088e03e610949c10112e06f70e88ce44ca738204ceeea16c6bcf3cb8f3c66da3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Size

372KB
MD5

34659c8136b568e9b09b6716181f2edc
SHA1

d002b98ad28a4719fb8770bcee5a3061c6ff88f6
SHA256

088e03e610949c10112e06f70e88ce44ca738204ceeea16c6bcf3cb8f3c66da3
SHA512

f873258844bac659a589d9eee0a6b2ec582e8ca00aac5dca13c51249711315e23c1f82610534b9d4a7b4c1180fe095be2e5e9c5d4dd603cf6d7e8fdc9f6e7422
SSDEEP

3072:CEGh0oClMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG0lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e354-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e354-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e354-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{114EB80A-E70D-4205-98A0-4BAFF52B2B34}	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}\stubpath = "C:\\Windows\\{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe"	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{944D0EF5-C502-4827-B7AC-D64310E7FDDC}	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC893D7A-D0A7-4771-9188-370A520A9E2D}	{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}\stubpath = "C:\\Windows\\{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe"	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}\stubpath = "C:\\Windows\\{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe"	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDADB1D-79FE-4704-A516-C9382D13045D}\stubpath = "C:\\Windows\\{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe"	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}\stubpath = "C:\\Windows\\{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe"	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{114EB80A-E70D-4205-98A0-4BAFF52B2B34}\stubpath = "C:\\Windows\\{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe"	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49A5F3A0-C318-4d9a-873C-2767E7B085EA}	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49A5F3A0-C318-4d9a-873C-2767E7B085EA}\stubpath = "C:\\Windows\\{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe"	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}\stubpath = "C:\\Windows\\{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe"	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DDADB1D-79FE-4704-A516-C9382D13045D}	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}\stubpath = "C:\\Windows\\{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe"	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{944D0EF5-C502-4827-B7AC-D64310E7FDDC}\stubpath = "C:\\Windows\\{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe"	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}\stubpath = "C:\\Windows\\{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe"	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC893D7A-D0A7-4771-9188-370A520A9E2D}\stubpath = "C:\\Windows\\{EC893D7A-D0A7-4771-9188-370A520A9E2D}.exe"	{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe

Executes dropped EXE 12 IoCs

pid	Process
2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe
1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe
2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe
2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe
2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe
3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe
4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe
556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe
3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe
4628	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe
1960	{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe
4668	{EC893D7A-D0A7-4771-9188-370A520A9E2D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe
File created	C:\Windows\{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe
File created	C:\Windows\{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe
File created	C:\Windows\{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe
File created	C:\Windows\{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe
File created	C:\Windows\{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe
File created	C:\Windows\{EC893D7A-D0A7-4771-9188-370A520A9E2D}.exe	{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe
File created	C:\Windows\{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
File created	C:\Windows\{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe
File created	C:\Windows\{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe
File created	C:\Windows\{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe
File created	C:\Windows\{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4668	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe
Token: SeIncBasePriorityPrivilege	1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe
Token: SeIncBasePriorityPrivilege	2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe
Token: SeIncBasePriorityPrivilege	2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe
Token: SeIncBasePriorityPrivilege	2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe
Token: SeIncBasePriorityPrivilege	3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe
Token: SeIncBasePriorityPrivilege	4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe
Token: SeIncBasePriorityPrivilege	556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe
Token: SeIncBasePriorityPrivilege	3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe
Token: SeIncBasePriorityPrivilege	4628	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe
Token: SeIncBasePriorityPrivilege	1960	{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2144	4668	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	89
PID 4668 wrote to memory of 2144	4668	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	89
PID 4668 wrote to memory of 2144	4668	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	89
PID 4668 wrote to memory of 2120	4668	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	90
PID 4668 wrote to memory of 2120	4668	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	90
PID 4668 wrote to memory of 2120	4668	2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe	90
PID 2144 wrote to memory of 1512	2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe	93
PID 2144 wrote to memory of 1512	2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe	93
PID 2144 wrote to memory of 1512	2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe	93
PID 2144 wrote to memory of 1100	2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe	94
PID 2144 wrote to memory of 1100	2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe	94
PID 2144 wrote to memory of 1100	2144	{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe	94
PID 1512 wrote to memory of 2456	1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe	96
PID 1512 wrote to memory of 2456	1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe	96
PID 1512 wrote to memory of 2456	1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe	96
PID 1512 wrote to memory of 4892	1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe	97
PID 1512 wrote to memory of 4892	1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe	97
PID 1512 wrote to memory of 4892	1512	{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe	97
PID 2456 wrote to memory of 2248	2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe	98
PID 2456 wrote to memory of 2248	2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe	98
PID 2456 wrote to memory of 2248	2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe	98
PID 2456 wrote to memory of 1028	2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe	99
PID 2456 wrote to memory of 1028	2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe	99
PID 2456 wrote to memory of 1028	2456	{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe	99
PID 2248 wrote to memory of 2428	2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe	100
PID 2248 wrote to memory of 2428	2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe	100
PID 2248 wrote to memory of 2428	2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe	100
PID 2248 wrote to memory of 2968	2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe	101
PID 2248 wrote to memory of 2968	2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe	101
PID 2248 wrote to memory of 2968	2248	{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe	101
PID 2428 wrote to memory of 3252	2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe	102
PID 2428 wrote to memory of 3252	2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe	102
PID 2428 wrote to memory of 3252	2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe	102
PID 2428 wrote to memory of 572	2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe	103
PID 2428 wrote to memory of 572	2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe	103
PID 2428 wrote to memory of 572	2428	{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe	103
PID 3252 wrote to memory of 4720	3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe	104
PID 3252 wrote to memory of 4720	3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe	104
PID 3252 wrote to memory of 4720	3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe	104
PID 3252 wrote to memory of 4296	3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe	105
PID 3252 wrote to memory of 4296	3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe	105
PID 3252 wrote to memory of 4296	3252	{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe	105
PID 4720 wrote to memory of 556	4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe	106
PID 4720 wrote to memory of 556	4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe	106
PID 4720 wrote to memory of 556	4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe	106
PID 4720 wrote to memory of 1964	4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe	107
PID 4720 wrote to memory of 1964	4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe	107
PID 4720 wrote to memory of 1964	4720	{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe	107
PID 556 wrote to memory of 3948	556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe	108
PID 556 wrote to memory of 3948	556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe	108
PID 556 wrote to memory of 3948	556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe	108
PID 556 wrote to memory of 2676	556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe	109
PID 556 wrote to memory of 2676	556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe	109
PID 556 wrote to memory of 2676	556	{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe	109
PID 3948 wrote to memory of 4628	3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe	110
PID 3948 wrote to memory of 4628	3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe	110
PID 3948 wrote to memory of 4628	3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe	110
PID 3948 wrote to memory of 644	3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe	111
PID 3948 wrote to memory of 644	3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe	111
PID 3948 wrote to memory of 644	3948	{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe	111
PID 4628 wrote to memory of 1960	4628	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe	112
PID 4628 wrote to memory of 1960	4628	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe	112
PID 4628 wrote to memory of 1960	4628	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe	112
PID 4628 wrote to memory of 1984	4628	{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_34659c8136b568e9b09b6716181f2edc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe
  C:\Windows\{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe
    C:\Windows\{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe
      C:\Windows\{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe
        
        C:\Windows\{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe
        
        C:\Windows\{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe
        
        C:\Windows\{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe
        
        C:\Windows\{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe
        
        C:\Windows\{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe
        
        C:\Windows\{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe
        
        C:\Windows\{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe
        
        C:\Windows\{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{EC893D7A-D0A7-4771-9188-370A520A9E2D}.exe
        
        C:\Windows\{EC893D7A-D0A7-4771-9188-370A520A9E2D}.exe
        13⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{114EB~1.EXE > nul
        13⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BECC8~1.EXE > nul
        12⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE4D~1.EXE > nul
        11⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49A5F~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{944D0~1.EXE > nul
        9⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DDAD~1.EXE > nul
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A9A6~1.EXE > nul
        7⤵
        
        PID:572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52AC8~1.EXE > nul
        6⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06771~1.EXE > nul
        5⤵
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1FD2B~1.EXE > nul
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CC76B~1.EXE > nul
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06771C43-51F1-4d7f-9FC4-F7F3947C59D2}.exe

Filesize
372KB

MD5
649af8ccb777bc35cc165361ea539bc9

SHA1
4768de0aa968117c2e4d77282ef6aa11b058462b

SHA256
8789dd2ada929a37f12873fc4f42c74943bb1b60ebf4213e4d0e6e25639b8e00

SHA512
f2690706112bcb60fe738866c868f2415c9ca38f714e03a40e39113763674fafd1f4593779328a85ebd9b5609e75209319a4175e7084f30f159e4ec895affb3d

Download Submit
C:\Windows\{114EB80A-E70D-4205-98A0-4BAFF52B2B34}.exe

Filesize
372KB

MD5
03dc661b3cbce334fce4eb4d933c0ba4

SHA1
1c0eb88b892c793fd8755710cd7d9dd32fdf0d2b

SHA256
44be57b3c1b09bb9f728549a6fcf5ce77e91ba6aaaa7ef5f5e92cb4a3eb03351

SHA512
6d1d865bf10e915a4f73eed4d95d67f332a996a9599f11628979eec0fb283df203b157834341340f2883ff958222b99d679fcc3208046d019107976af3c55088

Download Submit
C:\Windows\{1FD2BBB0-45F3-4bc6-80EF-2EFAA2248EF7}.exe

Filesize
372KB

MD5
e7ca31641393030771a8f288d6109263

SHA1
2c2f551d4dac270b1e0d926d4607a5b6c4d37890

SHA256
b6dcf3e524f521c99c6ee8bde7dfb0bf7a4b3f5c66b21c8e0a89378e139e45ba

SHA512
2c73651af7fe2bc00836e2204d3c377298c490285bdb864b7ad9c8383e02dd0aec193fed07f32b5ff36216692bcf214f57b7175862442c72b4a47afecec47d7c

Download Submit
C:\Windows\{2A9A6BCF-324C-411a-88F0-74E4AA0DA294}.exe

Filesize
372KB

MD5
a2f1446102ae9ac7f3fe2c2c195d2b16

SHA1
a0a1d3d1c9af266aa53262ff0b815192dfd84ac7

SHA256
95bef845ef03844f4f10dbe0ba48b997bccad13cfa16578b40a51457d0aa90ee

SHA512
62d465420bcf833173f5eb082514a17e34b33f46c606da36214dd4cbe30d801bcbac8b90283812b97991a11cbe46b7faa0d50890d4f8cfc626a4bb639a49f4d5

Download Submit
C:\Windows\{2BE4D804-C93D-4bd8-B5F5-2B69235FFEE1}.exe

Filesize
372KB

MD5
26bcb8a5e47b1ca38c1f9a0fd258b339

SHA1
92e583049277a8dadbd0b73dd11a16d476e0bfe6

SHA256
42dde2409bc19592601124124507f4b2dfcd89afb4960f4865c5a0437cfbd959

SHA512
7d73d3cef9b68f54fb763f24a1a7b2198d3bb885a9f964bf3296674107c4430232d298065f7639ff95fed6677a4fd42adbab704c20878e01ffb2c439b49fd475

Download Submit
C:\Windows\{49A5F3A0-C318-4d9a-873C-2767E7B085EA}.exe

Filesize
372KB

MD5
330e1767a08324607813372d36925609

SHA1
d241fc6353a3b7742669891d17d35d57b4ca5d30

SHA256
2857d819b2e235632d42fa804b60284dfe4656473500062ce33c3d811e617847

SHA512
d3311740c89cc345d7abd49ee78521c0397bed21734a2b355b1f3fadbb3d212d871151d3765cfdfbff72f1f4cd425b872a2b62bf7b1482e2ef815c345692ed56

Download Submit
C:\Windows\{4DDADB1D-79FE-4704-A516-C9382D13045D}.exe

Filesize
372KB

MD5
0b7e26f72654e7805a648e0e1379d4ef

SHA1
4d75f1e9e358dd5d8254f00fce45a8fee5782196

SHA256
03f0d178750f90e7c739ee26ba2363cefd984e4d61a09dc3627bb5666bd02990

SHA512
ee8b3e5b422360a3f43a777e6f735dd4b4b68c228c44f31958b1e2f922883a2abd3c73054708d01f673e5be4e97aab84397c717c1aa0cb97f1b4075dc0722775

Download Submit
C:\Windows\{52AC8D6D-300C-4ca1-B4CE-CEB62A3E8794}.exe

Filesize
372KB

MD5
b6d74f65626bb543247c511f03c543d6

SHA1
013019efdc9813ca194a653cc5fa94eb01b4bd09

SHA256
8af2b8941a6d3eb487c660fe64c12878aafaf2e7fbd5fad23903e819de503557

SHA512
be76baaca616c35c72f51135d0dfbe735706459d26062d578c41ca7eca8a0a8a294744ecafb219722fbadbab7097d64f5d19539780fb141c3b18fa1d0cd54aed

Download Submit
C:\Windows\{944D0EF5-C502-4827-B7AC-D64310E7FDDC}.exe

Filesize
372KB

MD5
87ce873908ae89714fad38e736448373

SHA1
432224465881e5c987d212afea4f290c8d2a50e7

SHA256
f3981a8d9140e4dadb30fd2e84641f7b0d71463cf1265ef5494346669c2f6248

SHA512
c79539cf9df6453e5ce079228484b890ffafbbba05ac2a0f7d4424505de915a25eb973514c26b6ae3e6aae5f97866956618f8181c75ab69d58df3b9c4fc60a22

Download Submit
C:\Windows\{BECC86BA-8333-42d6-A48D-EB386A1DB0C8}.exe

Filesize
372KB

MD5
fe7d52993c1e69e191e2f581cb449e07

SHA1
b6ff8d9d092b86be9b2fdde70a931381834ced0c

SHA256
f158c6426f5c70135b7af1478302ec1f6a9039b8ec7fbbba57f8780831208e36

SHA512
c79355d954206dc730adda2838ae2d3086c9d3fdd8f96e4e2bd5c7db204e1686789d5bd59b318bd99612ca8976792bfe49634a20a20cc37deaf5af43826283dd

Download Submit
C:\Windows\{CC76BB01-5460-46d9-AAD5-E5A4739DE86E}.exe

Filesize
372KB

MD5
5961357499dac21f4cfaeb279d6ab4db

SHA1
71c60140e0bad016091e84dbcbba8a2d8d1cef68

SHA256
ba543a88266923977b6433c96c996d844b637395754af58298b10e81e1b8f22d

SHA512
a1e324044008f1a387809441b902b4ad25efb492cc17b9457685abd1fd011044cab56dac6b7faa17a0f6173619641576176d0707989941dba12040f4df996979

Download Submit
C:\Windows\{EC893D7A-D0A7-4771-9188-370A520A9E2D}.exe

Filesize
372KB

MD5
7fc27b4bd25c8fc38d729d123fd525ac

SHA1
5d2073c72521f4562c293e5b442b6c8784febb3a

SHA256
15ede92a9b72f06ca14d9be8d92bbe37a9fb48b8a17e5a7fc40d88e601fa498c

SHA512
afa0655e5283baeba6c90e4e24a0b53f8ca6ecd82f109b02e7914b0d236d312d2cc0775844182cee657d52a85dfa55f0d7bb0ceeed450b9e20ca13986e8f61e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads