bd2cba23cec112cae45f61c1f762a668a776f60ad1935cfedf425df2e034ba7f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Size

408KB
MD5

60a6673391cc62d419422fed3451d48d
SHA1

7333a968cf44eeccb4d6487313f8c8977f158e68
SHA256

bd2cba23cec112cae45f61c1f762a668a776f60ad1935cfedf425df2e034ba7f
SHA512

f6fe7e4a1686a5222a103026e799dcde552763d25080ff20ba365679f3833d2920b766fb3a697685dec75bebd04e18c43443b678d3c45c9a831f749042df44a7
SSDEEP

3072:CEGh0oGl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023229-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002310b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023237-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002310b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73D19586-083D-4ada-B3A6-2F27E3F52C61}	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73D19586-083D-4ada-B3A6-2F27E3F52C61}\stubpath = "C:\\Windows\\{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe"	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}\stubpath = "C:\\Windows\\{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe"	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3128E92B-A74F-4030-A73C-C2AC1BF7A616}	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{977A25EF-8709-4d30-8CD5-721A04AB3F2F}\stubpath = "C:\\Windows\\{977A25EF-8709-4d30-8CD5-721A04AB3F2F}.exe"	{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C03F70-531D-4690-AC5C-994E686E503E}\stubpath = "C:\\Windows\\{44C03F70-531D-4690-AC5C-994E686E503E}.exe"	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356F5816-24E8-4845-A953-FC4C07A281A1}\stubpath = "C:\\Windows\\{356F5816-24E8-4845-A953-FC4C07A281A1}.exe"	{44C03F70-531D-4690-AC5C-994E686E503E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}\stubpath = "C:\\Windows\\{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe"	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}\stubpath = "C:\\Windows\\{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe"	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{024A765B-2CDA-4a4c-9BAA-BA98D4286609}	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{024A765B-2CDA-4a4c-9BAA-BA98D4286609}\stubpath = "C:\\Windows\\{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe"	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{977A25EF-8709-4d30-8CD5-721A04AB3F2F}	{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C03F70-531D-4690-AC5C-994E686E503E}	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356F5816-24E8-4845-A953-FC4C07A281A1}	{44C03F70-531D-4690-AC5C-994E686E503E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}\stubpath = "C:\\Windows\\{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe"	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}\stubpath = "C:\\Windows\\{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe"	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}\stubpath = "C:\\Windows\\{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe"	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3128E92B-A74F-4030-A73C-C2AC1BF7A616}\stubpath = "C:\\Windows\\{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe"	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe
3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe
1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe
3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe
4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe
2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe
4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe
1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe
1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe
2428	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe
4360	{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe
4972	{977A25EF-8709-4d30-8CD5-721A04AB3F2F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe
File created	C:\Windows\{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe
File created	C:\Windows\{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
File created	C:\Windows\{356F5816-24E8-4845-A953-FC4C07A281A1}.exe	{44C03F70-531D-4690-AC5C-994E686E503E}.exe
File created	C:\Windows\{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe
File created	C:\Windows\{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe
File created	C:\Windows\{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe
File created	C:\Windows\{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe
File created	C:\Windows\{44C03F70-531D-4690-AC5C-994E686E503E}.exe	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe
File created	C:\Windows\{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe
File created	C:\Windows\{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe
File created	C:\Windows\{977A25EF-8709-4d30-8CD5-721A04AB3F2F}.exe	{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2560	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe
Token: SeIncBasePriorityPrivilege	3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe
Token: SeIncBasePriorityPrivilege	1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe
Token: SeIncBasePriorityPrivilege	3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe
Token: SeIncBasePriorityPrivilege	4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe
Token: SeIncBasePriorityPrivilege	2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe
Token: SeIncBasePriorityPrivilege	4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe
Token: SeIncBasePriorityPrivilege	1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe
Token: SeIncBasePriorityPrivilege	1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe
Token: SeIncBasePriorityPrivilege	2428	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe
Token: SeIncBasePriorityPrivilege	4360	{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 3284	2560	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	89
PID 2560 wrote to memory of 3284	2560	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	89
PID 2560 wrote to memory of 3284	2560	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	89
PID 2560 wrote to memory of 468	2560	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	90
PID 2560 wrote to memory of 468	2560	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	90
PID 2560 wrote to memory of 468	2560	2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe	90
PID 3284 wrote to memory of 3688	3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe	93
PID 3284 wrote to memory of 3688	3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe	93
PID 3284 wrote to memory of 3688	3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe	93
PID 3284 wrote to memory of 4644	3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe	94
PID 3284 wrote to memory of 4644	3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe	94
PID 3284 wrote to memory of 4644	3284	{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe	94
PID 3688 wrote to memory of 1620	3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe	96
PID 3688 wrote to memory of 1620	3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe	96
PID 3688 wrote to memory of 1620	3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe	96
PID 3688 wrote to memory of 624	3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe	97
PID 3688 wrote to memory of 624	3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe	97
PID 3688 wrote to memory of 624	3688	{44C03F70-531D-4690-AC5C-994E686E503E}.exe	97
PID 1620 wrote to memory of 3248	1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe	98
PID 1620 wrote to memory of 3248	1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe	98
PID 1620 wrote to memory of 3248	1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe	98
PID 1620 wrote to memory of 3360	1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe	99
PID 1620 wrote to memory of 3360	1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe	99
PID 1620 wrote to memory of 3360	1620	{356F5816-24E8-4845-A953-FC4C07A281A1}.exe	99
PID 3248 wrote to memory of 4812	3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe	100
PID 3248 wrote to memory of 4812	3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe	100
PID 3248 wrote to memory of 4812	3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe	100
PID 3248 wrote to memory of 2384	3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe	101
PID 3248 wrote to memory of 2384	3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe	101
PID 3248 wrote to memory of 2384	3248	{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe	101
PID 4812 wrote to memory of 2420	4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe	102
PID 4812 wrote to memory of 2420	4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe	102
PID 4812 wrote to memory of 2420	4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe	102
PID 4812 wrote to memory of 1868	4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe	103
PID 4812 wrote to memory of 1868	4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe	103
PID 4812 wrote to memory of 1868	4812	{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe	103
PID 2420 wrote to memory of 4816	2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe	105
PID 2420 wrote to memory of 4816	2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe	105
PID 2420 wrote to memory of 4816	2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe	105
PID 2420 wrote to memory of 3088	2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe	104
PID 2420 wrote to memory of 3088	2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe	104
PID 2420 wrote to memory of 3088	2420	{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe	104
PID 4816 wrote to memory of 1340	4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe	106
PID 4816 wrote to memory of 1340	4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe	106
PID 4816 wrote to memory of 1340	4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe	106
PID 4816 wrote to memory of 4280	4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe	107
PID 4816 wrote to memory of 4280	4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe	107
PID 4816 wrote to memory of 4280	4816	{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe	107
PID 1340 wrote to memory of 1932	1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe	108
PID 1340 wrote to memory of 1932	1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe	108
PID 1340 wrote to memory of 1932	1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe	108
PID 1340 wrote to memory of 224	1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe	109
PID 1340 wrote to memory of 224	1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe	109
PID 1340 wrote to memory of 224	1340	{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe	109
PID 1932 wrote to memory of 2428	1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe	110
PID 1932 wrote to memory of 2428	1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe	110
PID 1932 wrote to memory of 2428	1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe	110
PID 1932 wrote to memory of 412	1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe	111
PID 1932 wrote to memory of 412	1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe	111
PID 1932 wrote to memory of 412	1932	{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe	111
PID 2428 wrote to memory of 4360	2428	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe	112
PID 2428 wrote to memory of 4360	2428	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe	112
PID 2428 wrote to memory of 4360	2428	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe	112
PID 2428 wrote to memory of 2056	2428	{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_60a6673391cc62d419422fed3451d48d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe
  C:\Windows\{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\{44C03F70-531D-4690-AC5C-994E686E503E}.exe
    C:\Windows\{44C03F70-531D-4690-AC5C-994E686E503E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\{356F5816-24E8-4845-A953-FC4C07A281A1}.exe
      C:\Windows\{356F5816-24E8-4845-A953-FC4C07A281A1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe
        
        C:\Windows\{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
      - C:\Windows\{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe
        
        C:\Windows\{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe
        
        C:\Windows\{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DC74~1.EXE > nul
        8⤵
        
        PID:3088
        
        C:\Windows\{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe
        
        C:\Windows\{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe
        
        C:\Windows\{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe
        
        C:\Windows\{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe
        
        C:\Windows\{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe
        
        C:\Windows\{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\{977A25EF-8709-4d30-8CD5-721A04AB3F2F}.exe
        
        C:\Windows\{977A25EF-8709-4d30-8CD5-721A04AB3F2F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3128E~1.EXE > nul
        13⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{602BF~1.EXE > nul
        12⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{024A7~1.EXE > nul
        11⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE45~1.EXE > nul
        10⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73D19~1.EXE > nul
        9⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C4EA~1.EXE > nul
        7⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E21A~1.EXE > nul
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{356F5~1.EXE > nul
        5⤵
        
        PID:3360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{44C03~1.EXE > nul
      4⤵
      PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{96EEA~1.EXE > nul
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{024A765B-2CDA-4a4c-9BAA-BA98D4286609}.exe

Filesize
408KB

MD5
a04790dbf3a1d8dac0e5230e3bf3a335

SHA1
9c26d146a6fa3ff46a078f4ba261c06239288263

SHA256
7b2fe42c8c523bdc82d9f5e92c4b16ab69673d96d82f4185fe43b5a39619e0db

SHA512
bb631ef83728c8fb0a33764c1776e08dadc46f237a53a4b91142a286f8389aa565ef758682fca9912213285af3166e1a4ffde95a2fc7cd7e17bfbc20c63736ad

Download Submit
C:\Windows\{3128E92B-A74F-4030-A73C-C2AC1BF7A616}.exe

Filesize
408KB

MD5
7751cab1cbcc1883886e92804eabf8e6

SHA1
9a5e7326e3d7fbe783c72149f44f886a0965f59a

SHA256
3b30b22579dd65fdb07e480c0c8b3d96aa8500f18af72d444e54bd91fc1af58e

SHA512
6e208d21304472eecc1b64ee3544aa5d22cd98328b3f6ceda9a883abc9313d0f1562c0e26b27845f5a07691da802bba74f396f51fde85213c3c81f4c049549b6

Download Submit
C:\Windows\{356F5816-24E8-4845-A953-FC4C07A281A1}.exe

Filesize
408KB

MD5
eae71733e1621e31da1663f1a5c3e9ac

SHA1
e8bdf7fcea6974d61eb89a6df85fa17b543f985c

SHA256
c12ff403a2c03ef7129ac0a4dce580e2821ec1a28dbdfcb54f505248ee46a7fa

SHA512
d764c0aa9e218f44c0a52d716e2101acacc536b3080ed923e139bf28e179661de1435bd60c96d8c8c336df58d6f7a1546a74c8f1e78cd7509c4c07c6104a3dc0

Download Submit
C:\Windows\{44C03F70-531D-4690-AC5C-994E686E503E}.exe

Filesize
408KB

MD5
760a3f4c108b75431674f1b0ae6425e5

SHA1
aaa20d8f987bc6a5174b8c81f425f029933acccf

SHA256
e255d751a1a7e53342ebbe1a047cfb3563bbdbc34366bdc4751a9e699cd3aa69

SHA512
3c1cf9132de4b604cc20ed24f36ceb435eff90e69f44420ca7eeba97c85e7dcd6abd2278b04c615ad3bc8df66ddc163dc26153d34f25d8a24b804dd1c312f30d

Download Submit
C:\Windows\{5DC7415F-4B83-4f26-9F5A-0C8E75B774D3}.exe

Filesize
408KB

MD5
9808ea49d81d6c90e7097a0332ad7a39

SHA1
b00d7552464573c33b857e1c0532ec5f266fd434

SHA256
f3f1ace9d3fecbb260d6f5c48afc3005168f52cf8ea5b79a8b04e17771901b1d

SHA512
bbe0073292babd1a566878b8715895c61ef3d9401c4c7aeab96564288432bfe415f2868c1473c0b918410ff3223f11452e98ec94d09eee51d66fde005ea33051

Download Submit
C:\Windows\{602BF2D2-2BAE-459f-B0C8-F1CDCDAB31C4}.exe

Filesize
408KB

MD5
d109c7d44e4e9732fd526fd1b42a3daf

SHA1
4e7c29babc42d18a2646dc63a0766024ae440de1

SHA256
69af581428667ea1f025d75dfd981c1fdadfdb431c7853f33eb1fd84ed3b02f6

SHA512
813f5b60de4fc0b4a59f2680dbb639dcfb154bd61789b8e551d839b8a552c564db2fc056c79a917ac4e019f3fa99db4f3c5f895a075adf2dcaa4bcf5de0e66ba

Download Submit
C:\Windows\{6C4EAA8D-5E3E-4d5c-8F4F-BBB78BE01BF0}.exe

Filesize
408KB

MD5
36a6f509b7f463861b075a46e0ebcaf7

SHA1
564a3190d8959f1e22eed398027066f7b07fffdc

SHA256
aacc62edadb8876145ed54f9186fbbef4cf91b541642ab7e569cd6316fd8c988

SHA512
cbb6e68d9ec01befd076468893bc74ba9816e262dcd73067001084fee0cab83d63e2e2f65216bfd63ccef1bf5b98706dd7a712fd88bbe4f1ee98f9cae1955b08

Download Submit
C:\Windows\{6E21A7ED-7D5F-46d4-A0F0-4330EF36B008}.exe

Filesize
408KB

MD5
9d6bbbb7d23a35d07424e88439dbdb85

SHA1
f040ed369cb0e79099347679a0790de993f63824

SHA256
7598c5254d5c542e08ed91116847189106e3df467a529aa2cba1033fbaefbab0

SHA512
eca99079e5f11a131517b0625075691dbe1498d4d1c8a670877b5d432dda55f7952f987659c7c3af94c4b0d572941327c336e46dda3fddc3e9809b299169733f

Download Submit
C:\Windows\{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe

Filesize
211KB

MD5
adf9d00e23b84d511a24aab8abd02009

SHA1
c339b5f2cf756dfbd6597913c1bfd50f1251bbee

SHA256
0ab03873fb9b099f991de94d75b8b480da3d40f43b95d17248ba89ba0ce3d123

SHA512
d37b69207797a97a3a9e0233b5c5b775e4fb5d67cf322a756fe6a9b941427c0d34781e32adeaf1e636baf0ed47491fc2e504d4b4b3974f0736ab3b04e4ef4a29

Download Submit
C:\Windows\{73D19586-083D-4ada-B3A6-2F27E3F52C61}.exe

Filesize
249KB

MD5
ac0cc074e9b59702a97e0a3c9bb6824d

SHA1
15125fb95a4881d1022debd03dd9ebcc9306a3a2

SHA256
7d170fae7e84854a9b8b54ba60016b24ba7d6b70a1163f152f97e555e41904c8

SHA512
be35c8e4640d74aeeb21a955a0b806974a90b65df4e4355af0a915ff8b82e95a8e0e3328f7de01ea77c4af752831f5f84158ea30826e4d39976135ba7d25b937

Download Submit
C:\Windows\{96EEA430-D12D-4ce1-A0BF-53B8ACB6155F}.exe

Filesize
408KB

MD5
8bea164bc6e94a11d56cd222ce9e0bf4

SHA1
a321832ae0adb2daca5af8481cd2cb470f3b777f

SHA256
bb74d280ba4e6bc3d46adc59623a68566b2fcf955672f0b20089babdebef9d73

SHA512
9ceb6a82c1a1099e8a6e151d98a14b69191db4df93bba3e225866cc692d943259353c1a760ac8348500ed1f3eca0579d6248c1fd4d31ba8648432e461569b11e

Download Submit
C:\Windows\{977A25EF-8709-4d30-8CD5-721A04AB3F2F}.exe

Filesize
408KB

MD5
9f6fd7fd86f7210674d3bae2bdf255fc

SHA1
8d4e15dface8f0544e800eb3daf2284be98d4e1f

SHA256
0ed531e4e4ac1f5aa6a50f6fd0984313e0a28b43279eb119b5f7090c6afd7ded

SHA512
f5017e7ebf4e424db276a28e36a0b7c4f85227f2ee1f9281f861c870e967f5362d12d1f3413b938a3e86448275541d0cd10518102408a0dc72d8e083fdc13611

Download Submit
C:\Windows\{EEE4567E-B4B9-4e26-AE0E-FBA0D7603C9F}.exe

Filesize
408KB

MD5
d8a5ec6654cd4247931d650e9ef7690a

SHA1
d29b576a5bfd72f45872e2eea0ac0f6ecece9f96

SHA256
cc8ac65e32d9e3485be9cc20b5d95f5dc37d24d7c074388cfdfc738a3caabab9

SHA512
a748fd0fd20e30a16aebb63ed6ac514a5d1d28b78be81d9ccd123808228c2012814dab96f8218969e56772fbc9f01bee164efcd26c05ae542408be30223a3e00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads