66fe3726a85eb757f7504633880f8df344ca92524519167f1cf62f86cc477a89

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Size

408KB
MD5

28cdddfa524bf1f88aafa9dc90ed29da
SHA1

a78d204116a6e3a412e260fb249b68d2e3695723
SHA256

66fe3726a85eb757f7504633880f8df344ca92524519167f1cf62f86cc477a89
SHA512

5155d81963fddbe0639be2f91bbc6fbd2454ccf378c1ae69541fc73c6ee5f1c2f185d6ca706fffb0e6e784e12b31889ad9c10a52aefad049f0ff574df43b3a2c
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGuldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023247-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023247-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023250-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023256-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023250-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000006cf-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006cf-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}\stubpath = "C:\\Windows\\{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe"	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{054AD306-DDFB-468e-B336-2527B3A14D96}\stubpath = "C:\\Windows\\{054AD306-DDFB-468e-B336-2527B3A14D96}.exe"	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D977E14-7C82-47be-AFEF-65F989B0285E}	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}\stubpath = "C:\\Windows\\{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe"	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9418DBFB-2A41-471b-9A68-4EF842543DA3}\stubpath = "C:\\Windows\\{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe"	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}\stubpath = "C:\\Windows\\{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe"	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D977E14-7C82-47be-AFEF-65F989B0285E}\stubpath = "C:\\Windows\\{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe"	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}\stubpath = "C:\\Windows\\{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe"	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}\stubpath = "C:\\Windows\\{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe"	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{170BFDE3-4640-4d1d-A79F-667757E88E6D}	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{170BFDE3-4640-4d1d-A79F-667757E88E6D}\stubpath = "C:\\Windows\\{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe"	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}\stubpath = "C:\\Windows\\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe"	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}\stubpath = "C:\\Windows\\{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe"	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}\stubpath = "C:\\Windows\\{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}.exe"	{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{054AD306-DDFB-468e-B336-2527B3A14D96}	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9418DBFB-2A41-471b-9A68-4EF842543DA3}	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}	{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe

Executes dropped EXE 12 IoCs

pid	Process
4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe
1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe
5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe
1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe
2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe
3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe
4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe
1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe
3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe
1916	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe
1724	{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe
4704	{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}.exe	{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe
File created	C:\Windows\{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe
File created	C:\Windows\{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe
File created	C:\Windows\{054AD306-DDFB-468e-B336-2527B3A14D96}.exe	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe
File created	C:\Windows\{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe
File created	C:\Windows\{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe
File created	C:\Windows\{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe
File created	C:\Windows\{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe
File created	C:\Windows\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
File created	C:\Windows\{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe
File created	C:\Windows\{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe
File created	C:\Windows\{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe
Token: SeIncBasePriorityPrivilege	1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe
Token: SeIncBasePriorityPrivilege	5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe
Token: SeIncBasePriorityPrivilege	1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe
Token: SeIncBasePriorityPrivilege	2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe
Token: SeIncBasePriorityPrivilege	3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe
Token: SeIncBasePriorityPrivilege	4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe
Token: SeIncBasePriorityPrivilege	1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe
Token: SeIncBasePriorityPrivilege	3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe
Token: SeIncBasePriorityPrivilege	1916	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe
Token: SeIncBasePriorityPrivilege	1724	{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4900	4240	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	91
PID 4240 wrote to memory of 4900	4240	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	91
PID 4240 wrote to memory of 4900	4240	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	91
PID 4240 wrote to memory of 4848	4240	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	92
PID 4240 wrote to memory of 4848	4240	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	92
PID 4240 wrote to memory of 4848	4240	2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe	92
PID 4900 wrote to memory of 1504	4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe	95
PID 4900 wrote to memory of 1504	4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe	95
PID 4900 wrote to memory of 1504	4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe	95
PID 4900 wrote to memory of 2016	4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe	96
PID 4900 wrote to memory of 2016	4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe	96
PID 4900 wrote to memory of 2016	4900	{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe	96
PID 1504 wrote to memory of 5072	1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe	98
PID 1504 wrote to memory of 5072	1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe	98
PID 1504 wrote to memory of 5072	1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe	98
PID 1504 wrote to memory of 3392	1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe	99
PID 1504 wrote to memory of 3392	1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe	99
PID 1504 wrote to memory of 3392	1504	{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe	99
PID 5072 wrote to memory of 1200	5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe	100
PID 5072 wrote to memory of 1200	5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe	100
PID 5072 wrote to memory of 1200	5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe	100
PID 5072 wrote to memory of 3952	5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe	101
PID 5072 wrote to memory of 3952	5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe	101
PID 5072 wrote to memory of 3952	5072	{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe	101
PID 1200 wrote to memory of 2704	1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe	102
PID 1200 wrote to memory of 2704	1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe	102
PID 1200 wrote to memory of 2704	1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe	102
PID 1200 wrote to memory of 3036	1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe	103
PID 1200 wrote to memory of 3036	1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe	103
PID 1200 wrote to memory of 3036	1200	{054AD306-DDFB-468e-B336-2527B3A14D96}.exe	103
PID 2704 wrote to memory of 3124	2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe	104
PID 2704 wrote to memory of 3124	2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe	104
PID 2704 wrote to memory of 3124	2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe	104
PID 2704 wrote to memory of 2884	2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe	105
PID 2704 wrote to memory of 2884	2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe	105
PID 2704 wrote to memory of 2884	2704	{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe	105
PID 3124 wrote to memory of 4364	3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe	106
PID 3124 wrote to memory of 4364	3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe	106
PID 3124 wrote to memory of 4364	3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe	106
PID 3124 wrote to memory of 2252	3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe	107
PID 3124 wrote to memory of 2252	3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe	107
PID 3124 wrote to memory of 2252	3124	{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe	107
PID 4364 wrote to memory of 1272	4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe	108
PID 4364 wrote to memory of 1272	4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe	108
PID 4364 wrote to memory of 1272	4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe	108
PID 4364 wrote to memory of 3016	4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe	109
PID 4364 wrote to memory of 3016	4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe	109
PID 4364 wrote to memory of 3016	4364	{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe	109
PID 1272 wrote to memory of 3604	1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe	110
PID 1272 wrote to memory of 3604	1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe	110
PID 1272 wrote to memory of 3604	1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe	110
PID 1272 wrote to memory of 2892	1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe	111
PID 1272 wrote to memory of 2892	1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe	111
PID 1272 wrote to memory of 2892	1272	{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe	111
PID 3604 wrote to memory of 1916	3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe	112
PID 3604 wrote to memory of 1916	3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe	112
PID 3604 wrote to memory of 1916	3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe	112
PID 3604 wrote to memory of 1556	3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe	113
PID 3604 wrote to memory of 1556	3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe	113
PID 3604 wrote to memory of 1556	3604	{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe	113
PID 1916 wrote to memory of 1724	1916	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe	114
PID 1916 wrote to memory of 1724	1916	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe	114
PID 1916 wrote to memory of 1724	1916	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe	114
PID 1916 wrote to memory of 4988	1916	{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_28cdddfa524bf1f88aafa9dc90ed29da_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe
  C:\Windows\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe
    C:\Windows\{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe
      C:\Windows\{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\{054AD306-DDFB-468e-B336-2527B3A14D96}.exe
        
        C:\Windows\{054AD306-DDFB-468e-B336-2527B3A14D96}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe
        
        C:\Windows\{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe
        
        C:\Windows\{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe
        
        C:\Windows\{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe
        
        C:\Windows\{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe
        
        C:\Windows\{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe
        
        C:\Windows\{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe
        
        C:\Windows\{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}.exe
        
        C:\Windows\{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}.exe
        13⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9418D~1.EXE > nul
        13⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73DD5~1.EXE > nul
        12⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{170BF~1.EXE > nul
        11⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B5F6~1.EXE > nul
        10⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B71A4~1.EXE > nul
        9⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D977~1.EXE > nul
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5D93~1.EXE > nul
        7⤵
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{054AD~1.EXE > nul
        6⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9B5C~1.EXE > nul
        5⤵
        
        PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1506E~1.EXE > nul
      4⤵
      PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EADB~1.EXE > nul
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{054AD306-DDFB-468e-B336-2527B3A14D96}.exe

Filesize
408KB

MD5
494417f664d4cc00972c14da3f1c2189

SHA1
d3ab6e14a05009441e2382afc3099c3851ea3d74

SHA256
99ea2a3cb99d3b13b87c4a67229b9cf41462da0c4a8cce4b4b4c4c6e10aa6851

SHA512
4020c2b4aebf7af8568657e4c353e63791c0c460a83a94323046c315589f14fb9022aef94a9f0ddb8cd716893f9dae5f0fac3f9d6b6b44a28f9145834374def5

Download Submit
C:\Windows\{1506E74D-23DE-41cf-B3A8-0FCE074E32EE}.exe

Filesize
408KB

MD5
6250c0cd9f6dd4812f2051f7e129be90

SHA1
ce0bb26765079a6e43627af58c61238a3c59eae2

SHA256
3e4c3edf02a80c21b96440cbb3d4bd19f48249c88d59c430e3d5f1974f49970b

SHA512
358bc11ff46c7b97e46f835d484c2370b99ef0d63116861691dd6cc131bf1b690f5655e6ebf4991d11af875e01daa4c6c1bd3df2a3491662d4afa2e8ba3c680c

Download Submit
C:\Windows\{170BFDE3-4640-4d1d-A79F-667757E88E6D}.exe

Filesize
408KB

MD5
42bf98170bbcef0cf1174d9f9898a0ab

SHA1
902a9a553c575662bb2b71c9e5a109b2308be604

SHA256
d0bc3f6b135ca1d5500ed6e9a19f3fdf4fa271ae85f824b47ec2fbd89d1a9a30

SHA512
065f8bed5468b49f774f700abf7226af0c7210a162c140a3a659da260bf0b5eefce64f7692592f5b238a4ae1482dd3b6194d66dd4918bbd84ee4966d55496964

Download Submit
C:\Windows\{35DD1AB0-4AE9-4e60-9F95-1590AEBA1D19}.exe

Filesize
408KB

MD5
77796859f12dd020bb43424450fcea74

SHA1
08301c7edb5f8f49d7a1b9c1b4fd2eab689ba1dc

SHA256
1d205bcfe62b3276d673d88c7255a9dac7af0131cc8875d9d299747ac4de7e40

SHA512
be5c1b6f4200bb9104ec9e8a69e270f90c6d9a82265d6f1f26dbf3544c22d0d962ab8163483b8ce8bf0e72a0a44f7cfe348dd443c25e2c6005ef074b36be59ec

Download Submit
C:\Windows\{6B5F6FE7-E03C-4f17-98A3-481DA4D929B7}.exe

Filesize
408KB

MD5
d918cb5d0b925fc97b569f2cfc16cbd2

SHA1
3dd5ac59c2fcea43c28f3a0c0832a71106a9e636

SHA256
e8bcfaae13757a013faf899f1cf7d507dd14fb3976ca2c32e6b3766a2842ed40

SHA512
1c76286d99cbb09a530f5d00453567c7a9ac3be1351f4b98976348616898c11daf7bec375e590cfb55cb3e7bddf978fd08ef5f0e4bbbb4a7a712d120e0afb3b3

Download Submit
C:\Windows\{73DD565F-F5F7-4b2f-9DF4-1BC19DDA1A55}.exe

Filesize
408KB

MD5
a45dfa645172db2a68eea49dfc532186

SHA1
6173e4874aa5b085349a6faefaf355823b6c546b

SHA256
66a836b4cc89f2f6aaaeea658ccb691d67a0ab2df77c130de3faea9b09eada72

SHA512
d1daf72483f17eb0e335b4a779b12b2537b18704add687e09c8374885378af1872a137240858f8d2d45ef9f1a0ae008af5f5c1b7f12ff5f020ded0332c23b8b9

Download Submit
C:\Windows\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe

Filesize
73KB

MD5
950eb2a1e4edca5769fef7c1895391e5

SHA1
4a9f5ed3df0b07f75f5ee73295456c76bd65b8a0

SHA256
795c56a007a1a48b080849c7f40192da356d1d7b614f892c8e50cb1705c420ce

SHA512
8f035d1d9ec700d06da69ff28def936a029c496a6254f87f966034a9396b1d521f21063ef15ae60a997f5a2426684aebba3d922abc8e736166d0fdca4a7592ef

Download Submit
C:\Windows\{7EADBF04-5D89-4dee-B77B-022A1C4D3BE5}.exe

Filesize
408KB

MD5
784793389557a28863cdd458a371bdf9

SHA1
4b1616c7acd2bff756e841757d9177f7aa583d6b

SHA256
279931a92d7293ea56283b0e09addf1cf47885eb99482de5d238dc7a7ae74c06

SHA512
7e08036b607c6686142fe3fa31bc1939928ab20c34fa0fe5d5f4ea59ea540fc0fa0b9fe1e4f7a18864cd7871058ef67602d9f6d8c2f2726934002857a7c76494

Download Submit
C:\Windows\{8D977E14-7C82-47be-AFEF-65F989B0285E}.exe

Filesize
408KB

MD5
294488fd907c63aac6090241264e5758

SHA1
723d2a4974c5c26ad1551df6c7043eedf26a1ce9

SHA256
0b8a8e611615bac507381cd797fc2e662d0af7daab9f35d33ab36b09886c2559

SHA512
3bf04182eade44e83d7a1a7107395060a08da16b2bf73bc07025f2ab50236dbdddeed1929fb9fdf1d19196bffe08499c277dde0555a88c637c8d066eb6c6ae40

Download Submit
C:\Windows\{9418DBFB-2A41-471b-9A68-4EF842543DA3}.exe

Filesize
408KB

MD5
d121ca7b3382d69c7486b58cf5479231

SHA1
2fd32d1ecb9bb5a6ef07244eb04434f3a5c3e9d9

SHA256
3d19273d88e7fb14a857f9933bec8b40713bf7924f3c8d1e83cdc301020c2601

SHA512
045d443c0e3d8303aaaec8961b871157c226ee9a80b2fdb4db23ebc2b15ee2c46b78005b8127b8ff72940cc73fd804dba839ed2edc830bb4b3ff901667dd5185

Download Submit
C:\Windows\{B71A40C7-EFDD-4462-9BD5-DA5CB74D5921}.exe

Filesize
408KB

MD5
2e120f2bb0b63e7dbd616a66aa0c0793

SHA1
2a2e302ef5de4b7e8843e3cace24de2634903bba

SHA256
8779ef4676aa3a1362dcb33d6636dc0298396c5d8af7a856fad07cc55d342abc

SHA512
d3656c0706d3a12d4a43a3e6c61a48585e21af3adcff7e9b4aaab00c248719ca3c489b0b4c3617309cd43c73d8b210be97c66bba5ab39ef6fd478bbbc228789b

Download Submit
C:\Windows\{D5D93590-A3EA-4f35-8FF8-110A83FAB79D}.exe

Filesize
408KB

MD5
d1283f995a8fb2aa41c8eca8a8c7dd61

SHA1
d14bbef945f66e32b7ec8260349283dd7ba64ee3

SHA256
cd6069c5ab7ff876289c79282bd686e707cab327db5a65dca097fa5a6bf2ba43

SHA512
f6228e79bd0862d46bd4eb41df9a61a644a46fb6a22cc882994cc51a02b9722f8a57caf9d9a729857cfedbce7bec414af735316334c5773ae351e56d98a8a113

Download Submit
C:\Windows\{D9B5CFB6-6C5C-4529-8BDF-48E5F621EF79}.exe

Filesize
408KB

MD5
3ace65fa66c7116805eccd9adeab473a

SHA1
74511884a42127cb2bfcebc7d8f11be6af9860f2

SHA256
0d7f4fffc2af728c31d870821d072d8489ca0c89053c9e61ab67847e3dac4f9e

SHA512
3b03825a57669a3e9325e4e40c147098d5c3ef609d543db09b00f132d95bb9b730d985e7ed4223fe9b2850b2d9245a6401ccf36dc621815a9c20f54d27710cab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads