27c5c1359062d74db18eb6016eeacf9353b1d947fb999970485418003498a246

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Size

408KB
MD5

9658e0d58bd8127d42e2598f9331ab02
SHA1

f37c3c2802f59b27cec19943f33576ab8663670d
SHA256

27c5c1359062d74db18eb6016eeacf9353b1d947fb999970485418003498a246
SHA512

a3ee60a013943f21de5c9d504b3d3ed9aadfe31db06c2c02cccbdcfaf36fe5b0ebe67ab5b4d72561e76f021eb0f0fe3065c011507296c28402c7f15e251861d3
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG1ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023214-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023215-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023215-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82F37170-0A94-48ce-BB84-55FB27619156}\stubpath = "C:\\Windows\\{82F37170-0A94-48ce-BB84-55FB27619156}.exe"	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388EFD44-2D3E-423b-8863-24F4636AE7A2}	{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}\stubpath = "C:\\Windows\\{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe"	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E6E862-E3C5-4c76-B9F4-531184AC11DE}	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}\stubpath = "C:\\Windows\\{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe"	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82F37170-0A94-48ce-BB84-55FB27619156}	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DDD551C-64C6-4993-A81F-576709459FE5}	{82F37170-0A94-48ce-BB84-55FB27619156}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFC6F225-8E68-45ee-A91C-DE9152B50997}	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DDD551C-64C6-4993-A81F-576709459FE5}\stubpath = "C:\\Windows\\{2DDD551C-64C6-4993-A81F-576709459FE5}.exe"	{82F37170-0A94-48ce-BB84-55FB27619156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}\stubpath = "C:\\Windows\\{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe"	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}\stubpath = "C:\\Windows\\{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe"	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900E7BA6-CA6A-4747-A38B-52714909D4A1}	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900E7BA6-CA6A-4747-A38B-52714909D4A1}\stubpath = "C:\\Windows\\{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe"	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E6E862-E3C5-4c76-B9F4-531184AC11DE}\stubpath = "C:\\Windows\\{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe"	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}\stubpath = "C:\\Windows\\{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe"	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFA68BA1-874B-4288-97C7-126229F44DE3}	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFA68BA1-874B-4288-97C7-126229F44DE3}\stubpath = "C:\\Windows\\{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe"	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFC6F225-8E68-45ee-A91C-DE9152B50997}\stubpath = "C:\\Windows\\{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe"	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388EFD44-2D3E-423b-8863-24F4636AE7A2}\stubpath = "C:\\Windows\\{388EFD44-2D3E-423b-8863-24F4636AE7A2}.exe"	{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe

Executes dropped EXE 12 IoCs

pid	Process
4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe
2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe
3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe
1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe
4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe
4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe
1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe
4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe
1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe
4384	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe
4092	{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe
1148	{388EFD44-2D3E-423b-8863-24F4636AE7A2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
File created	C:\Windows\{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe
File created	C:\Windows\{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe
File created	C:\Windows\{82F37170-0A94-48ce-BB84-55FB27619156}.exe	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe
File created	C:\Windows\{2DDD551C-64C6-4993-A81F-576709459FE5}.exe	{82F37170-0A94-48ce-BB84-55FB27619156}.exe
File created	C:\Windows\{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe
File created	C:\Windows\{388EFD44-2D3E-423b-8863-24F4636AE7A2}.exe	{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe
File created	C:\Windows\{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe
File created	C:\Windows\{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe
File created	C:\Windows\{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe
File created	C:\Windows\{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe
File created	C:\Windows\{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3684	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe
Token: SeIncBasePriorityPrivilege	2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe
Token: SeIncBasePriorityPrivilege	3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe
Token: SeIncBasePriorityPrivilege	1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe
Token: SeIncBasePriorityPrivilege	4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe
Token: SeIncBasePriorityPrivilege	4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe
Token: SeIncBasePriorityPrivilege	1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe
Token: SeIncBasePriorityPrivilege	4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe
Token: SeIncBasePriorityPrivilege	1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe
Token: SeIncBasePriorityPrivilege	4384	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe
Token: SeIncBasePriorityPrivilege	4092	{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4620	3684	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	91
PID 3684 wrote to memory of 4620	3684	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	91
PID 3684 wrote to memory of 4620	3684	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	91
PID 3684 wrote to memory of 1328	3684	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	92
PID 3684 wrote to memory of 1328	3684	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	92
PID 3684 wrote to memory of 1328	3684	2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe	92
PID 4620 wrote to memory of 2992	4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe	93
PID 4620 wrote to memory of 2992	4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe	93
PID 4620 wrote to memory of 2992	4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe	93
PID 4620 wrote to memory of 4276	4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe	94
PID 4620 wrote to memory of 4276	4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe	94
PID 4620 wrote to memory of 4276	4620	{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe	94
PID 2992 wrote to memory of 3176	2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe	96
PID 2992 wrote to memory of 3176	2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe	96
PID 2992 wrote to memory of 3176	2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe	96
PID 2992 wrote to memory of 2296	2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe	97
PID 2992 wrote to memory of 2296	2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe	97
PID 2992 wrote to memory of 2296	2992	{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe	97
PID 3176 wrote to memory of 1924	3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe	98
PID 3176 wrote to memory of 1924	3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe	98
PID 3176 wrote to memory of 1924	3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe	98
PID 3176 wrote to memory of 4892	3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe	99
PID 3176 wrote to memory of 4892	3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe	99
PID 3176 wrote to memory of 4892	3176	{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe	99
PID 1924 wrote to memory of 4656	1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe	100
PID 1924 wrote to memory of 4656	1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe	100
PID 1924 wrote to memory of 4656	1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe	100
PID 1924 wrote to memory of 1640	1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe	101
PID 1924 wrote to memory of 1640	1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe	101
PID 1924 wrote to memory of 1640	1924	{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe	101
PID 4656 wrote to memory of 4820	4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe	102
PID 4656 wrote to memory of 4820	4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe	102
PID 4656 wrote to memory of 4820	4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe	102
PID 4656 wrote to memory of 2512	4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe	103
PID 4656 wrote to memory of 2512	4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe	103
PID 4656 wrote to memory of 2512	4656	{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe	103
PID 4820 wrote to memory of 1840	4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe	104
PID 4820 wrote to memory of 1840	4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe	104
PID 4820 wrote to memory of 1840	4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe	104
PID 4820 wrote to memory of 3540	4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe	105
PID 4820 wrote to memory of 3540	4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe	105
PID 4820 wrote to memory of 3540	4820	{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe	105
PID 1840 wrote to memory of 4460	1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe	106
PID 1840 wrote to memory of 4460	1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe	106
PID 1840 wrote to memory of 4460	1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe	106
PID 1840 wrote to memory of 3476	1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe	107
PID 1840 wrote to memory of 3476	1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe	107
PID 1840 wrote to memory of 3476	1840	{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe	107
PID 4460 wrote to memory of 1808	4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe	108
PID 4460 wrote to memory of 1808	4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe	108
PID 4460 wrote to memory of 1808	4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe	108
PID 4460 wrote to memory of 3992	4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe	109
PID 4460 wrote to memory of 3992	4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe	109
PID 4460 wrote to memory of 3992	4460	{82F37170-0A94-48ce-BB84-55FB27619156}.exe	109
PID 1808 wrote to memory of 4384	1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe	110
PID 1808 wrote to memory of 4384	1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe	110
PID 1808 wrote to memory of 4384	1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe	110
PID 1808 wrote to memory of 1288	1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe	111
PID 1808 wrote to memory of 1288	1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe	111
PID 1808 wrote to memory of 1288	1808	{2DDD551C-64C6-4993-A81F-576709459FE5}.exe	111
PID 4384 wrote to memory of 4092	4384	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe	112
PID 4384 wrote to memory of 4092	4384	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe	112
PID 4384 wrote to memory of 4092	4384	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe	112
PID 4384 wrote to memory of 3256	4384	{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_9658e0d58bd8127d42e2598f9331ab02_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe
  C:\Windows\{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe
    C:\Windows\{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe
      C:\Windows\{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Windows\{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe
        
        C:\Windows\{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Windows\{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe
        
        C:\Windows\{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe
        
        C:\Windows\{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe
        
        C:\Windows\{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{82F37170-0A94-48ce-BB84-55FB27619156}.exe
        
        C:\Windows\{82F37170-0A94-48ce-BB84-55FB27619156}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{2DDD551C-64C6-4993-A81F-576709459FE5}.exe
        
        C:\Windows\{2DDD551C-64C6-4993-A81F-576709459FE5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe
        
        C:\Windows\{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe
        
        C:\Windows\{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\{388EFD44-2D3E-423b-8863-24F4636AE7A2}.exe
        
        C:\Windows\{388EFD44-2D3E-423b-8863-24F4636AE7A2}.exe
        13⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFC6F~1.EXE > nul
        13⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFA68~1.EXE > nul
        12⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DDD5~1.EXE > nul
        11⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82F37~1.EXE > nul
        10⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A5C5~1.EXE > nul
        9⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E806~1.EXE > nul
        8⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09E6E~1.EXE > nul
        7⤵
        
        PID:2512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{900E7~1.EXE > nul
        6⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9E6~1.EXE > nul
        5⤵
        
        PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5A7E~1.EXE > nul
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4FA4D~1.EXE > nul
    3⤵
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09E6E862-E3C5-4c76-B9F4-531184AC11DE}.exe

Filesize
408KB

MD5
e7988481f5974ebed403655c884d9f7b

SHA1
c5cc6749beb1ca5b913e87e35270344499cc7aa4

SHA256
4101e7b27d4cc2988fd488921239992ff20b899eab74ad19611947211f55669b

SHA512
3f97c628514283fd480405d9dca077a51041a5fe874cf291c759b1f5735224929ea629b4a0c568759a357a9340c02b9ee7b226e0dd9d4b7eeb426164ecbb052c

Download Submit
C:\Windows\{2DDD551C-64C6-4993-A81F-576709459FE5}.exe

Filesize
408KB

MD5
79569ae1c373523cdf76b75a78438d31

SHA1
0dc44cb4457db2b9e1ae8eeae7c10f05abf112bf

SHA256
837192db467ef0ffb1d95fcffcbe7ef927c4b73575d44370dcd1c975a93949fd

SHA512
701d9c6b3372f3ebf36ab0c142b56300be5f1049596d154fb5fb8cae059a4ad466c01f4041c706981bbcc77e5ec774c8f64449679f983555eaa25027044d70a0

Download Submit
C:\Windows\{2E806558-3A94-45e2-9A0E-DA4CF6600AD0}.exe

Filesize
408KB

MD5
00c9b601c288a38fffe77996999a2058

SHA1
1d54438229a4e8d4a6c73c15f1a15907340cc1c2

SHA256
7ca4b588e5aa4394479b3c393869094cec41a315bba5d0bc736cad1ee7319052

SHA512
a744d47c4e6911a8b1236f0c361c034b9c2481419509a8feebdf7e19ece4c5cf07d3df55aaec0cee2f254984574381e29d7f636bf54fc0a8f4d7de92eeb6fd51

Download Submit
C:\Windows\{388EFD44-2D3E-423b-8863-24F4636AE7A2}.exe

Filesize
408KB

MD5
da877b026b3df6e1774caf6b16d30ba1

SHA1
c835b93ed8f675b1a9eb92a1052b73eb63566a68

SHA256
5245f983a8b6b4f8f579cb372d501a07ad45240b3cfa607d186116a82a8bd72b

SHA512
ef6be3ae35b3b81eaa7b62b62efdad21d01fc043b46f8728ccc3f0be4170dd372f29ccb4bfa37d585f50077abe6e40a9c4c309055a69bc5455bd3d85ee2c3b09

Download Submit
C:\Windows\{4FA4DD9C-EFDC-413e-B543-C58F4EA8CD95}.exe

Filesize
408KB

MD5
9f7c2ad29b246311bd878fae4fad0c27

SHA1
f9e42b61b2c5be357be7144fead3adba761d4c32

SHA256
e2c2858395bec66f7cf1be9aa05eadf8590a059a7e275f4fa6e3331ae9847e3b

SHA512
32dd1d6655c7aad82eac5ad212f1f5eba2efff0b5d792d7081c2e57c9eec0ef40159591e4b67b80068bf66eba9ec60bb7e9c6428b84f55b370e53f788a594d12

Download Submit
C:\Windows\{5A5C5A24-372E-4258-A0C3-CF7D684BBCC3}.exe

Filesize
408KB

MD5
c3bb13d3a5dd3035fc3622d991d948e2

SHA1
01e8f693d7879fb3b47ebab0f6d042d4fbb12246

SHA256
f3375f3132bcf0acf554dd9d8761de70453c9870113989f66c66299305e026c5

SHA512
b1568aadfc3edebc7828cc5b40000edc2935448500498ccd3bd750a136a733c2a64da7b9be952d7ed3625df3279674382cd7e742f2edc4f07aeb6e9691cc0ca6

Download Submit
C:\Windows\{82F37170-0A94-48ce-BB84-55FB27619156}.exe

Filesize
408KB

MD5
a7bd9ae236c81130c1d1f70c19da735e

SHA1
0e86aae28b14aec7ca61f99d9106c2a17eac4c65

SHA256
de77797088097befb276697fdeb51b6304b894fe17f1e7755071b611faa82795

SHA512
edad5866be45fed570a997cb440d234eed5508da0ee85bc0ded20e0ea4eadaedc624de0f3e188558a8f8712a671f4f22ffde21229066fff065375361a4b6f673

Download Submit
C:\Windows\{900E7BA6-CA6A-4747-A38B-52714909D4A1}.exe

Filesize
408KB

MD5
fdd55a6aafd132b4041c8149b5267b45

SHA1
e68455ac2a1abeff454a4b811524bb7a140b50c2

SHA256
8725f44decf36bbe1640fad4ada14cfb40d20ac9dea2cd0e009c762858b9599a

SHA512
21a78258b23e8bd4ba39b4dcb2cb03ce53de3fc9ed1dcd8c16d23ff0bcb90bd78293cff9ff673c1af83f4727a27add77975660fd8e24580036cfcd19abaf1663

Download Submit
C:\Windows\{AA9E6A79-E7AB-4f8c-B36E-00CF8CFE2606}.exe

Filesize
408KB

MD5
677e47631f1520c7174b7d0cc49def8f

SHA1
87a310d4b4f7d123eaadb4dcc8e6fd4fac8b721f

SHA256
f2e76ff70d75097fe987a3e07208ed602b2bae87051817ce121597c4ff0db810

SHA512
35d94e5678fe2bed4fb3216e2536e1aff3846e6ad476a983106f29312ce522237ab2dd01fea1caef70bc7aa4b14164fd023f7b3ee7c913fd6a45865156de96ba

Download Submit
C:\Windows\{BFC6F225-8E68-45ee-A91C-DE9152B50997}.exe

Filesize
408KB

MD5
c83a726bca922c424f322cf7efff9957

SHA1
bcab103f70855713519ecc3bcc0e9f60c9dc8680

SHA256
5ea15051ada8a526e9bb9619e3ce57105a81addfb5839ff453b72243d80174cc

SHA512
d139dc20e5b5d193953a66406b9a0bf0049978fdb1210cc7049db45ee20605d8276974a4b521941425cf9370468b5a72b952747a49aa55010abae2d72337af95

Download Submit
C:\Windows\{CFA68BA1-874B-4288-97C7-126229F44DE3}.exe

Filesize
408KB

MD5
c36c6603779f7fb498745cda094b1530

SHA1
71ee273f93a99e88d6523bb38137786c9a742313

SHA256
8cbee9fed1cf71034db2287df7df0df7cfc003ed6ef823e3599a9da9a4b87b7b

SHA512
8b5beffa27db98993c8e2790335ed8ca0d14c8eb11052f3b357688604fadf3b28bd5ccce449a88e8c9c2fba8f9e31688d96ff2c6e73877a9d3e0351f11a38585

Download Submit
C:\Windows\{F5A7EA6F-6466-4d32-BAD7-0C85638B01DD}.exe

Filesize
408KB

MD5
8d6f2f2da1f37307be6bc1aba949c1f8

SHA1
e6a0f2754c2424ce7a28502fe92a31bb4e2952dc

SHA256
4e7d12defffa79f6bd3fc445a21a66522902ef4db5e51f798b8ff5650dce4c2b

SHA512
4300c4adeafb7971b900f51646adc5d380edcbc264554faf0d39acf101fb141ce28658e0b9e910690216f2050c506da7d1c73391d88500e35aa761619ae51931

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads