17cf783625db848bec7b69db30ca23548dce74daccd29a12bf3baa2337155f92

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe
Size

408KB
MD5

053d3d9d73dae942303cda04014f3964
SHA1

7a7baebf8bf3a86ced5757d0fd7f6efee1cd8b81
SHA256

17cf783625db848bec7b69db30ca23548dce74daccd29a12bf3baa2337155f92
SHA512

9023babb8cec16ee2c31a760c12d452c6a9acdaeaf961914f2c59694b608e89c5df56ca5ce41d7b5bcc87aa29ae94c96dee86bd7aa9df7f47506348f17b5df40
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGwldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023228-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023231-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023237-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023231-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C2CBD1-6590-4bd7-9071-F877428D27D3}	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}\stubpath = "C:\\Windows\\{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe"	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAF748CF-7883-436a-B598-9B1AEA21A1BB}	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}\stubpath = "C:\\Windows\\{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe"	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9984AB4A-4B26-4124-A991-310AC7406E2E}	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}\stubpath = "C:\\Windows\\{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe"	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}\stubpath = "C:\\Windows\\{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe"	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}\stubpath = "C:\\Windows\\{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe"	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7186640-176D-4113-86D5-A3B4CBF518E4}\stubpath = "C:\\Windows\\{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe"	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}	{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9984AB4A-4B26-4124-A991-310AC7406E2E}\stubpath = "C:\\Windows\\{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe"	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}\stubpath = "C:\\Windows\\{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe"	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAF748CF-7883-436a-B598-9B1AEA21A1BB}\stubpath = "C:\\Windows\\{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe"	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7186640-176D-4113-86D5-A3B4CBF518E4}	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C2CBD1-6590-4bd7-9071-F877428D27D3}\stubpath = "C:\\Windows\\{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe"	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}\stubpath = "C:\\Windows\\{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}.exe"	{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD506EB2-5E64-4e72-B963-59D67AC53DAD}	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD506EB2-5E64-4e72-B963-59D67AC53DAD}\stubpath = "C:\\Windows\\{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe"	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe

Executes dropped EXE 12 IoCs

pid	Process
2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe
2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe
4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe
3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe
4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe
804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe
1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe
1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe
720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe
1164	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe
1860	{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe
748	{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe
File created	C:\Windows\{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe
File created	C:\Windows\{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe
File created	C:\Windows\{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe
File created	C:\Windows\{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe
File created	C:\Windows\{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe
File created	C:\Windows\{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe
File created	C:\Windows\{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe
File created	C:\Windows\{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}.exe	{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe
File created	C:\Windows\{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe
File created	C:\Windows\{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe
File created	C:\Windows\{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	924	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe
Token: SeIncBasePriorityPrivilege	2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe
Token: SeIncBasePriorityPrivilege	4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe
Token: SeIncBasePriorityPrivilege	3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe
Token: SeIncBasePriorityPrivilege	4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe
Token: SeIncBasePriorityPrivilege	804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe
Token: SeIncBasePriorityPrivilege	1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe
Token: SeIncBasePriorityPrivilege	1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe
Token: SeIncBasePriorityPrivilege	720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe
Token: SeIncBasePriorityPrivilege	1164	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe
Token: SeIncBasePriorityPrivilege	1860	{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2816	924	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe	88
PID 924 wrote to memory of 2816	924	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe	88
PID 924 wrote to memory of 2816	924	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe	88
PID 924 wrote to memory of 2676	924	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe	89
PID 924 wrote to memory of 2676	924	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe	89
PID 924 wrote to memory of 2676	924	2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe	89
PID 2816 wrote to memory of 2968	2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe	93
PID 2816 wrote to memory of 2968	2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe	93
PID 2816 wrote to memory of 2968	2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe	93
PID 2816 wrote to memory of 4972	2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe	94
PID 2816 wrote to memory of 4972	2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe	94
PID 2816 wrote to memory of 4972	2816	{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe	94
PID 2968 wrote to memory of 4820	2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe	97
PID 2968 wrote to memory of 4820	2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe	97
PID 2968 wrote to memory of 4820	2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe	97
PID 2968 wrote to memory of 4356	2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe	96
PID 2968 wrote to memory of 4356	2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe	96
PID 2968 wrote to memory of 4356	2968	{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe	96
PID 4820 wrote to memory of 3644	4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe	98
PID 4820 wrote to memory of 3644	4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe	98
PID 4820 wrote to memory of 3644	4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe	98
PID 4820 wrote to memory of 4952	4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe	99
PID 4820 wrote to memory of 4952	4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe	99
PID 4820 wrote to memory of 4952	4820	{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe	99
PID 3644 wrote to memory of 4888	3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe	100
PID 3644 wrote to memory of 4888	3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe	100
PID 3644 wrote to memory of 4888	3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe	100
PID 3644 wrote to memory of 3212	3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe	101
PID 3644 wrote to memory of 3212	3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe	101
PID 3644 wrote to memory of 3212	3644	{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe	101
PID 4888 wrote to memory of 804	4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe	102
PID 4888 wrote to memory of 804	4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe	102
PID 4888 wrote to memory of 804	4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe	102
PID 4888 wrote to memory of 3588	4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe	103
PID 4888 wrote to memory of 3588	4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe	103
PID 4888 wrote to memory of 3588	4888	{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe	103
PID 804 wrote to memory of 1664	804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe	104
PID 804 wrote to memory of 1664	804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe	104
PID 804 wrote to memory of 1664	804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe	104
PID 804 wrote to memory of 2004	804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe	105
PID 804 wrote to memory of 2004	804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe	105
PID 804 wrote to memory of 2004	804	{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe	105
PID 1664 wrote to memory of 1076	1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe	106
PID 1664 wrote to memory of 1076	1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe	106
PID 1664 wrote to memory of 1076	1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe	106
PID 1664 wrote to memory of 4012	1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe	107
PID 1664 wrote to memory of 4012	1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe	107
PID 1664 wrote to memory of 4012	1664	{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe	107
PID 1076 wrote to memory of 720	1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe	108
PID 1076 wrote to memory of 720	1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe	108
PID 1076 wrote to memory of 720	1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe	108
PID 1076 wrote to memory of 2628	1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe	109
PID 1076 wrote to memory of 2628	1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe	109
PID 1076 wrote to memory of 2628	1076	{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe	109
PID 720 wrote to memory of 1164	720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe	110
PID 720 wrote to memory of 1164	720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe	110
PID 720 wrote to memory of 1164	720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe	110
PID 720 wrote to memory of 3244	720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe	111
PID 720 wrote to memory of 3244	720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe	111
PID 720 wrote to memory of 3244	720	{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe	111
PID 1164 wrote to memory of 1860	1164	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe	112
PID 1164 wrote to memory of 1860	1164	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe	112
PID 1164 wrote to memory of 1860	1164	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe	112
PID 1164 wrote to memory of 2812	1164	{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_053d3d9d73dae942303cda04014f3964_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe
  C:\Windows\{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe
    C:\Windows\{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD506~1.EXE > nul
      4⤵
      PID:4356
  - - C:\Windows\{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe
      C:\Windows\{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe
        
        C:\Windows\{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe
        
        C:\Windows\{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe
        
        C:\Windows\{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe
        
        C:\Windows\{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe
        
        C:\Windows\{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe
        
        C:\Windows\{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe
        
        C:\Windows\{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe
        
        C:\Windows\{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}.exe
        
        C:\Windows\{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}.exe
        13⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C2C~1.EXE > nul
        13⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7186~1.EXE > nul
        12⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CA4F~1.EXE > nul
        11⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE908~1.EXE > nul
        10⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D42C~1.EXE > nul
        9⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9984A~1.EXE > nul
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAF74~1.EXE > nul
        7⤵
        
        PID:3588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38AF5~1.EXE > nul
        6⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC441~1.EXE > nul
        5⤵
        
        PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A74CB~1.EXE > nul
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D42C78B-2CE5-48ec-9C34-B5DC0856CB1C}.exe

Filesize
408KB

MD5
31c1d9017b9a9c0722e73445b2ea39ab

SHA1
61c70c16561833f1066ed9bbbea53ae6092d1817

SHA256
45ee23b3a4a44b471262456564935f2d481742c06df1fe2da0e6816219f69146

SHA512
cbe080a58d5a8ca5eb056e0d34a89725341e6a743d57c32fcd9bb93256632b5ccc64981e71532cd7e0158903e324d6573bcdb2d22693b1ca30fb102af6690246

Download Submit
C:\Windows\{38AF5606-DA00-45fe-B2CD-D26DC1C81E93}.exe

Filesize
408KB

MD5
702226dde897f31d2109ee23182c8c4d

SHA1
380c27025c5be51a304b41e7bf0173bd7015a580

SHA256
0a1c253f4adee6ae8006d8745de21af5f295ad090ae7fd3fc337795e9465e70f

SHA512
5c8fee5296be0c9d88f0b546bedc26a2ff5c6a2618a4651219921c954439229b2aba2bb54b6c0b476efc0a9c113a9aeec7155d5ec50a28ad6936eea108963318

Download Submit
C:\Windows\{3AC9FA1E-6A0C-4047-B585-9AC6E6501BB4}.exe

Filesize
408KB

MD5
d2b9c233e37b1293349de242bddf27bf

SHA1
752fbf9c84ddd7f36b849e90efa431574c128045

SHA256
432d56fb194ce4b9351946becbd1482e5b84f0ada7ac441b34d897cedf9728c1

SHA512
eefb09a88a6522ebfadef41aaa411170290268be61c65dbec658aca331502e0d539f3c0cf9a13d134c83d01ab399f8f5d4fd121f572fea2c6c424a2a59a30fc6

Download Submit
C:\Windows\{7CA4F7D6-BBF9-44ad-AF5C-E661AB5A3F9F}.exe

Filesize
408KB

MD5
ba0683c1068af0866f9b7a146a9ef3e4

SHA1
3a6c4ccb59b50d775712b0673bf2dcc3b75d90f1

SHA256
37d59d222f3cf7692f3fae3b29920136002c03aea18c7e587ae600a681f05a37

SHA512
4eda96e18cf09cf515a6c9fe17c3ee032ea974be84fa37ce2232fff867cb6c023934abd05e82516224b86d3ece716fdaab7b37e07f7b39bfa4b7a6cdb01333bb

Download Submit
C:\Windows\{9984AB4A-4B26-4124-A991-310AC7406E2E}.exe

Filesize
408KB

MD5
d54bd087b3bb8e8c1200c1ae2f1c4010

SHA1
8f36ddee0d8e6bb1748178ad088e13ef76fcd90d

SHA256
40d7ea25465f65f6bc7e45692a269d5f130defdd0ee5746e19e1513e9cfdbc80

SHA512
c46a84316209af5c1014aeb3b7eaeed4679c04786c8438c9a1daeec3b0e624a462ce8eee536d96a250d88d846f9884acc6f9754126bf1c00e050fe6df08789d8

Download Submit
C:\Windows\{A74CBF0B-6A98-4e72-AAF6-B057D52A0294}.exe

Filesize
408KB

MD5
3687af26ef25eb49331a4698094e7846

SHA1
edfaf1582cd034cbeb4d0f6d40a053bb6eac283b

SHA256
c2eecba2d248d4482ec47cec8af7c5a7b95736d725bfd1288982020da18e4df2

SHA512
9c462686516f2fa4b34bdfe562e56e6a3016c521e8f81764affeb84da38335003139494cfab26a6405ed3234568b0113a0a0fe19afa570da2d0057492498548f

Download Submit
C:\Windows\{AE9084A9-CD78-493f-BACD-D2C04C42BCEC}.exe

Filesize
408KB

MD5
1f46f45d8a1760e41cedaa5cd820fbf7

SHA1
dc4c94c92684f411cd1a70048b8979b0aa00406a

SHA256
4473fbd90d7ee36be22cf0e1e1be3dac3e8e4863cdf2c1bd5739bfa9fc32ca90

SHA512
41260414658035eaab1f641596a85b1a51f7b657c117d28a8d5bfcaffe855157cf6711c85cfedefc484602332cc82ee772db4243de502208bda9f1ee70875461

Download Submit
C:\Windows\{BAF748CF-7883-436a-B598-9B1AEA21A1BB}.exe

Filesize
408KB

MD5
0d09270170d630d801415ed83c9e711f

SHA1
3ee779a02de4f3627706d600ef378633975ed5d3

SHA256
d16e9fe6ed8f1159283e314e2fd8bc169132925893a0a723eed61db4556870c2

SHA512
6115f1d8b01551c8c0dc21cfafd996c340d6fef834be008d5fb194c052d57b03fc62e93938af7e9d1e456d1d131066c19e0dfa2b4aba61920f02cf0448e16523

Download Submit
C:\Windows\{CC441A4A-2817-4f4f-ACDD-D4C8ECB3D23B}.exe

Filesize
408KB

MD5
b7d9a109c179455c954fa59adda51b91

SHA1
d19498fc09e173c774a0daac789c48058d8bee35

SHA256
840eac0c48701922882b406e77012a167da44a721d9d87bcc4f18a801624ce66

SHA512
7c1c17dcc574fb69355fd15820cc230cc4fabf0f4cf33fb341929eead2c5450c50f9fa13dff2cec31e3cc3db389022a975a97c0379774b125559b87229fbb22c

Download Submit
C:\Windows\{CD506EB2-5E64-4e72-B963-59D67AC53DAD}.exe

Filesize
408KB

MD5
484aa2507ac1667b781784803efb178c

SHA1
f1f5afbdf582567ea0b5c95bc155bd1b7856ee3b

SHA256
2f4bd491b9910db0bdf04b2e439175bf6d5ec2fd348e8c0714c7e1a8744a76cc

SHA512
ef7550e808d65fd25521c9b2c697e3042faa219e67dd3256c3d86f78127b51e6c9036c2e47b1ab57f48f848b27c2e3a008b3665ef1d73befbd418a2e3b19433a

Download Submit
C:\Windows\{E2C2CBD1-6590-4bd7-9071-F877428D27D3}.exe

Filesize
408KB

MD5
9e7ce44d2a36a7bfab3cd77355cd3816

SHA1
1ed54f284ffa64e70b301c97bad7dc2a7dc2c798

SHA256
90810560bc485aa137a68ff31093d30fb7de56b649040726330f9c4a1a6990e1

SHA512
1cec6c6172b6ab6d7130e5aa63fc6fcf200a88b388a76c1472ac4ce8252a8ee28140ab6e943edcc69e5d1250a2e7a311531df844f3f7cb808a6e0a292760400b

Download Submit
C:\Windows\{E7186640-176D-4113-86D5-A3B4CBF518E4}.exe

Filesize
408KB

MD5
9abb5c0df2207989b9299265abd3aca3

SHA1
04e473084bb0b28093f1a42dbe4d1385fe56eb78

SHA256
7247f807a4420e2b1b8a1bbdc96f17f1ba74f7968d9ad0f31d1b697b70bfef08

SHA512
901ce5176bcd7f45363eec21892e1a3b0870bb51ff972460adea27735d41af83ecb809ef7daee75c82fdeef65f597750a97c9e4f20bc58ab446930532d26cc3a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads