17624809b8c0103c7a64bab12e25e8c7cb22780e54c97013e2335687d9aa42d3

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe
Size

180KB
MD5

f96eebc86234d8bc844406ea05581ceb
SHA1

5f70de3395b68176edd9769269888866fcfaafbc
SHA256

17624809b8c0103c7a64bab12e25e8c7cb22780e54c97013e2335687d9aa42d3
SHA512

b41aac0b0778cb7ed0d10e466f1e01cb2bbec93b4f9bf5f9650048530749cd13c1d458c2ce79dc097026b4544580f1efc9122783a95c92583f8dda098e2ffbe2
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001db8d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001db8d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db8d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E88739-B9CB-4f41-924B-2850A98E5288}\stubpath = "C:\\Windows\\{95E88739-B9CB-4f41-924B-2850A98E5288}.exe"	{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45F1F47-8724-4526-9457-5A523423E767}\stubpath = "C:\\Windows\\{F45F1F47-8724-4526-9457-5A523423E767}.exe"	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76270DC1-43E3-4d4d-A30E-024C2E24BF44}	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45F1F47-8724-4526-9457-5A523423E767}	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D91478-5382-468e-AF4F-CB2286B17429}\stubpath = "C:\\Windows\\{C3D91478-5382-468e-AF4F-CB2286B17429}.exe"	{F45F1F47-8724-4526-9457-5A523423E767}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}\stubpath = "C:\\Windows\\{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe"	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76270DC1-43E3-4d4d-A30E-024C2E24BF44}\stubpath = "C:\\Windows\\{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe"	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}\stubpath = "C:\\Windows\\{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe"	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E9EFEAB-E678-4452-A096-5B21A23BA50C}	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E9EFEAB-E678-4452-A096-5B21A23BA50C}\stubpath = "C:\\Windows\\{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe"	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0BE9EA-2992-410c-9155-AE14F3106A17}\stubpath = "C:\\Windows\\{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe"	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}\stubpath = "C:\\Windows\\{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe"	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E88739-B9CB-4f41-924B-2850A98E5288}	{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}\stubpath = "C:\\Windows\\{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe"	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}\stubpath = "C:\\Windows\\{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe"	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0BE9EA-2992-410c-9155-AE14F3106A17}	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}\stubpath = "C:\\Windows\\{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe"	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D91478-5382-468e-AF4F-CB2286B17429}	{F45F1F47-8724-4526-9457-5A523423E767}.exe

Executes dropped EXE 12 IoCs

pid	Process
2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe
3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe
4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe
4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe
4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe
1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe
5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe
3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe
1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe
4252	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe
2420	{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe
4080	{95E88739-B9CB-4f41-924B-2850A98E5288}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F45F1F47-8724-4526-9457-5A523423E767}.exe	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe
File created	C:\Windows\{C3D91478-5382-468e-AF4F-CB2286B17429}.exe	{F45F1F47-8724-4526-9457-5A523423E767}.exe
File created	C:\Windows\{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe
File created	C:\Windows\{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe
File created	C:\Windows\{95E88739-B9CB-4f41-924B-2850A98E5288}.exe	{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe
File created	C:\Windows\{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe
File created	C:\Windows\{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe
File created	C:\Windows\{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe
File created	C:\Windows\{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe
File created	C:\Windows\{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe
File created	C:\Windows\{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe
File created	C:\Windows\{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2628	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe
Token: SeIncBasePriorityPrivilege	3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe
Token: SeIncBasePriorityPrivilege	4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe
Token: SeIncBasePriorityPrivilege	4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe
Token: SeIncBasePriorityPrivilege	4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe
Token: SeIncBasePriorityPrivilege	1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe
Token: SeIncBasePriorityPrivilege	5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe
Token: SeIncBasePriorityPrivilege	3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe
Token: SeIncBasePriorityPrivilege	1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe
Token: SeIncBasePriorityPrivilege	4252	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe
Token: SeIncBasePriorityPrivilege	2420	{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2100	2628	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe	91
PID 2628 wrote to memory of 2100	2628	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe	91
PID 2628 wrote to memory of 2100	2628	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe	91
PID 2628 wrote to memory of 456	2628	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe	92
PID 2628 wrote to memory of 456	2628	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe	92
PID 2628 wrote to memory of 456	2628	2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe	92
PID 2100 wrote to memory of 3520	2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe	93
PID 2100 wrote to memory of 3520	2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe	93
PID 2100 wrote to memory of 3520	2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe	93
PID 2100 wrote to memory of 628	2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe	94
PID 2100 wrote to memory of 628	2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe	94
PID 2100 wrote to memory of 628	2100	{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe	94
PID 3520 wrote to memory of 4180	3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe	97
PID 3520 wrote to memory of 4180	3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe	97
PID 3520 wrote to memory of 4180	3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe	97
PID 3520 wrote to memory of 3044	3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe	96
PID 3520 wrote to memory of 3044	3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe	96
PID 3520 wrote to memory of 3044	3520	{F45F1F47-8724-4526-9457-5A523423E767}.exe	96
PID 4180 wrote to memory of 4320	4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe	98
PID 4180 wrote to memory of 4320	4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe	98
PID 4180 wrote to memory of 4320	4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe	98
PID 4180 wrote to memory of 440	4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe	99
PID 4180 wrote to memory of 440	4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe	99
PID 4180 wrote to memory of 440	4180	{C3D91478-5382-468e-AF4F-CB2286B17429}.exe	99
PID 4320 wrote to memory of 4472	4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe	101
PID 4320 wrote to memory of 4472	4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe	101
PID 4320 wrote to memory of 4472	4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe	101
PID 4320 wrote to memory of 4532	4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe	100
PID 4320 wrote to memory of 4532	4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe	100
PID 4320 wrote to memory of 4532	4320	{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe	100
PID 4472 wrote to memory of 1196	4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe	102
PID 4472 wrote to memory of 1196	4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe	102
PID 4472 wrote to memory of 1196	4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe	102
PID 4472 wrote to memory of 4376	4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe	103
PID 4472 wrote to memory of 4376	4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe	103
PID 4472 wrote to memory of 4376	4472	{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe	103
PID 1196 wrote to memory of 5072	1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe	104
PID 1196 wrote to memory of 5072	1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe	104
PID 1196 wrote to memory of 5072	1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe	104
PID 1196 wrote to memory of 5064	1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe	105
PID 1196 wrote to memory of 5064	1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe	105
PID 1196 wrote to memory of 5064	1196	{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe	105
PID 5072 wrote to memory of 3440	5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe	106
PID 5072 wrote to memory of 3440	5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe	106
PID 5072 wrote to memory of 3440	5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe	106
PID 5072 wrote to memory of 4836	5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe	107
PID 5072 wrote to memory of 4836	5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe	107
PID 5072 wrote to memory of 4836	5072	{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe	107
PID 3440 wrote to memory of 1984	3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe	109
PID 3440 wrote to memory of 1984	3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe	109
PID 3440 wrote to memory of 1984	3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe	109
PID 3440 wrote to memory of 116	3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe	108
PID 3440 wrote to memory of 116	3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe	108
PID 3440 wrote to memory of 116	3440	{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe	108
PID 1984 wrote to memory of 4252	1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe	110
PID 1984 wrote to memory of 4252	1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe	110
PID 1984 wrote to memory of 4252	1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe	110
PID 1984 wrote to memory of 4248	1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe	111
PID 1984 wrote to memory of 4248	1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe	111
PID 1984 wrote to memory of 4248	1984	{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe	111
PID 4252 wrote to memory of 2420	4252	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe	112
PID 4252 wrote to memory of 2420	4252	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe	112
PID 4252 wrote to memory of 2420	4252	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe	112
PID 4252 wrote to memory of 1756	4252	{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_f96eebc86234d8bc844406ea05581ceb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe
  C:\Windows\{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\{F45F1F47-8724-4526-9457-5A523423E767}.exe
    C:\Windows\{F45F1F47-8724-4526-9457-5A523423E767}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F45F1~1.EXE > nul
      4⤵
      PID:3044
  - - C:\Windows\{C3D91478-5382-468e-AF4F-CB2286B17429}.exe
      C:\Windows\{C3D91478-5382-468e-AF4F-CB2286B17429}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe
        
        C:\Windows\{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72B7E~1.EXE > nul
        6⤵
        
        PID:4532
      - C:\Windows\{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe
        
        C:\Windows\{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe
        
        C:\Windows\{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe
        
        C:\Windows\{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe
        
        C:\Windows\{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC26B~1.EXE > nul
        10⤵
        
        PID:116
        
        C:\Windows\{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe
        
        C:\Windows\{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe
        
        C:\Windows\{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe
        
        C:\Windows\{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{95E88739-B9CB-4f41-924B-2850A98E5288}.exe
        
        C:\Windows\{95E88739-B9CB-4f41-924B-2850A98E5288}.exe
        13⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0BE~1.EXE > nul
        13⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92A9E~1.EXE > nul
        12⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E9EF~1.EXE > nul
        11⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76270~1.EXE > nul
        9⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F61F~1.EXE > nul
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74CDF~1.EXE > nul
        7⤵
        
        PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D91~1.EXE > nul
        5⤵
        
        PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C0F~1.EXE > nul
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E9EFEAB-E678-4452-A096-5B21A23BA50C}.exe

Filesize
180KB

MD5
3b912249078c95ca88eeafb6dc0b6f27

SHA1
8e0d37903fd5d55e7df75bd033a99e10f3043697

SHA256
8473c65f7f6f37c89c7f07ae32c7f4799d05956e7b5d8a355a1a4f13b542d097

SHA512
73e06bd93189d88231bcaf88c5499f43b5d63af85c31353abb9c652985020247a0d3a61782592f4523b8b2619c5bf88028e4344c2408e9bb483c304bfbf63918

Download Submit
C:\Windows\{3F61F268-86D0-4b45-BBF9-F5FA46E1EB34}.exe

Filesize
180KB

MD5
f3cdbc86a2d79a2d8a9bad9c84ae8fdc

SHA1
674cd56895dc01d0a09099c806fb0dda64cf55cc

SHA256
6654c2366433975220b583741033f15040f9fe62425aa532fb89251fcc49bb8a

SHA512
3fe8ef48d900fe39c722d4e2b87d4a6c9e91356f15a8e90f629d63cad5b2533147027d976f2e571da73225406489756ea7d7eea4a25ca7a7a5d9104bcb7a4801

Download Submit
C:\Windows\{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe

Filesize
150KB

MD5
adfd25d8cf769c435188e6d7820792df

SHA1
54000c04f929f4799f6f5b263fec404a99d1871a

SHA256
5f1848ec2317fe52891144dc1f4f92e1deb8b4e20c290c491ffae5ddd54502b8

SHA512
e270ebb095e4698f7ba24501e9a70558ca7e0d6f0cdae8963f5045c18f115319698f4729c5cf19fecdb85159522d53dc9b043a5bed33be00ca8ef72b5c0b2aef

Download Submit
C:\Windows\{4F0BE9EA-2992-410c-9155-AE14F3106A17}.exe

Filesize
180KB

MD5
d9c0ae702cda73e2eb21d89ed5c4342f

SHA1
6e64c59f94f4ec9c5b2b8c1e73a67a111946dbff

SHA256
012fd855c28a879d5cad47ae1eb7b9fe8d4eb857894fea2b85e9b7badd7011b6

SHA512
6fc7475bd5cb4f40595113f46edf1e4ca238d152255d144cb6947f73010b6680dd3a33aef0623335bf55f26eb2aab08fb21bf75b277ef8d9c8b4ec82bac53f92

Download Submit
C:\Windows\{72B7E2C4-8996-41d4-BAD8-62CA5CE32710}.exe

Filesize
180KB

MD5
af252ffb74b5b633f82553450aa5c95d

SHA1
e93929168507ea7e258e9a91511852076782d34c

SHA256
15a98b2b492f98d8271a023b1992077bfdcfb5e0cd8730077418276cc787b998

SHA512
e6f865cd9240897778d0280136f11534ccb263bd3dcdd21b92e7099068240e0e8fe74572eccd0b95be1fb1a3404afbfc402c0c411887af0449a75c87b577a81e

Download Submit
C:\Windows\{74CDFA12-E3FC-4bf5-9B37-A37A0E280397}.exe

Filesize
180KB

MD5
37910597e2e72553120cfa6f39595ae2

SHA1
d10e0569e7fd05ec6d278b16ea035f3f64129b1c

SHA256
08eb0edd44d9e0f50a17e46dcba17050a5922db4367d0df3ebc4aa1c75cd5c95

SHA512
58c4498fc14ea7c7543c6b15b1c39acfb1c1c757e71accff82cb5340e07a93ca399bc8860d08547c4f6e5e298088c3bf536131051c70422905368aaea9df9852

Download Submit
C:\Windows\{76270DC1-43E3-4d4d-A30E-024C2E24BF44}.exe

Filesize
180KB

MD5
c38d38df5a8ed5ec62ba7f4bfdd28d9a

SHA1
61696ec0711121537de447801a1324f5464a124b

SHA256
9b5094edbf336484a749a198c89fe0615216a84acd32b42e701bf6a3fb41e0bc

SHA512
190d946c6247ee1145ea3df3771a9d0d99f039d7fe187481e64365c97a445f26a1e290b876b9b42c55b6261db47f71b0baaae9c57a8bfdc8fcc5ca63cb3a7e3b

Download Submit
C:\Windows\{92A9EB7D-7B4F-46c0-A505-3AE3D4AE25F7}.exe

Filesize
180KB

MD5
b321aa7abe91d2bf229b50936389f18d

SHA1
6db33138764963be4a67a34f11af7c99b3be19f3

SHA256
7423de3333eb5df4dff8e2a68d5c40aa3a5e3354ce2705163f027583817d1d12

SHA512
6e80c690760341797e6b89fd0a0d3fe2fa46b49c2e202f0944e58986baefa4136026350dfbe366c27852b14abf4c01fbbf4bb9e3da129cdd686dbd3eb746edfb

Download Submit
C:\Windows\{95E88739-B9CB-4f41-924B-2850A98E5288}.exe

Filesize
180KB

MD5
99a89fe7c99f5b6fd4b14e7f9c11510b

SHA1
fa93007711d6401368454469d7f2c06591d073d3

SHA256
8b76d349d4c4137d0fc13081d372d7eeb944b2ff6190fcb1fa4b74db3f9765a5

SHA512
f48143f517e6f2271e0eb2e9412231ea5067a91fb63692bc37db0f38bfe284eb4c5458b3d9b04bc60cad473dd59311210b06bd5e995b003bfc621ce693d0e25c

Download Submit
C:\Windows\{B8C0FE81-0F3E-441c-9E19-B37E30AB2F21}.exe

Filesize
180KB

MD5
94bbb75e0f3e6ee27d109a957f9d8aa2

SHA1
892edd4df9f17aeca2911e3c7a94ae59a7e58bf9

SHA256
c4a745b66b816646bd6bd639db42bd65bab2c13208695059752a01f6409fcd20

SHA512
e3d07f07c96590b3f5a9a4affa65d97e1a94fe4ca67f7196e8b9ddce4c17938176dc854f60e303c506b55df864035716c14beb9a7169c33449ccab22bb4c9d72

Download Submit
C:\Windows\{C3D91478-5382-468e-AF4F-CB2286B17429}.exe

Filesize
180KB

MD5
3855578c25f6167714c6e4c3585d45bc

SHA1
c3a215007241ae578bff65de1312808b1f6edc13

SHA256
4ae7196fcfd5078b7e8c1701c89e76e0c02fffcc07917dd519600a978467a829

SHA512
2463809388e5eedb975a6b6371a91f2c7e3df8cb28697df32d576b9c677210b89267ffde9624a6dedcf4aaa6b1c45f2a7f45e9e748ea913e9d388367ca911ef3

Download Submit
C:\Windows\{CC26B73A-F9EB-4692-A36A-781A6CA54C3F}.exe

Filesize
180KB

MD5
e096ffc07ec4f5269617a6651ec201d6

SHA1
85f9f026a815fdf5b9fbf0dc64924d3c0ffe936e

SHA256
9f56d0177f3df8e25a4d694f94af647c1de88696ea9e4424787215d1177bae34

SHA512
23c0971ee4cfe0c20518dd3d9d7880cbaffcd1d436effb17121d0723b30c220373ce5b65621aead8577b22f903878506733f6f54eb899fac7b4cd75c6f774074

Download Submit
C:\Windows\{F45F1F47-8724-4526-9457-5A523423E767}.exe

Filesize
180KB

MD5
d313b50341958d6b2ba83e1471d33860

SHA1
c77f74c5226ad8df99586929c611fb023919d3cf

SHA256
9774d9a2e04dfb2b5a74e80de17087f3bd6a5b13b841ed3bbfcd694b1322a57a

SHA512
4a598703a0dd1405d8d1049a81f52ac20f97a9b0f5154af1dc984f83732934b9ec196d5fb5ded2b09e0eaf311c05d1a9e798005e6f047ab947e743b6ea274058

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads