09fb6aa3befdf3ea62500981ac68f7f6abc9ed49af17e3a10307a973578b178f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Size

408KB
MD5

2f57e2372c83a7f62aa6addd709749fb
SHA1

6ed1941fd03305bb6f1e8301d0c26c609a166525
SHA256

09fb6aa3befdf3ea62500981ac68f7f6abc9ed49af17e3a10307a973578b178f
SHA512

5df017c3b634c8cd37c5637e4504e94da51509c55068bdc468a94abc94679bdb04e4e9afa588057db9fb180911d28a46e3838cc0f181aafc73b50d58e6d0d739
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGaldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002323d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023247-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002324d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023247-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021681-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c58-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D7C3A54-5752-4580-B7B0-FC277E4D5418}	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}\stubpath = "C:\\Windows\\{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe"	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D085200-F7B7-4214-AF00-4192B3BA811E}	{31AF476C-FF86-4504-A136-64218911DC33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1559F626-FB19-4c41-A4F8-81B210E8EF56}	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}\stubpath = "C:\\Windows\\{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe"	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}\stubpath = "C:\\Windows\\{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe"	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D7C3A54-5752-4580-B7B0-FC277E4D5418}\stubpath = "C:\\Windows\\{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe"	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31AF476C-FF86-4504-A136-64218911DC33}\stubpath = "C:\\Windows\\{31AF476C-FF86-4504-A136-64218911DC33}.exe"	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064D2B39-D6EA-48bb-A07A-743C78794EC3}	{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31AF476C-FF86-4504-A136-64218911DC33}	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D085200-F7B7-4214-AF00-4192B3BA811E}\stubpath = "C:\\Windows\\{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe"	{31AF476C-FF86-4504-A136-64218911DC33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1559F626-FB19-4c41-A4F8-81B210E8EF56}\stubpath = "C:\\Windows\\{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe"	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}\stubpath = "C:\\Windows\\{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe"	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064D2B39-D6EA-48bb-A07A-743C78794EC3}\stubpath = "C:\\Windows\\{064D2B39-D6EA-48bb-A07A-743C78794EC3}.exe"	{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}\stubpath = "C:\\Windows\\{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe"	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}\stubpath = "C:\\Windows\\{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe"	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}\stubpath = "C:\\Windows\\{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe"	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe
4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe
1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe
1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe
1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe
3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe
2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe
4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe
4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe
4320	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe
1464	{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe
3632	{064D2B39-D6EA-48bb-A07A-743C78794EC3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{31AF476C-FF86-4504-A136-64218911DC33}.exe	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe
File created	C:\Windows\{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe	{31AF476C-FF86-4504-A136-64218911DC33}.exe
File created	C:\Windows\{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe
File created	C:\Windows\{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe
File created	C:\Windows\{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe
File created	C:\Windows\{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe
File created	C:\Windows\{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe
File created	C:\Windows\{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe
File created	C:\Windows\{064D2B39-D6EA-48bb-A07A-743C78794EC3}.exe	{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe
File created	C:\Windows\{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
File created	C:\Windows\{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe
File created	C:\Windows\{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4616	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe
Token: SeIncBasePriorityPrivilege	4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe
Token: SeIncBasePriorityPrivilege	1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe
Token: SeIncBasePriorityPrivilege	1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe
Token: SeIncBasePriorityPrivilege	1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe
Token: SeIncBasePriorityPrivilege	3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe
Token: SeIncBasePriorityPrivilege	2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe
Token: SeIncBasePriorityPrivilege	4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe
Token: SeIncBasePriorityPrivilege	4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe
Token: SeIncBasePriorityPrivilege	4320	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe
Token: SeIncBasePriorityPrivilege	1464	{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4060	4616	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	88
PID 4616 wrote to memory of 4060	4616	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	88
PID 4616 wrote to memory of 4060	4616	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	88
PID 4616 wrote to memory of 3480	4616	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	89
PID 4616 wrote to memory of 3480	4616	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	89
PID 4616 wrote to memory of 3480	4616	2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe	89
PID 4060 wrote to memory of 4552	4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe	93
PID 4060 wrote to memory of 4552	4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe	93
PID 4060 wrote to memory of 4552	4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe	93
PID 4060 wrote to memory of 5032	4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe	94
PID 4060 wrote to memory of 5032	4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe	94
PID 4060 wrote to memory of 5032	4060	{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe	94
PID 4552 wrote to memory of 1792	4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe	97
PID 4552 wrote to memory of 1792	4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe	97
PID 4552 wrote to memory of 1792	4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe	97
PID 4552 wrote to memory of 4004	4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe	96
PID 4552 wrote to memory of 4004	4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe	96
PID 4552 wrote to memory of 4004	4552	{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe	96
PID 1792 wrote to memory of 1616	1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe	98
PID 1792 wrote to memory of 1616	1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe	98
PID 1792 wrote to memory of 1616	1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe	98
PID 1792 wrote to memory of 3592	1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe	99
PID 1792 wrote to memory of 3592	1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe	99
PID 1792 wrote to memory of 3592	1792	{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe	99
PID 1616 wrote to memory of 1716	1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe	100
PID 1616 wrote to memory of 1716	1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe	100
PID 1616 wrote to memory of 1716	1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe	100
PID 1616 wrote to memory of 4432	1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe	101
PID 1616 wrote to memory of 4432	1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe	101
PID 1616 wrote to memory of 4432	1616	{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe	101
PID 1716 wrote to memory of 3160	1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe	102
PID 1716 wrote to memory of 3160	1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe	102
PID 1716 wrote to memory of 3160	1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe	102
PID 1716 wrote to memory of 4068	1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe	103
PID 1716 wrote to memory of 4068	1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe	103
PID 1716 wrote to memory of 4068	1716	{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe	103
PID 3160 wrote to memory of 2320	3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe	104
PID 3160 wrote to memory of 2320	3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe	104
PID 3160 wrote to memory of 2320	3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe	104
PID 3160 wrote to memory of 4460	3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe	105
PID 3160 wrote to memory of 4460	3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe	105
PID 3160 wrote to memory of 4460	3160	{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe	105
PID 2320 wrote to memory of 4820	2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe	106
PID 2320 wrote to memory of 4820	2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe	106
PID 2320 wrote to memory of 4820	2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe	106
PID 2320 wrote to memory of 1728	2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe	107
PID 2320 wrote to memory of 1728	2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe	107
PID 2320 wrote to memory of 1728	2320	{31AF476C-FF86-4504-A136-64218911DC33}.exe	107
PID 4820 wrote to memory of 4400	4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe	108
PID 4820 wrote to memory of 4400	4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe	108
PID 4820 wrote to memory of 4400	4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe	108
PID 4820 wrote to memory of 4404	4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe	109
PID 4820 wrote to memory of 4404	4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe	109
PID 4820 wrote to memory of 4404	4820	{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe	109
PID 4400 wrote to memory of 4320	4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe	110
PID 4400 wrote to memory of 4320	4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe	110
PID 4400 wrote to memory of 4320	4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe	110
PID 4400 wrote to memory of 1580	4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe	111
PID 4400 wrote to memory of 1580	4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe	111
PID 4400 wrote to memory of 1580	4400	{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe	111
PID 4320 wrote to memory of 1464	4320	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe	112
PID 4320 wrote to memory of 1464	4320	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe	112
PID 4320 wrote to memory of 1464	4320	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe	112
PID 4320 wrote to memory of 2984	4320	{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_2f57e2372c83a7f62aa6addd709749fb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe
  C:\Windows\{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe
    C:\Windows\{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1A7B~1.EXE > nul
      4⤵
      PID:4004
  - - C:\Windows\{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe
      C:\Windows\{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe
        
        C:\Windows\{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe
        
        C:\Windows\{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe
        
        C:\Windows\{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{31AF476C-FF86-4504-A136-64218911DC33}.exe
        
        C:\Windows\{31AF476C-FF86-4504-A136-64218911DC33}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe
        
        C:\Windows\{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe
        
        C:\Windows\{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe
        
        C:\Windows\{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe
        
        C:\Windows\{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{064D2B39-D6EA-48bb-A07A-743C78794EC3}.exe
        
        C:\Windows\{064D2B39-D6EA-48bb-A07A-743C78794EC3}.exe
        13⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAC2B~1.EXE > nul
        13⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1559F~1.EXE > nul
        12⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CACD~1.EXE > nul
        11⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D085~1.EXE > nul
        10⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31AF4~1.EXE > nul
        9⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE71F~1.EXE > nul
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE0FE~1.EXE > nul
        7⤵
        
        PID:4068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D7C3~1.EXE > nul
        6⤵
        
        PID:4432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8481~1.EXE > nul
        5⤵
        
        PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC6C4~1.EXE > nul
    3⤵
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{064D2B39-D6EA-48bb-A07A-743C78794EC3}.exe

Filesize
408KB

MD5
d0cc51c958db991d8b05d362235cbf64

SHA1
ec13a62601512d212dc7c05511f87e04a8730c6d

SHA256
d25d17f6909919e08dbed5796c99b79122d1edef4a49148097ade17e512f762e

SHA512
3e6991b90e0120349bd6d6a309c9dbd67a18b53f4abe15b5e1f576867ce322c8b520f3561d240bd2e6d0dfbc0cd9e57627c4c446d2c5e0224f35669163a361be

Download Submit
C:\Windows\{0D7C3A54-5752-4580-B7B0-FC277E4D5418}.exe

Filesize
408KB

MD5
0cef0d95756cc762a3b559ee22bb87cf

SHA1
cfb45b1fb36e82577755348dcfc98ca48fa633df

SHA256
56291b11bc8ee5e37bc4ddd9128b7499b82c8e379bb050ba7a816116a883ca6a

SHA512
9f3154c6b582c612469429e6eef1da05dd42184553d5e1e04140f861ff17d71180b5670e6df21ab17b3a59b62e7e9e23259b11f5dd215aaf5913c58fb6b3a139

Download Submit
C:\Windows\{1559F626-FB19-4c41-A4F8-81B210E8EF56}.exe

Filesize
408KB

MD5
57cc32be3c381596046765dcc2ec4876

SHA1
ad0f4d2563012aec044932d35eb3dadb5da77743

SHA256
905e02f7172ee23b11c7b7b2f21ff6fc02091189487403bd527f7a7e55dbc0ff

SHA512
5a7472990c063ecb82ebc0adc35fbbe30971ac4b62a3810b64db480ff895f461b1815647c5b7c473eea3955dfa118290ef9238299b9bf59bb2119e34c8906671

Download Submit
C:\Windows\{31AF476C-FF86-4504-A136-64218911DC33}.exe

Filesize
408KB

MD5
ae265fd1cc070bba5d5f5b36caa17615

SHA1
c1ba1ec1f200b3249418ae90545f371ba8003fca

SHA256
837da32cffcd3728d53229364feff72a2e3f177797420ecc15959632f472a0e3

SHA512
7ce35ada18f8be38d39e2cc836779c27571e60d7de1e110947afee8c8927b18a3de9c5626943a2099abd788b4ef615b74ab566873876d2ebf23de0deb088c98d

Download Submit
C:\Windows\{5D085200-F7B7-4214-AF00-4192B3BA811E}.exe

Filesize
408KB

MD5
c7b3fcd4fe13ae9fe673c4fa1310ab4f

SHA1
3aed747b5a08366983a7eac37062863b77d2d3c6

SHA256
83c56e698c253fc2e69d0c5542cde56e90d2aa15e27e6c46d725b486b81c44ad

SHA512
e5f55184b6ff0184720bd65582538dac676c637652555a8a5430457850929e958db3c5f3062225ba99d8a13575490c4ab11fb785bdc8f82356f9c2ef3abb1aba

Download Submit
C:\Windows\{9CACD054-8369-4e65-AE38-0DF0D7B7BBD9}.exe

Filesize
408KB

MD5
0ba14a37574f3a22a9e2964d3518f7b0

SHA1
cbb838b158ebfd7d5cdc416d4b417505e55b437a

SHA256
fb7aaa687deb334f0912e4e911bbab10f64086879154c9b96bc3738e45ba4ed8

SHA512
31675026c2e3ce5d8bc7c09cd71f62bc909a8881c8c31406fe27c1183148c8822f952e08f7a8e924f83fc3f721b1a0bb34faf479853556b89480452d23d4552f

Download Submit
C:\Windows\{AC6C4C2B-7DB0-464a-B234-1B09E63DD1D0}.exe

Filesize
408KB

MD5
c3f98dec88c2603320198560b58cfba6

SHA1
85f99e63d8ea52291c96a0f526918fa2b338f11f

SHA256
268fe57583a5dccd4c8e4b9cc5a023c4e410964eff37d2fc8da2d60ff5e4ef49

SHA512
d330a4fff573902484b6f97303191994f748d9e7914098975e6b219c3af84282ae14983765b4bc13e388f233b29576d1333f3f54ebec4521e56b55b2849f2a06

Download Submit
C:\Windows\{BAC2BEEC-DA22-4153-9D50-8AC72362D44F}.exe

Filesize
408KB

MD5
86fb53b635d48d51812c2de89ac6fbad

SHA1
06f7ec4274e324c8df94e956d86d60b12f9580e6

SHA256
829f96123f60b85d86ccb62edaf701744954c8051ea200e0141ea7e22190cedc

SHA512
8ccafd1d420067b7b38464fb175e45a61147bf39af61b0dd1919b5e1b3cc3b74e6da5ec6ef27649082a9c84b2960170cb633182a4322683222fc2749bd8c9338

Download Submit
C:\Windows\{C1A7BD26-6CA9-40fb-A8EB-0C5588195256}.exe

Filesize
408KB

MD5
9f2a9e16c42c556c9b5c90d18161f295

SHA1
ddd25c90778a0c1919214d7feda90b5b44d8b563

SHA256
4985177f042960172e9e94af16f2a26a8ab9ed109ce665c4af189a3c5f7d5511

SHA512
1bca1e87fbf9e75176cf76e1097337fb2a1aff92078f96ba813646e217b5dc0a4ac0acd59947c70386736ec972f80d7359d4956faa63c1cf32c50d63c7badcac

Download Submit
C:\Windows\{D8481D7A-AB0A-4a6a-AEF0-87E08489E3DD}.exe

Filesize
408KB

MD5
0e82a302ee4ff0ac6ff94a5ff8f9f6c0

SHA1
271ffb983b479ebaed767aa16e152e7f0017c487

SHA256
ada186209327014c34edf69b9fd53d9a1abcdaef5ed942d1afd75903515fa7ad

SHA512
0e9b746455c03d2c19850603d5b18edfe9b3b1dec4f550f53b3c9e41df4bb171f53a687f7bf65290d205a745ddcbd9856561280c59b21d84a2b3ec21465215e4

Download Submit
C:\Windows\{DE71F641-46CD-4c82-90F2-EC4BACFA7A7B}.exe

Filesize
408KB

MD5
ff968480de077b84fe5bf82d81f06251

SHA1
29d441d5e2ae7902e4df62a1af7e015b0c8963a1

SHA256
92d4a9ba126b232b63bb2eda4aa4307693d291643962846224489b99bd8bd655

SHA512
310afa5d3678c21cf9bfb79b5ea1e4575e1e48d2488940d0ab3edc11b5bbe50528fee5608f5897841b20a10b310407edcf7e360df83af261eab5bd0eb17e70f4

Download Submit
C:\Windows\{EE0FEB20-5190-4740-BD3C-63BA3E75E4E9}.exe

Filesize
408KB

MD5
aa018a7ced49abfa7782af57085fc913

SHA1
007beb2e2487faa867ff69412bc239df712047b1

SHA256
0d0702ad0e0573a5525ea846175fc298794d176933bd5b273643362747b9570b

SHA512
47717b2ddbd1fff595040f2af287a2ceebc7e5103e49a751e5355cb2e071d24f16631b63eadf85998c2452e36c9f4a576680acd9608dac00c5dc2257d7653740

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads