fb9c0a6ebe76f413d154e446e1ddaab8730f5d0cf354f45759934cfe25c03096

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Size

408KB
MD5

afd63adf694035162ec7f01823e4c55e
SHA1

dc6a2ebd4463295ede6c5147ea1c2037de4bb581
SHA256

fb9c0a6ebe76f413d154e446e1ddaab8730f5d0cf354f45759934cfe25c03096
SHA512

173bd0f96f615413063b835cdb7a6feb492d538257baee1f54f3d76596f54d7d382d6d5cc6040a54f073bc841437db11ee1a4867a57f25ca57d2def36170884a
SSDEEP

3072:CEGh0o6l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGgldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023217-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321e-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000001d887-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}\stubpath = "C:\\Windows\\{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe"	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73FD88AA-C77C-46cf-B25F-96D14F15852C}	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73FD88AA-C77C-46cf-B25F-96D14F15852C}\stubpath = "C:\\Windows\\{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe"	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D9BF7B3-1748-4d98-906E-91426438232C}	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}\stubpath = "C:\\Windows\\{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe"	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C121F21-C00A-4d32-BBCD-569934E33B77}	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}\stubpath = "C:\\Windows\\{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe"	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}	{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}\stubpath = "C:\\Windows\\{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}.exe"	{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16643119-6CF2-4c11-B065-DEC5D9A128E4}	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED370543-D1A9-4495-8480-7604EE5C4F1A}\stubpath = "C:\\Windows\\{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe"	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D9BF7B3-1748-4d98-906E-91426438232C}\stubpath = "C:\\Windows\\{3D9BF7B3-1748-4d98-906E-91426438232C}.exe"	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16643119-6CF2-4c11-B065-DEC5D9A128E4}\stubpath = "C:\\Windows\\{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe"	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}\stubpath = "C:\\Windows\\{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe"	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}\stubpath = "C:\\Windows\\{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe"	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C121F21-C00A-4d32-BBCD-569934E33B77}\stubpath = "C:\\Windows\\{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe"	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED370543-D1A9-4495-8480-7604EE5C4F1A}	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}\stubpath = "C:\\Windows\\{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe"	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe
2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe
4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe
2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe
4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe
2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe
5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe
3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe
4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe
968	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe
4764	{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe
748	{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe
File created	C:\Windows\{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe
File created	C:\Windows\{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe
File created	C:\Windows\{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe
File created	C:\Windows\{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe
File created	C:\Windows\{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe
File created	C:\Windows\{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe
File created	C:\Windows\{3D9BF7B3-1748-4d98-906E-91426438232C}.exe	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe
File created	C:\Windows\{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}.exe	{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe
File created	C:\Windows\{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
File created	C:\Windows\{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe
File created	C:\Windows\{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2004	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe
Token: SeIncBasePriorityPrivilege	2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe
Token: SeIncBasePriorityPrivilege	4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe
Token: SeIncBasePriorityPrivilege	2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe
Token: SeIncBasePriorityPrivilege	4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe
Token: SeIncBasePriorityPrivilege	2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe
Token: SeIncBasePriorityPrivilege	5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe
Token: SeIncBasePriorityPrivilege	3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe
Token: SeIncBasePriorityPrivilege	4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe
Token: SeIncBasePriorityPrivilege	968	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe
Token: SeIncBasePriorityPrivilege	4764	{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1316	2004	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	92
PID 2004 wrote to memory of 1316	2004	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	92
PID 2004 wrote to memory of 1316	2004	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	92
PID 2004 wrote to memory of 688	2004	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	93
PID 2004 wrote to memory of 688	2004	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	93
PID 2004 wrote to memory of 688	2004	2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe	93
PID 1316 wrote to memory of 2872	1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe	94
PID 1316 wrote to memory of 2872	1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe	94
PID 1316 wrote to memory of 2872	1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe	94
PID 1316 wrote to memory of 1896	1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe	95
PID 1316 wrote to memory of 1896	1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe	95
PID 1316 wrote to memory of 1896	1316	{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe	95
PID 2872 wrote to memory of 4036	2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe	98
PID 2872 wrote to memory of 4036	2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe	98
PID 2872 wrote to memory of 4036	2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe	98
PID 2872 wrote to memory of 1588	2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe	97
PID 2872 wrote to memory of 1588	2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe	97
PID 2872 wrote to memory of 1588	2872	{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe	97
PID 4036 wrote to memory of 2108	4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe	99
PID 4036 wrote to memory of 2108	4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe	99
PID 4036 wrote to memory of 2108	4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe	99
PID 4036 wrote to memory of 1148	4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe	100
PID 4036 wrote to memory of 1148	4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe	100
PID 4036 wrote to memory of 1148	4036	{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe	100
PID 2108 wrote to memory of 4256	2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe	101
PID 2108 wrote to memory of 4256	2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe	101
PID 2108 wrote to memory of 4256	2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe	101
PID 2108 wrote to memory of 1940	2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe	102
PID 2108 wrote to memory of 1940	2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe	102
PID 2108 wrote to memory of 1940	2108	{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe	102
PID 4256 wrote to memory of 2176	4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe	103
PID 4256 wrote to memory of 2176	4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe	103
PID 4256 wrote to memory of 2176	4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe	103
PID 4256 wrote to memory of 4064	4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe	104
PID 4256 wrote to memory of 4064	4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe	104
PID 4256 wrote to memory of 4064	4256	{3D9BF7B3-1748-4d98-906E-91426438232C}.exe	104
PID 2176 wrote to memory of 5052	2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe	105
PID 2176 wrote to memory of 5052	2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe	105
PID 2176 wrote to memory of 5052	2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe	105
PID 2176 wrote to memory of 4128	2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe	106
PID 2176 wrote to memory of 4128	2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe	106
PID 2176 wrote to memory of 4128	2176	{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe	106
PID 5052 wrote to memory of 3276	5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe	107
PID 5052 wrote to memory of 3276	5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe	107
PID 5052 wrote to memory of 3276	5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe	107
PID 5052 wrote to memory of 3240	5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe	108
PID 5052 wrote to memory of 3240	5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe	108
PID 5052 wrote to memory of 3240	5052	{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe	108
PID 3276 wrote to memory of 4184	3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe	109
PID 3276 wrote to memory of 4184	3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe	109
PID 3276 wrote to memory of 4184	3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe	109
PID 3276 wrote to memory of 3588	3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe	110
PID 3276 wrote to memory of 3588	3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe	110
PID 3276 wrote to memory of 3588	3276	{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe	110
PID 4184 wrote to memory of 968	4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe	111
PID 4184 wrote to memory of 968	4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe	111
PID 4184 wrote to memory of 968	4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe	111
PID 4184 wrote to memory of 4008	4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe	112
PID 4184 wrote to memory of 4008	4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe	112
PID 4184 wrote to memory of 4008	4184	{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe	112
PID 968 wrote to memory of 4764	968	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe	113
PID 968 wrote to memory of 4764	968	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe	113
PID 968 wrote to memory of 4764	968	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe	113
PID 968 wrote to memory of 116	968	{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_afd63adf694035162ec7f01823e4c55e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe
  C:\Windows\{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe
    C:\Windows\{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2AE2~1.EXE > nul
      4⤵
      PID:1588
  - - C:\Windows\{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe
      C:\Windows\{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe
        
        C:\Windows\{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{3D9BF7B3-1748-4d98-906E-91426438232C}.exe
        
        C:\Windows\{3D9BF7B3-1748-4d98-906E-91426438232C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe
        
        C:\Windows\{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe
        
        C:\Windows\{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe
        
        C:\Windows\{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe
        
        C:\Windows\{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe
        
        C:\Windows\{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe
        
        C:\Windows\{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}.exe
        
        C:\Windows\{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}.exe
        13⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39A72~1.EXE > nul
        13⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{021A8~1.EXE > nul
        12⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B095~1.EXE > nul
        11⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C121~1.EXE > nul
        10⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D57A~1.EXE > nul
        9⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E60AB~1.EXE > nul
        8⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D9BF~1.EXE > nul
        7⤵
        
        PID:4064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73FD8~1.EXE > nul
        6⤵
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED370~1.EXE > nul
        5⤵
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16643~1.EXE > nul
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{021A8043-1AF3-4a82-85F5-A9069B8EFDF5}.exe

Filesize
408KB

MD5
ea8d8a7c7605aaa905e5cf6a321e7a4a

SHA1
21053f023b43ee28c4acf554e6c7e27497cfce11

SHA256
7e4f9c6a1ab5726f8e743f1f117288beac47adc74ad8dd592dee34cc24186ac5

SHA512
25a3e77a9afae685f67ab1afc1f4dd8578427ed848f427d50923acb45386e89d230c64ce1ead124a3d66e720d02d6b9ee418344dafa2b287928e8d9fbd8dcc68

Download Submit
C:\Windows\{0B095550-33CE-4c4f-B7D2-BED42C3C98AA}.exe

Filesize
408KB

MD5
73075205944f451d9b4f8baa16f22e1f

SHA1
4eb0d79b52d6a827c45c87a92e7caebc8d25d495

SHA256
87da6958fa2349dc7af3cf64edca30c1021237554d7decea8bdfef00058324f1

SHA512
362648fabd3ef65f56bc321e3af91c3793aeed7fd4742d1ffe3b6e477957040c938ed28b2c1dc558094e79714bd4b752f739c34abbc6a31ee73aa637898734cc

Download Submit
C:\Windows\{16643119-6CF2-4c11-B065-DEC5D9A128E4}.exe

Filesize
408KB

MD5
0fb1344238a9f7452bf3ca7495e7cc98

SHA1
c3f9a639afedfdc75af77527c699083454bace79

SHA256
65a786807c8fa6a7a4c3f55c77fd2b91c0495ada15a3dc56c01cce1d2180cd26

SHA512
fdada6a070f25b5c5ab54b2cceb35a33fc47f4839825cfb12fc97e5252048bd00917d5b9fbe5a3105e6ce76c28a8642ad0b9b4e3e40985c7f3f1e937d78e7d5c

Download Submit
C:\Windows\{39A72175-ADDB-4c9d-9863-F3C158C7C0BF}.exe

Filesize
408KB

MD5
bd2e5534f06bdafb4793e3ac6545ebd4

SHA1
4c098b2f694eee6b4e3551233e81fd381e9b5304

SHA256
287c215c4b7af53c2d03d7293741728419a1fe10e49edc938d8cf1d9876fe038

SHA512
0676afe9b0bed94e1630c0cd47bc5a4799ec11d52bdbfdf5be46f83138e7f74e86a1f0df9cb3c030961253dd4298890e7ca64101e879c268dcf292e0c268edd4

Download Submit
C:\Windows\{3D9BF7B3-1748-4d98-906E-91426438232C}.exe

Filesize
408KB

MD5
f97db952b12382fbe3bb7bf1e8db6f6b

SHA1
073e721837056b63d8e5369af0727c1b8cf04fd1

SHA256
5bc1718d8135ee381419a1a45a10ddee91775ff7db946c06e35c9476a18dd5fd

SHA512
3127434465fb3698ee2c687ede07a6bdac17ed242fe899de03d93911a73589314bcd65ea1cfc05ac54b9a4dddb0ace05d832e82dc644075ff93723412f48d29c

Download Submit
C:\Windows\{5552DDB6-ACFB-4bc8-93A1-D31453867DDE}.exe

Filesize
408KB

MD5
49ce4387e5a904806a22aaabc6516d36

SHA1
23bf6022f87bc862b7712cf85f4149113a2c0447

SHA256
0ab44f3c19cd829d58beef71765379f6098fcb95f7908b6c4dff13bf42cbca39

SHA512
5a472e44b1195fcf4cc247f974985f4bfbce61171c87a16cbf117ff59b4d2f205acffa41910213700e09b9186c74343e4d318b141e154343c296a7cda4f45b52

Download Submit
C:\Windows\{73FD88AA-C77C-46cf-B25F-96D14F15852C}.exe

Filesize
408KB

MD5
eaf1ac14916af6fe58d77b4a9d365a4f

SHA1
bd94b34ac4f51146e5f3fd04a8540e8b288f8d2f

SHA256
075cf284f22a353ad6364f60de47df45d3dddd5c29ab9bfdf5e587643b505ddd

SHA512
16e57aee8def7685eb8cd582db9f2835a1c6f622d556af13b814c8af39612e20664c949bd1c169b9ed589f84840ec56f0eee06e4d35cc535df29737e57228ba6

Download Submit
C:\Windows\{8C121F21-C00A-4d32-BBCD-569934E33B77}.exe

Filesize
408KB

MD5
d60d1e297907ca6057d15fca58b8d67c

SHA1
396868e909e2cbbf892a5daf07d0feafbabdee21

SHA256
db6ee5132951784f2a69bde19a3164a239249e4e9c525339f2f06ef61f6e6606

SHA512
e72fc61e4d325056ab107a6eca6058a1a0820fa6df78d2bb8a4e2132d72985821075faa3953245f619367c9e8a9e6a9702084389977a0f3c44641af5305c71b9

Download Submit
C:\Windows\{9D57A3AE-C1E9-4861-BFF5-2FAC5D765C5C}.exe

Filesize
408KB

MD5
dd87075c5689f01b3f11a54e4c49cbf4

SHA1
303a3c28a0f7f38f0acaac12e91c0db0f3809027

SHA256
9a4fd71ca5c4b6ff3cd89cecde29c3aeec553f3421d3438f399e8aaa56c86362

SHA512
207e49460b88306fcf64e220ffcf63dcb328a6dd50146f9046e2aed3e7bfb903cf0cef003b67018af7b62f63d1aa62c797ebb98061c1de18a2d5e623a850b019

Download Submit
C:\Windows\{A2AE29AF-16DB-43b3-9E09-4ABB84AFC11B}.exe

Filesize
408KB

MD5
0d86e6c4704e01db32d162e6c3302f0c

SHA1
7c5fd1ccdd2eaa9b4db1e4a9ddeb7692632db5a0

SHA256
a7b21703508ff702d81d15be0d651be38af0d95e23fe720f1a8b5aae2e79e27e

SHA512
50ebaa85afbb850b7c1658628a78abdb0a22d2eb8882b16719891363fd2db4e72586343eb6764ae96377c1f8fc2af3615cf7de3b259ab6e81c9c05c80ac41da7

Download Submit
C:\Windows\{E60AB136-3C7A-4107-A4B3-2CAB648DDD2B}.exe

Filesize
408KB

MD5
ad164b52be7e7f389003c806089fc4f4

SHA1
eb035f54a1c1d2d82649328af8aa7b9f0060abaa

SHA256
56a02be0e43c70bd838e6f03a64463e258c47f5479bd217b7bab60dd5f43ffc3

SHA512
b841c8d4b8a95165b1c760e340f42109a0b9c99752c833834feda7bcbbcfa63b0c8698caf89f4cb3abb204011a59c3d330ac5e109aa22a6c12342f29f61ed302

Download Submit
C:\Windows\{ED370543-D1A9-4495-8480-7604EE5C4F1A}.exe

Filesize
408KB

MD5
2221d0ac8113442f227a54d8caec3084

SHA1
b7083b123200665ca83985af47eb6e10ba390a6f

SHA256
ec772d6bd18d1bb4ed9deff096306081f6fa11b974b8c2034f1a272909ff9679

SHA512
94378d6702ead8f9eafeefbb79d2991540c95ca6a128a01585eb256e498880dc220cccf087089d8416c8f4472ec2b7d42985b5867134ddd77ec1596bef97e1f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads