35b55f6af4ff536fbf252954356cb8a78dc07aa681ddae455095969dcf7830d3

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe
Size

168KB
MD5

5b565c5ea920a1012aff194d0970473a
SHA1

bec133f194b20f3129a7c2dfbe0f770d1da74433
SHA256

35b55f6af4ff536fbf252954356cb8a78dc07aa681ddae455095969dcf7830d3
SHA512

6fc4738d695cbed95aa136bf8452cf633e663d9f508819dedb3f99e4cdd3b87689b65ffc5a016bc1f96871b2c87ce3253bdbb1da1be7fb8c5359a333bf1e4ed3
SSDEEP

1536:1EGh0oglq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oglqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002323f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023241-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002324f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023241-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c58-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{224F8CFC-BFF2-42ed-8246-946470CABC2C}\stubpath = "C:\\Windows\\{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe"	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C0DE5D-8B31-4519-8F6C-F2F595694C20}\stubpath = "C:\\Windows\\{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe"	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}	{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}\stubpath = "C:\\Windows\\{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}.exe"	{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}\stubpath = "C:\\Windows\\{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe"	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AF6542-6CD6-4135-B047-948D41D75C4E}\stubpath = "C:\\Windows\\{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe"	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0E7DEA-040E-4582-A083-1A0F239770C1}\stubpath = "C:\\Windows\\{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe"	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}\stubpath = "C:\\Windows\\{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe"	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}\stubpath = "C:\\Windows\\{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe"	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}\stubpath = "C:\\Windows\\{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe"	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852161CD-BB25-4cd5-B12F-3B64144AB00D}\stubpath = "C:\\Windows\\{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe"	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{224F8CFC-BFF2-42ed-8246-946470CABC2C}	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C0DE5D-8B31-4519-8F6C-F2F595694C20}	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AF6542-6CD6-4135-B047-948D41D75C4E}	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0E7DEA-040E-4582-A083-1A0F239770C1}	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D430A6D2-B076-4f11-80E3-97B8CCE88667}	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D430A6D2-B076-4f11-80E3-97B8CCE88667}\stubpath = "C:\\Windows\\{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe"	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852161CD-BB25-4cd5-B12F-3B64144AB00D}	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}\stubpath = "C:\\Windows\\{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe"	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe

Executes dropped EXE 12 IoCs

pid	Process
2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe
4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe
4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe
4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe
3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe
4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe
1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe
1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe
4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe
748	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe
3164	{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe
4588	{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe
File created	C:\Windows\{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe
File created	C:\Windows\{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}.exe	{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe
File created	C:\Windows\{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe
File created	C:\Windows\{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe
File created	C:\Windows\{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe
File created	C:\Windows\{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe
File created	C:\Windows\{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe
File created	C:\Windows\{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe
File created	C:\Windows\{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe
File created	C:\Windows\{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe
File created	C:\Windows\{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1424	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe
Token: SeIncBasePriorityPrivilege	4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe
Token: SeIncBasePriorityPrivilege	4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe
Token: SeIncBasePriorityPrivilege	4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe
Token: SeIncBasePriorityPrivilege	3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe
Token: SeIncBasePriorityPrivilege	4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe
Token: SeIncBasePriorityPrivilege	1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe
Token: SeIncBasePriorityPrivilege	1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe
Token: SeIncBasePriorityPrivilege	4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe
Token: SeIncBasePriorityPrivilege	748	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe
Token: SeIncBasePriorityPrivilege	3164	{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2608	1424	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe	84
PID 1424 wrote to memory of 2608	1424	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe	84
PID 1424 wrote to memory of 2608	1424	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe	84
PID 1424 wrote to memory of 4040	1424	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe	85
PID 1424 wrote to memory of 4040	1424	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe	85
PID 1424 wrote to memory of 4040	1424	2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe	85
PID 2608 wrote to memory of 4768	2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe	91
PID 2608 wrote to memory of 4768	2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe	91
PID 2608 wrote to memory of 4768	2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe	91
PID 2608 wrote to memory of 2444	2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe	92
PID 2608 wrote to memory of 2444	2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe	92
PID 2608 wrote to memory of 2444	2608	{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe	92
PID 4768 wrote to memory of 4440	4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe	97
PID 4768 wrote to memory of 4440	4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe	97
PID 4768 wrote to memory of 4440	4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe	97
PID 4768 wrote to memory of 1108	4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe	96
PID 4768 wrote to memory of 1108	4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe	96
PID 4768 wrote to memory of 1108	4768	{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe	96
PID 4440 wrote to memory of 4860	4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe	98
PID 4440 wrote to memory of 4860	4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe	98
PID 4440 wrote to memory of 4860	4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe	98
PID 4440 wrote to memory of 3644	4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe	99
PID 4440 wrote to memory of 3644	4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe	99
PID 4440 wrote to memory of 3644	4440	{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe	99
PID 4860 wrote to memory of 3812	4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe	100
PID 4860 wrote to memory of 3812	4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe	100
PID 4860 wrote to memory of 3812	4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe	100
PID 4860 wrote to memory of 3540	4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe	101
PID 4860 wrote to memory of 3540	4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe	101
PID 4860 wrote to memory of 3540	4860	{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe	101
PID 3812 wrote to memory of 4068	3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe	102
PID 3812 wrote to memory of 4068	3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe	102
PID 3812 wrote to memory of 4068	3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe	102
PID 3812 wrote to memory of 1688	3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe	103
PID 3812 wrote to memory of 1688	3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe	103
PID 3812 wrote to memory of 1688	3812	{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe	103
PID 4068 wrote to memory of 1844	4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe	104
PID 4068 wrote to memory of 1844	4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe	104
PID 4068 wrote to memory of 1844	4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe	104
PID 4068 wrote to memory of 4804	4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe	105
PID 4068 wrote to memory of 4804	4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe	105
PID 4068 wrote to memory of 4804	4068	{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe	105
PID 1844 wrote to memory of 1048	1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe	106
PID 1844 wrote to memory of 1048	1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe	106
PID 1844 wrote to memory of 1048	1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe	106
PID 1844 wrote to memory of 3840	1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe	107
PID 1844 wrote to memory of 3840	1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe	107
PID 1844 wrote to memory of 3840	1844	{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe	107
PID 1048 wrote to memory of 4404	1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe	108
PID 1048 wrote to memory of 4404	1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe	108
PID 1048 wrote to memory of 4404	1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe	108
PID 1048 wrote to memory of 4384	1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe	109
PID 1048 wrote to memory of 4384	1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe	109
PID 1048 wrote to memory of 4384	1048	{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe	109
PID 4404 wrote to memory of 748	4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe	110
PID 4404 wrote to memory of 748	4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe	110
PID 4404 wrote to memory of 748	4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe	110
PID 4404 wrote to memory of 3696	4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe	111
PID 4404 wrote to memory of 3696	4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe	111
PID 4404 wrote to memory of 3696	4404	{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe	111
PID 748 wrote to memory of 3164	748	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe	112
PID 748 wrote to memory of 3164	748	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe	112
PID 748 wrote to memory of 3164	748	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe	112
PID 748 wrote to memory of 2772	748	{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_5b565c5ea920a1012aff194d0970473a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe
  C:\Windows\{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe
    C:\Windows\{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A927~1.EXE > nul
      4⤵
      PID:1108
  - - C:\Windows\{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe
      C:\Windows\{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe
        
        C:\Windows\{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Windows\{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe
        
        C:\Windows\{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe
        
        C:\Windows\{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe
        
        C:\Windows\{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe
        
        C:\Windows\{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe
        
        C:\Windows\{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe
        
        C:\Windows\{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe
        
        C:\Windows\{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}.exe
        
        C:\Windows\{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}.exe
        13⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7C2D~1.EXE > nul
        13⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{150DA~1.EXE > nul
        12⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D430A~1.EXE > nul
        11⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D6D6~1.EXE > nul
        10⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D0E7~1.EXE > nul
        9⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16AF6~1.EXE > nul
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93C0D~1.EXE > nul
        7⤵
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{224F8~1.EXE > nul
        6⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85216~1.EXE > nul
        5⤵
        
        PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4EFF4~1.EXE > nul
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{150DA09F-0F0D-4779-AC3F-F3AAC6A0ECD1}.exe

Filesize
168KB

MD5
3794c25090320fc20d2288e704091e6e

SHA1
be687b26360d4412b576e3c779e84ab8ee9a8be6

SHA256
02f43da53793198796fc9fe1bfaa053a5b83a03cb0d60578452f23e7b95d0fb9

SHA512
3defc2233091d90dab8d0e361f3b1624a23a5dae62f6297f97cb199ce4516abbfd8b0fd4c01bf226bf03f799c9b82104380af9925d6a5bf76946ed8a4b073ded

Download Submit
C:\Windows\{16AF6542-6CD6-4135-B047-948D41D75C4E}.exe

Filesize
168KB

MD5
08adff32c9f7bc127015c0177bd46d9c

SHA1
d5734768f450e4ff7a430f0eb562fb05666eca7b

SHA256
ac9a7dc7ffb5a01c9444dfa7ce1c09dbe62fd19eaf6fa744ff1a7be541cf78a7

SHA512
451f0cdcc80b5a1e9e789149c044781fcfa9aa14a30cc8aba4e518b0decb0505dc7c6c88660cc105b2937905485978ae191c064d71b86c9602894cffdd91a035

Download Submit
C:\Windows\{224F8CFC-BFF2-42ed-8246-946470CABC2C}.exe

Filesize
168KB

MD5
392c18c004592c9ebc06631e91e20d78

SHA1
6f43fa34db8403cc03f81cefe08c934afcd84ef8

SHA256
01757e86775251b464d4af487a0c91792f5065ce97d963c9df5fb65416c9ab95

SHA512
10e0a27d7184f38b9ee2818617613e32ba98bc8e676b7e3cad21871de533a67889466a07e12ae23ad87ccf6ac2c44aaf1a276e34ed2629f220f8291990ff3d8a

Download Submit
C:\Windows\{2D6D68CD-712D-475c-8EA5-580F2B19DF9B}.exe

Filesize
168KB

MD5
d004ca409ffabb17db1e78a243e625c1

SHA1
a0ddd20f134521d3e89254c5ad7c70ce82514486

SHA256
283857b678d18e2f9a0dac7f977bcc5f41c2095bbd28d90125d63b10e4de979f

SHA512
43e5d2b2212229502a4ea3eeafb3487b08080e765d5d1d10f621d86e414081bac97dbc1515613abc64f27d8e3b330a4436c11033ab2e70a447873fa0e07e2242

Download Submit
C:\Windows\{4D0E7DEA-040E-4582-A083-1A0F239770C1}.exe

Filesize
168KB

MD5
933e29ad78685ea13e836bcbc0aff8f1

SHA1
51d2464a11c03ca4e67fa96a092d66dc19f8ce9b

SHA256
397039983b5ffdb9cdf862442ea6084231cdb34038ed8449f2377b2d60404846

SHA512
2d8467b9b15be06f4758323f096c08fc81ee2df0f19114cb2e25be20a3a2354078dd29e8e6e34dbf93b45363d02ee6e9da9525ee4da651ffa24a9aa1d6408b5d

Download Submit
C:\Windows\{4EFF44BF-FCAC-4089-B462-CC3E18B03EDB}.exe

Filesize
168KB

MD5
4f779d38908a61e87ad381f6bd5592c7

SHA1
73d1105cda36491b5b4627dfc4e6a7ea9db87e9e

SHA256
1077c7985328ba527a8427a4b0e3ab9d016e8a9d0498b544eb63c2bac04e165d

SHA512
d8e2e4eaf88452531ecc69021b8eb6a5b3409812dc06521c96e7e29da22fc11d10bc318425d6482acf0f8b3dd2cca8cf022a2b08af7e67b299f465802516dbdd

Download Submit
C:\Windows\{535CF9E9-A9D3-4e3a-AEAC-0F7E7B4A72C7}.exe

Filesize
168KB

MD5
9673adfc4b33094960faa0230fdfa9d5

SHA1
03c68dca0464fe2b3272d773ab60eaa5276f884c

SHA256
43a3dc88a981c6b5d37985d6e91526c4bcfad3d91ce5d17d9497da4d0b34310e

SHA512
e76f7affb47a3a53f3a70870937be98c88ff5b57ad0c46a9f8998149dbb2fc276a530d7f4fb3357208e40e2e7b41db21a24b427c35e29d2f9ef9d6e153245c92

Download Submit
C:\Windows\{7A92787F-B676-4f5d-84FE-AFB422B8DCE1}.exe

Filesize
168KB

MD5
23cd6a52d2e7bc7c0e0391b3e48c01b0

SHA1
0aca32f16fbe454d7bdad42c93039ffad7ff04e9

SHA256
56d5d738010cf18cc3347732410d1cda43f5a3ee1d881abef70684522d68e43c

SHA512
e9a16f1929ed5f6430f88f8756cbd4dd8be24fb8ef1e958644c750f60aa8065afd949a06a2967afd6d37fe2c778f39cb2f80ac66b8be732742f001a846a2f3e4

Download Submit
C:\Windows\{852161CD-BB25-4cd5-B12F-3B64144AB00D}.exe

Filesize
168KB

MD5
1511e25309b94749076b25ee6bbb24a0

SHA1
44fc3bd9184be9a563b7266e1557c4ec5c00bb6c

SHA256
a9b52cadf46d47451e30b4165e007a0eab0c05f858f70216ec61094688a55b1c

SHA512
c229f92af6ef1e61ab33a8f3b60ac5200b9f671af9cbaf343d48a4f6f79aaeb79dfa8578ed2e32b16b490fe32c2621176c2b90341d7c8dcbe6a552f67c06e211

Download Submit
C:\Windows\{93C0DE5D-8B31-4519-8F6C-F2F595694C20}.exe

Filesize
168KB

MD5
e3036089fb852f30eadd3ecb1cb7d6e6

SHA1
46d1951dda87881d3e66017925681e804a48516a

SHA256
235a772e26811cc3e5402249b95afd640f19a63e4f9cdfb311f060deb1c08555

SHA512
11c14d193bd3580d1ea9a4d6e396d4c95ee86e2c75379c7b73eebb67a3d8f4fbb3889f540f932c44c57eff8890e08503c15bd2491d3c938c3134d73442059762

Download Submit
C:\Windows\{B7C2DCAD-538B-4f8e-95D4-3DEF72DD2397}.exe

Filesize
168KB

MD5
b730dab300a8ca30efe26288922bdd5e

SHA1
313a0578773c942540ff3ba44d6cd37c9e5a5a95

SHA256
fd4fe79591186721bd197c08b1802b36ae2a44127335d4c7de377cd2584f0f6f

SHA512
8fe0f18ffd8e84b5736d9f1446f6ff1fb5f3a0a557919d4f71ec0d814e62dcd143a15d83e90129504f65f1ebabef7652ea5b027f55f35ea53b0df88f18ac2450

Download Submit
C:\Windows\{D430A6D2-B076-4f11-80E3-97B8CCE88667}.exe

Filesize
168KB

MD5
9783cb96d7e65e7834057ee850933025

SHA1
880706ccaf5e0701cadad20e7beba6a24b869d98

SHA256
d9ea3a7d919fe87321ba38e0c1fb688e69666341cb493378b15cbab0e1f97e7c

SHA512
ff959baf85f5c31a52783d1bda27ebaa2413ed0decca9984ae1e5e2a99ae2b3b1a4036744c5e4428337e6c2bfa79c214bb614937bbd5bedd814173593afac0a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads