0c9057675ac72e3033f51acaf4317fe6c4417f38e7c68d75e0f266a053815639

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe
Size

344KB
MD5

60963c9fe998a92198f04daae00c2d77
SHA1

39b2ae023e5ea9c54b1332a581e6cd996d3b37fc
SHA256

0c9057675ac72e3033f51acaf4317fe6c4417f38e7c68d75e0f266a053815639
SHA512

bc2bd2f2107efcdc7ee8435241f1a98de69b8385ea4327e137e3547c73d6271f2ecc881f2e9736f3c2eb3f967de45d661c00fb5383f7cd12d4934e9c3220738c
SSDEEP

3072:mEGh0omlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG8lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023217-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023221-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023221-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}\stubpath = "C:\\Windows\\{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe"	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}\stubpath = "C:\\Windows\\{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe"	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}\stubpath = "C:\\Windows\\{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe"	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}\stubpath = "C:\\Windows\\{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe"	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}\stubpath = "C:\\Windows\\{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe"	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}\stubpath = "C:\\Windows\\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}.exe"	{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}\stubpath = "C:\\Windows\\{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe"	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}\stubpath = "C:\\Windows\\{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe"	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}\stubpath = "C:\\Windows\\{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe"	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7A336A-D55F-40b0-AE60-C4966073DE01}	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}	{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7A336A-D55F-40b0-AE60-C4966073DE01}\stubpath = "C:\\Windows\\{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe"	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}\stubpath = "C:\\Windows\\{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe"	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}\stubpath = "C:\\Windows\\{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe"	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe
5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe
3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe
1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe
2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe
4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe
2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe
2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe
1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe
4524	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe
636	{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe
1884	{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe
File created	C:\Windows\{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe
File created	C:\Windows\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}.exe	{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe
File created	C:\Windows\{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe
File created	C:\Windows\{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe
File created	C:\Windows\{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe
File created	C:\Windows\{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe
File created	C:\Windows\{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe
File created	C:\Windows\{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe
File created	C:\Windows\{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe
File created	C:\Windows\{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe
File created	C:\Windows\{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1996	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe
Token: SeIncBasePriorityPrivilege	5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe
Token: SeIncBasePriorityPrivilege	3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe
Token: SeIncBasePriorityPrivilege	1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe
Token: SeIncBasePriorityPrivilege	2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe
Token: SeIncBasePriorityPrivilege	4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe
Token: SeIncBasePriorityPrivilege	2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe
Token: SeIncBasePriorityPrivilege	2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe
Token: SeIncBasePriorityPrivilege	1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe
Token: SeIncBasePriorityPrivilege	4524	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe
Token: SeIncBasePriorityPrivilege	636	{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4212	1996	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe	86
PID 1996 wrote to memory of 4212	1996	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe	86
PID 1996 wrote to memory of 4212	1996	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe	86
PID 1996 wrote to memory of 3608	1996	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe	87
PID 1996 wrote to memory of 3608	1996	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe	87
PID 1996 wrote to memory of 3608	1996	2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe	87
PID 4212 wrote to memory of 5008	4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe	93
PID 4212 wrote to memory of 5008	4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe	93
PID 4212 wrote to memory of 5008	4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe	93
PID 4212 wrote to memory of 2376	4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe	94
PID 4212 wrote to memory of 2376	4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe	94
PID 4212 wrote to memory of 2376	4212	{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe	94
PID 5008 wrote to memory of 3412	5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe	97
PID 5008 wrote to memory of 3412	5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe	97
PID 5008 wrote to memory of 3412	5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe	97
PID 5008 wrote to memory of 4448	5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe	96
PID 5008 wrote to memory of 4448	5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe	96
PID 5008 wrote to memory of 4448	5008	{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe	96
PID 3412 wrote to memory of 1236	3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe	99
PID 3412 wrote to memory of 1236	3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe	99
PID 3412 wrote to memory of 1236	3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe	99
PID 3412 wrote to memory of 1192	3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe	98
PID 3412 wrote to memory of 1192	3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe	98
PID 3412 wrote to memory of 1192	3412	{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe	98
PID 1236 wrote to memory of 2540	1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe	100
PID 1236 wrote to memory of 2540	1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe	100
PID 1236 wrote to memory of 2540	1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe	100
PID 1236 wrote to memory of 3532	1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe	101
PID 1236 wrote to memory of 3532	1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe	101
PID 1236 wrote to memory of 3532	1236	{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe	101
PID 2540 wrote to memory of 4640	2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe	102
PID 2540 wrote to memory of 4640	2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe	102
PID 2540 wrote to memory of 4640	2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe	102
PID 2540 wrote to memory of 4356	2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe	103
PID 2540 wrote to memory of 4356	2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe	103
PID 2540 wrote to memory of 4356	2540	{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe	103
PID 4640 wrote to memory of 2740	4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe	104
PID 4640 wrote to memory of 2740	4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe	104
PID 4640 wrote to memory of 2740	4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe	104
PID 4640 wrote to memory of 1736	4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe	105
PID 4640 wrote to memory of 1736	4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe	105
PID 4640 wrote to memory of 1736	4640	{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe	105
PID 2740 wrote to memory of 2880	2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe	106
PID 2740 wrote to memory of 2880	2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe	106
PID 2740 wrote to memory of 2880	2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe	106
PID 2740 wrote to memory of 1584	2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe	107
PID 2740 wrote to memory of 1584	2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe	107
PID 2740 wrote to memory of 1584	2740	{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe	107
PID 2880 wrote to memory of 1944	2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe	108
PID 2880 wrote to memory of 1944	2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe	108
PID 2880 wrote to memory of 1944	2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe	108
PID 2880 wrote to memory of 2980	2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe	109
PID 2880 wrote to memory of 2980	2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe	109
PID 2880 wrote to memory of 2980	2880	{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe	109
PID 1944 wrote to memory of 4524	1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe	110
PID 1944 wrote to memory of 4524	1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe	110
PID 1944 wrote to memory of 4524	1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe	110
PID 1944 wrote to memory of 2432	1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe	111
PID 1944 wrote to memory of 2432	1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe	111
PID 1944 wrote to memory of 2432	1944	{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe	111
PID 4524 wrote to memory of 636	4524	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe	112
PID 4524 wrote to memory of 636	4524	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe	112
PID 4524 wrote to memory of 636	4524	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe	112
PID 4524 wrote to memory of 4036	4524	{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_60963c9fe998a92198f04daae00c2d77_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe
  C:\Windows\{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe
    C:\Windows\{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67C1F~1.EXE > nul
      4⤵
      PID:4448
  - - C:\Windows\{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe
      C:\Windows\{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C9B1~1.EXE > nul
        5⤵
        
        PID:1192
    - - C:\Windows\{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe
        
        C:\Windows\{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe
        
        C:\Windows\{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe
        
        C:\Windows\{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe
        
        C:\Windows\{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe
        
        C:\Windows\{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe
        
        C:\Windows\{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe
        
        C:\Windows\{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe
        
        C:\Windows\{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}.exe
        
        C:\Windows\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E5BE~1.EXE > nul
        13⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E67~1.EXE > nul
        12⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E529D~1.EXE > nul
        11⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D77~1.EXE > nul
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E7A3~1.EXE > nul
        9⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8604A~1.EXE > nul
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5AE5~1.EXE > nul
        7⤵
        
        PID:4356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F30~1.EXE > nul
        6⤵
        
        PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{05FC1~1.EXE > nul
    3⤵
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05FC1FDC-D7F0-45a7-AE53-1ED17CD7E522}.exe

Filesize
344KB

MD5
beb94c034a9c5120d430483f106f6205

SHA1
9f5cd7f0c27dbfd5d66d47f24d6b605ee9bb8222

SHA256
14e836e46c809711614549c57702dd58bfe073271092c2b5edd777f1226db211

SHA512
fe27f6acceeb5802c65ee0b19a65321a54cf5f5aa1b7620652ca5035f955c6a65d732ae62332cad6a3212a0f90560b101997e71e9186f8be391cc8a4e6c148a9

Download Submit
C:\Windows\{1E5BE76D-BE34-4f7f-86BE-8CF990B4B6BE}.exe

Filesize
344KB

MD5
3a9ed551d8b19c5d3a891011e3cb1c76

SHA1
757f0954307d1332df90a15bd710304e9b1ba2a9

SHA256
297def37255be5a041e8e6048c27aa85f9d492d960421180d85705cfe7ec5149

SHA512
9cf3d97b504e2a26e71eb26630b3594a432995ebe6974f1e55fb1854e7c457a77639ce3ce1df1ab19ecd4e8e87359d1b46b06b9b9cc40ae6022dfae5115e5cd0

Download Submit
C:\Windows\{67C1F96D-4909-4fe6-AD00-AF34A35C44D7}.exe

Filesize
344KB

MD5
5ff64af372ed5b84bf459062a396b2fe

SHA1
bfb235def1d6ca22cdb79716cf473c960ba4d2b5

SHA256
5d571e87d74b0886b2f5ff5ef0546ac70aa79c461b399f8dcbf6c598f25470f7

SHA512
aafc071ee6b0f9ece2a141941cb9a07d79e5dd99ad346719ba31c1cd2dd6d9c1526b9b2ea465195193133be16acaa6874d321c335c7001c6c32aaaa70d7b31a1

Download Submit
C:\Windows\{6C9B1B1D-5343-4f42-8DAD-2F1B9B408BC5}.exe

Filesize
344KB

MD5
8a2be68ef01e115e4ac8f62df19cd879

SHA1
478224f2e380444a0348dc0526ea7ee8a18a9e09

SHA256
0591a04b5b2aab85e32d41fff83f578fcb9f1964c7d597eacf1a6d73436b74f9

SHA512
1eb2ff07872ab230b224b6dbfaf609077d58bdb3fa7bbe2320ae35e59dd27dd7921baf1c7d1f67e9357d0371e8b4ded3f7029591595398c631effcc291edfc0d

Download Submit
C:\Windows\{8604A599-08AB-4a8e-A83B-6C150CD4A8BD}.exe

Filesize
344KB

MD5
ee308beb3c91b49a8c21d9f6bba707b8

SHA1
a0e3f0db84e18d7255970a5955cfdae5f0e36749

SHA256
534854a36500d31f223b1c5eac7685db3b5654e2258aa3bd85d05ef41aca8468

SHA512
05588ffd6242959777f08b4fa4fb6ea053674cea35ef4139ef7009acf8f870cdc7152bcb13d592e76da695f067a0f19ede22e0d4e6ac44c59ec2f24fb8b79cb7

Download Submit
C:\Windows\{87D77B6E-BF87-4c35-A9D6-CB2BD8225CB4}.exe

Filesize
344KB

MD5
633bbcd65a5b518859883a2ebd57fc04

SHA1
373569639f6da251f06135b099aa56e534399f93

SHA256
9dbe924a8f00ca9da88a79f64ec2099967ba2b52832badfce79d7fbf139f2fed

SHA512
fa5ada42f4fb55206372bb7935260c1480054d38071f49c373c72e2f4bd233a9979549d95fff2d69b07e61706e2bc0fb7b56dd6b47f3c195dbee9e2917190659

Download Submit
C:\Windows\{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe

Filesize
128KB

MD5
9e292cd02dfc61d278b678927cc1ccb1

SHA1
1123fce0e615d0483cb32918ad32382f02dcb21f

SHA256
5f0be7e63b5fabbbf748bfd928066987dc189c43a29cb28e7f9eef499d180b3a

SHA512
cd7ea71728728c174672ab61fd55c6ac4b8363f3f806df40597d012231ff86a8c3326953c49c48e086ca2dc1748d5bc74dc4c2575fe8c8698d3686840564acd3

Download Submit
C:\Windows\{9E7A336A-D55F-40b0-AE60-C4966073DE01}.exe

Filesize
179KB

MD5
c75de28cb089b6cb8717759e0c3b7fc9

SHA1
c36c20ca80956a144b85a43fab20c9e1d7631c81

SHA256
56ee2849e3c7745c9c00fa0b2dfb5a1c6bca45209ba501ea260077c85ba9a63f

SHA512
dcc79732fdbff54f1e495e68da1828bbaee07f0cf78c6823a33951741357aab7e0f7f8e3627fceb985e37ab5eb8bafd8a8ce753ffb8cf3138161e06f873227f9

Download Submit
C:\Windows\{C3E6734C-977F-4ab4-8609-E03F62DAFBF7}.exe

Filesize
344KB

MD5
19c387233806cf2a3d157b908b7982e3

SHA1
eabcc8fa8372c5a01bb456c73e96b3c869c329cc

SHA256
a24448c8fba93a176a3bbb6be13162f68ef1c77d23ee6c4a61187c6ab0cece5b

SHA512
5e48363f1e475fb0ebcace1f827bd8739989513270b091a6480ab160301a759c4569f26ba34911acfe727b857605bf140baf52318a09aeafd8dc15ef0b69ab6d

Download Submit
C:\Windows\{C8F30BD4-CF71-430c-A56F-367C4A10BD7A}.exe

Filesize
344KB

MD5
70a4f011de62f7fa801f7d33e8ca15e1

SHA1
631503447bda7dd7ea9da19b56de0c9e2bb356d9

SHA256
bd36f0145b3f4cb966aa134572b8e5d9137cc94be8016f367cffb5c704b59524

SHA512
c914e737f1a323f587f28d2dcb1d0c4ab74ffeb97e64531f551a3dd278dd1b8bd9b7e917502eb498d4e68c84570c19c79a0463f0ffbfbb2a5b131470e62c2692

Download Submit
C:\Windows\{E529D7B8-3C00-4a85-AACD-4E3F7C60B8C4}.exe

Filesize
344KB

MD5
554433d6aafa9d26b9d1b19f824acf89

SHA1
34acde14e6ddaf5ddd1a0ce435d043999f2c68ae

SHA256
f3d40bdfe25cb395b6de7ec072e80c7bc101147cfa8e43c5d553ce4aa8710336

SHA512
012e0911e14d65e854a88461dcd2257904aa61f6b97777122fb405dd990192a7c5bcd245adf67632f890dddfd22b75ba9a37b12624a53ec5153c0d204b114e1f

Download Submit
C:\Windows\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}.exe

Filesize
200KB

MD5
9a3f681ae2962f7db00feea9d3d74052

SHA1
35592273a66dadec3e5b373e0e8eb68342d4e4b9

SHA256
39def7a4450f483ba8607f6a4419dc90eb22afa7bfb1dcd2798093bae7705d6c

SHA512
95fc76d03bd9b8e9598f911951a5a15f66c8e8cc84acd5c311f451eafe046c17c08e7278c021a685511293b5748f6758ade70991a14442a55a19806060f87861

Download Submit
C:\Windows\{F0D23F21-EDB8-4f35-B2C3-A0B8ACC5E36A}.exe

Filesize
344KB

MD5
65c776155cce67bb6f9ff26b7c31a659

SHA1
ba59ab60d69abd5cc6460815ba3d77b05eb67546

SHA256
236a9e0b093142ab1b99a1439c17b9c4324454e7d7bb15e4e813ecc8ec8064bd

SHA512
0ac0031c19796a0edf985e3fb0bf84ea591dc322e4df308d170d32053bfd221e8191af4d12d544c47adae0c8c42943e286eca175d221db51c2db0dd1ee31ae6e

Download Submit
C:\Windows\{F5AE59FF-7BC1-49ed-95DB-0EA7797E938F}.exe

Filesize
344KB

MD5
d5edb3d291bac8e55367d45635beca13

SHA1
e8fc2569526f1c4027fd9e4c05f7947c45b30f7a

SHA256
a5854e6ce985534490ce84580c677348bbe271b34c5ceb6465a2598e2dfcae4b

SHA512
5eb5d7a4aa88929a02aa62e197e0d93a7eb1421992721210e57f067df92e1352a06cef5885eaee00deecfac8a41fdac98ea66b44d5a451ccb3ebaca9b9451a7a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads