3a8281f442800c29bc5841bac38c24507a35176462494a17ab3e3dc3fe81574d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe
Size

180KB
MD5

a239dba153944c5338940cc3f6b9a1ac
SHA1

52228fad7651229c4bb6124eade660eab4977ec6
SHA256

3a8281f442800c29bc5841bac38c24507a35176462494a17ab3e3dc3fe81574d
SHA512

a2b7c0db23779eadd10e68f39ea03c2ff1de17dd813e9409ace544f63dd4053f7e54fa53a3383e4346ffc9dd743f42e56abc87243b94984182ad97fdb7eb4559
SSDEEP

3072:jEGh0oYlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGyl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000900000002320c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023220-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e804-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e804-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBCEF292-8BE2-474f-A306-9F40F3582956}\stubpath = "C:\\Windows\\{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe"	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D005E853-D104-4357-98A8-9E8FD0A27CAB}	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D005E853-D104-4357-98A8-9E8FD0A27CAB}\stubpath = "C:\\Windows\\{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe"	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D670C140-6C79-44fb-9038-3EA61B58C72C}	{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1657EE50-172B-4f1b-A5CB-184B71BFB890}\stubpath = "C:\\Windows\\{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe"	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52294240-4BF4-426b-B0F7-D6D18B829EA2}	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0D6C926-6263-489e-84C1-65044DCACAB6}	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0D6C926-6263-489e-84C1-65044DCACAB6}\stubpath = "C:\\Windows\\{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe"	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D670C140-6C79-44fb-9038-3EA61B58C72C}\stubpath = "C:\\Windows\\{D670C140-6C79-44fb-9038-3EA61B58C72C}.exe"	{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E293996D-74F9-4e95-9B37-1A2765C6BC46}\stubpath = "C:\\Windows\\{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe"	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1657EE50-172B-4f1b-A5CB-184B71BFB890}	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19BEFF0-857C-4f1d-8985-775D2348EB9B}	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}\stubpath = "C:\\Windows\\{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe"	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}\stubpath = "C:\\Windows\\{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe"	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}\stubpath = "C:\\Windows\\{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe"	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBCEF292-8BE2-474f-A306-9F40F3582956}	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E293996D-74F9-4e95-9B37-1A2765C6BC46}	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19BEFF0-857C-4f1d-8985-775D2348EB9B}\stubpath = "C:\\Windows\\{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe"	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}\stubpath = "C:\\Windows\\{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe"	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52294240-4BF4-426b-B0F7-D6D18B829EA2}\stubpath = "C:\\Windows\\{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe"	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe
3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe
4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe
1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe
2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe
3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe
2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe
4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe
4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe
1876	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe
4996	{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe
1612	{D670C140-6C79-44fb-9038-3EA61B58C72C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe
File created	C:\Windows\{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe
File created	C:\Windows\{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe
File created	C:\Windows\{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe
File created	C:\Windows\{D670C140-6C79-44fb-9038-3EA61B58C72C}.exe	{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe
File created	C:\Windows\{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe
File created	C:\Windows\{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe
File created	C:\Windows\{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe
File created	C:\Windows\{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe
File created	C:\Windows\{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe
File created	C:\Windows\{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe
File created	C:\Windows\{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3672	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe
Token: SeIncBasePriorityPrivilege	3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe
Token: SeIncBasePriorityPrivilege	4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe
Token: SeIncBasePriorityPrivilege	1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe
Token: SeIncBasePriorityPrivilege	2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe
Token: SeIncBasePriorityPrivilege	3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe
Token: SeIncBasePriorityPrivilege	2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe
Token: SeIncBasePriorityPrivilege	4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe
Token: SeIncBasePriorityPrivilege	4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe
Token: SeIncBasePriorityPrivilege	1876	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe
Token: SeIncBasePriorityPrivilege	4996	{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1632	3672	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe	93
PID 3672 wrote to memory of 1632	3672	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe	93
PID 3672 wrote to memory of 1632	3672	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe	93
PID 3672 wrote to memory of 1920	3672	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe	94
PID 3672 wrote to memory of 1920	3672	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe	94
PID 3672 wrote to memory of 1920	3672	2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe	94
PID 1632 wrote to memory of 3828	1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe	95
PID 1632 wrote to memory of 3828	1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe	95
PID 1632 wrote to memory of 3828	1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe	95
PID 1632 wrote to memory of 4288	1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe	96
PID 1632 wrote to memory of 4288	1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe	96
PID 1632 wrote to memory of 4288	1632	{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe	96
PID 3828 wrote to memory of 4280	3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe	99
PID 3828 wrote to memory of 4280	3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe	99
PID 3828 wrote to memory of 4280	3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe	99
PID 3828 wrote to memory of 1500	3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe	98
PID 3828 wrote to memory of 1500	3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe	98
PID 3828 wrote to memory of 1500	3828	{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe	98
PID 4280 wrote to memory of 1628	4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe	100
PID 4280 wrote to memory of 1628	4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe	100
PID 4280 wrote to memory of 1628	4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe	100
PID 4280 wrote to memory of 1644	4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe	101
PID 4280 wrote to memory of 1644	4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe	101
PID 4280 wrote to memory of 1644	4280	{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe	101
PID 1628 wrote to memory of 2440	1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe	102
PID 1628 wrote to memory of 2440	1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe	102
PID 1628 wrote to memory of 2440	1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe	102
PID 1628 wrote to memory of 2104	1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe	103
PID 1628 wrote to memory of 2104	1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe	103
PID 1628 wrote to memory of 2104	1628	{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe	103
PID 2440 wrote to memory of 3320	2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe	104
PID 2440 wrote to memory of 3320	2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe	104
PID 2440 wrote to memory of 3320	2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe	104
PID 2440 wrote to memory of 2804	2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe	105
PID 2440 wrote to memory of 2804	2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe	105
PID 2440 wrote to memory of 2804	2440	{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe	105
PID 3320 wrote to memory of 2924	3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe	106
PID 3320 wrote to memory of 2924	3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe	106
PID 3320 wrote to memory of 2924	3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe	106
PID 3320 wrote to memory of 3176	3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe	107
PID 3320 wrote to memory of 3176	3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe	107
PID 3320 wrote to memory of 3176	3320	{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe	107
PID 2924 wrote to memory of 4388	2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe	108
PID 2924 wrote to memory of 4388	2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe	108
PID 2924 wrote to memory of 4388	2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe	108
PID 2924 wrote to memory of 2888	2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe	109
PID 2924 wrote to memory of 2888	2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe	109
PID 2924 wrote to memory of 2888	2924	{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe	109
PID 4388 wrote to memory of 4868	4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe	110
PID 4388 wrote to memory of 4868	4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe	110
PID 4388 wrote to memory of 4868	4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe	110
PID 4388 wrote to memory of 1988	4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe	111
PID 4388 wrote to memory of 1988	4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe	111
PID 4388 wrote to memory of 1988	4388	{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe	111
PID 4868 wrote to memory of 1876	4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe	112
PID 4868 wrote to memory of 1876	4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe	112
PID 4868 wrote to memory of 1876	4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe	112
PID 4868 wrote to memory of 2060	4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe	113
PID 4868 wrote to memory of 2060	4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe	113
PID 4868 wrote to memory of 2060	4868	{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe	113
PID 1876 wrote to memory of 4996	1876	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe	114
PID 1876 wrote to memory of 4996	1876	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe	114
PID 1876 wrote to memory of 4996	1876	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe	114
PID 1876 wrote to memory of 3872	1876	{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_a239dba153944c5338940cc3f6b9a1ac_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe
  C:\Windows\{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe
    C:\Windows\{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D19BE~1.EXE > nul
      4⤵
      PID:1500
  - - C:\Windows\{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe
      C:\Windows\{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe
        
        C:\Windows\{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe
        
        C:\Windows\{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe
        
        C:\Windows\{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe
        
        C:\Windows\{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe
        
        C:\Windows\{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe
        
        C:\Windows\{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe
        
        C:\Windows\{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe
        
        C:\Windows\{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D005E~1.EXE > nul
        13⤵
        
        PID:3480
        
        C:\Windows\{D670C140-6C79-44fb-9038-3EA61B58C72C}.exe
        
        C:\Windows\{D670C140-6C79-44fb-9038-3EA61B58C72C}.exe
        13⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2939~1.EXE > nul
        12⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF1BE~1.EXE > nul
        11⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBCEF~1.EXE > nul
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE35E~1.EXE > nul
        9⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0D6C~1.EXE > nul
        8⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52294~1.EXE > nul
        7⤵
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3DFC~1.EXE > nul
        6⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAE09~1.EXE > nul
        5⤵
        
        PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1657E~1.EXE > nul
    3⤵
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1657EE50-172B-4f1b-A5CB-184B71BFB890}.exe

Filesize
180KB

MD5
7da5377c0113f600598b5cf6af460bff

SHA1
56c69a83fab02153a0477d4bb4d945d19af0001a

SHA256
8fdcbd5385b4c3397c4df854b57f5425cd388860ea2d77b37389f89071d2c45b

SHA512
13fcee3dd06b2800f837d38705418656c1ca4a3ddd30ef5c802277d33daf42730b33803a0eda5ba432809814a073028d561236e1c5daa1fd04c6da2ae3470602

Download Submit
C:\Windows\{52294240-4BF4-426b-B0F7-D6D18B829EA2}.exe

Filesize
180KB

MD5
9d74ea2a4f966cdc2e714f7e834b1515

SHA1
dea11b5c78c2603cacda128809ea49e1136f251f

SHA256
1d373fc79603bc30e9ea82fe96af6a539ea6bd22840961f723cf8e93295eca41

SHA512
d2658417dbcfef918fc6548a6de096b8aea7b888adebd07e120a855d80a402e7c541140fb011ffecebb06c962b0d93a1a2ed7b2b3d5e9a742abfec2d7dbe4d9d

Download Submit
C:\Windows\{BAE09D29-3370-46f4-AD68-7B87FC0BE4F7}.exe

Filesize
180KB

MD5
ae62e31f1b640a4e3a85d888dbe3b928

SHA1
7eb2cd12736e24ab4008febff6dad2d56547d961

SHA256
e371b05e24b27b5579d6c511481973a7706f6864493744b6393e47a380c69004

SHA512
419c55dccd75b01af310a7bf863071291677d5cf6b07a7889c38956864a361af1798f19711718b565b728597f78264c4db3dde7e10e69c6724d61af1516d0906

Download Submit
C:\Windows\{C0D6C926-6263-489e-84C1-65044DCACAB6}.exe

Filesize
180KB

MD5
391ef894e22be309e574df49635cfb48

SHA1
e7c0103bc3645f63c46ff186972d6da15d0aa39b

SHA256
01329a731680e1b9b18a8773d201f6f8b30fc398f579abbb31c0d08f4fb1a9ad

SHA512
64bea38511ccb48f5b8c3939c1234f9598352d21619aaee2ed679e1ff308a5845a2960d981adaa7c4e68cb136d3a28d7a10fd02e7895aff099d26a2321036338

Download Submit
C:\Windows\{C3DFC4C9-DFC0-41f0-8AB9-7B4C2B357D2B}.exe

Filesize
180KB

MD5
9757456f6a08534aca35f351893d9053

SHA1
a852b2074ed9137aac4cfdbfc47cf623e8f9d54b

SHA256
96314ecda696da114ad2a525f95f3b816208abdfddf6946921d167c0b51dc27e

SHA512
6aa15d872c7df027f44a5b0aee03942cccfc75ae856046a5c8b15b1968b871bc05fe509a51849133b9d749e3bf93009c5d5eb588d2c7cf701adc637a4f8e10ae

Download Submit
C:\Windows\{D005E853-D104-4357-98A8-9E8FD0A27CAB}.exe

Filesize
180KB

MD5
e0a3fa0e1e9b6542effe766f05496141

SHA1
84f1a47b52d308e2df1b8903d5821af136c5c5a8

SHA256
d1886c8711e42592b77753f68a84d645c24ffd50e16c176a0aec959230926c67

SHA512
b3ff773071b0ba33241f6003c509a220bf75430f1f5fb50536e5c6e29af991a285493eef924a5cbee1158640a7f5692a32f532bd9043946ce19970d877f24188

Download Submit
C:\Windows\{D19BEFF0-857C-4f1d-8985-775D2348EB9B}.exe

Filesize
180KB

MD5
a1cd35365b1aa9018930683e1d72af99

SHA1
747be978607ab7e2c85d4b7ce247c25c584c0f97

SHA256
1e3e549cd12a47008c4f2fdeaa5d503e4d9ea749419cee7c103c242cf8633caf

SHA512
c55b625faafa1a61cd7aae2d116ef1d6bc0db98a2be1ac1bef3b49d1368d5e8c85c46f198eb3fb9e2f98df39387e1e8ddc9a2ac3377c6ad4ca55ba418f8e0cee

Download Submit
C:\Windows\{D670C140-6C79-44fb-9038-3EA61B58C72C}.exe

Filesize
180KB

MD5
04795fabad33e0162af43adfaaa020ae

SHA1
eda435f2e9c93d870f5595e698c49aa9855ff844

SHA256
8e4eaae11dd0f379c56c0b513bb9fb1256836cd6fb0c8a858eb6ff0e95791714

SHA512
63a24bdb4171d72fc27f898059d0dc859222d65c03d892f29b3dd9ef4fdd7ed25473e05646a220d85f926fb85ab5dc48e303dc59ab4750753ff3479e9b04243c

Download Submit
C:\Windows\{DBCEF292-8BE2-474f-A306-9F40F3582956}.exe

Filesize
180KB

MD5
fd0001db29d8b74d28670c21e4fd228d

SHA1
5ecdb235d5d10dbcba912cd6ef51731ab6d358d4

SHA256
7b28dd78919220fddff0b740b4c7fcf8d5c7d40ace311b2d0fdb38bf252eea72

SHA512
b1f7f41b5ea0b09a606aae9f79b8684ad67ea3b98b10850d842e4c925e8ee1be362f405e149d13295166d4ef6e752e7d8c504ed57567ab95d4594cc6db5eacd6

Download Submit
C:\Windows\{E293996D-74F9-4e95-9B37-1A2765C6BC46}.exe

Filesize
180KB

MD5
0f8261bdb8ce7649480018bc240cb93d

SHA1
ae2211b83c16a2638d38bb83e2629d580978c61f

SHA256
5019d9a6c8fba35b6dc2e2d8f743cbf7db301e5884c99369c32ecb5c8497f629

SHA512
90cdf4dc601ce4462e908f2cbc1039fd350eb0597f9ce4a9573889569c9aa442f246fe0b6b32b36d3cd2f98ee3250a541ac1d73f76851353347610df74422b32

Download Submit
C:\Windows\{EE35ED8C-21DB-41a9-84D3-D4F5CE188F36}.exe

Filesize
180KB

MD5
86c2955b18b8c96d1375a7524891b0e5

SHA1
096400397ff3674019525aab8b8d9063830ff202

SHA256
a2ca4f0a8882aaed667195534ce93b706213346f082ecd2661d3125a43c9e478

SHA512
c2e73b65f8da2fb8bd42665b5009a9f67b6adf5c587ef86128bcebe45ba05a3a9b87f03ed1b5057febab6fca40cf8c0d50cc852ea501c618ee226a626337c784

Download Submit
C:\Windows\{FF1BE59C-CBC5-4168-85E9-40CFACB1F622}.exe

Filesize
180KB

MD5
2cccad346caedc754301b0c1e9e00481

SHA1
fc27f287b8e8d2dbc019c59acca85314b43399b9

SHA256
456cece53bc7b9db5fc7b9065500a62948e963d3c422d7b4794c209ac085657e

SHA512
1e9eda1b4d46c8cba680af798c92a9795164b277001bb0f7d5ce6e967318d7b1ee67307b893af365be335abe9bfaf6de7454e6d256088fe17adb9cdaa1e6945b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads