935cbd20db1942b5a9b16d9efb5c58d2144a9e4679d56fee1ed63f6d4c16fc0e

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Size

408KB
MD5

ec7aabc7ef39defeb6692f3c951f9e3e
SHA1

168c436d265be27db982b5b2f5e335b39cd164bb
SHA256

935cbd20db1942b5a9b16d9efb5c58d2144a9e4679d56fee1ed63f6d4c16fc0e
SHA512

97c4a0433ce8e5f5f9ce0935c24b3408bd650f76a183fb3dafb26f6d94bd28ec237138d3287f8a53f550ee05962cd7fbe3fb7da0e173c74c04b078e6c7520c30
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGgldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 15 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023227-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002320b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322e-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322e-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002320b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01EDFD96-7190-4d3f-A451-5FE1FC94F247}	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}\stubpath = "C:\\Windows\\{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}.exe"	{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{828E4765-8A24-4e96-82C3-7ECB6275847A}\stubpath = "C:\\Windows\\{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe"	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C7A449D-D802-4fc3-B3C1-8CA12980584B}	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C7A449D-D802-4fc3-B3C1-8CA12980584B}\stubpath = "C:\\Windows\\{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe"	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}\stubpath = "C:\\Windows\\{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe"	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7286A74A-A69A-49b3-942F-0CA838DD88D3}\stubpath = "C:\\Windows\\{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe"	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2086CBFA-8A81-4f80-8614-D3EDA10516EA}	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}\stubpath = "C:\\Windows\\{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe"	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E327556D-5FB9-47a3-97CA-591F9B61E216}\stubpath = "C:\\Windows\\{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe"	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC74CEB5-2227-40a7-88C9-0547C240C430}	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BD25EF0-3E23-4f01-B402-E7607920F968}	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BD25EF0-3E23-4f01-B402-E7607920F968}\stubpath = "C:\\Windows\\{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe"	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7286A74A-A69A-49b3-942F-0CA838DD88D3}	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01EDFD96-7190-4d3f-A451-5FE1FC94F247}\stubpath = "C:\\Windows\\{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe"	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E327556D-5FB9-47a3-97CA-591F9B61E216}	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}\stubpath = "C:\\Windows\\{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe"	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC74CEB5-2227-40a7-88C9-0547C240C430}\stubpath = "C:\\Windows\\{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe"	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{828E4765-8A24-4e96-82C3-7ECB6275847A}	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2086CBFA-8A81-4f80-8614-D3EDA10516EA}\stubpath = "C:\\Windows\\{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe"	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}	{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe

Executes dropped EXE 12 IoCs

pid	Process
5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe
4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe
3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe
4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe
2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe
4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe
3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe
4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe
3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe
4424	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe
512	{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe
1672	{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe
File created	C:\Windows\{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe
File created	C:\Windows\{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe
File created	C:\Windows\{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe
File created	C:\Windows\{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe
File created	C:\Windows\{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}.exe	{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe
File created	C:\Windows\{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
File created	C:\Windows\{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe
File created	C:\Windows\{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe
File created	C:\Windows\{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe
File created	C:\Windows\{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe
File created	C:\Windows\{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2588	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe
Token: SeIncBasePriorityPrivilege	4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe
Token: SeIncBasePriorityPrivilege	3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe
Token: SeIncBasePriorityPrivilege	4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe
Token: SeIncBasePriorityPrivilege	2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe
Token: SeIncBasePriorityPrivilege	4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe
Token: SeIncBasePriorityPrivilege	3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe
Token: SeIncBasePriorityPrivilege	4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe
Token: SeIncBasePriorityPrivilege	3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe
Token: SeIncBasePriorityPrivilege	4424	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe
Token: SeIncBasePriorityPrivilege	512	{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 5116	2588	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	92
PID 2588 wrote to memory of 5116	2588	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	92
PID 2588 wrote to memory of 5116	2588	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	92
PID 2588 wrote to memory of 4580	2588	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	93
PID 2588 wrote to memory of 4580	2588	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	93
PID 2588 wrote to memory of 4580	2588	2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe	93
PID 5116 wrote to memory of 4612	5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe	94
PID 5116 wrote to memory of 4612	5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe	94
PID 5116 wrote to memory of 4612	5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe	94
PID 5116 wrote to memory of 184	5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe	95
PID 5116 wrote to memory of 184	5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe	95
PID 5116 wrote to memory of 184	5116	{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe	95
PID 4612 wrote to memory of 3964	4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe	98
PID 4612 wrote to memory of 3964	4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe	98
PID 4612 wrote to memory of 3964	4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe	98
PID 4612 wrote to memory of 1952	4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe	97
PID 4612 wrote to memory of 1952	4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe	97
PID 4612 wrote to memory of 1952	4612	{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe	97
PID 3964 wrote to memory of 4008	3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe	99
PID 3964 wrote to memory of 4008	3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe	99
PID 3964 wrote to memory of 4008	3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe	99
PID 3964 wrote to memory of 3952	3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe	100
PID 3964 wrote to memory of 3952	3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe	100
PID 3964 wrote to memory of 3952	3964	{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe	100
PID 4008 wrote to memory of 2704	4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe	101
PID 4008 wrote to memory of 2704	4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe	101
PID 4008 wrote to memory of 2704	4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe	101
PID 4008 wrote to memory of 4508	4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe	102
PID 4008 wrote to memory of 4508	4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe	102
PID 4008 wrote to memory of 4508	4008	{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe	102
PID 2704 wrote to memory of 4044	2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe	103
PID 2704 wrote to memory of 4044	2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe	103
PID 2704 wrote to memory of 4044	2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe	103
PID 2704 wrote to memory of 1784	2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe	104
PID 2704 wrote to memory of 1784	2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe	104
PID 2704 wrote to memory of 1784	2704	{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe	104
PID 4044 wrote to memory of 3452	4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe	105
PID 4044 wrote to memory of 3452	4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe	105
PID 4044 wrote to memory of 3452	4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe	105
PID 4044 wrote to memory of 1768	4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe	106
PID 4044 wrote to memory of 1768	4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe	106
PID 4044 wrote to memory of 1768	4044	{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe	106
PID 3452 wrote to memory of 4040	3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe	107
PID 3452 wrote to memory of 4040	3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe	107
PID 3452 wrote to memory of 4040	3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe	107
PID 3452 wrote to memory of 2036	3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe	108
PID 3452 wrote to memory of 2036	3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe	108
PID 3452 wrote to memory of 2036	3452	{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe	108
PID 4040 wrote to memory of 3256	4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe	109
PID 4040 wrote to memory of 3256	4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe	109
PID 4040 wrote to memory of 3256	4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe	109
PID 4040 wrote to memory of 2860	4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe	110
PID 4040 wrote to memory of 2860	4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe	110
PID 4040 wrote to memory of 2860	4040	{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe	110
PID 3256 wrote to memory of 4424	3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe	111
PID 3256 wrote to memory of 4424	3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe	111
PID 3256 wrote to memory of 4424	3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe	111
PID 3256 wrote to memory of 4456	3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe	112
PID 3256 wrote to memory of 4456	3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe	112
PID 3256 wrote to memory of 4456	3256	{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe	112
PID 4424 wrote to memory of 512	4424	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe	113
PID 4424 wrote to memory of 512	4424	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe	113
PID 4424 wrote to memory of 512	4424	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe	113
PID 4424 wrote to memory of 2492	4424	{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_ec7aabc7ef39defeb6692f3c951f9e3e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe
  C:\Windows\{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe
    C:\Windows\{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7BD25~1.EXE > nul
      4⤵
      PID:1952
  - - C:\Windows\{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe
      C:\Windows\{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe
        
        C:\Windows\{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Windows\{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe
        
        C:\Windows\{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe
        
        C:\Windows\{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe
        
        C:\Windows\{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe
        
        C:\Windows\{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe
        
        C:\Windows\{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe
        
        C:\Windows\{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe
        
        C:\Windows\{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
        
        C:\Windows\{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}.exe
        
        C:\Windows\{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}.exe
        13⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0037B~1.EXE > nul
        13⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3275~1.EXE > nul
        12⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01EDF~1.EXE > nul
        11⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7286A~1.EXE > nul
        10⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8220F~1.EXE > nul
        9⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2086C~1.EXE > nul
        8⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C7A4~1.EXE > nul
        7⤵
        
        PID:1784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19020~1.EXE > nul
        6⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{828E4~1.EXE > nul
        5⤵
        
        PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC74C~1.EXE > nul
    3⤵
    PID:184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0037B21E-7357-4c5f-9FDB-6EC7C942C1A5}.exe

Filesize
408KB

MD5
58e3835d53fc042d307862ff0d83739b

SHA1
c87120c8d6d7098cd48617b8e87c564c53e9eba7

SHA256
fe4752ff8a90c0403d510fc008fe17c97a63407c3bdce7347c6db9ae638a5075

SHA512
1b320b65d4f8f160116f8f53bcbe5f6dd72fd02fd893125c18d01918159cb87b6bb18f3a2ce854725d7ae4625c1a1d2ba6be691070c880c7679fc411ba61aa5c

Download Submit
C:\Windows\{01EDFD96-7190-4d3f-A451-5FE1FC94F247}.exe

Filesize
408KB

MD5
95ffa8108e235f7074fd55a85edc5766

SHA1
d4af84a1e9ab6113e3d9b1623df6bc39a2ad6e63

SHA256
7030683df070d792c43eac56de119bebb4a58ceeb0bd56e01cf6ed4ca49e9839

SHA512
b06e699be4c16fcc2b4ada8b58aa6f0826fd698486ec0dd0cf9c40b64b7b7281fabc6ba8ebb38e64962c2ef535982729b3a0d2cb7a6bdb1a9055852d191176ef

Download Submit
C:\Windows\{19020FBA-5EED-4b4c-B1AA-E9BF49EC1CBA}.exe

Filesize
408KB

MD5
a41164f6c1e740814f11983594d80bfe

SHA1
8653f89ffd6c83a2076961c0baaecc8b4156c43e

SHA256
2438ce62fd43791b45e284326215669cef44758af6db1d3aef6ac5f4d902d9f4

SHA512
f5655a7e66e06b1cd8b2a323d3c86dd5eba24f0748802358eb729b2cfca1b436412a1a9b4ea7d31315584387ebffa6442e94a55e0e743d98cb2981f0c242bab5

Download Submit
C:\Windows\{2086CBFA-8A81-4f80-8614-D3EDA10516EA}.exe

Filesize
408KB

MD5
a184eff50af755330c30480cda2b338c

SHA1
e79ec066e8d352efe8d0be7a13d49cd25607b9fb

SHA256
141152ac3a1249bf1eddc12ce1ae6ed7115f64401c6b1d2aeba14fc12846c120

SHA512
205d7e04e77c6c94d3cf3ac038781e8e60745204d2b700e1710050954f9242211beee2ce03d5631ee0bd373d3f1dea510a0948d7e13abfceb5220113c63c8326

Download Submit
C:\Windows\{21A4BE57-F523-445f-8AF2-D1F4497EF5ED}.exe

Filesize
408KB

MD5
4fec77e71e76ec3422a256b83277e131

SHA1
f8b8d9db5bee2b575808091ee9c04d153c0fdf0a

SHA256
bb8c890f618cf8620d400f3762f56bfba1ce8199cdca42a5051b8b2021d759f9

SHA512
81b4e803b4e9349f014b4f1a788eb38d2de27a3d01f142ca040fed113e51f53a3529ceddf717f52ddb3ab751bbd5569683995bef26981891831ae3b8e3b5dec1

Download Submit
C:\Windows\{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe

Filesize
320KB

MD5
ed7ae0cde7fff3bf22551b8094d5d078

SHA1
ea20e7ff3af8783fc332069cabe7a91efb480450

SHA256
9f185fc2ca014da3a530617006009bd778836dafdc346b633ae2db5420d8a53e

SHA512
34ee2c593ce7bdd53300908d30a7b52d655a5e19049e80d3d5245427d67ad5d6b9a41944696a2967b858185881e697eb6a1b6fe268680453159924049c0173f6

Download Submit
C:\Windows\{7286A74A-A69A-49b3-942F-0CA838DD88D3}.exe

Filesize
256KB

MD5
2a1007d93be982bc0718ad79854bae1f

SHA1
7ec139feee0a6d6987e8cf4dda7331defc1ca6fd

SHA256
f4f8dbbf3790d82889e0d146c847ea0f71d48cebdf24855eb5eaec21497755ed

SHA512
55f7f9eaa0baf6da575cc18a54085c1ed2187a96df069236c6a7958dce3fe78d9084a8a2c3334e3429f8d516f1da9eb303b35bb344184e6b4e990c9cd49993ad

Download Submit
C:\Windows\{7BD25EF0-3E23-4f01-B402-E7607920F968}.exe

Filesize
408KB

MD5
993111845c7e8d18ac99965a013521da

SHA1
bae7e7f53d97b612e7044b0facb8e1abc5715e9b

SHA256
f3322a6def7cdd97af4eb637fb4a3382f591a21c76622154cd62ee98abd225c7

SHA512
9e1e6958917729de2b9dfeea0e0014c496fb49e4a5cff6c4fe579f5f8ab51cd5e09fdf81696e6f912cb732a093f98bf7cbe09ef6defda687fcb2dad0c90abf81

Download Submit
C:\Windows\{8220FBEF-07B8-4fb8-ABFB-F2049691FBF0}.exe

Filesize
408KB

MD5
e88d0da8da302a6a3dd5613ce41b4843

SHA1
d79f5af29d010925a542f0ad13cef0099250d92c

SHA256
fc5de567dcc592a685afc89eaff8b534d3f224b0dcf33640aa3ec6906890b741

SHA512
01df144a7d1dad845832506726f8228dbcd762428bcce41214a22edf2d93ff717ca6daa36b73ceb4b9c3b379529ebd4440260d9d206b2d03e456c0454159e646

Download Submit
C:\Windows\{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe

Filesize
128KB

MD5
5911e95c24425c86cc79b209cb7752b0

SHA1
b429f175857a26889250449e12098512fa4ef5c8

SHA256
92620a26bf92223d559241240d58842dbf6f580e2ed90d1974a662b70104ba8f

SHA512
b255a0b09641788293e92e88f08fa17ce31b44c02eb4bc42392ea7330ea0cb179dcf4c59d18e20c90bc264f1b9c7833a491bf594f5bc3d773f13c203b4e31437

Download Submit
C:\Windows\{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe

Filesize
256KB

MD5
bcfa67114a3c26cee649bb74f5a60429

SHA1
7814e23bcc6b4e164fef83900e7e472385c30ede

SHA256
8c28cd25abacf574b6b4d5e59cdf043428b23edf332d9a5093c2f41b56cd7efc

SHA512
43fe8671a8e34da43dac17a0f372e110cef96c96cb560a4781b636065853d4aeec0869f58dc876af5671f2a07364676cabd0d2e01f6d0e62ed4e5c4b2166458c

Download Submit
C:\Windows\{828E4765-8A24-4e96-82C3-7ECB6275847A}.exe

Filesize
408KB

MD5
199e31ac2c2dd287f52f41d5848a112b

SHA1
150153db6b4a1f94c75cad143f92cc420ce9ac03

SHA256
aec298672d56c529dfcc79bf7a82011b31c8a7c1bc6cea55837739d4d81e97d9

SHA512
8d4cbf71359caeb3fc84eb31cdb2a08e360a5a643695b1dc6435f1b812752c19ed1c84ab7826280635c2a9142b95fec90ae89fbb3e1dea09947930a33648b7e2

Download Submit
C:\Windows\{8C7A449D-D802-4fc3-B3C1-8CA12980584B}.exe

Filesize
408KB

MD5
36af0d77cb92fad973c37f0c51d6aa94

SHA1
2183273ef4c1547b85fb7fad5ab277dd42328189

SHA256
eb913e6ea758b44aae53538d3710e823c30b21690bb609d1ddad9c4ea0a90e7d

SHA512
7807224022c10ad02e5637cc54055519734eaa667fef19898a1d6a0158d7801656e2442b3da4e954ad8b9ae929650ef59295eb79cdd7d7fa2496b3e3f79c1de0

Download Submit
C:\Windows\{E327556D-5FB9-47a3-97CA-591F9B61E216}.exe

Filesize
408KB

MD5
6e4105a4d168b410a7788c5195c789e1

SHA1
7405d32bc325d4de174e21e749fb6db7b0dcbac5

SHA256
8ba8719cd796ef5b465e84bc9e85d8de87cdff33e10fc696fd8f4e0651e75606

SHA512
778c714e23c8302643667b202ed0efeae0ea12c7ed920bdf3e4605fc345ae461b910a8bb09ae2f6e5913d273d82afbe74d19b202dac93d2ca34f02ab9daae1a6

Download Submit
C:\Windows\{FC74CEB5-2227-40a7-88C9-0547C240C430}.exe

Filesize
408KB

MD5
6121104f1de60a35b132b0a971daa01a

SHA1
472e0fc21324f96679240e5737d29be0df93d36d

SHA256
a56ddc735709d5e905e23f1e784619dc42ef1a28f957e1f994277ca2586047c2

SHA512
f99298feb9662b0d5b1b76464d6de770f2e403ae2480876872cc2cee32951f5b52d7e5fd7909ce521df9c8754945ec7b911aa52738f7c130195098ff1210cdcf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads