9e3b86279c8c2a84675646e21d94d1b99d6610b368c199abdc37fc13d0e21fee

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe
Size

344KB
MD5

e8e30d11b3770e6704888e4b5ddf8115
SHA1

98775ad34e4e47c84766859ca53020120130af02
SHA256

9e3b86279c8c2a84675646e21d94d1b99d6610b368c199abdc37fc13d0e21fee
SHA512

6268252e6a76a5305c291a4b3f50e94af0e9a8272140dcf227826f8da22740b616f22b4f1f2087cd01845ae9e882baf542c4b78788e9a8733abfaa50a56766f7
SSDEEP

3072:mEGh0oolEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGalqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023214-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002311f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023222-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002311f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021681-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c58-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}	{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B34C2A56-1F58-4a27-A65B-645332BC1AA3}\stubpath = "C:\\Windows\\{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe"	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0971CE-DCFD-4f54-B2A8-C4D413154220}	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0971CE-DCFD-4f54-B2A8-C4D413154220}\stubpath = "C:\\Windows\\{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe"	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}\stubpath = "C:\\Windows\\{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe"	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}\stubpath = "C:\\Windows\\{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe"	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C94F865A-C30A-4629-A984-E30D4BDE19F7}	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C94F865A-C30A-4629-A984-E30D4BDE19F7}\stubpath = "C:\\Windows\\{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe"	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{587AC964-53A2-429d-9230-A9BF7571248C}\stubpath = "C:\\Windows\\{587AC964-53A2-429d-9230-A9BF7571248C}.exe"	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}\stubpath = "C:\\Windows\\{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe"	{587AC964-53A2-429d-9230-A9BF7571248C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DCA2B0-18D6-44bd-8819-F41629DA15BC}\stubpath = "C:\\Windows\\{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe"	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}\stubpath = "C:\\Windows\\{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe"	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}\stubpath = "C:\\Windows\\{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}.exe"	{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}	{587AC964-53A2-429d-9230-A9BF7571248C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}\stubpath = "C:\\Windows\\{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe"	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{587AC964-53A2-429d-9230-A9BF7571248C}	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B34C2A56-1F58-4a27-A65B-645332BC1AA3}	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}\stubpath = "C:\\Windows\\{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe"	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DCA2B0-18D6-44bd-8819-F41629DA15BC}	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe

Executes dropped EXE 12 IoCs

pid	Process
4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe
2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe
2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe
956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe
3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe
2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe
3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe
3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe
552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe
4472	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe
3400	{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe
2364	{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe
File created	C:\Windows\{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe
File created	C:\Windows\{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe
File created	C:\Windows\{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe
File created	C:\Windows\{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe
File created	C:\Windows\{587AC964-53A2-429d-9230-A9BF7571248C}.exe	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe
File created	C:\Windows\{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe	{587AC964-53A2-429d-9230-A9BF7571248C}.exe
File created	C:\Windows\{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe
File created	C:\Windows\{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe
File created	C:\Windows\{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe
File created	C:\Windows\{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe
File created	C:\Windows\{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}.exe	{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2728	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe
Token: SeIncBasePriorityPrivilege	2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe
Token: SeIncBasePriorityPrivilege	2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe
Token: SeIncBasePriorityPrivilege	956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe
Token: SeIncBasePriorityPrivilege	3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe
Token: SeIncBasePriorityPrivilege	2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe
Token: SeIncBasePriorityPrivilege	3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe
Token: SeIncBasePriorityPrivilege	3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe
Token: SeIncBasePriorityPrivilege	552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe
Token: SeIncBasePriorityPrivilege	4472	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe
Token: SeIncBasePriorityPrivilege	3400	{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4052	2728	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe	89
PID 2728 wrote to memory of 4052	2728	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe	89
PID 2728 wrote to memory of 4052	2728	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe	89
PID 2728 wrote to memory of 3172	2728	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe	90
PID 2728 wrote to memory of 3172	2728	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe	90
PID 2728 wrote to memory of 3172	2728	2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe	90
PID 4052 wrote to memory of 2132	4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe	92
PID 4052 wrote to memory of 2132	4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe	92
PID 4052 wrote to memory of 2132	4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe	92
PID 4052 wrote to memory of 1100	4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe	93
PID 4052 wrote to memory of 1100	4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe	93
PID 4052 wrote to memory of 1100	4052	{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe	93
PID 2132 wrote to memory of 2004	2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe	95
PID 2132 wrote to memory of 2004	2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe	95
PID 2132 wrote to memory of 2004	2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe	95
PID 2132 wrote to memory of 4676	2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe	96
PID 2132 wrote to memory of 4676	2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe	96
PID 2132 wrote to memory of 4676	2132	{587AC964-53A2-429d-9230-A9BF7571248C}.exe	96
PID 2004 wrote to memory of 956	2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe	97
PID 2004 wrote to memory of 956	2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe	97
PID 2004 wrote to memory of 956	2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe	97
PID 2004 wrote to memory of 1956	2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe	98
PID 2004 wrote to memory of 1956	2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe	98
PID 2004 wrote to memory of 1956	2004	{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe	98
PID 956 wrote to memory of 3408	956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe	99
PID 956 wrote to memory of 3408	956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe	99
PID 956 wrote to memory of 3408	956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe	99
PID 956 wrote to memory of 1188	956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe	100
PID 956 wrote to memory of 1188	956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe	100
PID 956 wrote to memory of 1188	956	{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe	100
PID 3408 wrote to memory of 2440	3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe	101
PID 3408 wrote to memory of 2440	3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe	101
PID 3408 wrote to memory of 2440	3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe	101
PID 3408 wrote to memory of 4468	3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe	102
PID 3408 wrote to memory of 4468	3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe	102
PID 3408 wrote to memory of 4468	3408	{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe	102
PID 2440 wrote to memory of 3780	2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe	103
PID 2440 wrote to memory of 3780	2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe	103
PID 2440 wrote to memory of 3780	2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe	103
PID 2440 wrote to memory of 4824	2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe	104
PID 2440 wrote to memory of 4824	2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe	104
PID 2440 wrote to memory of 4824	2440	{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe	104
PID 3780 wrote to memory of 3024	3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe	105
PID 3780 wrote to memory of 3024	3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe	105
PID 3780 wrote to memory of 3024	3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe	105
PID 3780 wrote to memory of 4848	3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe	106
PID 3780 wrote to memory of 4848	3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe	106
PID 3780 wrote to memory of 4848	3780	{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe	106
PID 3024 wrote to memory of 552	3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe	107
PID 3024 wrote to memory of 552	3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe	107
PID 3024 wrote to memory of 552	3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe	107
PID 3024 wrote to memory of 1692	3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe	108
PID 3024 wrote to memory of 1692	3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe	108
PID 3024 wrote to memory of 1692	3024	{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe	108
PID 552 wrote to memory of 4472	552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe	109
PID 552 wrote to memory of 4472	552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe	109
PID 552 wrote to memory of 4472	552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe	109
PID 552 wrote to memory of 4400	552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe	110
PID 552 wrote to memory of 4400	552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe	110
PID 552 wrote to memory of 4400	552	{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe	110
PID 4472 wrote to memory of 3400	4472	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe	111
PID 4472 wrote to memory of 3400	4472	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe	111
PID 4472 wrote to memory of 3400	4472	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe	111
PID 4472 wrote to memory of 4796	4472	{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_e8e30d11b3770e6704888e4b5ddf8115_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe
  C:\Windows\{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\{587AC964-53A2-429d-9230-A9BF7571248C}.exe
    C:\Windows\{587AC964-53A2-429d-9230-A9BF7571248C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe
      C:\Windows\{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe
        
        C:\Windows\{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\Windows\{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe
        
        C:\Windows\{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe
        
        C:\Windows\{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe
        
        C:\Windows\{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe
        
        C:\Windows\{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe
        
        C:\Windows\{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe
        
        C:\Windows\{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe
        
        C:\Windows\{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}.exe
        
        C:\Windows\{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}.exe
        13⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD7DF~1.EXE > nul
        13⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45DCA~1.EXE > nul
        12⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB097~1.EXE > nul
        11⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5E0~1.EXE > nul
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5203A~1.EXE > nul
        9⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B34F5~1.EXE > nul
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B34C2~1.EXE > nul
        7⤵
        
        PID:4468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7A28~1.EXE > nul
        6⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C16B3~1.EXE > nul
        5⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{587AC~1.EXE > nul
      4⤵
      PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C94F8~1.EXE > nul
    3⤵
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{45DCA2B0-18D6-44bd-8819-F41629DA15BC}.exe

Filesize
344KB

MD5
1030a289170de978f9c78b6c34db976e

SHA1
2bcfb504c3d8e9b9562f0aa8cd60794af3a6950d

SHA256
2bf5461ea9ef0f4c9eab63d28be782c16f46c366e12bda8ac940b363fd0fb8a4

SHA512
f7f7bce42fba48003a53030cb6a491985326e09d8f7fa18f3158194e2d2a3817959544f27850b24178e44ec40158b18ec84c78b65b51384d4fb4bc54afef8ec8

Download Submit
C:\Windows\{5203A303-C7C1-4c2b-A6D3-CAAD8750EEB4}.exe

Filesize
344KB

MD5
768790f294bc966af85758a1a5dd23fd

SHA1
643c58c2d40d5efa79c371c22fc9848db84a88d5

SHA256
86ab3e329ccacc9435df63ad57f229fa7a1bdd3edf151ac354bf3e11305f1dbc

SHA512
ef4eac292220b43dacb81d8a119a7e58a7fd7ab9eaef1c25ca157bd8a9d0ab44ba7ad8bef8f50e4acd1987a463dfc22b6fdc6319f6c8c6e5956ec9bb47188c32

Download Submit
C:\Windows\{587AC964-53A2-429d-9230-A9BF7571248C}.exe

Filesize
344KB

MD5
33a64575bcc2162388580768b415050f

SHA1
140e508742ed84b7e325e0812f9ac7d9d74bb1ae

SHA256
02a92f52e46ca95d28c7da09d596f19b3799c3c173daea261e0204972d062b18

SHA512
25254fcf666c227a93c14704a1135aec28ad76e94eb6dffbd05044f011ef6b1b231504b274c832d675e8016de76f4e5dba9711b9d42383b0a0bfa225ba7ccae4

Download Submit
C:\Windows\{8F4AF2B3-B8C8-4bd6-AFE5-4DDA255A82DC}.exe

Filesize
344KB

MD5
ffbafa20628cd977c4c58eeeb5774c8f

SHA1
0599e04071bca2ed35d0e48a88946f4be7879b9f

SHA256
aee7548c31411d6d73021bcf9da6b0dde14a1c44ab27dae9555025e6f9c43534

SHA512
0f7eadcd8f7f11e18b077114f16eddcf72d1853b6c57faeadcd3952f985962ceab465925569e841062f10c079138fa87f0da698317226c1bcc75a626ea308eae

Download Submit
C:\Windows\{AB0971CE-DCFD-4f54-B2A8-C4D413154220}.exe

Filesize
344KB

MD5
305cfd6bdc28b0f7525a58e21533159a

SHA1
a08a0f292f17aa5fe0b92fb3ed048905937dd63b

SHA256
aec659ea2d4d04f7c2964afba61a8ef3bbac9937f60653cdda3c5e38c73ba4df

SHA512
e6a204558f30711624a48f89ec0ec8231ac8bb4cdc69ce78cdb4be596957dae2c947e7ed3d8caa69e8ccf478c9c5402caae55c02f3d70dda877b49ffc0001214

Download Submit
C:\Windows\{AC5E0A25-41BD-4746-8D4D-DFC764BB807B}.exe

Filesize
344KB

MD5
68df433b21776a2138c23b9b16bd8813

SHA1
6247633ac3ec8fda8848a7ec0369d796a813600e

SHA256
fbc8d8654282a4ad7c4398991480621dc0b58fdf4400629bf96bc92ed1c04fcf

SHA512
7f25f1fbcedee2ea0f3a63dad3f88541e029d724eac808bbde63b3951a56720c5c30f46dc71913255509671ef6c1cee1a13650e2418f7e26c769e0e492098658

Download Submit
C:\Windows\{B34C2A56-1F58-4a27-A65B-645332BC1AA3}.exe

Filesize
344KB

MD5
f001fe03c3bff68d61e9a0742de25661

SHA1
6cdd5599d8fedb7a8d46ca9a4dbd9ebcfc7ad7ff

SHA256
b8f1b809ec8fd9bf925b67c927a56e55e174d2bdabe1043041e6286e942665ba

SHA512
bdea33bb5dbc53c145f0b7b60eb3bc16b9b135a47c14bcb5768c3afff1a3bbf077c273e7598092abba7673eb4c20df110fd861c1e89768295869ca8331a7b53c

Download Submit
C:\Windows\{B34F5BD7-63D2-41ff-9691-E6EEEA3DB7D3}.exe

Filesize
344KB

MD5
fece2cf5f954cd8f3f1d4c6433f2ed1c

SHA1
bb681e3ba6ce526004ec6f96b28d4a09207dd8d4

SHA256
a2b1dd2c7db38ea851a6ece9d37e9f5f7eaebba988d0f6457d79d320d1e3209d

SHA512
6d3f666b4b1596f2da3cc96e3c8554d69c18611e7cb07aa677b9d11b1ebc04e15318a82b0a1c64b97b6d81bce0aa21376a8e1d45381819c8adc5534dfef47bd2

Download Submit
C:\Windows\{B7A28FAF-BD1D-45f4-B3F1-CF6D4EBCDB6F}.exe

Filesize
344KB

MD5
a8257ec814a8c15719dbf7f669e63c95

SHA1
3445aa0e0d5d0d4315ba49e6b1e9975fa5f40225

SHA256
10de13eac3520512ba23ec24d1d93585548cfaf98edb25997eeef6bb23152dbd

SHA512
a444eefece6ad5e1c74e9193e8fd7fa090e08d3df689b1debf1db12d8cd5f9e55b5580d5a91a0a5bbf4f1b41dbc69d0a993596d7ffced892e584b03f492ef733

Download Submit
C:\Windows\{C16B362E-54C4-4dba-9A66-6CB29BB9F70B}.exe

Filesize
344KB

MD5
75cd4ff0b0cdefcaf13d3f913a363e78

SHA1
21b844cef40a26795359bcacb8b6ccd5927baf58

SHA256
7b0442e9ecb3f8d9705858a59ce99cdf7db7984154f5fc6d2221ab25dce59f97

SHA512
4997a62ce02e725dfa825bc8d44ef0241ee116c05994cd5b4f12e6750ab036e66b751c65895569c36ca07fc878039b384d54748c5f3ba9a480be08f6f0722a1b

Download Submit
C:\Windows\{C94F865A-C30A-4629-A984-E30D4BDE19F7}.exe

Filesize
344KB

MD5
81b609c03aba4d0ed907167a888252f8

SHA1
df74843daa67a52e279ee443aa491646988d4568

SHA256
bb0fba8ff10fdae763ed5bf8b51f04d49827718c829032c3a2f56e176bbc8f92

SHA512
208bc875e27a87309507b025b3b39459ffe6d08814260103e7466e9e91ac77c6bc846f23552d8c4ffbf5e11389ed15ebf9cc2e4fd3a74155f8d737bc9f98e2db

Download Submit
C:\Windows\{CD7DFDB6-C92D-4450-AAD8-4485B99A3069}.exe

Filesize
344KB

MD5
18dca1b9ca8680552c071271f60fd42a

SHA1
4248c1a21e030e961f2d0af25bd05fc3e20a6e0a

SHA256
4d80876e10570fb41a273e3021ca6ab4a5bd7240d5d91bf4300ad95f98697c80

SHA512
939476e63c839ea0088f035b75ae07f0b9d58eeb3ea9632e041d34ba80da3247edaa54f5166968608201e09f1b5333869645b35d47ca0a75866324e992c81aa5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads