91a99719bda4a09c546cf9388771322ef0b8ee6b8e3db1cf2738254439ac4222

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe
Size

197KB
MD5

6af9763b32d21533cdf2217cc8059899
SHA1

39466f020686a0ed2b64b4a8e59b29124a2b8cf9
SHA256

91a99719bda4a09c546cf9388771322ef0b8ee6b8e3db1cf2738254439ac4222
SHA512

742d73bb50d1eb4629499bbc9524d3229af77c07445010b9985d6a4b40ceb15fe8f416ea84ba4b16f37b844a9b58d820709f6fa2aacfc69421c9332aad5c9a03
SSDEEP

3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG3lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f7-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002320c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023213-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000006cf-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006cf-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A731412-976D-4fbb-B00C-CD41EB9C95E5}	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}\stubpath = "C:\\Windows\\{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe"	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}\stubpath = "C:\\Windows\\{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe"	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{297F028B-0400-4db8-85C1-CB748751DAB9}	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}\stubpath = "C:\\Windows\\{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe"	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D931DC-AA27-4902-9660-66C95FDB4DD3}	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1160B89-4F42-4f18-B457-429EADE546F6}	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0A6573-6DEE-48a5-B6C9-386081758310}\stubpath = "C:\\Windows\\{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe"	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}\stubpath = "C:\\Windows\\{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe"	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D931DC-AA27-4902-9660-66C95FDB4DD3}\stubpath = "C:\\Windows\\{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe"	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{297F028B-0400-4db8-85C1-CB748751DAB9}\stubpath = "C:\\Windows\\{297F028B-0400-4db8-85C1-CB748751DAB9}.exe"	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0A6573-6DEE-48a5-B6C9-386081758310}	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{715079E9-2436-4d4c-8228-5B76ADAD5007}	{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{715079E9-2436-4d4c-8228-5B76ADAD5007}\stubpath = "C:\\Windows\\{715079E9-2436-4d4c-8228-5B76ADAD5007}.exe"	{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A731412-976D-4fbb-B00C-CD41EB9C95E5}\stubpath = "C:\\Windows\\{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe"	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}\stubpath = "C:\\Windows\\{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe"	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}\stubpath = "C:\\Windows\\{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe"	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1160B89-4F42-4f18-B457-429EADE546F6}\stubpath = "C:\\Windows\\{B1160B89-4F42-4f18-B457-429EADE546F6}.exe"	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe

Executes dropped EXE 12 IoCs

pid	Process
1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe
5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe
1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe
4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe
1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe
1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe
1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe
2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe
2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe
2520	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe
1180	{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe
4932	{715079E9-2436-4d4c-8228-5B76ADAD5007}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe
File created	C:\Windows\{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe
File created	C:\Windows\{B1160B89-4F42-4f18-B457-429EADE546F6}.exe	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe
File created	C:\Windows\{297F028B-0400-4db8-85C1-CB748751DAB9}.exe	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe
File created	C:\Windows\{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe
File created	C:\Windows\{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe
File created	C:\Windows\{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe
File created	C:\Windows\{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe
File created	C:\Windows\{715079E9-2436-4d4c-8228-5B76ADAD5007}.exe	{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe
File created	C:\Windows\{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe
File created	C:\Windows\{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe
File created	C:\Windows\{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3916	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe
Token: SeIncBasePriorityPrivilege	5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe
Token: SeIncBasePriorityPrivilege	1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe
Token: SeIncBasePriorityPrivilege	4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe
Token: SeIncBasePriorityPrivilege	1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe
Token: SeIncBasePriorityPrivilege	1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe
Token: SeIncBasePriorityPrivilege	1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe
Token: SeIncBasePriorityPrivilege	2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe
Token: SeIncBasePriorityPrivilege	2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe
Token: SeIncBasePriorityPrivilege	2520	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe
Token: SeIncBasePriorityPrivilege	1180	{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 1000	3916	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe	91
PID 3916 wrote to memory of 1000	3916	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe	91
PID 3916 wrote to memory of 1000	3916	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe	91
PID 3916 wrote to memory of 2308	3916	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe	92
PID 3916 wrote to memory of 2308	3916	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe	92
PID 3916 wrote to memory of 2308	3916	2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe	92
PID 1000 wrote to memory of 5072	1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe	93
PID 1000 wrote to memory of 5072	1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe	93
PID 1000 wrote to memory of 5072	1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe	93
PID 1000 wrote to memory of 656	1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe	94
PID 1000 wrote to memory of 656	1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe	94
PID 1000 wrote to memory of 656	1000	{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe	94
PID 5072 wrote to memory of 1560	5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe	97
PID 5072 wrote to memory of 1560	5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe	97
PID 5072 wrote to memory of 1560	5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe	97
PID 5072 wrote to memory of 2352	5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe	96
PID 5072 wrote to memory of 2352	5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe	96
PID 5072 wrote to memory of 2352	5072	{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe	96
PID 1560 wrote to memory of 4604	1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe	98
PID 1560 wrote to memory of 4604	1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe	98
PID 1560 wrote to memory of 4604	1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe	98
PID 1560 wrote to memory of 3396	1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe	99
PID 1560 wrote to memory of 3396	1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe	99
PID 1560 wrote to memory of 3396	1560	{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe	99
PID 4604 wrote to memory of 1588	4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe	100
PID 4604 wrote to memory of 1588	4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe	100
PID 4604 wrote to memory of 1588	4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe	100
PID 4604 wrote to memory of 4396	4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe	101
PID 4604 wrote to memory of 4396	4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe	101
PID 4604 wrote to memory of 4396	4604	{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe	101
PID 1588 wrote to memory of 1136	1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe	102
PID 1588 wrote to memory of 1136	1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe	102
PID 1588 wrote to memory of 1136	1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe	102
PID 1588 wrote to memory of 4040	1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe	103
PID 1588 wrote to memory of 4040	1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe	103
PID 1588 wrote to memory of 4040	1588	{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe	103
PID 1136 wrote to memory of 1096	1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe	104
PID 1136 wrote to memory of 1096	1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe	104
PID 1136 wrote to memory of 1096	1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe	104
PID 1136 wrote to memory of 3424	1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe	105
PID 1136 wrote to memory of 3424	1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe	105
PID 1136 wrote to memory of 3424	1136	{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe	105
PID 1096 wrote to memory of 2852	1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe	106
PID 1096 wrote to memory of 2852	1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe	106
PID 1096 wrote to memory of 2852	1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe	106
PID 1096 wrote to memory of 2424	1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe	107
PID 1096 wrote to memory of 2424	1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe	107
PID 1096 wrote to memory of 2424	1096	{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe	107
PID 2852 wrote to memory of 2368	2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe	108
PID 2852 wrote to memory of 2368	2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe	108
PID 2852 wrote to memory of 2368	2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe	108
PID 2852 wrote to memory of 4200	2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe	109
PID 2852 wrote to memory of 4200	2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe	109
PID 2852 wrote to memory of 4200	2852	{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe	109
PID 2368 wrote to memory of 2520	2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe	110
PID 2368 wrote to memory of 2520	2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe	110
PID 2368 wrote to memory of 2520	2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe	110
PID 2368 wrote to memory of 4968	2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe	111
PID 2368 wrote to memory of 4968	2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe	111
PID 2368 wrote to memory of 4968	2368	{B1160B89-4F42-4f18-B457-429EADE546F6}.exe	111
PID 2520 wrote to memory of 1180	2520	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe	113
PID 2520 wrote to memory of 1180	2520	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe	113
PID 2520 wrote to memory of 1180	2520	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe	113
PID 2520 wrote to memory of 3096	2520	{297F028B-0400-4db8-85C1-CB748751DAB9}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_6af9763b32d21533cdf2217cc8059899_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe
  C:\Windows\{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe
    C:\Windows\{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6A731~1.EXE > nul
      4⤵
      PID:2352
  - - C:\Windows\{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe
      C:\Windows\{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe
        
        C:\Windows\{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe
        
        C:\Windows\{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe
        
        C:\Windows\{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe
        
        C:\Windows\{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe
        
        C:\Windows\{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{B1160B89-4F42-4f18-B457-429EADE546F6}.exe
        
        C:\Windows\{B1160B89-4F42-4f18-B457-429EADE546F6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{297F028B-0400-4db8-85C1-CB748751DAB9}.exe
        
        C:\Windows\{297F028B-0400-4db8-85C1-CB748751DAB9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{297F0~1.EXE > nul
        12⤵
        
        PID:3096
        
        C:\Windows\{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe
        
        C:\Windows\{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\{715079E9-2436-4d4c-8228-5B76ADAD5007}.exe
        
        C:\Windows\{715079E9-2436-4d4c-8228-5B76ADAD5007}.exe
        13⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D0A6~1.EXE > nul
        13⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1160~1.EXE > nul
        11⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09D93~1.EXE > nul
        10⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49D05~1.EXE > nul
        9⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA7F9~1.EXE > nul
        8⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA92D~1.EXE > nul
        7⤵
        
        PID:4040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10E90~1.EXE > nul
        6⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5A37~1.EXE > nul
        5⤵
        
        PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14B6E~1.EXE > nul
    3⤵
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09D931DC-AA27-4902-9660-66C95FDB4DD3}.exe

Filesize
197KB

MD5
d83b846523828c158dbd597d1a6320e6

SHA1
bf172c7f5ae1a9ceba4e335e70f5a62a52761595

SHA256
43a0a9c6c089634baf34a190e7c05f75e6ff6ab7f5d20d74cff8878dbc7f5fd0

SHA512
272e3913953f70afece69292ad1a41b00c9156d97d34b56c1ed55cc8e9d286216cefc4f219f49ddb323e0bce0ee83caad7afd92a8a33c98e69de3fe0c165c1ec

Download Submit
C:\Windows\{10E900F8-824A-4ff9-81FB-C1D233E4B9C0}.exe

Filesize
197KB

MD5
e994ca8aac935d0e4c2c5f31ddecf1a6

SHA1
941b25c5a0a376aa6a66a8a6cff72d888435bfa8

SHA256
f2c094f98f2055bc031f751a54103775aed2d1115f3a133015924d1af1e5d95d

SHA512
89d56109e52a56d08fa3fe63b3c70b4cfb06d47bed4773fb6594d1fb2d366525b1dcc2f5998a255ee4dcb7f0315c704ec08175f9027b1fea89272199877f59d3

Download Submit
C:\Windows\{14B6EB37-31EC-45b7-B677-C2F1BAD2ED27}.exe

Filesize
197KB

MD5
639b61850bbf4bd626e76a9dc60aab40

SHA1
b56fb7f4d3fb3fbb29ed70907182dd593b67e037

SHA256
903a3a52cbcf3dad07dd6972baa88706d0bf816c6e34d364ec877094c848eac2

SHA512
1d695a8611bf9be9fbb39bc40be278b04912229f7ffa8c5baf7c146898d1bddb695af9c7f1c167a1e01f3920a0348fab810d778791068263d7f04871af634aae

Download Submit
C:\Windows\{297F028B-0400-4db8-85C1-CB748751DAB9}.exe

Filesize
197KB

MD5
ce673a38b32825d4051da0fd04981c0a

SHA1
77e1f03fc930447717d7d8df88fb999f3328f291

SHA256
88bbf2aa40a48257e362374768d66e5247823ae6334ec5c0fdce5017bba996d7

SHA512
151bc5e0cd032a5d6a8720d07f614f07cdbe56565e45ea0e38378f2ec84630ce34ad0d3fc5ef10fb97eb02ee1b6ce299618f717acaf11c6ae0b7f2a6e6329948

Download Submit
C:\Windows\{49D05EA1-57B2-4335-9DC7-14F5ACED30D8}.exe

Filesize
197KB

MD5
b7b0510bca0ebe7a363fc2bd0de56284

SHA1
3a94e00583f0448af396931f017e3f1bb7152470

SHA256
ee510e53e8901709fed5b24d49019b4c7a4508b2b351f8a463b7dca775725c15

SHA512
89e7e6c2f052ff19a30ed50c29dd2d35e675f93e4f7ca90530418f74c22c436eacd1f7d08f2c136548091cb18ca50049305a663018d028d55371493f14e0e276

Download Submit
C:\Windows\{6A731412-976D-4fbb-B00C-CD41EB9C95E5}.exe

Filesize
197KB

MD5
3f5218d145d86bc24447a22140c2d94a

SHA1
63b72aa7a07db078be3be6e4b3d14524f32380ad

SHA256
068bb85fea69dbfb38e24102307f14ab0d16a782b5a3c7f32c995ecb121da561

SHA512
8d302f4ffb279656661ee9c5aec3d928f96cb639f5ae02033fb1f54f3cf312df6dac65368f1f17ec917201c7fe238e2a1a09b0dcab10bf32fae0a16295936c6c

Download Submit
C:\Windows\{715079E9-2436-4d4c-8228-5B76ADAD5007}.exe

Filesize
197KB

MD5
2bd93cb9aa510589b7a51402f23a0cf0

SHA1
ef280a23a0c7e34337c7976027bd16a06a62d141

SHA256
a7747a6cd5ebcd501c7115fdad4f732efeaf976988acd0e8c23c5f800414e382

SHA512
f4cf543334851ce071e37283c1d8900f13e71b92fca2595b391658468de8786236d785baadde3a28558ec1a7a04e3adbadb14843e4b3ff5434e234d562c14fad

Download Submit
C:\Windows\{8D0A6573-6DEE-48a5-B6C9-386081758310}.exe

Filesize
197KB

MD5
56284baddd785cd515ade92408c0fa75

SHA1
49968a39ec76bc62ce16142b6466da27899c6f2d

SHA256
e181294912fa55832c4a792f74b33c79f18a47c5b7c45dc3cea2abb870d3208a

SHA512
4605b6b85a66248a01dd128b9e6b478b00caeefcd0ac4c1bb486a9cc2985efce4634fd1294034c73a719d1818659ef298c602f2b6e66b1ff5acd3a384db89a13

Download Submit
C:\Windows\{AA7F96FF-3C1D-4732-8D89-264CC030F8D6}.exe

Filesize
197KB

MD5
2aba53c1ba2db8ef087dff2593d2f0cb

SHA1
fd5736125096fe809f05c6dbd7a10e6c6ff7a5e7

SHA256
cc117c6e49b2fc2d2370a9971e2bac9b8a941a13cc7fd7b5815e83e70d7aba00

SHA512
52dd13c3a8f71070a88213d44d07c6ec61eddf3eef2c8f12c4ae11f318a4e5a165580cd1f982ba69150be9b7354c8585072effaeab89cfb12352b3cf44496eda

Download Submit
C:\Windows\{B1160B89-4F42-4f18-B457-429EADE546F6}.exe

Filesize
197KB

MD5
5ad9b0eb08fd89d51952d694a7d3f8f5

SHA1
bac3be6cf195455ed5cc9433e4f6cf3cffce56ed

SHA256
152a268cf95cb2d7cd4c3585e724cfbca904a688003401d6068535f7aea5a452

SHA512
145e6de93c35ec9b8ed58536892fd06e969ef19b2e0ff010dfd5a58da25b51be9a0afa536e448ce62de6cc0986e0a4944d2b4fa9d141b1bf79fc1dd28bc41660

Download Submit
C:\Windows\{F5A372D4-392B-4a32-ABF1-EF1A137AD1B7}.exe

Filesize
197KB

MD5
009ed918583ab9f59827707e53d302fc

SHA1
078030ffcec4185f9384370db9ffc058726dcfd0

SHA256
1d3b92294851c2edc7583300b780e3921ef2601f4dffc54c2da219dab56125a7

SHA512
8ecf343054809084b4b6f21f447260842eb4c776cee3c8c621a00bc2302090ead0636bbd8d42cff5ef622e13a72770c4e2532c5d8ac735113d66103464e8a04c

Download Submit
C:\Windows\{FA92D5E7-7EAB-4582-9CEE-5C0C8AFECCAE}.exe

Filesize
197KB

MD5
0dccbf0d95fbbdf1deb3635d8ba59eaa

SHA1
075afe068a891b827b4002a435ec822733b2964b

SHA256
9c5acdb5716fb60b546d8f38563a100a904b013e402a97ed29e9e0e8942b4407

SHA512
f708c58a90af8d2753e091d3cf3043a1a684bad5e695c91fbec4aa8ed95e926a4125c9e29cba339a56b60742b319f5a7acaa5b7d4a60393567a6ca4386b5cbd9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads