151ebb2cb543bc2898fee0b38d7ddff345bd80a7471af00709fa80fef83ed764

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Size

180KB
MD5

fda654ae3da061bffb7acd922e0d424e
SHA1

c8e67241b4ff900a5acd417cf16228c8f6c42b55
SHA256

151ebb2cb543bc2898fee0b38d7ddff345bd80a7471af00709fa80fef83ed764
SHA512

4851fb7f8afe650e63fd9baa18812037ec73d6e4bc5349df38bb5d951b1236c8489fd7335cc9a30dade5da161dbe8ccdcc7ea2f1628b393b6e75799d63bdcf07
SSDEEP

3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGFl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023217-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db8d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023225-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001db8d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001db8d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57FBD05-F83A-44d8-A09A-DA684B04B037}\stubpath = "C:\\Windows\\{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe"	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E7E704-7E60-467a-BBCE-E7A04901E076}\stubpath = "C:\\Windows\\{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe"	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}	{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}\stubpath = "C:\\Windows\\{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe"	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5998C085-F49B-40a0-B2F5-447095AC0BA4}	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57FBD05-F83A-44d8-A09A-DA684B04B037}	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74D3239-27FD-4c66-98E2-D53CB6E891F0}	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BA438E7-50CA-47e6-89DD-F4EA020BA593}\stubpath = "C:\\Windows\\{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe"	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E7E704-7E60-467a-BBCE-E7A04901E076}	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F2218D-FDE3-46db-8395-A886547E0D26}	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707EE731-F959-45d5-A8D4-5FED609E8DFE}\stubpath = "C:\\Windows\\{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe"	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}\stubpath = "C:\\Windows\\{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}.exe"	{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}\stubpath = "C:\\Windows\\{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe"	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B74D3239-27FD-4c66-98E2-D53CB6E891F0}\stubpath = "C:\\Windows\\{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe"	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BA438E7-50CA-47e6-89DD-F4EA020BA593}	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707EE731-F959-45d5-A8D4-5FED609E8DFE}	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}\stubpath = "C:\\Windows\\{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe"	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5998C085-F49B-40a0-B2F5-447095AC0BA4}\stubpath = "C:\\Windows\\{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe"	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}\stubpath = "C:\\Windows\\{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe"	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F2218D-FDE3-46db-8395-A886547E0D26}\stubpath = "C:\\Windows\\{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe"	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe

Executes dropped EXE 12 IoCs

pid	Process
3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe
4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe
2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe
4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe
2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe
4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe
2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe
4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe
4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe
2412	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe
4460	{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe
412	{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe
File created	C:\Windows\{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe
File created	C:\Windows\{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe
File created	C:\Windows\{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}.exe	{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe
File created	C:\Windows\{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe
File created	C:\Windows\{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe
File created	C:\Windows\{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe
File created	C:\Windows\{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe
File created	C:\Windows\{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
File created	C:\Windows\{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe
File created	C:\Windows\{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe
File created	C:\Windows\{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4460	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe
Token: SeIncBasePriorityPrivilege	4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe
Token: SeIncBasePriorityPrivilege	2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe
Token: SeIncBasePriorityPrivilege	4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe
Token: SeIncBasePriorityPrivilege	2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe
Token: SeIncBasePriorityPrivilege	4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe
Token: SeIncBasePriorityPrivilege	2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe
Token: SeIncBasePriorityPrivilege	4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe
Token: SeIncBasePriorityPrivilege	4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe
Token: SeIncBasePriorityPrivilege	2412	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe
Token: SeIncBasePriorityPrivilege	4460	{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3284	4460	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	92
PID 4460 wrote to memory of 3284	4460	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	92
PID 4460 wrote to memory of 3284	4460	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	92
PID 4460 wrote to memory of 2608	4460	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	93
PID 4460 wrote to memory of 2608	4460	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	93
PID 4460 wrote to memory of 2608	4460	2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe	93
PID 3284 wrote to memory of 4968	3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe	95
PID 3284 wrote to memory of 4968	3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe	95
PID 3284 wrote to memory of 4968	3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe	95
PID 3284 wrote to memory of 4172	3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe	96
PID 3284 wrote to memory of 4172	3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe	96
PID 3284 wrote to memory of 4172	3284	{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe	96
PID 4968 wrote to memory of 2944	4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe	98
PID 4968 wrote to memory of 2944	4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe	98
PID 4968 wrote to memory of 2944	4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe	98
PID 4968 wrote to memory of 1920	4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe	99
PID 4968 wrote to memory of 1920	4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe	99
PID 4968 wrote to memory of 1920	4968	{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe	99
PID 2944 wrote to memory of 4688	2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe	101
PID 2944 wrote to memory of 4688	2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe	101
PID 2944 wrote to memory of 4688	2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe	101
PID 2944 wrote to memory of 4740	2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe	100
PID 2944 wrote to memory of 4740	2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe	100
PID 2944 wrote to memory of 4740	2944	{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe	100
PID 4688 wrote to memory of 2832	4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe	102
PID 4688 wrote to memory of 2832	4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe	102
PID 4688 wrote to memory of 2832	4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe	102
PID 4688 wrote to memory of 3016	4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe	103
PID 4688 wrote to memory of 3016	4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe	103
PID 4688 wrote to memory of 3016	4688	{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe	103
PID 2832 wrote to memory of 4452	2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe	104
PID 2832 wrote to memory of 4452	2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe	104
PID 2832 wrote to memory of 4452	2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe	104
PID 2832 wrote to memory of 2828	2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe	105
PID 2832 wrote to memory of 2828	2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe	105
PID 2832 wrote to memory of 2828	2832	{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe	105
PID 4452 wrote to memory of 2548	4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe	106
PID 4452 wrote to memory of 2548	4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe	106
PID 4452 wrote to memory of 2548	4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe	106
PID 4452 wrote to memory of 4376	4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe	107
PID 4452 wrote to memory of 4376	4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe	107
PID 4452 wrote to memory of 4376	4452	{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe	107
PID 2548 wrote to memory of 4476	2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe	109
PID 2548 wrote to memory of 4476	2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe	109
PID 2548 wrote to memory of 4476	2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe	109
PID 2548 wrote to memory of 4344	2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe	108
PID 2548 wrote to memory of 4344	2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe	108
PID 2548 wrote to memory of 4344	2548	{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe	108
PID 4476 wrote to memory of 4960	4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe	110
PID 4476 wrote to memory of 4960	4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe	110
PID 4476 wrote to memory of 4960	4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe	110
PID 4476 wrote to memory of 4288	4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe	111
PID 4476 wrote to memory of 4288	4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe	111
PID 4476 wrote to memory of 4288	4476	{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe	111
PID 4960 wrote to memory of 2412	4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe	112
PID 4960 wrote to memory of 2412	4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe	112
PID 4960 wrote to memory of 2412	4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe	112
PID 4960 wrote to memory of 2544	4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe	113
PID 4960 wrote to memory of 2544	4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe	113
PID 4960 wrote to memory of 2544	4960	{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe	113
PID 2412 wrote to memory of 4460	2412	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe	114
PID 2412 wrote to memory of 4460	2412	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe	114
PID 2412 wrote to memory of 4460	2412	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe	114
PID 2412 wrote to memory of 4864	2412	{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_fda654ae3da061bffb7acd922e0d424e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe
  C:\Windows\{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe
    C:\Windows\{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe
      C:\Windows\{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5998C~1.EXE > nul
        5⤵
        
        PID:4740
    - - C:\Windows\{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe
        
        C:\Windows\{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Windows\{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe
        
        C:\Windows\{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe
        
        C:\Windows\{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe
        
        C:\Windows\{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E7E~1.EXE > nul
        9⤵
        
        PID:4344
        
        C:\Windows\{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe
        
        C:\Windows\{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe
        
        C:\Windows\{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe
        
        C:\Windows\{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe
        
        C:\Windows\{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}.exe
        
        C:\Windows\{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}.exe
        13⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{707EE~1.EXE > nul
        13⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB051~1.EXE > nul
        12⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1F22~1.EXE > nul
        11⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D373~1.EXE > nul
        10⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BA43~1.EXE > nul
        8⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B74D3~1.EXE > nul
        7⤵
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E57FB~1.EXE > nul
        6⤵
        
        PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{26A4A~1.EXE > nul
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C731~1.EXE > nul
    3⤵
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BA438E7-50CA-47e6-89DD-F4EA020BA593}.exe

Filesize
180KB

MD5
a37e028cb00296eeb2071b4c2cde16bc

SHA1
e02b16b6bae86c74378e92a653f804966a2496d3

SHA256
50ce0612da0bc450a118807b15ac2727703d2af9ba0689e298783bfca5a197b5

SHA512
2fcf5c7597f01805542116f0f0d3b991d2046922e5a0fcb665436f86c8768d9c0bfd281199c2aa05f591fee918bc19ba8a151e70478b2a53c4a9706b24dd38e2

Download Submit
C:\Windows\{1C73198C-B6E5-433f-A00D-7AE1634C5CE2}.exe

Filesize
180KB

MD5
8d2ba3ef2a402e8d5043c549dc28fdbf

SHA1
ed2606a3a4fa4e9884c40aef7265c2a029c5dd04

SHA256
0f669da54d9fadb73c25757ee28ed4a20b7cd85db266bb1965322131a0189b64

SHA512
dcbdcaca679ae8c8847b0ad4e6bec7198ac62aefc69660f74f02de27dc6f8eb1a384a171b42695e62e4ce3afbef8ec125166b19e1552ba9e3798a308017d962e

Download Submit
C:\Windows\{26A4AC9C-F95B-49af-AC59-C6BEFC1D3802}.exe

Filesize
180KB

MD5
97636fadc63ff467ebad05c4f6902c99

SHA1
183233a19b1225fcb797502efbe3697e5d891fa9

SHA256
0a1efc802ceb5845d1b303394e277ba8375b40c172966af0e1b5359915295d87

SHA512
8f1cc15a879e95e07be7cb760b114f1ab616dcb28edf4a5b6179a7b5be5a9d00ff98210deebee153b0e910377093c1566dc49e4d28118f7e8449d353892b5c20

Download Submit
C:\Windows\{5998C085-F49B-40a0-B2F5-447095AC0BA4}.exe

Filesize
180KB

MD5
e779e1bd3afe54736d1d5a4a197bfbc6

SHA1
b2695eb8b6861845e84c46c40fda456d778e18f7

SHA256
571551d054074c655c3f0c6f15e5ffdb51b71767ad1b5505a7fa341fb8b6e1f2

SHA512
e6df86c20511d5b85dc31aed7a542e22aa6ebd0f012690fd85cbe44fcaed1741048811f108d941c18c4d05627b87e6a267926337ec3fe828369620107baa0fae

Download Submit
C:\Windows\{707EE731-F959-45d5-A8D4-5FED609E8DFE}.exe

Filesize
180KB

MD5
2ef693e8e61c05ac56684f64414f0b24

SHA1
da34926bdbf2997d32bff422d00d1ec6ab20c956

SHA256
7ea4b9665046c8de8ba20a82f8a16c1ffdb747bdabf2d54555a77277cdc4cd2a

SHA512
b9f9694566745d25c4e97db97271f89ce291b48807a8bec413b298a2b3d6fb3e99eb49686416bd466fdc08ddd1cdf9e8916037df066d9c3f6b04c33d59f1bf9a

Download Submit
C:\Windows\{7D3733E5-B991-4acf-96C9-B43ACD8A11C2}.exe

Filesize
180KB

MD5
7345674ac3318899468c4d45b2e38ab4

SHA1
18c3c87cfa0f46d10399467b2f21e93d832762d1

SHA256
0abcccb59520e8648ac3ad7ed9924e73cf0d7608d8ff888cc21ebc0e31ec2614

SHA512
8b2c617295cd30a3c8912bcecf83e61facf38f82d078cca8a4a8ef46a0df1619cf1ac1aba2cbba7c96c82b87334668bf653fa8812c7496e7debe83c5d71519a7

Download Submit
C:\Windows\{A1F2218D-FDE3-46db-8395-A886547E0D26}.exe

Filesize
180KB

MD5
d0d53a70fb4a52cc7ace5a0c4ee79e3f

SHA1
2ab20fce3b5f13e5334ab99819ab4bb063a641b4

SHA256
924300e6e45cd29ae25cdce3ca364ee12ae64b3033b9b9058c7311f4f77ecac2

SHA512
c498b8b1849e377edb6738ad847361cd1583a06e2e5257da42ac70ba29afa61ce5fbbf42b6b73e0401cdc4d1dcfc890e9b1d0d2dd6f86c2d532f497aefe6a999

Download Submit
C:\Windows\{B74D3239-27FD-4c66-98E2-D53CB6E891F0}.exe

Filesize
180KB

MD5
735dbace57e7054e4fc7336b84b2410c

SHA1
3e1c25607e32981f607dfc046d2a76450fb4eeec

SHA256
9833935a455b6f519b7dcce2c111b7e0c3b94daff74e2d2e01ca709418fe69a3

SHA512
bbddad39324dca4d25daccb0146d6b3adb20146a5952c22386a12dd83b097ed848be84270a040e2fd9c2df19dc262f42a5ae78b983d0b7863bec35a0da92326b

Download Submit
C:\Windows\{E57FBD05-F83A-44d8-A09A-DA684B04B037}.exe

Filesize
180KB

MD5
4a4471bb5cd94eba51621ffa99e6c9b6

SHA1
1465c2bf1a05a128440922edb99d132f32bd65c7

SHA256
1306752bc97fc036298fbcd74caaea6f16711529ded317eef8ea10245686d0c4

SHA512
2bc5797e4e447494881e2b55b96a277926280c581c3f1c139772784fae6dc5642c7fe42f44db308dfb5a9898aee5e1db74c8e8e8bb62242a15b81c8b0e063205

Download Submit
C:\Windows\{E7E7E704-7E60-467a-BBCE-E7A04901E076}.exe

Filesize
180KB

MD5
5bd12b5790fad826e133926ab769736f

SHA1
fb005829d337998377acd772179b3fd004e5930f

SHA256
bc4c26e53acff5d4a54e4960d61b606fd0925257f52f0b9446d3c45231935c50

SHA512
77b04eccffcdacd7f0bf8416bf4637795947d0564846ac4c5174003eaadbc12691f9004589212b9df028e0e7d2aefa35f61a2f6a86c1436edd8ff599d4ba88d3

Download Submit
C:\Windows\{EB9F7300-B5AA-4fcc-8847-0D9338FB2103}.exe

Filesize
180KB

MD5
667a7d567f785e8d35a1e0291d76be2d

SHA1
4cae833190fc55a1ea38085752252019203b8e24

SHA256
e983c10b7df32f80dd861eb7f7648b4b2788377cc2feb52aa986428df0b88586

SHA512
1082f44fdc5cdfa1fdf087eac7a0beb1e5d5d624d56ca48554eb59f33f2f020818d83e2939c64bf56756de6eb9fb19009f97c073994add9fce8255107f98114a

Download Submit
C:\Windows\{FB0517B1-6E3D-436a-BDCB-2AD32F11DA3A}.exe

Filesize
180KB

MD5
507131b88b14dbbc34c334e7e6e8575b

SHA1
9452d35601472e97b6a2f3f45849364564698bed

SHA256
c2159d45e8e5d676f640932ba00abda373f77eed9f95132e378592ce170ebebd

SHA512
9563e748b6b53bf93f70a291171bede0531a7ec39c9f3761635d03ba88adb18e4f54077c23e54b07777af9647ce7c1e37e5ec0cc82d0eccd3ef6d24b0ef708c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads