ffdedd4d5c15beafb0cf018b71e159340300c7df31a0face94b95022f81a4f18

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Size

204KB
MD5

691ef980cd9dcbabb34ef666a8ae7c76
SHA1

659ecc1d4020b865c0547fa4625e5e45056e9b81
SHA256

ffdedd4d5c15beafb0cf018b71e159340300c7df31a0face94b95022f81a4f18
SHA512

0d10685fe381194581e1701c9ffa52d7e668cdf9d48fc5356a5884eab223bbfded7e730dda2878d22c8479755538e426cc49bf08263ec55f94ddb7220012a9d9
SSDEEP

1536:1EGh0oDGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oql1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fa-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023106-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023208-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023106-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d92-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d93-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d92-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}\stubpath = "C:\\Windows\\{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe"	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC31819-0071-4dc5-9A9A-C9BAF1905330}\stubpath = "C:\\Windows\\{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe"	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}\stubpath = "C:\\Windows\\{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe"	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}\stubpath = "C:\\Windows\\{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe"	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1BEB03-120B-40bc-9492-7B638F512ABF}\stubpath = "C:\\Windows\\{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe"	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}\stubpath = "C:\\Windows\\{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe"	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF8D946-DB73-40f3-9830-E1704741DC85}\stubpath = "C:\\Windows\\{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe"	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1551D4C5-2641-4ae9-8020-7B9096079242}	{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1551D4C5-2641-4ae9-8020-7B9096079242}\stubpath = "C:\\Windows\\{1551D4C5-2641-4ae9-8020-7B9096079242}.exe"	{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}\stubpath = "C:\\Windows\\{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe"	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}\stubpath = "C:\\Windows\\{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe"	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1026374E-563B-41c6-BB58-EFB2D0087E0C}	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1BEB03-120B-40bc-9492-7B638F512ABF}	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC31819-0071-4dc5-9A9A-C9BAF1905330}	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}\stubpath = "C:\\Windows\\{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe"	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1026374E-563B-41c6-BB58-EFB2D0087E0C}\stubpath = "C:\\Windows\\{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe"	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF8D946-DB73-40f3-9830-E1704741DC85}	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe

Executes dropped EXE 12 IoCs

pid	Process
5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe
3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe
1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe
3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe
5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe
3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe
4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe
2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe
3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe
4808	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe
5088	{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe
4404	{1551D4C5-2641-4ae9-8020-7B9096079242}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1551D4C5-2641-4ae9-8020-7B9096079242}.exe	{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe
File created	C:\Windows\{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe
File created	C:\Windows\{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe
File created	C:\Windows\{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe
File created	C:\Windows\{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe
File created	C:\Windows\{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe
File created	C:\Windows\{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe
File created	C:\Windows\{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
File created	C:\Windows\{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe
File created	C:\Windows\{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe
File created	C:\Windows\{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe
File created	C:\Windows\{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4260	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe
Token: SeIncBasePriorityPrivilege	3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe
Token: SeIncBasePriorityPrivilege	1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe
Token: SeIncBasePriorityPrivilege	3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe
Token: SeIncBasePriorityPrivilege	5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe
Token: SeIncBasePriorityPrivilege	3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe
Token: SeIncBasePriorityPrivilege	4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe
Token: SeIncBasePriorityPrivilege	2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe
Token: SeIncBasePriorityPrivilege	3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe
Token: SeIncBasePriorityPrivilege	4808	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe
Token: SeIncBasePriorityPrivilege	5088	{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 5076	4260	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	89
PID 4260 wrote to memory of 5076	4260	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	89
PID 4260 wrote to memory of 5076	4260	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	89
PID 4260 wrote to memory of 5032	4260	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	90
PID 4260 wrote to memory of 5032	4260	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	90
PID 4260 wrote to memory of 5032	4260	2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe	90
PID 5076 wrote to memory of 3384	5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe	93
PID 5076 wrote to memory of 3384	5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe	93
PID 5076 wrote to memory of 3384	5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe	93
PID 5076 wrote to memory of 1116	5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe	94
PID 5076 wrote to memory of 1116	5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe	94
PID 5076 wrote to memory of 1116	5076	{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe	94
PID 3384 wrote to memory of 1608	3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe	97
PID 3384 wrote to memory of 1608	3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe	97
PID 3384 wrote to memory of 1608	3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe	97
PID 3384 wrote to memory of 5056	3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe	96
PID 3384 wrote to memory of 5056	3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe	96
PID 3384 wrote to memory of 5056	3384	{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe	96
PID 1608 wrote to memory of 3404	1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe	99
PID 1608 wrote to memory of 3404	1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe	99
PID 1608 wrote to memory of 3404	1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe	99
PID 1608 wrote to memory of 3320	1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe	98
PID 1608 wrote to memory of 3320	1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe	98
PID 1608 wrote to memory of 3320	1608	{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe	98
PID 3404 wrote to memory of 5040	3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe	100
PID 3404 wrote to memory of 5040	3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe	100
PID 3404 wrote to memory of 5040	3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe	100
PID 3404 wrote to memory of 2364	3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe	101
PID 3404 wrote to memory of 2364	3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe	101
PID 3404 wrote to memory of 2364	3404	{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe	101
PID 5040 wrote to memory of 3600	5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe	102
PID 5040 wrote to memory of 3600	5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe	102
PID 5040 wrote to memory of 3600	5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe	102
PID 5040 wrote to memory of 2524	5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe	103
PID 5040 wrote to memory of 2524	5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe	103
PID 5040 wrote to memory of 2524	5040	{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe	103
PID 3600 wrote to memory of 4472	3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe	104
PID 3600 wrote to memory of 4472	3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe	104
PID 3600 wrote to memory of 4472	3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe	104
PID 3600 wrote to memory of 4676	3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe	105
PID 3600 wrote to memory of 4676	3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe	105
PID 3600 wrote to memory of 4676	3600	{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe	105
PID 4472 wrote to memory of 2936	4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe	106
PID 4472 wrote to memory of 2936	4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe	106
PID 4472 wrote to memory of 2936	4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe	106
PID 4472 wrote to memory of 3012	4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe	107
PID 4472 wrote to memory of 3012	4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe	107
PID 4472 wrote to memory of 3012	4472	{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe	107
PID 2936 wrote to memory of 3096	2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe	108
PID 2936 wrote to memory of 3096	2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe	108
PID 2936 wrote to memory of 3096	2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe	108
PID 2936 wrote to memory of 4880	2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe	109
PID 2936 wrote to memory of 4880	2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe	109
PID 2936 wrote to memory of 4880	2936	{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe	109
PID 3096 wrote to memory of 4808	3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe	110
PID 3096 wrote to memory of 4808	3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe	110
PID 3096 wrote to memory of 4808	3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe	110
PID 3096 wrote to memory of 2912	3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe	111
PID 3096 wrote to memory of 2912	3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe	111
PID 3096 wrote to memory of 2912	3096	{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe	111
PID 4808 wrote to memory of 5088	4808	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe	112
PID 4808 wrote to memory of 5088	4808	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe	112
PID 4808 wrote to memory of 5088	4808	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe	112
PID 4808 wrote to memory of 1312	4808	{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_691ef980cd9dcbabb34ef666a8ae7c76_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe
  C:\Windows\{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe
    C:\Windows\{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC38~1.EXE > nul
      4⤵
      PID:5056
  - - C:\Windows\{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe
      C:\Windows\{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD1BE~1.EXE > nul
        5⤵
        
        PID:3320
    - - C:\Windows\{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe
        
        C:\Windows\{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Windows\{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe
        
        C:\Windows\{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe
        
        C:\Windows\{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe
        
        C:\Windows\{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe
        
        C:\Windows\{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe
        
        C:\Windows\{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe
        
        C:\Windows\{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe
        
        C:\Windows\{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\{1551D4C5-2641-4ae9-8020-7B9096079242}.exe
        
        C:\Windows\{1551D4C5-2641-4ae9-8020-7B9096079242}.exe
        13⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF987~1.EXE > nul
        13⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5017B~1.EXE > nul
        12⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A131B~1.EXE > nul
        11⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47DE3~1.EXE > nul
        10⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFC31~1.EXE > nul
        9⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA3C4~1.EXE > nul
        8⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADF8D~1.EXE > nul
        7⤵
        
        PID:2524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6283~1.EXE > nul
        6⤵
        
        PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10263~1.EXE > nul
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1026374E-563B-41c6-BB58-EFB2D0087E0C}.exe

Filesize
204KB

MD5
d9690d5e1ea0c6a9b635946302f41203

SHA1
e59c9d5c2b9cf13b0185d33a316eaed6227b548f

SHA256
c9413b951b34b9c0363f6e494b6eda4c661040b51074889f2039bea41cb3e6ec

SHA512
094a09e96d9e5450180af010190ef36e5722ddcfcd187abb06a2a8756d4a6501ca3638994700d2169b3303ba290ad7c0aff3d97be402726ac175560700cdae99

Download Submit
C:\Windows\{1551D4C5-2641-4ae9-8020-7B9096079242}.exe

Filesize
204KB

MD5
21f00c9cf701763b22fb9982462f7f87

SHA1
8ef00bac6b32420d7d6608df28473deca7d226df

SHA256
5d329b091f3c52a2c31c75c412c7096f04ab9444d39f340f258dba038dc92efe

SHA512
d7aa9c0c210dcdf9c698a6d3e4def26bd3c9493912e66dfe60023c92f818ff2f0bbbab0acbdc2368fddf81e96c56edadd03c2e4b68ec92d314c2bed086fb512c

Download Submit
C:\Windows\{47DE3DB0-323A-4ca8-96C0-B9B51DFF2E80}.exe

Filesize
204KB

MD5
284e6cc2df83988a580367705f32aa04

SHA1
ce97dc0cbdb528a4b8abb5285e00462d32cde433

SHA256
59c1aecfffaff57e84792d3eb051e89eac3cc4ccabcae73b5082ef6894871dbb

SHA512
4b8f7dd56d1572d66e77ba2f70f0740d9ec6866050209847df69186d5adacaf2e0b75ddfa82501beaf4f9360159c7484b1abaf593597e69ffd11b3b9db336254

Download Submit
C:\Windows\{5017B4F0-D2EE-422d-B9C2-A450BD9FF49F}.exe

Filesize
204KB

MD5
6a7c84b91458ebe8364d3aaf1cde96ea

SHA1
f07204e7ae649be1a25fb9faed624c8bdd0f3e01

SHA256
3840cd9299a4fed2bd02bbb03b880fd5c66e937ba58ad619efb060b7aaf6a95d

SHA512
b8215c490d6ba7a0ef9b319a7ffde223c2e34084212eca83df815ad590d4d19262e3134be4fd0a9504a64b746323f2703d46cfbf8aacabca7409583f6745018a

Download Submit
C:\Windows\{A131BD5E-C72F-4f8d-8F1B-DF568E3CF325}.exe

Filesize
204KB

MD5
2e80b8c429811bf9191829c9797224cc

SHA1
f0bf4be6f124338681a1941954f1f3fb0546ffda

SHA256
fb03e4ae74209c9ba11a0ad37d9b834996c25afd6db306e0b76f10e9911f8b85

SHA512
d956f70cc8ad91d88559261014f2533706ea441188d17c04dd83ef675403fefd95bc04e23f1f81d68b2f6608dc030411b6b2d30cdd0c39cc48b517aefee396b8

Download Submit
C:\Windows\{ADF8D946-DB73-40f3-9830-E1704741DC85}.exe

Filesize
204KB

MD5
38f25bf4953df26ec69bb6132df9bb38

SHA1
148cd307835c7654b82747e7e9c48f788812e189

SHA256
41dacfc151f0a5d130224457547e057c8c1f6eb21025817277174aa1b322dc0e

SHA512
1703f301c7024e5131149f6cc2c946e19d0913422139560334e95d04c156acef264f85dfb1ce8c2e8c08b31618ae3d7ad5729c5826d95a531137e24b26f9df16

Download Submit
C:\Windows\{B6283D70-CA42-43bc-AE30-25E47B0D0C6D}.exe

Filesize
204KB

MD5
6f744105a5406a046d969404c32a9229

SHA1
2b17c344e41a3830a59ed497937e1e03e6763fe5

SHA256
b32d79af4e3d32485a077339f18f0ca1df3e24a56c9920fc3e2a949a85fadd43

SHA512
261ab4929858c3466e71d0b498b2e8cdf29f5b8c3fb59f23cf24ebde9ba91b82b3a552746aaf31f25493cfa0de86193f26818ef7ce59b01004973ae96210a817

Download Submit
C:\Windows\{BD1BEB03-120B-40bc-9492-7B638F512ABF}.exe

Filesize
204KB

MD5
e8b9a90fe2dc424061a084f82630535b

SHA1
6a7aa60d348fecd628c9fbe565c1ba639e055d98

SHA256
c3eefa21de0e790ee2be79c19e9f5937d8e78ea9c07c1909dc4575c15f6c01a2

SHA512
dbefb8753e13d3a68e7bcb58ab61aff411bbe6773c4f66d3606a99adc1e5be545bef74ecdb1bbfba11fbcfdf679516a477302889252d2601f7444f5246b075ee

Download Submit
C:\Windows\{BF9874DF-AD23-4b2d-A2F7-B8F4B07DD999}.exe

Filesize
204KB

MD5
773348c46ffdedda205d33d47305588d

SHA1
b1e8f5d6d361014c3f449f0b7e2f1bc2911a4496

SHA256
40866d1bfb1def34a0482c879d26834bfe3c5f3eaf84c709cd304e89d81689ec

SHA512
38a654e613e5a90b9d5e16e4741ca0a4a59ee3ad427aacbac04a3d291a2d5552f0a19c4f2615c03b8adca2f1add4ef495e0fc28c4686f7a88a829655b3e4ed23

Download Submit
C:\Windows\{DFC31819-0071-4dc5-9A9A-C9BAF1905330}.exe

Filesize
204KB

MD5
d31c435941d5d4eeae9b473630c8c9eb

SHA1
da42b7a22e4061bbe5eaa495a316d1b2df0e3dae

SHA256
306b81833acb94901d2a8696872d0fb5f5e54d0c21b0ea11f39d2d38cbd7da51

SHA512
ac7c4b3c20795ffd05f2f279925383ec487a13bd184a791097dc38b66772c36a4a2f6f4f738e7dc7e966239e8e242968fc6cdb89b5dc12821eac6542b8ec8682

Download Submit
C:\Windows\{EA3C416B-CE71-45d4-A5D2-8EAF24C7CC11}.exe

Filesize
204KB

MD5
988c1e7491ebc6264a0dbd7cad10fa2b

SHA1
c50e7f7aa6b9cd7450697fe4ed03302748c61479

SHA256
ac057d2a77429a492d670630b1afb398df412869224e00e9f41098ce4a887d25

SHA512
787e2d596ed67a20c3b09e1ab9ee6b2ee18ababe8f27e9055210494b5329fa35b86f7cd4353a790a7c603953f629472fc8fb4ca3d96c99effd11315b153e6ace

Download Submit
C:\Windows\{EDC38EC7-5CB1-4346-8D6C-17F788FE0437}.exe

Filesize
204KB

MD5
237c017b472ad142c83b2d17fab46b1d

SHA1
4ebc21c4cee94b9f78206409913746c159c4718d

SHA256
8a1a5368acf79f07ce3a6b97c7fda104a4d59bfd46c8be331eeee188ddf5196e

SHA512
c43a44ebcfcf4729654add796f980aa98e15f0ea5463f9422ed56a355b582dfc9368ae164368d8060b547d4abe76eadd3f44316f8aed30f6bd59f4b5d965fd24

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads