c30a19b74e9036e20dfb15e5b85c14910dde8fc4cf0009655d65f0b363d390cc

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Size

180KB
MD5

e005c6cfb5419206f15ce3cc8feb972a
SHA1

582bb249b0516d555c205045031833375a25ff65
SHA256

c30a19b74e9036e20dfb15e5b85c14910dde8fc4cf0009655d65f0b363d390cc
SHA512

79def3c24a6b830a1bc9b760897a9df53d498884e12c4e33157048188364fea742b9adf679b89e178ca22669d8455b8f4f0f0d64c0eb53207478c9d8e7de3fc6
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGql5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023223-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023235-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023223-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000224fe-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E8C095-D7D7-435e-8751-6DA9536BE436}	{285EE904-4538-47d6-9776-62D73E6CE148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D74D44-E091-4aa8-959B-C7C22AF69152}	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C377B-6558-439f-BC71-426F3B7D52E1}\stubpath = "C:\\Windows\\{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe"	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}\stubpath = "C:\\Windows\\{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe"	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285EE904-4538-47d6-9776-62D73E6CE148}\stubpath = "C:\\Windows\\{285EE904-4538-47d6-9776-62D73E6CE148}.exe"	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E8C095-D7D7-435e-8751-6DA9536BE436}\stubpath = "C:\\Windows\\{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe"	{285EE904-4538-47d6-9776-62D73E6CE148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}\stubpath = "C:\\Windows\\{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe"	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D74D44-E091-4aa8-959B-C7C22AF69152}\stubpath = "C:\\Windows\\{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe"	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}\stubpath = "C:\\Windows\\{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe"	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C377B-6558-439f-BC71-426F3B7D52E1}	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}\stubpath = "C:\\Windows\\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe"	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}\stubpath = "C:\\Windows\\{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe"	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285EE904-4538-47d6-9776-62D73E6CE148}	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DBC497-4E13-4d00-A146-7B4B7DD628F1}	{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DBC497-4E13-4d00-A146-7B4B7DD628F1}\stubpath = "C:\\Windows\\{37DBC497-4E13-4d00-A146-7B4B7DD628F1}.exe"	{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}\stubpath = "C:\\Windows\\{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe"	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}\stubpath = "C:\\Windows\\{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe"	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe

Executes dropped EXE 12 IoCs

pid	Process
4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe
3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe
4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe
384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe
3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe
4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe
3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe
4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe
1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe
4336	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe
3676	{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe
660	{37DBC497-4E13-4d00-A146-7B4B7DD628F1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe
File created	C:\Windows\{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe
File created	C:\Windows\{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe
File created	C:\Windows\{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe
File created	C:\Windows\{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe	{285EE904-4538-47d6-9776-62D73E6CE148}.exe
File created	C:\Windows\{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe
File created	C:\Windows\{37DBC497-4E13-4d00-A146-7B4B7DD628F1}.exe	{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe
File created	C:\Windows\{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
File created	C:\Windows\{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe
File created	C:\Windows\{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe
File created	C:\Windows\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe
File created	C:\Windows\{285EE904-4538-47d6-9776-62D73E6CE148}.exe	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4048	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe
Token: SeIncBasePriorityPrivilege	3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe
Token: SeIncBasePriorityPrivilege	4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe
Token: SeIncBasePriorityPrivilege	384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe
Token: SeIncBasePriorityPrivilege	3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe
Token: SeIncBasePriorityPrivilege	4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe
Token: SeIncBasePriorityPrivilege	3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe
Token: SeIncBasePriorityPrivilege	4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe
Token: SeIncBasePriorityPrivilege	1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe
Token: SeIncBasePriorityPrivilege	4336	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe
Token: SeIncBasePriorityPrivilege	3676	{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4264	4048	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	93
PID 4048 wrote to memory of 4264	4048	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	93
PID 4048 wrote to memory of 4264	4048	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	93
PID 4048 wrote to memory of 2648	4048	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	92
PID 4048 wrote to memory of 2648	4048	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	92
PID 4048 wrote to memory of 2648	4048	2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe	92
PID 4264 wrote to memory of 3188	4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe	94
PID 4264 wrote to memory of 3188	4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe	94
PID 4264 wrote to memory of 3188	4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe	94
PID 4264 wrote to memory of 1116	4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe	95
PID 4264 wrote to memory of 1116	4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe	95
PID 4264 wrote to memory of 1116	4264	{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe	95
PID 3188 wrote to memory of 4668	3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe	98
PID 3188 wrote to memory of 4668	3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe	98
PID 3188 wrote to memory of 4668	3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe	98
PID 3188 wrote to memory of 676	3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe	97
PID 3188 wrote to memory of 676	3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe	97
PID 3188 wrote to memory of 676	3188	{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe	97
PID 4668 wrote to memory of 384	4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe	99
PID 4668 wrote to memory of 384	4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe	99
PID 4668 wrote to memory of 384	4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe	99
PID 4668 wrote to memory of 3492	4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe	100
PID 4668 wrote to memory of 3492	4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe	100
PID 4668 wrote to memory of 3492	4668	{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe	100
PID 384 wrote to memory of 3768	384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe	101
PID 384 wrote to memory of 3768	384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe	101
PID 384 wrote to memory of 3768	384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe	101
PID 384 wrote to memory of 4256	384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe	102
PID 384 wrote to memory of 4256	384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe	102
PID 384 wrote to memory of 4256	384	{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe	102
PID 3768 wrote to memory of 4132	3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe	103
PID 3768 wrote to memory of 4132	3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe	103
PID 3768 wrote to memory of 4132	3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe	103
PID 3768 wrote to memory of 3064	3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe	104
PID 3768 wrote to memory of 3064	3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe	104
PID 3768 wrote to memory of 3064	3768	{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe	104
PID 4132 wrote to memory of 3464	4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe	106
PID 4132 wrote to memory of 3464	4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe	106
PID 4132 wrote to memory of 3464	4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe	106
PID 4132 wrote to memory of 3932	4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe	105
PID 4132 wrote to memory of 3932	4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe	105
PID 4132 wrote to memory of 3932	4132	{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe	105
PID 3464 wrote to memory of 4216	3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe	107
PID 3464 wrote to memory of 4216	3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe	107
PID 3464 wrote to memory of 4216	3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe	107
PID 3464 wrote to memory of 2968	3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe	108
PID 3464 wrote to memory of 2968	3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe	108
PID 3464 wrote to memory of 2968	3464	{285EE904-4538-47d6-9776-62D73E6CE148}.exe	108
PID 4216 wrote to memory of 1844	4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe	110
PID 4216 wrote to memory of 1844	4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe	110
PID 4216 wrote to memory of 1844	4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe	110
PID 4216 wrote to memory of 1372	4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe	109
PID 4216 wrote to memory of 1372	4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe	109
PID 4216 wrote to memory of 1372	4216	{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe	109
PID 1844 wrote to memory of 4336	1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe	111
PID 1844 wrote to memory of 4336	1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe	111
PID 1844 wrote to memory of 4336	1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe	111
PID 1844 wrote to memory of 944	1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe	112
PID 1844 wrote to memory of 944	1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe	112
PID 1844 wrote to memory of 944	1844	{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe	112
PID 4336 wrote to memory of 3676	4336	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe	113
PID 4336 wrote to memory of 3676	4336	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe	113
PID 4336 wrote to memory of 3676	4336	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe	113
PID 4336 wrote to memory of 1304	4336	{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_e005c6cfb5419206f15ce3cc8feb972a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2648
- C:\Windows\{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe
  C:\Windows\{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe
    C:\Windows\{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F71C3~1.EXE > nul
      4⤵
      PID:676
  - - C:\Windows\{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe
      C:\Windows\{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe
        
        C:\Windows\{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
      - C:\Windows\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe
        
        C:\Windows\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe
        
        C:\Windows\{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B88A~1.EXE > nul
        8⤵
        
        PID:3932
        
        C:\Windows\{285EE904-4538-47d6-9776-62D73E6CE148}.exe
        
        C:\Windows\{285EE904-4538-47d6-9776-62D73E6CE148}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe
        
        C:\Windows\{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90E8C~1.EXE > nul
        10⤵
        
        PID:1372
        
        C:\Windows\{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe
        
        C:\Windows\{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe
        
        C:\Windows\{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe
        
        C:\Windows\{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\{37DBC497-4E13-4d00-A146-7B4B7DD628F1}.exe
        
        C:\Windows\{37DBC497-4E13-4d00-A146-7B4B7DD628F1}.exe
        13⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D74~1.EXE > nul
        13⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A8FE~1.EXE > nul
        12⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D1AC~1.EXE > nul
        11⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{285EE~1.EXE > nul
        9⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70C61~1.EXE > nul
        7⤵
        
        PID:3064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B29B0~1.EXE > nul
        6⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1B11~1.EXE > nul
        5⤵
        
        PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF18~1.EXE > nul
    3⤵
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AF181A6-988B-41b6-863F-05B1FDCAAFD9}.exe

Filesize
180KB

MD5
ecb74267daf5e70882165e861675c452

SHA1
ac902cda9bbe3d090444c4630dd35ddb9162a10d

SHA256
e74e0edb3df8a7ef2c667ba37cf793be85d9ad1c746daefa34cde62fad809929

SHA512
ba53a44327651b098a634b2c17cc7e97d76c4ad2d2989788ff883aa2d87c5882a586274e8c7a46ef3d353d568503237f36dc48f9b2a94e25262a40dcaf34eaea

Download Submit
C:\Windows\{0D1AC80B-9275-4ec7-8C71-D77FF7BBC300}.exe

Filesize
180KB

MD5
50c9f7ca336cb1cd92e0a67c2bf1b7e3

SHA1
aaabb357a5412b30d59b4a3ef3fd825ed4420e67

SHA256
1c804ac195de50849d61d8c3108a8fd0340796bf930bc93d691f3c84df83c341

SHA512
621bd71188f63b146201e2bef7319010206bb5dcf9442efec2df7f45a9552381bebe9820ffea08a40608af052675a4b4d113fa294c5123bfb6db4e3ea8ae4745

Download Submit
C:\Windows\{1A8FE825-2801-4ad0-BE00-FED40E6B8B05}.exe

Filesize
180KB

MD5
59f8d6a68efea685a91415218c6a63ab

SHA1
8f02e8ee2bb0b526079d4e59a72363c2766d5c86

SHA256
d8be2f26255aa31c92a4d1ad56ab4a7598bd9f4b9d6e28556be7850e447a2c90

SHA512
2fccb2c5d9479073db9c6ce43cef32bc5af0303a59eb38249a90aea24f547a295b5c00443a106bec41e7e7ede748aae8b554b9b9f83a7543dd1bcedd6dbd8dbd

Download Submit
C:\Windows\{285EE904-4538-47d6-9776-62D73E6CE148}.exe

Filesize
180KB

MD5
efe95d5e813a682ff8c5cb431d25f427

SHA1
70bbc74a5e3c224b3c843b9132646436e8ba2d3a

SHA256
777e072ea3ed16692de5ac070d4d64b39adb5718f686f8ce208ac0be3a35c039

SHA512
b0eb58b4a9a2dc43539fd7b7e9e2a651f574086eabbb59091006216972f4df50b4bc5c054cc0a292ff54051085d504c879d2086bfe4fb59fd8595912c20e4a8c

Download Submit
C:\Windows\{37DBC497-4E13-4d00-A146-7B4B7DD628F1}.exe

Filesize
180KB

MD5
2b0f6a5cdd3cfb96dac7caebd621e1b8

SHA1
447d549a2447d28fc316ef359ae0879a4679b820

SHA256
ebc94dd254d243a4d2541b90ad276c3033ed19501ecbef0cd7b313bc0af74ae8

SHA512
d19504cbd376edf5536866bbe0dae6cfda07c01c357fb17bb871587b975236b1d673dd497116f0e68a0d72fca090cc98ec712c7e751a9eb19f3da4626d60d874

Download Submit
C:\Windows\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe

Filesize
21KB

MD5
7b5b2556e2d0afa39999ee296c736251

SHA1
d7a3f9e7edf2b338a032cf2de60c5619bf09f6c2

SHA256
399b70e6454dfa4ed999e4ebd9f0eff8d36c9abb64f5d6914a04737b124fb445

SHA512
cc90f689b1baf674f0b12b57d39e2ea308d8ba1be7090cd0936526377ba0c92515a15f5e0818e0fa8cbe3457aead5de7870443dffb5d84352d20e6c220850b33

Download Submit
C:\Windows\{70C610A9-873F-429b-9C2E-BE4D8F106CF6}.exe

Filesize
180KB

MD5
59e519e8f3cc4c02dca24e16fc0a7a3d

SHA1
98bf077b4bb3ba5124837b4c659271f218725144

SHA256
39be7ce0e68159fd2e7267180e52b231634ab857b3969c7c48232fbad39dd4b6

SHA512
0a90dd7ee809e556451d826025e96eef3822bbbd8a90134447ababac641f56a01f5207d0050783b95f90ebe3055b65b44dc4de40cacc205f820a418803fba3f3

Download Submit
C:\Windows\{7B88A4D6-A694-4c6f-A16A-F0910F89D0E1}.exe

Filesize
180KB

MD5
f8b2548eff2cd1df4c6db66af51ea39d

SHA1
ebac571d22c85eb016a1649699bac9882ccd0b8f

SHA256
1cab7c37aa2d506790a6742082b2bc9c3c4d2e9646649fb9ab638de1d945f8f5

SHA512
5547070fb55c76ee8f5d43bbd1cce6f75538835dd22b43de4bc5ded3798c40495849f4fccdcaff3064eb3209f3d0d41711b148fe1b133c9f02e17d18cd971249

Download Submit
C:\Windows\{90E8C095-D7D7-435e-8751-6DA9536BE436}.exe

Filesize
180KB

MD5
f9fd9400607d981b0400c04a9ed5e003

SHA1
870af1ecb87850a2f2b1a66620a64879ba33462f

SHA256
1205aeffb833402c0268c5022a81a65b7f6c6b22a36b1e6f0037c99ef171f480

SHA512
887023b72a33089213b9a2f2be9e16794d390b7f0669c42500a9c073d1a79a5dc02fc455e46ee946abc9d570d281a7ed306dccd6b4597ce434ce404361a563bf

Download Submit
C:\Windows\{B29B0CE5-3E73-4b1c-B95A-7576CA8B225F}.exe

Filesize
180KB

MD5
5d70d704c5744c3449bce2c242712e28

SHA1
78a730b3838ad946474cd332f50bb85eb12a5166

SHA256
4de06b59cbba8e90be21d1f21af86dd29b89b34d4c9801d073018a4ee86e5005

SHA512
fa30dfa1ee5dff08e5ec05466be94f6832e08838b312744504e53743671d5ed1094abb87f62a1018c2d4da4521df4370228b282ca8ea60accfb894fc6e570383

Download Submit
C:\Windows\{B9D74D44-E091-4aa8-959B-C7C22AF69152}.exe

Filesize
180KB

MD5
fcf0182308a28cbf744a29f4745ae18e

SHA1
1575f65dda43d07b44418fc23708f7ae47666920

SHA256
51c2c1ed193cbb5788f751ad20b8b5406572f275e04d418c3e60973c54233dd7

SHA512
c25af7135259e8e30a53af2d5cefda2797eaf5a6bbce051bba805cce6f3efd3c77e7fc525b9a0d852c5af4cda3b33b0532f72da47804d05ef6fbe99db456307b

Download Submit
C:\Windows\{C1B11D17-E6CB-4087-9C78-9EEE4FCBD34A}.exe

Filesize
180KB

MD5
8c1e938957782707381610da961bfca4

SHA1
cdb76d00165d794c24a3cd6be7a215805d5cdac3

SHA256
b500f1275463e2057cfb8f99eb1a89d23c3463e8782776dde14343d37b6d01e5

SHA512
8d62e5843668807ca51182bdfc32da1e1d319418d0d19fd5dac3590cbd25e118cb4a54cd390c7b3c08236a33c9f193c39bf5c1a18ddb86a856c440533538400d

Download Submit
C:\Windows\{F71C377B-6558-439f-BC71-426F3B7D52E1}.exe

Filesize
180KB

MD5
a0b513d286931240373ecee696d4ff7c

SHA1
07d2d332f14e825b3a6b3a81ddd8825cfce0cc20

SHA256
34d1e13022a22570d8975d520fae8d9b5d23cfaae3e7ef200266bc6e120637bc

SHA512
0c9d6917b58fb6c81389068ce13de002fa2aeba01410fc0ee9593a2c4a53f7d641b32586ff91ed0d1c4116200b44c9de6373d3f4a71de91d4e2045161306963b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads