2b385f70c92c5c69e7ed79051a2e2c5e0e290b10e5ea51f674f11f73b3e80859

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 06:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe
Size

204KB
MD5

0583eb5a530b0ae98b2e89237156364d
SHA1

43ade7db220edd7cc433b975d9f7c54885e8d73e
SHA256

2b385f70c92c5c69e7ed79051a2e2c5e0e290b10e5ea51f674f11f73b3e80859
SHA512

7c725e8c2020a892a2327c10063c4d00726588415bbee9f1a3b5e69d4c82abe08392749b8c753530860592088a689c2347a659424910a67fe74fb23cec882240
SSDEEP

1536:1EGh0oZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oZl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120dc-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012266-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000015c40-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003300000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000000b1f4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000000b1f4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000000b1f4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F353EA5-4C56-440b-843C-933F479A0A09}	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51DBE741-03C3-4f7d-BA6E-27FA848E316C}	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51DBE741-03C3-4f7d-BA6E-27FA848E316C}\stubpath = "C:\\Windows\\{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe"	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}\stubpath = "C:\\Windows\\{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe"	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{107CFEA1-4AF7-424a-AD4A-95644FEE362A}\stubpath = "C:\\Windows\\{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe"	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1528420A-85B1-4506-8A37-54B3DC69EE8D}	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}\stubpath = "C:\\Windows\\{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe"	{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED0EEF09-C650-4cac-B1A5-E7F469709E87}\stubpath = "C:\\Windows\\{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe"	{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DE9630-225E-4543-AF50-13F6CD96E812}	{26943403-57B3-4adb-8410-41BF378B4FB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F353EA5-4C56-440b-843C-933F479A0A09}\stubpath = "C:\\Windows\\{8F353EA5-4C56-440b-843C-933F479A0A09}.exe"	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}\stubpath = "C:\\Windows\\{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe"	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1528420A-85B1-4506-8A37-54B3DC69EE8D}\stubpath = "C:\\Windows\\{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe"	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB884416-B713-4329-AFA3-A6885589A6BF}	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}	{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED0EEF09-C650-4cac-B1A5-E7F469709E87}	{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26943403-57B3-4adb-8410-41BF378B4FB7}	{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DE9630-225E-4543-AF50-13F6CD96E812}\stubpath = "C:\\Windows\\{D8DE9630-225E-4543-AF50-13F6CD96E812}.exe"	{26943403-57B3-4adb-8410-41BF378B4FB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}\stubpath = "C:\\Windows\\{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe"	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB884416-B713-4329-AFA3-A6885589A6BF}\stubpath = "C:\\Windows\\{AB884416-B713-4329-AFA3-A6885589A6BF}.exe"	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{107CFEA1-4AF7-424a-AD4A-95644FEE362A}	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26943403-57B3-4adb-8410-41BF378B4FB7}\stubpath = "C:\\Windows\\{26943403-57B3-4adb-8410-41BF378B4FB7}.exe"	{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe
2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe
2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe
1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe
648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe
1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe
1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe
2844	{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe
1376	{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe
2200	{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe
2504	{26943403-57B3-4adb-8410-41BF378B4FB7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D8DE9630-225E-4543-AF50-13F6CD96E812}.exe	{26943403-57B3-4adb-8410-41BF378B4FB7}.exe
File created	C:\Windows\{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe
File created	C:\Windows\{26943403-57B3-4adb-8410-41BF378B4FB7}.exe	{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe
File created	C:\Windows\{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe
File created	C:\Windows\{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe
File created	C:\Windows\{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe
File created	C:\Windows\{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe
File created	C:\Windows\{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe
File created	C:\Windows\{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe	{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe
File created	C:\Windows\{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe
File created	C:\Windows\{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe
File created	C:\Windows\{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe	{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe
Token: SeIncBasePriorityPrivilege	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe
Token: SeIncBasePriorityPrivilege	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe
Token: SeIncBasePriorityPrivilege	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe
Token: SeIncBasePriorityPrivilege	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe
Token: SeIncBasePriorityPrivilege	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe
Token: SeIncBasePriorityPrivilege	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe
Token: SeIncBasePriorityPrivilege	2844	{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe
Token: SeIncBasePriorityPrivilege	1376	{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe
Token: SeIncBasePriorityPrivilege	2200	{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2240	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	28
PID 2464 wrote to memory of 2240	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	28
PID 2464 wrote to memory of 2240	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	28
PID 2464 wrote to memory of 2240	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	28
PID 2464 wrote to memory of 2744	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	29
PID 2464 wrote to memory of 2744	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	29
PID 2464 wrote to memory of 2744	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	29
PID 2464 wrote to memory of 2744	2464	2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe	29
PID 2240 wrote to memory of 2644	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	30
PID 2240 wrote to memory of 2644	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	30
PID 2240 wrote to memory of 2644	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	30
PID 2240 wrote to memory of 2644	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	30
PID 2240 wrote to memory of 2980	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	31
PID 2240 wrote to memory of 2980	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	31
PID 2240 wrote to memory of 2980	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	31
PID 2240 wrote to memory of 2980	2240	{8F353EA5-4C56-440b-843C-933F479A0A09}.exe	31
PID 2644 wrote to memory of 2608	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	35
PID 2644 wrote to memory of 2608	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	35
PID 2644 wrote to memory of 2608	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	35
PID 2644 wrote to memory of 2608	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	35
PID 2644 wrote to memory of 2228	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	34
PID 2644 wrote to memory of 2228	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	34
PID 2644 wrote to memory of 2228	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	34
PID 2644 wrote to memory of 2228	2644	{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe	34
PID 2608 wrote to memory of 1540	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	36
PID 2608 wrote to memory of 1540	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	36
PID 2608 wrote to memory of 1540	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	36
PID 2608 wrote to memory of 1540	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	36
PID 2608 wrote to memory of 2924	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	37
PID 2608 wrote to memory of 2924	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	37
PID 2608 wrote to memory of 2924	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	37
PID 2608 wrote to memory of 2924	2608	{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe	37
PID 1540 wrote to memory of 648	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	38
PID 1540 wrote to memory of 648	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	38
PID 1540 wrote to memory of 648	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	38
PID 1540 wrote to memory of 648	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	38
PID 1540 wrote to memory of 2408	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	39
PID 1540 wrote to memory of 2408	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	39
PID 1540 wrote to memory of 2408	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	39
PID 1540 wrote to memory of 2408	1540	{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe	39
PID 648 wrote to memory of 1668	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	40
PID 648 wrote to memory of 1668	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	40
PID 648 wrote to memory of 1668	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	40
PID 648 wrote to memory of 1668	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	40
PID 648 wrote to memory of 1092	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	41
PID 648 wrote to memory of 1092	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	41
PID 648 wrote to memory of 1092	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	41
PID 648 wrote to memory of 1092	648	{AB884416-B713-4329-AFA3-A6885589A6BF}.exe	41
PID 1668 wrote to memory of 1916	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	42
PID 1668 wrote to memory of 1916	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	42
PID 1668 wrote to memory of 1916	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	42
PID 1668 wrote to memory of 1916	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	42
PID 1668 wrote to memory of 436	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	43
PID 1668 wrote to memory of 436	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	43
PID 1668 wrote to memory of 436	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	43
PID 1668 wrote to memory of 436	1668	{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe	43
PID 1916 wrote to memory of 2844	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	44
PID 1916 wrote to memory of 2844	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	44
PID 1916 wrote to memory of 2844	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	44
PID 1916 wrote to memory of 2844	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	44
PID 1916 wrote to memory of 2904	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	45
PID 1916 wrote to memory of 2904	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	45
PID 1916 wrote to memory of 2904	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	45
PID 1916 wrote to memory of 2904	1916	{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_0583eb5a530b0ae98b2e89237156364d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\{8F353EA5-4C56-440b-843C-933F479A0A09}.exe
  C:\Windows\{8F353EA5-4C56-440b-843C-933F479A0A09}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe
    C:\Windows\{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51DBE~1.EXE > nul
      4⤵
      PID:2228
  - - C:\Windows\{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe
      C:\Windows\{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe
        
        C:\Windows\{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{AB884416-B713-4329-AFA3-A6885589A6BF}.exe
        
        C:\Windows\{AB884416-B713-4329-AFA3-A6885589A6BF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe
        
        C:\Windows\{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe
        
        C:\Windows\{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe
        
        C:\Windows\{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15284~1.EXE > nul
        10⤵
        
        PID:2068
        
        C:\Windows\{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe
        
        C:\Windows\{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe
        
        C:\Windows\{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED0EE~1.EXE > nul
        12⤵
        
        PID:768
        
        C:\Windows\{26943403-57B3-4adb-8410-41BF378B4FB7}.exe
        
        C:\Windows\{26943403-57B3-4adb-8410-41BF378B4FB7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26943~1.EXE > nul
        13⤵
        
        PID:432
        
        C:\Windows\{D8DE9630-225E-4543-AF50-13F6CD96E812}.exe
        
        C:\Windows\{D8DE9630-225E-4543-AF50-13F6CD96E812}.exe
        13⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E59E~1.EXE > nul
        11⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD4F~1.EXE > nul
        9⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{107CF~1.EXE > nul
        8⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB884~1.EXE > nul
        7⤵
        
        PID:1092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F224~1.EXE > nul
        6⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD8D~1.EXE > nul
        5⤵
        
        PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F353~1.EXE > nul
    3⤵
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{107CFEA1-4AF7-424a-AD4A-95644FEE362A}.exe

Filesize
204KB

MD5
7d1502b6597a5ac38572383a54efa962

SHA1
6c1db325f28c5b056b9b5da687af16a21b025411

SHA256
badd5026d23a61c810f1f71d6462a8ea8f0108cf7b615aef4980ee8ea8ab1d0c

SHA512
5946519e970900aacaf821c9bf8c02d1db1462c0062d0e7a7665d82b73bb8774e036483fa392dbeb5c35ab034b171f1204da6bb3731a2c0de442173d7e1b32de

Download Submit
C:\Windows\{1528420A-85B1-4506-8A37-54B3DC69EE8D}.exe

Filesize
204KB

MD5
70d6678f04bf16c0935adc33669d93ef

SHA1
888b5ccec52df154efecb42701993de4ef0a946e

SHA256
b1e9d9ccf5b17b89f1dcfce91d6ab971642dc7e63e1dddc0da5e0ccd067fb031

SHA512
968cf0b63bfdfa82ce777fc9ff95ccfca9d84adf303484ccb3a1da1b3174c445d87a03a2243786fc2d54550c22edef040148df155606bbf65b9cd94d7aa5c94c

Download Submit
C:\Windows\{1F224C81-25E3-4e4e-8A7C-0BBA23DF0C5A}.exe

Filesize
204KB

MD5
834a81e94bc8796e72d9956667952de6

SHA1
2135bc1b4e5a92be4d447e5f56dac1acbc8dcec9

SHA256
374fc18e9c6130f2b18e3971406b8112dbcc5c51c86a19d4bf4a9eca6b08c014

SHA512
a91293848895e0e6493aaaa49c6d182bab0016b5b8ba18f9ce1a21f55f8bcc9c893119e81566796becc3d87bf215668cfac3f6a9b46f7003812b62f3d2ecd711

Download Submit
C:\Windows\{26943403-57B3-4adb-8410-41BF378B4FB7}.exe

Filesize
204KB

MD5
9da725c1e00c9f306b4b3ffb0a11fcbb

SHA1
7614ca84b07079e41e370568feaadb9bc4f65378

SHA256
944fd73b19eea00c28b76c4f9a2a6260803a527c65f5577c399decae93718498

SHA512
d1f2894cfe2337c5c52be26946d8c7ff7c029e52c04bc6ab30cf9186c744cb3f8925cef7b0c8f270b9798a8aa1209a430e86a4a2686317754ccffd538909414c

Download Submit
C:\Windows\{51DBE741-03C3-4f7d-BA6E-27FA848E316C}.exe

Filesize
204KB

MD5
a0e6d582a60d5f0169a3396b14955dbf

SHA1
d6eab16b9424763f08050cb18f2b383c0c42ce8d

SHA256
210d3ba2bab42e00f086abb9ef4daa28c3cb220b8d9f3f2b85f3ef840bbf39c1

SHA512
121df8f4f68249a0ea5fb3ea2b0b00412db3049e4f7ded29d018ea30d87c0e3f2daa9cc994d95010feb168fd088c9ffad249a5b98d65cea6834bb9e01f6f6194

Download Submit
C:\Windows\{5CD4F584-7CBA-4bbb-80C6-F9FCEF82AFFF}.exe

Filesize
204KB

MD5
50556d5bc4bd47230c90ff73087cb064

SHA1
8f8fb52797622780475a2807e4ade2489f19b1f5

SHA256
88cb9a58bcd952498ab843b6b78e395765f7a7d6c94d2d0aa0617b662b25e37c

SHA512
d43c1fccd409db9d2d7d08aea69bdc1bdf4375ea5cb74663426a017c24edc8d69840df1370a1a9874780a8dc2c731aff996f153481f6b109f7941d16561a8eb0

Download Submit
C:\Windows\{6E59E1DE-AF62-4db8-BAAE-27EA8C368DE0}.exe

Filesize
204KB

MD5
3282d1073e83accdaeb093dc0210656a

SHA1
a91e903a83e2c8cb49af2cb8232742f87d1bfee8

SHA256
3ebf13880b8c5ad39adf3a25a20fa21385f8e54baedbfb88a87830907e5dbd42

SHA512
7e9186215bf45f079d2b632e919ebe80cd392e7192c41c70b9cef1b38c4466df60c3c30a109e1b4eaf542b3600c468295656381e86495a1db8320ce886ab8b7e

Download Submit
C:\Windows\{8F353EA5-4C56-440b-843C-933F479A0A09}.exe

Filesize
204KB

MD5
8a06801ec65332a1305b8314d07f2e2a

SHA1
623b714e6261e679381e7894d22bf60431d53862

SHA256
51357f2c7a0736adae35a1c6b1afe6ca5e2629d5546ba770af10264eea6ee413

SHA512
629dbfcc1f4835681f109eb58d181e41582d98b531163e8d5546bc37ba56e54270eeba845540b5d52c37b7ad9fe0921c2fc16253aecb8d5157b6be074664fd78

Download Submit
C:\Windows\{AB884416-B713-4329-AFA3-A6885589A6BF}.exe

Filesize
204KB

MD5
14b39c385bac4f204d9d1f2b5d972941

SHA1
b679b9cfb6bda26f6ce6efd3dddd45f0eca67ef2

SHA256
8dce44bc0420dc17d3ac63d7b73607a801f50d02b66c0c9f913385b3cd677a30

SHA512
c98e652fecb201c065af0b3b35d6d73946e60302ca991599e86747cda85ab168fb8bf9b919e55464c4dc4549c9b3134b96f7df3c7b60efb5f94446bf409782a8

Download Submit
C:\Windows\{CCD8DE3C-6E02-420c-B6BA-6DDAF4DCEB59}.exe

Filesize
204KB

MD5
62ef36336664b9a3e2f4f9374d5fc024

SHA1
4d9c8ab9851f97abcc804ca5aaf0c7f393526da4

SHA256
a504aae924f9851b0f86cc47579cd36fb2a88607cf9031bbdc46c6c67d7235bb

SHA512
0261acb3d100b6275a72ba35be577782573c80b1e6b1e760347ae3b5ec3af96110b7edec9633ea5d70abb4ca11ac6c0cedb309096e4f5db7a76b8658dacf07dc

Download Submit
C:\Windows\{ED0EEF09-C650-4cac-B1A5-E7F469709E87}.exe

Filesize
204KB

MD5
83161135c8fc371a94687fa41e421a4c

SHA1
7f3c6b834f6f661ec2c1ee87e4705fc00cefb5fc

SHA256
905068860b1f41a35859be1f12f139608b61d5044904e10684e8672469b8262e

SHA512
c4c62bf8ac9747ad4108a87f7e7d8d532664e8fef86a1a9f93e0d83a3f716c9eefddd7a5c68b9af1ce649685816268129d85660f369a8a71140c00355995e95d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads