0ed04466b3c358a575506f48d8e3e7a0e1ca0e10fe542e336b66d025d91838ad

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Size

408KB
MD5

c5557a9afbd4214c779ff467d044e4ed
SHA1

29efb0b393c83188c3d93c25fee37333cd5b6754
SHA256

0ed04466b3c358a575506f48d8e3e7a0e1ca0e10fe542e336b66d025d91838ad
SHA512

a8e9c27af48b5b5d423388d59f9f32252da51815da2aae4ed7068330a09943fc039524dd4393842c79e13e91cfee1064d9b09c50d3734116ecc9b5d8d1e6aae7
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGQldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e6af-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002321e-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023224-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023225-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}\stubpath = "C:\\Windows\\{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe"	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E894136-AABB-4719-8F19-00E6F94FD5B7}\stubpath = "C:\\Windows\\{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe"	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}\stubpath = "C:\\Windows\\{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe"	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}\stubpath = "C:\\Windows\\{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe"	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}\stubpath = "C:\\Windows\\{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe"	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBFA1F1E-F358-476f-AE0D-890420A180B7}	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBFA1F1E-F358-476f-AE0D-890420A180B7}\stubpath = "C:\\Windows\\{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe"	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{558FFB10-D073-465b-9065-798E7327BCA2}	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057AA086-8318-417c-BBEC-0DE585DF4D74}	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057AA086-8318-417c-BBEC-0DE585DF4D74}\stubpath = "C:\\Windows\\{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe"	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBBF33B5-49EB-475c-A065-904387BBDE12}	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBBF33B5-49EB-475c-A065-904387BBDE12}\stubpath = "C:\\Windows\\{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe"	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{558FFB10-D073-465b-9065-798E7327BCA2}\stubpath = "C:\\Windows\\{558FFB10-D073-465b-9065-798E7327BCA2}.exe"	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9EB0B79-9075-440c-A96E-AE4BADDEED79}\stubpath = "C:\\Windows\\{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe"	{558FFB10-D073-465b-9065-798E7327BCA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E894136-AABB-4719-8F19-00E6F94FD5B7}	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B4B289-9EDA-4100-989D-F3322C742868}	{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B4B289-9EDA-4100-989D-F3322C742868}\stubpath = "C:\\Windows\\{64B4B289-9EDA-4100-989D-F3322C742868}.exe"	{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3179190-2D32-4ca3-904F-FCDFC3FA8410}	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3179190-2D32-4ca3-904F-FCDFC3FA8410}\stubpath = "C:\\Windows\\{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe"	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9EB0B79-9075-440c-A96E-AE4BADDEED79}	{558FFB10-D073-465b-9065-798E7327BCA2}.exe

Executes dropped EXE 12 IoCs

pid	Process
5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe
1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe
3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe
2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe
920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe
2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe
1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe
4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe
5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe
1780	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe
2896	{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe
2324	{64B4B289-9EDA-4100-989D-F3322C742868}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
File created	C:\Windows\{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe
File created	C:\Windows\{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe
File created	C:\Windows\{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe
File created	C:\Windows\{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe
File created	C:\Windows\{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe	{558FFB10-D073-465b-9065-798E7327BCA2}.exe
File created	C:\Windows\{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe
File created	C:\Windows\{64B4B289-9EDA-4100-989D-F3322C742868}.exe	{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe
File created	C:\Windows\{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe
File created	C:\Windows\{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe
File created	C:\Windows\{558FFB10-D073-465b-9065-798E7327BCA2}.exe	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe
File created	C:\Windows\{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2204	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe
Token: SeIncBasePriorityPrivilege	1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe
Token: SeIncBasePriorityPrivilege	3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe
Token: SeIncBasePriorityPrivilege	2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe
Token: SeIncBasePriorityPrivilege	920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe
Token: SeIncBasePriorityPrivilege	2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe
Token: SeIncBasePriorityPrivilege	1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe
Token: SeIncBasePriorityPrivilege	4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe
Token: SeIncBasePriorityPrivilege	5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe
Token: SeIncBasePriorityPrivilege	1780	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe
Token: SeIncBasePriorityPrivilege	2896	{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 5032	2204	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	92
PID 2204 wrote to memory of 5032	2204	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	92
PID 2204 wrote to memory of 5032	2204	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	92
PID 2204 wrote to memory of 3220	2204	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	93
PID 2204 wrote to memory of 3220	2204	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	93
PID 2204 wrote to memory of 3220	2204	2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe	93
PID 5032 wrote to memory of 1672	5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe	96
PID 5032 wrote to memory of 1672	5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe	96
PID 5032 wrote to memory of 1672	5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe	96
PID 5032 wrote to memory of 3344	5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe	97
PID 5032 wrote to memory of 3344	5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe	97
PID 5032 wrote to memory of 3344	5032	{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe	97
PID 1672 wrote to memory of 3852	1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe	100
PID 1672 wrote to memory of 3852	1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe	100
PID 1672 wrote to memory of 3852	1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe	100
PID 1672 wrote to memory of 768	1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe	99
PID 1672 wrote to memory of 768	1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe	99
PID 1672 wrote to memory of 768	1672	{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe	99
PID 3852 wrote to memory of 2884	3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe	102
PID 3852 wrote to memory of 2884	3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe	102
PID 3852 wrote to memory of 2884	3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe	102
PID 3852 wrote to memory of 4584	3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe	101
PID 3852 wrote to memory of 4584	3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe	101
PID 3852 wrote to memory of 4584	3852	{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe	101
PID 2884 wrote to memory of 920	2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe	103
PID 2884 wrote to memory of 920	2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe	103
PID 2884 wrote to memory of 920	2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe	103
PID 2884 wrote to memory of 4952	2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe	104
PID 2884 wrote to memory of 4952	2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe	104
PID 2884 wrote to memory of 4952	2884	{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe	104
PID 920 wrote to memory of 2196	920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe	105
PID 920 wrote to memory of 2196	920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe	105
PID 920 wrote to memory of 2196	920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe	105
PID 920 wrote to memory of 1872	920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe	106
PID 920 wrote to memory of 1872	920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe	106
PID 920 wrote to memory of 1872	920	{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe	106
PID 2196 wrote to memory of 1572	2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe	107
PID 2196 wrote to memory of 1572	2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe	107
PID 2196 wrote to memory of 1572	2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe	107
PID 2196 wrote to memory of 4028	2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe	108
PID 2196 wrote to memory of 4028	2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe	108
PID 2196 wrote to memory of 4028	2196	{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe	108
PID 1572 wrote to memory of 4796	1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe	110
PID 1572 wrote to memory of 4796	1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe	110
PID 1572 wrote to memory of 4796	1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe	110
PID 1572 wrote to memory of 2428	1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe	109
PID 1572 wrote to memory of 2428	1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe	109
PID 1572 wrote to memory of 2428	1572	{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe	109
PID 4796 wrote to memory of 5008	4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe	111
PID 4796 wrote to memory of 5008	4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe	111
PID 4796 wrote to memory of 5008	4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe	111
PID 4796 wrote to memory of 4980	4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe	112
PID 4796 wrote to memory of 4980	4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe	112
PID 4796 wrote to memory of 4980	4796	{558FFB10-D073-465b-9065-798E7327BCA2}.exe	112
PID 5008 wrote to memory of 1780	5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe	113
PID 5008 wrote to memory of 1780	5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe	113
PID 5008 wrote to memory of 1780	5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe	113
PID 5008 wrote to memory of 2328	5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe	114
PID 5008 wrote to memory of 2328	5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe	114
PID 5008 wrote to memory of 2328	5008	{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe	114
PID 1780 wrote to memory of 2896	1780	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe	115
PID 1780 wrote to memory of 2896	1780	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe	115
PID 1780 wrote to memory of 2896	1780	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe	115
PID 1780 wrote to memory of 1476	1780	{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_c5557a9afbd4214c779ff467d044e4ed_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe
  C:\Windows\{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe
    C:\Windows\{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{057AA~1.EXE > nul
      4⤵
      PID:768
  - - C:\Windows\{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe
      C:\Windows\{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3179~1.EXE > nul
        5⤵
        
        PID:4584
    - - C:\Windows\{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe
        
        C:\Windows\{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe
        
        C:\Windows\{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe
        
        C:\Windows\{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe
        
        C:\Windows\{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBFA1~1.EXE > nul
        9⤵
        
        PID:2428
        
        C:\Windows\{558FFB10-D073-465b-9065-798E7327BCA2}.exe
        
        C:\Windows\{558FFB10-D073-465b-9065-798E7327BCA2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe
        
        C:\Windows\{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe
        
        C:\Windows\{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe
        
        C:\Windows\{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{64B4B289-9EDA-4100-989D-F3322C742868}.exe
        
        C:\Windows\{64B4B289-9EDA-4100-989D-F3322C742868}.exe
        13⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C09BC~1.EXE > nul
        13⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB034~1.EXE > nul
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9EB0~1.EXE > nul
        11⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{558FF~1.EXE > nul
        10⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E894~1.EXE > nul
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90A7D~1.EXE > nul
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBBF3~1.EXE > nul
        6⤵
        
        PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D35DF~1.EXE > nul
    3⤵
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{057AA086-8318-417c-BBEC-0DE585DF4D74}.exe

Filesize
408KB

MD5
250a28e1f43afbb40eadded306ba3d31

SHA1
b6588c7d4b831441f8e34ad07315a35b42fa38c5

SHA256
c6fcc4b2b2721b07581fb92d469c88fc6ff223332cb47c88b583922db945e685

SHA512
e575fc754e0929a8a9ac3aea2f747a9ad141e269a638f25d404b8a598ed0dff9e5b03c9b74007b5f59f21e47bae5af3d0e82093d80f538b9a4971dc2316ae98d

Download Submit
C:\Windows\{558FFB10-D073-465b-9065-798E7327BCA2}.exe

Filesize
408KB

MD5
e2ad3b4a0186b38b4949e63772b5acf8

SHA1
9e87ac0d87a1e7c3e5203ac5b9603fa1a25196f8

SHA256
e47c53ed9cdee5f242fe902cc3ae98d2e1dee28c3f18f56231208cdd4da2cb25

SHA512
f6501ec8765fe13372c886aee5d8913b4079f6fd09900fb273804f802083cd15bb7a46ad9cb17ec0446649a46ca6912dcde2ad6f8519b471775fc42e8a052d87

Download Submit
C:\Windows\{64B4B289-9EDA-4100-989D-F3322C742868}.exe

Filesize
408KB

MD5
b89762ee7337b7664131003f830bf464

SHA1
d7b8690362f4738ca078cce2dfb6cd8a3b5ba460

SHA256
cd0c7b10c8ec70c5bab1852b9f8ef8e92445139dcd777dc6dd9446f39081b81e

SHA512
fad60436631b0234220da7059af72fe72b89b3811623fdd6695f0b0a39b217a5af7d9c0a11bb16d70e2f25b388561aebed8fa0be0371fcf2f2c1fd1c0c836d66

Download Submit
C:\Windows\{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe

Filesize
408KB

MD5
c2a703fa35ae9fb49798980e826555bc

SHA1
cc3277a5da4ee842f5c3f7d2d98cda6f92907dd5

SHA256
78069a301411575f4c2b7c5474e7a6455b558ddbea9f3b0d3e5f92afeec8fa3b

SHA512
36f0a05b3e00def533163aa88ece02a44dc3685f5aeed3f84733b33e40f355fc46467b2bad674d2084895d08a6e8c88909e1324743c8b165e792063c2b60ed34

Download Submit
C:\Windows\{8E894136-AABB-4719-8F19-00E6F94FD5B7}.exe

Filesize
388KB

MD5
fa45b31bd02fd7b1cb8116c183f7d37a

SHA1
7201c1248c3cebd51cb2a4338984481b258cdcba

SHA256
43dc4c130ca9aeeb0fdcfe4f9542bfa294322bc170f8212d88c48c2864a31de2

SHA512
43c121569f564c9762788ad2184124ddd211ac969a4796e14701e21841c86c9545a754af17b65406670d0d35f8be31839a6989810605e796268b6c38f55ea2d6

Download Submit
C:\Windows\{90A7D54C-81D9-41d9-878D-8DC70E7F39EF}.exe

Filesize
408KB

MD5
b18845d0c96166b3365a1fe9de58e409

SHA1
513084d031e5b14b505b73e1370a74977078eae0

SHA256
e75134c3d08e3773d6b0275647857a7d3a98c47c867001b6a97ae3a55ea4cabe

SHA512
209f7ee23f4da568bcc6fa119ba07585aaaa870c108a8875bf29039e3c5b7f19d8a92658ba6ed5d4f62d7121e9a8312e3ed5aa7a50dad0cbccea0e3795b767ed

Download Submit
C:\Windows\{A9EB0B79-9075-440c-A96E-AE4BADDEED79}.exe

Filesize
408KB

MD5
81fe75239e5706cb645536faf7c50e16

SHA1
69fc10a9dcf4a9fdd80f7e812dfccf08ef1f95c8

SHA256
55727d6c4549e5ad708b6bf60fc422176cad75d41738020b2e811ed02029d99f

SHA512
f1b8d223bda2924f4672516ae878b6d37aefbfb43f685ee03d63b705c0455c5b0f368e502ab4fd3229debb87aeac1663b6d1ef77a59b25661108deace1d3ce3d

Download Submit
C:\Windows\{C09BC8D6-4E26-48cc-A2C3-CE399C254FE6}.exe

Filesize
408KB

MD5
42c4761ae9dbb1096dc989ccc30a8e2a

SHA1
9cb57648a0223dc0e1713ec2710619625d33faf9

SHA256
52081ed270bafb38581005b83f5bf1510fe59588d4fdd16cfafc358e24e9e5a5

SHA512
ac68fdab6fcb65e612a56d4fef8643a475f15df9d80f05187ceafdd441e38dba475443503365e665a8d97341b44854f2f5128bb25ca2f2a0d5add257d25ebfe1

Download Submit
C:\Windows\{CBBF33B5-49EB-475c-A065-904387BBDE12}.exe

Filesize
408KB

MD5
2c38ae5fa69f7889b0fa8934d14d8116

SHA1
f1157b6626bf02c4644f2746adaf0f60c95c24f3

SHA256
75f07e8dfe0728dc40923225a02633b64289ef68278ac50af669f3756dfaaead

SHA512
82acef658e51816dada393e84f8fcc6bb9848b8842303f528867b05d5e1915b314bbf18293d05c71774848eb5bd09045fc43fa6e99127d7cbda48699c139dde8

Download Submit
C:\Windows\{D3179190-2D32-4ca3-904F-FCDFC3FA8410}.exe

Filesize
408KB

MD5
c18451b1e6234cc1302441bcaf6eb3e5

SHA1
269976923b1ec44e65febb57d7e764b78bfb5d97

SHA256
59ea67602ffe0735473a0559842c4350ac93a0cbae1446849ce8ad89d5821e4f

SHA512
ef7e2236c41b836229c6611db10fb1d81459c49c582ff2c70f3b341381dccbb1f26edf3cbc214f805a0036975ebfba5ba624ae030b08dac4dd0cd3d3999e5d8a

Download Submit
C:\Windows\{D35DF80D-A326-443e-ACA4-3EDB6A0D2041}.exe

Filesize
408KB

MD5
051ef318a97512268f43eac39277b238

SHA1
bc4c57e25833f18cc591e8d42682c51d715cfc25

SHA256
90fcaed264aabe191fe0fbd2f8eb4dee5dc051fb0467828277d36fc0879d1861

SHA512
8c96b8cf089a062cb641e23e4032f3f8a54c5c634532ed6fe82e22c85765bc483a75b347638e8cf4edbde59bc7d9603ec7764d1d47d2abe65970e2f971aba6cd

Download Submit
C:\Windows\{EBFA1F1E-F358-476f-AE0D-890420A180B7}.exe

Filesize
408KB

MD5
d406188b9dd7df0c2c2d75b86e6d439b

SHA1
e5390d77aded0e973828485e6d1cd83bbcdf968a

SHA256
e44175df48d1e223a6d291a07aa43745f13d7af9657d710e04820ee6ec11c49b

SHA512
c7d5cb8a1782c1c7274e4ef7275cb2ae1b731190130223a4031b8bf8fad08ea2c6fa495e34ab471cdc8db484f5200b51d9809d1c599099425e164ac8c6f6c914

Download Submit
C:\Windows\{FB0340E2-8F0C-456a-98DC-D5B2E6C4E28D}.exe

Filesize
408KB

MD5
5bc6bc21ea78e5a29430d8c555d0d28a

SHA1
9d6ad0c3c5c0bb1aec103b9ef52b1b2d4c74b5c5

SHA256
0921a00222f52cf17d06ca55a7673446879dc6ef755bd1e242f0aaacf5b64949

SHA512
1c7e5c8e1af2884fa6093e2b4e5726eb9c9beb53b82e4e17385363dd6eb2d505e5b75e6d11e91e123494b8ad65c0ffcbc53d67addf0f11b4cb06db6ee2d7f9e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads