d3e0d6fa1638b811a57be7fcd16677ab4eab6943ccc847b25d26b08e26502972

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Size

408KB
MD5

9e0d62ab5eaa88ec136d9911b6781a79
SHA1

5ffdb132541bcacff2384ef55fab14980b458122
SHA256

d3e0d6fa1638b811a57be7fcd16677ab4eab6943ccc847b25d26b08e26502972
SHA512

b539a7348d1cff2aa32c1750698f9b780db8e190802bc5df017a14bb58a31796ba4e75c3e881999bec68dbbdb70667f90a400ada264bdbd185a8eba070e0f9e4
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322a-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023231-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002321f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022044-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA379923-FBFE-47be-9577-17851943D6C6}\stubpath = "C:\\Windows\\{AA379923-FBFE-47be-9577-17851943D6C6}.exe"	{387551BF-CBE5-4e46-9216-C74F82212D71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1760E411-4A99-4774-979A-351D03FCF2F0}\stubpath = "C:\\Windows\\{1760E411-4A99-4774-979A-351D03FCF2F0}.exe"	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{734AB9A9-ED70-427e-B1C7-782936BC007A}	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{734AB9A9-ED70-427e-B1C7-782936BC007A}\stubpath = "C:\\Windows\\{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe"	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6621E3B3-4671-4743-B0F9-D8B91BA610AF}	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE48A90D-A72F-4050-9915-7E938A2A4B8E}	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE48A90D-A72F-4050-9915-7E938A2A4B8E}\stubpath = "C:\\Windows\\{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe"	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1760E411-4A99-4774-979A-351D03FCF2F0}	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DB61A35-8E37-412b-8D1F-E3F565D21285}	{1860C55B-D7E1-4f5c-A431-963459583748}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DB61A35-8E37-412b-8D1F-E3F565D21285}\stubpath = "C:\\Windows\\{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe"	{1860C55B-D7E1-4f5c-A431-963459583748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387551BF-CBE5-4e46-9216-C74F82212D71}	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6621E3B3-4671-4743-B0F9-D8B91BA610AF}\stubpath = "C:\\Windows\\{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe"	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}\stubpath = "C:\\Windows\\{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe"	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}\stubpath = "C:\\Windows\\{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe"	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}\stubpath = "C:\\Windows\\{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe"	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1860C55B-D7E1-4f5c-A431-963459583748}\stubpath = "C:\\Windows\\{1860C55B-D7E1-4f5c-A431-963459583748}.exe"	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387551BF-CBE5-4e46-9216-C74F82212D71}\stubpath = "C:\\Windows\\{387551BF-CBE5-4e46-9216-C74F82212D71}.exe"	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}\stubpath = "C:\\Windows\\{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe"	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1860C55B-D7E1-4f5c-A431-963459583748}	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA379923-FBFE-47be-9577-17851943D6C6}	{387551BF-CBE5-4e46-9216-C74F82212D71}.exe

Executes dropped EXE 12 IoCs

pid	Process
3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe
1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe
3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe
3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe
1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe
2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe
4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe
4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe
4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe
4400	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe
4768	{387551BF-CBE5-4e46-9216-C74F82212D71}.exe
4552	{AA379923-FBFE-47be-9577-17851943D6C6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
File created	C:\Windows\{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe
File created	C:\Windows\{1860C55B-D7E1-4f5c-A431-963459583748}.exe	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe
File created	C:\Windows\{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe
File created	C:\Windows\{387551BF-CBE5-4e46-9216-C74F82212D71}.exe	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe
File created	C:\Windows\{AA379923-FBFE-47be-9577-17851943D6C6}.exe	{387551BF-CBE5-4e46-9216-C74F82212D71}.exe
File created	C:\Windows\{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe
File created	C:\Windows\{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe
File created	C:\Windows\{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe
File created	C:\Windows\{1760E411-4A99-4774-979A-351D03FCF2F0}.exe	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe
File created	C:\Windows\{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe
File created	C:\Windows\{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe	{1860C55B-D7E1-4f5c-A431-963459583748}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4104	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe
Token: SeIncBasePriorityPrivilege	1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe
Token: SeIncBasePriorityPrivilege	3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe
Token: SeIncBasePriorityPrivilege	3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe
Token: SeIncBasePriorityPrivilege	1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe
Token: SeIncBasePriorityPrivilege	2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe
Token: SeIncBasePriorityPrivilege	4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe
Token: SeIncBasePriorityPrivilege	4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe
Token: SeIncBasePriorityPrivilege	4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe
Token: SeIncBasePriorityPrivilege	4400	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe
Token: SeIncBasePriorityPrivilege	4768	{387551BF-CBE5-4e46-9216-C74F82212D71}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3372	4104	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	93
PID 4104 wrote to memory of 3372	4104	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	93
PID 4104 wrote to memory of 3372	4104	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	93
PID 4104 wrote to memory of 1724	4104	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	92
PID 4104 wrote to memory of 1724	4104	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	92
PID 4104 wrote to memory of 1724	4104	2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe	92
PID 3372 wrote to memory of 1680	3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe	94
PID 3372 wrote to memory of 1680	3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe	94
PID 3372 wrote to memory of 1680	3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe	94
PID 3372 wrote to memory of 1104	3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe	95
PID 3372 wrote to memory of 1104	3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe	95
PID 3372 wrote to memory of 1104	3372	{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe	95
PID 1680 wrote to memory of 3908	1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe	98
PID 1680 wrote to memory of 3908	1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe	98
PID 1680 wrote to memory of 3908	1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe	98
PID 1680 wrote to memory of 1548	1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe	97
PID 1680 wrote to memory of 1548	1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe	97
PID 1680 wrote to memory of 1548	1680	{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe	97
PID 3908 wrote to memory of 3720	3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe	99
PID 3908 wrote to memory of 3720	3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe	99
PID 3908 wrote to memory of 3720	3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe	99
PID 3908 wrote to memory of 2636	3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe	100
PID 3908 wrote to memory of 2636	3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe	100
PID 3908 wrote to memory of 2636	3908	{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe	100
PID 3720 wrote to memory of 1012	3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe	101
PID 3720 wrote to memory of 1012	3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe	101
PID 3720 wrote to memory of 1012	3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe	101
PID 3720 wrote to memory of 1444	3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe	102
PID 3720 wrote to memory of 1444	3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe	102
PID 3720 wrote to memory of 1444	3720	{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe	102
PID 1012 wrote to memory of 2520	1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe	103
PID 1012 wrote to memory of 2520	1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe	103
PID 1012 wrote to memory of 2520	1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe	103
PID 1012 wrote to memory of 4800	1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe	104
PID 1012 wrote to memory of 4800	1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe	104
PID 1012 wrote to memory of 4800	1012	{1760E411-4A99-4774-979A-351D03FCF2F0}.exe	104
PID 2520 wrote to memory of 4076	2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe	105
PID 2520 wrote to memory of 4076	2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe	105
PID 2520 wrote to memory of 4076	2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe	105
PID 2520 wrote to memory of 4588	2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe	106
PID 2520 wrote to memory of 4588	2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe	106
PID 2520 wrote to memory of 4588	2520	{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe	106
PID 4076 wrote to memory of 4300	4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe	107
PID 4076 wrote to memory of 4300	4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe	107
PID 4076 wrote to memory of 4300	4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe	107
PID 4076 wrote to memory of 1904	4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe	108
PID 4076 wrote to memory of 1904	4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe	108
PID 4076 wrote to memory of 1904	4076	{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe	108
PID 4300 wrote to memory of 4992	4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe	109
PID 4300 wrote to memory of 4992	4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe	109
PID 4300 wrote to memory of 4992	4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe	109
PID 4300 wrote to memory of 980	4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe	110
PID 4300 wrote to memory of 980	4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe	110
PID 4300 wrote to memory of 980	4300	{1860C55B-D7E1-4f5c-A431-963459583748}.exe	110
PID 4992 wrote to memory of 4400	4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe	111
PID 4992 wrote to memory of 4400	4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe	111
PID 4992 wrote to memory of 4400	4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe	111
PID 4992 wrote to memory of 3060	4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe	112
PID 4992 wrote to memory of 3060	4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe	112
PID 4992 wrote to memory of 3060	4992	{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe	112
PID 4400 wrote to memory of 4768	4400	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe	113
PID 4400 wrote to memory of 4768	4400	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe	113
PID 4400 wrote to memory of 4768	4400	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe	113
PID 4400 wrote to memory of 2964	4400	{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_9e0d62ab5eaa88ec136d9911b6781a79_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1724
- C:\Windows\{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe
  C:\Windows\{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe
    C:\Windows\{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0FDDA~1.EXE > nul
      4⤵
      PID:1548
  - - C:\Windows\{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe
      C:\Windows\{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe
        
        C:\Windows\{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
      - C:\Windows\{1760E411-4A99-4774-979A-351D03FCF2F0}.exe
        
        C:\Windows\{1760E411-4A99-4774-979A-351D03FCF2F0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe
        
        C:\Windows\{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe
        
        C:\Windows\{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{1860C55B-D7E1-4f5c-A431-963459583748}.exe
        
        C:\Windows\{1860C55B-D7E1-4f5c-A431-963459583748}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe
        
        C:\Windows\{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe
        
        C:\Windows\{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{387551BF-CBE5-4e46-9216-C74F82212D71}.exe
        
        C:\Windows\{387551BF-CBE5-4e46-9216-C74F82212D71}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\{AA379923-FBFE-47be-9577-17851943D6C6}.exe
        
        C:\Windows\{AA379923-FBFE-47be-9577-17851943D6C6}.exe
        13⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38755~1.EXE > nul
        13⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{734AB~1.EXE > nul
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DB61~1.EXE > nul
        11⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1860C~1.EXE > nul
        10⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4C0F~1.EXE > nul
        9⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A28B~1.EXE > nul
        8⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1760E~1.EXE > nul
        7⤵
        
        PID:4800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FE2E~1.EXE > nul
        6⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE48A~1.EXE > nul
        5⤵
        
        PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6621E~1.EXE > nul
    3⤵
    PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FDDA9B6-5034-4b9b-BB5F-3C3EFB255214}.exe

Filesize
408KB

MD5
8d67addb06c27772ef28c8ad2a33a5b6

SHA1
161581552115ca093f26262706f40427d62ceb24

SHA256
2a8a9b7c2aa5928113d59790b73ed4149c6d42b5dc44ef1057d6082cb7351083

SHA512
f6d988ee347c7f56edb508cb5bb9c3510b69c19eed9881b252da129df773b6f61e4bc111668068d631a411eec599d80b488e3822ab2296a02dd5849fc7e3e373

Download Submit
C:\Windows\{1760E411-4A99-4774-979A-351D03FCF2F0}.exe

Filesize
408KB

MD5
948b5752cdee26238d7b963022a8e810

SHA1
6dc5515569362e4259dc2dfedc96785b15c94806

SHA256
dbc3987ae8810c09f9b54c8045e350e4fdcf21dc04c45e6f5c8b06749062f28c

SHA512
208e8b294e14c64bd55dd09bf87482c6bda850e764e4ffb58f38ff256208bac067ada3e7a94a3915d7cfa2ffba3c95e23e1532dd7daf7711f85c3ff55d2785ff

Download Submit
C:\Windows\{1760E411-4A99-4774-979A-351D03FCF2F0}.exe

Filesize
384KB

MD5
1284ea5dae7eaeed56cb6052207623bc

SHA1
0fd30fc15ac85cdfadcbccf6d40ce7833060f664

SHA256
5e4d32c01b61a58db87a4da99b2b5e6a51da73965a81fd7b714f44eb565f4f14

SHA512
95d4b53c546b795bcaf48e23bc837565c9d36c4dda4edf9c4e5819786c395156cf9b203214d7e7f8431a558c7469de6248c42fd894cdd29abe7e7d283d888b08

Download Submit
C:\Windows\{1860C55B-D7E1-4f5c-A431-963459583748}.exe

Filesize
408KB

MD5
24672767c38a82b9fc0e68cc1fb392e2

SHA1
a33179684445885a9196981cf31ec339d2c436c8

SHA256
56b00713ba62a6cd8ebd96b6a56c0f5a60939df595f28466b9a882dd6a9c97b3

SHA512
129b17927d80d99cd7cb6fa6dfd93ffb4efc7e4ff57e57a60df894c181753fbcd9577fc90d39dd62bbf3b386faf59d41019e6c68ca6e263ad7b52f7b9a05d093

Download Submit
C:\Windows\{387551BF-CBE5-4e46-9216-C74F82212D71}.exe

Filesize
408KB

MD5
6aed6a141b206ceae725ae57efa65595

SHA1
2b977a5b42c166ed0332731ca6cbb41f15fcfccd

SHA256
bf7ef06ac482a2386066bf48077621c1bff15b287d462c64a4648644762d50fc

SHA512
0ec9d80eb634c20b0dbb2f7af08a889bf2160d5883ca05486473ff310e74ce6d8d8ced2387f9d0aac90e500e07edfa49b0fb8deffdfbe800d89c8feb6835b5d0

Download Submit
C:\Windows\{5A28B00C-5D07-4e26-8AD8-A9445570EE7C}.exe

Filesize
408KB

MD5
4cd0bca77a939cfcae56db3d87083ede

SHA1
84275014e0b69f0e738911eeb03de59419b56bc1

SHA256
ecef58b2bd8e1cbf6462366ab323d7dcf03b7495e62f68ce44fc70c0c3a1c165

SHA512
801de922f24e6846aeff7bae19b43f972c3f7ca16732f92eac5ec35a791d9ddadd79d63f680b712b220558282269c57e58bf04feabfc703e7eb648c887889192

Download Submit
C:\Windows\{5FE2E6FB-C804-4005-9BDC-685D729EBCA7}.exe

Filesize
408KB

MD5
bd5af5f403f6e6657e316d58f35c902e

SHA1
fea8b99b6b31a7f9b2b6b58ad76e3758dbd87d85

SHA256
613417de8278a3e3c628c259b84a0d95414930fe05e64fa1f0f0bc5ff20f4a35

SHA512
b21327bd539f07df95e76a6715286048c4a99cffb477904aa985356915fb7480bdde992f22875950b5f2260f526d6d751bda14025c5fe2fa3871265ad0c6cf69

Download Submit
C:\Windows\{6621E3B3-4671-4743-B0F9-D8B91BA610AF}.exe

Filesize
408KB

MD5
1badd1ca64f1e17e213e0345f5ed6b81

SHA1
4236cf5f1c976ae70a05cb67260b66c70c9126e2

SHA256
65978b8f3dcc37416e573a97e66076147b7b4c119990dadc0464897d93b19679

SHA512
e079e621cfa175d4a6cdd526410caa5284739e4debfe191cffcd076a484fc5f9f1dcc70a87530e4ace6f62653bc28c5b41311d12647a70d8d20c237444e0495c

Download Submit
C:\Windows\{734AB9A9-ED70-427e-B1C7-782936BC007A}.exe

Filesize
408KB

MD5
9ca350f7de936f5a500059ca096cec72

SHA1
67e513f61c07d1c127c94e9c88944beb4841e14f

SHA256
1a5361fe7beeb8bafc20cda1c8d027913db0acd0d4b50043a83a72b30df9151e

SHA512
820c0d985186ec59f5fd50ac5a3bc3605387b732b7686af06a67da66fe7ba560635fd666cb4b36aab4066935508c93f33f464d1bc86396398c3516cddf2c6c15

Download Submit
C:\Windows\{8DB61A35-8E37-412b-8D1F-E3F565D21285}.exe

Filesize
408KB

MD5
8395e254bdae457dfdd221a0378a5a79

SHA1
5e5c0ee06777372009e967d178ca9b3cc877b159

SHA256
ac3f504c21fe325f966cf7677b4f3ba1741899aae2df28650ee2537c292cd05e

SHA512
31e1aff05771351ae085fa67e111e856374bb25054350a79fdb95033ff3594a8ce9c769099755dfe0765c0c04dde917e4e9bff6bcccd9abf750f90118f9c80dc

Download Submit
C:\Windows\{AA379923-FBFE-47be-9577-17851943D6C6}.exe

Filesize
408KB

MD5
b8fa82e74aa5dca35b2e13c905fd894a

SHA1
f278cf75c11c1f5359b4485ffff7ab588c4c2305

SHA256
53fe712a7bea38203ce13d95d36e7a35ad1aaffea371bcc0d9d0d9fe01d2a6aa

SHA512
9f0c8d2e221c19fed1a39cb7f625f7852be9ca96e472ee04f080cfccc69639ff2953764bd022f707c492010b867adf79e812dd1e770c9a5ed84e9e83672e319c

Download Submit
C:\Windows\{B4C0FE3D-D2A4-4a89-B0AF-23CD96D163B5}.exe

Filesize
408KB

MD5
b2147fd1bd22c9eae1efad6f508362d5

SHA1
0cf2b4b839986b2af205c781f3815accb7b5a0f8

SHA256
b59eab4eb74d79fd69d2d4a94684b40431c7ddd66a7cfde9db8ea2f1853d55a8

SHA512
13b22bf03648a979e5e3fb9e8e2e05562d697a63ea828dcfe3dfb398ebb4768972aea89d354f78dd8c2e3eb4e5231c32544db30ed2a9a12b4e543c8710f28f32

Download Submit
C:\Windows\{BE48A90D-A72F-4050-9915-7E938A2A4B8E}.exe

Filesize
408KB

MD5
f448fc3fbe22c56d3451d90f39c35aec

SHA1
0de47e6a8c4c3d8edf228c82ddac1d898525478a

SHA256
ff58caaefbeb139d0540d7ca78b1adb84c3168c8dce9278c5a8011129d5c9c05

SHA512
b9f016231e16e2991dfa105a59d14699637b64bcae86feaa7beddbcb7335c68dd1df7934958e80e46523ff5c2252d8db61b14ae5419970a12744c12f13da768f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads