566a6f94c75b8bcb4432c6964fa94f373e7e9b059c9b49ef9cef6b4068537d7d

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 14:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Size

344KB
MD5

7af93560dfe168c250f011a545317e9f
SHA1

c96d46a02263c00dd052444d1fa0f47eab85fa1c
SHA256

566a6f94c75b8bcb4432c6964fa94f373e7e9b059c9b49ef9cef6b4068537d7d
SHA512

9982863b97db4fa25481724641cca1e0b93516cc3fc8c411df39bc2321542edc582d06ec7fe40360b7912172d530e504a2e11bb8085dea8fa955fe6b610022fb
SSDEEP

3072:mEGh0oblEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fc-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231fc-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231f6-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023208-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231f6-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEEF3768-96B5-445a-90BA-9BAEE606E112}	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316171B8-4D03-4823-8481-FA54476A1E7B}\stubpath = "C:\\Windows\\{316171B8-4D03-4823-8481-FA54476A1E7B}.exe"	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45471AC6-F5BF-4aac-AD94-0A84A402BB31}	{316171B8-4D03-4823-8481-FA54476A1E7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3300B959-BE1A-4d00-8B9A-888C4E2741A1}\stubpath = "C:\\Windows\\{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe"	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}\stubpath = "C:\\Windows\\{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe"	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEEF3768-96B5-445a-90BA-9BAEE606E112}\stubpath = "C:\\Windows\\{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe"	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7431CD1C-C50C-497b-BB1C-EC514798915A}	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316171B8-4D03-4823-8481-FA54476A1E7B}	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7431CD1C-C50C-497b-BB1C-EC514798915A}\stubpath = "C:\\Windows\\{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe"	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3300B959-BE1A-4d00-8B9A-888C4E2741A1}	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}\stubpath = "C:\\Windows\\{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe"	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}\stubpath = "C:\\Windows\\{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe"	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}\stubpath = "C:\\Windows\\{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe"	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96EE9D4-13E0-46af-B857-8073505919CC}\stubpath = "C:\\Windows\\{A96EE9D4-13E0-46af-B857-8073505919CC}.exe"	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}\stubpath = "C:\\Windows\\{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe"	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}\stubpath = "C:\\Windows\\{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe"	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45471AC6-F5BF-4aac-AD94-0A84A402BB31}\stubpath = "C:\\Windows\\{45471AC6-F5BF-4aac-AD94-0A84A402BB31}.exe"	{316171B8-4D03-4823-8481-FA54476A1E7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96EE9D4-13E0-46af-B857-8073505919CC}	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe
4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe
5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe
472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe
1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe
228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe
3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe
2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe
3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe
4464	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe
1272	{316171B8-4D03-4823-8481-FA54476A1E7B}.exe
672	{45471AC6-F5BF-4aac-AD94-0A84A402BB31}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe
File created	C:\Windows\{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe
File created	C:\Windows\{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe
File created	C:\Windows\{316171B8-4D03-4823-8481-FA54476A1E7B}.exe	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe
File created	C:\Windows\{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe
File created	C:\Windows\{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe
File created	C:\Windows\{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe
File created	C:\Windows\{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe
File created	C:\Windows\{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe
File created	C:\Windows\{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe
File created	C:\Windows\{45471AC6-F5BF-4aac-AD94-0A84A402BB31}.exe	{316171B8-4D03-4823-8481-FA54476A1E7B}.exe
File created	C:\Windows\{A96EE9D4-13E0-46af-B857-8073505919CC}.exe	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2280	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe
Token: SeIncBasePriorityPrivilege	4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe
Token: SeIncBasePriorityPrivilege	5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe
Token: SeIncBasePriorityPrivilege	472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe
Token: SeIncBasePriorityPrivilege	1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe
Token: SeIncBasePriorityPrivilege	228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe
Token: SeIncBasePriorityPrivilege	3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe
Token: SeIncBasePriorityPrivilege	2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe
Token: SeIncBasePriorityPrivilege	3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe
Token: SeIncBasePriorityPrivilege	4464	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe
Token: SeIncBasePriorityPrivilege	1272	{316171B8-4D03-4823-8481-FA54476A1E7B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3036	2280	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe	92
PID 2280 wrote to memory of 3036	2280	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe	92
PID 2280 wrote to memory of 3036	2280	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe	92
PID 2280 wrote to memory of 4436	2280	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe	93
PID 2280 wrote to memory of 4436	2280	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe	93
PID 2280 wrote to memory of 4436	2280	2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe	93
PID 3036 wrote to memory of 4532	3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe	94
PID 3036 wrote to memory of 4532	3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe	94
PID 3036 wrote to memory of 4532	3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe	94
PID 3036 wrote to memory of 2540	3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe	95
PID 3036 wrote to memory of 2540	3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe	95
PID 3036 wrote to memory of 2540	3036	{A96EE9D4-13E0-46af-B857-8073505919CC}.exe	95
PID 4532 wrote to memory of 5044	4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe	98
PID 4532 wrote to memory of 5044	4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe	98
PID 4532 wrote to memory of 5044	4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe	98
PID 4532 wrote to memory of 3848	4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe	97
PID 4532 wrote to memory of 3848	4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe	97
PID 4532 wrote to memory of 3848	4532	{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe	97
PID 5044 wrote to memory of 472	5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe	99
PID 5044 wrote to memory of 472	5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe	99
PID 5044 wrote to memory of 472	5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe	99
PID 5044 wrote to memory of 4864	5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe	100
PID 5044 wrote to memory of 4864	5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe	100
PID 5044 wrote to memory of 4864	5044	{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe	100
PID 472 wrote to memory of 1152	472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe	101
PID 472 wrote to memory of 1152	472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe	101
PID 472 wrote to memory of 1152	472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe	101
PID 472 wrote to memory of 4536	472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe	102
PID 472 wrote to memory of 4536	472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe	102
PID 472 wrote to memory of 4536	472	{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe	102
PID 1152 wrote to memory of 228	1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe	104
PID 1152 wrote to memory of 228	1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe	104
PID 1152 wrote to memory of 228	1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe	104
PID 1152 wrote to memory of 4112	1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe	103
PID 1152 wrote to memory of 4112	1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe	103
PID 1152 wrote to memory of 4112	1152	{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe	103
PID 228 wrote to memory of 3232	228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe	105
PID 228 wrote to memory of 3232	228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe	105
PID 228 wrote to memory of 3232	228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe	105
PID 228 wrote to memory of 4924	228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe	106
PID 228 wrote to memory of 4924	228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe	106
PID 228 wrote to memory of 4924	228	{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe	106
PID 3232 wrote to memory of 2472	3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe	107
PID 3232 wrote to memory of 2472	3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe	107
PID 3232 wrote to memory of 2472	3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe	107
PID 3232 wrote to memory of 2728	3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe	108
PID 3232 wrote to memory of 2728	3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe	108
PID 3232 wrote to memory of 2728	3232	{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe	108
PID 2472 wrote to memory of 3048	2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe	109
PID 2472 wrote to memory of 3048	2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe	109
PID 2472 wrote to memory of 3048	2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe	109
PID 2472 wrote to memory of 852	2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe	110
PID 2472 wrote to memory of 852	2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe	110
PID 2472 wrote to memory of 852	2472	{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe	110
PID 3048 wrote to memory of 4464	3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe	111
PID 3048 wrote to memory of 4464	3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe	111
PID 3048 wrote to memory of 4464	3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe	111
PID 3048 wrote to memory of 4200	3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe	112
PID 3048 wrote to memory of 4200	3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe	112
PID 3048 wrote to memory of 4200	3048	{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe	112
PID 4464 wrote to memory of 1272	4464	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe	113
PID 4464 wrote to memory of 1272	4464	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe	113
PID 4464 wrote to memory of 1272	4464	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe	113
PID 4464 wrote to memory of 2056	4464	{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\{A96EE9D4-13E0-46af-B857-8073505919CC}.exe
  C:\Windows\{A96EE9D4-13E0-46af-B857-8073505919CC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe
    C:\Windows\{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6A5~1.EXE > nul
      4⤵
      PID:3848
  - - C:\Windows\{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe
      C:\Windows\{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe
        
        C:\Windows\{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
      - C:\Windows\{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe
        
        C:\Windows\{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{341C3~1.EXE > nul
        7⤵
        
        PID:4112
        
        C:\Windows\{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe
        
        C:\Windows\{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe
        
        C:\Windows\{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe
        
        C:\Windows\{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe
        
        C:\Windows\{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe
        
        C:\Windows\{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{316171B8-4D03-4823-8481-FA54476A1E7B}.exe
        
        C:\Windows\{316171B8-4D03-4823-8481-FA54476A1E7B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\{45471AC6-F5BF-4aac-AD94-0A84A402BB31}.exe
        
        C:\Windows\{45471AC6-F5BF-4aac-AD94-0A84A402BB31}.exe
        13⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31617~1.EXE > nul
        13⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7431C~1.EXE > nul
        12⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF210~1.EXE > nul
        11⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEEF3~1.EXE > nul
        10⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A7D~1.EXE > nul
        9⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45A8F~1.EXE > nul
        8⤵
        
        PID:4924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3300B~1.EXE > nul
        6⤵
        
        PID:4536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB9B3~1.EXE > nul
        5⤵
        
        PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A96EE~1.EXE > nul
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{316171B8-4D03-4823-8481-FA54476A1E7B}.exe

Filesize
344KB

MD5
a3887e6c2488720130b17dc4a944fcbe

SHA1
87c66db8f1f4f55c33ee474613a7dae3ea48d7bc

SHA256
612d2ac40d288f85799ec261d8a472f42fc1ea27481dafb0f1cc02874c2aff77

SHA512
c5555ddd97430b1595b08c2da1dc1d9a3e7c810ce89670ca34b444a7d1dfc4a43452a94da7e2af1e991931d04cb74fb79654cf9d6aa18729275bffcb3b06826a

Download Submit
C:\Windows\{3300B959-BE1A-4d00-8B9A-888C4E2741A1}.exe

Filesize
344KB

MD5
5ddd320d0c542a5481eff9bf1cfcb108

SHA1
4ff0c9c4f3af3d847584848ca48a3f5178333ffa

SHA256
8d56d3662dd8a0caa740920c0d2f759ea3dda341e218270521c6528cdb7ec869

SHA512
4bb165dd8abb806cabe6e194d2781f06d8a483ae410bc222bb888dc759e79b78d14f037785d5d1a66975d5364d1d173dbf8bc24490504b20984c895fb86194d5

Download Submit
C:\Windows\{341C338F-DC1A-4f82-A4CE-045FAF61E0C8}.exe

Filesize
344KB

MD5
ac5c333dbd5aa8a9ac8cbea614b2e76b

SHA1
0d7a40b1266fbd0333aab2a328c4005210cb0809

SHA256
d2d4578071931d706773521c445924a782d9ad41ed281929f0e51c60178c0b9b

SHA512
9da93d541bd45d6f72e365de913e0aac76bb749ab53b77f5672e8b503c7f22d9374ca212a207bb32ef4121e02be9e21d1f2bb743dc1aa829d2cf33bf68cbfe2e

Download Submit
C:\Windows\{45471AC6-F5BF-4aac-AD94-0A84A402BB31}.exe

Filesize
344KB

MD5
5644a3d30096e6459b038b2e7b7b3469

SHA1
9185c284d9310e2cf1bf368799f9c1189361396f

SHA256
752661f7c51f322245c7b759720bc15597af6a96e369374d725206ce9ba72ab4

SHA512
deaedd4f167d3c29ba9827443924ebd7818a9543237096a5b0a396610ddbbc262fd600d1a1ec43f852cffb6c75cf49cf9f046604d533e0eb705bf2df04492c8e

Download Submit
C:\Windows\{45A8FEB1-5827-4b8e-BC7D-8387F5D0B312}.exe

Filesize
344KB

MD5
9d39a27ddf3144c178dd8d8a67f60053

SHA1
35c603c37690623be6c8847c1efc3c76bcdafb2e

SHA256
d038a527ba9f7be7b69a27937cdfe7aaf51e93c2031a86725d2149fcef15a93b

SHA512
d5c7d397c87d65fd13bf1c2ec7088650e72670ab196c211007254b4d0990861524e7f30dc6857fda31fe9378bbb6ef5274b55884ca0120ef0d6bf60cf2210aba

Download Submit
C:\Windows\{71A7D6BA-BE68-47e1-8CB5-E96CF4D4CF8E}.exe

Filesize
344KB

MD5
ddb43779756d7533baecb73475e19168

SHA1
e25f1ace6c8c10629471dbe0279dbf19bbb7cd5f

SHA256
0e41bec3cd35b37e02b04a187ce5597b4da3f7cb0862b29ec98bc39a4023a8e0

SHA512
ec61e01dd3d83f7e69fd0db561b70ce7d31ab8a1f5cb779cd7737f816534e96abdf65e262371c86c66e5ae99c3edb390199e43de1b892a21e967908672e6a8ed

Download Submit
C:\Windows\{7431CD1C-C50C-497b-BB1C-EC514798915A}.exe

Filesize
344KB

MD5
84158088293099018e0161f763aaec63

SHA1
2c333feff9174d895f6bff274444b6600121b9dd

SHA256
309f2b72046f6ca835f4e265a0bacdc499397a6a66d809cc0c5d6d8f0c1f08fe

SHA512
524de4b136a63097d4a282431fb341c2229ea3a34a628daed47b7b944a02d5b118d2e2042a72a623398351b0b836e1f132258d6241143b4ab36d489f0b7ba4b0

Download Submit
C:\Windows\{A96EE9D4-13E0-46af-B857-8073505919CC}.exe

Filesize
344KB

MD5
25a6af10c0a0a9e8224e0a2e2f573d9a

SHA1
45225eb131fc0815a156098666d2660cabe7f46b

SHA256
314bfd60ac5c92202008617efaa914a92ed2111bccd9d4e87388d894f6ade884

SHA512
03c5b91cfd85ee3ddbd50e8711f9834c9cb05c694fb3b78b7a6ec138959f47a5c3a13ee62ca81411fbf9770716b824d1ab9896ec2d52dc1fa478f0c791fcdf9e

Download Submit
C:\Windows\{A96EE9D4-13E0-46af-B857-8073505919CC}.exe

Filesize
249KB

MD5
455b43eefaef2066ea141ec902d554e4

SHA1
1737785ec0fb73576ad6b9cd0843cae08b41a7a1

SHA256
05ae38cfb1f4da2f652fe185c246fde9d8339d0cc53a47b6b37c3b4476d9302d

SHA512
f4278e2e7c2fbb0e34f712ee4f8b81f38d86802403cdd79f5451805298935287996ca4a28e993e350ad68059e54e85e6dc0e92f646ad523d90cd631cd6cfe762

Download Submit
C:\Windows\{AE6A511A-DAA7-4ee5-9A73-A57E46863F66}.exe

Filesize
344KB

MD5
e3cf852e9f95ad812c745737a975c7f0

SHA1
1e1e4aad86274f316691b05401fcc8b09cd73b0b

SHA256
21e33760be28788d730d8fcb2f9b0f47b84b0bb3ad94f56a66674be7505c487b

SHA512
64b5db0769bff7371663475aa97c6c6fa09230001df16402eb152141bc07b79911d2c06edd05e2f58cbf1658cb9a8e0d41e1bec3d98db620b3e36c5db42fee5f

Download Submit
C:\Windows\{AEEF3768-96B5-445a-90BA-9BAEE606E112}.exe

Filesize
344KB

MD5
5bc4d3e228b758b33ffe02dbafe6bd6a

SHA1
3e87811fe49c364b800af5a2cf2f51edd0607641

SHA256
c3b55de9504b7a34463995d429d1969a59d4c26158490e7cb4c6011b6df377b9

SHA512
a312ee97757b33acb6711bb2ecaefd084890f8e38ba9ec01dc8b77127178f6dc82694b1292014870c88edd2d5041ae70f5256fd5acd4bf1a6a526f6d501198ba

Download Submit
C:\Windows\{BF210C2F-DF8A-462a-A41A-D52C2E0C90B1}.exe

Filesize
344KB

MD5
2284a764dbb2db92202f1be218776a1b

SHA1
1a69b6ec72eeeb907e79e56b00a9dad1c005bf3c

SHA256
c49b399aad30729f9cf49ef602e02460d281771503b321f41314fca2fbb1cafe

SHA512
7fda1cf965a777f3bcf98a8fa6f7b1737bcff86452e23ed31582cd635bf9567c038988bd335f5126101969e1b4ab7e66f2dc91089930754be0391d5131da0db1

Download Submit
C:\Windows\{DB9B3276-E494-4b5f-BFF6-DFC35D9452E0}.exe

Filesize
344KB

MD5
19c8b1b12664122337871f277f204fdf

SHA1
df3d5a49b1a163b60c48a5620c03af5e48058e7b

SHA256
539c9404b8ec126a187f451a29716341d2d9eaa844e6ab7076886228e86bfa10

SHA512
f42a70b15d0475c94ba3f113639b744c4771a45f379d8a5332b2464031c00282f7e1ecea64dbec682a6dee8d892d4f4221494faa7cf4b23951c960848667f674

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads