382c9c9f66e4965a5c45be832e1ad9ffa004ffeb405278b7774aa441eefea485

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Size

197KB
MD5

86f2e507771e7f0ef93d3a82d3292444
SHA1

bf690dd9242fcdfa3b978ffdf6b5c532cdb48b5e
SHA256

382c9c9f66e4965a5c45be832e1ad9ffa004ffeb405278b7774aa441eefea485
SHA512

f96db401b2ee2cc690bb751bb99196a9267fab00d73d6b1103c25a4614fdb92367a5cad2b4a50ec486c0bb0590c317526171767488e56fb4d55012f5536afc9c
SSDEEP

3072:jEGh0o3l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGFlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023115-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023115-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E457FFA-949A-48ae-9D0C-3B283FD01F72}	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}\stubpath = "C:\\Windows\\{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe"	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F24C260-FCE8-4de4-B25E-E7383338A33A}	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F24C260-FCE8-4de4-B25E-E7383338A33A}\stubpath = "C:\\Windows\\{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe"	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}	{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E457FFA-949A-48ae-9D0C-3B283FD01F72}\stubpath = "C:\\Windows\\{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe"	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD914E27-E3A0-443a-9C89-8073E5BFBABF}	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB415CA7-0166-4b1e-85E9-0228ED572127}	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB415CA7-0166-4b1e-85E9-0228ED572127}\stubpath = "C:\\Windows\\{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe"	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}\stubpath = "C:\\Windows\\{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}.exe"	{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}\stubpath = "C:\\Windows\\{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe"	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}\stubpath = "C:\\Windows\\{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe"	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}\stubpath = "C:\\Windows\\{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe"	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D2D994-F127-4aad-AB25-0077F29D8004}\stubpath = "C:\\Windows\\{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe"	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}\stubpath = "C:\\Windows\\{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe"	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24606352-08DB-4f1f-8CDD-22BE78C2E821}	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24606352-08DB-4f1f-8CDD-22BE78C2E821}\stubpath = "C:\\Windows\\{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe"	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D2D994-F127-4aad-AB25-0077F29D8004}	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD914E27-E3A0-443a-9C89-8073E5BFBABF}\stubpath = "C:\\Windows\\{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe"	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe

Executes dropped EXE 12 IoCs

pid	Process
3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe
3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe
1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe
5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe
1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe
940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe
1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe
4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe
1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe
4972	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe
3020	{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe
1996	{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe
File created	C:\Windows\{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe
File created	C:\Windows\{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe
File created	C:\Windows\{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe
File created	C:\Windows\{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe
File created	C:\Windows\{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}.exe	{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe
File created	C:\Windows\{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
File created	C:\Windows\{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe
File created	C:\Windows\{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe
File created	C:\Windows\{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe
File created	C:\Windows\{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe
File created	C:\Windows\{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4452	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe
Token: SeIncBasePriorityPrivilege	3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe
Token: SeIncBasePriorityPrivilege	1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe
Token: SeIncBasePriorityPrivilege	5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe
Token: SeIncBasePriorityPrivilege	1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe
Token: SeIncBasePriorityPrivilege	940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe
Token: SeIncBasePriorityPrivilege	1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe
Token: SeIncBasePriorityPrivilege	4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe
Token: SeIncBasePriorityPrivilege	1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe
Token: SeIncBasePriorityPrivilege	4972	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe
Token: SeIncBasePriorityPrivilege	3020	{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3220	4452	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	90
PID 4452 wrote to memory of 3220	4452	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	90
PID 4452 wrote to memory of 3220	4452	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	90
PID 4452 wrote to memory of 5088	4452	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	91
PID 4452 wrote to memory of 5088	4452	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	91
PID 4452 wrote to memory of 5088	4452	2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe	91
PID 3220 wrote to memory of 3272	3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe	92
PID 3220 wrote to memory of 3272	3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe	92
PID 3220 wrote to memory of 3272	3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe	92
PID 3220 wrote to memory of 4092	3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe	93
PID 3220 wrote to memory of 4092	3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe	93
PID 3220 wrote to memory of 4092	3220	{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe	93
PID 3272 wrote to memory of 1084	3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe	96
PID 3272 wrote to memory of 1084	3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe	96
PID 3272 wrote to memory of 1084	3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe	96
PID 3272 wrote to memory of 644	3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe	95
PID 3272 wrote to memory of 644	3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe	95
PID 3272 wrote to memory of 644	3272	{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe	95
PID 1084 wrote to memory of 5004	1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe	97
PID 1084 wrote to memory of 5004	1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe	97
PID 1084 wrote to memory of 5004	1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe	97
PID 1084 wrote to memory of 5112	1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe	98
PID 1084 wrote to memory of 5112	1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe	98
PID 1084 wrote to memory of 5112	1084	{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe	98
PID 5004 wrote to memory of 1688	5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe	99
PID 5004 wrote to memory of 1688	5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe	99
PID 5004 wrote to memory of 1688	5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe	99
PID 5004 wrote to memory of 2972	5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe	100
PID 5004 wrote to memory of 2972	5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe	100
PID 5004 wrote to memory of 2972	5004	{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe	100
PID 1688 wrote to memory of 940	1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe	101
PID 1688 wrote to memory of 940	1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe	101
PID 1688 wrote to memory of 940	1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe	101
PID 1688 wrote to memory of 1196	1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe	102
PID 1688 wrote to memory of 1196	1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe	102
PID 1688 wrote to memory of 1196	1688	{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe	102
PID 940 wrote to memory of 1444	940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe	103
PID 940 wrote to memory of 1444	940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe	103
PID 940 wrote to memory of 1444	940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe	103
PID 940 wrote to memory of 3616	940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe	104
PID 940 wrote to memory of 3616	940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe	104
PID 940 wrote to memory of 3616	940	{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe	104
PID 1444 wrote to memory of 4852	1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe	105
PID 1444 wrote to memory of 4852	1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe	105
PID 1444 wrote to memory of 4852	1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe	105
PID 1444 wrote to memory of 2320	1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe	106
PID 1444 wrote to memory of 2320	1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe	106
PID 1444 wrote to memory of 2320	1444	{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe	106
PID 4852 wrote to memory of 1648	4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe	107
PID 4852 wrote to memory of 1648	4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe	107
PID 4852 wrote to memory of 1648	4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe	107
PID 4852 wrote to memory of 4648	4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe	108
PID 4852 wrote to memory of 4648	4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe	108
PID 4852 wrote to memory of 4648	4852	{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe	108
PID 1648 wrote to memory of 4972	1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe	109
PID 1648 wrote to memory of 4972	1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe	109
PID 1648 wrote to memory of 4972	1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe	109
PID 1648 wrote to memory of 4880	1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe	110
PID 1648 wrote to memory of 4880	1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe	110
PID 1648 wrote to memory of 4880	1648	{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe	110
PID 4972 wrote to memory of 3020	4972	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe	111
PID 4972 wrote to memory of 3020	4972	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe	111
PID 4972 wrote to memory of 3020	4972	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe	111
PID 4972 wrote to memory of 4164	4972	{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_86f2e507771e7f0ef93d3a82d3292444_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe
  C:\Windows\{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe
    C:\Windows\{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6E457~1.EXE > nul
      4⤵
      PID:644
  - - C:\Windows\{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe
      C:\Windows\{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe
        
        C:\Windows\{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe
        
        C:\Windows\{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe
        
        C:\Windows\{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe
        
        C:\Windows\{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe
        
        C:\Windows\{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe
        
        C:\Windows\{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe
        
        C:\Windows\{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe
        
        C:\Windows\{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}.exe
        
        C:\Windows\{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}.exe
        13⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB415~1.EXE > nul
        13⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8D26~1.EXE > nul
        12⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F24C~1.EXE > nul
        11⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{112B3~1.EXE > nul
        10⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD914~1.EXE > nul
        9⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D2D~1.EXE > nul
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F179A~1.EXE > nul
        7⤵
        
        PID:1196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0A3F~1.EXE > nul
        6⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CDC3~1.EXE > nul
        5⤵
        
        PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24606~1.EXE > nul
    3⤵
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{112B3BAB-BD84-484d-AD9D-CB1FF70B1CDF}.exe

Filesize
197KB

MD5
40c3c36234dde1bb2c80e62091bda21b

SHA1
ad231b49861fac7510917ae885149135845ec168

SHA256
b0734f10016f535b55620c44e238327da5c666f7e74ae97839032aa0f52db9fc

SHA512
254304f248710f5deac551d60fb266192600a2a52758e1b03c15f14d6c12809de0aee0e3d56f5a44ad23d392f0308b2f7f0c1a4b2bc00b77d87976096f069b9e

Download Submit
C:\Windows\{1CDC3389-D46A-4fcc-B6DE-C9F2422431A5}.exe

Filesize
197KB

MD5
55fdd0831e6b5eb91828031a7bb13a85

SHA1
5cf7c1836be131655b883b8cfb413d80c27d3ab2

SHA256
25bae4dc3098cb747ae5d584c156170008e3fe3b1445af45aeb8f3bcb1d58d3b

SHA512
f48abe28df396165f32a45280235b8c2c556ea69540d40103c50c2ae5b05baad09b3e7e644b18343f3337318c1fe6335e3400d887012b45bf3ff7de35c1b5c7b

Download Submit
C:\Windows\{24606352-08DB-4f1f-8CDD-22BE78C2E821}.exe

Filesize
197KB

MD5
d14d6134e1fb82dc7afbae85bc494f50

SHA1
6517c580641b3942806b4192e80f6d5b681bbd3e

SHA256
d9199f2e30dea230109fbdf698265b28208598972fa887e101459b49b4497756

SHA512
353bdea84868c086e7fc7f3346f37b40554702c6c5b47bc18e85c2d7f9697d4ac53eead8fc7aaf61f5bc4e3e14c42e05b693f8521317d79f0656edc5728c0060

Download Submit
C:\Windows\{3C74A4D0-3656-4af4-AF78-A4E0C5B3621C}.exe

Filesize
197KB

MD5
33b0c203e8aab6a1407256a11a1e3ae9

SHA1
d102e95d90db77813a961768b44feb7d32736062

SHA256
2d500ea572f85eadda469bef8503adc6a0560e54d7ae7cf5d69b067aff714bd6

SHA512
d5ffaa214569c026191f3fbb57a57049769603d550c82784f132372b67a753a8d60f4d1cd5861e150d7f2dc7253665e9936c3bd3f305d76b962f07d6eb211908

Download Submit
C:\Windows\{4F24C260-FCE8-4de4-B25E-E7383338A33A}.exe

Filesize
197KB

MD5
9aa5efba7e2cb7bbb06668ea2f47aec0

SHA1
d618990c34d3e87cf8eb6631a5dad7d24385247b

SHA256
6fe572c9c5eb2f10b594610255633dbbf08cf101a60203840d0c9c5f69076d84

SHA512
8a0319b61b39ea07b496461c79ceb94367b728a3271614778746d477575584f32e9b4eeb99015ac0a5762c3e1ba33f02474b093cd8af99fa29eb3747841c5a67

Download Submit
C:\Windows\{6E457FFA-949A-48ae-9D0C-3B283FD01F72}.exe

Filesize
197KB

MD5
a2db795cb5d001b9f530e468b4ef5ea8

SHA1
e814c371cb5931a3f687e7ebaf09b1fc38bcaf3f

SHA256
8bd3af4783833b1fe89e3bece73b9d1d3bdcfbc7ba10390f677bd9627d9d86ad

SHA512
65cfbe2a952d9a3bd579675f17b0ec74999967c9c25235926f57c583060c3519b1fcdde35d7290d4558837d81f452172a115b396db216153e79dd6f5916fdc51

Download Submit
C:\Windows\{B0A3FDA4-2983-4e4d-AEBB-9ED40405C948}.exe

Filesize
197KB

MD5
3002ac9619585c6e9ad04be945b19e27

SHA1
ca7d454f57cac4d3d3469b144375771c89730ccc

SHA256
9dfcafe15489eaf9c4326b8ae3f7edfe51cac44384029bd20ea4ae659a701f50

SHA512
0c02a9a3fd5e56785ab5d7328fce15f0db45ab9ddf445b3b41cf454e38cf36e17a9e89c8572080c9dc4b4ed8daa3806a03b366e2593437a518ae00b46e7c6df2

Download Submit
C:\Windows\{C1D2D994-F127-4aad-AB25-0077F29D8004}.exe

Filesize
197KB

MD5
614a8372a18dfe84e5740c13fbd19147

SHA1
f0862e469684b08821b80b16cd25bb3f186f21a2

SHA256
486b44ea178f7e535de6651203c51e682124fa3e66605aca9a3c592c8ccca4da

SHA512
b2976b2aec0d47730ff7321eab2f93164cd6dd53ac07efba23a6d4afdddc37ad897607d7580204aa9905e1a7e87bc08645175592f3cf750d74803952722286a9

Download Submit
C:\Windows\{C8D26A8C-CA49-42bf-8E3D-6331A90F7612}.exe

Filesize
197KB

MD5
40ea5e9cf2a43c7785978e669d60948a

SHA1
6e030fdbec5d9d0410b121b6609b409aa2caa548

SHA256
cd3d5c144efe261a609d657fb1380fe86c0404b27aa849e7229bfacf2f3f36ab

SHA512
9242cd4fc42d78dbf75d4862494ac97fbdc5b5a3da08940b64dc0261a92bad7a1fbd370ad120cda7df6dbc137381fba29999c4c5426ed591af1907d2f6cea619

Download Submit
C:\Windows\{CB415CA7-0166-4b1e-85E9-0228ED572127}.exe

Filesize
197KB

MD5
9cc04069a1dfda786b6059ee25c4d0db

SHA1
3cfb6c473e0af87809a8faec21497111fb252d75

SHA256
6875a0d680c4e14639d82f8dc2a24a9cdd57544b8c5c30651332e8b39bc6fe4b

SHA512
234f7edb5c953deeb7b83612ddc6cd881b3c9b5d08028e938b2b298077a19bb901155fa57670cfd96ab8c53634e0a5100c1387166aa0d33636996f1d4da3bc63

Download Submit
C:\Windows\{CD914E27-E3A0-443a-9C89-8073E5BFBABF}.exe

Filesize
197KB

MD5
366a069f9b6fef9b8d6d7a7124a83694

SHA1
dde369eb07287b71e51e173693776cfb72b66332

SHA256
a8a3ff07b747d2cbe2258fcaca55cd5fb38d068c614d6c7dedd27f4ccf899dca

SHA512
a7ff8f82d495ac5f162c8395d98e2cad09c935dd823e8d73e0eb81b1c8f1a15b75744e0c1d18c72b38df45bcad06d98f0d66b38a6d37347bb8a145198c0163e8

Download Submit
C:\Windows\{F179AA9D-A8FE-49f2-BFC2-94FBCD9E371F}.exe

Filesize
197KB

MD5
d75da40824b21ba19a24df9a13cff84d

SHA1
460c4f8a56f045801d2074a57045249f0f471efa

SHA256
b36c85313736cdf99d5ba823ffa967658cf74155eb32d2d8edbc49ba226c8c4b

SHA512
d685160d651f8f785f5f1e75998e0e6eaab3c798829cb5338c88c4bb4e8841ed70c970aa3320b222a9a4c6165cc6a46c299d93996de1477878079a3e845f0278

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads