b8a2a6bf53cd309a98d49c193f3bf556e166f2751d57c52fa62afd31961d45bc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 13:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe
Size

408KB
MD5

6af6b36873b2fcc921e8ec14a31c6ba8
SHA1

e916b3c2de86a6967d52386004c66167bbe52a0f
SHA256

b8a2a6bf53cd309a98d49c193f3bf556e166f2751d57c52fa62afd31961d45bc
SHA512

6b6a7a30900487f1fbc1910e565034e7c735157d69be47f03ce2da05c7b9dfdbd18cb4445ed2be07b1c809d7a1b013f14fd980df88f71f0089b5c901218b7a40
SSDEEP

3072:CEGh0obl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGJldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023225-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002321a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000719-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000739-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39C349A4-5400-4bf5-8AF2-8715272608FF}	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}\stubpath = "C:\\Windows\\{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe"	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7346822-56DD-449b-83D6-B9C7011B1C50}\stubpath = "C:\\Windows\\{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe"	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A34342EE-CBB5-418e-89FD-CBC2307C6250}\stubpath = "C:\\Windows\\{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe"	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A53D090-D108-4ea1-ABA2-16F8FF05567A}\stubpath = "C:\\Windows\\{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe"	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF9258D-C37B-4533-8315-755D275ADD82}	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}\stubpath = "C:\\Windows\\{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe"	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0D14677-5C5A-4685-8A05-56D371CAEE0C}	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0D14677-5C5A-4685-8A05-56D371CAEE0C}\stubpath = "C:\\Windows\\{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe"	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A34342EE-CBB5-418e-89FD-CBC2307C6250}	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}	{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A53D090-D108-4ea1-ABA2-16F8FF05567A}	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39C349A4-5400-4bf5-8AF2-8715272608FF}\stubpath = "C:\\Windows\\{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe"	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}\stubpath = "C:\\Windows\\{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe"	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF9258D-C37B-4533-8315-755D275ADD82}\stubpath = "C:\\Windows\\{2EF9258D-C37B-4533-8315-755D275ADD82}.exe"	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7346822-56DD-449b-83D6-B9C7011B1C50}	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}\stubpath = "C:\\Windows\\{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe"	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}\stubpath = "C:\\Windows\\{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}.exe"	{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}\stubpath = "C:\\Windows\\{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe"	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe

Executes dropped EXE 12 IoCs

pid	Process
2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe
4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe
4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe
3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe
4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe
4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe
2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe
3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe
2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe
3672	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe
5096	{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe
4912	{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe
File created	C:\Windows\{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe
File created	C:\Windows\{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe
File created	C:\Windows\{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe
File created	C:\Windows\{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe
File created	C:\Windows\{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe
File created	C:\Windows\{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}.exe	{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe
File created	C:\Windows\{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe
File created	C:\Windows\{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe
File created	C:\Windows\{2EF9258D-C37B-4533-8315-755D275ADD82}.exe	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe
File created	C:\Windows\{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe
File created	C:\Windows\{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4152	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe
Token: SeIncBasePriorityPrivilege	4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe
Token: SeIncBasePriorityPrivilege	4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe
Token: SeIncBasePriorityPrivilege	3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe
Token: SeIncBasePriorityPrivilege	4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe
Token: SeIncBasePriorityPrivilege	4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe
Token: SeIncBasePriorityPrivilege	2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe
Token: SeIncBasePriorityPrivilege	3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe
Token: SeIncBasePriorityPrivilege	2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe
Token: SeIncBasePriorityPrivilege	3672	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe
Token: SeIncBasePriorityPrivilege	5096	{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2884	4152	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe	91
PID 4152 wrote to memory of 2884	4152	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe	91
PID 4152 wrote to memory of 2884	4152	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe	91
PID 4152 wrote to memory of 4952	4152	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe	92
PID 4152 wrote to memory of 4952	4152	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe	92
PID 4152 wrote to memory of 4952	4152	2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe	92
PID 2884 wrote to memory of 4708	2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe	93
PID 2884 wrote to memory of 4708	2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe	93
PID 2884 wrote to memory of 4708	2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe	93
PID 2884 wrote to memory of 544	2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe	94
PID 2884 wrote to memory of 544	2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe	94
PID 2884 wrote to memory of 544	2884	{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe	94
PID 4708 wrote to memory of 4800	4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe	97
PID 4708 wrote to memory of 4800	4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe	97
PID 4708 wrote to memory of 4800	4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe	97
PID 4708 wrote to memory of 1900	4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe	96
PID 4708 wrote to memory of 1900	4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe	96
PID 4708 wrote to memory of 1900	4708	{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe	96
PID 4800 wrote to memory of 3060	4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe	98
PID 4800 wrote to memory of 3060	4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe	98
PID 4800 wrote to memory of 3060	4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe	98
PID 4800 wrote to memory of 2216	4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe	99
PID 4800 wrote to memory of 2216	4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe	99
PID 4800 wrote to memory of 2216	4800	{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe	99
PID 3060 wrote to memory of 4516	3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe	100
PID 3060 wrote to memory of 4516	3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe	100
PID 3060 wrote to memory of 4516	3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe	100
PID 3060 wrote to memory of 3600	3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe	101
PID 3060 wrote to memory of 3600	3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe	101
PID 3060 wrote to memory of 3600	3060	{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe	101
PID 4516 wrote to memory of 4580	4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe	102
PID 4516 wrote to memory of 4580	4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe	102
PID 4516 wrote to memory of 4580	4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe	102
PID 4516 wrote to memory of 4024	4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe	103
PID 4516 wrote to memory of 4024	4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe	103
PID 4516 wrote to memory of 4024	4516	{2EF9258D-C37B-4533-8315-755D275ADD82}.exe	103
PID 4580 wrote to memory of 2888	4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe	104
PID 4580 wrote to memory of 2888	4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe	104
PID 4580 wrote to memory of 2888	4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe	104
PID 4580 wrote to memory of 3924	4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe	105
PID 4580 wrote to memory of 3924	4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe	105
PID 4580 wrote to memory of 3924	4580	{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe	105
PID 2888 wrote to memory of 3452	2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe	106
PID 2888 wrote to memory of 3452	2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe	106
PID 2888 wrote to memory of 3452	2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe	106
PID 2888 wrote to memory of 4036	2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe	107
PID 2888 wrote to memory of 4036	2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe	107
PID 2888 wrote to memory of 4036	2888	{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe	107
PID 3452 wrote to memory of 2544	3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe	108
PID 3452 wrote to memory of 2544	3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe	108
PID 3452 wrote to memory of 2544	3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe	108
PID 3452 wrote to memory of 4876	3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe	109
PID 3452 wrote to memory of 4876	3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe	109
PID 3452 wrote to memory of 4876	3452	{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe	109
PID 2544 wrote to memory of 3672	2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe	110
PID 2544 wrote to memory of 3672	2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe	110
PID 2544 wrote to memory of 3672	2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe	110
PID 2544 wrote to memory of 4452	2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe	111
PID 2544 wrote to memory of 4452	2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe	111
PID 2544 wrote to memory of 4452	2544	{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe	111
PID 3672 wrote to memory of 5096	3672	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe	112
PID 3672 wrote to memory of 5096	3672	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe	112
PID 3672 wrote to memory of 5096	3672	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe	112
PID 3672 wrote to memory of 264	3672	{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_6af6b36873b2fcc921e8ec14a31c6ba8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe
  C:\Windows\{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe
    C:\Windows\{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D6D~1.EXE > nul
      4⤵
      PID:1900
  - - C:\Windows\{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe
      C:\Windows\{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe
        
        C:\Windows\{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\{2EF9258D-C37B-4533-8315-755D275ADD82}.exe
        
        C:\Windows\{2EF9258D-C37B-4533-8315-755D275ADD82}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe
        
        C:\Windows\{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe
        
        C:\Windows\{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe
        
        C:\Windows\{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe
        
        C:\Windows\{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe
        
        C:\Windows\{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe
        
        C:\Windows\{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}.exe
        
        C:\Windows\{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3434~1.EXE > nul
        13⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC84~1.EXE > nul
        12⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0D14~1.EXE > nul
        11⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7346~1.EXE > nul
        10⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D666~1.EXE > nul
        9⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4BAF~1.EXE > nul
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF92~1.EXE > nul
        7⤵
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD3DA~1.EXE > nul
        6⤵
        
        PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39C34~1.EXE > nul
        5⤵
        
        PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A53D~1.EXE > nul
    3⤵
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EF9258D-C37B-4533-8315-755D275ADD82}.exe

Filesize
408KB

MD5
1670fee08fd443ae8e17e6ae4bfcd441

SHA1
d0bb59918e6567755eb9610a8516e3dd420f3444

SHA256
274d0ca5f13e0833dd38994122db6ee8fbac6a5c7262cae71f309fd5bf323607

SHA512
1110b6a2e8a951250cb0366fc83da9082f5bf7a0634909755d7556179bb5e295c3cb75f7bdc123775ff37ce8e0e09b4834d8f3e79e299794b2c0a09506a3f2c2

Download Submit
C:\Windows\{39C349A4-5400-4bf5-8AF2-8715272608FF}.exe

Filesize
408KB

MD5
9204e70c3e49250677805e24fa47d284

SHA1
8afa716e2b8702a59ed2d481614459f456928214

SHA256
89a18eadf0e19f37e47546249e638107f5ce19f3bcf28fbbc2ea0e9a35f4fe31

SHA512
3174b9b83ee23009c8d29f32ec7006a995083f8d8b5d98de04f3b86af6d78bf606b5030751d141d1444075473cb2991e8785b9bbb6cedf8ba19ecaac0a752607

Download Submit
C:\Windows\{5D666A6F-F985-4a5e-BB67-C1457E0CC8A8}.exe

Filesize
408KB

MD5
3c7b4d840fda09a9e82553425b82171d

SHA1
a41825cb8c60b3bfb85d701da7251f091cafb522

SHA256
6623c3934467237ebd4a866214562929dc721172c1995266b62e6e11978eea42

SHA512
1775a5e00663c662be8ba68056401d53f8adad72a83c2f9efb09b401bec2d8cb5bc46fe982813106f78108b4aa6ab626e0f39c11bd7431ef11f9681e5020a2b3

Download Submit
C:\Windows\{9A53D090-D108-4ea1-ABA2-16F8FF05567A}.exe

Filesize
408KB

MD5
e605c0d8f8e98d14e587cfe7eacac45b

SHA1
d2397e72db3208df83388b3635a07f184406236a

SHA256
220185291ad2e764b2b721bfef7301d86e8bcbbfd4b231f2464eab5b436bf082

SHA512
df91c62704673009b22b60edabc43e4486581f74ed4d3c4245220f11ac910a392b3d81fc413abfe6880426d8e71af9038b3de380dc6e6dad62ba7331ebdeea41

Download Submit
C:\Windows\{A34342EE-CBB5-418e-89FD-CBC2307C6250}.exe

Filesize
408KB

MD5
0a58c3b7529ca47bb00e9eeb28e0bd18

SHA1
bcdd101134606d9995025cca7bb4cd05aa6fe3c0

SHA256
004aa21de382db8efa1ff5c380fe9987f9a14d256eb8a0728da39874135445b1

SHA512
722499e70f44a3ffd4dc87a41e8813194160edbe6ae7dccf6b246c4bfd748e0b83bebda012e8ae8df7fd40d43d6bbb57c22789af25309d336447dc1a2a094dda

Download Submit
C:\Windows\{B4BAF99C-45E2-4f6d-8F15-0614804FB6AE}.exe

Filesize
408KB

MD5
ce5a1ecff1e38cc43b204cc85eb420a2

SHA1
f0f509703b3c7ee9e2007afa045b11377a4eae0e

SHA256
aa93636334173231b465c19b66aea02c8bd542e9834d0d58551e4e79af67e7b2

SHA512
a9c2e5f7760bc7776d68ed0fe45278ec1a765bf98e9bb06cf0a92effcdd05a88ba74e119d0b400dc59ae9d4d218d697b11ff0dd8dad30266fc8800cd51ebcdcd

Download Submit
C:\Windows\{B6D6D932-61F6-4c66-8013-C5565E9CFDA9}.exe

Filesize
408KB

MD5
03513852274c35cba0c2f5496388a492

SHA1
b703e4e0d29a2d885715a3b77ed415549d2d8e63

SHA256
60a1050ab7e8c9446cdbb7ccfe84e24abca225a21e8b0fd52ebc8d6628a4922e

SHA512
e0e5c7c9c79ceefef11f65daf93b75f7e1542b1cc46c3fa7b21551c10d51b78b136aa34bfc1ad0a1dce7551d767db450671e31fa0486c350af713f47412edbe3

Download Submit
C:\Windows\{B7346822-56DD-449b-83D6-B9C7011B1C50}.exe

Filesize
408KB

MD5
ba1409468e8e2c6b97613ee9376bad88

SHA1
ad142000e5b5aa5f1004c5add190b079c179f4f4

SHA256
02ad752a90ee454fa53439396ad92ed2cc7a0ba896fdc4f821a1f34f537aed98

SHA512
8043ab735d5b6faf11ee023d68c0b0fbb16b8e665e0b69f24247ed68432bae7c5a14a8d1717cc292db29ac47b555e26d0226da814256fa4f9fbec2a3ea982c17

Download Submit
C:\Windows\{D0D14677-5C5A-4685-8A05-56D371CAEE0C}.exe

Filesize
408KB

MD5
007b3a75bf606b35a5182b7344e4cc5c

SHA1
19199632922dff3a8648ef59d5a68532a3efe711

SHA256
5f27b7925ead47e0005a93b6c4cf4d0231c57e7c58b74e7de995e23c1234bd9a

SHA512
32e77a7bd2ad370f019ac9c6d169235628ede503d60010081a9e8ce37b5e9516f2c700fa17a03ebedee4aa902c446cf21ebd28e095b72c1761ab5b14555a9f01

Download Submit
C:\Windows\{D7CB52D5-B39A-4d5f-9E87-3C4D45E1BC9A}.exe

Filesize
408KB

MD5
518e1dbc67b28bc27a2eca70ae4f61b0

SHA1
d2433af4658ad9fa2256f3e92c7d4763731ffc30

SHA256
2fabb0cff88e406ea9af324d8db2f516d1e7e6c09ee519ff15e34da372a84b63

SHA512
a0915c7af04f05c987a11080d8fc03847dc3029415fd1cb70f75b02bdba3844e7c3e447a3f538698a01134825a94fe0d45ce79738f2a3f1581fbf1bf25859cf3

Download Submit
C:\Windows\{DD3DAB8D-B26C-47d7-BB25-61CF6B1EECA4}.exe

Filesize
408KB

MD5
e67e921c3c4421a3a5245e748cd85995

SHA1
f118928571e39b46ff02e4d68e7fa51461ed6a09

SHA256
96bf3614dfc7d302f097de0b27bc05b7fcb9b5ca565ba26785c7dda218f5dc13

SHA512
910129e5adbf2e92e4c91ca9f0ecb69c71e41b34e0766573409a23a33d1b5ec9b785ec38b72d00875772e3625817ffd780887ba4cc7062d6549eb28680008664

Download Submit
C:\Windows\{EEC845E8-16A6-40f8-845F-28FAF1FB6AD6}.exe

Filesize
408KB

MD5
cecb522eb4a1bb04273c993f512c5890

SHA1
9c05478a0da090f37a32ae2dbced1aa14d04a129

SHA256
628afcd0476477c66ac50dfec293d26896a7a4ef4fd4b5772a90a55658ba5a50

SHA512
83e759047623db694d6e88690720d73390cb2384ea01ddad4d8e0a54db3d11ef6930b64c4feea8ca3718582618c3fcad28e4c38311d83c9ac5cb56299432e810

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads