c549b35afb493509d723ad489dd01aadaf24972d26ce45971ebb4e3e650d80d9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe
Size

408KB
MD5

97c95f5f9e3de6f4555f53ab1ff941bd
SHA1

c54c0119a90d046828f641c2d85c90b5cd6f8fa2
SHA256

c549b35afb493509d723ad489dd01aadaf24972d26ce45971ebb4e3e650d80d9
SHA512

43d850f6670b8119841be0077abc4cbef7a399467c07bde5b805a7cf8e6d456a08385e7b842a64337bb92d8eab2b28115255ee4cb06ac37eb6716e7201fa00fb
SSDEEP

3072:CEGh0ot8l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTB1:CEGr8ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023226-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023226-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDF2773B-A6AD-4cde-9343-736CA4974655}	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}\stubpath = "C:\\Windows\\{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe"	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}\stubpath = "C:\\Windows\\{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe"	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}\stubpath = "C:\\Windows\\{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe"	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}\stubpath = "C:\\Windows\\{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe"	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C24944-15C9-408b-8FB2-200EC18C7F0C}	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BF2552-DFDA-4703-8212-855575E33A2A}	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63F6A440-4314-400d-AB96-BAAC48677A46}\stubpath = "C:\\Windows\\{63F6A440-4314-400d-AB96-BAAC48677A46}.exe"	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{770CB083-F6E0-4b6e-8B09-075C73DB06A2}	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BF2552-DFDA-4703-8212-855575E33A2A}\stubpath = "C:\\Windows\\{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe"	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}\stubpath = "C:\\Windows\\{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe"	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}	{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDF2773B-A6AD-4cde-9343-736CA4974655}\stubpath = "C:\\Windows\\{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe"	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63F6A440-4314-400d-AB96-BAAC48677A46}	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{770CB083-F6E0-4b6e-8B09-075C73DB06A2}\stubpath = "C:\\Windows\\{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe"	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}\stubpath = "C:\\Windows\\{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe"	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C24944-15C9-408b-8FB2-200EC18C7F0C}\stubpath = "C:\\Windows\\{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe"	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}\stubpath = "C:\\Windows\\{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}.exe"	{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe

Executes dropped EXE 12 IoCs

pid	Process
1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe
3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe
4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe
3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe
5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe
1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe
3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe
1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe
4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe
2452	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe
3824	{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe
2820	{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{63F6A440-4314-400d-AB96-BAAC48677A46}.exe	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe
File created	C:\Windows\{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe
File created	C:\Windows\{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe
File created	C:\Windows\{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe
File created	C:\Windows\{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}.exe	{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe
File created	C:\Windows\{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe
File created	C:\Windows\{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe
File created	C:\Windows\{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe
File created	C:\Windows\{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe
File created	C:\Windows\{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe
File created	C:\Windows\{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe
File created	C:\Windows\{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2308	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe
Token: SeIncBasePriorityPrivilege	3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe
Token: SeIncBasePriorityPrivilege	4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe
Token: SeIncBasePriorityPrivilege	3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe
Token: SeIncBasePriorityPrivilege	5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe
Token: SeIncBasePriorityPrivilege	1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe
Token: SeIncBasePriorityPrivilege	3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe
Token: SeIncBasePriorityPrivilege	1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe
Token: SeIncBasePriorityPrivilege	4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe
Token: SeIncBasePriorityPrivilege	2452	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe
Token: SeIncBasePriorityPrivilege	3824	{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1028	2308	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe	89
PID 2308 wrote to memory of 1028	2308	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe	89
PID 2308 wrote to memory of 1028	2308	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe	89
PID 2308 wrote to memory of 4692	2308	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe	90
PID 2308 wrote to memory of 4692	2308	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe	90
PID 2308 wrote to memory of 4692	2308	2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe	90
PID 1028 wrote to memory of 3092	1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe	93
PID 1028 wrote to memory of 3092	1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe	93
PID 1028 wrote to memory of 3092	1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe	93
PID 1028 wrote to memory of 4916	1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe	94
PID 1028 wrote to memory of 4916	1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe	94
PID 1028 wrote to memory of 4916	1028	{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe	94
PID 3092 wrote to memory of 4796	3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe	96
PID 3092 wrote to memory of 4796	3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe	96
PID 3092 wrote to memory of 4796	3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe	96
PID 3092 wrote to memory of 4428	3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe	97
PID 3092 wrote to memory of 4428	3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe	97
PID 3092 wrote to memory of 4428	3092	{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe	97
PID 4796 wrote to memory of 3488	4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe	98
PID 4796 wrote to memory of 3488	4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe	98
PID 4796 wrote to memory of 3488	4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe	98
PID 4796 wrote to memory of 1560	4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe	99
PID 4796 wrote to memory of 1560	4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe	99
PID 4796 wrote to memory of 1560	4796	{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe	99
PID 3488 wrote to memory of 5112	3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe	100
PID 3488 wrote to memory of 5112	3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe	100
PID 3488 wrote to memory of 5112	3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe	100
PID 3488 wrote to memory of 524	3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe	101
PID 3488 wrote to memory of 524	3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe	101
PID 3488 wrote to memory of 524	3488	{63F6A440-4314-400d-AB96-BAAC48677A46}.exe	101
PID 5112 wrote to memory of 1712	5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe	102
PID 5112 wrote to memory of 1712	5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe	102
PID 5112 wrote to memory of 1712	5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe	102
PID 5112 wrote to memory of 1156	5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe	103
PID 5112 wrote to memory of 1156	5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe	103
PID 5112 wrote to memory of 1156	5112	{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe	103
PID 1712 wrote to memory of 3472	1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe	104
PID 1712 wrote to memory of 3472	1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe	104
PID 1712 wrote to memory of 3472	1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe	104
PID 1712 wrote to memory of 1468	1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe	105
PID 1712 wrote to memory of 1468	1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe	105
PID 1712 wrote to memory of 1468	1712	{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe	105
PID 3472 wrote to memory of 1980	3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe	106
PID 3472 wrote to memory of 1980	3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe	106
PID 3472 wrote to memory of 1980	3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe	106
PID 3472 wrote to memory of 212	3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe	107
PID 3472 wrote to memory of 212	3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe	107
PID 3472 wrote to memory of 212	3472	{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe	107
PID 1980 wrote to memory of 4348	1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe	108
PID 1980 wrote to memory of 4348	1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe	108
PID 1980 wrote to memory of 4348	1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe	108
PID 1980 wrote to memory of 1828	1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe	109
PID 1980 wrote to memory of 1828	1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe	109
PID 1980 wrote to memory of 1828	1980	{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe	109
PID 4348 wrote to memory of 2452	4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe	110
PID 4348 wrote to memory of 2452	4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe	110
PID 4348 wrote to memory of 2452	4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe	110
PID 4348 wrote to memory of 3108	4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe	111
PID 4348 wrote to memory of 3108	4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe	111
PID 4348 wrote to memory of 3108	4348	{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe	111
PID 2452 wrote to memory of 3824	2452	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe	112
PID 2452 wrote to memory of 3824	2452	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe	112
PID 2452 wrote to memory of 3824	2452	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe	112
PID 2452 wrote to memory of 3224	2452	{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_97c95f5f9e3de6f4555f53ab1ff941bd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe
  C:\Windows\{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe
    C:\Windows\{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe
      C:\Windows\{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\{63F6A440-4314-400d-AB96-BAAC48677A46}.exe
        
        C:\Windows\{63F6A440-4314-400d-AB96-BAAC48677A46}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe
        
        C:\Windows\{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe
        
        C:\Windows\{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe
        
        C:\Windows\{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe
        
        C:\Windows\{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe
        
        C:\Windows\{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe
        
        C:\Windows\{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe
        
        C:\Windows\{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}.exe
        
        C:\Windows\{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}.exe
        13⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DBA9~1.EXE > nul
        13⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BF2~1.EXE > nul
        12⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81C24~1.EXE > nul
        11⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50890~1.EXE > nul
        10⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{770CB~1.EXE > nul
        9⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B120D~1.EXE > nul
        8⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DAD8~1.EXE > nul
        7⤵
        
        PID:1156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63F6A~1.EXE > nul
        6⤵
        
        PID:524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1CAB~1.EXE > nul
        5⤵
        
        PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC5CC~1.EXE > nul
      4⤵
      PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DDF27~1.EXE > nul
    3⤵
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3DAD88E6-8A6E-45fe-BC3C-8F7B934E9025}.exe

Filesize
408KB

MD5
1602fbcdeb8483e1bb79e416342a2ae7

SHA1
e927e2554bc212bf2c6c7b45e1b75d5da26cfb2b

SHA256
aea71b5bfe60db8e915da7bf01b946ad0802194e45ddfd2137d9fd794249019d

SHA512
6e17a113cd1b7a32cf9aa4ff6bcfb579bbc01ed600c262404cd164a50aefb78754d589a0b28a6bf3bf96ec2f75e81f748134ff905f3f7d2b0c9e44618c2e2229

Download Submit
C:\Windows\{508904E9-AFEE-4a87-82DF-A09FB8E96CA1}.exe

Filesize
408KB

MD5
893c505537e9c407b9621bc6711640b3

SHA1
9b50f0e2757a6ea16e3b2ed599736529be617c74

SHA256
0fe6187eda97fcda7b65cbecf906db00c7f29559e58c084b4fa7a6b15e732928

SHA512
366a5a09127bc090dd76566f6d028ba6b6a839e4c8692c1a2120af5bf3c1187f7fd63251f21955ea2f8189edefafa176395882dfee9c2f072dd5f1ef495b3d8a

Download Submit
C:\Windows\{63F6A440-4314-400d-AB96-BAAC48677A46}.exe

Filesize
408KB

MD5
9dc0268e0d1a5db7d7d46e37fae63775

SHA1
b25217067254f73ca492105b46a6c1e6bae6c727

SHA256
4986b534ed3cc60418ea5d786b57587e51173d38eeab319896dfddf03ad641cb

SHA512
3ee4a3accbc0c442aa8cd5f4bf8d308ea7c15c6e538991f78d953c5a79a6e2af2b98c93e26788d570edf30804b900875238b60582746d9de714d87b2a526c5f6

Download Submit
C:\Windows\{6DBA980F-9B26-4e5e-B706-8CAD4335B1A1}.exe

Filesize
408KB

MD5
0b9410156bdfc5b318ca954220a552fd

SHA1
17212495a2132310e5758de8898daf8b8d1145ea

SHA256
550955d5c16ad7190216b71eeee94c4974f2ff6c0fe23fb51562cadb2f678fda

SHA512
756434f6b9de9544f3d8590c57a87e266cbab3905efcc99338aef336a6f279b168495e0df61167a03b3df156d42c2de56c47de9902cf7f8fb462c66bd1bbba22

Download Submit
C:\Windows\{770CB083-F6E0-4b6e-8B09-075C73DB06A2}.exe

Filesize
408KB

MD5
21b529ee56b57ca4cadaccfb7dc488c0

SHA1
3f9adec76e09b4a0fb767d2c4eca9dddefc1c910

SHA256
432f64c321e72598f2d529c0ee4f56f1499003c4a8668e032569de2308b68d33

SHA512
5db9d815b4ad4387e427430ae0d95582cd7ac7dd9c2090a6d75ee8ce4290c679ef5bd4c0295aab6f79cb8e8031a008b27532dfa8d4d4f2bcebd391e29869b6db

Download Submit
C:\Windows\{81C24944-15C9-408b-8FB2-200EC18C7F0C}.exe

Filesize
408KB

MD5
cde37c3e4fb2fb2bb87f85bb37bba891

SHA1
d3e65b389884baa80860ff4ab4c5b6aba892def3

SHA256
7e33cef3f65d0e590d2ce93fde9b7bbc9bb9e205945b4e5b106ac33097b76d60

SHA512
899920f59a431bd57c51d25cf9313e084fe9f3b495eeff968133c3310a864cba0bed39177027a38f2d78dae34708b70bb5617b3dcb0af5f02f2a28c8745930ce

Download Submit
C:\Windows\{B120D2DA-9582-44b2-9F74-7BC0ED6D9CE9}.exe

Filesize
408KB

MD5
ac7b423979d51d7028f1e84086b4d09a

SHA1
59911276c898f749eaae3865a9b29cf8b1d1a7ee

SHA256
100783a2fe5779b3c40548fb46b7a5aa6c1a1e3786db1249a2c3090bc079da6d

SHA512
a6ea319e27dd3e3b8eb90e83f8ee892fe993161662c5a31be607681c34568b38f7daaff4951f02f81f48438720a3c9b6dfe4744966ae4346f16fd198eda057aa

Download Submit
C:\Windows\{C8BF2552-DFDA-4703-8212-855575E33A2A}.exe

Filesize
408KB

MD5
f665b96da4aa8ab0627120e43ba8e612

SHA1
f0c55efbe809d0745b62e14a852771b53b7eb259

SHA256
06e3047eb18e098fd1b925d454a046b540933f7b8cce999b36aad3789e266c22

SHA512
9facac3d1927319f43c5e3255282eda6bfab3d4867984e6434d9b425332c02a90072a0b2dcdacadb51569cfc73c7e7883b02334f6bb7ec56001431dae8fa2a18

Download Submit
C:\Windows\{CDE5B8E1-ED90-4cdd-A450-ECA214F77E55}.exe

Filesize
408KB

MD5
048f987496dd6477cfc8a414b35e3e3a

SHA1
fc5f8610ed4deb018e0cf65a40c930ebe38a7153

SHA256
4377e35d0e025b06b8fd554c46ef88f974564b0976f5e1e50c3bcb3c09501e9c

SHA512
8dbe9840c432f5707520d674f7695e794988089c8ec15b84e644c22b2d4055771e6459c2ea53e1ae0a025a750c8a78333daaa011537d2af8b7be3e9d0bba8dc1

Download Submit
C:\Windows\{D1CAB1E9-7FA5-40e5-9D75-178FCF4FBFF2}.exe

Filesize
408KB

MD5
269aa7321f117de69272e669f142896c

SHA1
7d54decffa3d835678763410b134607f977f543c

SHA256
44c7db5b621bc2c660c80cbfc868dd3da2241b02cf7d48d5f8f733f5ad8ebf94

SHA512
57b4537203ce8a19f02b2bed2a8369dd2b94bba9294e6d4793862cb57064bbf461dfe3687d769d082938050441fd2df5658280a153c4cdd24c0ad6a16536755d

Download Submit
C:\Windows\{DDF2773B-A6AD-4cde-9343-736CA4974655}.exe

Filesize
408KB

MD5
0d2bf1c87fe525b13b9d0f050c7d5a8e

SHA1
8645f038a03a6954abe08386bc1731a72dbb31d2

SHA256
4072432f9082a8f7ec2c02d205c22bc37fb3faf7a7e9dfe17bce1889d8e780a1

SHA512
6e3d6d80bdda11a419420e87d0fd71dee3e43e62143c974b503a5d335309189935b83079b93414b75f680f47222558293fcfdd1c96b08167b57d58c246bc4204

Download Submit
C:\Windows\{EC5CC4AE-3358-4b53-AEEE-43A7EF0C3086}.exe

Filesize
408KB

MD5
bf870bcf38c1ee1a12526208b6005364

SHA1
02f3800a64cc0523f0fc67dd22b0070f30ba3771

SHA256
3091bf5afce061f884d6cd69d1a7ee3e6d12ae1d65bb1ccea14d3d820a317fe3

SHA512
632ccda53a99189f25abc616d507f44e9dc2bcc7885636351cc722f2f5cfb4f0a2cb9b9770ace5dedb344fd9323995a7ef7e4402d82375c692072b153e011e16

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads