6df4ed8504be361ace5db56808b47c11f7a88871353c28927df4fb7c0f138cd5

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe
Size

180KB
MD5

1ed189c780670462a4dc314820e5021d
SHA1

ceb0dd552fe6d730640e789336d0d12854e947c0
SHA256

6df4ed8504be361ace5db56808b47c11f7a88871353c28927df4fb7c0f138cd5
SHA512

3e9416b3170839f83e2afd2f194cdacd01d5b6dde99cbf1244c341f32f715f628b42f9daa16eb200f7e0b5a129a0145ff6ca8426badc7b31d1d5f629584dd509
SSDEEP

3072:jEGh0odlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGPl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023228-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023228-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e7e2-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023236-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e7e2-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e7e2-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000715-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10EE897C-33D3-4527-ACAE-571D42DAAA6E}	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66DCB280-9201-434e-91A4-763377A7FABB}	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66DCB280-9201-434e-91A4-763377A7FABB}\stubpath = "C:\\Windows\\{66DCB280-9201-434e-91A4-763377A7FABB}.exe"	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F386CFC-9AFB-481d-879B-97276757E6B7}	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD5D0788-4F04-44af-9176-5A3D49B81D45}\stubpath = "C:\\Windows\\{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe"	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A82CD8-0B19-4260-90B9-5D55C2C39347}	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A82CD8-0B19-4260-90B9-5D55C2C39347}\stubpath = "C:\\Windows\\{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe"	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD33899-3CD9-44e5-9B14-E277C559CDE2}\stubpath = "C:\\Windows\\{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe"	{66DCB280-9201-434e-91A4-763377A7FABB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F386CFC-9AFB-481d-879B-97276757E6B7}\stubpath = "C:\\Windows\\{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe"	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}\stubpath = "C:\\Windows\\{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe"	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10EE897C-33D3-4527-ACAE-571D42DAAA6E}\stubpath = "C:\\Windows\\{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe"	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDD33899-3CD9-44e5-9B14-E277C559CDE2}	{66DCB280-9201-434e-91A4-763377A7FABB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}\stubpath = "C:\\Windows\\{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe"	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B986B6E-C29F-47b2-8A88-EADB29039B10}	{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B986B6E-C29F-47b2-8A88-EADB29039B10}\stubpath = "C:\\Windows\\{7B986B6E-C29F-47b2-8A88-EADB29039B10}.exe"	{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD5D0788-4F04-44af-9176-5A3D49B81D45}	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}\stubpath = "C:\\Windows\\{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe"	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}\stubpath = "C:\\Windows\\{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe"	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}\stubpath = "C:\\Windows\\{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe"	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe

Executes dropped EXE 12 IoCs

pid	Process
1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe
1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe
3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe
2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe
2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe
2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe
4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe
4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe
4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe
1052	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe
1252	{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe
2308	{7B986B6E-C29F-47b2-8A88-EADB29039B10}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe
File created	C:\Windows\{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe
File created	C:\Windows\{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe	{66DCB280-9201-434e-91A4-763377A7FABB}.exe
File created	C:\Windows\{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe
File created	C:\Windows\{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe
File created	C:\Windows\{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe
File created	C:\Windows\{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe
File created	C:\Windows\{66DCB280-9201-434e-91A4-763377A7FABB}.exe	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe
File created	C:\Windows\{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe
File created	C:\Windows\{7B986B6E-C29F-47b2-8A88-EADB29039B10}.exe	{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe
File created	C:\Windows\{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe
File created	C:\Windows\{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3376	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe
Token: SeIncBasePriorityPrivilege	1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe
Token: SeIncBasePriorityPrivilege	3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe
Token: SeIncBasePriorityPrivilege	2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe
Token: SeIncBasePriorityPrivilege	2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe
Token: SeIncBasePriorityPrivilege	2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe
Token: SeIncBasePriorityPrivilege	4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe
Token: SeIncBasePriorityPrivilege	4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe
Token: SeIncBasePriorityPrivilege	4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe
Token: SeIncBasePriorityPrivilege	1052	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe
Token: SeIncBasePriorityPrivilege	1252	{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 1920	3376	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe	91
PID 3376 wrote to memory of 1920	3376	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe	91
PID 3376 wrote to memory of 1920	3376	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe	91
PID 3376 wrote to memory of 5004	3376	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe	92
PID 3376 wrote to memory of 5004	3376	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe	92
PID 3376 wrote to memory of 5004	3376	2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe	92
PID 1920 wrote to memory of 1672	1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe	95
PID 1920 wrote to memory of 1672	1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe	95
PID 1920 wrote to memory of 1672	1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe	95
PID 1920 wrote to memory of 4536	1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe	96
PID 1920 wrote to memory of 4536	1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe	96
PID 1920 wrote to memory of 4536	1920	{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe	96
PID 1672 wrote to memory of 3016	1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe	98
PID 1672 wrote to memory of 3016	1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe	98
PID 1672 wrote to memory of 3016	1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe	98
PID 1672 wrote to memory of 1660	1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe	99
PID 1672 wrote to memory of 1660	1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe	99
PID 1672 wrote to memory of 1660	1672	{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe	99
PID 3016 wrote to memory of 2688	3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe	100
PID 3016 wrote to memory of 2688	3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe	100
PID 3016 wrote to memory of 2688	3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe	100
PID 3016 wrote to memory of 4888	3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe	101
PID 3016 wrote to memory of 4888	3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe	101
PID 3016 wrote to memory of 4888	3016	{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe	101
PID 2688 wrote to memory of 2880	2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe	102
PID 2688 wrote to memory of 2880	2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe	102
PID 2688 wrote to memory of 2880	2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe	102
PID 2688 wrote to memory of 5092	2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe	103
PID 2688 wrote to memory of 5092	2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe	103
PID 2688 wrote to memory of 5092	2688	{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe	103
PID 2880 wrote to memory of 2012	2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe	104
PID 2880 wrote to memory of 2012	2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe	104
PID 2880 wrote to memory of 2012	2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe	104
PID 2880 wrote to memory of 1200	2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe	105
PID 2880 wrote to memory of 1200	2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe	105
PID 2880 wrote to memory of 1200	2880	{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe	105
PID 2012 wrote to memory of 4000	2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe	106
PID 2012 wrote to memory of 4000	2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe	106
PID 2012 wrote to memory of 4000	2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe	106
PID 2012 wrote to memory of 3276	2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe	107
PID 2012 wrote to memory of 3276	2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe	107
PID 2012 wrote to memory of 3276	2012	{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe	107
PID 4000 wrote to memory of 4412	4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe	108
PID 4000 wrote to memory of 4412	4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe	108
PID 4000 wrote to memory of 4412	4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe	108
PID 4000 wrote to memory of 548	4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe	109
PID 4000 wrote to memory of 548	4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe	109
PID 4000 wrote to memory of 548	4000	{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe	109
PID 4412 wrote to memory of 4392	4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe	110
PID 4412 wrote to memory of 4392	4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe	110
PID 4412 wrote to memory of 4392	4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe	110
PID 4412 wrote to memory of 4404	4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe	111
PID 4412 wrote to memory of 4404	4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe	111
PID 4412 wrote to memory of 4404	4412	{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe	111
PID 4392 wrote to memory of 1052	4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe	112
PID 4392 wrote to memory of 1052	4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe	112
PID 4392 wrote to memory of 1052	4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe	112
PID 4392 wrote to memory of 3148	4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe	113
PID 4392 wrote to memory of 3148	4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe	113
PID 4392 wrote to memory of 3148	4392	{66DCB280-9201-434e-91A4-763377A7FABB}.exe	113
PID 1052 wrote to memory of 1252	1052	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe	114
PID 1052 wrote to memory of 1252	1052	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe	114
PID 1052 wrote to memory of 1252	1052	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe	114
PID 1052 wrote to memory of 4200	1052	{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe
  C:\Windows\{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe
    C:\Windows\{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe
      C:\Windows\{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe
        
        C:\Windows\{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe
        
        C:\Windows\{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe
        
        C:\Windows\{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe
        
        C:\Windows\{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe
        
        C:\Windows\{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{66DCB280-9201-434e-91A4-763377A7FABB}.exe
        
        C:\Windows\{66DCB280-9201-434e-91A4-763377A7FABB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe
        
        C:\Windows\{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe
        
        C:\Windows\{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\{7B986B6E-C29F-47b2-8A88-EADB29039B10}.exe
        
        C:\Windows\{7B986B6E-C29F-47b2-8A88-EADB29039B10}.exe
        13⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{190F5~1.EXE > nul
        13⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDD33~1.EXE > nul
        12⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66DCB~1.EXE > nul
        11⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2AFA~1.EXE > nul
        10⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF37F~1.EXE > nul
        9⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10EE8~1.EXE > nul
        8⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A82~1.EXE > nul
        7⤵
        
        PID:1200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABB83~1.EXE > nul
        6⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD5D0~1.EXE > nul
        5⤵
        
        PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CCC71~1.EXE > nul
      4⤵
      PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6F386~1.EXE > nul
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10EE897C-33D3-4527-ACAE-571D42DAAA6E}.exe

Filesize
180KB

MD5
e6f5d29470a2aafa9d3de691919ded93

SHA1
67235a8dfb1b76316ec6ba6d3469f453adddef42

SHA256
8fef251704fa82f7387221ceb5871f0711531530c94bedf36c18886712b3425c

SHA512
2768a53361bf3dd4c16655ba3b7e714e92339c3a4ea8fe713ceb8d46d3af6cab93f700667cecf6192bc573372e738d758af1db9d4d05e33168fbe51cddc58d07

Download Submit
C:\Windows\{190F5F01-5201-48f7-8DE7-9FAA8E609AA9}.exe

Filesize
180KB

MD5
3a94f96e96bb1b960399de7d91cfe14b

SHA1
00ca5c779aad456f1cd6f9ac4416c8a63f17f12f

SHA256
368dfe908793a7c66cb7ca838d7532783f914da91c29dcd46f501e71b2e5ea78

SHA512
6c300e0bcb17e2579b9d670d9b6a39b1befc91868f8b17f49ad1b059b4eb6e4845ed210ebabac161edbf2e1a6ee6160dddcdfed7d43219392c74a948398d3cdf

Download Submit
C:\Windows\{66DCB280-9201-434e-91A4-763377A7FABB}.exe

Filesize
180KB

MD5
84058a244aff227bddbfdc8cc3382adb

SHA1
bf022419edec58005c14bf23a9b92534022644ca

SHA256
17f538835e9a164a9b192c111e2af675558c93648a6b6cccd2f6b5ef2f4f4d32

SHA512
ce40515c698bdda04e67f340eacbc0bc3e61d14694e58ec355bb4d883e783ca78d6608f8977218617dd2adc485ffc22df3a1bcd2dc7cf97b9cc2579104c3bbea

Download Submit
C:\Windows\{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe

Filesize
55KB

MD5
3aad7ac9b4485d9b4328ea3a8192153f

SHA1
9954d7614d3a3e9fa4c82d1062bb6e7590a0e8c4

SHA256
b828d53d64391d9ca96c09c7c886c5ebc93ffc089e79ca761e6454ecfa5ab0dd

SHA512
a9c513cce90765c618073906ffc6b0d62cc12d31c9e0cb4670d563dcc94a05d0e503a064eceeb44e5639805d681e4b9136b4b7f01d0480018bf6372ae3c88992

Download Submit
C:\Windows\{6F386CFC-9AFB-481d-879B-97276757E6B7}.exe

Filesize
180KB

MD5
cfd13171588fe5f0140ddc16d811b930

SHA1
f02fc2a6cded0ce624bcb6164f3c5adb7fc04e01

SHA256
839f9abec0ecf7c9e4a6347d8ce4d05fc64f5e9d5e01b2f489a9bf826091e237

SHA512
a39c6591f907ec6d99993d2efbb0cee861eddf58f981f46b92c6e445c8d725cfbe4531cbaf5457aba0945a0689e04fa741dcc7d302c27907ace1dbb22bf20cc7

Download Submit
C:\Windows\{7B986B6E-C29F-47b2-8A88-EADB29039B10}.exe

Filesize
180KB

MD5
7c6aa137c1ba421b9086290b0a24356a

SHA1
ec54a0ecdc89bf996cd83de61f8d6b7602815d1a

SHA256
05b81599b5060f0552539391a7dfd2a71de2d6d764b77d78faac2450babc68cf

SHA512
569f3dd7f91ade2b20be959d8e5a05019dbbbce08c7a3d80f4eb27ee6e1a4bc108b72a545fc2eeaa7c3947511f6472b91cad9188372322377c5cab909ddeec7d

Download Submit
C:\Windows\{ABB837C4-BE4F-477d-A371-3789C1D4AA7B}.exe

Filesize
180KB

MD5
4c573b6482ae7388e9dce99b5308835a

SHA1
069ffb5fe22abfea6b2a757494b8d51f048d0d51

SHA256
71301ac18a93055b89bfe4f868eeb85221fe5ccd539729e1549807355593113c

SHA512
1edac5b27e95de8a70a025d4c9c149edb0198646318406b3aa33617a7c2d4c43a3f37872b5b3a638f70bb59e9770daaec9bbc7e294aed1b1a711fbe93266ca99

Download Submit
C:\Windows\{B1A82CD8-0B19-4260-90B9-5D55C2C39347}.exe

Filesize
180KB

MD5
dc7e408edd1330bad744bcb55d233fe9

SHA1
4a96c76101864e4fbc9b1ba1da3cc835ecdcb18c

SHA256
171c4391bc12411b7f4eabbc347ab648ed127db4eadf798a864be459892cdfda

SHA512
2bb53b507c89f7e069740b3b7c428b66071ccd7f2fafdae663680522ae2aa4acddd049925fc53773512fb9abe8b1ecb7c802a044003e5e10630b5ae0dc738e11

Download Submit
C:\Windows\{BDD33899-3CD9-44e5-9B14-E277C559CDE2}.exe

Filesize
180KB

MD5
4a84ffc0a8626e3505951552d1d08639

SHA1
ef7a3af28703ff08b687c2929388d21679057ad3

SHA256
74f0ef54a111f4985fe3274a95252f5cc81c973e7f3b7f9ec8c2e64f27d0b781

SHA512
b98d61899fb88b386d5aa485fc2158fef1d5b334e4c510165376725b5a989d4ac805a9a97fc0c9d179520e3dace871555e969d6e9431717039d91080f578d0ea

Download Submit
C:\Windows\{CCC71C0C-4977-4a17-B36F-B0AD4EB2BFDB}.exe

Filesize
180KB

MD5
0a3557435b7a45e95f6918fb5e104ff9

SHA1
c6a56e6a257fa472b842ac88375d5a272de47afe

SHA256
ce579a8f26675ed30c4dcc222aff8ec3b93e0484956dc2bd2ba634401a649277

SHA512
29faee9f765fa69dbb484cfb35d70d21e911c1cf89c6cca3f34bb37e539f333c3573ed7d8105fdc8162032ca6dd523e813f226fb6201dd02d4fda366f81b546c

Download Submit
C:\Windows\{CD5D0788-4F04-44af-9176-5A3D49B81D45}.exe

Filesize
180KB

MD5
7694d4d4b2f2fdd803588527e9142092

SHA1
ae0340c6878d643a7e3d0ba368ac94ec12a27e98

SHA256
366281d8b408b9f443082f6e0d7899f168e9ce2f2e8bcbec3cca81a9da1e9be9

SHA512
370218bd92fd2339a5c1fcc6e09da42ecab971187d64a9952f7122df63f495c0615af01821c29ebfb992b544d1f151b0cf4c081bdf6342a00db957d4babd2c4f

Download Submit
C:\Windows\{D2AFAA16-1C3B-4bbd-B029-11D42C3CB235}.exe

Filesize
180KB

MD5
3f6f68636c9c30bf68d200d6ef9a9a8b

SHA1
09d9fc0cb8faf77d9d6e2498e460ef825efdeb94

SHA256
d3e8ce26afda5e55be5ac2270ba93a435850380a1f54046c7bfda131e25c9a91

SHA512
cda48e9f3861aac71b1458fd59f7aba28b95a66bdede042a58f52e177b9104d223355af57098fed086600e488f2a713cfc793f0264dd852b461949cb742b9999

Download Submit
C:\Windows\{EF37FA11-05D1-400d-ACAA-E9833A0CB03C}.exe

Filesize
180KB

MD5
60bf79a59c12ab81671c04eacdd66a10

SHA1
deb8750e8c0221e18e17b1ae8a3730ba66322493

SHA256
14b53fcbc063fc95004c8bfdd1d45f15c05f89f9172487c8de5c812d4d0d87b9

SHA512
b585ef0986397901994ae8438dec71ed6072a2bb9a18bdb21e72461dade569f92baa0f74e7a530034605834583f0ddc31b129b59942a0b4233b7183d8f504795

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads