ead1c1be9af8396f66fd161f2c91b07c542d9174df516327fa7a1aeff1b60e3c

Analysis

max time kernel
151s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe
Size

408KB
MD5

ebde00a8d2cb913906981af18ef09ec1
SHA1

cc8bc14d768772428701970d5f13ccf4af650e0d
SHA256

ead1c1be9af8396f66fd161f2c91b07c542d9174df516327fa7a1aeff1b60e3c
SHA512

6ecff9d22abce2fedf0b52156b9c39bc57fb69271ffb213c80a5405568c31a3147d6b83db23e7d6e49794d2a5ba13269325db3b50da50ff7a3cb70e24eb57ad7
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGuldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x000600000002311d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002311f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023130-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023130-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023130-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023008-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002311f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}\stubpath = "C:\\Windows\\{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe"	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94A96DA-5320-4721-B264-3730E969CCBA}\stubpath = "C:\\Windows\\{A94A96DA-5320-4721-B264-3730E969CCBA}.exe"	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D933B6-0C77-4154-804A-F91B65F7D579}	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A218D252-8788-4b8f-AD65-7DAD684825BB}	{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E562C7A4-4C45-4da8-B653-4D32B03EE960}	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E562C7A4-4C45-4da8-B653-4D32B03EE960}\stubpath = "C:\\Windows\\{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe"	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90302FD-E7FC-4f9b-9A62-497E5F95A378}	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}\stubpath = "C:\\Windows\\{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe"	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}	{76108225-1ED8-4c07-A074-88E8175E583A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}\stubpath = "C:\\Windows\\{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe"	{76108225-1ED8-4c07-A074-88E8175E583A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94A96DA-5320-4721-B264-3730E969CCBA}	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F004CAB8-A384-4a87-AF23-658CD93653E7}	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A218D252-8788-4b8f-AD65-7DAD684825BB}\stubpath = "C:\\Windows\\{A218D252-8788-4b8f-AD65-7DAD684825BB}.exe"	{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}\stubpath = "C:\\Windows\\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe"	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90302FD-E7FC-4f9b-9A62-497E5F95A378}\stubpath = "C:\\Windows\\{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe"	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D933B6-0C77-4154-804A-F91B65F7D579}\stubpath = "C:\\Windows\\{24D933B6-0C77-4154-804A-F91B65F7D579}.exe"	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}\stubpath = "C:\\Windows\\{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe"	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76108225-1ED8-4c07-A074-88E8175E583A}	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76108225-1ED8-4c07-A074-88E8175E583A}\stubpath = "C:\\Windows\\{76108225-1ED8-4c07-A074-88E8175E583A}.exe"	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F004CAB8-A384-4a87-AF23-658CD93653E7}\stubpath = "C:\\Windows\\{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe"	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe

Executes dropped EXE 12 IoCs

pid	Process
3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe
1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe
4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe
924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe
1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe
3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe
116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe
4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe
4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe
2328	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe
3752	{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe
3728	{A218D252-8788-4b8f-AD65-7DAD684825BB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe
File created	C:\Windows\{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe
File created	C:\Windows\{A94A96DA-5320-4721-B264-3730E969CCBA}.exe	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe
File created	C:\Windows\{24D933B6-0C77-4154-804A-F91B65F7D579}.exe	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe
File created	C:\Windows\{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe
File created	C:\Windows\{76108225-1ED8-4c07-A074-88E8175E583A}.exe	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe
File created	C:\Windows\{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe	{76108225-1ED8-4c07-A074-88E8175E583A}.exe
File created	C:\Windows\{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe
File created	C:\Windows\{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe
File created	C:\Windows\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe
File created	C:\Windows\{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe
File created	C:\Windows\{A218D252-8788-4b8f-AD65-7DAD684825BB}.exe	{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2572	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe
Token: SeIncBasePriorityPrivilege	1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe
Token: SeIncBasePriorityPrivilege	4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe
Token: SeIncBasePriorityPrivilege	924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe
Token: SeIncBasePriorityPrivilege	1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe
Token: SeIncBasePriorityPrivilege	3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe
Token: SeIncBasePriorityPrivilege	116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe
Token: SeIncBasePriorityPrivilege	4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe
Token: SeIncBasePriorityPrivilege	4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe
Token: SeIncBasePriorityPrivilege	2328	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe
Token: SeIncBasePriorityPrivilege	3752	{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3296	2572	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe	84
PID 2572 wrote to memory of 3296	2572	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe	84
PID 2572 wrote to memory of 3296	2572	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe	84
PID 2572 wrote to memory of 4932	2572	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe	85
PID 2572 wrote to memory of 4932	2572	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe	85
PID 2572 wrote to memory of 4932	2572	2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe	85
PID 3296 wrote to memory of 1120	3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe	88
PID 3296 wrote to memory of 1120	3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe	88
PID 3296 wrote to memory of 1120	3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe	88
PID 3296 wrote to memory of 1800	3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe	89
PID 3296 wrote to memory of 1800	3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe	89
PID 3296 wrote to memory of 1800	3296	{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe	89
PID 1120 wrote to memory of 4616	1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe	97
PID 1120 wrote to memory of 4616	1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe	97
PID 1120 wrote to memory of 4616	1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe	97
PID 1120 wrote to memory of 3444	1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe	96
PID 1120 wrote to memory of 3444	1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe	96
PID 1120 wrote to memory of 3444	1120	{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe	96
PID 4616 wrote to memory of 924	4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe	99
PID 4616 wrote to memory of 924	4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe	99
PID 4616 wrote to memory of 924	4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe	99
PID 4616 wrote to memory of 1068	4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe	98
PID 4616 wrote to memory of 1068	4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe	98
PID 4616 wrote to memory of 1068	4616	{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe	98
PID 924 wrote to memory of 1784	924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe	101
PID 924 wrote to memory of 1784	924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe	101
PID 924 wrote to memory of 1784	924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe	101
PID 924 wrote to memory of 3624	924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe	100
PID 924 wrote to memory of 3624	924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe	100
PID 924 wrote to memory of 3624	924	{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe	100
PID 1784 wrote to memory of 3184	1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe	102
PID 1784 wrote to memory of 3184	1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe	102
PID 1784 wrote to memory of 3184	1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe	102
PID 1784 wrote to memory of 3904	1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe	103
PID 1784 wrote to memory of 3904	1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe	103
PID 1784 wrote to memory of 3904	1784	{A94A96DA-5320-4721-B264-3730E969CCBA}.exe	103
PID 3184 wrote to memory of 116	3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe	104
PID 3184 wrote to memory of 116	3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe	104
PID 3184 wrote to memory of 116	3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe	104
PID 3184 wrote to memory of 1508	3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe	105
PID 3184 wrote to memory of 1508	3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe	105
PID 3184 wrote to memory of 1508	3184	{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe	105
PID 116 wrote to memory of 4992	116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe	106
PID 116 wrote to memory of 4992	116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe	106
PID 116 wrote to memory of 4992	116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe	106
PID 116 wrote to memory of 2804	116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe	107
PID 116 wrote to memory of 2804	116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe	107
PID 116 wrote to memory of 2804	116	{24D933B6-0C77-4154-804A-F91B65F7D579}.exe	107
PID 4992 wrote to memory of 4076	4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe	108
PID 4992 wrote to memory of 4076	4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe	108
PID 4992 wrote to memory of 4076	4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe	108
PID 4992 wrote to memory of 1376	4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe	109
PID 4992 wrote to memory of 1376	4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe	109
PID 4992 wrote to memory of 1376	4992	{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe	109
PID 4076 wrote to memory of 2328	4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe	110
PID 4076 wrote to memory of 2328	4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe	110
PID 4076 wrote to memory of 2328	4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe	110
PID 4076 wrote to memory of 1600	4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe	111
PID 4076 wrote to memory of 1600	4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe	111
PID 4076 wrote to memory of 1600	4076	{76108225-1ED8-4c07-A074-88E8175E583A}.exe	111
PID 2328 wrote to memory of 3752	2328	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe	112
PID 2328 wrote to memory of 3752	2328	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe	112
PID 2328 wrote to memory of 3752	2328	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe	112
PID 2328 wrote to memory of 2680	2328	{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_ebde00a8d2cb913906981af18ef09ec1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe
  C:\Windows\{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe
    C:\Windows\{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E562C~1.EXE > nul
      4⤵
      PID:3444
  - - C:\Windows\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe
      C:\Windows\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2E3D~1.EXE > nul
        5⤵
        
        PID:1068
    - - C:\Windows\{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe
        
        C:\Windows\{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9030~1.EXE > nul
        6⤵
        
        PID:3624
      - C:\Windows\{A94A96DA-5320-4721-B264-3730E969CCBA}.exe
        
        C:\Windows\{A94A96DA-5320-4721-B264-3730E969CCBA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe
        
        C:\Windows\{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\{24D933B6-0C77-4154-804A-F91B65F7D579}.exe
        
        C:\Windows\{24D933B6-0C77-4154-804A-F91B65F7D579}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe
        
        C:\Windows\{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{76108225-1ED8-4c07-A074-88E8175E583A}.exe
        
        C:\Windows\{76108225-1ED8-4c07-A074-88E8175E583A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe
        
        C:\Windows\{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe
        
        C:\Windows\{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
        
        C:\Windows\{A218D252-8788-4b8f-AD65-7DAD684825BB}.exe
        
        C:\Windows\{A218D252-8788-4b8f-AD65-7DAD684825BB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F004C~1.EXE > nul
        13⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91E36~1.EXE > nul
        12⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76108~1.EXE > nul
        11⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8E9B~1.EXE > nul
        10⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24D93~1.EXE > nul
        9⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72C76~1.EXE > nul
        8⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A94A9~1.EXE > nul
        7⤵
        
        PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{28D7A~1.EXE > nul
    3⤵
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24D933B6-0C77-4154-804A-F91B65F7D579}.exe

Filesize
408KB

MD5
806c94ce13f63033d53423a6dcdb5200

SHA1
f591317ad9975fe51a2c54a7f5c7d47af5aeefa4

SHA256
151e6ec53d8a1a942718785e2946b3c7c800ad702bfad3387627b501953fb97b

SHA512
2b01e02fdf00489c46cd01134b2d901a654ff7460d49c09a6cf99e28838426704aa3745e8e87228ea3e57ce7747a57c123e2146311db5036857d39042b1e7dcf

Download Submit
C:\Windows\{28D7ACDC-FD74-4537-8B5A-A507EE0D08EC}.exe

Filesize
408KB

MD5
790163d544e49999f82d7ea7ac83e848

SHA1
6b41d5152d2e059b857f8cccc9897f4de1709a76

SHA256
f4b1af3aa868b69e540c1438dc65392e8390f4c8e38c5954afc5eede4986b666

SHA512
0d10470121634f25465250536a436d77b547a622f486d602c7e5d714e216ab9b064ceb0463aa8bd699131c3297f7a25ae4cbaa339fa29a5822cce9a067ff6049

Download Submit
C:\Windows\{72C76B50-BC9C-4d3c-B4CA-D66DEE5957CD}.exe

Filesize
408KB

MD5
2c078e4e9a12742d1a77e302b1b0988f

SHA1
cc3f3e8dcab34e1ff177355f774e8cf601321c25

SHA256
48f53f3627f68a285201e59864ecd3ae992add72ee6ff897c49a59804ed858ea

SHA512
f899b794699cc25a0d050485ebe1354f7cfc8c8f92e9dd587a2219150d34f6b2371b410cbf8f32c54a6457a3fb7421b602b1987a57427325359d9a9a15bb9218

Download Submit
C:\Windows\{76108225-1ED8-4c07-A074-88E8175E583A}.exe

Filesize
408KB

MD5
8c828a68ab4a211acaee9625f416394d

SHA1
62d3303af932e713cef164e8984813d22fd36413

SHA256
36a355b4483ac26d90a68647c98bdff6530d1fb0fdf67130f810495518aa1e95

SHA512
246403647c0472c184a18c75be7e4ad674ecb00a1626a891116dfc8f56058a2b2b1f0a089d71d7b2e474030fea7f6eb7f95fbd47ff2c93a239d742c75979cb52

Download Submit
C:\Windows\{91E36DC1-D5FE-44bf-BF3C-464C41C9EC2D}.exe

Filesize
408KB

MD5
460b6f9c3e10af40414a2ad456e5c5be

SHA1
351552c4e8e92cad185437562c0cb981da1d7a2f

SHA256
59832f597d0ebbbe49cd845d3b697650e5af87fb295106466a594af0f236ad01

SHA512
1e6f00cdae8342fd1c07f49e6f8c886b70765378006168c3df9860b03b748cf7361761c92d13db5c5c8d98c0b48cb0dde287b63f119043ccd0e15e93f3618835

Download Submit
C:\Windows\{A218D252-8788-4b8f-AD65-7DAD684825BB}.exe

Filesize
408KB

MD5
0355552b3efc2c0b1708e6e251f41e9e

SHA1
e2638646a2d801d74d0c4b4ad3aabba0bd5ac2c1

SHA256
93b4d0c72384f4a4f2d8ec0e9cea3e478c01efaa42ce739a6d9fe4289d61a3a4

SHA512
f477206467632608f8d6b5d518672c567fadda324998e333248883cb5738dc40742137f1039126543d890bce06e23300ab249a40f2f6dec8fd37218a1b3ed04c

Download Submit
C:\Windows\{A94A96DA-5320-4721-B264-3730E969CCBA}.exe

Filesize
408KB

MD5
9f26aa70ae89a50cf12b577d4541e576

SHA1
ddf5d7919c7fc5d58e29bcde52ee5a567243840d

SHA256
a76173203efaaffc289a197d2a09244e8c7cbba3e847ad77cd33722e88baa372

SHA512
2cce544207d74af71840d6d5fdb7ef608515f7ee3f9d5cef6d714f3b844e717e97864de36ea364ee605acc70cbbc286a4bcb6a6481f2b975d08da9fefc939498

Download Submit
C:\Windows\{C8E9BC8D-3121-47cb-9B93-04CD61DFC61D}.exe

Filesize
408KB

MD5
96472cda6f1434ad068029bc2da7f28f

SHA1
aa6f080e864a8203e521903351f4237c3ca3dc84

SHA256
7961d640b508dee35d78d2315606f3235ac62789e2be08d2cf80bb5e271dba69

SHA512
ecb3dd5d931b16097f4cff01323d3be57fc2e31dc452153c01f75a2bda726257ed5904d5da15743151b481f39f7ae708dda79bbdf81eb83870b0dd3ed103f066

Download Submit
C:\Windows\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe

Filesize
17KB

MD5
59c55d08d6754f4916dd1dda2d78c075

SHA1
6a300a5bad26c92487aa727783e14e2d256f8589

SHA256
3f73b9aac400e242a53ccddabb3c50cde537df1c18e2080b42fe98dadd918ebe

SHA512
3183811dcde8ada3ae2381e976ebae86a7360ef14a698a1f24a8d8bfc0b7e832e64918d2208b5e99a4979fe5f2cc8e7a1a84370d830fc785b8fb49082911cd17

Download Submit
C:\Windows\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe

Filesize
5KB

MD5
dced0a3c1d041f2fcb706e6f962b402a

SHA1
6797bc1f4a8baed184c85735ddad0a23090eb837

SHA256
e52366a6556982967a3c8aaf1ded9e8a542cd439cbea425956e1e99cfd6fa3d4

SHA512
c20acdfff30caecf2b3f36c1b351e1ce1d07772c94c3f9007d6dfce7217d51054af3563cb1d8084456fafc3a47351ccc77fab4e1b697b12813f301ecfafb3544

Download Submit
C:\Windows\{D2E3DAA4-3467-4f66-9E16-2FA2E9358346}.exe

Filesize
408KB

MD5
a1ef90c62b5d9061bb4fe92fe949cbd4

SHA1
576b30d53298f85ff714b527b9fc70e02e051d75

SHA256
660fc2d8ab10f440ebca0cac01732143dedd829db622bf9bea62e46d2c192e10

SHA512
91fba24dc8adbfbfc76714f5aa79b94c511d768e3c9fd56c4c0e699eb0f7a20728fcf909d26a1a59a855136f6345562d7071c39876297ee2a708b88cc6c5fd56

Download Submit
C:\Windows\{E562C7A4-4C45-4da8-B653-4D32B03EE960}.exe

Filesize
408KB

MD5
fdc0f4ddd093a759ab153b129982f5f8

SHA1
30b8be5b578ebe0d3214aa72c47768fb4748289b

SHA256
6f5125d10fed009181debcd751a6dfa2a672fd91b811837ca1b46f54f1e8f030

SHA512
31511b5b6716cf6dd2bc7dd46925def555c4c1e2bbd33d716b7cccf4ccac66bd9815ca91b25e974313a0c6b0787d27069de46b736e062e60af2561d01920f1e7

Download Submit
C:\Windows\{E90302FD-E7FC-4f9b-9A62-497E5F95A378}.exe

Filesize
408KB

MD5
e59d1aa4008d18921766518ce762240c

SHA1
20a8c8b05f4930e046454a822f6a377ca39b1ec0

SHA256
fb02d4f95831732513a506456ed01192619b81b5a17fa9eb3328fd870f5118c5

SHA512
ca4045ee9f056531b15f454dfaeb016b935402c46bdb329d2a7c5ed1f4b010ecef2de8bc75d006f6a1f86b6e15c92ce8556a37cbe083b40c0e9fe53e4b7c27b6

Download Submit
C:\Windows\{F004CAB8-A384-4a87-AF23-658CD93653E7}.exe

Filesize
408KB

MD5
588b2d48e1b467a87ea330e1736c50d5

SHA1
979acf786936bc9ebf068de3e8c4122055d61ea0

SHA256
04384a302e6a076bee7f2d4a575bac96ea5ab757c57243fc9a14e925660f7aab

SHA512
e30c814eb6dd14e7e8f3d8ac09665cf9d8ecfcfef3fb208794cf6759823347ebd29fa99424f24eb1b7134a58afd992e130efe7d3989439bbd42010b8796a3c6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads