8191f547bdd0427432b61f5113ae3cebe9cf499d704bf7de1a1d87e03605d99d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Size

204KB
MD5

4fb61422520bf75476643055e70d62cb
SHA1

c54a9a96b802439fa103f06af05d47a36521e8ca
SHA256

8191f547bdd0427432b61f5113ae3cebe9cf499d704bf7de1a1d87e03605d99d
SHA512

cce3ae025bcda82ad24b4b796c463b1e6cad9954482445d01c5c50d6ab2a8ee27e383735249c842a226a0ecae51f43768196710bac67ae1551ffe920b0d74853
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023154-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023162-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023169-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023162-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C98ADDE-21C2-4e95-890D-9F78BA434158}	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E66263-1D41-4a24-B5B9-B4A228F16600}\stubpath = "C:\\Windows\\{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe"	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}\stubpath = "C:\\Windows\\{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe"	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C31999-C9FF-4de4-A160-B8022AE02A07}	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{182408F0-D63E-4469-9D7F-095F04FD9703}\stubpath = "C:\\Windows\\{182408F0-D63E-4469-9D7F-095F04FD9703}.exe"	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C98ADDE-21C2-4e95-890D-9F78BA434158}\stubpath = "C:\\Windows\\{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe"	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}\stubpath = "C:\\Windows\\{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe"	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{182408F0-D63E-4469-9D7F-095F04FD9703}	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}\stubpath = "C:\\Windows\\{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe"	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E66263-1D41-4a24-B5B9-B4A228F16600}	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A046E379-FD19-40ad-A818-F2D096AEF51E}\stubpath = "C:\\Windows\\{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe"	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C31999-C9FF-4de4-A160-B8022AE02A07}\stubpath = "C:\\Windows\\{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe"	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}\stubpath = "C:\\Windows\\{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe"	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B9212D-2BA7-4a87-9094-119CD30EACA3}	{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}\stubpath = "C:\\Windows\\{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe"	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}\stubpath = "C:\\Windows\\{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe"	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A046E379-FD19-40ad-A818-F2D096AEF51E}	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B9212D-2BA7-4a87-9094-119CD30EACA3}\stubpath = "C:\\Windows\\{83B9212D-2BA7-4a87-9094-119CD30EACA3}.exe"	{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe
4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe
8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe
3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe
4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe
2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe
3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe
4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe
4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe
4348	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe
3972	{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe
4552	{83B9212D-2BA7-4a87-9094-119CD30EACA3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe
File created	C:\Windows\{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe
File created	C:\Windows\{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe
File created	C:\Windows\{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe
File created	C:\Windows\{83B9212D-2BA7-4a87-9094-119CD30EACA3}.exe	{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe
File created	C:\Windows\{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe
File created	C:\Windows\{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe
File created	C:\Windows\{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe
File created	C:\Windows\{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe
File created	C:\Windows\{182408F0-D63E-4469-9D7F-095F04FD9703}.exe	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe
File created	C:\Windows\{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
File created	C:\Windows\{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4352	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe
Token: SeIncBasePriorityPrivilege	4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe
Token: SeIncBasePriorityPrivilege	8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe
Token: SeIncBasePriorityPrivilege	3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe
Token: SeIncBasePriorityPrivilege	4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe
Token: SeIncBasePriorityPrivilege	2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe
Token: SeIncBasePriorityPrivilege	3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe
Token: SeIncBasePriorityPrivilege	4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe
Token: SeIncBasePriorityPrivilege	4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe
Token: SeIncBasePriorityPrivilege	4348	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe
Token: SeIncBasePriorityPrivilege	3972	{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 3956	4352	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	89
PID 4352 wrote to memory of 3956	4352	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	89
PID 4352 wrote to memory of 3956	4352	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	89
PID 4352 wrote to memory of 468	4352	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	90
PID 4352 wrote to memory of 468	4352	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	90
PID 4352 wrote to memory of 468	4352	2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe	90
PID 3956 wrote to memory of 4908	3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe	93
PID 3956 wrote to memory of 4908	3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe	93
PID 3956 wrote to memory of 4908	3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe	93
PID 3956 wrote to memory of 3192	3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe	94
PID 3956 wrote to memory of 3192	3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe	94
PID 3956 wrote to memory of 3192	3956	{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe	94
PID 4908 wrote to memory of 8	4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe	97
PID 4908 wrote to memory of 8	4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe	97
PID 4908 wrote to memory of 8	4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe	97
PID 4908 wrote to memory of 3048	4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe	96
PID 4908 wrote to memory of 3048	4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe	96
PID 4908 wrote to memory of 3048	4908	{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe	96
PID 8 wrote to memory of 3708	8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe	98
PID 8 wrote to memory of 3708	8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe	98
PID 8 wrote to memory of 3708	8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe	98
PID 8 wrote to memory of 3276	8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe	99
PID 8 wrote to memory of 3276	8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe	99
PID 8 wrote to memory of 3276	8	{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe	99
PID 3708 wrote to memory of 4928	3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe	100
PID 3708 wrote to memory of 4928	3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe	100
PID 3708 wrote to memory of 4928	3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe	100
PID 3708 wrote to memory of 1980	3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe	101
PID 3708 wrote to memory of 1980	3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe	101
PID 3708 wrote to memory of 1980	3708	{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe	101
PID 4928 wrote to memory of 2204	4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe	102
PID 4928 wrote to memory of 2204	4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe	102
PID 4928 wrote to memory of 2204	4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe	102
PID 4928 wrote to memory of 2132	4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe	103
PID 4928 wrote to memory of 2132	4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe	103
PID 4928 wrote to memory of 2132	4928	{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe	103
PID 2204 wrote to memory of 3012	2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe	104
PID 2204 wrote to memory of 3012	2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe	104
PID 2204 wrote to memory of 3012	2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe	104
PID 2204 wrote to memory of 2448	2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe	105
PID 2204 wrote to memory of 2448	2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe	105
PID 2204 wrote to memory of 2448	2204	{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe	105
PID 3012 wrote to memory of 4476	3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe	106
PID 3012 wrote to memory of 4476	3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe	106
PID 3012 wrote to memory of 4476	3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe	106
PID 3012 wrote to memory of 5076	3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe	107
PID 3012 wrote to memory of 5076	3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe	107
PID 3012 wrote to memory of 5076	3012	{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe	107
PID 4476 wrote to memory of 4384	4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe	108
PID 4476 wrote to memory of 4384	4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe	108
PID 4476 wrote to memory of 4384	4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe	108
PID 4476 wrote to memory of 4404	4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe	109
PID 4476 wrote to memory of 4404	4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe	109
PID 4476 wrote to memory of 4404	4476	{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe	109
PID 4384 wrote to memory of 4348	4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe	111
PID 4384 wrote to memory of 4348	4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe	111
PID 4384 wrote to memory of 4348	4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe	111
PID 4384 wrote to memory of 1376	4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe	110
PID 4384 wrote to memory of 1376	4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe	110
PID 4384 wrote to memory of 1376	4384	{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe	110
PID 4348 wrote to memory of 3972	4348	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe	112
PID 4348 wrote to memory of 3972	4348	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe	112
PID 4348 wrote to memory of 3972	4348	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe	112
PID 4348 wrote to memory of 3436	4348	{182408F0-D63E-4469-9D7F-095F04FD9703}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_4fb61422520bf75476643055e70d62cb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe
  C:\Windows\{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe
    C:\Windows\{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C98A~1.EXE > nul
      4⤵
      PID:3048
  - - C:\Windows\{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe
      C:\Windows\{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe
        
        C:\Windows\{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Windows\{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe
        
        C:\Windows\{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe
        
        C:\Windows\{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe
        
        C:\Windows\{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe
        
        C:\Windows\{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe
        
        C:\Windows\{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97C31~1.EXE > nul
        11⤵
        
        PID:1376
        
        C:\Windows\{182408F0-D63E-4469-9D7F-095F04FD9703}.exe
        
        C:\Windows\{182408F0-D63E-4469-9D7F-095F04FD9703}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe
        
        C:\Windows\{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\{83B9212D-2BA7-4a87-9094-119CD30EACA3}.exe
        
        C:\Windows\{83B9212D-2BA7-4a87-9094-119CD30EACA3}.exe
        13⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B3D6~1.EXE > nul
        13⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18240~1.EXE > nul
        12⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A046E~1.EXE > nul
        10⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2D8F~1.EXE > nul
        9⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4AC0~1.EXE > nul
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75E66~1.EXE > nul
        7⤵
        
        PID:2132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D713~1.EXE > nul
        6⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9A0A~1.EXE > nul
        5⤵
        
        PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEBAF~1.EXE > nul
    3⤵
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D713D7C-49E1-4fff-943C-ECEEB7B542B4}.exe

Filesize
204KB

MD5
fd28c82a34cd46aa6809405409b3b27c

SHA1
2b9cadc11a34c6c4cc562da8aedf5291c98cab8c

SHA256
be79d34cf7f3282e9dba6ada16ebdab2e89de8ba9640a0e71ab4d13a7ecec7d1

SHA512
a6801d992ecbbc73e4ae272ed79b272b8d2eb8ad08861abb8adcb15d76393d80faed3ea08c0a26041e2f07d977d39aacb61c52454430bc4947577145968183fa

Download Submit
C:\Windows\{182408F0-D63E-4469-9D7F-095F04FD9703}.exe

Filesize
204KB

MD5
e502737b298af903856caa1da8cb72d9

SHA1
8c7eb4cd218dc7e7870e33cd981927226559003c

SHA256
2809ac755b56b40765acef555ec9a6b7b97fc693c204d3621516660b27044909

SHA512
ab515de189ce849ae018cb2f09c53e68761cfb3043c9e591f0a6376cf963a5b5a536c76246cbf64db03ea321565b5bfc7a25cbe3d940b753602fe028f994bb91

Download Submit
C:\Windows\{5B3D61D1-73F3-4b12-8889-1BD93C71B0E1}.exe

Filesize
204KB

MD5
b3bbd0e7ab6bb8cef1a2d349cde0d94a

SHA1
9853ee769bc891196d8f7d1b6f9a508e10e926bf

SHA256
30f29f874c4b7926935e38122cb34531741b369955eb08ddffceab6a25850be3

SHA512
80af3c2b7a9028b0602fb0e482b775e672b2acf09240355370c0b8ee65bf35fcf4287b82075cbae5b978e6374a47400a8394036b67ef7e6aba1909b2d8cc4042

Download Submit
C:\Windows\{6C98ADDE-21C2-4e95-890D-9F78BA434158}.exe

Filesize
204KB

MD5
c72276ef215404ba33b8f01508140d6f

SHA1
0a0291a0ac8734e6b1b6b64e9bff3df24fee0b2a

SHA256
dd9c856802396c6e3f2595c068c8eea0521bf0528d965df8ebf4d1f3052d431f

SHA512
c2360ab35cfd81bc7854e228adfeb96792b548ad0a8b7b0c997cd27f2acc82f1ce2808fe5eaf50decdc2cc7d9eca195fd5cf9be4140a53184004a14be1920138

Download Submit
C:\Windows\{75E66263-1D41-4a24-B5B9-B4A228F16600}.exe

Filesize
204KB

MD5
4c76804e6dca628ae8d674aece2a5d51

SHA1
77ed0c339642aee818dbdbd301f965b5b5cb3782

SHA256
14c556dc5ed0abdec415eeaba7867d2d23106d33c90fd0db3be3222472fbbddd

SHA512
6146b3c9c49a7ceb6cf79aa9bada5d72be1633c1fbccacdb27710c37f8a0d2b2e19c11e10db16c59c1bcd63d20cdd4007885ccf4aaaa026b14588fcf1e3f983a

Download Submit
C:\Windows\{83B9212D-2BA7-4a87-9094-119CD30EACA3}.exe

Filesize
204KB

MD5
8828461cae2993c95e4e11fca0b9a65c

SHA1
f691bfc9eac57d2fecb3057b6702acfc856922b9

SHA256
a43a540bcf64f18062aa9c13c2756ed38d4b6d3d8f12bc9707164e3ff8811ba6

SHA512
4c7bf82d92d3880d3fe9f5562c62562fced87983e7cdf8f95f769de4dd5ac5ad659ca96a706fe55d6233a2aaf2113179777c37a23899b5a77c16b55b3d806a33

Download Submit
C:\Windows\{97C31999-C9FF-4de4-A160-B8022AE02A07}.exe

Filesize
204KB

MD5
a380f52d013a2906843f299c735686b2

SHA1
7f76930f0b4cc8bd1f6a391014d222e8353d3d97

SHA256
aee06811e2056cfe29f357d1222b56edf3379709080cc2194a8bfd50026ff079

SHA512
0c7c68978e1ba6b66dfb01ab3c2c359f914a943ed9ede4bd3131e0b836985da1b0610976fc0d5b6d3f5fbf159190a9cda260bbf4c296290985a97ad96c4d7f20

Download Submit
C:\Windows\{A046E379-FD19-40ad-A818-F2D096AEF51E}.exe

Filesize
204KB

MD5
bf9668e9b05f5769a15e2c4a455c41ad

SHA1
48c019bb73b5944d3d10bf491968f40203c46847

SHA256
134f2b8c424d61d756b3d598789c218f699bbaf2e96f10ba3fe31343fc6a7705

SHA512
19e3049c2920d50ad164c3a98134b484f80cb5d5f0f7aabd5125fb9cb94daf39f169c477e5f6a26d872eb38148a14a3e640f20d5234560b09aa2fa16c730b18f

Download Submit
C:\Windows\{D2D8F3C6-6D00-4fd1-A9C5-0C5E6D460580}.exe

Filesize
204KB

MD5
14746babb33f96db750e61aea9be873a

SHA1
3ba024d6f57e99f7ab8ebb2761f97c12b72a0ca4

SHA256
026e292bef3014b8e468a766fc0918f99cc98d3f7e4ba5658ccd61355a262fa0

SHA512
488998a20a2dee4092a0b58d29b4c9736c91ebe8c7af056d75b1a3ae1610d417bcda825f2e4f78095960b77a246b53c9f76ed79426460030243da6c949575ff2

Download Submit
C:\Windows\{E4AC0A4C-7F9E-4e46-82E6-BA2AD6DBB576}.exe

Filesize
204KB

MD5
a2dba3d744a7cd7f389f78ae7c506de1

SHA1
fbc63e73531a4a3e87306b451a779e005d60db45

SHA256
ecd8186463578ce5b8155bf1817d15cb80ae31eaf8141da079f1c416b29d1987

SHA512
8d5284c20732954189158cdfbdcae9f9ac0f6fdd65e80552c88c48123fd991c0a2bfc41ab7a7b2176ef7a32303aea3000ecdee0b9beb8b05b1e79a81ffd47cd2

Download Submit
C:\Windows\{EEBAF0AB-673C-4089-BC10-D9737F9B5A9C}.exe

Filesize
204KB

MD5
fc58cf33d34caa013ba1b309e5ed09ff

SHA1
57acff1aee23905604c030dc55dcd6bfe4086c43

SHA256
858c126d0316b94a7d0fbc30f41060865af1b37264173c935c1de186144152ef

SHA512
eaf8e615f64114590667fcb1f3d9f9963d3fb126cf93d51d786b0e37dbd81f3ae7528f309e6863d056f39d476432ce2a6548b07471a937d5e0c1a763a88e3a33

Download Submit
C:\Windows\{F9A0A22D-D15C-41c4-AC2A-DC35C5BFAB7C}.exe

Filesize
204KB

MD5
9e51085349d8fe59597bac020a6c7fee

SHA1
678451de532a74920896bfe67fa5cc769bc9344c

SHA256
4e3e63ba406ecff3a6ea69b0af4980b647b1f3572e850d55aca8e33f4a7235b3

SHA512
63ff74c7e07fec7a2a21b3a53b62375b8743e22937aa38b8ec1df0b610c1dbcbe2fe57d451bced2a6b960d5514d6f43cdc873327e647cd8f3d48b2e85f3fc2f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads