0d0bdcf2fee770d60719e9a5378f171e9f903e5ab176d63f2ba8b304d3c666ec

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Size

216KB
MD5

047cb09bf916b529e3bbf8866bbd2134
SHA1

1ede60e2d213f71b0dd3f7d0b55b8e088df4ce9d
SHA256

0d0bdcf2fee770d60719e9a5378f171e9f903e5ab176d63f2ba8b304d3c666ec
SHA512

f043b9dc8fd64c09e3b1115001020f430e33c31308e77394c2a56a83429a47be1ea8e5f52936a005d7a1f085590d5e5bb0f8e0172d71ec2f808fb676bf338a40
SSDEEP

3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG7lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e3d9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023219-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4311DE9-F07F-4715-96DD-69E9891AD03E}	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63BD833A-08FE-4cb3-A301-3625611D5D9D}	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63BD833A-08FE-4cb3-A301-3625611D5D9D}\stubpath = "C:\\Windows\\{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe"	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}\stubpath = "C:\\Windows\\{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe"	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C81A0A-031A-4d02-ABC7-23B9AC76D472}\stubpath = "C:\\Windows\\{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe"	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}\stubpath = "C:\\Windows\\{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe"	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC9378F-1D15-425f-9B77-73480CCD7908}	{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC9378F-1D15-425f-9B77-73480CCD7908}\stubpath = "C:\\Windows\\{5AC9378F-1D15-425f-9B77-73480CCD7908}.exe"	{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}\stubpath = "C:\\Windows\\{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe"	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA12A407-72E2-45c6-B48D-F6D0831146DD}	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA12A407-72E2-45c6-B48D-F6D0831146DD}\stubpath = "C:\\Windows\\{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe"	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}\stubpath = "C:\\Windows\\{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe"	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8F09997-61EB-496c-8A20-03E14E0172F6}\stubpath = "C:\\Windows\\{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe"	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4311DE9-F07F-4715-96DD-69E9891AD03E}\stubpath = "C:\\Windows\\{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe"	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}\stubpath = "C:\\Windows\\{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe"	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}\stubpath = "C:\\Windows\\{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe"	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C81A0A-031A-4d02-ABC7-23B9AC76D472}	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8F09997-61EB-496c-8A20-03E14E0172F6}	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe

Executes dropped EXE 12 IoCs

pid	Process
2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe
4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe
1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe
4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe
2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe
4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe
4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe
3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe
1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe
736	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe
1544	{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe
1688	{5AC9378F-1D15-425f-9B77-73480CCD7908}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe
File created	C:\Windows\{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe
File created	C:\Windows\{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe
File created	C:\Windows\{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe
File created	C:\Windows\{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe
File created	C:\Windows\{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe
File created	C:\Windows\{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe
File created	C:\Windows\{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe
File created	C:\Windows\{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe
File created	C:\Windows\{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe
File created	C:\Windows\{5AC9378F-1D15-425f-9B77-73480CCD7908}.exe	{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe
File created	C:\Windows\{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1580	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe
Token: SeIncBasePriorityPrivilege	4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe
Token: SeIncBasePriorityPrivilege	1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe
Token: SeIncBasePriorityPrivilege	4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe
Token: SeIncBasePriorityPrivilege	2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe
Token: SeIncBasePriorityPrivilege	4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe
Token: SeIncBasePriorityPrivilege	4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe
Token: SeIncBasePriorityPrivilege	3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe
Token: SeIncBasePriorityPrivilege	1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe
Token: SeIncBasePriorityPrivilege	736	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe
Token: SeIncBasePriorityPrivilege	1544	{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2576	1580	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	91
PID 1580 wrote to memory of 2576	1580	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	91
PID 1580 wrote to memory of 2576	1580	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	91
PID 1580 wrote to memory of 2548	1580	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	92
PID 1580 wrote to memory of 2548	1580	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	92
PID 1580 wrote to memory of 2548	1580	2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe	92
PID 2576 wrote to memory of 4888	2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe	96
PID 2576 wrote to memory of 4888	2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe	96
PID 2576 wrote to memory of 4888	2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe	96
PID 2576 wrote to memory of 4260	2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe	97
PID 2576 wrote to memory of 4260	2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe	97
PID 2576 wrote to memory of 4260	2576	{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe	97
PID 4888 wrote to memory of 1452	4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe	100
PID 4888 wrote to memory of 1452	4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe	100
PID 4888 wrote to memory of 1452	4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe	100
PID 4888 wrote to memory of 3632	4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe	99
PID 4888 wrote to memory of 3632	4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe	99
PID 4888 wrote to memory of 3632	4888	{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe	99
PID 1452 wrote to memory of 4580	1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe	102
PID 1452 wrote to memory of 4580	1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe	102
PID 1452 wrote to memory of 4580	1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe	102
PID 1452 wrote to memory of 4328	1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe	101
PID 1452 wrote to memory of 4328	1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe	101
PID 1452 wrote to memory of 4328	1452	{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe	101
PID 4580 wrote to memory of 2324	4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe	103
PID 4580 wrote to memory of 2324	4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe	103
PID 4580 wrote to memory of 2324	4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe	103
PID 4580 wrote to memory of 4536	4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe	104
PID 4580 wrote to memory of 4536	4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe	104
PID 4580 wrote to memory of 4536	4580	{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe	104
PID 2324 wrote to memory of 4956	2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe	105
PID 2324 wrote to memory of 4956	2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe	105
PID 2324 wrote to memory of 4956	2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe	105
PID 2324 wrote to memory of 1344	2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe	106
PID 2324 wrote to memory of 1344	2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe	106
PID 2324 wrote to memory of 1344	2324	{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe	106
PID 4956 wrote to memory of 4340	4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe	107
PID 4956 wrote to memory of 4340	4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe	107
PID 4956 wrote to memory of 4340	4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe	107
PID 4956 wrote to memory of 2424	4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe	108
PID 4956 wrote to memory of 2424	4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe	108
PID 4956 wrote to memory of 2424	4956	{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe	108
PID 4340 wrote to memory of 3052	4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe	109
PID 4340 wrote to memory of 3052	4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe	109
PID 4340 wrote to memory of 3052	4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe	109
PID 4340 wrote to memory of 4968	4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe	110
PID 4340 wrote to memory of 4968	4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe	110
PID 4340 wrote to memory of 4968	4340	{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe	110
PID 3052 wrote to memory of 1348	3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe	111
PID 3052 wrote to memory of 1348	3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe	111
PID 3052 wrote to memory of 1348	3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe	111
PID 3052 wrote to memory of 1496	3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe	112
PID 3052 wrote to memory of 1496	3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe	112
PID 3052 wrote to memory of 1496	3052	{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe	112
PID 1348 wrote to memory of 736	1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe	113
PID 1348 wrote to memory of 736	1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe	113
PID 1348 wrote to memory of 736	1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe	113
PID 1348 wrote to memory of 2260	1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe	114
PID 1348 wrote to memory of 2260	1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe	114
PID 1348 wrote to memory of 2260	1348	{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe	114
PID 736 wrote to memory of 1544	736	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe	115
PID 736 wrote to memory of 1544	736	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe	115
PID 736 wrote to memory of 1544	736	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe	115
PID 736 wrote to memory of 1504	736	{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_047cb09bf916b529e3bbf8866bbd2134_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe
  C:\Windows\{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe
    C:\Windows\{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D8F09~1.EXE > nul
      4⤵
      PID:3632
  - - C:\Windows\{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe
      C:\Windows\{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1665~1.EXE > nul
        5⤵
        
        PID:4328
    - - C:\Windows\{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe
        
        C:\Windows\{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - C:\Windows\{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe
        
        C:\Windows\{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe
        
        C:\Windows\{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe
        
        C:\Windows\{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe
        
        C:\Windows\{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe
        
        C:\Windows\{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe
        
        C:\Windows\{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe
        
        C:\Windows\{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\{5AC9378F-1D15-425f-9B77-73480CCD7908}.exe
        
        C:\Windows\{5AC9378F-1D15-425f-9B77-73480CCD7908}.exe
        13⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADDB1~1.EXE > nul
        13⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03262~1.EXE > nul
        12⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70F0B~1.EXE > nul
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34FC8~1.EXE > nul
        10⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA12A~1.EXE > nul
        9⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB32B~1.EXE > nul
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63BD8~1.EXE > nul
        7⤵
        
        PID:1344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4311~1.EXE > nul
        6⤵
        
        PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69C81~1.EXE > nul
    3⤵
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{032624AF-9F4F-4b9d-B0B2-D4E536520EE4}.exe

Filesize
216KB

MD5
0c5edccf41bf41255e2826f8d07de62b

SHA1
43a7d0b7569afaf94e867bcae1a6373a2217c76a

SHA256
e133f1f04fd7e544e90047e1853d436381d6d968db6c3787a16e29388206c917

SHA512
ae8b697029bd05b81d6f85b275c02f0fcdec4e0c6ce0ebbdc18df482346f8fe9d2409e02f5efd31bd2b9c6d774084de18d0dd688b7b6ee785b812fbaf58c3dd3

Download Submit
C:\Windows\{34FC89A6-BF5D-476d-B7EF-A6019F21FF4E}.exe

Filesize
216KB

MD5
c905ebd5328088731d9427b6cc22927f

SHA1
ef13eb7d3532cf5840baaf9e392c90093b84854e

SHA256
0851f41383a6e7e8deee3c4c981651e9306e72f4ad9e65e810856366eb36d808

SHA512
bbef3a879a7d455ba910a36e39e70477de4d3384b87fa1da32e7d297967f84223674c322bdf071146f057e8aff8426ac8e0a096d3992bd88ee7e3b4121f291ca

Download Submit
C:\Windows\{5AC9378F-1D15-425f-9B77-73480CCD7908}.exe

Filesize
216KB

MD5
2fc968a084c276aa4a1297ec872d803b

SHA1
0a7db13ce01f8ab17b08386cd5c768fa68216743

SHA256
c81baffddd88dd8ffdefed93ee5cd3a10e737baa2749547a13e62b8f70fbf55c

SHA512
ec23a5cb58df42154f38efa3211b228e6d8206c8b62703bfaaab04881f9e6b263e4248e1b4d420b8054e635619e3f439209711fdc0fadc53551c27567dd9d48b

Download Submit
C:\Windows\{63BD833A-08FE-4cb3-A301-3625611D5D9D}.exe

Filesize
216KB

MD5
dc0a1118d1922782810a6764ccc00345

SHA1
94f2e86271963fdbd999ecd8210d6a9f309c5d27

SHA256
4ee92834a54ea7f912b9092bad00b0ffd2f9bb26f8dba259971205a9ddd2b742

SHA512
6c853aa140e0215d2d50be9fc9a3f0b6df463d4699e603ed80b7d81e7c5e8fe3682b7bba57f062a0584cdae39ad0f98e4898f0ca2569dd8e7cb7f9fbfec10b6c

Download Submit
C:\Windows\{69C81A0A-031A-4d02-ABC7-23B9AC76D472}.exe

Filesize
216KB

MD5
14ef98818d0aa2a75a3f5a900e0c64b3

SHA1
6781d72973f3bae6e09949463879b6030ce34d62

SHA256
4066b11293ff36247800fe2822e1e7b6f170198a8fa8c257d3b058ce3ed94d64

SHA512
d8cf87bc616238e985d334843aa9a547e0df28d952644140122d2686391b4147e51e847e887f1556f70ff9201f94aedda45d3db08b206dddfc02285f3f9ed5ff

Download Submit
C:\Windows\{70F0BBD4-0F94-4d43-9BA7-72612053E4C3}.exe

Filesize
216KB

MD5
3723b570a15a5f9d484915d00059ba3e

SHA1
ce729afd107351fb1ddf23356112b90ae45348a3

SHA256
bf2d5caa23ae3d0c39bd9872d98e71757e3bbf0fb1b31499e03274c9d689f644

SHA512
15e0554224e0e94f670e6f7c55e7a19c52ec597e8ac3a5a4162a7ce7d512d87a72ac5a236e4f59d3267101ad2b25b0cb9d179b641114240e80150d22ff7619e9

Download Submit
C:\Windows\{ADDB119F-7F4E-4092-BDCD-FC08B7F4ACB3}.exe

Filesize
216KB

MD5
1280303c00f91a8bf300507e0ae6fc69

SHA1
3c0def497a4cf5e36a0ac2efaa1b9ac3d9f3daac

SHA256
aa1411ff8b59582646548f3d4ebeee72470fce269f49dd9444a61ffe5b73e2cb

SHA512
805b0794d4874ca5a3b8740f77a13f5db12050b70b4b09edbddd718ce44ac77b11c6661263b409496b073a60380126cd906f4363d8032a6b727cf320fa6c1653

Download Submit
C:\Windows\{BA12A407-72E2-45c6-B48D-F6D0831146DD}.exe

Filesize
216KB

MD5
b73e046b42d8b8e4295c7d04d178ca1e

SHA1
370d920c7f69d3dc46624106dc6ea25afb16cb89

SHA256
591179b6ebfe2dd237df8bedab40424af02aeaad4f2776a214cb6dad3542dd27

SHA512
ccf09d92966d00040407da528a8c1474beb260807f3b10eb08e999ffc53c8c8bdd0b7e887f00c98c07bb7e83759075dc665764541bd7bbdc098257beae0ce71c

Download Submit
C:\Windows\{D8F09997-61EB-496c-8A20-03E14E0172F6}.exe

Filesize
216KB

MD5
a80234f3f402601777bb982a1cc07a72

SHA1
d91b29dfedaa291bb494b1abeb2b9dd9e05494c3

SHA256
52284c7ac84772c6448bad5973becc5b192c8684d976cffd3387c8a94a9842f1

SHA512
64059416650337dcca191872823c4a62eaa8934b737afdf9df80b479d85820a28caeaf7051347d38a06ec76fa929b83d9471a3a54a4d404684e5640206350875

Download Submit
C:\Windows\{E1665A2F-627B-40e8-B861-2A3D2CF7E32F}.exe

Filesize
216KB

MD5
d035d1fbccd2b99ded8eb1ab2eb1cd27

SHA1
5b456a2e4b8125a0af583d0893caa28df46d01bb

SHA256
132425ad564977a46e9f3a2591295ed8764ee9f4593139fe3ab410239bd76b99

SHA512
230922e76c044582e97929fd17c1aed2cda32068a483bed6755ae18e277b1beb2978ff7e258b9f79251b467f5034288237f29945c08fe544d4b280584c71211a

Download Submit
C:\Windows\{E4311DE9-F07F-4715-96DD-69E9891AD03E}.exe

Filesize
216KB

MD5
c0abf061276884e3ff469ef3668c4819

SHA1
f2e79ff04d96401ffd7363e781ab93a0d9edad61

SHA256
bc4aa0307623e66068395bdc6ca165c001680775b2e93500af5d6d5a0bc54e4c

SHA512
8d3e576b8aa9c21005d3dc9ed6fba531c8a3380df21fa1cacd4a6d7929f16a75cd21f579df0d82e53828afcbd7e293be858ea3f3e525b984a301306e9b0c7e4c

Download Submit
C:\Windows\{FB32BC2B-2B80-4d73-841C-44C43A86A4AC}.exe

Filesize
216KB

MD5
a59309ce04c7df8b7e53f35ba0e34fc8

SHA1
cb9a50f291cad8ea0b44136907e65b88b8695862

SHA256
0793a1b23e71ebaa50c86fdef1e8e2df483d143714e9aff439c817449e31f633

SHA512
84063a1980af833905a41febeed872c7dd93d362800acb4c88cf6e0da8e9d8f3d6ef9a15afe0de4675d8d9d6e4351f53a455e81425891b9c4aed598122b57103

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads