87e44ff028ac898014de170b2b7d1c65356a1cf8153177e90948dfd0105d0f50

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Size

180KB
MD5

f9b29bec109fce193d71cf714e3282f5
SHA1

acd80cbda9a7576c42dc658c9060e1f5b195da01
SHA256

87e44ff028ac898014de170b2b7d1c65356a1cf8153177e90948dfd0105d0f50
SHA512

678db706ef8680ba9bb7b9060e64c3b365280ed0262122b47f5fb87394144a98b8d434ae3840787abfb693c83d3dbc11587b1d39b7329c0717bd6845cd7230a2
SSDEEP

3072:jEGh0ozlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGFl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fe-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023203-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023203-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F4A54C-70B7-4722-80EC-100016F668BE}	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F4A54C-70B7-4722-80EC-100016F668BE}\stubpath = "C:\\Windows\\{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe"	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61F03454-9FDF-488b-A637-DF3865D5577C}\stubpath = "C:\\Windows\\{61F03454-9FDF-488b-A637-DF3865D5577C}.exe"	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98CC63F-285A-434a-A38A-83E16BEEF2CB}\stubpath = "C:\\Windows\\{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe"	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61F03454-9FDF-488b-A637-DF3865D5577C}	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}\stubpath = "C:\\Windows\\{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe"	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}\stubpath = "C:\\Windows\\{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe"	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}\stubpath = "C:\\Windows\\{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}.exe"	{61F03454-9FDF-488b-A637-DF3865D5577C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}\stubpath = "C:\\Windows\\{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe"	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}\stubpath = "C:\\Windows\\{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe"	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AADE9552-8D87-4eb7-A080-F757FA754219}\stubpath = "C:\\Windows\\{AADE9552-8D87-4eb7-A080-F757FA754219}.exe"	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98CC63F-285A-434a-A38A-83E16BEEF2CB}	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}\stubpath = "C:\\Windows\\{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe"	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}	{61F03454-9FDF-488b-A637-DF3865D5577C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}\stubpath = "C:\\Windows\\{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe"	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AADE9552-8D87-4eb7-A080-F757FA754219}	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}\stubpath = "C:\\Windows\\{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe"	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe
1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe
4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe
4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe
3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe
3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe
1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe
4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe
2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe
4380	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe
2872	{61F03454-9FDF-488b-A637-DF3865D5577C}.exe
2224	{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe
File created	C:\Windows\{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe
File created	C:\Windows\{61F03454-9FDF-488b-A637-DF3865D5577C}.exe	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe
File created	C:\Windows\{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
File created	C:\Windows\{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe
File created	C:\Windows\{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe
File created	C:\Windows\{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe
File created	C:\Windows\{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe
File created	C:\Windows\{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe
File created	C:\Windows\{AADE9552-8D87-4eb7-A080-F757FA754219}.exe	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe
File created	C:\Windows\{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe
File created	C:\Windows\{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}.exe	{61F03454-9FDF-488b-A637-DF3865D5577C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4080	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe
Token: SeIncBasePriorityPrivilege	1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe
Token: SeIncBasePriorityPrivilege	4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe
Token: SeIncBasePriorityPrivilege	4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe
Token: SeIncBasePriorityPrivilege	3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe
Token: SeIncBasePriorityPrivilege	3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe
Token: SeIncBasePriorityPrivilege	1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe
Token: SeIncBasePriorityPrivilege	4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe
Token: SeIncBasePriorityPrivilege	2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe
Token: SeIncBasePriorityPrivilege	4380	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe
Token: SeIncBasePriorityPrivilege	2872	{61F03454-9FDF-488b-A637-DF3865D5577C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 1124	4080	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	90
PID 4080 wrote to memory of 1124	4080	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	90
PID 4080 wrote to memory of 1124	4080	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	90
PID 4080 wrote to memory of 412	4080	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	91
PID 4080 wrote to memory of 412	4080	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	91
PID 4080 wrote to memory of 412	4080	2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe	91
PID 1124 wrote to memory of 1672	1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe	92
PID 1124 wrote to memory of 1672	1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe	92
PID 1124 wrote to memory of 1672	1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe	92
PID 1124 wrote to memory of 512	1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe	93
PID 1124 wrote to memory of 512	1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe	93
PID 1124 wrote to memory of 512	1124	{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe	93
PID 1672 wrote to memory of 4256	1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe	96
PID 1672 wrote to memory of 4256	1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe	96
PID 1672 wrote to memory of 4256	1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe	96
PID 1672 wrote to memory of 2736	1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe	95
PID 1672 wrote to memory of 2736	1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe	95
PID 1672 wrote to memory of 2736	1672	{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe	95
PID 4256 wrote to memory of 4120	4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe	97
PID 4256 wrote to memory of 4120	4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe	97
PID 4256 wrote to memory of 4120	4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe	97
PID 4256 wrote to memory of 2468	4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe	98
PID 4256 wrote to memory of 2468	4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe	98
PID 4256 wrote to memory of 2468	4256	{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe	98
PID 4120 wrote to memory of 3084	4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe	99
PID 4120 wrote to memory of 3084	4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe	99
PID 4120 wrote to memory of 3084	4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe	99
PID 4120 wrote to memory of 1344	4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe	100
PID 4120 wrote to memory of 1344	4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe	100
PID 4120 wrote to memory of 1344	4120	{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe	100
PID 3084 wrote to memory of 3060	3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe	101
PID 3084 wrote to memory of 3060	3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe	101
PID 3084 wrote to memory of 3060	3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe	101
PID 3084 wrote to memory of 1712	3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe	102
PID 3084 wrote to memory of 1712	3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe	102
PID 3084 wrote to memory of 1712	3084	{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe	102
PID 3060 wrote to memory of 1828	3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe	103
PID 3060 wrote to memory of 1828	3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe	103
PID 3060 wrote to memory of 1828	3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe	103
PID 3060 wrote to memory of 2436	3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe	104
PID 3060 wrote to memory of 2436	3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe	104
PID 3060 wrote to memory of 2436	3060	{AADE9552-8D87-4eb7-A080-F757FA754219}.exe	104
PID 1828 wrote to memory of 4052	1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe	105
PID 1828 wrote to memory of 4052	1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe	105
PID 1828 wrote to memory of 4052	1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe	105
PID 1828 wrote to memory of 2720	1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe	106
PID 1828 wrote to memory of 2720	1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe	106
PID 1828 wrote to memory of 2720	1828	{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe	106
PID 4052 wrote to memory of 2572	4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe	107
PID 4052 wrote to memory of 2572	4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe	107
PID 4052 wrote to memory of 2572	4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe	107
PID 4052 wrote to memory of 2756	4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe	108
PID 4052 wrote to memory of 2756	4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe	108
PID 4052 wrote to memory of 2756	4052	{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe	108
PID 2572 wrote to memory of 4380	2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe	109
PID 2572 wrote to memory of 4380	2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe	109
PID 2572 wrote to memory of 4380	2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe	109
PID 2572 wrote to memory of 3284	2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe	110
PID 2572 wrote to memory of 3284	2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe	110
PID 2572 wrote to memory of 3284	2572	{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe	110
PID 4380 wrote to memory of 2872	4380	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe	111
PID 4380 wrote to memory of 2872	4380	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe	111
PID 4380 wrote to memory of 2872	4380	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe	111
PID 4380 wrote to memory of 1180	4380	{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_f9b29bec109fce193d71cf714e3282f5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe
  C:\Windows\{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe
    C:\Windows\{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F4F4A~1.EXE > nul
      4⤵
      PID:2736
  - - C:\Windows\{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe
      C:\Windows\{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Windows\{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe
        
        C:\Windows\{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe
        
        C:\Windows\{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{AADE9552-8D87-4eb7-A080-F757FA754219}.exe
        
        C:\Windows\{AADE9552-8D87-4eb7-A080-F757FA754219}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe
        
        C:\Windows\{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe
        
        C:\Windows\{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe
        
        C:\Windows\{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe
        
        C:\Windows\{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{61F03454-9FDF-488b-A637-DF3865D5577C}.exe
        
        C:\Windows\{61F03454-9FDF-488b-A637-DF3865D5577C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}.exe
        
        C:\Windows\{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}.exe
        13⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61F03~1.EXE > nul
        13⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0A1D~1.EXE > nul
        12⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2171E~1.EXE > nul
        11⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F21B~1.EXE > nul
        10⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E98CC~1.EXE > nul
        9⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AADE9~1.EXE > nul
        8⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A37~1.EXE > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE493~1.EXE > nul
        6⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{508C7~1.EXE > nul
        5⤵
        
        PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5C543~1.EXE > nul
    3⤵
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F21B4D5-FF4F-40f2-9FB8-9B392E31EE9E}.exe

Filesize
180KB

MD5
778e8d935ef0846bf859a1fc607e1f3a

SHA1
75a6b58185cdfa9e6b7f155fc4d0cd6c9093f356

SHA256
997812bab378c76e31396644e92f87110cec6871569e62b7871acda5e8572507

SHA512
776925332635c677b2f8fc7b495491d4398e64171903a82f2e530a9a8ba40121f4b2c8d38163a3dfd6c1c8e26478cd7f8fc1555f51f75e80b2eb0fe4d3f09d90

Download Submit
C:\Windows\{2171ECF0-2BCD-4c3e-B093-D4657F7CDFF8}.exe

Filesize
180KB

MD5
0e339e611a1953f0338a3fe93a6023e4

SHA1
dd446c7f3235702a7edcf451a639de7568a47192

SHA256
ca55e7b2c7431f65f2f73ad9160dfd19b0aa75a95af113666ef58149dd64114b

SHA512
093ef76c0d3fabccbe3bd93e6c6122d7611eb08a14cd6c507dcbb6cb1c29c40241b6bbc047a121ff63ce7b3d96e46797a2c0c9b84aae8a49c072398c953596b6

Download Submit
C:\Windows\{28A9CCDC-9E7E-4ecb-B60B-E7D73D9F6A36}.exe

Filesize
12KB

MD5
992a377828d16d69f86cfa9d270d82cd

SHA1
bdc9bbc48266a964657f391d2d4acde9d7e31cb5

SHA256
8c800169278128140fbd534f290cf89362dc2f5a679e1cd0b6b617412299c5be

SHA512
a89ab36c4bd2971e9a515ee7f237dac9e25495aa4b52040a028a0b1439b38b813b5a004cd4f88434ae5a6cbd874dac1b36d06b4396c7eb2b9ba0145bc7bc2796

Download Submit
C:\Windows\{508C76E8-BBE3-4ccc-A7F2-FFAC216F40DB}.exe

Filesize
180KB

MD5
014197cc10bf2c3bb7e25dde374e0833

SHA1
1f664c7819b454f56f6b2c3f62e89a96654ffb95

SHA256
1a6e6849fcd3fbe2c9f47892126fc2a01169b7f389618e6af272efc9813e36f9

SHA512
c01c0b317874b7d2be8047a3fc19959b306edcda1d1570680bbd0d5006fdc2951d99a3aa135224c64cdbbd377ebd2c767dc1998caf50ff98c9795def8018e7b0

Download Submit
C:\Windows\{5C5431C1-2EF5-48aa-ADFB-ADBBADDFC018}.exe

Filesize
180KB

MD5
88b383e46d423e3a719d668dc15b90f5

SHA1
60cd03781eabf1f86bda011e9bbbc51902de5791

SHA256
897a975316017ffa8c25ba8d849f8621fd94387fd699365cf72bf3965c801175

SHA512
747ac783edd00757d3db91af44d571cd735cb6390e7b96c1168ca4055a4f37f608c651749c04e83299a3d538e80441b6c9396162c06e6197423c1b0eb7b04d78

Download Submit
C:\Windows\{61F03454-9FDF-488b-A637-DF3865D5577C}.exe

Filesize
180KB

MD5
0c61bfc2c5d11c001bea9b743b1a3760

SHA1
04dcc3243b1e631b5409e6b7e58cf6808ac2ae1d

SHA256
352ebcc76353270bd7c1c2488b033d7044f2c7fc727b5897d0f635e002ba1f36

SHA512
f33d8f8f86952c8d71b448a4c818de64aabeae23f682212ec7290ad7ee55f1a8d611267d2c1e30c4e0e826c9f66638b54691ca75e1c41785720b56b9225c11cb

Download Submit
C:\Windows\{A0A1D4C9-BC84-44e7-ABC7-F287E3DDEA2A}.exe

Filesize
180KB

MD5
cb75ca4f7d6dcb6e6ab65d9c2962cf08

SHA1
3e18eb5769d4b3e706017761c5023c9f77ec07ce

SHA256
86b30d0cf42d3208a0614582ae1a43e079d4a3aa8ef25c1082d3164a359e5b84

SHA512
6f4f48abbe2cb4833201f36c60f34b14ce3d8095c44e83f95742daeed499aee1390a56344ca0da58de985c1980e00db2905108dbbe4e49bfe0eff1674849321d

Download Submit
C:\Windows\{AADE9552-8D87-4eb7-A080-F757FA754219}.exe

Filesize
180KB

MD5
fc8cbb9cfad04a5ac8aa5bbd5a797ebe

SHA1
16bbafb755868f9497772ed6bdc53d6213844f64

SHA256
430632a6a48c302f11a5769e66837e4f8661d1867a7172e7bb974f1e6547ac07

SHA512
4ad5a70216306594015814ae2e3bdd827109ceef0e33b79eb5d224c7cfd745a1bb32a2207334403323485b75cf8f5aa858a7dd153ca0896c5612adaeb986ade0

Download Submit
C:\Windows\{C2A37E71-D8DD-49fe-93E5-17E129FA53FB}.exe

Filesize
180KB

MD5
ef1edce732731d02768eeed9fa58eb40

SHA1
78c620ddcefff23360b0071263ea3d817cf9fa12

SHA256
184b64cdcc067d540fb6e583dd30ba4a645e009be3aa1ee852e77bdd3e08103b

SHA512
62e960fe3865f884abb2d46cfbb2182f927054d80ec66f48e98350bab9ddf4ca0958403d6f4573ca13daa320931a9260d9e332e2e66cccc4536a84991e858e44

Download Submit
C:\Windows\{E98CC63F-285A-434a-A38A-83E16BEEF2CB}.exe

Filesize
180KB

MD5
4dc4dd35c3f9beaa8b962ecdaa66b34f

SHA1
9d23ff6cd9330a3770616dbcf42bb8d3ad7d2093

SHA256
ef463d099a6175d734474e8994d88bb5239b9e3c57ec3756e98c23c95bdad33c

SHA512
504cfafcf1c04c72a8e01f78b13b242a8e663777478f9bd8f3105b690a4fe9a350bd87a5de6d0e8ca38a86ecb4c8937db17023e0818c4829e0dc29f6cb0498fd

Download Submit
C:\Windows\{EE4939CB-BFE4-4753-B00F-1A9F1C8AA103}.exe

Filesize
180KB

MD5
d77bec12db6505ddd0b44dd6375de553

SHA1
a952a4ffa6e783fab1aa82b53772c8e538b12eef

SHA256
1316045ae6904917e62d187dcad1873e3e9110469ed8e300a988e27cfb6d47f2

SHA512
6c28c11784f34dd150d217dd5ba5f74aad4addf3620c4c11daa14b7e8d72f2134590e22fbb70aeee4121d250170300275d7ce8546d01508fb5c96cecd8544818

Download Submit
C:\Windows\{F4F4A54C-70B7-4722-80EC-100016F668BE}.exe

Filesize
180KB

MD5
aba5dabd9b62fd332e828bba53c42386

SHA1
5eaaf03d1b86b5fb90db2365247a0b0720279d6c

SHA256
9a9c68f6172590c8ee1d11a943327d64b7bffd3afd71814ae965f290a0675c19

SHA512
85a58f33bb5d1061260150788e4a39106790745772c7963d6dffc2829fb6fa6522e2f55965349996f9119e02c4bfe313db166085d9ce440c854fe689e7123aea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads