f44c7cd33f6ea5991555c9a3b0ef660b553fce2b27513cc860262d4c59a8ae23

Analysis

max time kernel
156s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Size

197KB
MD5

375b370e8111f0e435083b45f6e68365
SHA1

0d9db2d848abc8c2e864c48d42254e50dad9e70b
SHA256

f44c7cd33f6ea5991555c9a3b0ef660b553fce2b27513cc860262d4c59a8ae23
SHA512

e233c4be6766dcadba859fa45d33eb11b7f184abff331b48779c24c8fd33f87a745160e1b55d66ec9537114e4a351b29ed9288ffec02242e4dcc199a31afde8a
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGSlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023224-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023231-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023233-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023231-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d92-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d93-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73E170C0-54AF-4a58-8568-168161BAEADD}\stubpath = "C:\\Windows\\{73E170C0-54AF-4a58-8568-168161BAEADD}.exe"	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}\stubpath = "C:\\Windows\\{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe"	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}	{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}\stubpath = "C:\\Windows\\{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe"	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}\stubpath = "C:\\Windows\\{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}.exe"	{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}\stubpath = "C:\\Windows\\{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe"	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A6337C1-42CC-4947-8210-8C0277CC56BB}\stubpath = "C:\\Windows\\{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe"	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}\stubpath = "C:\\Windows\\{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe"	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907A3CE5-6341-4855-BBFA-174C222BFD51}	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{907A3CE5-6341-4855-BBFA-174C222BFD51}\stubpath = "C:\\Windows\\{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe"	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D34A0207-0133-4f95-A93E-2AD17BE7902E}	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A6337C1-42CC-4947-8210-8C0277CC56BB}	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73E170C0-54AF-4a58-8568-168161BAEADD}	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}\stubpath = "C:\\Windows\\{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe"	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{381C73D4-7033-4ad5-B23D-B589C888D339}	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D34A0207-0133-4f95-A93E-2AD17BE7902E}\stubpath = "C:\\Windows\\{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe"	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{381C73D4-7033-4ad5-B23D-B589C888D339}\stubpath = "C:\\Windows\\{381C73D4-7033-4ad5-B23D-B589C888D339}.exe"	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}\stubpath = "C:\\Windows\\{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe"	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe
1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe
812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe
840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe
1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe
4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe
4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe
2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe
4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe
100	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe
4936	{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe
2840	{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe
File created	C:\Windows\{381C73D4-7033-4ad5-B23D-B589C888D339}.exe	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe
File created	C:\Windows\{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe
File created	C:\Windows\{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
File created	C:\Windows\{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe
File created	C:\Windows\{73E170C0-54AF-4a58-8568-168161BAEADD}.exe	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe
File created	C:\Windows\{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe
File created	C:\Windows\{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe
File created	C:\Windows\{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe
File created	C:\Windows\{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe
File created	C:\Windows\{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe
File created	C:\Windows\{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}.exe	{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3924	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe
Token: SeIncBasePriorityPrivilege	1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe
Token: SeIncBasePriorityPrivilege	812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe
Token: SeIncBasePriorityPrivilege	840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe
Token: SeIncBasePriorityPrivilege	1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe
Token: SeIncBasePriorityPrivilege	4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe
Token: SeIncBasePriorityPrivilege	4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe
Token: SeIncBasePriorityPrivilege	2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe
Token: SeIncBasePriorityPrivilege	4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe
Token: SeIncBasePriorityPrivilege	100	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe
Token: SeIncBasePriorityPrivilege	4936	{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1804	3924	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	89
PID 3924 wrote to memory of 1804	3924	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	89
PID 3924 wrote to memory of 1804	3924	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	89
PID 3924 wrote to memory of 2832	3924	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	90
PID 3924 wrote to memory of 2832	3924	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	90
PID 3924 wrote to memory of 2832	3924	2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe	90
PID 1804 wrote to memory of 1496	1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe	94
PID 1804 wrote to memory of 1496	1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe	94
PID 1804 wrote to memory of 1496	1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe	94
PID 1804 wrote to memory of 4532	1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe	95
PID 1804 wrote to memory of 4532	1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe	95
PID 1804 wrote to memory of 4532	1804	{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe	95
PID 1496 wrote to memory of 812	1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe	97
PID 1496 wrote to memory of 812	1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe	97
PID 1496 wrote to memory of 812	1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe	97
PID 1496 wrote to memory of 2652	1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe	96
PID 1496 wrote to memory of 2652	1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe	96
PID 1496 wrote to memory of 2652	1496	{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe	96
PID 812 wrote to memory of 840	812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe	98
PID 812 wrote to memory of 840	812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe	98
PID 812 wrote to memory of 840	812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe	98
PID 812 wrote to memory of 3448	812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe	99
PID 812 wrote to memory of 3448	812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe	99
PID 812 wrote to memory of 3448	812	{73E170C0-54AF-4a58-8568-168161BAEADD}.exe	99
PID 840 wrote to memory of 1436	840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe	100
PID 840 wrote to memory of 1436	840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe	100
PID 840 wrote to memory of 1436	840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe	100
PID 840 wrote to memory of 1740	840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe	101
PID 840 wrote to memory of 1740	840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe	101
PID 840 wrote to memory of 1740	840	{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe	101
PID 1436 wrote to memory of 4132	1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe	102
PID 1436 wrote to memory of 4132	1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe	102
PID 1436 wrote to memory of 4132	1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe	102
PID 1436 wrote to memory of 2348	1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe	103
PID 1436 wrote to memory of 2348	1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe	103
PID 1436 wrote to memory of 2348	1436	{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe	103
PID 4132 wrote to memory of 4944	4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe	104
PID 4132 wrote to memory of 4944	4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe	104
PID 4132 wrote to memory of 4944	4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe	104
PID 4132 wrote to memory of 1536	4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe	105
PID 4132 wrote to memory of 1536	4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe	105
PID 4132 wrote to memory of 1536	4132	{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe	105
PID 4944 wrote to memory of 2480	4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe	106
PID 4944 wrote to memory of 2480	4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe	106
PID 4944 wrote to memory of 2480	4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe	106
PID 4944 wrote to memory of 5048	4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe	107
PID 4944 wrote to memory of 5048	4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe	107
PID 4944 wrote to memory of 5048	4944	{381C73D4-7033-4ad5-B23D-B589C888D339}.exe	107
PID 2480 wrote to memory of 4728	2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe	108
PID 2480 wrote to memory of 4728	2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe	108
PID 2480 wrote to memory of 4728	2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe	108
PID 2480 wrote to memory of 3972	2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe	109
PID 2480 wrote to memory of 3972	2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe	109
PID 2480 wrote to memory of 3972	2480	{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe	109
PID 4728 wrote to memory of 100	4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe	110
PID 4728 wrote to memory of 100	4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe	110
PID 4728 wrote to memory of 100	4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe	110
PID 4728 wrote to memory of 2868	4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe	111
PID 4728 wrote to memory of 2868	4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe	111
PID 4728 wrote to memory of 2868	4728	{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe	111
PID 100 wrote to memory of 4936	100	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe	112
PID 100 wrote to memory of 4936	100	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe	112
PID 100 wrote to memory of 4936	100	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe	112
PID 100 wrote to memory of 3568	100	{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_375b370e8111f0e435083b45f6e68365_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe
  C:\Windows\{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe
    C:\Windows\{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5A633~1.EXE > nul
      4⤵
      PID:2652
  - - C:\Windows\{73E170C0-54AF-4a58-8568-168161BAEADD}.exe
      C:\Windows\{73E170C0-54AF-4a58-8568-168161BAEADD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe
        
        C:\Windows\{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe
        
        C:\Windows\{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe
        
        C:\Windows\{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{381C73D4-7033-4ad5-B23D-B589C888D339}.exe
        
        C:\Windows\{381C73D4-7033-4ad5-B23D-B589C888D339}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe
        
        C:\Windows\{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe
        
        C:\Windows\{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe
        
        C:\Windows\{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe
        
        C:\Windows\{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}.exe
        
        C:\Windows\{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}.exe
        13⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFBE~1.EXE > nul
        13⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D34A0~1.EXE > nul
        12⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C503~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{907A3~1.EXE > nul
        10⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{381C7~1.EXE > nul
        9⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E144~1.EXE > nul
        8⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D8CD~1.EXE > nul
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDD5F~1.EXE > nul
        6⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73E17~1.EXE > nul
        5⤵
        
        PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D627C~1.EXE > nul
    3⤵
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{381C73D4-7033-4ad5-B23D-B589C888D339}.exe

Filesize
197KB

MD5
3360199d61c0e99ebc3802b43294021f

SHA1
0ea20e7867fd1287aa8d604b4b9cd7e8c369f979

SHA256
54976ea86b79b97bd17d80aa557d7fd62b9cddfe5106639d121248e365a9e11f

SHA512
c56c63ef99a856b2318d4dc4a871d9496e771ed76c261057a014e7d6136927611c23c13c33643b1626781e41aa9cc763b53aaf3b5caec14ab88423ffc09cddff

Download Submit
C:\Windows\{3C503A7E-42E1-4a11-83C1-5D3B4AD4F291}.exe

Filesize
197KB

MD5
8e62130d451aa19ef3f1258edcfe9d2a

SHA1
1e5891fdc9a8e9f4c974571d95a067696aa31713

SHA256
df1ec330bd7f758d34588e69b525726d10ebb93c028c45b438db3ac9b8e8a12e

SHA512
5525bfd635108aaa1b613ce75638cfbc912c2bce4c8a803c043805ed377eb0b3b4ee58ca54528be73137edd878ba2965b2517de756341667e4cd64bb388f67c9

Download Submit
C:\Windows\{5A6337C1-42CC-4947-8210-8C0277CC56BB}.exe

Filesize
197KB

MD5
4f002035912b211408811a96c01d538b

SHA1
11a17b13452b1d5ef3435703dcd4cdd078da5dd3

SHA256
4494c42851c99b4746fd5965a158615011bab85af4de9cc30e97e45769dc71d5

SHA512
263fca0a6f2c57db2b6c2250c9ec4c35b9577be721006e0331ec32cb368223b81f86e4aa21bc487ab8bd0c035375f79cc0a906de423c9fa4025edd06b3a4db67

Download Submit
C:\Windows\{73E170C0-54AF-4a58-8568-168161BAEADD}.exe

Filesize
197KB

MD5
28ef0fc49c57e7d84c758be98219585c

SHA1
226e8219c483d8cb25939535c66bea1b247bd53c

SHA256
2fc95154f74c7bb814f99045869f9417da8b49fe7941899069175bb5db6be27f

SHA512
eb80bde2cba91d6d1719514825546961c156372aebb0b31b4a0e1fa1c11a0e59dd5d15934eb9ede36a52f092bca99b81d38fcb3fdff2e30e948ca8c665fafed7

Download Submit
C:\Windows\{7DFBE29A-FD1B-4620-A988-0A51FB312F7F}.exe

Filesize
197KB

MD5
cba28158de5c53702b414203657f169b

SHA1
659261687ec8dac02d5c3b1ae220dad277005613

SHA256
be505d0ff633db333c8a79f5f58a14da218bbe76c246874ee224199db6a4f5e7

SHA512
72fc89f6454b9e7c59fb21bf044be14f81d6f2c62dfe4b66a55166f1572b93acc6239204367bf1ce57281c97a74a21e9d1f5e3ea35bc676719e2f2f413a50138

Download Submit
C:\Windows\{8D8CD0F0-499E-4cc5-A2C2-565ADC7CFB7D}.exe

Filesize
197KB

MD5
5c474276df79f8caea31f3bbb21a039b

SHA1
d7754d3c6c1661b6654cc72002ae9732893515d6

SHA256
352cfa0e79be6569ba79b6d6f936a83cf2ef278d6e57c8d07f6555a278ce3c6f

SHA512
215336369626d6e239c695f3ab856e8fec9a5c153c5f216a794221ec823fc50e5b053ba3ac5e5addc465cb13ce696ea4242be8f7adcd4f9d9378811d49140e21

Download Submit
C:\Windows\{907A3CE5-6341-4855-BBFA-174C222BFD51}.exe

Filesize
197KB

MD5
ee06699fae1deefaf5ea0043c8d807f7

SHA1
63a93a9b698e1fb3516adcdfcc006d159ce7d6cc

SHA256
95c1515a0be713e2717bd2a62c25bc32cde52eda0eb8290465228804e411f9ab

SHA512
96c43b47cf1b23669ec169a2a736c07cb7ad6448cdd94a2f51e9eeb55766f8655c890ed53fa477ff331381f62316d81994a2b397b47278c3020d4c4d79320c76

Download Submit
C:\Windows\{9E14471D-BEE6-4571-B76A-E3F7DFBE78EE}.exe

Filesize
197KB

MD5
b6d208b8d881b058296bc5af2dd75b3f

SHA1
832d8c9471638095a30ed49fce8d57aeed4db619

SHA256
9a0dac0d9e1b88ed768b139e9540040e0005e9eff0f20b8bc2e5167fcc47a50f

SHA512
24cb4f47f26c741af5f2c791b5f731a4eb509e6c77cc735ea93a14b65e1712a93bb25bd030342f1fa992107e3123cc282a0db79f054aa4c255e70c8870100f17

Download Submit
C:\Windows\{AA8CD1E0-32E9-4246-B70C-39D8A1E3A7C3}.exe

Filesize
197KB

MD5
b17e92328f16208803d4627ffa1aa8bb

SHA1
b27687a5a446f833a287c6631da11f981e1afbd1

SHA256
6b95eb5769d2f63159f454bfc55ea6e21a8bab4b650beb089cc88f590c5565bf

SHA512
b0cdbe350a37f1d1fdb8dde46d7c0649a1842a487d1d0185c9a7352342a992045e68889a5903abe8e08d8431ff6c5b5693cde6370707f5ee1267cbddb1ee1e11

Download Submit
C:\Windows\{BDD5FF3D-D3D5-41bd-B5B2-9863B837DC25}.exe

Filesize
197KB

MD5
1fa4f0a8ac0658b2b6a52fa1a37c8099

SHA1
27e915bebb52d427a3e971cad606497692c99724

SHA256
81b94a8e24a0c2a1c2d02f72ee2c492aa772aa3a4270d72330d824985c29c8f3

SHA512
0e55ce39360fb7d4df0529c4eb4c62499a5f1ea9fc819531f59b99b685855c6d9a7036d8195f0da4afedc72d12d3f5fe36e50a7420f959babb6e413ae5fd6600

Download Submit
C:\Windows\{D34A0207-0133-4f95-A93E-2AD17BE7902E}.exe

Filesize
197KB

MD5
da359c2c8a4723adeded10b0a7fef6f0

SHA1
b09ade86bc837fc781856fc0f8e050bea64f6e16

SHA256
2fe70eba6d51b393e18738dc35185a5c436bfb2603f6a10a1436eb186dcddbe5

SHA512
fb3f1f4d48b19cd20ff1a1d32e0dac52d30925f70eaeb85310d506ef75b26db0dd0e1b806d16aa7601989842dc915acab44415942dd0318a1cbd3ff8dca0206f

Download Submit
C:\Windows\{D627CE09-17EC-4a6d-BF12-8A8C2C312F5E}.exe

Filesize
197KB

MD5
7d4d9987f1c60dbd2136f800059a8469

SHA1
8f7b355dbcae167bb0212f992bb08b1c43939af9

SHA256
5026859d6b3990797d40905e0ea04ccddcbcfa6427c492d14c51894967cbdd75

SHA512
1e79367039e3db14cd6aeb03344902b3d65f0629de05e77d7fa91cff07c5ff5ccd079c4470fa9d33505e315c7e754d20d4676c82dcb9a88cf646ea2e8e6966b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads