77c561c59149faa979eb7ac434bf28aee1df84c840d7f1f47a5d6ccb29670878

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Size

344KB
MD5

3af88b3d8fc125b822efe6cc7129902f
SHA1

73fe0a2ae6404838ea0a66cd674e815fcc017c7f
SHA256

77c561c59149faa979eb7ac434bf28aee1df84c840d7f1f47a5d6ccb29670878
SHA512

f0534272c18ccd9230c0de9f079e0a7e02928745eeff76278f99dda60e308460d45754608da1707a500064408eb63d6af6c3fb91c303e4ebc5092d3cbb2bfca5
SSDEEP

3072:mEGh0oNlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e0b8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e0b8-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000001e0b8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1554E766-D8AD-4ee7-B381-31696365B00D}\stubpath = "C:\\Windows\\{1554E766-D8AD-4ee7-B381-31696365B00D}.exe"	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97CC8948-4C52-4440-830C-838B0FCF93CF}	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97CC8948-4C52-4440-830C-838B0FCF93CF}\stubpath = "C:\\Windows\\{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe"	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD499B6-A414-4629-AC46-AB9408A0248B}\stubpath = "C:\\Windows\\{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe"	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1554E766-D8AD-4ee7-B381-31696365B00D}	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}\stubpath = "C:\\Windows\\{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe"	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9FE563-690C-42c8-9543-14F9F328561B}	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9FE563-690C-42c8-9543-14F9F328561B}\stubpath = "C:\\Windows\\{CD9FE563-690C-42c8-9543-14F9F328561B}.exe"	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB822CE8-AE01-45cb-BE66-7931E4A81D55}\stubpath = "C:\\Windows\\{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe"	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}\stubpath = "C:\\Windows\\{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe"	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD499B6-A414-4629-AC46-AB9408A0248B}	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB822CE8-AE01-45cb-BE66-7931E4A81D55}	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}\stubpath = "C:\\Windows\\{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe"	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}\stubpath = "C:\\Windows\\{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe"	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}\stubpath = "C:\\Windows\\{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe"	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CC9F325-180A-401a-9470-0C74C0DC6205}\stubpath = "C:\\Windows\\{7CC9F325-180A-401a-9470-0C74C0DC6205}.exe"	{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}\stubpath = "C:\\Windows\\{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe"	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CC9F325-180A-401a-9470-0C74C0DC6205}	{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe
5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe
1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe
4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe
5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe
6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe
4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe
5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe
1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe
5084	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe
2252	{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe
5512	{7CC9F325-180A-401a-9470-0C74C0DC6205}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe
File created	C:\Windows\{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe
File created	C:\Windows\{7CC9F325-180A-401a-9470-0C74C0DC6205}.exe	{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe
File created	C:\Windows\{1554E766-D8AD-4ee7-B381-31696365B00D}.exe	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
File created	C:\Windows\{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe
File created	C:\Windows\{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe
File created	C:\Windows\{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe
File created	C:\Windows\{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe
File created	C:\Windows\{CD9FE563-690C-42c8-9543-14F9F328561B}.exe	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe
File created	C:\Windows\{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe
File created	C:\Windows\{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe
File created	C:\Windows\{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3592	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe
Token: SeIncBasePriorityPrivilege	5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe
Token: SeIncBasePriorityPrivilege	1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe
Token: SeIncBasePriorityPrivilege	4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe
Token: SeIncBasePriorityPrivilege	5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe
Token: SeIncBasePriorityPrivilege	6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe
Token: SeIncBasePriorityPrivilege	4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe
Token: SeIncBasePriorityPrivilege	5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe
Token: SeIncBasePriorityPrivilege	1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe
Token: SeIncBasePriorityPrivilege	5084	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe
Token: SeIncBasePriorityPrivilege	2252	{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2420	3592	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	90
PID 3592 wrote to memory of 2420	3592	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	90
PID 3592 wrote to memory of 2420	3592	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	90
PID 3592 wrote to memory of 4832	3592	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	91
PID 3592 wrote to memory of 4832	3592	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	91
PID 3592 wrote to memory of 4832	3592	2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe	91
PID 2420 wrote to memory of 5368	2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe	93
PID 2420 wrote to memory of 5368	2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe	93
PID 2420 wrote to memory of 5368	2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe	93
PID 2420 wrote to memory of 5356	2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe	94
PID 2420 wrote to memory of 5356	2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe	94
PID 2420 wrote to memory of 5356	2420	{1554E766-D8AD-4ee7-B381-31696365B00D}.exe	94
PID 5368 wrote to memory of 1256	5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe	97
PID 5368 wrote to memory of 1256	5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe	97
PID 5368 wrote to memory of 1256	5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe	97
PID 5368 wrote to memory of 1476	5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe	96
PID 5368 wrote to memory of 1476	5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe	96
PID 5368 wrote to memory of 1476	5368	{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe	96
PID 1256 wrote to memory of 4856	1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe	98
PID 1256 wrote to memory of 4856	1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe	98
PID 1256 wrote to memory of 4856	1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe	98
PID 1256 wrote to memory of 4536	1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe	99
PID 1256 wrote to memory of 4536	1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe	99
PID 1256 wrote to memory of 4536	1256	{CD9FE563-690C-42c8-9543-14F9F328561B}.exe	99
PID 4856 wrote to memory of 5776	4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe	100
PID 4856 wrote to memory of 5776	4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe	100
PID 4856 wrote to memory of 5776	4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe	100
PID 4856 wrote to memory of 6012	4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe	101
PID 4856 wrote to memory of 6012	4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe	101
PID 4856 wrote to memory of 6012	4856	{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe	101
PID 5776 wrote to memory of 6020	5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe	103
PID 5776 wrote to memory of 6020	5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe	103
PID 5776 wrote to memory of 6020	5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe	103
PID 5776 wrote to memory of 740	5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe	102
PID 5776 wrote to memory of 740	5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe	102
PID 5776 wrote to memory of 740	5776	{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe	102
PID 6020 wrote to memory of 4996	6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe	104
PID 6020 wrote to memory of 4996	6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe	104
PID 6020 wrote to memory of 4996	6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe	104
PID 6020 wrote to memory of 5220	6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe	105
PID 6020 wrote to memory of 5220	6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe	105
PID 6020 wrote to memory of 5220	6020	{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe	105
PID 4996 wrote to memory of 5996	4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe	106
PID 4996 wrote to memory of 5996	4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe	106
PID 4996 wrote to memory of 5996	4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe	106
PID 4996 wrote to memory of 1372	4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe	107
PID 4996 wrote to memory of 1372	4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe	107
PID 4996 wrote to memory of 1372	4996	{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe	107
PID 5996 wrote to memory of 1128	5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe	108
PID 5996 wrote to memory of 1128	5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe	108
PID 5996 wrote to memory of 1128	5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe	108
PID 5996 wrote to memory of 4420	5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe	109
PID 5996 wrote to memory of 4420	5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe	109
PID 5996 wrote to memory of 4420	5996	{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe	109
PID 1128 wrote to memory of 5084	1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe	110
PID 1128 wrote to memory of 5084	1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe	110
PID 1128 wrote to memory of 5084	1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe	110
PID 1128 wrote to memory of 3664	1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe	111
PID 1128 wrote to memory of 3664	1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe	111
PID 1128 wrote to memory of 3664	1128	{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe	111
PID 5084 wrote to memory of 2252	5084	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe	112
PID 5084 wrote to memory of 2252	5084	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe	112
PID 5084 wrote to memory of 2252	5084	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe	112
PID 5084 wrote to memory of 4596	5084	{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_3af88b3d8fc125b822efe6cc7129902f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\{1554E766-D8AD-4ee7-B381-31696365B00D}.exe
  C:\Windows\{1554E766-D8AD-4ee7-B381-31696365B00D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe
    C:\Windows\{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3C437~1.EXE > nul
      4⤵
      PID:1476
  - - C:\Windows\{CD9FE563-690C-42c8-9543-14F9F328561B}.exe
      C:\Windows\{CD9FE563-690C-42c8-9543-14F9F328561B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe
        
        C:\Windows\{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe
        
        C:\Windows\{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB822~1.EXE > nul
        7⤵
        
        PID:740
        
        C:\Windows\{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe
        
        C:\Windows\{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6020
        
        C:\Windows\{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe
        
        C:\Windows\{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe
        
        C:\Windows\{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5996
        
        C:\Windows\{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe
        
        C:\Windows\{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe
        
        C:\Windows\{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe
        
        C:\Windows\{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{7CC9F325-180A-401a-9470-0C74C0DC6205}.exe
        
        C:\Windows\{7CC9F325-180A-401a-9470-0C74C0DC6205}.exe
        13⤵
        Executes dropped EXE
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD49~1.EXE > nul
        13⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5E18~1.EXE > nul
        12⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BEDA~1.EXE > nul
        11⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8807D~1.EXE > nul
        10⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{809E5~1.EXE > nul
        9⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5CC8~1.EXE > nul
        8⤵
        
        PID:5220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97CC8~1.EXE > nul
        6⤵
        
        PID:6012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD9FE~1.EXE > nul
        5⤵
        
        PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1554E~1.EXE > nul
    3⤵
    PID:5356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1554E766-D8AD-4ee7-B381-31696365B00D}.exe

Filesize
344KB

MD5
08bd6ce9064c13f6772b2589a88bdd5e

SHA1
b4c2b90601512c7adbf4b312630ef0e8eff782ef

SHA256
3253087706f75ff122fafb48423a817dcb12a4bf07fd826805b1befd8f6f6199

SHA512
51d8d6e4eec69eb1443daf02dcd8cf848a1eb77ee57a229cfa32d0b3b9c2838078624841407116261500d445a8d5a9727cc474b4e7d0e4f9c902104c166aa22e

Download Submit
C:\Windows\{1BEDA9F6-5954-429a-AF72-BBDFD48D0DFF}.exe

Filesize
344KB

MD5
5aeb6f89f7cfdf6c098587490133078e

SHA1
162b8cb271bbd2a6b0a78387044f661e2f727a8a

SHA256
f15b226170d4f7951925bc1522b5be10802a0b47c6855539374f997fc68f6cfa

SHA512
e3c946560754984db200b8335fe73866c05c006e5232e439d0d4526897e1bfee7cd263aaf6a58e659c29812a01298fc122abbeb732a480e1281a2546c0625fab

Download Submit
C:\Windows\{3C437E32-D8EB-46c3-87FD-E74B1795A5DF}.exe

Filesize
344KB

MD5
29392a64652475d905d4ba0760ce1f27

SHA1
5a0b140df806751fb68daf66b80c5bc10cc04ace

SHA256
8928cc065e74b568a37101f34b1569399545411f7747778fc243b2e12c43ec5e

SHA512
6b94f96401b25f8406468fddfc512c8d422eb429d81f2fc0ed21224e6321a3b577df3782c86fa42b85d6de48314ca7b1ef52b55b27a0c1e9ae37209c874a7886

Download Submit
C:\Windows\{4CD499B6-A414-4629-AC46-AB9408A0248B}.exe

Filesize
344KB

MD5
d2866fa749ec7766b314f7c225fb3938

SHA1
ff2afb7ffe22199083f26b6c6faa8a9ad5c0a4dd

SHA256
dba86a0d1bb95207bde0b8c65e405105e3dae6e58f62a21e8b84acf8a74eb8cb

SHA512
94c6ab7325f86f0ae007178bfecaa1e2141c68ecb49234321c64ecf3670a93926e279b498712047d3b68f13c7e384702011f30e696018449e9d9899121499d60

Download Submit
C:\Windows\{7CC9F325-180A-401a-9470-0C74C0DC6205}.exe

Filesize
344KB

MD5
83a92e18553cc38443d886cc20e35fe4

SHA1
1283a3c9dc20becc54c90920793a4885ed83aa0c

SHA256
6dd0480e26bdfdb2dd454a608409e41fc261648a76617629c470265e3afd653d

SHA512
96d3a696658920fdb80c0d7748672e4b0584d9367682bd2288614e340c016e7748b105555b66dcad11d471349aa19b8c6d146274cfadda42d703e501d1dcdf25

Download Submit
C:\Windows\{809E52AC-2F9B-4a9b-9D87-AA38D37D159A}.exe

Filesize
344KB

MD5
c7a7f142b82db89666deaa3f812bc26c

SHA1
32aae4575ff82c50470342bd247a3667e5ff5a88

SHA256
48f43e309193d45585b1f79fbf18b53eab048edae25c6f2f150f6bd689b79264

SHA512
16b85b40be476b13ad8dd6faba0694e8e98954d012b76a01780bdfcd9abe3e8210585b8e1653e10ad6ee753019f8a7bf90dab9f49bf9340f54427776326fa00f

Download Submit
C:\Windows\{8807DDD8-F8DF-4665-A8A4-81BA9B3B0DC7}.exe

Filesize
344KB

MD5
e339675718fe9c31e1677be17209ace0

SHA1
9d5cafe0e5fb712cbb6d1253c7641a880c67cca6

SHA256
a2fae35b59b8146ae382648300ebdae2a9ff51450383c8afecbddbbbaa39f379

SHA512
03de906447ed3b7e040542bbbebebf23f88871516ad66cff6111b2dab07d5d051c5be3ce1c60e8ce850037a6af87bb25f65650ea281b3f40cc18a2a3eb128cbd

Download Submit
C:\Windows\{97CC8948-4C52-4440-830C-838B0FCF93CF}.exe

Filesize
344KB

MD5
8a3d0c07d6f32bc6654e191934ac643a

SHA1
1c40f987e6471616fe24464a6edd3e57c68ffb58

SHA256
d428d50bf626dde35bfd07d41dbfb745cdc5ac1c331f31f71e08b1e2e46e1ca8

SHA512
d4f0ed7ed968ded9d7f8fdfeb3ba93503411d40711ba15e46b0992d859c2b72f34605d030931a5e0972174984d4b596f77cb24b74b93f4d320fa54b8adab1670

Download Submit
C:\Windows\{C5E18F42-2B92-4b3b-BE3B-11C5F255BC37}.exe

Filesize
344KB

MD5
ca37ec51f093359e114a3c1ee4ee6324

SHA1
8d9cc2b3a39b83c6725bf3298f8bf444eb0a0767

SHA256
43ce25a111e1acba5fdc3975e186751599417aaecd757fc240f1b7f484f062eb

SHA512
cc14beb81637a8482763b324a720b731c1f4b865d761b82f726d67e49d74d5ef65756a36ab8c0d8d897408a074f5dacc139b40aa8d03c49ab324adf9d444089a

Download Submit
C:\Windows\{CD9FE563-690C-42c8-9543-14F9F328561B}.exe

Filesize
344KB

MD5
ea2d9011f0ddf071df39db2422894c59

SHA1
2e0dbd7037c172e61f5be7f4702a8114dd955f38

SHA256
26e4b18c30e4825538bfce5e26b4adf588486af00c0bb01077e8b33f73648c33

SHA512
630a0fe2e14c778fd2b44f0b44a753f06792b714387d2a3a944657b89fc5954a7f9fbe155d42e8668a39ad6864fb5954b58e5fc83830ae08a68c308d946c94ed

Download Submit
C:\Windows\{F5CC8CA6-FCA5-437b-A757-62C68E5B9209}.exe

Filesize
344KB

MD5
a6481095b2a619c5bfd8ad0bde9b53e5

SHA1
8ab247ad2cc67ae692dd76fa15b50ca468b781c2

SHA256
84a93e735d07ae58a51c49007653cbb3febc0dd563197669901855579c494a44

SHA512
e93dc950cba4e6d67ddf93811fb0f991bdee371244debab52950628439a74ca83a2fac69b864d77e20358f0a544e9a53cc37620469630d6e7ade808c6a4c6396

Download Submit
C:\Windows\{FB822CE8-AE01-45cb-BE66-7931E4A81D55}.exe

Filesize
344KB

MD5
5b69b85710be723418f3f17062dec9e5

SHA1
63846977885dae8544b187047bdcc70dc1df2f07

SHA256
fb0109ddbc865ba8977451f6dc6a4dea3f83c000f5e829288a34594781a5a82e

SHA512
c3dbd6a8f27c7e9b64b231a00da3bebf1bfb954d388580bfe5a66fb21867f3edc8deb24b2a8de238ac2c549eee034764e7abd41101ff6731fb30dd754f5b29c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads