179cf98d0d63e295a0cb64646bbce64019cab2c965550fbf53cd4a733f954ca3

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 16:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Size

197KB
MD5

dd54c12867ad188735f3eed6eb2809c9
SHA1

835fd7fab20bdef6350d77ba3af8188632bcea7a
SHA256

179cf98d0d63e295a0cb64646bbce64019cab2c965550fbf53cd4a733f954ca3
SHA512

143d336ec9a0103aced41f9fcc037eb3b21f6cc5625ca39acc7b0b1dff6c1c3c2ad4c188444bb60349c4f2790e9aa103fa429f5c0eb7e114013a7e63ec805885
SSDEEP

3072:jEGh0oyl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGQlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e2c0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023121-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023008-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023121-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFE7A262-0139-4743-9C79-740225292A32}	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0C054EA-4CA7-4afe-948C-1EF1A655F381}\stubpath = "C:\\Windows\\{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe"	{EFE7A262-0139-4743-9C79-740225292A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}\stubpath = "C:\\Windows\\{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe"	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{799F2F04-F93C-4c3d-9807-023608037F2F}	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}\stubpath = "C:\\Windows\\{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe"	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13165C56-9EE4-4538-B85F-B3366D8F71B9}	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13165C56-9EE4-4538-B85F-B3366D8F71B9}\stubpath = "C:\\Windows\\{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe"	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{799F2F04-F93C-4c3d-9807-023608037F2F}\stubpath = "C:\\Windows\\{799F2F04-F93C-4c3d-9807-023608037F2F}.exe"	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}\stubpath = "C:\\Windows\\{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe"	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFE7A262-0139-4743-9C79-740225292A32}\stubpath = "C:\\Windows\\{EFE7A262-0139-4743-9C79-740225292A32}.exe"	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}\stubpath = "C:\\Windows\\{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe"	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0C054EA-4CA7-4afe-948C-1EF1A655F381}	{EFE7A262-0139-4743-9C79-740225292A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}	{799F2F04-F93C-4c3d-9807-023608037F2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534B23AF-4548-4647-A1CC-37704F64B04A}	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534B23AF-4548-4647-A1CC-37704F64B04A}\stubpath = "C:\\Windows\\{534B23AF-4548-4647-A1CC-37704F64B04A}.exe"	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}\stubpath = "C:\\Windows\\{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe"	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}\stubpath = "C:\\Windows\\{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}.exe"	{799F2F04-F93C-4c3d-9807-023608037F2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}\stubpath = "C:\\Windows\\{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe"	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe

Executes dropped EXE 12 IoCs

pid	Process
1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe
4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe
1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe
1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe
3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe
1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe
1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe
3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe
1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe
4024	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe
3500	{799F2F04-F93C-4c3d-9807-023608037F2F}.exe
440	{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
File created	C:\Windows\{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe
File created	C:\Windows\{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe	{EFE7A262-0139-4743-9C79-740225292A32}.exe
File created	C:\Windows\{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe
File created	C:\Windows\{799F2F04-F93C-4c3d-9807-023608037F2F}.exe	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe
File created	C:\Windows\{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe
File created	C:\Windows\{534B23AF-4548-4647-A1CC-37704F64B04A}.exe	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe
File created	C:\Windows\{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe
File created	C:\Windows\{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe
File created	C:\Windows\{EFE7A262-0139-4743-9C79-740225292A32}.exe	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe
File created	C:\Windows\{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe
File created	C:\Windows\{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}.exe	{799F2F04-F93C-4c3d-9807-023608037F2F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1388	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe
Token: SeIncBasePriorityPrivilege	4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe
Token: SeIncBasePriorityPrivilege	1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe
Token: SeIncBasePriorityPrivilege	1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe
Token: SeIncBasePriorityPrivilege	3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe
Token: SeIncBasePriorityPrivilege	1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe
Token: SeIncBasePriorityPrivilege	1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe
Token: SeIncBasePriorityPrivilege	3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe
Token: SeIncBasePriorityPrivilege	1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe
Token: SeIncBasePriorityPrivilege	4024	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe
Token: SeIncBasePriorityPrivilege	3500	{799F2F04-F93C-4c3d-9807-023608037F2F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1032	1388	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	84
PID 1388 wrote to memory of 1032	1388	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	84
PID 1388 wrote to memory of 1032	1388	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	84
PID 1388 wrote to memory of 2680	1388	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	85
PID 1388 wrote to memory of 2680	1388	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	85
PID 1388 wrote to memory of 2680	1388	2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe	85
PID 1032 wrote to memory of 4912	1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe	90
PID 1032 wrote to memory of 4912	1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe	90
PID 1032 wrote to memory of 4912	1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe	90
PID 1032 wrote to memory of 1408	1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe	91
PID 1032 wrote to memory of 1408	1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe	91
PID 1032 wrote to memory of 1408	1032	{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe	91
PID 4912 wrote to memory of 1040	4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe	97
PID 4912 wrote to memory of 1040	4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe	97
PID 4912 wrote to memory of 1040	4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe	97
PID 4912 wrote to memory of 1560	4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe	96
PID 4912 wrote to memory of 1560	4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe	96
PID 4912 wrote to memory of 1560	4912	{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe	96
PID 1040 wrote to memory of 1068	1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe	98
PID 1040 wrote to memory of 1068	1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe	98
PID 1040 wrote to memory of 1068	1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe	98
PID 1040 wrote to memory of 4360	1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe	99
PID 1040 wrote to memory of 4360	1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe	99
PID 1040 wrote to memory of 4360	1040	{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe	99
PID 1068 wrote to memory of 3624	1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe	100
PID 1068 wrote to memory of 3624	1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe	100
PID 1068 wrote to memory of 3624	1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe	100
PID 1068 wrote to memory of 4556	1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe	101
PID 1068 wrote to memory of 4556	1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe	101
PID 1068 wrote to memory of 4556	1068	{534B23AF-4548-4647-A1CC-37704F64B04A}.exe	101
PID 3624 wrote to memory of 1712	3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe	102
PID 3624 wrote to memory of 1712	3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe	102
PID 3624 wrote to memory of 1712	3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe	102
PID 3624 wrote to memory of 4548	3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe	103
PID 3624 wrote to memory of 4548	3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe	103
PID 3624 wrote to memory of 4548	3624	{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe	103
PID 1712 wrote to memory of 1904	1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe	104
PID 1712 wrote to memory of 1904	1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe	104
PID 1712 wrote to memory of 1904	1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe	104
PID 1712 wrote to memory of 1644	1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe	105
PID 1712 wrote to memory of 1644	1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe	105
PID 1712 wrote to memory of 1644	1712	{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe	105
PID 1904 wrote to memory of 3152	1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe	106
PID 1904 wrote to memory of 3152	1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe	106
PID 1904 wrote to memory of 3152	1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe	106
PID 1904 wrote to memory of 4196	1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe	107
PID 1904 wrote to memory of 4196	1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe	107
PID 1904 wrote to memory of 4196	1904	{EFE7A262-0139-4743-9C79-740225292A32}.exe	107
PID 3152 wrote to memory of 1944	3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe	108
PID 3152 wrote to memory of 1944	3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe	108
PID 3152 wrote to memory of 1944	3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe	108
PID 3152 wrote to memory of 2056	3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe	109
PID 3152 wrote to memory of 2056	3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe	109
PID 3152 wrote to memory of 2056	3152	{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe	109
PID 1944 wrote to memory of 4024	1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe	110
PID 1944 wrote to memory of 4024	1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe	110
PID 1944 wrote to memory of 4024	1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe	110
PID 1944 wrote to memory of 3504	1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe	111
PID 1944 wrote to memory of 3504	1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe	111
PID 1944 wrote to memory of 3504	1944	{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe	111
PID 4024 wrote to memory of 3500	4024	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe	112
PID 4024 wrote to memory of 3500	4024	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe	112
PID 4024 wrote to memory of 3500	4024	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe	112
PID 4024 wrote to memory of 1072	4024	{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_dd54c12867ad188735f3eed6eb2809c9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe
  C:\Windows\{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe
    C:\Windows\{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC8AF~1.EXE > nul
      4⤵
      PID:1560
  - - C:\Windows\{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe
      C:\Windows\{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\{534B23AF-4548-4647-A1CC-37704F64B04A}.exe
        
        C:\Windows\{534B23AF-4548-4647-A1CC-37704F64B04A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Windows\{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe
        
        C:\Windows\{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe
        
        C:\Windows\{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{EFE7A262-0139-4743-9C79-740225292A32}.exe
        
        C:\Windows\{EFE7A262-0139-4743-9C79-740225292A32}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe
        
        C:\Windows\{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe
        
        C:\Windows\{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe
        
        C:\Windows\{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{799F2F04-F93C-4c3d-9807-023608037F2F}.exe
        
        C:\Windows\{799F2F04-F93C-4c3d-9807-023608037F2F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
        
        C:\Windows\{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}.exe
        
        C:\Windows\{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}.exe
        13⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{799F2~1.EXE > nul
        13⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30C0D~1.EXE > nul
        12⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2CE7~1.EXE > nul
        11⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0C05~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE7A~1.EXE > nul
        9⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6B79~1.EXE > nul
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13165~1.EXE > nul
        7⤵
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{534B2~1.EXE > nul
        6⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5984~1.EXE > nul
        5⤵
        
        PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69F73~1.EXE > nul
    3⤵
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13165C56-9EE4-4538-B85F-B3366D8F71B9}.exe

Filesize
197KB

MD5
7580cee5e2b9422df8a01488750995d7

SHA1
7a0ec11d474ae44b5108c101b71c2fa22316bed6

SHA256
59131901756832a0ec3ca66adf8760e3f1622cc104161beaef393f56771a9165

SHA512
ea28d7bdb4eb2d54481c3f76c6a0d5787d5a5e1d23c016206e46308b170d284f5c145c0fe3a572cbe04b0025312d907978217661402dac60baedb7b5d15e024f

Download Submit
C:\Windows\{30C0DA2D-9CDE-4801-9ADF-C94067DC9AC3}.exe

Filesize
197KB

MD5
3e8a9b49b2f84ab5c248a166255249ed

SHA1
f566fcb513bc6c07fda43b43f57e802207b4f027

SHA256
01e0f48596c61e48d2a355c572a41ae0499a7c5ecd3dd4fe0457d100e7ed4a01

SHA512
cc7bab4181759a150a26ace1d4975be2487477c16afd1b74485770dc8abf307bbe94dae00b07ea5c24e42095ecbcc32bc724e70ac023632ef1870aa4e8b6aabd

Download Submit
C:\Windows\{534B23AF-4548-4647-A1CC-37704F64B04A}.exe

Filesize
197KB

MD5
73cb1f73f6583583975f68a53d02559b

SHA1
fd5c1adcbbc7b381c96c5f0f620c4d1a2b612ba6

SHA256
e6802f20a1648af48d9286aba901945b6f7edcf7faaf6de9594cf2dceaf061bc

SHA512
ad7306ff401867ddd8e314a9275916e9d708ba5162387a7dca0cf3a8b00e1fc602126df48ff7b54f0868b973607236a252620059e1b88698b78cdde3ebe6f159

Download Submit
C:\Windows\{5573EDBC-8C5B-4bf1-99EF-32338F3E0677}.exe

Filesize
197KB

MD5
e348a63042f2dac6b42966855e15a61b

SHA1
9048f7e23a87863c439639746b87277165d31ae1

SHA256
88e6f565825aa7552c1b81cdd08d84855405e274376ad6b2f1c72c68f6342133

SHA512
1cb7a4d0448645fd0e98185e1317a13d5f51416d589f5d6c458b94adf3b7566894f09f985df8df566241baca225d8d96d83e30b241abb3631e9a718e82d2035b

Download Submit
C:\Windows\{69F733F0-BD4D-4b3c-9B08-0F9D832FB00E}.exe

Filesize
197KB

MD5
00d645f4394b0c71b0909838bed4be43

SHA1
53b6de1f3746daca6dd096837939c2f13c33cfe3

SHA256
ce32a0b92724f3faaf2a6d69610ca4fe1e73482348ffec504a00256543b3fc70

SHA512
f12aef450338b2762a10741d917696ae933e5c398e93170fe5a8b3a0d8d8be28c9a3a988da0da687734621b1151233f6e082967832eb0771fa84c15be1910e1d

Download Submit
C:\Windows\{799F2F04-F93C-4c3d-9807-023608037F2F}.exe

Filesize
197KB

MD5
5b952ee1cf937435c8104dae36d0cb8a

SHA1
77ca6105d677f18b6f2f68631fc979765e766af9

SHA256
2f56cdd8900d3f0c415856d84a2bd98f1dfa756e264d3a76abd10734f58752a9

SHA512
e60d2524383162191b72624c5f7235cb0eb277768388b3ad20e7a4112d85bc6a0a996366a42402e8ba8c8a047848248b16a591aa54380a5fd22b645b839f0e68

Download Submit
C:\Windows\{B0C054EA-4CA7-4afe-948C-1EF1A655F381}.exe

Filesize
197KB

MD5
ea92d2b4141dd1961065967bcf682505

SHA1
b14998595c94d6fdc73193fb03f05dafd2d1b780

SHA256
c88f779e47a0b844d6db94a71c45fd4a68cb12f2c69630040af8ee93bed2a6ee

SHA512
95f9cec8f3e4d924f6a2c68ecc152b41cd2c6f1a5504100b593e3d38b304c8f940016c3b6ceda6ee956e61d2c262ceebffee1faa91167c118b292ada7469b2a4

Download Submit
C:\Windows\{CC8AF1F5-0041-46d4-8F14-383FAE6EEA61}.exe

Filesize
197KB

MD5
dd49c4d05282b2183a52895f860e52eb

SHA1
c60f22f1597f721fe9e7f2a165260c35cab3e5ac

SHA256
ead38eade051593a2ed8fa7ebe8bc5d5f60706c3bc7cdc2f09d619e1eaed31c8

SHA512
88e158f1521e0fc99174cf242e5df7b49c276d21c035fed29a89af3018c6d5dd61c1c9fc7eca445adb640448653f7b069892c2b769e8d2ebaabd67674ac18648

Download Submit
C:\Windows\{D2CE7D9D-9AAA-407b-875F-9F7FD3F62127}.exe

Filesize
197KB

MD5
91c73d660c09bbc95612967307d0088b

SHA1
c4bb31993353f4b9e6926cd4e18c881dc03bba49

SHA256
efa8544513653e9b8e107436f4a1085b8fd0f5fd9ccb0b3eea6f73d28220734d

SHA512
a91f428b87f9ebaa5e745059a27a75c10c3d6147f56115799428f7d3a2b2208b7de9d9608e3326e8ca1f7e8ec155bddc6b24e9a312e5559b86448e18d5cb8533

Download Submit
C:\Windows\{D5984EC9-EC89-4fcb-BA05-3DFF3BF4D970}.exe

Filesize
197KB

MD5
965c6a0b9af2dd5dae1282bba71c912c

SHA1
5404f2a2c83978096526879756d0511320e2d8be

SHA256
ca702124c458997b34ec644246426db61f52ca2751566d917c2d472062a3f1e2

SHA512
ce4250c397135157dc290d3852cde036d8712c3057cde4083c43a4f26ee70d7bd7fe38d20e4d788d1e475c4b1d77bb8be06a531e2485f210234fc33ce84803ff

Download Submit
C:\Windows\{E6B79D42-38BF-43c8-9256-38CD5E75E3C5}.exe

Filesize
197KB

MD5
0d5f034cc914cb97eca1759a1ade5d6d

SHA1
a436e3b2676d02af84966dea971008e34fcfbe3f

SHA256
fb2db38047a68c8970a44392b99006e732d285184121eece814a0102054b9d10

SHA512
1940566bd309d2d55cb4886f358af971712724013c033e5e1801294918dc0d4a0353863daaadc9a57f984444c0cb486bed615caca7ba5eed6002ba7eafd7f145

Download Submit
C:\Windows\{EFE7A262-0139-4743-9C79-740225292A32}.exe

Filesize
197KB

MD5
72ffc1a704652fb68a6b0334f5b6bc00

SHA1
bdbd8327183cc6071d515b5b2ae49a87c6819c3c

SHA256
252cfb9c9004b946419ce6c549148e268a89e61afe130075cfbd2063ffd17115

SHA512
c2fe0233c5b0535eef96d1fbf3387b04528b18eedb668945b78eb754f1a1e57bfcbd5b01785ded698cb25d16acf65af0a7f1e6af8f305350b86870dda0b08074

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads