3f0c3fe0604e9f25694a9a8ad802fc3b07c86cdfd9207ab4434c93ba2a3ef79f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
Size

180KB
MD5

de6248344ac739013058adcef5998d16
SHA1

9341208eb0dac6148f283f350683bd87f6c196ed
SHA256

3f0c3fe0604e9f25694a9a8ad802fc3b07c86cdfd9207ab4434c93ba2a3ef79f
SHA512

d9d058def566fca0eefb62d08bb8fee2b381dce8177bf4fd022c6ed8a7e4d7e4a43103f938fd81d74c0df54f0ca5300a3e32582521eee1fbe849040d9abb8d49
SSDEEP

3072:jEGh0oqlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGwl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023113-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023113-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}\stubpath = "C:\\Windows\\{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe"	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{228E0025-95AD-49c0-8F57-61C00AE323C1}	{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{228E0025-95AD-49c0-8F57-61C00AE323C1}\stubpath = "C:\\Windows\\{228E0025-95AD-49c0-8F57-61C00AE323C1}.exe"	{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4689B526-4D60-4346-A7AC-0B8A57D3CF21}\stubpath = "C:\\Windows\\{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe"	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0539F715-CD8E-47c7-A365-AFD65EADEADB}	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0539F715-CD8E-47c7-A365-AFD65EADEADB}\stubpath = "C:\\Windows\\{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe"	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4689B526-4D60-4346-A7AC-0B8A57D3CF21}	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}\stubpath = "C:\\Windows\\{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe"	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60B25F7-203A-4905-86E6-607010CC46DD}	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60B25F7-203A-4905-86E6-607010CC46DD}\stubpath = "C:\\Windows\\{B60B25F7-203A-4905-86E6-607010CC46DD}.exe"	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6614AA2-7169-407c-9D2F-3959E6FE896F}	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6614AA2-7169-407c-9D2F-3959E6FE896F}\stubpath = "C:\\Windows\\{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe"	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}\stubpath = "C:\\Windows\\{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe"	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}\stubpath = "C:\\Windows\\{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe"	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}\stubpath = "C:\\Windows\\{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe"	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}\stubpath = "C:\\Windows\\{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe"	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D30AC888-ED3D-4434-A20B-42F98DCCDF26}	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D30AC888-ED3D-4434-A20B-42F98DCCDF26}\stubpath = "C:\\Windows\\{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe"	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe
4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe
5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe
1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe
3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe
3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe
3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe
4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe
1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe
3972	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe
1220	{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe
2896	{228E0025-95AD-49c0-8F57-61C00AE323C1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
File created	C:\Windows\{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe
File created	C:\Windows\{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe
File created	C:\Windows\{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe
File created	C:\Windows\{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe
File created	C:\Windows\{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe
File created	C:\Windows\{B60B25F7-203A-4905-86E6-607010CC46DD}.exe	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe
File created	C:\Windows\{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe
File created	C:\Windows\{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe
File created	C:\Windows\{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe
File created	C:\Windows\{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe
File created	C:\Windows\{228E0025-95AD-49c0-8F57-61C00AE323C1}.exe	{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1916	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe
Token: SeIncBasePriorityPrivilege	4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe
Token: SeIncBasePriorityPrivilege	5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe
Token: SeIncBasePriorityPrivilege	1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe
Token: SeIncBasePriorityPrivilege	3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe
Token: SeIncBasePriorityPrivilege	3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe
Token: SeIncBasePriorityPrivilege	3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe
Token: SeIncBasePriorityPrivilege	4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe
Token: SeIncBasePriorityPrivilege	1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe
Token: SeIncBasePriorityPrivilege	3972	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe
Token: SeIncBasePriorityPrivilege	1220	{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2944	1916	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	89
PID 1916 wrote to memory of 2944	1916	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	89
PID 1916 wrote to memory of 2944	1916	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	89
PID 1916 wrote to memory of 4872	1916	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	90
PID 1916 wrote to memory of 4872	1916	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	90
PID 1916 wrote to memory of 4872	1916	2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe	90
PID 2944 wrote to memory of 4588	2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe	93
PID 2944 wrote to memory of 4588	2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe	93
PID 2944 wrote to memory of 4588	2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe	93
PID 2944 wrote to memory of 4052	2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe	94
PID 2944 wrote to memory of 4052	2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe	94
PID 2944 wrote to memory of 4052	2944	{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe	94
PID 4588 wrote to memory of 5116	4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe	97
PID 4588 wrote to memory of 5116	4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe	97
PID 4588 wrote to memory of 5116	4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe	97
PID 4588 wrote to memory of 1964	4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe	96
PID 4588 wrote to memory of 1964	4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe	96
PID 4588 wrote to memory of 1964	4588	{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe	96
PID 5116 wrote to memory of 1540	5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe	98
PID 5116 wrote to memory of 1540	5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe	98
PID 5116 wrote to memory of 1540	5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe	98
PID 5116 wrote to memory of 1708	5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe	99
PID 5116 wrote to memory of 1708	5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe	99
PID 5116 wrote to memory of 1708	5116	{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe	99
PID 1540 wrote to memory of 3520	1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe	100
PID 1540 wrote to memory of 3520	1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe	100
PID 1540 wrote to memory of 3520	1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe	100
PID 1540 wrote to memory of 1040	1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe	101
PID 1540 wrote to memory of 1040	1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe	101
PID 1540 wrote to memory of 1040	1540	{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe	101
PID 3520 wrote to memory of 3880	3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe	102
PID 3520 wrote to memory of 3880	3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe	102
PID 3520 wrote to memory of 3880	3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe	102
PID 3520 wrote to memory of 2036	3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe	103
PID 3520 wrote to memory of 2036	3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe	103
PID 3520 wrote to memory of 2036	3520	{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe	103
PID 3880 wrote to memory of 3032	3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe	104
PID 3880 wrote to memory of 3032	3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe	104
PID 3880 wrote to memory of 3032	3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe	104
PID 3880 wrote to memory of 4964	3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe	105
PID 3880 wrote to memory of 4964	3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe	105
PID 3880 wrote to memory of 4964	3880	{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe	105
PID 3032 wrote to memory of 4308	3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe	106
PID 3032 wrote to memory of 4308	3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe	106
PID 3032 wrote to memory of 4308	3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe	106
PID 3032 wrote to memory of 4224	3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe	107
PID 3032 wrote to memory of 4224	3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe	107
PID 3032 wrote to memory of 4224	3032	{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe	107
PID 4308 wrote to memory of 1924	4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe	108
PID 4308 wrote to memory of 1924	4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe	108
PID 4308 wrote to memory of 1924	4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe	108
PID 4308 wrote to memory of 3264	4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe	109
PID 4308 wrote to memory of 3264	4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe	109
PID 4308 wrote to memory of 3264	4308	{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe	109
PID 1924 wrote to memory of 3972	1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe	110
PID 1924 wrote to memory of 3972	1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe	110
PID 1924 wrote to memory of 3972	1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe	110
PID 1924 wrote to memory of 1980	1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe	111
PID 1924 wrote to memory of 1980	1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe	111
PID 1924 wrote to memory of 1980	1924	{B60B25F7-203A-4905-86E6-607010CC46DD}.exe	111
PID 3972 wrote to memory of 1220	3972	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe	113
PID 3972 wrote to memory of 1220	3972	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe	113
PID 3972 wrote to memory of 1220	3972	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe	113
PID 3972 wrote to memory of 748	3972	{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_de6248344ac739013058adcef5998d16_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe
  C:\Windows\{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe
    C:\Windows\{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F6BF5~1.EXE > nul
      4⤵
      PID:1964
  - - C:\Windows\{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe
      C:\Windows\{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe
        
        C:\Windows\{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe
        
        C:\Windows\{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe
        
        C:\Windows\{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe
        
        C:\Windows\{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe
        
        C:\Windows\{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{B60B25F7-203A-4905-86E6-607010CC46DD}.exe
        
        C:\Windows\{B60B25F7-203A-4905-86E6-607010CC46DD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe
        
        C:\Windows\{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6614~1.EXE > nul
        12⤵
        
        PID:748
        
        C:\Windows\{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe
        
        C:\Windows\{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\{228E0025-95AD-49c0-8F57-61C00AE323C1}.exe
        
        C:\Windows\{228E0025-95AD-49c0-8F57-61C00AE323C1}.exe
        13⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0539F~1.EXE > nul
        13⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B60B2~1.EXE > nul
        11⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2BB3~1.EXE > nul
        10⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94E1B~1.EXE > nul
        9⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA01B~1.EXE > nul
        8⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A680~1.EXE > nul
        7⤵
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4689B~1.EXE > nul
        6⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DEDF~1.EXE > nul
        5⤵
        
        PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D30AC~1.EXE > nul
    3⤵
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0539F715-CD8E-47c7-A365-AFD65EADEADB}.exe

Filesize
128KB

MD5
61533ace36221bc7a4aea12116013179

SHA1
dc5938b9a41520cab715ce99e9ad05cbd67c54d1

SHA256
bc043639e69a8cfedf2bd0301ea03ac697aab29c051edaa8a1c737d35fa7b170

SHA512
278df93fab02e056cc8d65941e95dfc1633e503e859dadc1f379e7ca5c3c45678e36cbdb99730e68543751f03b5d4bce8a492d76498a8c052778937c15ff8e63

Download Submit
C:\Windows\{228E0025-95AD-49c0-8F57-61C00AE323C1}.exe

Filesize
180KB

MD5
4f7d29adebe6169f2558d47e4af12df5

SHA1
36e508b0fcc2129db6b9aad094448dbcf0aab16f

SHA256
32878736465b4bd659f82307a3e24123e1281facf8cc2275beb087f3ad32eb0f

SHA512
4e80010ddf6458c4ac7722f35b22b2d429ae932c9637d073c7bb064868698b0e43ed74803b0daede18f5156bf59cb07274f5469686aefef092cf131db3363da3

Download Submit
C:\Windows\{4689B526-4D60-4346-A7AC-0B8A57D3CF21}.exe

Filesize
180KB

MD5
e469412c8dba09844396e7d38c3d74f1

SHA1
d47693d3ead04874b2e6207174907ee95e065b06

SHA256
fd9286068f24270da4268a8cc8d70417f07fee7a1d59fb664decde050ef6fe55

SHA512
b1985af52aaef4497317bff0b58265cf9f2df3ad06521ef0ef62aa55a949a272fe7b87a1691a3786c815511d62b74e76597a76df7456b2502c2b0c67b4016905

Download Submit
C:\Windows\{8A680590-5F80-4d4d-A2A5-90650B4EF5BC}.exe

Filesize
180KB

MD5
b757a9b04ca4640dc83785f26a27446b

SHA1
9d6dbf79ce3258539175de2403856542b57188e6

SHA256
f45e44b2c0e4cf8470cdb057f569f95188bd27408ab76625b8b9e080dfe26b9e

SHA512
f15428ffc995a28063792ee17836f83e0a393ae09204debc0b5249a7eb82c19e18d47de9d71af72000ff9e2bb6dbea93dfe28517d665f9488214c6b0246e33a1

Download Submit
C:\Windows\{8DEDF83F-30AE-483e-9EBD-912A5D7DCB26}.exe

Filesize
180KB

MD5
6795a898dcca0a2291dfc1f0128495e7

SHA1
71c7f4b6778e0bb64fe614c69290e0fba0cf2a03

SHA256
f999fe087b071ddb7eddb21506b7089c0bec04766acdd77ef324bccb0c0b477d

SHA512
b7a280ee3b3864b257da407ab4dbf5aaa58a39fbaea5cd4a43f05944fdab413318f877909ea693b57c53be6023943a8e5b2d9664a23e9012c7c4aeb0fdd3f11a

Download Submit
C:\Windows\{94E1B4EB-5EB5-4be2-8D51-DD897D91FDD3}.exe

Filesize
180KB

MD5
42fe3617fe190eaa1ec18ce7795984c3

SHA1
6281236c22cb77620fd460e1a06ee99992410424

SHA256
b36f1b48cd3d270c4f9dc7b415d8b0dac78677c44da83572e405b59b50ff7779

SHA512
4c4ce161ad71dbade32dac549a37a9553df36c882b54e056bb8f2bfa76377be89628411d295acca78c6f54cd7b4c686e27a7cfdef92a4b587c4ef3fb7079cd1c

Download Submit
C:\Windows\{B60B25F7-203A-4905-86E6-607010CC46DD}.exe

Filesize
180KB

MD5
9aa0f973bc50695e6227282c1fd9d842

SHA1
a607d7343659d1041ca9aad747299d9251fe8df2

SHA256
d14ad4eaadee20fd37aa9cbe516b52e64b1c644cab45123bb8fd2ed695e05568

SHA512
102e84d99d2d57e80afb9c0b41b7acb44b49f125138c286a4351b4fabde5bb2e620392e49c274d5fb2fa35d5e35ed04a42cfb2eb7ab88a70f5b53458512af86f

Download Submit
C:\Windows\{C2BB3774-8CB2-47b0-BAB7-3F617FB30FB3}.exe

Filesize
180KB

MD5
e0af4d0f7636d5013d357a8615920662

SHA1
81dbec0ec5fc12a3280c5f675898ce6662e2a4b1

SHA256
ff6d51edf7b721c0ecd8f8d6e4fafcdf8dc05f18c659586480fc4bb27aa4f19a

SHA512
3dc6ab4656a3f1d2752408a0f96ac68bc22ef9e9159f8d9db909d401fed32b00df4bbe0d5c954e625161414b084b276990f999a22cc786e8b1c29f765a6f0fc1

Download Submit
C:\Windows\{D30AC888-ED3D-4434-A20B-42F98DCCDF26}.exe

Filesize
180KB

MD5
677ef1319df9dd230dfbd517ad16eb0b

SHA1
1a91f9a1808f810d8a8b52e24c065310f82ea149

SHA256
a686010bbdb209d25fe5657e725a543692986acfc9b111675af3b7b6de9b8ef2

SHA512
197e41712106dad4b7ce41cb99ce486f4dcb57042df56e3294580a65499e36d80e60a7ea10af57dccbc68ccfcf2bbf03e89d2fede6536ae998d7a320152f2592

Download Submit
C:\Windows\{EA01BBDD-67CF-4abc-A1C1-D33216E2BD45}.exe

Filesize
180KB

MD5
e492575b927b97724f0bce10f3c2af9e

SHA1
aca6ef53424cc4a41a2dc301fb608bbf9c41e703

SHA256
c08606c811c12c4f6fcebaf6a4cce4e499f2e40da6c25f4343af7fbff26a3fc6

SHA512
77373a49a135f246d5aafedb1d1f7eb554c9f4fa4297c2b63b4ae5e3fc1ac124f24304df6c7b1eea516d08977a0c6f9efb3823244a4cc9e092027a1ab708fafe

Download Submit
C:\Windows\{F6614AA2-7169-407c-9D2F-3959E6FE896F}.exe

Filesize
180KB

MD5
0d45e4b95b82a0aa70a64f8376b074d8

SHA1
90f5ee5aae5847c1e46e7101880c5d48732c7b76

SHA256
242e97a53581b22384c122430edf5013389677b70b8fdcd5532e9be40446bac8

SHA512
e61256a27829737eb7ad6ee2b31d5c808ec439aa141bb7dc0be7a5378330319c41b91b54bf6b024590ccdebfe342290643f8a7af8271800ce69115e441e0235f

Download Submit
C:\Windows\{F6BF5C12-724F-41a1-8007-4B350C0DF3F6}.exe

Filesize
180KB

MD5
5f98174f2e80048ec111e77bf8af632d

SHA1
7cdda19b9cc4d70f3acaed4df5827cc2341c4772

SHA256
adbe6a5083b74592d271ddbaf465e1c5b2235551d534264282237935da54db63

SHA512
6521c9aaf4a9eb50ea8232a2efe18545b7e27d40e74ed925f68829b72d18043fe2109703a86218951bb3ebbea1caee14d06b440b905f089b26d90af5ab719ab6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads