e354af3776eb64d144aa20b2f95edce389197b4d637d8526ff7351aa041f2a97

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Size

372KB
MD5

cf70d1a8f13eceb3f827be4fda424511
SHA1

b0462c297aca9ff3e36fe6c2baf154f187c9af7d
SHA256

e354af3776eb64d144aa20b2f95edce389197b4d637d8526ff7351aa041f2a97
SHA512

0384c1fae206a5a0b7dbd6daa79bebc514a4c4e1f014850ae89c30c04e315048198fb20b2ca804b93c28eae80469f9ce6d9ab75bc69a96927d3cbd068b1d9238
SSDEEP

3072:CEGh0ovmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG4l/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023207-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e771-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023212-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e771-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e771-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C3831D1-5D9F-4775-9504-5B9459A4C578}	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F11213B7-0999-4d2f-800A-C2C8B276C943}	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F065F0-43EB-492c-ABBF-7835D2FC8B37}	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F11213B7-0999-4d2f-800A-C2C8B276C943}\stubpath = "C:\\Windows\\{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe"	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{373B98D3-E34D-450b-9CBA-33AED039E34C}	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80582246-5E32-46eb-AC87-DB61B41B8D9E}\stubpath = "C:\\Windows\\{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe"	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}\stubpath = "C:\\Windows\\{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe"	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}\stubpath = "C:\\Windows\\{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe"	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9814788E-0921-4ace-9FE0-D62891E9D058}\stubpath = "C:\\Windows\\{9814788E-0921-4ace-9FE0-D62891E9D058}.exe"	{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}\stubpath = "C:\\Windows\\{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe"	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9814788E-0921-4ace-9FE0-D62891E9D058}	{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F46D6F4-C386-457a-B8D8-54389F47ACA0}	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F065F0-43EB-492c-ABBF-7835D2FC8B37}\stubpath = "C:\\Windows\\{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe"	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}\stubpath = "C:\\Windows\\{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe"	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C3831D1-5D9F-4775-9504-5B9459A4C578}\stubpath = "C:\\Windows\\{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe"	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F46D6F4-C386-457a-B8D8-54389F47ACA0}\stubpath = "C:\\Windows\\{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe"	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{373B98D3-E34D-450b-9CBA-33AED039E34C}\stubpath = "C:\\Windows\\{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe"	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80582246-5E32-46eb-AC87-DB61B41B8D9E}	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}\stubpath = "C:\\Windows\\{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe"	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe

Executes dropped EXE 12 IoCs

pid	Process
1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe
4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe
3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe
1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe
1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe
996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe
4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe
5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe
4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe
4376	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe
3704	{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe
4592	{9814788E-0921-4ace-9FE0-D62891E9D058}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe
File created	C:\Windows\{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe
File created	C:\Windows\{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe
File created	C:\Windows\{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe
File created	C:\Windows\{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe
File created	C:\Windows\{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
File created	C:\Windows\{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe
File created	C:\Windows\{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe
File created	C:\Windows\{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe
File created	C:\Windows\{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe
File created	C:\Windows\{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe
File created	C:\Windows\{9814788E-0921-4ace-9FE0-D62891E9D058}.exe	{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1292	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe
Token: SeIncBasePriorityPrivilege	4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe
Token: SeIncBasePriorityPrivilege	3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe
Token: SeIncBasePriorityPrivilege	1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe
Token: SeIncBasePriorityPrivilege	1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe
Token: SeIncBasePriorityPrivilege	996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe
Token: SeIncBasePriorityPrivilege	4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe
Token: SeIncBasePriorityPrivilege	5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe
Token: SeIncBasePriorityPrivilege	4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe
Token: SeIncBasePriorityPrivilege	4376	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe
Token: SeIncBasePriorityPrivilege	3704	{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1472	1292	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	92
PID 1292 wrote to memory of 1472	1292	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	92
PID 1292 wrote to memory of 1472	1292	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	92
PID 1292 wrote to memory of 4628	1292	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	93
PID 1292 wrote to memory of 4628	1292	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	93
PID 1292 wrote to memory of 4628	1292	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	93
PID 1472 wrote to memory of 4580	1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe	94
PID 1472 wrote to memory of 4580	1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe	94
PID 1472 wrote to memory of 4580	1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe	94
PID 1472 wrote to memory of 4972	1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe	95
PID 1472 wrote to memory of 4972	1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe	95
PID 1472 wrote to memory of 4972	1472	{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe	95
PID 4580 wrote to memory of 3908	4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe	97
PID 4580 wrote to memory of 3908	4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe	97
PID 4580 wrote to memory of 3908	4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe	97
PID 4580 wrote to memory of 2356	4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe	98
PID 4580 wrote to memory of 2356	4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe	98
PID 4580 wrote to memory of 2356	4580	{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe	98
PID 3908 wrote to memory of 1768	3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe	99
PID 3908 wrote to memory of 1768	3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe	99
PID 3908 wrote to memory of 1768	3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe	99
PID 3908 wrote to memory of 1148	3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe	100
PID 3908 wrote to memory of 1148	3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe	100
PID 3908 wrote to memory of 1148	3908	{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe	100
PID 1768 wrote to memory of 1016	1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe	101
PID 1768 wrote to memory of 1016	1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe	101
PID 1768 wrote to memory of 1016	1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe	101
PID 1768 wrote to memory of 1080	1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe	102
PID 1768 wrote to memory of 1080	1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe	102
PID 1768 wrote to memory of 1080	1768	{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe	102
PID 1016 wrote to memory of 996	1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe	103
PID 1016 wrote to memory of 996	1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe	103
PID 1016 wrote to memory of 996	1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe	103
PID 1016 wrote to memory of 2980	1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe	104
PID 1016 wrote to memory of 2980	1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe	104
PID 1016 wrote to memory of 2980	1016	{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe	104
PID 996 wrote to memory of 4936	996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe	105
PID 996 wrote to memory of 4936	996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe	105
PID 996 wrote to memory of 4936	996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe	105
PID 996 wrote to memory of 2868	996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe	106
PID 996 wrote to memory of 2868	996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe	106
PID 996 wrote to memory of 2868	996	{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe	106
PID 4936 wrote to memory of 5100	4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe	107
PID 4936 wrote to memory of 5100	4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe	107
PID 4936 wrote to memory of 5100	4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe	107
PID 4936 wrote to memory of 1748	4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe	108
PID 4936 wrote to memory of 1748	4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe	108
PID 4936 wrote to memory of 1748	4936	{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe	108
PID 5100 wrote to memory of 4196	5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe	109
PID 5100 wrote to memory of 4196	5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe	109
PID 5100 wrote to memory of 4196	5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe	109
PID 5100 wrote to memory of 3712	5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe	110
PID 5100 wrote to memory of 3712	5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe	110
PID 5100 wrote to memory of 3712	5100	{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe	110
PID 4196 wrote to memory of 4376	4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe	111
PID 4196 wrote to memory of 4376	4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe	111
PID 4196 wrote to memory of 4376	4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe	111
PID 4196 wrote to memory of 4416	4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe	112
PID 4196 wrote to memory of 4416	4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe	112
PID 4196 wrote to memory of 4416	4196	{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe	112
PID 4376 wrote to memory of 3704	4376	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe	113
PID 4376 wrote to memory of 3704	4376	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe	113
PID 4376 wrote to memory of 3704	4376	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe	113
PID 4376 wrote to memory of 4400	4376	{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe
  C:\Windows\{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe
    C:\Windows\{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe
      C:\Windows\{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe
        
        C:\Windows\{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe
        
        C:\Windows\{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe
        
        C:\Windows\{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe
        
        C:\Windows\{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe
        
        C:\Windows\{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe
        
        C:\Windows\{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe
        
        C:\Windows\{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe
        
        C:\Windows\{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\{9814788E-0921-4ace-9FE0-D62891E9D058}.exe
        
        C:\Windows\{9814788E-0921-4ace-9FE0-D62891E9D058}.exe
        13⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC9CF~1.EXE > nul
        13⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E5C6~1.EXE > nul
        12⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AAFA~1.EXE > nul
        11⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65ACB~1.EXE > nul
        10⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80582~1.EXE > nul
        9⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{373B9~1.EXE > nul
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A878D~1.EXE > nul
        7⤵
        
        PID:2980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04F06~1.EXE > nul
        6⤵
        
        PID:1080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1121~1.EXE > nul
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F46D~1.EXE > nul
      4⤵
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C383~1.EXE > nul
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04F065F0-43EB-492c-ABBF-7835D2FC8B37}.exe

Filesize
372KB

MD5
111f54c0a8f3f3d59eecc703365f52c9

SHA1
5d9dbbf36194343da84fad40572a227eac054c32

SHA256
c2718c7c84e45feb024a73e0885d0b32f220ae8e7b2813bcc06eab880c1aa610

SHA512
150a7006ba74bb822f9c35ab85a7e7200a89beabeaf9b54dc5aa311abe2f0b6ebf8efb4a87ca9b88c18649f8a103bef1d04ba613810d7581500a7a158dd55408

Download Submit
C:\Windows\{0F46D6F4-C386-457a-B8D8-54389F47ACA0}.exe

Filesize
372KB

MD5
6860e1bcfd24e640911385758d41af3e

SHA1
f6f257210978b072b230b17b40e83d6270fee409

SHA256
b7d5d72b757f7f96ff9584e0c5ceb5a0003e01216082653ee37c5d785b8541a3

SHA512
86769a14d1a8835182264d1993539c32afd4c35f31f3414fd8089ff6bd8df2ce0f11770c6f9502a30b9d3bb2d42d4a805d922909119779a6f392b06a65dfa5a0

Download Submit
C:\Windows\{373B98D3-E34D-450b-9CBA-33AED039E34C}.exe

Filesize
372KB

MD5
c0d0765b7fe40544023de319acc32d68

SHA1
3f757943a75a7b90ab7d687d7ca0be5fbe64cca2

SHA256
663e781ed98f59532e7be5f152d77a74c42b5fb68819c60a6f32008dd4a3d067

SHA512
120d52678da4662435f153c95aa4d39984a8fcc2de552a5ade2f0f7492836ba7b94d9868cd85425aa8ad9e5bb4e75c4748ee3b280c3d4317e0c807be6f6bf4d5

Download Submit
C:\Windows\{5AAFA100-93E1-4cb9-A2BA-9BFA4AB2A8CD}.exe

Filesize
372KB

MD5
bb0424b9416f0bec89d53a4374abeb10

SHA1
d21885dd9484b17985365995239011249a1faefb

SHA256
b81db2337853ddee23eadbd062c060ba729b594ec73efb39a722a5d4ff18f98e

SHA512
a233158911df2af3016f9f3b0bb5284e6c7a6ddbaec4e672f9d461148d44e60da6a6ca157717fcfb5cb578a36377a0cd3c33c8a80c79003b03158086adb25961

Download Submit
C:\Windows\{5E5C6FEE-5B91-498d-A1FA-44F1CC69C2F7}.exe

Filesize
372KB

MD5
d028bcee7de8a39f0a70e68de9d3f2d9

SHA1
3dbb09150101c6a2d76ae1d0d24c5ea94b617d8c

SHA256
722638055c22726c2984629f023f52d2dcf01196331d9a27b1ff07f5a5e044b4

SHA512
cb30ff373e008b69f16aeb2c9d5076c3e68bc5760cf2b4eb59196bce70b62b43f57630fcf941ef6f9bf4098c6c50f92106de5a9dc665cc9d3211ef6ad858dd4a

Download Submit
C:\Windows\{65ACB0EE-0EB0-4ee3-B384-0B4CAD7C5446}.exe

Filesize
372KB

MD5
23cbd08a97cb89404848ddbad93fce10

SHA1
c6c01123fd0ea58deff31ca577502d9175eeee3d

SHA256
660b4551c81d900fc7278ab7ec3d45917381a1f598279e901ca9b59e42cd8ea6

SHA512
77df94b63d45bc9fa4a215917a37dd3b59bbb8ffab855cc6d51ede50c703221ca29c95ee8b78f18bd46f751a341d0e4817299d46e2bbb162d18d1cf0bfa5596a

Download Submit
C:\Windows\{80582246-5E32-46eb-AC87-DB61B41B8D9E}.exe

Filesize
372KB

MD5
2c741ba5fd1b4f7b85e218531efee928

SHA1
b9c6d66e0896f8fc2876fa8c097502c1d511cf05

SHA256
011398f02dce6fda4d24bfa6d19d0e2ace80c444425862d96b5ea3c91b001f7d

SHA512
e81034d0f80cc90544d8a1ffb3ba70b26085a28ad2ff3fe7381a6aec0b97e4998cf6ccabeadae93b55f36e713ca1b72aea117c9fde4a938860aedd8ff5c5c8aa

Download Submit
C:\Windows\{8C3831D1-5D9F-4775-9504-5B9459A4C578}.exe

Filesize
372KB

MD5
f0cb7f99083b1790d9502f8d7959113a

SHA1
51bc15b29d9d8445b9f0f2a2850c189d663e337a

SHA256
962e0c4a1e90647b306173b36be0e5623cbfc1e4f20b2487a99a92e854026144

SHA512
fd8481fdc5bc70c6846effb5c3a44c0a76c91602a4fc9b3be0495dbe2b7b7ba1c7a8dd3eed198fa1f3930c53fb960e5e447da64e1128b67f8bcc9ea2f0b26a1d

Download Submit
C:\Windows\{9814788E-0921-4ace-9FE0-D62891E9D058}.exe

Filesize
372KB

MD5
2289efeb8ac5c771e008218410503096

SHA1
1f5ef89d6c9182dd950367cedd59327d5f05d4a4

SHA256
67d5aa2b6b48a26af15fd367f7df8375718d662b80c8fe014a2dc4c909ef06c7

SHA512
13dcb118f20e9b42beae4ed496ac44423dd945b686836bdf120d6634118feee0487d07cbf698b082a762651221b41a1d90499a1494fdda54fc622c5fa86ac8bb

Download Submit
C:\Windows\{A878D7F8-C4C7-4ed9-B70A-7B0D61BD3378}.exe

Filesize
372KB

MD5
34b7da2dc4d57f00117274c7c4f2ecc2

SHA1
8bc6fb185bd7480c89c99bea9b7940bda5ddee4a

SHA256
3d73fe49bb887c89b5e246c15679d0f26cad2035869f3d613e2ca2b0b511d904

SHA512
4f26a6fefe05fef03dbfa917d4a8c687cb56ed1ef1f7ab084f5a674963a490d23f43ab27b6d4bc9292a05e015fcd75b30cb5a686ac22500a17383d9b91983212

Download Submit
C:\Windows\{AC9CF0E0-841A-4d63-ACAB-A0F2BACC940C}.exe

Filesize
372KB

MD5
4ad8f3016945e6cbe9d43f8bae6daddc

SHA1
a4a0f0cbe76f14f6cb0fea7d5b0b75dcc4bf7bbe

SHA256
cef88dcdb0954b5ca2aa5f95ad0f81df525e83b21ee862d3c58ece9e29d51a67

SHA512
3edc91ae75c95dd3bc13c28ad4cdd2175ff0b3e22952b43dc73e3f7c73b0de8cc90c7bca407bbaf9e20c9636c5a2bec9400775ba572714ce7f6d516a1d0a5439

Download Submit
C:\Windows\{F11213B7-0999-4d2f-800A-C2C8B276C943}.exe

Filesize
372KB

MD5
9f11ccf2210fdfbce7d8d91b2c91dd99

SHA1
2ecedfb4c34130526680c9ca81a5843f4b1d2e9b

SHA256
00f6d60cbbec623c216ad467a9647650dbeebfd8e7624f6bbfaa34e10f9c1ed6

SHA512
fe37d94f0299ec116abd93fadae3ba28b4dc05a341e81c6e032f254dba6b0122d2057d3608a64f056fcefb12ab94914c3dcf7188142ad724d226b8b09a10a2da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads