e01181d75f69d9141c17e20f8c60b0e5e06b9296b2bf02ea439cd767ee5e33a4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe
Size

216KB
MD5

89829e12273db1ebd320d71e05edfe70
SHA1

1530e40b3018d835b4270391b915eff9383daa46
SHA256

e01181d75f69d9141c17e20f8c60b0e5e06b9296b2bf02ea439cd767ee5e33a4
SHA512

b69ecfa6ac86ce5755b6e065fc163c24a45f0b3d4697765cbc460a2eed2bae15456db57a752f3733e1b017a3aa7f1df1e9709e0fd0327643e3582750d7d798da
SSDEEP

3072:jEGh0oul+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG4lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023226-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023226-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021681-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002167d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000719-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000719-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000739-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2840A9C1-F8C5-4337-B171-AEAED1612A5C}	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5272AF3B-62B6-42a2-A44D-42D5A154A928}\stubpath = "C:\\Windows\\{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe"	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A36C002-DEC1-4979-8AA5-57098F97BEE5}\stubpath = "C:\\Windows\\{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe"	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539F3177-1A99-4504-A56C-D83173F36594}	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539F3177-1A99-4504-A56C-D83173F36594}\stubpath = "C:\\Windows\\{539F3177-1A99-4504-A56C-D83173F36594}.exe"	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}\stubpath = "C:\\Windows\\{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe"	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}	{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}\stubpath = "C:\\Windows\\{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe"	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2840A9C1-F8C5-4337-B171-AEAED1612A5C}\stubpath = "C:\\Windows\\{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe"	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}\stubpath = "C:\\Windows\\{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe"	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A36C002-DEC1-4979-8AA5-57098F97BEE5}	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}\stubpath = "C:\\Windows\\{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe"	{539F3177-1A99-4504-A56C-D83173F36594}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}\stubpath = "C:\\Windows\\{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}.exe"	{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}\stubpath = "C:\\Windows\\{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe"	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20E0E7C5-6E1C-491f-82A3-467890731E72}	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20E0E7C5-6E1C-491f-82A3-467890731E72}\stubpath = "C:\\Windows\\{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe"	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}\stubpath = "C:\\Windows\\{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe"	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5272AF3B-62B6-42a2-A44D-42D5A154A928}	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}	{539F3177-1A99-4504-A56C-D83173F36594}.exe

Executes dropped EXE 12 IoCs

pid	Process
2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe
564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe
3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe
3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe
1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe
1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe
2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe
756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe
2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe
3372	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe
2180	{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe
3944	{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe
File created	C:\Windows\{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe
File created	C:\Windows\{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe	{539F3177-1A99-4504-A56C-D83173F36594}.exe
File created	C:\Windows\{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe
File created	C:\Windows\{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe
File created	C:\Windows\{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe
File created	C:\Windows\{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe
File created	C:\Windows\{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe
File created	C:\Windows\{539F3177-1A99-4504-A56C-D83173F36594}.exe	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe
File created	C:\Windows\{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe
File created	C:\Windows\{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe
File created	C:\Windows\{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}.exe	{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1844	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe
Token: SeIncBasePriorityPrivilege	564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe
Token: SeIncBasePriorityPrivilege	3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe
Token: SeIncBasePriorityPrivilege	3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe
Token: SeIncBasePriorityPrivilege	1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe
Token: SeIncBasePriorityPrivilege	1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe
Token: SeIncBasePriorityPrivilege	2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe
Token: SeIncBasePriorityPrivilege	756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe
Token: SeIncBasePriorityPrivilege	2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe
Token: SeIncBasePriorityPrivilege	3372	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe
Token: SeIncBasePriorityPrivilege	2180	{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2708	1844	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe	88
PID 1844 wrote to memory of 2708	1844	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe	88
PID 1844 wrote to memory of 2708	1844	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe	88
PID 1844 wrote to memory of 4988	1844	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe	89
PID 1844 wrote to memory of 4988	1844	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe	89
PID 1844 wrote to memory of 4988	1844	2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe	89
PID 2708 wrote to memory of 564	2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe	93
PID 2708 wrote to memory of 564	2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe	93
PID 2708 wrote to memory of 564	2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe	93
PID 2708 wrote to memory of 1884	2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe	94
PID 2708 wrote to memory of 1884	2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe	94
PID 2708 wrote to memory of 1884	2708	{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe	94
PID 564 wrote to memory of 3160	564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe	96
PID 564 wrote to memory of 3160	564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe	96
PID 564 wrote to memory of 3160	564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe	96
PID 564 wrote to memory of 2636	564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe	97
PID 564 wrote to memory of 2636	564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe	97
PID 564 wrote to memory of 2636	564	{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe	97
PID 3160 wrote to memory of 3068	3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe	98
PID 3160 wrote to memory of 3068	3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe	98
PID 3160 wrote to memory of 3068	3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe	98
PID 3160 wrote to memory of 4248	3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe	99
PID 3160 wrote to memory of 4248	3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe	99
PID 3160 wrote to memory of 4248	3160	{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe	99
PID 3068 wrote to memory of 1552	3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe	100
PID 3068 wrote to memory of 1552	3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe	100
PID 3068 wrote to memory of 1552	3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe	100
PID 3068 wrote to memory of 1848	3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe	101
PID 3068 wrote to memory of 1848	3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe	101
PID 3068 wrote to memory of 1848	3068	{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe	101
PID 1552 wrote to memory of 1196	1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe	102
PID 1552 wrote to memory of 1196	1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe	102
PID 1552 wrote to memory of 1196	1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe	102
PID 1552 wrote to memory of 2640	1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe	103
PID 1552 wrote to memory of 2640	1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe	103
PID 1552 wrote to memory of 2640	1552	{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe	103
PID 1196 wrote to memory of 2968	1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe	104
PID 1196 wrote to memory of 2968	1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe	104
PID 1196 wrote to memory of 2968	1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe	104
PID 1196 wrote to memory of 1628	1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe	105
PID 1196 wrote to memory of 1628	1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe	105
PID 1196 wrote to memory of 1628	1196	{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe	105
PID 2968 wrote to memory of 756	2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe	106
PID 2968 wrote to memory of 756	2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe	106
PID 2968 wrote to memory of 756	2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe	106
PID 2968 wrote to memory of 2028	2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe	107
PID 2968 wrote to memory of 2028	2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe	107
PID 2968 wrote to memory of 2028	2968	{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe	107
PID 756 wrote to memory of 2972	756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe	108
PID 756 wrote to memory of 2972	756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe	108
PID 756 wrote to memory of 2972	756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe	108
PID 756 wrote to memory of 3416	756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe	109
PID 756 wrote to memory of 3416	756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe	109
PID 756 wrote to memory of 3416	756	{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe	109
PID 2972 wrote to memory of 3372	2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe	110
PID 2972 wrote to memory of 3372	2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe	110
PID 2972 wrote to memory of 3372	2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe	110
PID 2972 wrote to memory of 824	2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe	111
PID 2972 wrote to memory of 824	2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe	111
PID 2972 wrote to memory of 824	2972	{539F3177-1A99-4504-A56C-D83173F36594}.exe	111
PID 3372 wrote to memory of 2180	3372	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe	112
PID 3372 wrote to memory of 2180	3372	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe	112
PID 3372 wrote to memory of 2180	3372	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe	112
PID 3372 wrote to memory of 3184	3372	{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_89829e12273db1ebd320d71e05edfe70_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe
  C:\Windows\{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe
    C:\Windows\{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe
      C:\Windows\{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe
        
        C:\Windows\{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe
        
        C:\Windows\{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe
        
        C:\Windows\{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe
        
        C:\Windows\{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe
        
        C:\Windows\{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{539F3177-1A99-4504-A56C-D83173F36594}.exe
        
        C:\Windows\{539F3177-1A99-4504-A56C-D83173F36594}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe
        
        C:\Windows\{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe
        
        C:\Windows\{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A686F~1.EXE > nul
        13⤵
        
        PID:3852
        
        C:\Windows\{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}.exe
        
        C:\Windows\{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}.exe
        13⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA232~1.EXE > nul
        12⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{539F3~1.EXE > nul
        11⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A36C~1.EXE > nul
        10⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{396AD~1.EXE > nul
        9⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20E0E~1.EXE > nul
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5272A~1.EXE > nul
        7⤵
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5C2C~1.EXE > nul
        6⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BBB3~1.EXE > nul
        5⤵
        
        PID:4248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2840A~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2AD41~1.EXE > nul
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20E0E7C5-6E1C-491f-82A3-467890731E72}.exe

Filesize
216KB

MD5
5605563fd15e719d1f57d572fe743994

SHA1
87d3fa894eb2adaf03edf0c6b8705fd98262a72e

SHA256
af2c00a97a2407c530bf1df72dd32923379dc50f899ac9714a6f4915f65faca7

SHA512
8c34a0f2b3bd826218cd4807b003db1e799136bd99f028ad0cab0d42135557bb3a6394c3e5e9b86251a8c6b95bcc64ecc6ee82c41d2c3daf976f032727434390

Download Submit
C:\Windows\{2840A9C1-F8C5-4337-B171-AEAED1612A5C}.exe

Filesize
216KB

MD5
69ab63a5b4d930e827615ecbd28312fa

SHA1
b9ae24873f976d40df955a3ec77cdf8261e14d53

SHA256
4a128e3ad458387161ba4fe8bb94b62752dd98993ea84c9aad216b7c81cc6112

SHA512
aeb18c5dbfb2b5e1cf20116005bf13bb4a3b3b38da130196e6cfc389e18d8f3ed34d44adce60fc6f2904680f588b63c86fec072d371cb149145f59d80236abfd

Download Submit
C:\Windows\{2AD41B2C-AE5B-4af6-8A8B-9AD6FAFE5BEF}.exe

Filesize
216KB

MD5
c4eeadf84c682f2d7e7375c7b8fdefc8

SHA1
a78fe75c9b9574cfc67ab3af10975a5e43f2b74a

SHA256
b85cac3dcfe35f540b637890c401150271cf8ff737030e5fcefe1dcaba5b4f99

SHA512
7eb1109f6e12b7e44694c25e71a1b2d2aa725c847e4e65a723aa9198783f55a89fe6cf26b42c1c8159e5020ef9714ac8442f699a6370f97bb48d11edae438bb3

Download Submit
C:\Windows\{396AD709-D98D-4ca1-AC9C-FB7AF3E6C42C}.exe

Filesize
216KB

MD5
39454722c7a84188d321290ed683076c

SHA1
e28d5f269ece501d9f5f2d1426a4e6bc70405c7c

SHA256
95200eec5e2dc54626a55fdb6cc53e4c342dce2292b242d454c2566f62f67a9a

SHA512
5f416cd332b559207032033b4275c00198bd1844eb9ac229ce2646e424df7c799d63ea2519dc2cc402a94915cf9bda74ee97b40527e3a1fe049596554b42f644

Download Submit
C:\Windows\{5272AF3B-62B6-42a2-A44D-42D5A154A928}.exe

Filesize
216KB

MD5
d39ea1675bf9bb2002bbf7f54d9f84ac

SHA1
22a7551301b52c3d774b0ce3c134d945b3ad4ee8

SHA256
ae4d3483136583fa218c64039b68701ea50ad21feaf3c147739b78d5efca3360

SHA512
be3a1b8c8fc51fae52bf33098df8a856209d70223787f57ef5f663963990c4a54f3787b7b03d33a9862b4953e92f39fdd4f853a9aba9a46c149b4c8517fd6f78

Download Submit
C:\Windows\{539F3177-1A99-4504-A56C-D83173F36594}.exe

Filesize
216KB

MD5
b5dad2ff78a1ccda8d8ce630629d28f4

SHA1
82d3788301b39a10cf23f2150b8017e555777db9

SHA256
05d429b3367ac0099ab6829f22e054b13e32fde5c60cecffb2787b9d079cba5e

SHA512
1fcbebc537e39b67c9c8f9634de1376fb1dbefe9032a43e0d7ca2c467ca8fc1aad2a84318af4ee3f5288efac6cb1a7dd07c414c81172744006c9dd162826e2e6

Download Submit
C:\Windows\{8A36C002-DEC1-4979-8AA5-57098F97BEE5}.exe

Filesize
216KB

MD5
fdff279f3bb619670d400b24ae7ee009

SHA1
71b0a2be3d0a622cf1009e8e8c004bc0f3475761

SHA256
ab65fe619022fab5c9582843e31213deb3665c72e65f9d97507380723b1cb941

SHA512
150cfe063d02c7a3ad04ffb6ebc345f0a16b4ad691bb3cc08f2907f7e1984134a092755f8d15725cb0755f58f18caa730993496006b54c960827c7d5e22f52d0

Download Submit
C:\Windows\{8BBB3B7A-9CA7-4abd-B59F-925936BFC2A0}.exe

Filesize
216KB

MD5
882396c56b8c856616b021acee177d70

SHA1
3f8bf04b6e5341a4d1d654c769bc2e825d5d815d

SHA256
0fed86370349593438f59c3e37934eb19f300ba810dbabf2d974297dbc26c0f8

SHA512
87808ee6bfa06b733b09265ea8a500d2877a2e3bcbb05d1f803b5510dcb46083ac21b6865b27054edf83c8de355a65f2338b5efe063c07a271bba26eb30cba0c

Download Submit
C:\Windows\{A686F9B5-E72E-4af6-92BD-F20CD754BDEF}.exe

Filesize
216KB

MD5
cdbf8c4a205f43d2e718d959ea2559a7

SHA1
e94903fef1274f67eb1796fd511ef7cf9deb02e5

SHA256
c6f85b1a430c75d3291709e75fbf557212091338b859ee2f693bc5b09ea8322c

SHA512
43adc3f9c68500cfd8e4fac2e901801645658bf2dabf15fb9f22bba92c36599d150076d6a5264afabb35eef9eca5829393a87f2b0376458009b00cb76f9136b4

Download Submit
C:\Windows\{E5C2CE6F-844F-40d9-AAC0-3841508A8CDE}.exe

Filesize
216KB

MD5
cc6f754930fabd83fa7ddd4016d0f7f7

SHA1
5887d3a4f6be5d3a89e5945ef004c0436623b2dd

SHA256
b11a7c52bb5c9a28ee1c64aced1c0f8ebb780d136c6255beb71f5bf3561a42cc

SHA512
c908a2a65b07569de55a12afcacc420368bc36243e680bf647f016bab30fdb94fb5a2348c56985f4515cac096f8a5e31203d9b4581de8a008bcfe60df9f4afbe

Download Submit
C:\Windows\{EA232FE5-47A5-4f25-A76D-A8FA2905B3B4}.exe

Filesize
216KB

MD5
276fa8b57ed9afb53af0dc8a2cc7b6ed

SHA1
fad4617d946b692fbc888b30d8e2edeecb85c055

SHA256
9d58d12d0ce809050a1714eb9034c1996c4e2222ddc3a50d954eb2899bd6035a

SHA512
3b2a1f1ce796530112636b499ba731333a019a69ca38b9dfe84130cca8f1530f4cf1e8200b79eb47473af145110e882f008a6389a3c47017e5683d540ed4ae51

Download Submit
C:\Windows\{FADC9885-8D28-4595-9A0F-83ABFEC1D4F3}.exe

Filesize
216KB

MD5
34ce368a47070009c02f7b47eb7781a6

SHA1
9c844b533b14f1ab64e30b76ed08027b0fc6f05f

SHA256
9baa954cf11a7a2bb6a59bf3690c8d7c9a81a36cd14852aceded59307c52ff4d

SHA512
94881bec555fdbf2b8b79adc872594a96835c9544e0faadc90329929b08eef132cc3b530a51a61f16332f810c1fe0dd3ee705ea0b0ece81e1d9d2d69dd6bceb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads