cda173f045a287255880fd3c233e62ad50ac6c6dadccce515053841d1216bd1b

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Size

180KB
MD5

dd633f0d01b4cff73dc7e94617c3394a
SHA1

ef6be6dae3f1fb963bf0dfce5b1d39c2eaa1b408
SHA256

cda173f045a287255880fd3c233e62ad50ac6c6dadccce515053841d1216bd1b
SHA512

8e69c539aa391bce8779c3cc969e9b84ea8d51f22e95780bd9438a2c95b2e39d9be555dbb77c38dfb2eb1efcc5d88fc58cac84b80b50f98d7a604501b237f459
SSDEEP

3072:jEGh0oxlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGbl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e2c0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023122-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023008-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023122-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CC3382-DACD-4dd2-8608-68E6749E8E0D}\stubpath = "C:\\Windows\\{15CC3382-DACD-4dd2-8608-68E6749E8E0D}.exe"	{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}\stubpath = "C:\\Windows\\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe"	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}\stubpath = "C:\\Windows\\{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe"	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}\stubpath = "C:\\Windows\\{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe"	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}\stubpath = "C:\\Windows\\{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe"	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85674534-982D-4918-9DB4-B51079CDE4C4}\stubpath = "C:\\Windows\\{85674534-982D-4918-9DB4-B51079CDE4C4}.exe"	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414FD44F-9147-47de-9D11-A776879CFFDC}\stubpath = "C:\\Windows\\{414FD44F-9147-47de-9D11-A776879CFFDC}.exe"	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}\stubpath = "C:\\Windows\\{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe"	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{067668DC-BCC2-4645-AB26-FCAC639FF403}	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{067668DC-BCC2-4645-AB26-FCAC639FF403}\stubpath = "C:\\Windows\\{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe"	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFC75515-531C-4870-B9D1-805B27BE4088}	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}\stubpath = "C:\\Windows\\{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe"	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15CC3382-DACD-4dd2-8608-68E6749E8E0D}	{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFC75515-531C-4870-B9D1-805B27BE4088}\stubpath = "C:\\Windows\\{AFC75515-531C-4870-B9D1-805B27BE4088}.exe"	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85674534-982D-4918-9DB4-B51079CDE4C4}	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{414FD44F-9147-47de-9D11-A776879CFFDC}	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}\stubpath = "C:\\Windows\\{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe"	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe
4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe
1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe
4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe
4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe
4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe
1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe
4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe
4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe
4024	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe
4352	{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe
1348	{15CC3382-DACD-4dd2-8608-68E6749E8E0D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AFC75515-531C-4870-B9D1-805B27BE4088}.exe	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe
File created	C:\Windows\{414FD44F-9147-47de-9D11-A776879CFFDC}.exe	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe
File created	C:\Windows\{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe
File created	C:\Windows\{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe
File created	C:\Windows\{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe
File created	C:\Windows\{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe
File created	C:\Windows\{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
File created	C:\Windows\{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe
File created	C:\Windows\{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe
File created	C:\Windows\{15CC3382-DACD-4dd2-8608-68E6749E8E0D}.exe	{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe
File created	C:\Windows\{85674534-982D-4918-9DB4-B51079CDE4C4}.exe	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe
File created	C:\Windows\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4528	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe
Token: SeIncBasePriorityPrivilege	4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe
Token: SeIncBasePriorityPrivilege	1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe
Token: SeIncBasePriorityPrivilege	4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe
Token: SeIncBasePriorityPrivilege	4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe
Token: SeIncBasePriorityPrivilege	4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe
Token: SeIncBasePriorityPrivilege	1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe
Token: SeIncBasePriorityPrivilege	4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe
Token: SeIncBasePriorityPrivilege	4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe
Token: SeIncBasePriorityPrivilege	4024	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe
Token: SeIncBasePriorityPrivilege	4352	{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3368	4528	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	84
PID 4528 wrote to memory of 3368	4528	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	84
PID 4528 wrote to memory of 3368	4528	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	84
PID 4528 wrote to memory of 1256	4528	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	85
PID 4528 wrote to memory of 1256	4528	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	85
PID 4528 wrote to memory of 1256	4528	2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe	85
PID 3368 wrote to memory of 4172	3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe	91
PID 3368 wrote to memory of 4172	3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe	91
PID 3368 wrote to memory of 4172	3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe	91
PID 3368 wrote to memory of 4248	3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe	92
PID 3368 wrote to memory of 4248	3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe	92
PID 3368 wrote to memory of 4248	3368	{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe	92
PID 4172 wrote to memory of 1428	4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe	96
PID 4172 wrote to memory of 1428	4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe	96
PID 4172 wrote to memory of 1428	4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe	96
PID 4172 wrote to memory of 4720	4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe	97
PID 4172 wrote to memory of 4720	4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe	97
PID 4172 wrote to memory of 4720	4172	{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe	97
PID 1428 wrote to memory of 4360	1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe	98
PID 1428 wrote to memory of 4360	1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe	98
PID 1428 wrote to memory of 4360	1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe	98
PID 1428 wrote to memory of 3740	1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe	99
PID 1428 wrote to memory of 3740	1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe	99
PID 1428 wrote to memory of 3740	1428	{AFC75515-531C-4870-B9D1-805B27BE4088}.exe	99
PID 4360 wrote to memory of 4556	4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe	100
PID 4360 wrote to memory of 4556	4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe	100
PID 4360 wrote to memory of 4556	4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe	100
PID 4360 wrote to memory of 2036	4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe	101
PID 4360 wrote to memory of 2036	4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe	101
PID 4360 wrote to memory of 2036	4360	{85674534-982D-4918-9DB4-B51079CDE4C4}.exe	101
PID 4556 wrote to memory of 4152	4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe	102
PID 4556 wrote to memory of 4152	4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe	102
PID 4556 wrote to memory of 4152	4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe	102
PID 4556 wrote to memory of 3532	4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe	103
PID 4556 wrote to memory of 3532	4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe	103
PID 4556 wrote to memory of 3532	4556	{414FD44F-9147-47de-9D11-A776879CFFDC}.exe	103
PID 4152 wrote to memory of 1644	4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe	104
PID 4152 wrote to memory of 1644	4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe	104
PID 4152 wrote to memory of 1644	4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe	104
PID 4152 wrote to memory of 1840	4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe	105
PID 4152 wrote to memory of 1840	4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe	105
PID 4152 wrote to memory of 1840	4152	{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe	105
PID 1644 wrote to memory of 4196	1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe	106
PID 1644 wrote to memory of 4196	1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe	106
PID 1644 wrote to memory of 4196	1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe	106
PID 1644 wrote to memory of 1608	1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe	107
PID 1644 wrote to memory of 1608	1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe	107
PID 1644 wrote to memory of 1608	1644	{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe	107
PID 4196 wrote to memory of 4404	4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe	108
PID 4196 wrote to memory of 4404	4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe	108
PID 4196 wrote to memory of 4404	4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe	108
PID 4196 wrote to memory of 4508	4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe	109
PID 4196 wrote to memory of 4508	4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe	109
PID 4196 wrote to memory of 4508	4196	{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe	109
PID 4404 wrote to memory of 4024	4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe	110
PID 4404 wrote to memory of 4024	4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe	110
PID 4404 wrote to memory of 4024	4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe	110
PID 4404 wrote to memory of 636	4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe	111
PID 4404 wrote to memory of 636	4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe	111
PID 4404 wrote to memory of 636	4404	{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe	111
PID 4024 wrote to memory of 4352	4024	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe	112
PID 4024 wrote to memory of 4352	4024	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe	112
PID 4024 wrote to memory of 4352	4024	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe	112
PID 4024 wrote to memory of 2304	4024	{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_dd633f0d01b4cff73dc7e94617c3394a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe
  C:\Windows\{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe
    C:\Windows\{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\{AFC75515-531C-4870-B9D1-805B27BE4088}.exe
      C:\Windows\{AFC75515-531C-4870-B9D1-805B27BE4088}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\{85674534-982D-4918-9DB4-B51079CDE4C4}.exe
        
        C:\Windows\{85674534-982D-4918-9DB4-B51079CDE4C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\{414FD44F-9147-47de-9D11-A776879CFFDC}.exe
        
        C:\Windows\{414FD44F-9147-47de-9D11-A776879CFFDC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe
        
        C:\Windows\{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe
        
        C:\Windows\{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe
        
        C:\Windows\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe
        
        C:\Windows\{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe
        
        C:\Windows\{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe
        
        C:\Windows\{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\{15CC3382-DACD-4dd2-8608-68E6749E8E0D}.exe
        
        C:\Windows\{15CC3382-DACD-4dd2-8608-68E6749E8E0D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC14~1.EXE > nul
        13⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC10F~1.EXE > nul
        12⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3E0~1.EXE > nul
        11⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A619B~1.EXE > nul
        10⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BD86~1.EXE > nul
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{646E8~1.EXE > nul
        8⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{414FD~1.EXE > nul
        7⤵
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85674~1.EXE > nul
        6⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFC75~1.EXE > nul
        5⤵
        
        PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06766~1.EXE > nul
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EED0E~1.EXE > nul
    3⤵
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{067668DC-BCC2-4645-AB26-FCAC639FF403}.exe

Filesize
180KB

MD5
8008b05fa8d3b11b37afa41fd5d6c41d

SHA1
d5b97748573949595ae9a676c4d0b35bffd74593

SHA256
ad3714d35d46371e43ef5c500ad64330e08fbb9410e7e6cd851f67f53e6ccf82

SHA512
1ecea9279a5a0af3b4554b1ac573b1114e70c8276192e14966077501921bc433592184d4a05a98109b5af2ac1eab1edecfdd7214df879b616136c3d9738020cb

Download Submit
C:\Windows\{15CC3382-DACD-4dd2-8608-68E6749E8E0D}.exe

Filesize
180KB

MD5
468dd8ab163f915b6e750d114115af64

SHA1
feb8ef76bd60c422de0983aae39a7b9b8ade1c0d

SHA256
4ce17ef669b9fc344e029b373404b261c7604d886fe92b3fbeba4e2a2fad227b

SHA512
c3f3263ed836190ccb84d9f0ae77d439206d3e4417ad08f4ece365f0d3459240d27c25610df6def0ab27c40838b6e47be86b3bd47a9843ae54118ccaf31969b2

Download Submit
C:\Windows\{3EC146B2-3E9F-4ab0-87B1-8FD59172D5A7}.exe

Filesize
180KB

MD5
169ee2589a2e9e7f3c2b9e2c8fed7bf6

SHA1
55722d39dee21073f4ad332795d1295c28ec0b78

SHA256
43278c01d719e32f734bd5235fd08f27624869ebca4630691c06050a2d72273d

SHA512
a7929f2d7265bd23befba03f8f995f71e70b46753777f030de074e2b0371312928dee6842149dd6d37ccf67e67f83f9e04db7b7fb97a9f12ee39fadfd2eea1df

Download Submit
C:\Windows\{414FD44F-9147-47de-9D11-A776879CFFDC}.exe

Filesize
180KB

MD5
e5a955fdb44c184205402f41fb616d27

SHA1
aca875e394312ec1cbd485815dfab3e8383d12b4

SHA256
d68605a5061b222475ca865310c1326527c2342e43407853b5288d5c4ea17851

SHA512
b8714e3505761cd35753a42b4ea5058ca415671929908e8cec58c8ea7afb5dbb6d66a50494a49d3e693254c92ab91d3dfe624b530b11ded7b0019ed2a6485086

Download Submit
C:\Windows\{646E80AC-A6DA-4ea6-B9CC-DD301C57F336}.exe

Filesize
180KB

MD5
e0f96b0e09917aad1d4aa777018dc70c

SHA1
e5e013efe7c82d0c9a3759abaa38531e39b59686

SHA256
6833a4c94828495324a939eaac89d9a345d117dca35da4a9bb301bd081248ff4

SHA512
1f4b8870da773bdf1301c1b2735a4ddd002c3f49d32ca3dd21db2bad6b6849062994151818a03db89e446f8ca0348ba1528b0a6a1ce896abe4a752e84def37ac

Download Submit
C:\Windows\{85674534-982D-4918-9DB4-B51079CDE4C4}.exe

Filesize
180KB

MD5
609fb94e0dc3bb9bf517b45710d3ec31

SHA1
c53546a40907151a482659b13febfe30f6582066

SHA256
5c3f5ec2d200ed60f192c2fa5b307a9a9fd04d0142f45493ce33840e44eb51e9

SHA512
a1d10f89b0ad1feb8a5a1c369d8469eb58156ce7d051f4bc11ba07386e7154865e33a8afb2835a39c3030657109f599ac5a02f0ee2e16f13190304985e99d101

Download Submit
C:\Windows\{9BD86B93-948A-4898-AFDC-4FBCDC9EEA5F}.exe

Filesize
180KB

MD5
bc764182945a380c39c08b1b7c402834

SHA1
8d16a8f722beb6d8ea6a5f105c5edf52b61d1f9a

SHA256
22dd9b1e966ac87023b8daf73e44fed6d832f506b9d0d30be308fab364d721c5

SHA512
72b5077690b15b62e6afa11f5646afd86a6b982cab8a124e82e95580ce4ac523d51354e5f64d24897bbe528a558d63665b9f9db084d8d8388530b3f49e6a9d27

Download Submit
C:\Windows\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe

Filesize
146KB

MD5
2e10428ce934c51d33f46c937c4f5885

SHA1
08ee10c77682895f6a92f571851f310820d738b6

SHA256
329b33e3910fe2bcd4010717c45eebf64a30be7f34ae44367b76538f4c343b76

SHA512
f1d2153c206ce39bdc18e8b936b586e65bf1d2702bbdea481896c2ad2c6f09738a1d16b18b37420bf3c251cf8e46ccc2f4d00a1ad912a8926c75a531e65a8542

Download Submit
C:\Windows\{A619B369-0DF1-4eff-B1AB-709EF2B7B32C}.exe

Filesize
180KB

MD5
97e2ab8aff6c1c60e5368df700d28fc4

SHA1
c45bb067d3f88c3cd1d10b3d0f18b2635aef8454

SHA256
584f263cc0c17c537e71eac591bea160b77d08a5e203b5c9ea096d7d775b8e4d

SHA512
2828c5545331e63a7848b47d5dda30dfeb22adecf1abf27a9092c1842a446818657750881be2f8e8cf242f203a0a29251818cc2348b7bf8e6e0e30f746ca1702

Download Submit
C:\Windows\{AFC75515-531C-4870-B9D1-805B27BE4088}.exe

Filesize
180KB

MD5
fba9fbd9a9bd089d1b623a493ab9f32c

SHA1
3c4000f5c8d46fb52e9874af557d9e62174e5249

SHA256
c5130d3ab3497c466e41ea31c36c3c2bff0b8c2e716c2e00c8b239b2690db1ed

SHA512
71fa9e65c6613c64f50e23c187dafa84b4c0e9fb640054285c9d279c9d35cee69aeb7b30875abbd1e38b8b9db4bb8bf0eeb5626f4999c3c87596e296307adeb3

Download Submit
C:\Windows\{DC10F932-10B8-4e09-A3F2-0A28CFE25F7C}.exe

Filesize
180KB

MD5
01fc2f3ce5edbb4b18a29c48d24751f8

SHA1
4f73f6e61c68e8f1da352f3850e56db9acdddae6

SHA256
d3d1ac2b0c917c63b1a07cb3bfc4b1c0f447e20ec411c925151bfb41539a090e

SHA512
4adfdb3a4fc07c27e5944c814bf9ec3f9722eb54e470781c180ca0de24576206cf2b3d66ac75a70425fec7cd32c982bf0ccdde7220c17855a6011cb52be6dfbe

Download Submit
C:\Windows\{EB3E0AE9-E7FA-4e80-A07F-AE3E19112747}.exe

Filesize
180KB

MD5
2b557224c88a8a8070ee103834a04494

SHA1
5b5e25850b1f1ba900e680a99e4beeade0ebac18

SHA256
949a77145f1f7cd5b4b88485af9f433d48e526f78b5c34a75a9eda521b194dd9

SHA512
107a21f25da762d87690fa57193f13101523b956113cb6a2a0a1a015e0aad429a34ba54f3f78aa5ebee715482850a93439bacec7c3d95dad9b046663ced41472

Download Submit
C:\Windows\{EED0E7F4-0017-435c-8B1A-F9DE56A8D02C}.exe

Filesize
180KB

MD5
0150efc369e07dbf291ca5932649276c

SHA1
9b8f522999b308e92c14c578d80b35a89c57123a

SHA256
4a32c01fa75dd0cefc8f2157fd1d5f70df7841fc75a8a43f1818b74247fd49b4

SHA512
6fcd01782918bd3ba5b5b8af39d64a3c49276b3dfafe404cbe5ddca439bcea7b49cf4c22b32f7a220a12b8cf9b00c2b807ae2ac3ed0fb830c982f053b7fb9f42

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads