93521e466a28b9ebc5e2f2f0d913c831d7ac738bba8ae1fdf78ef86ae5f80714

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Size

197KB
MD5

f593dd5d1b21d67c3f9fad68d5bfee20
SHA1

37d964ec7552ce27de1d9f03a5a24a515e5a3320
SHA256

93521e466a28b9ebc5e2f2f0d913c831d7ac738bba8ae1fdf78ef86ae5f80714
SHA512

1bd1915876695b75a9c386ed2b368999b7d064b2f9bca1e5f1fe1dcd41ada7e55ec4802f5d6428bb8b5c424d9d1d371dc83bab0ea1ac8c505afb33735f99a982
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGdlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023219-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023219-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023223-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000001805f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023223-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000001805f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000001805f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-44.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}\stubpath = "C:\\Windows\\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe"	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}\stubpath = "C:\\Windows\\{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe"	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}\stubpath = "C:\\Windows\\{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe"	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}\stubpath = "C:\\Windows\\{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe"	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}\stubpath = "C:\\Windows\\{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe"	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82282096-1BF3-49f6-BF3B-993C5D32779B}	{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}\stubpath = "C:\\Windows\\{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}.exe"	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82282096-1BF3-49f6-BF3B-993C5D32779B}\stubpath = "C:\\Windows\\{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe"	{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}\stubpath = "C:\\Windows\\{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe"	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}\stubpath = "C:\\Windows\\{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe"	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79519F68-AE18-4f90-BBC4-A2709C783212}	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}\stubpath = "C:\\Windows\\{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe"	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}\stubpath = "C:\\Windows\\{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe"	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79519F68-AE18-4f90-BBC4-A2709C783212}\stubpath = "C:\\Windows\\{79519F68-AE18-4f90-BBC4-A2709C783212}.exe"	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe

Executes dropped EXE 11 IoCs

pid	Process
1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe
2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe
2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe
4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe
1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe
3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe
4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe
2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe
2956	{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe
4892	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe
1868	{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe
File created	C:\Windows\{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe
File created	C:\Windows\{79519F68-AE18-4f90-BBC4-A2709C783212}.exe	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe
File created	C:\Windows\{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}.exe	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe
File created	C:\Windows\{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe
File created	C:\Windows\{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe
File created	C:\Windows\{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe
File created	C:\Windows\{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe
File created	C:\Windows\{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe
File created	C:\Windows\{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe
File created	C:\Windows\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4708	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe
Token: SeIncBasePriorityPrivilege	2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe
Token: SeIncBasePriorityPrivilege	2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe
Token: SeIncBasePriorityPrivilege	4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe
Token: SeIncBasePriorityPrivilege	1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe
Token: SeIncBasePriorityPrivilege	3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe
Token: SeIncBasePriorityPrivilege	4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe
Token: SeIncBasePriorityPrivilege	2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe
Token: SeIncBasePriorityPrivilege	4640	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe
Token: SeIncBasePriorityPrivilege	4892	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 1432	4708	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	88
PID 4708 wrote to memory of 1432	4708	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	88
PID 4708 wrote to memory of 1432	4708	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	88
PID 4708 wrote to memory of 1140	4708	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	89
PID 4708 wrote to memory of 1140	4708	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	89
PID 4708 wrote to memory of 1140	4708	2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe	89
PID 1432 wrote to memory of 2496	1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe	93
PID 1432 wrote to memory of 2496	1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe	93
PID 1432 wrote to memory of 2496	1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe	93
PID 1432 wrote to memory of 3076	1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe	94
PID 1432 wrote to memory of 3076	1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe	94
PID 1432 wrote to memory of 3076	1432	{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe	94
PID 2496 wrote to memory of 2208	2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe	96
PID 2496 wrote to memory of 2208	2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe	96
PID 2496 wrote to memory of 2208	2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe	96
PID 2496 wrote to memory of 320	2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe	97
PID 2496 wrote to memory of 320	2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe	97
PID 2496 wrote to memory of 320	2496	{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe	97
PID 2208 wrote to memory of 4500	2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe	98
PID 2208 wrote to memory of 4500	2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe	98
PID 2208 wrote to memory of 4500	2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe	98
PID 2208 wrote to memory of 3136	2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe	99
PID 2208 wrote to memory of 3136	2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe	99
PID 2208 wrote to memory of 3136	2208	{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe	99
PID 4500 wrote to memory of 1012	4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe	100
PID 4500 wrote to memory of 1012	4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe	100
PID 4500 wrote to memory of 1012	4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe	100
PID 4500 wrote to memory of 4476	4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe	101
PID 4500 wrote to memory of 4476	4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe	101
PID 4500 wrote to memory of 4476	4500	{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe	101
PID 1012 wrote to memory of 3320	1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe	102
PID 1012 wrote to memory of 3320	1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe	102
PID 1012 wrote to memory of 3320	1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe	102
PID 1012 wrote to memory of 2860	1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe	103
PID 1012 wrote to memory of 2860	1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe	103
PID 1012 wrote to memory of 2860	1012	{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe	103
PID 3320 wrote to memory of 4052	3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe	104
PID 3320 wrote to memory of 4052	3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe	104
PID 3320 wrote to memory of 4052	3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe	104
PID 3320 wrote to memory of 3400	3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe	105
PID 3320 wrote to memory of 3400	3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe	105
PID 3320 wrote to memory of 3400	3320	{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe	105
PID 4052 wrote to memory of 2296	4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe	106
PID 4052 wrote to memory of 2296	4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe	106
PID 4052 wrote to memory of 2296	4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe	106
PID 4052 wrote to memory of 4524	4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe	107
PID 4052 wrote to memory of 4524	4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe	107
PID 4052 wrote to memory of 4524	4052	{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe	107
PID 2296 wrote to memory of 2956	2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe	108
PID 2296 wrote to memory of 2956	2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe	108
PID 2296 wrote to memory of 2956	2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe	108
PID 2296 wrote to memory of 4344	2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe	109
PID 2296 wrote to memory of 4344	2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe	109
PID 2296 wrote to memory of 4344	2296	{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe	109
PID 4640 wrote to memory of 4892	4640	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe	112
PID 4640 wrote to memory of 4892	4640	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe	112
PID 4640 wrote to memory of 4892	4640	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe	112
PID 4640 wrote to memory of 3620	4640	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe	113
PID 4640 wrote to memory of 3620	4640	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe	113
PID 4640 wrote to memory of 3620	4640	{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe	113
PID 4892 wrote to memory of 1868	4892	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe	114
PID 4892 wrote to memory of 1868	4892	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe	114
PID 4892 wrote to memory of 1868	4892	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe	114
PID 4892 wrote to memory of 1896	4892	{79519F68-AE18-4f90-BBC4-A2709C783212}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_f593dd5d1b21d67c3f9fad68d5bfee20_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe
  C:\Windows\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe
    C:\Windows\{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe
      C:\Windows\{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe
        
        C:\Windows\{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe
        
        C:\Windows\{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe
        
        C:\Windows\{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe
        
        C:\Windows\{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe
        
        C:\Windows\{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe
        
        C:\Windows\{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe
        
        C:\Windows\{82282096-1BF3-49f6-BF3B-993C5D32779B}.exe
        11⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\{79519F68-AE18-4f90-BBC4-A2709C783212}.exe
        
        C:\Windows\{79519F68-AE18-4f90-BBC4-A2709C783212}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}.exe
        
        C:\Windows\{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}.exe
        13⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79519~1.EXE > nul
        13⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82282~1.EXE > nul
        12⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FDD7~1.EXE > nul
        11⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D5F9~1.EXE > nul
        10⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98D5C~1.EXE > nul
        9⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D644D~1.EXE > nul
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD03E~1.EXE > nul
        7⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4B13~1.EXE > nul
        6⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0820B~1.EXE > nul
        5⤵
        
        PID:3136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F3FA~1.EXE > nul
      4⤵
      PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E240~1.EXE > nul
    3⤵
    PID:3076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0820B78B-E632-4f16-8BF7-59F64B0E0B9E}.exe

Filesize
197KB

MD5
95ac2c4f4af01efb9867ec302cf37503

SHA1
c9e85ef700482a650d43423675174486f696e014

SHA256
f2ace1178d804f24c64870febfb7b31871ff6d627567dfdf54ef90feef98efa0

SHA512
e0c80cbd260687538caa7335620b4ada930aeeb3442faaca3dc7d1c1d7f232c58a5684774a899eb1c41ee7ff273c5394b72da36f3bffe76fd0b34fd95b766fb8

Download Submit
C:\Windows\{0F3FA1CF-746B-4f6d-A75E-AE7F77C1960C}.exe

Filesize
197KB

MD5
2322ac4ec805849cd8602b7db253ad5e

SHA1
774b253773d2c80bda6f39a998535d0045a31ed1

SHA256
60a144e7e208aae445c14748009e2ecbe344d9355f1d0cbfdc609a4c946c310a

SHA512
1e72dc7794af4f4dadadf4db22f7d2242ee285fdfd67977b3774beb2519dec7a3ac31309d6e35980e805054adfaa9b6b0458892dedb60d89aca6045a8e78285a

Download Submit
C:\Windows\{0FDD758B-C7C8-466a-9F77-A05BB646ED6B}.exe

Filesize
197KB

MD5
a3a175e27580def286d0d4f390d75fd4

SHA1
4a2167c85d706d52c8818ef1e553d6c2d4dc6934

SHA256
27b22d72fa31236f68ee48c387d3b987b0e6b95b315506bcc29f805b1b17511c

SHA512
2b3b08e04b2b12780e96a6220519ba13d9a25b990cdea5b8fa069ae7a30974c508b8d0f6b117b6ef17f96369dc6f9d5736f96aad208288383654382768b13ff5

Download Submit
C:\Windows\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe

Filesize
39KB

MD5
70f8ae5fc7896aac688882415fe7685a

SHA1
5c0d824e0b83219ce04618e2d1d4af80cf294cf1

SHA256
2569b10184f24e476b2769fd29b8951794dc31b434247f796e39b912c95a5f52

SHA512
be7ca246597c3869146a7cd82a7e4c32f87e51d9ca140835d90c99f7c37b92b5d3da454444efd3da78c10b745f960e8ed3d5500119367f501d8ad1fd2067d165

Download Submit
C:\Windows\{6E240B2C-4F8E-48c3-B0B3-3DFE30BFABBA}.exe

Filesize
197KB

MD5
fcb3a6b3cf09ba7ec7e2089ce536ca8c

SHA1
c6af9ed822a86ee39cf449501550b95c8fcb4980

SHA256
48ba6b59598916a601a692e8c04c37429ffdd1afab7c5255ebfda48a9adf7704

SHA512
3d83ce5d36ef855e718feca9cea581e76496afb4b712f51bdd7bd65000070dab88b83d1dec21ef516d8a1ab647dbf736e336bd2cb27e336a7962a00ed528cda3

Download Submit
C:\Windows\{79519F68-AE18-4f90-BBC4-A2709C783212}.exe

Filesize
44KB

MD5
edf6c20019d9e5350db32e6be947f56f

SHA1
c36c48d101ac954018044b86db486d057d5f586c

SHA256
8f018acfb6120dfe84160c03959c9ab86726d5fbae8a3232e5816bb1f9bac292

SHA512
a05d697ac66f7ce7f242744da1a2d6a6104edccf3071bd620764ef66931dfb9682b738ad98f92fcc3238aaabc7f9911f6111d3bbb5614f2181152644b77749ab

Download Submit
C:\Windows\{79519F68-AE18-4f90-BBC4-A2709C783212}.exe

Filesize
197KB

MD5
39cf97a705c8fa701dcfa224ea716672

SHA1
5c749a285fb4e7df7a4637e62e5df3428b6a8d60

SHA256
260a1e0fd28ffd31ee1640922b8002fde3603731bfb52105e7606bfc0b0ddeb2

SHA512
6e010ee9035503a14f3fddec5d35af588a4eff6354ce96bc4402ab5237ec0654a058ee741c18ef8421b139cbcd0521b3b69a92541f5dd0ef646eff5dc3fa0696

Download Submit
C:\Windows\{8D5F9948-69E3-4676-9581-7F6E3E9A6E5E}.exe

Filesize
197KB

MD5
67ec8d4812022769ae6db0dbbb795e82

SHA1
a10fbcf416f991d9365cd7fda3d750f443ae7229

SHA256
c901479e39b228602d58499a6da7f7ae118f69567a93a4589c2fa652c615f470

SHA512
164328b0ae54fc2867e072da74c32ecc6b0d777b9ee90539bba36870dffd3deb1a48094b0518b46467ed90a610cfc55f4e91c7f856ec8bbdb886f08d37062cd4

Download Submit
C:\Windows\{980477AD-EC1F-4edc-B525-F4EF22EDB0FD}.exe

Filesize
197KB

MD5
1a085374f440154c835250e4eb2874c6

SHA1
1a94004e8714145368150303a44a511a14faf7cc

SHA256
b7b1377b5bf73b09e7d9b44b967731ee5986a031c80e21b6d90f7eced4c7e440

SHA512
3bd395ce740aa9fc2ebb2dd45b462815d227dc7884b52f019be907a83092f32c7259b55f3a8b3da7541723807333fac20945e833b931675a278449b94703922e

Download Submit
C:\Windows\{98D5C0A9-C4B0-48ff-B15D-5581A75DE981}.exe

Filesize
197KB

MD5
0ed2fb08d7a9561f696b693e052487d1

SHA1
7729340fcdb49f6f4919804d95666aeed8e2c755

SHA256
ab20f45c6264f86b863c3e8c096c8d5b02e53df9e2eef987c3b8a9b64da3561b

SHA512
fcc9c292162211606231090160c003f4b08b0eb796c669c79aa6fe582b1524b222717de12be2cdc674d78d13ad0c98b215754a2f42d632e444b951a4b8fb32a0

Download Submit
C:\Windows\{A4B13857-9608-47aa-8C9C-D695E2EFE7DE}.exe

Filesize
197KB

MD5
decd63b935fb1350695761050f210001

SHA1
3534149c4bc228f5c28cf6fc4caa72ab443856c0

SHA256
12519b4c3fc77ba569520ecabadc8ce0ff84427aec8e01b0deb9f3c5020b9cf7

SHA512
f628da61f30e0645fcb7642656d9e3862e16a99a708f388c44dd65526913718ca0c909179c2b8597f1ce13734e8b465a5526bfae1867fc005f1d57ebffb3e884

Download Submit
C:\Windows\{CD03EFAA-460C-44d0-BBF7-7D5007D2994D}.exe

Filesize
197KB

MD5
6f6599158599f9fba2153643aa218a6e

SHA1
34465195765043e17bda8cb8ea7f0e903d57538d

SHA256
5b9fde03780e83d7901274a61731c1f1a028bbbe8526717f29ba5d6b2ad8fdab

SHA512
edcf4727413fa87d395bf9492754059c58fd7a6212123aa9f2ce1014bfc1b0134fc23f6a80be7ac653f468fb7438865f8a2df0fa404a826ca45b7bd6d3724986

Download Submit
C:\Windows\{D644D1A1-162A-4ad4-A83A-B1CC12EFEBCE}.exe

Filesize
197KB

MD5
eced893961128cf2e01956e290a8524a

SHA1
7e46a8d9f40ef8410471312f4b88e2417cda6ca2

SHA256
0efcb02f0a1d2c043c75317795c2c6092b856282bcead43daf8e644897f5b99a

SHA512
c6ae6c764d3622bb39cbcc914573e97868cd0b4af12bef31ad5d748cc592071f4e2ddcaeff78dd5be6a9f29b8e13b05136819e85f6fa715a28bb36d943a81a56

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads