31d7f2ee1c13ecf334764a4d0e0e57fec167c0104b3d753e50980fa29da63d5f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe
Size

180KB
MD5

4f4c0cdb0aa8e4464dda8833320d2839
SHA1

47883e23fc1be462a4b885cff02c5e0e18fb92ae
SHA256

31d7f2ee1c13ecf334764a4d0e0e57fec167c0104b3d753e50980fa29da63d5f
SHA512

8f62eb3ff1e9fbc86ef6f2f3538caa6f63b7f304faed50f700bd16ff9ad0d94c46e125afa1f8d9e99fe1681c880b4740f0fdacb8a36f3aa5f18e17cc4a741e79
SSDEEP

3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGNl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321e-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002321e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023226-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023226-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000715-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000715-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D271C26-C1FE-49e8-9D5F-6043AB075382}\stubpath = "C:\\Windows\\{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe"	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}\stubpath = "C:\\Windows\\{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe"	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}\stubpath = "C:\\Windows\\{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe"	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9052E4F-0F47-4506-ACBC-03A313543550}	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{540C54BD-FB77-4956-90CD-FC367073375F}	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{047BAB2A-8E60-4eda-9699-56C9581F9C93}\stubpath = "C:\\Windows\\{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe"	{540C54BD-FB77-4956-90CD-FC367073375F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7560838-7A3A-499f-8DA7-0C6015C39605}	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7560838-7A3A-499f-8DA7-0C6015C39605}\stubpath = "C:\\Windows\\{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe"	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D271C26-C1FE-49e8-9D5F-6043AB075382}	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}\stubpath = "C:\\Windows\\{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe"	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31F53166-1281-439a-B587-CC3F8D91EDF6}	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{047BAB2A-8E60-4eda-9699-56C9581F9C93}	{540C54BD-FB77-4956-90CD-FC367073375F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E085AC2C-3C57-409e-AB43-2E7B52A6985B}	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9052E4F-0F47-4506-ACBC-03A313543550}\stubpath = "C:\\Windows\\{F9052E4F-0F47-4506-ACBC-03A313543550}.exe"	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31F53166-1281-439a-B587-CC3F8D91EDF6}\stubpath = "C:\\Windows\\{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe"	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}\stubpath = "C:\\Windows\\{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe"	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{540C54BD-FB77-4956-90CD-FC367073375F}\stubpath = "C:\\Windows\\{540C54BD-FB77-4956-90CD-FC367073375F}.exe"	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E085AC2C-3C57-409e-AB43-2E7B52A6985B}\stubpath = "C:\\Windows\\{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe"	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}	{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}\stubpath = "C:\\Windows\\{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}.exe"	{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe
1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe
1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe
4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe
2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe
3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe
116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe
2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe
3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe
4608	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe
1612	{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe
3440	{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe
File created	C:\Windows\{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe
File created	C:\Windows\{540C54BD-FB77-4956-90CD-FC367073375F}.exe	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe
File created	C:\Windows\{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe
File created	C:\Windows\{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}.exe	{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe
File created	C:\Windows\{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe	{540C54BD-FB77-4956-90CD-FC367073375F}.exe
File created	C:\Windows\{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe
File created	C:\Windows\{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe
File created	C:\Windows\{F9052E4F-0F47-4506-ACBC-03A313543550}.exe	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe
File created	C:\Windows\{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe
File created	C:\Windows\{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe
File created	C:\Windows\{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2464	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe
Token: SeIncBasePriorityPrivilege	1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe
Token: SeIncBasePriorityPrivilege	1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe
Token: SeIncBasePriorityPrivilege	4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe
Token: SeIncBasePriorityPrivilege	2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe
Token: SeIncBasePriorityPrivilege	3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe
Token: SeIncBasePriorityPrivilege	116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe
Token: SeIncBasePriorityPrivilege	2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe
Token: SeIncBasePriorityPrivilege	3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe
Token: SeIncBasePriorityPrivilege	4608	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe
Token: SeIncBasePriorityPrivilege	1612	{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1916	2464	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe	89
PID 2464 wrote to memory of 1916	2464	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe	89
PID 2464 wrote to memory of 1916	2464	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe	89
PID 2464 wrote to memory of 3196	2464	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe	90
PID 2464 wrote to memory of 3196	2464	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe	90
PID 2464 wrote to memory of 3196	2464	2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe	90
PID 1916 wrote to memory of 1716	1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe	93
PID 1916 wrote to memory of 1716	1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe	93
PID 1916 wrote to memory of 1716	1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe	93
PID 1916 wrote to memory of 2984	1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe	94
PID 1916 wrote to memory of 2984	1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe	94
PID 1916 wrote to memory of 2984	1916	{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe	94
PID 1716 wrote to memory of 1572	1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe	97
PID 1716 wrote to memory of 1572	1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe	97
PID 1716 wrote to memory of 1572	1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe	97
PID 1716 wrote to memory of 4120	1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe	96
PID 1716 wrote to memory of 4120	1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe	96
PID 1716 wrote to memory of 4120	1716	{F9052E4F-0F47-4506-ACBC-03A313543550}.exe	96
PID 1572 wrote to memory of 4628	1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe	98
PID 1572 wrote to memory of 4628	1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe	98
PID 1572 wrote to memory of 4628	1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe	98
PID 1572 wrote to memory of 4124	1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe	99
PID 1572 wrote to memory of 4124	1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe	99
PID 1572 wrote to memory of 4124	1572	{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe	99
PID 4628 wrote to memory of 2032	4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe	100
PID 4628 wrote to memory of 2032	4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe	100
PID 4628 wrote to memory of 2032	4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe	100
PID 4628 wrote to memory of 1364	4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe	101
PID 4628 wrote to memory of 1364	4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe	101
PID 4628 wrote to memory of 1364	4628	{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe	101
PID 2032 wrote to memory of 3420	2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe	102
PID 2032 wrote to memory of 3420	2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe	102
PID 2032 wrote to memory of 3420	2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe	102
PID 2032 wrote to memory of 3136	2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe	103
PID 2032 wrote to memory of 3136	2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe	103
PID 2032 wrote to memory of 3136	2032	{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe	103
PID 3420 wrote to memory of 116	3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe	104
PID 3420 wrote to memory of 116	3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe	104
PID 3420 wrote to memory of 116	3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe	104
PID 3420 wrote to memory of 5060	3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe	105
PID 3420 wrote to memory of 5060	3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe	105
PID 3420 wrote to memory of 5060	3420	{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe	105
PID 116 wrote to memory of 2572	116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe	106
PID 116 wrote to memory of 2572	116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe	106
PID 116 wrote to memory of 2572	116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe	106
PID 116 wrote to memory of 4440	116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe	107
PID 116 wrote to memory of 4440	116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe	107
PID 116 wrote to memory of 4440	116	{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe	107
PID 2572 wrote to memory of 3208	2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe	108
PID 2572 wrote to memory of 3208	2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe	108
PID 2572 wrote to memory of 3208	2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe	108
PID 2572 wrote to memory of 4864	2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe	109
PID 2572 wrote to memory of 4864	2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe	109
PID 2572 wrote to memory of 4864	2572	{540C54BD-FB77-4956-90CD-FC367073375F}.exe	109
PID 3208 wrote to memory of 4608	3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe	110
PID 3208 wrote to memory of 4608	3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe	110
PID 3208 wrote to memory of 4608	3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe	110
PID 3208 wrote to memory of 3756	3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe	111
PID 3208 wrote to memory of 3756	3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe	111
PID 3208 wrote to memory of 3756	3208	{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe	111
PID 4608 wrote to memory of 1612	4608	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe	112
PID 4608 wrote to memory of 1612	4608	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe	112
PID 4608 wrote to memory of 1612	4608	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe	112
PID 4608 wrote to memory of 4540	4608	{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe
  C:\Windows\{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\{F9052E4F-0F47-4506-ACBC-03A313543550}.exe
    C:\Windows\{F9052E4F-0F47-4506-ACBC-03A313543550}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9052~1.EXE > nul
      4⤵
      PID:4120
  - - C:\Windows\{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe
      C:\Windows\{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe
        
        C:\Windows\{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe
        
        C:\Windows\{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe
        
        C:\Windows\{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe
        
        C:\Windows\{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{540C54BD-FB77-4956-90CD-FC367073375F}.exe
        
        C:\Windows\{540C54BD-FB77-4956-90CD-FC367073375F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe
        
        C:\Windows\{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe
        
        C:\Windows\{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe
        
        C:\Windows\{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}.exe
        
        C:\Windows\{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}.exe
        13⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E085A~1.EXE > nul
        13⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7560~1.EXE > nul
        12⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{047BA~1.EXE > nul
        11⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{540C5~1.EXE > nul
        10⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E76D~1.EXE > nul
        9⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A979D~1.EXE > nul
        8⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3AD2~1.EXE > nul
        7⤵
        
        PID:3136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31F53~1.EXE > nul
        6⤵
        
        PID:1364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F927B~1.EXE > nul
        5⤵
        
        PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1D271~1.EXE > nul
    3⤵
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{047BAB2A-8E60-4eda-9699-56C9581F9C93}.exe

Filesize
180KB

MD5
a11d7a80d06f42049efbcd00c2fd7f7d

SHA1
9a1de581c5334132ccbd6a28639a1b6d00062c5c

SHA256
3e1c3f3ce97a057016f553f8bd247c4798c67020d4aedd6193d8b92c7a19e1d7

SHA512
3b95fb9d355f0e06cf6a2a45ef68cc71775e392d3781f80026a3e98423d0fc06991cfaac4435aa63c1aa94ddba2f4788b77e67798fac3b029f3c8bca5b7ed339

Download Submit
C:\Windows\{0ECE2C8F-BD5B-4cd0-B73D-D864C2EB486C}.exe

Filesize
180KB

MD5
c1e647cb5b453eab1418ff5e3b98de95

SHA1
9ae2e8df67db78dd6c03c4db76a1006628e1054e

SHA256
1c51a77ae7758add0d61ca537a2ec40e6091ece065253de43e63a9f9b39828a1

SHA512
11396cdd32f5d6fbb5721d68c67b55a5706fbdec0be509c27d75545d88692d01ebe72d0d7f23d71ad9902b83ba1684b12963d4c7ac2195ff8f2634e12ee441ee

Download Submit
C:\Windows\{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe

Filesize
180KB

MD5
53bb14b30e779a66ba3c35ca17d39132

SHA1
848a9aa7ebb0840b763c286c832cec59a49212bc

SHA256
051d9f8bb1f0b817f52d56b980d9ddfed4c23ca45eb6f80c1470c0dfa032e77b

SHA512
22257ff708d675a105891ab15ab02e030cf4e59e2de0f9625b7a619b7f2f9cfe7c1dc6bd388834bdd42b83ed1b5f73ac825deff8c7aae0c673b12d7b83a98bc4

Download Submit
C:\Windows\{1D271C26-C1FE-49e8-9D5F-6043AB075382}.exe

Filesize
150KB

MD5
c5474814cc9b72bf89ac62559899a700

SHA1
467555f3f2784e291d6839836de42733f924ed19

SHA256
6329e3574b8f3c1aa9641e3ac514ecfc55bd011be9dba460e4298a151be69ce8

SHA512
35782337928d0e00a96dc94ba421f42401ea88388b6b1b0c1d7596768ad6e111638bb7bc33093a937d02bd3eab60c6923acbdc6bc0bcf352c5d437c51f0af917

Download Submit
C:\Windows\{31F53166-1281-439a-B587-CC3F8D91EDF6}.exe

Filesize
180KB

MD5
4cfa40b10f9f7ff47e6a2c2067902e61

SHA1
7a74430be4e8505e9283017f029e2380c2fc482e

SHA256
f2af430a9d2038c0b525ee98022681e24087e94aaadf89f0b41965f995e0b702

SHA512
9cc37a3134af4fbfceb742d7a90146edc367cceb2e71b81899c4d3497dbb1bc96e2ef4f5f3c56032c611dd446532df40e755ed232ba6f90221041d0970161094

Download Submit
C:\Windows\{540C54BD-FB77-4956-90CD-FC367073375F}.exe

Filesize
180KB

MD5
642f8870e4dbf713ffbbe2bc0326c99c

SHA1
750ce22a74fcdc9868224bba59491da112fa79bc

SHA256
68872b4a756fb128271e35ce9d556f5aaefa5fe2418c5825fc3728244dfc6de1

SHA512
4f94a59bacf6c2669d8642112fbaff0518e3ab1b876bd912ff4775a53e4a20d43fc577a1759a40ffcfaf08e2583473543760e81a0d2d90e9c32d035dc80af1af

Download Submit
C:\Windows\{8E76DC4F-F982-4ce8-A71C-1B17B2E10191}.exe

Filesize
180KB

MD5
993dee7d0ad4da2f63e815ea8a93978f

SHA1
03ddee8517f72a5dd8ac2dab80653bc7c6ac1f5a

SHA256
078564f42d25787dfb858142482f9894c33405535ec3bca02a582a24cb98e85f

SHA512
a7540a5e6c12b5f133cc534c83dc7fb1a0642678bcf35390f0d1794d1f2159dcfe2b619384187cd525e1561e794fa71f91fc4ce957101b2ea82d0d6163dc0254

Download Submit
C:\Windows\{A979D8F7-646E-4c8d-AF87-3D6E4CFD2BD9}.exe

Filesize
180KB

MD5
67d1916652017603633e0fda98b18337

SHA1
05b95ce7278b5e9899914190c5c49fe1837d922e

SHA256
6fdef53a2af0f53439c1415d256071e535e1db535ec8b5d04e957b4111daf2c8

SHA512
b8a10c7a0c565f8f4809030fb4ed5ca0eee6ac35aabace5733ba792ab6e02634bbad08a601491e98b0d48b52612a5b42941d8c2fe3029a86c0dbb327b69f067e

Download Submit
C:\Windows\{B3AD2133-14C8-4dfe-80AA-C3AFD723B4D8}.exe

Filesize
180KB

MD5
6f5dad71e2fdc1a9df3a7786a6bc1a8a

SHA1
a6e066381a490538d67e470e1da8a3e6ef767d6f

SHA256
92333ea494b2a5cc6cfcc35a1ea98630bbf3cd3842bfb8965f82d0e31e3fea08

SHA512
3751e16756d35cdad7436e50c8a998a7fbc237f1b5a19c2dff322a351f7af636414b95607ea043f53a2fefe9c0a8f25f0d54b8784a7a4397a92b2de8c70e05fb

Download Submit
C:\Windows\{E085AC2C-3C57-409e-AB43-2E7B52A6985B}.exe

Filesize
180KB

MD5
abccdfaf5db8a5a2aaf3b7c683f2037c

SHA1
aee630660f96c9fea5c8a10dcc99b0289bb633f2

SHA256
24fdc1713eb460fe0515fbfded229006056a13f60baf49746a0f22256136553b

SHA512
09bfd835b3c94dd2084aed19aec0470d9a924918fed5e1224d730c03ee8d7b6e6795d822bad56132e848d6faee61d0464c7052d20112ad9539b9e8b81165e031

Download Submit
C:\Windows\{E7560838-7A3A-499f-8DA7-0C6015C39605}.exe

Filesize
180KB

MD5
568f19b8a122bfc081b19dc604f213ca

SHA1
00a213123505da0d4b21f55daf02597ec18c28d6

SHA256
d3afb4ed6a179092b83660784e60ff25272afeecc1efc0714f22a92814464680

SHA512
5743860525ec89c0866976f0fbe7a37b6557a5056c2d32034109eb7491a7fa752ee3d3ba1e13bf111cb078e5cb6c08472e270c17b1c4526a6afb47650542aec3

Download Submit
C:\Windows\{F9052E4F-0F47-4506-ACBC-03A313543550}.exe

Filesize
180KB

MD5
13ba6a073eb9165a21caad0e628cf1c4

SHA1
4e602e6eb0f9ea1cdda7097a6e54182f7d8a1f27

SHA256
41f4ef6de30dc4fe5dc62688c446a0e6c0e4ffb802076e64b68044a2bede0ddf

SHA512
4e07b080d3c55a888462929163984c16abcce7ee8f0aea9363ef973e91723a0b73f56e033edfde52e25d6327845811cde1f8729033e4634e3ce55d0fcec7cbc0

Download Submit
C:\Windows\{F927BABD-7661-4fb4-8A1D-C4D5B611BE45}.exe

Filesize
180KB

MD5
28436a958c8ea687bb14bfe80a96708a

SHA1
9188809776f32ca17a6b1b4531d8a8f96d313ea0

SHA256
d9a98aaf7cf47dce01097e8167477f6c73f5ec758831acb0a68a23b7d5c19ae9

SHA512
82c2305630fcf93500d96a44339adf5adc98613367547438e0d2b8e7ff9c2d5c99a86786e4eb46af8a53a06600c8c1b14593c93577ba1f84fc4db84fccdf2f8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads