e8c145bff035fb0138727df0641ec496256f98a4745978097763bc395754a4ac

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Size

408KB
MD5

edb97fb23228e6125056ba1ab97ece68
SHA1

5c2442d2a177a62832c456b305e0aa7e8b92f4b7
SHA256

e8c145bff035fb0138727df0641ec496256f98a4745978097763bc395754a4ac
SHA512

9ee4efe15b9289901f249ee65135a189a077d9834ddc4044e52de0f78e2b8f816b4337c8f76d235f9fb510c50d17da202033fd1a1b9824b3cb3767d9cb5e2820
SSDEEP

3072:CEGh0oEl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGCldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e413-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e413-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023223-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023229-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023223-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD679D59-2360-4b09-A125-9B05F8671091}	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DF35D92-DAC6-496b-B378-00C8CF79478F}\stubpath = "C:\\Windows\\{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe"	{18148869-A66D-487d-89EA-173676DE5BF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}\stubpath = "C:\\Windows\\{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe"	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}\stubpath = "C:\\Windows\\{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe"	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}	{FD679D59-2360-4b09-A125-9B05F8671091}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}\stubpath = "C:\\Windows\\{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}.exe"	{FD679D59-2360-4b09-A125-9B05F8671091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18148869-A66D-487d-89EA-173676DE5BF6}	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DF35D92-DAC6-496b-B378-00C8CF79478F}	{18148869-A66D-487d-89EA-173676DE5BF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B49257-6AD1-45b1-B330-6AA8F635B9C9}	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D29E0D9-BCF9-4540-BF22-9123A222972C}	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}\stubpath = "C:\\Windows\\{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe"	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}\stubpath = "C:\\Windows\\{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe"	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18148869-A66D-487d-89EA-173676DE5BF6}\stubpath = "C:\\Windows\\{18148869-A66D-487d-89EA-173676DE5BF6}.exe"	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B49257-6AD1-45b1-B330-6AA8F635B9C9}\stubpath = "C:\\Windows\\{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe"	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D29E0D9-BCF9-4540-BF22-9123A222972C}\stubpath = "C:\\Windows\\{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe"	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}\stubpath = "C:\\Windows\\{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe"	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}\stubpath = "C:\\Windows\\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe"	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD679D59-2360-4b09-A125-9B05F8671091}\stubpath = "C:\\Windows\\{FD679D59-2360-4b09-A125-9B05F8671091}.exe"	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe
1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe
4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe
4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe
4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe
2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe
2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe
2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe
3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe
816	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe
4656	{FD679D59-2360-4b09-A125-9B05F8671091}.exe
3620	{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe
File created	C:\Windows\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe
File created	C:\Windows\{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe
File created	C:\Windows\{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe
File created	C:\Windows\{FD679D59-2360-4b09-A125-9B05F8671091}.exe	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe
File created	C:\Windows\{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}.exe	{FD679D59-2360-4b09-A125-9B05F8671091}.exe
File created	C:\Windows\{18148869-A66D-487d-89EA-173676DE5BF6}.exe	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
File created	C:\Windows\{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe	{18148869-A66D-487d-89EA-173676DE5BF6}.exe
File created	C:\Windows\{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe
File created	C:\Windows\{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe
File created	C:\Windows\{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe
File created	C:\Windows\{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4908	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe
Token: SeIncBasePriorityPrivilege	1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe
Token: SeIncBasePriorityPrivilege	4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe
Token: SeIncBasePriorityPrivilege	4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe
Token: SeIncBasePriorityPrivilege	4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe
Token: SeIncBasePriorityPrivilege	2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe
Token: SeIncBasePriorityPrivilege	2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe
Token: SeIncBasePriorityPrivilege	2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe
Token: SeIncBasePriorityPrivilege	3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe
Token: SeIncBasePriorityPrivilege	816	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe
Token: SeIncBasePriorityPrivilege	4656	{FD679D59-2360-4b09-A125-9B05F8671091}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3016	4908	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	84
PID 4908 wrote to memory of 3016	4908	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	84
PID 4908 wrote to memory of 3016	4908	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	84
PID 4908 wrote to memory of 4460	4908	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	85
PID 4908 wrote to memory of 4460	4908	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	85
PID 4908 wrote to memory of 4460	4908	2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe	85
PID 3016 wrote to memory of 1632	3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe	93
PID 3016 wrote to memory of 1632	3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe	93
PID 3016 wrote to memory of 1632	3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe	93
PID 3016 wrote to memory of 4736	3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe	94
PID 3016 wrote to memory of 4736	3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe	94
PID 3016 wrote to memory of 4736	3016	{18148869-A66D-487d-89EA-173676DE5BF6}.exe	94
PID 1632 wrote to memory of 4196	1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe	96
PID 1632 wrote to memory of 4196	1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe	96
PID 1632 wrote to memory of 4196	1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe	96
PID 1632 wrote to memory of 3908	1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe	97
PID 1632 wrote to memory of 3908	1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe	97
PID 1632 wrote to memory of 3908	1632	{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe	97
PID 4196 wrote to memory of 4540	4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe	98
PID 4196 wrote to memory of 4540	4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe	98
PID 4196 wrote to memory of 4540	4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe	98
PID 4196 wrote to memory of 376	4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe	99
PID 4196 wrote to memory of 376	4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe	99
PID 4196 wrote to memory of 376	4196	{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe	99
PID 4540 wrote to memory of 4084	4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe	100
PID 4540 wrote to memory of 4084	4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe	100
PID 4540 wrote to memory of 4084	4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe	100
PID 4540 wrote to memory of 2216	4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe	101
PID 4540 wrote to memory of 2216	4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe	101
PID 4540 wrote to memory of 2216	4540	{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe	101
PID 4084 wrote to memory of 2160	4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe	102
PID 4084 wrote to memory of 2160	4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe	102
PID 4084 wrote to memory of 2160	4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe	102
PID 4084 wrote to memory of 4512	4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe	103
PID 4084 wrote to memory of 4512	4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe	103
PID 4084 wrote to memory of 4512	4084	{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe	103
PID 2160 wrote to memory of 2332	2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe	105
PID 2160 wrote to memory of 2332	2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe	105
PID 2160 wrote to memory of 2332	2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe	105
PID 2160 wrote to memory of 3984	2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe	104
PID 2160 wrote to memory of 3984	2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe	104
PID 2160 wrote to memory of 3984	2160	{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe	104
PID 2332 wrote to memory of 2736	2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe	106
PID 2332 wrote to memory of 2736	2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe	106
PID 2332 wrote to memory of 2736	2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe	106
PID 2332 wrote to memory of 3416	2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe	107
PID 2332 wrote to memory of 3416	2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe	107
PID 2332 wrote to memory of 3416	2332	{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe	107
PID 2736 wrote to memory of 3136	2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe	108
PID 2736 wrote to memory of 3136	2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe	108
PID 2736 wrote to memory of 3136	2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe	108
PID 2736 wrote to memory of 2360	2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe	109
PID 2736 wrote to memory of 2360	2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe	109
PID 2736 wrote to memory of 2360	2736	{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe	109
PID 3136 wrote to memory of 816	3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe	110
PID 3136 wrote to memory of 816	3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe	110
PID 3136 wrote to memory of 816	3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe	110
PID 3136 wrote to memory of 3900	3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe	111
PID 3136 wrote to memory of 3900	3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe	111
PID 3136 wrote to memory of 3900	3136	{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe	111
PID 816 wrote to memory of 4656	816	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe	112
PID 816 wrote to memory of 4656	816	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe	112
PID 816 wrote to memory of 4656	816	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe	112
PID 816 wrote to memory of 1360	816	{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_edb97fb23228e6125056ba1ab97ece68_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\{18148869-A66D-487d-89EA-173676DE5BF6}.exe
  C:\Windows\{18148869-A66D-487d-89EA-173676DE5BF6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe
    C:\Windows\{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe
      C:\Windows\{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Windows\{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe
        
        C:\Windows\{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe
        
        C:\Windows\{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe
        
        C:\Windows\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D917~1.EXE > nul
        8⤵
        
        PID:3984
        
        C:\Windows\{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe
        
        C:\Windows\{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe
        
        C:\Windows\{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe
        
        C:\Windows\{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe
        
        C:\Windows\{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{FD679D59-2360-4b09-A125-9B05F8671091}.exe
        
        C:\Windows\{FD679D59-2360-4b09-A125-9B05F8671091}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}.exe
        
        C:\Windows\{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}.exe
        13⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD679~1.EXE > nul
        13⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBB4A~1.EXE > nul
        12⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C1FA~1.EXE > nul
        11⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9996~1.EXE > nul
        10⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C399~1.EXE > nul
        9⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD63~1.EXE > nul
        7⤵
        
        PID:4512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D29E~1.EXE > nul
        6⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21B49~1.EXE > nul
        5⤵
        
        PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3DF35~1.EXE > nul
      4⤵
      PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18148~1.EXE > nul
    3⤵
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AD6359B-0030-4dc8-BED3-6DCB1E87E189}.exe

Filesize
408KB

MD5
c012c95deccb0a54590908ed89043f30

SHA1
c63903019cc35267ff81c118995037ecc9dd61f7

SHA256
c50cbe4e4414d6e5294e8e7146d17601153da5fe24d959994232d7955a42b9e4

SHA512
acf81624558460acd86dca35a8f1964b3ec8e2e53d76cacf49f9f1371cd03f3532e2509580c13e1d506f8c15fb786ca94cbdeebcaf0f50990639d5cc087cc16a

Download Submit
C:\Windows\{18148869-A66D-487d-89EA-173676DE5BF6}.exe

Filesize
408KB

MD5
ab36b869afc944864077690216243d28

SHA1
fd3587ca539783129a5a43f178dd674109a732e6

SHA256
53db7ba84ab1e7352507396ce9d05d9882bef59f16f74723f9d933668212e84a

SHA512
653911daab84c8c888ea4e2672db5292ad25ba6d19b47748562de5d3095880658907b068ffd160299f0bf5fb3e6284ac1bbf78b7ce7c3cde48cc0a97b7f0dac8

Download Submit
C:\Windows\{18148869-A66D-487d-89EA-173676DE5BF6}.exe

Filesize
322KB

MD5
1bf81884580bb3b07cb0e1efd7f2c595

SHA1
eecfce803cb6f5a1befca34d2bbb3c663e8a5233

SHA256
bbf43a7871d49af29d13463dd4d630e71baa311eedc5598ad1933d1d708957e3

SHA512
6103c7c1f31a6eb0231490a70b1b5e2b7321418903547c903bc57ff131b9c6b3c2c964a28c4bba30d841468b2063d81b82888262e4a7545b4cb888cc8272fe12

Download Submit
C:\Windows\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe

Filesize
408KB

MD5
df27b72dcabbd56fd1ea713142f6040e

SHA1
a83ef797329487c5b0d4cb4e886b7429bccb2d2e

SHA256
3f1f8fe7f2a9628f4ae92dc2e62674246fbb5b29a1a43f23aec58c96d61a2c1d

SHA512
a32cc5a6215de6c89d243eb2f5d36d0f679cc1da4ca0ec92c0defce1d2a05ced3e42575fc2e333fffe17898208f6d3690d2f4cfb8efbc737dbcb484b3b52dc01

Download Submit
C:\Windows\{1D9179A7-E0FA-4d40-9B5B-33CEC8D3CF45}.exe

Filesize
375KB

MD5
8d0a191e3554313f2fe42912582f02fb

SHA1
c79f47b6cebfa707fa9a593e3cee3d2aee8bdb27

SHA256
a90f1e927a94748564ab7d6fdc74cce36b339d327b7faf86cdf0a97babffb2ac

SHA512
2abf713edc027a655485c9691cc1fee2a3e65131c55add23576560f85ae1c5b736dc87cbba31323bdfe302d7ac155b2851710e5e7655dd2e26cf0fcdc367f465

Download Submit
C:\Windows\{21B49257-6AD1-45b1-B330-6AA8F635B9C9}.exe

Filesize
408KB

MD5
0cc9cd646e31835ee63f72f18cafbc4b

SHA1
46a0b37420ced1b458e77e58b0b1ae79707c8951

SHA256
77cb6d88f8adb18f97b77d00c4904c893103d5863e055da220d8a5a35f467aa2

SHA512
3157a61d7315d490b25413733c9b2b06c958bd985190afc8ea7305f53ba5572cd4c05a877edf5f9cc6a0848011e5972e57ef37bd8c01326fb04f181740e2107a

Download Submit
C:\Windows\{2C1FAFE5-C57F-4d1b-9A7E-834F01FAB2F5}.exe

Filesize
408KB

MD5
4854f460350249fec8ec08962bc42403

SHA1
a88a8bdc49ef621333f2ee70536ee4d6e318943f

SHA256
758e4f2a2e2760a5fde4ccec9b63ef9e17b7ab50c71f3fa08ff97ca8ed7749a7

SHA512
ef312ce340b3e895eeec363f325607eb8f06887c8cea4a2ffef613f7174bdaea72b80fe15e88b5f3c4b1650a7ec70afa5468fb79bfdc5f60e429f32a5ca1dd0c

Download Submit
C:\Windows\{3DF35D92-DAC6-496b-B378-00C8CF79478F}.exe

Filesize
408KB

MD5
3db8d783cfee6a502ca21d62ecd4e35b

SHA1
d24f2d44f34a3a601101f8edcd1879e34376614b

SHA256
f236d573fd352970090be9ab9cd257ce4be1eb250bafb0536f7fd3d0718b9a10

SHA512
0217a6795ae89116e31c4039f23e6c4dff901840caf09fd393a408123ac61b49bd0122e2687e805ebfe944c84dd65fcc138dba62e3d73b9e32cdb34c925a03ad

Download Submit
C:\Windows\{6D29E0D9-BCF9-4540-BF22-9123A222972C}.exe

Filesize
408KB

MD5
a5934a229b3416736f4cd63d12738ba4

SHA1
5acee48e01f80b779fb1d360f67363c1a2cf56cf

SHA256
ff28dcd496661de1e1a2b3c23702127e5b0019aa5c9b3e5e647b40e440063a48

SHA512
a699d86f5a5b096659bc0e9ebf8279d0871ec29f775fc1e84e62a5407f3958f1014b5dc8803ae82fa4e5de3f2cfa953968a6abde802af03ae4cb12a7b1967eb5

Download Submit
C:\Windows\{9C399A99-F185-4ed8-9DEC-10EE8F16F99C}.exe

Filesize
408KB

MD5
ff705103ea97b2b2270895bb6785926f

SHA1
92d2f81a27cb458ae0983207949fb12bc86707fe

SHA256
3cc2e2b36f0e874da276fe42e28af0dc0f326449f5609d2459890cc0055a879f

SHA512
8e081a5a5f0e8adf530e2cec962a0aca91edfb9ea641a31fabd5b27abac529d4a61e684b5e407c23b6febc72752d376172eff6bcf6f0f56aeb81a3f06b9b2bb9

Download Submit
C:\Windows\{BBB4AF54-3D7E-40da-A28C-A1C3252BCB5C}.exe

Filesize
408KB

MD5
9a70eb4fbbe33c8eba5e1ed78b8e78fb

SHA1
e3bac9997d81d5932c281053cf17d9307ea9f001

SHA256
8092ab019903e2175ae10b4e9dd83a102fdc352fcab0dae082df710a228f4bd6

SHA512
4ac86baf25b8dc9c35ae55ce7aef02010c6bff39d89d7ab1777361733d0734712c69f04449fc55e613a50c365f2ad7cae2b751abdce5eefbdc7c335d79f73219

Download Submit
C:\Windows\{E0EDA063-7B4E-4b82-9682-AD703E7F1F03}.exe

Filesize
408KB

MD5
3c1165cbebc2ddc3245d2dd743f17180

SHA1
6b23ae930276016086f672d45a01b3c0408f6228

SHA256
bbeb7bf5f45d6e0c24333ab9e7e97fbca312eef1e515aabc93a44bdc7f6047a7

SHA512
059c2df61b8f71435a87adbdf3621247304b2fc34555efb8d0e9103534f6d0966884a089f590dfbc87d9d5895ae84ba203ae43a053bf038d242c8315de56a571

Download Submit
C:\Windows\{F9996D5A-C68F-4f26-AFC3-D9D3633DE8C2}.exe

Filesize
408KB

MD5
6238bfd4095f592a2b84de53412769a8

SHA1
483ef3a5399b48bb0ca6ec16a81ae43f76149325

SHA256
8dfa2305e09152c050b7b789cf0fa8fd3dde6e6a601fbc7efdac273b0bf8a326

SHA512
446cc7098d057f9f3faf555de70a06ea32dd02e70f7767ff185217676b9a27fea1cf6c89841cf879a86a3cd7a6c5dc48b09c02b98398837d7f3e5fa858029285

Download Submit
C:\Windows\{FD679D59-2360-4b09-A125-9B05F8671091}.exe

Filesize
408KB

MD5
dacb78290a853daf600b633544258804

SHA1
5a3e5bbd57517e8f789e7e498ffecbdedfbcabdc

SHA256
93da430fce691bcc340316d445a6681e91dd8b021ebcc3c0df616c69047897dd

SHA512
efe9b9e698c57b4f4a737846ccdddc5989a11bb237ee4144887ab043aa6ae94029f56987001982ae9adbc3d91a4abe271b287f2436c5fc0601ab9338ba87a795

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads