SHA256
9b2a67a6405f611245be3906719cf3c2b1c89d27239f1a66f256d4e2646dcabb

SHA512
9824e8a466e27651d38f1913f46c5f6200f2cfae1061ba467f069ae08ad41ce53b75d9484f894dca1d31b20b6b990be07ac49a487d1e4dfd3ee3ccc9183f4674

Download Submit
C:\Windows\{B6E9DCD9-18B4-4d85-BE90-074729F69336}.exe

Filesize
380KB

MD5
5fd2ad122a6bad0ff6b149d170c9b563

SHA1
6f191dd094eed7db1f89a6d6ca2874be3513bb6b

SHA256
93c3700d55849da8d85fc33279c5f0b50422c1ccfe1b0a2294414138f09f1a5d

SHA512
1e4793def836e978cee8d16fe79874b301c0bb606b2a649530a6616b99bba7dc346f4878bf9d463c9d09383d9aa709b164351f3d23d1b10ce6a25cae16149675

Download Submit
C:\Windows\{B841E8A0-3F2F-4e65-83DB-5F1D1EF05F02}.exe

Filesize
380KB

MD5
77142d79ed4ea0ee262562ccbf8063b6

SHA1
a186e5d2e5e1f8809b2da3d440bfdcb150b717b6

SHA256
dcaf091c53a5829fc08da19f556d184c755a7cb9fa684f6e4302d1666987173b

SHA512
889b7d67ad1031c6ce57db72b412627259d5649ed82c8b8d347c709cb8a28c2afdc73e204e8128df2c2a51231c2ce011253dec0b9649b9023a3367b257301988

Download Submit
C:\Windows\{C839CE62-D0B6-4747-95A0-E209A9F21BA0}.exe

Filesize
380KB

MD5
8be01f4645bdaa09d64096cbb2e43d78

SHA1
b04ba5332fdcb97fb64a58e05a9010242835ddf1

SHA256
4b360ae76679876e31364de7ff6c31b800493127b20406fb4553b918c752dab7

SHA512
35e22f781995a42eb6354f1a29c2b78db78535fe45da87d555956067fc800a4cde3182c58ccb8f1036d53afb1446f116570e8242c54906b07799860efc97b836

Download Submit
C:\Windows\{C9E0619C-EE03-4534-A46F-425A59C6B388}.exe

Filesize
380KB

MD5
e431537100b3ec7a893748f12a8851f9

SHA1
c14800912cb297935f91da60a52852d2a7cc5af1

SHA256
832925a2a91630d0437b6d9497d17f12750b849f0fbbe04f02a91de208e79c36

SHA512
e384455830697f57159a1c824db71a7ea9a680b811d89bdf938363149834c1414dd312e277f49be610b6e6e4c2b9676c912122cc015d603e76988d377159141f

Download Submit
C:\Windows\{D0FCF4BC-27A4-492e-8D4F-81F81335B4B0}.exe

Filesize
380KB

MD5
5d01735cfc78879848f59621d3443dff

SHA1
3e0353ca08d34d27ca1298d1e004196a08267dd3

SHA256
476f1f72e0ae72eb8bcef941a2a81e5322898e24e70a45c46fb16add2ea795f9

SHA512
acc1efb28d0785c36bdac1cad6e696af0a5d1ed76a40db211b738dd3fb517fdd67ec9344844f5fd9db3c16baf54cb3d8ae82d3e560d9cc6290ea713d82573da0

Download Submit
C:\Windows\{D489DC84-4F17-4817-A6DB-F0724227BA88}.exe

Filesize
380KB

MD5
764aefc72124bcff988836dff77c0944

SHA1
1871e0f1011bf68880448a072c1b8ddaa70bfce9

SHA256
7e4e79c2a02e93f1893c815ba735edee0df3c7c95f65d1f01087d3fff63452b0

SHA512
7ab45743f89626acdf768be6c799be45b582a1e1b4c2ba9c20dffe4b115ab94940ae27bb4cb739c741252d6f8e7fb5f48158134922b92975d91db16a28f4394a

Download Submit
C:\Windows\{E5DB177F-AC56-4f42-B1B3-27C27F573104}.exe

Filesize
380KB

MD5
2ff8943eaac44dcc5693740602acb97b

SHA1
c383febd2d51c5833034ab4b4cd46f863875000a

SHA256
66a5de08c7b592d6fade4df774765cbd5a1b2c6f1139547302a73ceab1158085

SHA512
1882d434450b5c98742748fe054deb62ea778504d68f15956dd56993c7e4225a6f94a245a8713f473bd44e620f9cc99a8bcb71c2807403c4825ba6ee04fe200b

Download Submit
C:\Windows\{F43F11DD-5D23-443a-B14E-7E85BFC7D4A2}.exe

Filesize
380KB

MD5
39068b3b5a73a809ba1f85aabcd16b7e

SHA1
60b35f3c7f4788a54a55c09bbe0c9e57bbf5bed5

SHA256
09a95b5306857ebe586ea9d947eb8d44c85e2750f00e81548ab77992d1a1391f

SHA512
854de0afabb4056403b4b8597fdc4e87775d9cef2563f69093ae70cb263069f993a0c43997e8848cfc6321b5f8d0cd81bf5da4764751cc9b9cd50cda80cf6e4e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads