9a8308ec3e82bdac8f2156a597e73890243b1e7ff51d1e9fdd76734a9f0e6b96

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Size

180KB
MD5

5e1766617cd68aa91cacdb5907e49a05
SHA1

9f5b528a121be43ddbe6feb8f5491e0247db2cb4
SHA256

9a8308ec3e82bdac8f2156a597e73890243b1e7ff51d1e9fdd76734a9f0e6b96
SHA512

33b0a37379458ff2a9c8e6d07f2a08bdc53e7574e129856376966c75031cde75693bee6997b7ab5ce4d9c8142fbca153c503aaf9985ff1ed921cda8dea31d0b4
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023212-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023054-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023054-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C1D09C-A55A-459a-AC91-3BB0676CE42A}	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{253E8926-1B21-4944-A576-8BE0CBE9E845}\stubpath = "C:\\Windows\\{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe"	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7992E250-EB22-406b-AA0C-F5B258AA8761}\stubpath = "C:\\Windows\\{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe"	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D8BF79-0015-42d9-A581-F4DD6FD9A941}\stubpath = "C:\\Windows\\{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe"	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}	{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50F4DDF0-5436-480c-BE7A-A60F420D90B9}\stubpath = "C:\\Windows\\{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe"	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}\stubpath = "C:\\Windows\\{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe"	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{253E8926-1B21-4944-A576-8BE0CBE9E845}	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7992E250-EB22-406b-AA0C-F5B258AA8761}	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}\stubpath = "C:\\Windows\\{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe"	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}\stubpath = "C:\\Windows\\{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe"	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}\stubpath = "C:\\Windows\\{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}.exe"	{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D8BF79-0015-42d9-A581-F4DD6FD9A941}	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45709653-FE69-42ef-9E32-FD20512FEBF5}\stubpath = "C:\\Windows\\{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe"	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}\stubpath = "C:\\Windows\\{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe"	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50F4DDF0-5436-480c-BE7A-A60F420D90B9}	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C1D09C-A55A-459a-AC91-3BB0676CE42A}\stubpath = "C:\\Windows\\{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe"	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}\stubpath = "C:\\Windows\\{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe"	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45709653-FE69-42ef-9E32-FD20512FEBF5}	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe

Executes dropped EXE 12 IoCs

pid	Process
1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe
4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe
2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe
3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe
620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe
2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe
1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe
3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe
828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe
2268	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe
1576	{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe
5004	{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
File created	C:\Windows\{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe
File created	C:\Windows\{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe
File created	C:\Windows\{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe
File created	C:\Windows\{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe
File created	C:\Windows\{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe
File created	C:\Windows\{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe
File created	C:\Windows\{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}.exe	{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe
File created	C:\Windows\{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe
File created	C:\Windows\{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe
File created	C:\Windows\{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe
File created	C:\Windows\{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3716	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe
Token: SeIncBasePriorityPrivilege	4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe
Token: SeIncBasePriorityPrivilege	2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe
Token: SeIncBasePriorityPrivilege	3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe
Token: SeIncBasePriorityPrivilege	620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe
Token: SeIncBasePriorityPrivilege	2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe
Token: SeIncBasePriorityPrivilege	1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe
Token: SeIncBasePriorityPrivilege	3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe
Token: SeIncBasePriorityPrivilege	828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe
Token: SeIncBasePriorityPrivilege	2268	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe
Token: SeIncBasePriorityPrivilege	1576	{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 1348	3716	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	93
PID 3716 wrote to memory of 1348	3716	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	93
PID 3716 wrote to memory of 1348	3716	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	93
PID 3716 wrote to memory of 3228	3716	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	94
PID 3716 wrote to memory of 3228	3716	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	94
PID 3716 wrote to memory of 3228	3716	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	94
PID 1348 wrote to memory of 4560	1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe	95
PID 1348 wrote to memory of 4560	1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe	95
PID 1348 wrote to memory of 4560	1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe	95
PID 1348 wrote to memory of 2312	1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe	96
PID 1348 wrote to memory of 2312	1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe	96
PID 1348 wrote to memory of 2312	1348	{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe	96
PID 4560 wrote to memory of 2912	4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe	99
PID 4560 wrote to memory of 2912	4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe	99
PID 4560 wrote to memory of 2912	4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe	99
PID 4560 wrote to memory of 2524	4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe	98
PID 4560 wrote to memory of 2524	4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe	98
PID 4560 wrote to memory of 2524	4560	{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe	98
PID 2912 wrote to memory of 3912	2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe	100
PID 2912 wrote to memory of 3912	2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe	100
PID 2912 wrote to memory of 3912	2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe	100
PID 2912 wrote to memory of 4948	2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe	101
PID 2912 wrote to memory of 4948	2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe	101
PID 2912 wrote to memory of 4948	2912	{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe	101
PID 3912 wrote to memory of 620	3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe	102
PID 3912 wrote to memory of 620	3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe	102
PID 3912 wrote to memory of 620	3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe	102
PID 3912 wrote to memory of 1076	3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe	103
PID 3912 wrote to memory of 1076	3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe	103
PID 3912 wrote to memory of 1076	3912	{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe	103
PID 620 wrote to memory of 2068	620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe	104
PID 620 wrote to memory of 2068	620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe	104
PID 620 wrote to memory of 2068	620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe	104
PID 620 wrote to memory of 1880	620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe	105
PID 620 wrote to memory of 1880	620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe	105
PID 620 wrote to memory of 1880	620	{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe	105
PID 2068 wrote to memory of 1200	2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe	106
PID 2068 wrote to memory of 1200	2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe	106
PID 2068 wrote to memory of 1200	2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe	106
PID 2068 wrote to memory of 4808	2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe	107
PID 2068 wrote to memory of 4808	2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe	107
PID 2068 wrote to memory of 4808	2068	{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe	107
PID 1200 wrote to memory of 3048	1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe	108
PID 1200 wrote to memory of 3048	1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe	108
PID 1200 wrote to memory of 3048	1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe	108
PID 1200 wrote to memory of 2212	1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe	109
PID 1200 wrote to memory of 2212	1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe	109
PID 1200 wrote to memory of 2212	1200	{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe	109
PID 3048 wrote to memory of 828	3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe	110
PID 3048 wrote to memory of 828	3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe	110
PID 3048 wrote to memory of 828	3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe	110
PID 3048 wrote to memory of 4692	3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe	111
PID 3048 wrote to memory of 4692	3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe	111
PID 3048 wrote to memory of 4692	3048	{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe	111
PID 828 wrote to memory of 2268	828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe	112
PID 828 wrote to memory of 2268	828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe	112
PID 828 wrote to memory of 2268	828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe	112
PID 828 wrote to memory of 2192	828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe	113
PID 828 wrote to memory of 2192	828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe	113
PID 828 wrote to memory of 2192	828	{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe	113
PID 2268 wrote to memory of 1576	2268	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe	114
PID 2268 wrote to memory of 1576	2268	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe	114
PID 2268 wrote to memory of 1576	2268	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe	114
PID 2268 wrote to memory of 1512	2268	{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe
  C:\Windows\{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe
    C:\Windows\{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50F4D~1.EXE > nul
      4⤵
      PID:2524
  - - C:\Windows\{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe
      C:\Windows\{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe
        
        C:\Windows\{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
      - C:\Windows\{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe
        
        C:\Windows\{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe
        
        C:\Windows\{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe
        
        C:\Windows\{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe
        
        C:\Windows\{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe
        
        C:\Windows\{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe
        
        C:\Windows\{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe
        
        C:\Windows\{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}.exe
        
        C:\Windows\{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}.exe
        13⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A81E4~1.EXE > nul
        13⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBCFB~1.EXE > nul
        12⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45709~1.EXE > nul
        11⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D8B~1.EXE > nul
        10⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7992E~1.EXE > nul
        9⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{155A1~1.EXE > nul
        8⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{253E8~1.EXE > nul
        7⤵
        
        PID:1880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A9E9~1.EXE > nul
        6⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68C1D~1.EXE > nul
        5⤵
        
        PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F2FAC~1.EXE > nul
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01D8BF79-0015-42d9-A581-F4DD6FD9A941}.exe

Filesize
180KB

MD5
f7fb44485d790ed077774d3c091652a1

SHA1
db9cf0c36fb8971adc524e894055b70d172b778e

SHA256
fc95a9db672871d92689ece7e7f2695d5389b3e5999281bea664e103cd1bb70a

SHA512
11384740b9ba579787913d1e7c6ef169be13adeeae0ebaabd9d9bd318c6303263fd7e249ff2a2156f1bf49f92f7f52999780201f8c6cdcd05e0a17d437de54c5

Download Submit
C:\Windows\{155A1C3C-A8EB-4d62-80F1-DCDC45315A18}.exe

Filesize
180KB

MD5
125ccea6cd40807f0643d110a314b4a4

SHA1
4f572d62079b878e0d04dfb6ad885a2afdb3ad62

SHA256
465d2e19192727306c9fb6bb0b27599c9d2d54d85c2cf63217d26d60c292d513

SHA512
7e7a39f173e334f3a0428f053d7b887442734afdfb19a696088255e4565f570cf3c1778afce44e2c6f8d9482dc332b87bd8a5e41ee258e9ca0a57f95c2aedbde

Download Submit
C:\Windows\{253E8926-1B21-4944-A576-8BE0CBE9E845}.exe

Filesize
180KB

MD5
15f0522828437765e76250f055e9077c

SHA1
b548683818f54527c40d5750f0ec5c6b18138f96

SHA256
0dcb7f9b17a8406d5656a54d6c25cfdc08b61c2ae080f8f3853733106d96618b

SHA512
0fdb8762368b321b757d0dc30c346da0ac19a160035acbf8f3f3f839e8de13edb30d47cab0491cf8eb8f0798f662908eaac107a4740d8b908550d8bf81bf71a3

Download Submit
C:\Windows\{36E56014-EF33-4bf4-821D-BE2B8CBF1FA4}.exe

Filesize
180KB

MD5
dab31d5467149dd945a061621925fcb9

SHA1
d25593a212f939826ec7fdd3d95a7e23dc3672c0

SHA256
5f9ebff8814f754921399915d7e7d6651c5594eb44e40c5ab5e16e95f716a106

SHA512
5f168fc11f07b55ca24dbf05e55cfd858d7b830cf72ac3927cc75516cc57a19c9cbfc577aee5b31615515a52cf40762758ee87408e3d9293248dc466aeb2553c

Download Submit
C:\Windows\{45709653-FE69-42ef-9E32-FD20512FEBF5}.exe

Filesize
180KB

MD5
141fdef0a6b4e1968ca986fcc87e2999

SHA1
c78af07b776a82279efe055f715283492cae88e4

SHA256
00c40a98bd0a9ed520ca7859bf0719fe2b23cd20365f8a7cba46fe41daeaa9a7

SHA512
f5e8ca3717defcc7b54867e911250f9396a7ba6119d031da174f2056f0b0eaa741d0dd3726740d6a27ceb73b6a60e17602fc7d678dd08c7cbe990895ff6c3564

Download Submit
C:\Windows\{50F4DDF0-5436-480c-BE7A-A60F420D90B9}.exe

Filesize
180KB

MD5
7449a5d5f2b826bf80b6b17a3aadef35

SHA1
62218e54ba75b60d008ada0c98edf659857c1067

SHA256
601f7e765f00ae7218e97d01f90dd37d3d01f90588dc5814adea8274da2bc3e4

SHA512
0072f82caefada6ad5829d0409442725b5bcf91ebf95dcbac4dcca24e5651b180ca1c05b657a014270aa56ed49ca4666c87c72f31a5b04892671fe30278a6b57

Download Submit
C:\Windows\{68C1D09C-A55A-459a-AC91-3BB0676CE42A}.exe

Filesize
180KB

MD5
2c9d09347890cd9f6ba2ca920067248a

SHA1
6a20c7c9311844f8a6719e0e46e1f5c84738593f

SHA256
9692b81e81e14ef6b112805fd2b4c848ff853631995201f7081502e50d798660

SHA512
6c6b348659fe7a931f29d5e290dab260b460377c109821fb4b664e18d009bed4cbf36d3537a700ed6c24f3e7d562e8323ee48491ddbecc7723808f6a6d1cddf2

Download Submit
C:\Windows\{7992E250-EB22-406b-AA0C-F5B258AA8761}.exe

Filesize
180KB

MD5
fe69d17b8a801ea7f0dbd6a6d9a78934

SHA1
68246f7e42e104c31c9d6af9b234cf1fd3ef9120

SHA256
c1162eafb934b5e47de71edf8980414f3e02d0a41e9e379738a0988edc911052

SHA512
dd3096eb64c97400d2764ba623656b06f0a5b001beaeb6e713251e72954280250cd3b894207f3697cc390509be329b11e3ca7650f447ac4c28fc9f27dcbc640c

Download Submit
C:\Windows\{7A9E9CD4-A2F1-411e-9657-8777E416F7B8}.exe

Filesize
180KB

MD5
006cbd3b683cdd8b75697ac0c7068669

SHA1
9272394065eccccc057ca177f57cc48b37af544d

SHA256
61c5eaa6743dfe52f213af32cc95e3880ca2155e088453add69a803718a61a50

SHA512
45ce10f79fc477b093d9a52a1ef2205be0a74d02dc960b25adc5bcc7d1d2ac4780933f99c223af96d284b4d69513afb07f622cd7c4782db1375fcd05db8ad5a1

Download Submit
C:\Windows\{A81E4701-F6CA-4a98-B3E4-B3DB7770CBFD}.exe

Filesize
180KB

MD5
a6f6150982c9479b69988b7336c9acdc

SHA1
33ac8d51db0ce79bf151f9ffd2852cd556101e63

SHA256
2ca542bca529f6471710cbed7bbe230e00f64e8f1b02d858c5d73d2a723cc0bc

SHA512
230d42d2f0cf8f61f81b3b5c99346b9b67bad618321415ebd0ed28b8d3716283ecf05344bfcfc7fede1df94b75432fca254a8bc0d133e050a397c22587209a39

Download Submit
C:\Windows\{EBCFB297-B300-4a53-88D9-BE9D44E6E8D0}.exe

Filesize
180KB

MD5
f498750ec50550b978f0cc0f3201c229

SHA1
f63af5a160d0404af70e55e7d67e2c320039858d

SHA256
1f73f0a3d2860a3bc5e9799d4d53f6f3f867894e51a69147819b3bf3b4e9bd27

SHA512
8191802312ffe555f864b77dc87ce8e7dd47986a305f7d6e5eb4487a477b7a992a45727d246ef65a7a882d3430b31f8b31c2b21eada1d85992cc179e58d0f766

Download Submit
C:\Windows\{F2FAC6B9-9926-498a-B5B9-0BAA0E003CEA}.exe

Filesize
180KB

MD5
5f3d4a0e877fa99ad5ba5934a63516f2

SHA1
36f13fd56fb9f42a1cfaa20a8292aba139e68d21

SHA256
e9995ba38a66bcf3b2db141a04d4b06bc19ec5f4e6d5258c6d73adac3dfe75ba

SHA512
a9c89830e9795676a8ef64371656e067071ccb2c6ed96b25313f8f847ee13bba5f21cc2feab52a27162b53f8429d055c453d4319b4409b8fdd2a11a1d523d0d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads