f5c77124849f222e202a9e5af4459864eb63d2995b925a1f91292c3beb3acc3c

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 19:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe
Size

216KB
MD5

6ee06b396bfe2570cac66fc35fbfddc6
SHA1

de0d4a0a44fa09e4775aa782128cc7e49a8157b4
SHA256

f5c77124849f222e202a9e5af4459864eb63d2995b925a1f91292c3beb3acc3c
SHA512

6a3136720af726371220f0157e0ecb597e3ed9f270e3090a9565ed4a3eef5e4d6cb7663181af59fb1c6c41eb049e6c906b7377bd4ac03348250815b8d0e0a50f
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGqlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002310a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023116-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002311c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023116-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023116-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002311c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}\stubpath = "C:\\Windows\\{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe"	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7901D48F-D82A-40c5-AA28-27EC401B8F28}\stubpath = "C:\\Windows\\{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe"	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95C03C63-8ED0-46eb-A306-59520CB860A3}	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95C03C63-8ED0-46eb-A306-59520CB860A3}\stubpath = "C:\\Windows\\{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe"	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22984C94-9C84-4d3b-A781-6DA4B545637C}\stubpath = "C:\\Windows\\{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe"	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}\stubpath = "C:\\Windows\\{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe"	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}\stubpath = "C:\\Windows\\{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe"	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}\stubpath = "C:\\Windows\\{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe"	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A305B17D-2C29-401e-9A73-3DDDC6268A17}	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A305B17D-2C29-401e-9A73-3DDDC6268A17}\stubpath = "C:\\Windows\\{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe"	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D71E6259-862C-494c-881E-9F119F697B60}\stubpath = "C:\\Windows\\{D71E6259-862C-494c-881E-9F119F697B60}.exe"	{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080824CD-CDA8-41ec-84D6-ACE11DA95302}\stubpath = "C:\\Windows\\{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe"	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7901D48F-D82A-40c5-AA28-27EC401B8F28}	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}\stubpath = "C:\\Windows\\{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe"	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080824CD-CDA8-41ec-84D6-ACE11DA95302}	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64C41681-3508-40f6-A2D6-B817ABE8095F}	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64C41681-3508-40f6-A2D6-B817ABE8095F}\stubpath = "C:\\Windows\\{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe"	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22984C94-9C84-4d3b-A781-6DA4B545637C}	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D71E6259-862C-494c-881E-9F119F697B60}	{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe

Executes dropped EXE 12 IoCs

pid	Process
3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe
1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe
4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe
3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe
1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe
2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe
956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe
1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe
852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe
3816	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe
2004	{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe
2968	{D71E6259-862C-494c-881E-9F119F697B60}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe
File created	C:\Windows\{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe
File created	C:\Windows\{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe
File created	C:\Windows\{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe
File created	C:\Windows\{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe
File created	C:\Windows\{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe
File created	C:\Windows\{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe
File created	C:\Windows\{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe
File created	C:\Windows\{D71E6259-862C-494c-881E-9F119F697B60}.exe	{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe
File created	C:\Windows\{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe
File created	C:\Windows\{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe
File created	C:\Windows\{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1596	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe
Token: SeIncBasePriorityPrivilege	1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe
Token: SeIncBasePriorityPrivilege	4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe
Token: SeIncBasePriorityPrivilege	3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe
Token: SeIncBasePriorityPrivilege	1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe
Token: SeIncBasePriorityPrivilege	2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe
Token: SeIncBasePriorityPrivilege	956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe
Token: SeIncBasePriorityPrivilege	1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe
Token: SeIncBasePriorityPrivilege	852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe
Token: SeIncBasePriorityPrivilege	3816	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe
Token: SeIncBasePriorityPrivilege	2004	{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3244	1596	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe	82
PID 1596 wrote to memory of 3244	1596	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe	82
PID 1596 wrote to memory of 3244	1596	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe	82
PID 1596 wrote to memory of 3080	1596	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe	83
PID 1596 wrote to memory of 3080	1596	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe	83
PID 1596 wrote to memory of 3080	1596	2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe	83
PID 3244 wrote to memory of 1128	3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe	91
PID 3244 wrote to memory of 1128	3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe	91
PID 3244 wrote to memory of 1128	3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe	91
PID 3244 wrote to memory of 2264	3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe	92
PID 3244 wrote to memory of 2264	3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe	92
PID 3244 wrote to memory of 2264	3244	{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe	92
PID 1128 wrote to memory of 4424	1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe	94
PID 1128 wrote to memory of 4424	1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe	94
PID 1128 wrote to memory of 4424	1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe	94
PID 1128 wrote to memory of 4584	1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe	95
PID 1128 wrote to memory of 4584	1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe	95
PID 1128 wrote to memory of 4584	1128	{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe	95
PID 4424 wrote to memory of 3464	4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe	96
PID 4424 wrote to memory of 3464	4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe	96
PID 4424 wrote to memory of 3464	4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe	96
PID 4424 wrote to memory of 3772	4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe	97
PID 4424 wrote to memory of 3772	4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe	97
PID 4424 wrote to memory of 3772	4424	{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe	97
PID 3464 wrote to memory of 1768	3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe	98
PID 3464 wrote to memory of 1768	3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe	98
PID 3464 wrote to memory of 1768	3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe	98
PID 3464 wrote to memory of 1084	3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe	99
PID 3464 wrote to memory of 1084	3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe	99
PID 3464 wrote to memory of 1084	3464	{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe	99
PID 1768 wrote to memory of 2800	1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe	100
PID 1768 wrote to memory of 2800	1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe	100
PID 1768 wrote to memory of 2800	1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe	100
PID 1768 wrote to memory of 2812	1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe	101
PID 1768 wrote to memory of 2812	1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe	101
PID 1768 wrote to memory of 2812	1768	{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe	101
PID 2800 wrote to memory of 956	2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe	102
PID 2800 wrote to memory of 956	2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe	102
PID 2800 wrote to memory of 956	2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe	102
PID 2800 wrote to memory of 1212	2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe	103
PID 2800 wrote to memory of 1212	2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe	103
PID 2800 wrote to memory of 1212	2800	{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe	103
PID 956 wrote to memory of 1184	956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe	104
PID 956 wrote to memory of 1184	956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe	104
PID 956 wrote to memory of 1184	956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe	104
PID 956 wrote to memory of 1312	956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe	105
PID 956 wrote to memory of 1312	956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe	105
PID 956 wrote to memory of 1312	956	{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe	105
PID 1184 wrote to memory of 852	1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe	106
PID 1184 wrote to memory of 852	1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe	106
PID 1184 wrote to memory of 852	1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe	106
PID 1184 wrote to memory of 4952	1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe	107
PID 1184 wrote to memory of 4952	1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe	107
PID 1184 wrote to memory of 4952	1184	{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe	107
PID 852 wrote to memory of 3816	852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe	108
PID 852 wrote to memory of 3816	852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe	108
PID 852 wrote to memory of 3816	852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe	108
PID 852 wrote to memory of 2516	852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe	109
PID 852 wrote to memory of 2516	852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe	109
PID 852 wrote to memory of 2516	852	{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe	109
PID 3816 wrote to memory of 2004	3816	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe	110
PID 3816 wrote to memory of 2004	3816	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe	110
PID 3816 wrote to memory of 2004	3816	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe	110
PID 3816 wrote to memory of 2164	3816	{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_6ee06b396bfe2570cac66fc35fbfddc6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe
  C:\Windows\{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe
    C:\Windows\{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe
      C:\Windows\{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe
        
        C:\Windows\{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
      - C:\Windows\{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe
        
        C:\Windows\{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe
        
        C:\Windows\{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe
        
        C:\Windows\{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe
        
        C:\Windows\{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe
        
        C:\Windows\{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe
        
        C:\Windows\{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe
        
        C:\Windows\{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{D71E6259-862C-494c-881E-9F119F697B60}.exe
        
        C:\Windows\{D71E6259-862C-494c-881E-9F119F697B60}.exe
        13⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A305B~1.EXE > nul
        13⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F4CD~1.EXE > nul
        12⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59AD7~1.EXE > nul
        11⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD7D4~1.EXE > nul
        10⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13D46~1.EXE > nul
        9⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22984~1.EXE > nul
        8⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95C03~1.EXE > nul
        7⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C41~1.EXE > nul
        6⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7901D~1.EXE > nul
        5⤵
        
        PID:3772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FE92~1.EXE > nul
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{08082~1.EXE > nul
    3⤵
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{080824CD-CDA8-41ec-84D6-ACE11DA95302}.exe

Filesize
216KB

MD5
045723a64e02e26c5464259f41153659

SHA1
dd9fb6133328d738a4a4c30f67a3abfb5b0e378b

SHA256
dcb351f17c7a66e9cf251348e916bb84e68f0706b16bbfaed4c4365a4d432288

SHA512
fc9bd5674ebb9202d19d5238553a0f89c6c3367a20af1a8e9b11fd30dab67147e7cc966a4bcc700633b487539e5343089dbfd876139c6b774f265a0e4c5db455

Download Submit
C:\Windows\{13D468DF-CFAD-42d8-89A4-9AC3FBE774AE}.exe

Filesize
216KB

MD5
a88fe4e875ee506684cfbebff7fb9dc4

SHA1
2a8bd2d52a69ac2811462f69c044dd626608ae66

SHA256
56a3fe69435ad94d065baf7c6f2de1e87670b710b62fc311dd23d4ae49ca6fc1

SHA512
4c817a7c14b27a1a86150a975c8a9b282b3a4e72e70af65d178469eed94e8713f97977c4ebe00d54d2da8b17740548d81e54d636638778f4b8ba451ae42eaa65

Download Submit
C:\Windows\{22984C94-9C84-4d3b-A781-6DA4B545637C}.exe

Filesize
216KB

MD5
3aa1393f3ed65e12a4a17295ff6c187a

SHA1
915cc3acaeedcd8f1d57682a5ca8ec12e68c56c5

SHA256
da766230968118455b41b5bb439c3a5faa7fec23344bcb527efeb22889c13675

SHA512
84a63077c9f9a516e8c715a07de6af5ef15def4ea8193317ab4992de83c4ad2a6cb5a9a2f82c2a3246077d05f0d57a9d515797cf3a79255664d62f8da2e7473d

Download Submit
C:\Windows\{4F4CD0D6-1AE5-4557-ABFB-775CE5A79B4D}.exe

Filesize
216KB

MD5
5a43b4952ed4666d44dbd4f7b9d49a1c

SHA1
0eada3fe94fea9d92d16ec6444c5694b3ed4c7b6

SHA256
2aaa7f3a49b664800c1a6ba8f77171c1ebf1045286a19681f0206a1aa58ee4d2

SHA512
8f37757cec56500a43b1db1545708db3092a91f06094d8268a8d1d7bac6f3c5daf37b3701b2cd09f8206f31f82d320dae181a56b05b48ec66039677ccb596d02

Download Submit
C:\Windows\{59AD7C27-5D9D-4f21-BBDE-856A4F19FD87}.exe

Filesize
216KB

MD5
4b33a15b252524650169668be2582138

SHA1
99fbece92a8dc4b91871bdcf1098db6106240556

SHA256
0ae28d7a703dc75fae431629f7d9f0e796ae6c26189720529d93cbbc8ccb8fac

SHA512
807ce7e2464a7e6ae7244fa72f8343378ad5d09a703835f47be2669823693a6e9b6dd378b2e5aeb3a4493f779558fbfd1617426f9510e262a4f6f24ef97a83bb

Download Submit
C:\Windows\{5FE92261-DE9B-4d76-8EE8-D29FB7F82135}.exe

Filesize
216KB

MD5
d9600225423a84074ee1892909026699

SHA1
1caa43bd9cfe82ecd859053b8d5ba9fd32b34cfb

SHA256
737194fde34b22a224167ee0f83ee58dc89067a1c38e50a8b805492c455a8c9c

SHA512
304278c4b976f46539ce95e4feac99257be40e4ba431e00cebda1d08d050e2adcc83cc6270145a3d5a05299623f18b018482db96121bf05b611ddec8efd7e363

Download Submit
C:\Windows\{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe

Filesize
216KB

MD5
18d250fdbfb93c2db6cceb32a9bd606d

SHA1
2e736f504a610be97f46fdc37037a87e0207156c

SHA256
a1f099a057d56a4522e724f0143484ebe6aee2d69675e61bb2b57daca2ad6229

SHA512
7cde9bf836e30eef36ce50252c8032ba836690506a7e78a5208e6d97fff255289f524000474d515c8a27deebe3f6188c8dd92fc19277d0f92162c4b1b94128b6

Download Submit
C:\Windows\{64C41681-3508-40f6-A2D6-B817ABE8095F}.exe

Filesize
176KB

MD5
535b5eb3c33e44384766737ea737bea8

SHA1
2626166545bfbabe33541c4a824f8087ac84d2e4

SHA256
b9311834ad6a7e45262ecfd50b42c98bfd2c27153d914e7a47c43735d3dd34ac

SHA512
b1a242e8e513c7835828726df65883ad087411f96e8b63db793db190c0dee8cfb1d5ad8e8e34ee2ca1cbf990cb21015c319af1e69092a7240864a01aeb6a7f46

Download Submit
C:\Windows\{7901D48F-D82A-40c5-AA28-27EC401B8F28}.exe

Filesize
216KB

MD5
7853b68076ae4b1a205642f4792d3258

SHA1
dcc300967ed411404d57150606f30c43bd5ed2ef

SHA256
9cd881c05747182b6828abf92ee9fbd2cbbad209170608b304b95530330d45fe

SHA512
c08499b5cba545e22fc67351a80ef899b4ee44b10a38aba4fba46c5a4e87282a664bbb545b7176c40dc98cb6960fcfa712011f96d58c0d0c40362e729f1b0d06

Download Submit
C:\Windows\{95C03C63-8ED0-46eb-A306-59520CB860A3}.exe

Filesize
216KB

MD5
5278af1a598a7b564189283e710f829e

SHA1
3288a7fc12ed31b0e74f7684016f549d09808e36

SHA256
8ab4d813ef245d52349c4f6d5fd267e601db8f712f8fed16dcf66b593f69ef62

SHA512
b01268b4d0ec19c6fae192cda276ebbcb93c6dbf3a91a8ae05ed4a1b758dc147d52c1127f7939cc1d6e41dc486cc1d670540515ec1ba9c84d32225d7d18b3b08

Download Submit
C:\Windows\{A305B17D-2C29-401e-9A73-3DDDC6268A17}.exe

Filesize
216KB

MD5
0df305e26eadcc5f43f531b53fe6f895

SHA1
0feb8b9e67d06c644627ff2dcebf5aea85bb3fbb

SHA256
16073436579ea2457060a7780db752605f44a011516bd52104f5403d36ae33b8

SHA512
db973989a4131a1b7b888007514993a05c7f05f13b144f19f63dc324f66f507a5799b85343f13e5d92c0f5ac6d1a1e51728e983d3cd56e21e0e12d88659a04f3

Download Submit
C:\Windows\{CD7D44F5-CA85-42f5-92AE-3D0B25B7C12D}.exe

Filesize
216KB

MD5
9f84f84cf08dcd5d017d40ce1a1cdef0

SHA1
f6283488adda71a2ee55e402e4850de7533ecb3c

SHA256
3db983b4b562cc069f7aad847acca6adcaec22e19522111452e25c787c2347b3

SHA512
7fc2a5f9de3053454370bc99de8888be42ac47e683f2812e4ec7fbca35ccde4f6dad95dacee34194b8a6da2c410446239f45ec30c86c11a5435f910db0074a8d

Download Submit
C:\Windows\{D71E6259-862C-494c-881E-9F119F697B60}.exe

Filesize
216KB

MD5
f2e041dcbc87c218cc508ce22d1ccfcf

SHA1
53ab690107c07e2bab6b9874996f5a9c07ff8850

SHA256
c3a2519085972fb6889c5978e18aec07487c3053f5848c368556dcb93e486ae8

SHA512
520b2a731d2075d03a0fd511586c351f085f682f84763a652d0569979fbdce65971bc18de81b9f0c82cd65aefcd7ba175c6af32605391271f0e5c84fb447e97f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads