1ee146840412cdf718a25bf1f0ce08babe87124643593e9ef26d99c5450694dd

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Size

380KB
MD5

eda21308aadfb77a38ffd876a829cb34
SHA1

4efcf69ac11b3b5764b67d2cd5ff9753c11fc8fa
SHA256

1ee146840412cdf718a25bf1f0ce08babe87124643593e9ef26d99c5450694dd
SHA512

e8c9dfdadfff621d59fb9f981786bd4478b3ed82342ebf128387403d046cf9b47f4ee1da3166fc152a6a35d4a0c57ef8ee0891463157c8fb04ecf076db30c424
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGml7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023204-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023204-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023209-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023210-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023209-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c1-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c1-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25403350-CF2A-4ac5-87C1-AD83BBA9803B}\stubpath = "C:\\Windows\\{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe"	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B158D28-A00B-4784-9FF4-1D16671109B3}	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B158D28-A00B-4784-9FF4-1D16671109B3}\stubpath = "C:\\Windows\\{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe"	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8694CD7B-AE39-49bf-B3F2-104BA95E6279}	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D54287-44C7-42cc-853D-51326DD4B21C}	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7663152-2E28-4241-89CA-AE0F1E98C5DF}\stubpath = "C:\\Windows\\{A7663152-2E28-4241-89CA-AE0F1E98C5DF}.exe"	{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}\stubpath = "C:\\Windows\\{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe"	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7663152-2E28-4241-89CA-AE0F1E98C5DF}	{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D54287-44C7-42cc-853D-51326DD4B21C}\stubpath = "C:\\Windows\\{75D54287-44C7-42cc-853D-51326DD4B21C}.exe"	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8694CD7B-AE39-49bf-B3F2-104BA95E6279}\stubpath = "C:\\Windows\\{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe"	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73AA1602-64B5-4cd7-AE14-9B824999A90E}	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73AA1602-64B5-4cd7-AE14-9B824999A90E}\stubpath = "C:\\Windows\\{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe"	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}\stubpath = "C:\\Windows\\{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe"	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25403350-CF2A-4ac5-87C1-AD83BBA9803B}	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}\stubpath = "C:\\Windows\\{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe"	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}\stubpath = "C:\\Windows\\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe"	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}\stubpath = "C:\\Windows\\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe"	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}\stubpath = "C:\\Windows\\{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe"	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe

Executes dropped EXE 12 IoCs

pid	Process
2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe
4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe
3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe
2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe
2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe
5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe
376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe
1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe
1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe
3248	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe
4896	{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe
1564	{A7663152-2E28-4241-89CA-AE0F1E98C5DF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe
File created	C:\Windows\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
File created	C:\Windows\{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe
File created	C:\Windows\{75D54287-44C7-42cc-853D-51326DD4B21C}.exe	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe
File created	C:\Windows\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe
File created	C:\Windows\{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe
File created	C:\Windows\{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe
File created	C:\Windows\{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe
File created	C:\Windows\{A7663152-2E28-4241-89CA-AE0F1E98C5DF}.exe	{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe
File created	C:\Windows\{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe
File created	C:\Windows\{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe
File created	C:\Windows\{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3604	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe
Token: SeIncBasePriorityPrivilege	4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe
Token: SeIncBasePriorityPrivilege	3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe
Token: SeIncBasePriorityPrivilege	2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe
Token: SeIncBasePriorityPrivilege	2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe
Token: SeIncBasePriorityPrivilege	5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe
Token: SeIncBasePriorityPrivilege	376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe
Token: SeIncBasePriorityPrivilege	1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe
Token: SeIncBasePriorityPrivilege	1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe
Token: SeIncBasePriorityPrivilege	3248	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe
Token: SeIncBasePriorityPrivilege	4896	{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2504	3604	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	92
PID 3604 wrote to memory of 2504	3604	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	92
PID 3604 wrote to memory of 2504	3604	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	92
PID 3604 wrote to memory of 1248	3604	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	93
PID 3604 wrote to memory of 1248	3604	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	93
PID 3604 wrote to memory of 1248	3604	2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe	93
PID 2504 wrote to memory of 4736	2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe	94
PID 2504 wrote to memory of 4736	2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe	94
PID 2504 wrote to memory of 4736	2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe	94
PID 2504 wrote to memory of 1644	2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe	95
PID 2504 wrote to memory of 1644	2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe	95
PID 2504 wrote to memory of 1644	2504	{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe	95
PID 4736 wrote to memory of 3692	4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe	97
PID 4736 wrote to memory of 3692	4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe	97
PID 4736 wrote to memory of 3692	4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe	97
PID 4736 wrote to memory of 4940	4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe	98
PID 4736 wrote to memory of 4940	4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe	98
PID 4736 wrote to memory of 4940	4736	{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe	98
PID 3692 wrote to memory of 2920	3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe	99
PID 3692 wrote to memory of 2920	3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe	99
PID 3692 wrote to memory of 2920	3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe	99
PID 3692 wrote to memory of 4124	3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe	100
PID 3692 wrote to memory of 4124	3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe	100
PID 3692 wrote to memory of 4124	3692	{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe	100
PID 2920 wrote to memory of 2728	2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe	101
PID 2920 wrote to memory of 2728	2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe	101
PID 2920 wrote to memory of 2728	2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe	101
PID 2920 wrote to memory of 1680	2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe	102
PID 2920 wrote to memory of 1680	2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe	102
PID 2920 wrote to memory of 1680	2920	{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe	102
PID 2728 wrote to memory of 5092	2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe	103
PID 2728 wrote to memory of 5092	2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe	103
PID 2728 wrote to memory of 5092	2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe	103
PID 2728 wrote to memory of 4000	2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe	104
PID 2728 wrote to memory of 4000	2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe	104
PID 2728 wrote to memory of 4000	2728	{75D54287-44C7-42cc-853D-51326DD4B21C}.exe	104
PID 5092 wrote to memory of 376	5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe	105
PID 5092 wrote to memory of 376	5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe	105
PID 5092 wrote to memory of 376	5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe	105
PID 5092 wrote to memory of 3428	5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe	106
PID 5092 wrote to memory of 3428	5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe	106
PID 5092 wrote to memory of 3428	5092	{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe	106
PID 376 wrote to memory of 1416	376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe	107
PID 376 wrote to memory of 1416	376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe	107
PID 376 wrote to memory of 1416	376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe	107
PID 376 wrote to memory of 3480	376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe	108
PID 376 wrote to memory of 3480	376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe	108
PID 376 wrote to memory of 3480	376	{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe	108
PID 1416 wrote to memory of 1904	1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe	109
PID 1416 wrote to memory of 1904	1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe	109
PID 1416 wrote to memory of 1904	1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe	109
PID 1416 wrote to memory of 4440	1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe	110
PID 1416 wrote to memory of 4440	1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe	110
PID 1416 wrote to memory of 4440	1416	{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe	110
PID 1904 wrote to memory of 3248	1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe	111
PID 1904 wrote to memory of 3248	1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe	111
PID 1904 wrote to memory of 3248	1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe	111
PID 1904 wrote to memory of 1012	1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe	112
PID 1904 wrote to memory of 1012	1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe	112
PID 1904 wrote to memory of 1012	1904	{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe	112
PID 3248 wrote to memory of 4896	3248	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe	113
PID 3248 wrote to memory of 4896	3248	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe	113
PID 3248 wrote to memory of 4896	3248	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe	113
PID 3248 wrote to memory of 2320	3248	{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_eda21308aadfb77a38ffd876a829cb34_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe
  C:\Windows\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe
    C:\Windows\{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe
      C:\Windows\{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe
        
        C:\Windows\{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\{75D54287-44C7-42cc-853D-51326DD4B21C}.exe
        
        C:\Windows\{75D54287-44C7-42cc-853D-51326DD4B21C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe
        
        C:\Windows\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe
        
        C:\Windows\{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe
        
        C:\Windows\{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe
        
        C:\Windows\{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe
        
        C:\Windows\{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe
        
        C:\Windows\{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\{A7663152-2E28-4241-89CA-AE0F1E98C5DF}.exe
        
        C:\Windows\{A7663152-2E28-4241-89CA-AE0F1E98C5DF}.exe
        13⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BBD2~1.EXE > nul
        13⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA50~1.EXE > nul
        12⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B158~1.EXE > nul
        11⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25403~1.EXE > nul
        10⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F313~1.EXE > nul
        9⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{503EC~1.EXE > nul
        8⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75D54~1.EXE > nul
        7⤵
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02CC7~1.EXE > nul
        6⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73AA1~1.EXE > nul
        5⤵
        
        PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8694C~1.EXE > nul
      4⤵
      PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3DDF~1.EXE > nul
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02CC7D3C-DAB6-4d30-A55A-855BE06A1111}.exe

Filesize
380KB

MD5
71d5b15bcec524f81a54df334004d5ae

SHA1
7bdda810574e86dd778c231d52ab66bcd956d742

SHA256
dc43cd11a2b7fb7df9d0abba7a71fe767b29f78c73e013544556716b000bb707

SHA512
da128ca44e0a37b9b88d56260e71d006f99249ee9259c245d298fc1276d29b540f4b1dcf9789ea329c409765c9ebdcbb59a67ad1c77ccce12d821b07c8012496

Download Submit
C:\Windows\{1BBD2106-9DD5-4664-8DC6-0F4DD4C6EF30}.exe

Filesize
380KB

MD5
79eb42025e8e73f391813538b4341dd7

SHA1
4e21dce360bfb69b1a723ac1fd3042ced061cb16

SHA256
f70c989deca767e84d44367b1f1dab5ae30f844263b035c71f673f60c6cb1d85

SHA512
9b4b9e0d62be9641bdb6a162d65b1d78ddf102ee9b88f30c988b6ea488e0373be905aa971c7f83ed82e7d8d7ed0f20b9fb62938d0ea4d5717786c8817890b064

Download Submit
C:\Windows\{25403350-CF2A-4ac5-87C1-AD83BBA9803B}.exe

Filesize
380KB

MD5
1cc4bc59aa46642d3a217697e2bccf40

SHA1
e11dbd8ae063b6308089335181326dfe6dc4ad47

SHA256
0e010fff41687d63249e85e244da2c0b24c21d87a632721c4a2e7f9f38f00c5a

SHA512
1d8ba3dd6872046747a5e988ae459df64159adeeea089e8d3fcc3afd501aed5ffc045c5f7c2cb724efc879180ec757aef2997832ca1a5d705079d0403310c42f

Download Submit
C:\Windows\{4F313B3E-C1AB-4aa3-8902-C7E17E4AE13C}.exe

Filesize
380KB

MD5
3d2f2ce09bbf24080cc01784dc856aad

SHA1
ed55d1cd92a64106749d858e2642eb3c32b8459e

SHA256
76230a79286a0ad2296b19d0e4986949828ece001ad490fb50e7476be12f9efd

SHA512
612ce2e0e7f6922363d1c79ad144ca49cfe058696aff7c8180edd8597a92310950c01e4fdba85f424eedbb90ea4f0300b6000f226d398012f12e4e2ca4aa454e

Download Submit
C:\Windows\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe

Filesize
380KB

MD5
20a752b4284c9c4659feec77021d5969

SHA1
a2e43186b06f8821356731f4fa8049e468d2d1cc

SHA256
eb8563a965703372a268fe72c34265397c8df5257befcba4d8831e74aaf6de3e

SHA512
0e35e6520f6b1c856faa9453b392c8bf8f50e9650e474ba4f6dddcdac83c489c17626b74ab7b312e2f558a8ebd6c44ba56b39d77aab5aa967e97b8903c712751

Download Submit
C:\Windows\{503EC0B3-84D9-4e94-BC4F-9F4F43E41738}.exe

Filesize
334KB

MD5
bdddbb3931b2c10f1aeac8eb10208b4e

SHA1
d84d8c3ddd2d95e3d785acd5883e9074df9532f6

SHA256
6312fea299fe5cffb4e92dd0302515c2ffe2d36190b2fe80911218e8ec767b55

SHA512
68a1a551aae49a2626005ecdf4a0f26377830e8e00bbeb99f2a48045ae3c7ab8b5b0b0c14f2d1396f134177e8d2cef73272533a67e874cde4f74b4c069fd99e9

Download Submit
C:\Windows\{6B158D28-A00B-4784-9FF4-1D16671109B3}.exe

Filesize
380KB

MD5
bc306eab05eb3d4eb9df3be129916892

SHA1
4bb4eb8992c7987944d4ad547c3300814f3ed2ed

SHA256
0f98a24ec9b9a9960b84c7c182a3c00f28d3524c5d82a8fd3fa768cf2757b9c9

SHA512
876c09a3c7cfc427f4160c12561dfa8b32923af9db1356d870e02dfc9a9bb7223baa843fb8561b96e4fdbbf7608d7a85a0dc044180a04bdc08f8bdbb047f9a47

Download Submit
C:\Windows\{73AA1602-64B5-4cd7-AE14-9B824999A90E}.exe

Filesize
380KB

MD5
267220a302af422963392938e36f87ed

SHA1
c6fec6d8a31ba319e57494c3b57946a9d0c71dcb

SHA256
f0cd74e64a32d6344dcd1d2b112713355508b51cb71a984a4bd5426e3cebe9dd

SHA512
647ca0fb23712b6d7d5203b591a50e10887237a6beb0d5e210fb71c6246ecd23651b96ff0a96a6d91783af14acae3f7bb165a792ae45e7e0f65fa7ac67be119f

Download Submit
C:\Windows\{75D54287-44C7-42cc-853D-51326DD4B21C}.exe

Filesize
380KB

MD5
1ca6fa6eacd4a08e5b5f09ffb80637dc

SHA1
f79bc340e557989a28628c77df46fca71c31e2be

SHA256
a451250d4e167861b6e80a343eef45c553fa206daeb3c166e01bba0ea473566f

SHA512
7c03b2ee969be28dfc9c346acce44e0dfab202e21f48abd2d9069ff27e08e178d0d9c3367c9e97ea48754076469766d6cb7dd0b0f0a24a55c244d2c11e8ff077

Download Submit
C:\Windows\{8694CD7B-AE39-49bf-B3F2-104BA95E6279}.exe

Filesize
380KB

MD5
87cfb1a5a197ac73c2b9162f945632e6

SHA1
1c03b669ef86291dd86c43f3ef3b06cc2e2b6300

SHA256
074fdc3215562c8ab2c6f79bb0d143982e010faab615bcdbf87aebcccffa4f2f

SHA512
7e66263b120b1937f7bbd638075f4461905a3d20e37b07b26175193d7aa5657965d19ef299c28e06d18bf5bde5941043fdf84da66df1411dda5d02a580d8fa39

Download Submit
C:\Windows\{8EA50C26-AD15-4655-88DF-AA3F8C1C3B1A}.exe

Filesize
380KB

MD5
d1b6c9d7c38a4040da6d8bcfcc16e084

SHA1
8bf8085ad09a820e421725e1525a36a136cd9d8b

SHA256
94c704ce67fc8151b72e0baeb61b70b7380a20a622ba50ee87a3c9c677887658

SHA512
6ec8416bd56050129ec463df304f3d2bc4743d719bfb44a00c3a5c90354d7ce9a88041ee9dfff90108889e3f7a36b64ca6dd5a9fda6daf8bb934fa6ae2fd7cc7

Download Submit
C:\Windows\{A7663152-2E28-4241-89CA-AE0F1E98C5DF}.exe

Filesize
380KB

MD5
2ba9ff7709bfb9325ebe640f6d8e60da

SHA1
71b143266b366105182641f13bfc1b3fd2a3f4c1

SHA256
33445ef88a526fbfe8f8f48ead445179dffe7f621f3f12f0283b53069218364c

SHA512
903a3e7a706e3a0930511c7435158f2eef559b8bbcfc9aebd5c62f3709a968af9a76ce4afdaec78e6a0348260718ce58caa6ce67a821dea547262be73deb6c11

Download Submit
C:\Windows\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe

Filesize
99KB

MD5
f0b76c313cc8112a2b97989621a3d7bb

SHA1
02ac5db903d0645ed42710ed4008e818e748484a

SHA256
9a93c69aef86f1e33e280d94f5758c3f7912ecf649f1343ba0d210cac9aa8fbc

SHA512
d4fb2979672fc9d659a3d96b44f4cb86800723da0d97f9265c2830c33b9869f1c3e65641d11167ecfb9f4f7cb24ae8499c07afe1008b571efec8efc22801216d

Download Submit
C:\Windows\{C3DDF39E-A17D-4a62-8DD3-508BE9BDFC40}.exe

Filesize
380KB

MD5
c39c1932ad7fea7b144189227c0c753d

SHA1
b66fb56e30f2b7a704237c88471d20c48036414e

SHA256
e1dcd72a99e8cbef5c9263569dcdd6f17f4229076fc1abc0ea73d76da2db1515

SHA512
e49a00cb0937cf53201937f4ac3b20116b6ddf50b53eabdda21ef6a67294e686cbc2b72fbc88f26afa990914f18d7c5d3ca8adf3f13e58df7d6bec74680e9d9e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads