51b22cf2eabce789edfaf4f6c14cf29ba3c7d63a813f5678a0b5b03deb190074

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Size

372KB
MD5

cd94d78b38bb12c61b095c57a5d7eeb3
SHA1

e01a532a3d392279cec74edfee58fd8c678c4339
SHA256

51b22cf2eabce789edfaf4f6c14cf29ba3c7d63a813f5678a0b5b03deb190074
SHA512

d7b7ddc552cdf3e86a08f2e9ad393acc2fd586e03473b09c5bc7d8d7285816f8d34f1ce3dbbed58513ecc930ae52b03112989c90f690f5fda5d2e488eb868d54
SSDEEP

3072:CEGh0o2mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGtl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023223-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e2f7-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023232-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023233-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022044-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000006cf-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}\stubpath = "C:\\Windows\\{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe"	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00210F69-DA80-442d-B900-202D868F8263}	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00210F69-DA80-442d-B900-202D868F8263}\stubpath = "C:\\Windows\\{00210F69-DA80-442d-B900-202D868F8263}.exe"	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6562D00C-8D82-4061-972A-10531555056B}\stubpath = "C:\\Windows\\{6562D00C-8D82-4061-972A-10531555056B}.exe"	{00210F69-DA80-442d-B900-202D868F8263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FB36473-238C-40f4-B3F5-AC529B01E14F}\stubpath = "C:\\Windows\\{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe"	{6562D00C-8D82-4061-972A-10531555056B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DF5DDBB-994A-477f-B31F-B20126BF2B58}	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DF5DDBB-994A-477f-B31F-B20126BF2B58}\stubpath = "C:\\Windows\\{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe"	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}\stubpath = "C:\\Windows\\{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe"	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6562D00C-8D82-4061-972A-10531555056B}	{00210F69-DA80-442d-B900-202D868F8263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E3900B4-BFAC-4129-A3AA-9847B15E394D}\stubpath = "C:\\Windows\\{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe"	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}\stubpath = "C:\\Windows\\{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}.exe"	{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDF3D7D8-2944-4c52-931C-6EBD4715E236}\stubpath = "C:\\Windows\\{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe"	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}\stubpath = "C:\\Windows\\{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe"	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FB36473-238C-40f4-B3F5-AC529B01E14F}	{6562D00C-8D82-4061-972A-10531555056B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E3900B4-BFAC-4129-A3AA-9847B15E394D}	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}	{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDF3D7D8-2944-4c52-931C-6EBD4715E236}	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}\stubpath = "C:\\Windows\\{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe"	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{487E5C80-733B-4dcd-BC72-1C1FCF72134D}	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{487E5C80-733B-4dcd-BC72-1C1FCF72134D}\stubpath = "C:\\Windows\\{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe"	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe

Executes dropped EXE 12 IoCs

pid	Process
4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe
2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe
1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe
4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe
3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe
3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe
2740	{00210F69-DA80-442d-B900-202D868F8263}.exe
3248	{6562D00C-8D82-4061-972A-10531555056B}.exe
3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe
4048	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe
2284	{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe
3228	{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe
File created	C:\Windows\{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe
File created	C:\Windows\{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe
File created	C:\Windows\{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}.exe	{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe
File created	C:\Windows\{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe	{6562D00C-8D82-4061-972A-10531555056B}.exe
File created	C:\Windows\{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe
File created	C:\Windows\{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
File created	C:\Windows\{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe
File created	C:\Windows\{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe
File created	C:\Windows\{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe
File created	C:\Windows\{00210F69-DA80-442d-B900-202D868F8263}.exe	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe
File created	C:\Windows\{6562D00C-8D82-4061-972A-10531555056B}.exe	{00210F69-DA80-442d-B900-202D868F8263}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe
Token: SeIncBasePriorityPrivilege	2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe
Token: SeIncBasePriorityPrivilege	1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe
Token: SeIncBasePriorityPrivilege	4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe
Token: SeIncBasePriorityPrivilege	3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe
Token: SeIncBasePriorityPrivilege	3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe
Token: SeIncBasePriorityPrivilege	2740	{00210F69-DA80-442d-B900-202D868F8263}.exe
Token: SeIncBasePriorityPrivilege	3248	{6562D00C-8D82-4061-972A-10531555056B}.exe
Token: SeIncBasePriorityPrivilege	3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe
Token: SeIncBasePriorityPrivilege	4048	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe
Token: SeIncBasePriorityPrivilege	2284	{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4356	2000	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	89
PID 2000 wrote to memory of 4356	2000	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	89
PID 2000 wrote to memory of 4356	2000	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	89
PID 2000 wrote to memory of 3564	2000	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	90
PID 2000 wrote to memory of 3564	2000	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	90
PID 2000 wrote to memory of 3564	2000	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	90
PID 4356 wrote to memory of 2920	4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe	94
PID 4356 wrote to memory of 2920	4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe	94
PID 4356 wrote to memory of 2920	4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe	94
PID 4356 wrote to memory of 4460	4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe	95
PID 4356 wrote to memory of 4460	4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe	95
PID 4356 wrote to memory of 4460	4356	{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe	95
PID 2920 wrote to memory of 1788	2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe	98
PID 2920 wrote to memory of 1788	2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe	98
PID 2920 wrote to memory of 1788	2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe	98
PID 2920 wrote to memory of 4216	2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe	97
PID 2920 wrote to memory of 4216	2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe	97
PID 2920 wrote to memory of 4216	2920	{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe	97
PID 1788 wrote to memory of 4316	1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe	99
PID 1788 wrote to memory of 4316	1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe	99
PID 1788 wrote to memory of 4316	1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe	99
PID 1788 wrote to memory of 2540	1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe	100
PID 1788 wrote to memory of 2540	1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe	100
PID 1788 wrote to memory of 2540	1788	{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe	100
PID 4316 wrote to memory of 3052	4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe	101
PID 4316 wrote to memory of 3052	4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe	101
PID 4316 wrote to memory of 3052	4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe	101
PID 4316 wrote to memory of 568	4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe	102
PID 4316 wrote to memory of 568	4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe	102
PID 4316 wrote to memory of 568	4316	{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe	102
PID 3052 wrote to memory of 3584	3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe	103
PID 3052 wrote to memory of 3584	3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe	103
PID 3052 wrote to memory of 3584	3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe	103
PID 3052 wrote to memory of 2536	3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe	104
PID 3052 wrote to memory of 2536	3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe	104
PID 3052 wrote to memory of 2536	3052	{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe	104
PID 3584 wrote to memory of 2740	3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe	106
PID 3584 wrote to memory of 2740	3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe	106
PID 3584 wrote to memory of 2740	3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe	106
PID 3584 wrote to memory of 4472	3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe	105
PID 3584 wrote to memory of 4472	3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe	105
PID 3584 wrote to memory of 4472	3584	{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe	105
PID 2740 wrote to memory of 3248	2740	{00210F69-DA80-442d-B900-202D868F8263}.exe	107
PID 2740 wrote to memory of 3248	2740	{00210F69-DA80-442d-B900-202D868F8263}.exe	107
PID 2740 wrote to memory of 3248	2740	{00210F69-DA80-442d-B900-202D868F8263}.exe	107
PID 2740 wrote to memory of 4536	2740	{00210F69-DA80-442d-B900-202D868F8263}.exe	108
PID 2740 wrote to memory of 4536	2740	{00210F69-DA80-442d-B900-202D868F8263}.exe	108
PID 2740 wrote to memory of 4536	2740	{00210F69-DA80-442d-B900-202D868F8263}.exe	108
PID 3248 wrote to memory of 3520	3248	{6562D00C-8D82-4061-972A-10531555056B}.exe	109
PID 3248 wrote to memory of 3520	3248	{6562D00C-8D82-4061-972A-10531555056B}.exe	109
PID 3248 wrote to memory of 3520	3248	{6562D00C-8D82-4061-972A-10531555056B}.exe	109
PID 3248 wrote to memory of 1740	3248	{6562D00C-8D82-4061-972A-10531555056B}.exe	110
PID 3248 wrote to memory of 1740	3248	{6562D00C-8D82-4061-972A-10531555056B}.exe	110
PID 3248 wrote to memory of 1740	3248	{6562D00C-8D82-4061-972A-10531555056B}.exe	110
PID 3520 wrote to memory of 4048	3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe	111
PID 3520 wrote to memory of 4048	3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe	111
PID 3520 wrote to memory of 4048	3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe	111
PID 3520 wrote to memory of 1508	3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe	112
PID 3520 wrote to memory of 1508	3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe	112
PID 3520 wrote to memory of 1508	3520	{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe	112
PID 4048 wrote to memory of 2284	4048	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe	113
PID 4048 wrote to memory of 2284	4048	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe	113
PID 4048 wrote to memory of 2284	4048	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe	113
PID 4048 wrote to memory of 112	4048	{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe
  C:\Windows\{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe
    C:\Windows\{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8DF5D~1.EXE > nul
      4⤵
      PID:4216
  - - C:\Windows\{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe
      C:\Windows\{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe
        
        C:\Windows\{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe
        
        C:\Windows\{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe
        
        C:\Windows\{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{453DD~1.EXE > nul
        8⤵
        
        PID:4472
        
        C:\Windows\{00210F69-DA80-442d-B900-202D868F8263}.exe
        
        C:\Windows\{00210F69-DA80-442d-B900-202D868F8263}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{6562D00C-8D82-4061-972A-10531555056B}.exe
        
        C:\Windows\{6562D00C-8D82-4061-972A-10531555056B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe
        
        C:\Windows\{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe
        
        C:\Windows\{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe
        
        C:\Windows\{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}.exe
        
        C:\Windows\{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}.exe
        13⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E390~1.EXE > nul
        13⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{487E5~1.EXE > nul
        12⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FB36~1.EXE > nul
        11⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6562D~1.EXE > nul
        10⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00210~1.EXE > nul
        9⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A1E0~1.EXE > nul
        7⤵
        
        PID:2536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B23~1.EXE > nul
        6⤵
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58CD9~1.EXE > nul
        5⤵
        
        PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF3D~1.EXE > nul
    3⤵
    PID:4460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00210F69-DA80-442d-B900-202D868F8263}.exe

Filesize
372KB

MD5
5a834c094721cf68e0ce0056eb5c4f67

SHA1
7af2334833db09fba5b350ee5b4a2ceca902e860

SHA256
dc56515b5a0c54c10e704bdbcfa4c40ed4b3961f3716faaecfb62cf99c70c749

SHA512
bf6672c38185d7787554a73745566aa9e969e929ea08ea03227edf8bdaa3645eff0140b94d730cb10bcfc3b1580efa9daacefe7916fc29b6d739c85bdee9e1fe

Download Submit
C:\Windows\{0E3900B4-BFAC-4129-A3AA-9847B15E394D}.exe

Filesize
372KB

MD5
ceb55066ec271a87fb8e8233e108ba18

SHA1
f3cdcb305dba655cd1203ea1a0cf62cbff811424

SHA256
00502e450183d21a586d815ea9c41eeb74e84dbf52fd047a359036a947d607ab

SHA512
51c54715528443589b6ee5bd08e855d82f3d6ae05d15a2960bd6d0d9f94eb8d2ccba8627bf149213b654e35ea1e0d46bf2b8a6171fe8de521e4db99ee725a001

Download Submit
C:\Windows\{453DDDA7-E3EA-48f2-9616-A9F12E2D4E12}.exe

Filesize
372KB

MD5
e1c913e512be0c19fe4ba70bbec04d5d

SHA1
b486dc2717c3cd451b0720cf49598a7c0c1e7618

SHA256
d993c54c5f14639dd22e2d7f982b581a8ce379e58121f2007015f0f912521ebe

SHA512
a9ebae9dd4bb6f5735fd79a97570460f8a98c71b3c3d8e6fe906788e2b7890966e401e74657638623f532b93e8b2284ccc7333a20fa0c37678846553eae4ae5d

Download Submit
C:\Windows\{487E5C80-733B-4dcd-BC72-1C1FCF72134D}.exe

Filesize
372KB

MD5
06191b70d8f8d008832ec65ad5af2102

SHA1
9749ddbefaa160b5b4c6a0442fdc99fe56f37796

SHA256
79d8f22bf495bd0826d29c7d22f598b5523b2aec9afb4d35f29c9d173942d959

SHA512
2d7856ad6250369a12b9dd899cb611733ba6d56146e7c66477ece4beedb9f2f26635e528610a6c2119d793ac2b569611f71e3a8806f0fbf86b5172c20e9472b1

Download Submit
C:\Windows\{58CD9056-EEE1-43a9-BC47-05E3CE16D82D}.exe

Filesize
372KB

MD5
c7d63e6fac13f24d425b1046d9ad8e90

SHA1
05c712a7d9c28a418fb60b7feed375bc7604ae9a

SHA256
7918a98bc25d6de69dee3466e26eccb2fdb62c24161a3029e33d0473d895fc7f

SHA512
784fb25ee47a8100a0c9a7a551954c5c7f637dbecef3fe2c260889ce222cd19d91ab7fd1c8cb64dbb0ef3145b30e0c046439a561d1e0ffd48effe01a9ea239ad

Download Submit
C:\Windows\{6562D00C-8D82-4061-972A-10531555056B}.exe

Filesize
372KB

MD5
54aa369f1d19f7c23b25feaadaaf4ed9

SHA1
e4b65766f16d0a13d41d272ea79b7940e0106f3e

SHA256
6b509c4f026719edb996f9f6810574af67ad235c7ee2f86cf970ea79be5fdde2

SHA512
ac1b8fd28247d3ce58aa28772577b5da4cec68c5e75d4c35b1048f2c75a8e20b4ae70ac05eda7d94dd20707f373e70010367604d4afc3f11628d323f6e4a280b

Download Submit
C:\Windows\{7A1E0B75-10D7-4b31-B24A-37F5DFA4CF57}.exe

Filesize
372KB

MD5
5c2ba71f77c6edaea6d4613d79f9c484

SHA1
784e488dae87f953cf9c496b591bfc300833e67e

SHA256
a0dcc19dd540099dd769c7898790104cb30ef4f7a04248ead76e97a608f95729

SHA512
bdb23583403386fd45649d17d6a80a43bec4502d9bc20826bd9b94517322d6a22f58b8b8f10578bc3fe30f922d370cac14b1ee365c53157185864e2702838c7a

Download Submit
C:\Windows\{7EA787BA-3C9F-4522-9348-F1F0B3C3B8C5}.exe

Filesize
372KB

MD5
99359825028774166e9afce0d970b282

SHA1
a1d71b9b5aff07bc23672b3737ef44aa87738910

SHA256
c66eff96be8939f5d209de193cf271b39e6b1c6cb4f1f5adc91be6122f414746

SHA512
01ac9e7c8a3f8d79ae6a104b0af052e79c90525e3d95c2bfe67cdcd5240573151bac57bfa44bf05cdb28cceb91067c2e4ef6b4f9e76a0ec466d2ef895c889403

Download Submit
C:\Windows\{8DF5DDBB-994A-477f-B31F-B20126BF2B58}.exe

Filesize
372KB

MD5
71026f874d4e9b798ffb8c180c379ed3

SHA1
12653c29a12de12d049f4617295ea885132e8f85

SHA256
70a167c14f76aeadb22f2ab3e129e78d093db85183b6e557e6388f87668e964c

SHA512
540d37bcdeeb481d95d500359b38a2d79f11953afee645eada1725437f05f22b78e71135c4ce40048abb46f78418d3579bbf66711c988f9f6b072c82ce123991

Download Submit
C:\Windows\{8FB36473-238C-40f4-B3F5-AC529B01E14F}.exe

Filesize
372KB

MD5
559d064f9a88ace57708502e4a8fb622

SHA1
0140a52e4fd5305b47ecc6f55619a0176da80a2b

SHA256
6af5ffbb5bf118b71a7ced7b942417b6ceae95299df71f57edc772366ac70ffb

SHA512
6e59cba0e9ec1efc5c505d722221db58ba1d4d0c5f9f2deb4f7090cb139ccc55ef10361981470a6f2e8d88ae78ff0bdedad1d2cafa41bb41007c190b4e8486ff

Download Submit
C:\Windows\{F6B230E3-CB2E-4bf7-B0FC-9B362B876E89}.exe

Filesize
372KB

MD5
779e787b2f4cc129ee2838ff3afd85cc

SHA1
e4fc4ed9a38bc7919faa6f8db4e06033474f9f4c

SHA256
81a4d05e0a7af1966ba379111a264a654ee49f5c3be533f55d6f9255451e1d0e

SHA512
be96302dc034d5c6b4aa8911c519679819fefc5f5093d2bcc8ac06fdbe27c0ad85d6ae96e1b5972cf9863fe9b2b2387ecfb6c80d27ab93d7d16b446d5765562e

Download Submit
C:\Windows\{FDF3D7D8-2944-4c52-931C-6EBD4715E236}.exe

Filesize
372KB

MD5
fec1239f7808d387e4e31dbb4ae77e0a

SHA1
83928929fbd3b09efbfd506fb552e33cce2bd2b4

SHA256
d69c5e567e322bf1298bfbf1d5be7b006bcc81f239cab9aed7c25592e90f2d17

SHA512
9ddeff210061512d9019b35f09c8ecc130e6cc6ce0e2bb1aa54286ae2d1351784b3b075f224c8d94041102ea3ca0f6c00c43a572b311f52fd3d1c38558b43026

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads