caabdde5c8eca05dddc7bfb0e3015e321c0e986d73b8bf14acba9d838fb3c365

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe
Size

168KB
MD5

dd4627035ed06bdf52ca66e868c7a0f5
SHA1

b3842853996b0972549ded70dfb31a6da26aa7a5
SHA256

caabdde5c8eca05dddc7bfb0e3015e321c0e986d73b8bf14acba9d838fb3c365
SHA512

c72c53534ccf0c719b99f19072ca1bc7c7dda997dedb95ad6fe117e3dbc1a87b5832832efd092187cac57aa629ed048f6da54c808299e1e793ccfd22a941dcb2
SSDEEP

1536:1EGh0oWlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oWlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002322f-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023228-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023228-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023228-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023228-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002322f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023228-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002322f-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023228-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6319541-F911-4ec6-89DA-D1304C24B2BE}	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}\stubpath = "C:\\Windows\\{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe"	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{521BB0E4-909E-4e21-B4C9-89EA5548A355}\stubpath = "C:\\Windows\\{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe"	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{695E3957-A2AF-48db-90F4-4B5430B044B3}\stubpath = "C:\\Windows\\{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe"	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}\stubpath = "C:\\Windows\\{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe"	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}	{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{474087C0-13B3-40e4-BFCD-C62F37A8386C}\stubpath = "C:\\Windows\\{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe"	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{521BB0E4-909E-4e21-B4C9-89EA5548A355}	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}\stubpath = "C:\\Windows\\{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe"	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}\stubpath = "C:\\Windows\\{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe"	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6319541-F911-4ec6-89DA-D1304C24B2BE}\stubpath = "C:\\Windows\\{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe"	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}\stubpath = "C:\\Windows\\{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe"	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}\stubpath = "C:\\Windows\\{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe"	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C4891F-AB49-4015-B03A-7FDDA65E9885}	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C4891F-AB49-4015-B03A-7FDDA65E9885}\stubpath = "C:\\Windows\\{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe"	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{695E3957-A2AF-48db-90F4-4B5430B044B3}	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}\stubpath = "C:\\Windows\\{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}.exe"	{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{474087C0-13B3-40e4-BFCD-C62F37A8386C}	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe

Executes dropped EXE 12 IoCs

pid	Process
4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe
988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe
2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe
3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe
4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe
2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe
4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe
4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe
1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe
3104	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe
4668	{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe
4364	{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe
File created	C:\Windows\{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe
File created	C:\Windows\{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe
File created	C:\Windows\{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe
File created	C:\Windows\{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe
File created	C:\Windows\{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe
File created	C:\Windows\{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe
File created	C:\Windows\{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}.exe	{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe
File created	C:\Windows\{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe
File created	C:\Windows\{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe
File created	C:\Windows\{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe
File created	C:\Windows\{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4172	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe
Token: SeIncBasePriorityPrivilege	988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe
Token: SeIncBasePriorityPrivilege	2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe
Token: SeIncBasePriorityPrivilege	3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe
Token: SeIncBasePriorityPrivilege	4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe
Token: SeIncBasePriorityPrivilege	2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe
Token: SeIncBasePriorityPrivilege	4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe
Token: SeIncBasePriorityPrivilege	4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe
Token: SeIncBasePriorityPrivilege	1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe
Token: SeIncBasePriorityPrivilege	3104	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe
Token: SeIncBasePriorityPrivilege	4668	{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4968	4172	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe	86
PID 4172 wrote to memory of 4968	4172	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe	86
PID 4172 wrote to memory of 4968	4172	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe	86
PID 4172 wrote to memory of 2984	4172	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe	87
PID 4172 wrote to memory of 2984	4172	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe	87
PID 4172 wrote to memory of 2984	4172	2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe	87
PID 4968 wrote to memory of 988	4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe	88
PID 4968 wrote to memory of 988	4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe	88
PID 4968 wrote to memory of 988	4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe	88
PID 4968 wrote to memory of 3500	4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe	89
PID 4968 wrote to memory of 3500	4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe	89
PID 4968 wrote to memory of 3500	4968	{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe	89
PID 988 wrote to memory of 2840	988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe	90
PID 988 wrote to memory of 2840	988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe	90
PID 988 wrote to memory of 2840	988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe	90
PID 988 wrote to memory of 940	988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe	91
PID 988 wrote to memory of 940	988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe	91
PID 988 wrote to memory of 940	988	{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe	91
PID 2840 wrote to memory of 3952	2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe	92
PID 2840 wrote to memory of 3952	2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe	92
PID 2840 wrote to memory of 3952	2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe	92
PID 2840 wrote to memory of 2624	2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe	93
PID 2840 wrote to memory of 2624	2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe	93
PID 2840 wrote to memory of 2624	2840	{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe	93
PID 3952 wrote to memory of 4512	3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe	94
PID 3952 wrote to memory of 4512	3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe	94
PID 3952 wrote to memory of 4512	3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe	94
PID 3952 wrote to memory of 1116	3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe	95
PID 3952 wrote to memory of 1116	3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe	95
PID 3952 wrote to memory of 1116	3952	{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe	95
PID 4512 wrote to memory of 2916	4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe	96
PID 4512 wrote to memory of 2916	4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe	96
PID 4512 wrote to memory of 2916	4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe	96
PID 4512 wrote to memory of 2344	4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe	97
PID 4512 wrote to memory of 2344	4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe	97
PID 4512 wrote to memory of 2344	4512	{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe	97
PID 2916 wrote to memory of 4444	2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe	98
PID 2916 wrote to memory of 4444	2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe	98
PID 2916 wrote to memory of 4444	2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe	98
PID 2916 wrote to memory of 716	2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe	99
PID 2916 wrote to memory of 716	2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe	99
PID 2916 wrote to memory of 716	2916	{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe	99
PID 4444 wrote to memory of 4984	4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe	100
PID 4444 wrote to memory of 4984	4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe	100
PID 4444 wrote to memory of 4984	4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe	100
PID 4444 wrote to memory of 2900	4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe	101
PID 4444 wrote to memory of 2900	4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe	101
PID 4444 wrote to memory of 2900	4444	{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe	101
PID 4984 wrote to memory of 1788	4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe	102
PID 4984 wrote to memory of 1788	4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe	102
PID 4984 wrote to memory of 1788	4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe	102
PID 4984 wrote to memory of 232	4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe	103
PID 4984 wrote to memory of 232	4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe	103
PID 4984 wrote to memory of 232	4984	{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe	103
PID 1788 wrote to memory of 3104	1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe	104
PID 1788 wrote to memory of 3104	1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe	104
PID 1788 wrote to memory of 3104	1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe	104
PID 1788 wrote to memory of 2552	1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe	105
PID 1788 wrote to memory of 2552	1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe	105
PID 1788 wrote to memory of 2552	1788	{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe	105
PID 3104 wrote to memory of 4668	3104	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe	106
PID 3104 wrote to memory of 4668	3104	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe	106
PID 3104 wrote to memory of 4668	3104	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe	106
PID 3104 wrote to memory of 2276	3104	{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_dd4627035ed06bdf52ca66e868c7a0f5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe
  C:\Windows\{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe
    C:\Windows\{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe
      C:\Windows\{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe
        
        C:\Windows\{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe
        
        C:\Windows\{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe
        
        C:\Windows\{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe
        
        C:\Windows\{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe
        
        C:\Windows\{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe
        
        C:\Windows\{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe
        
        C:\Windows\{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe
        
        C:\Windows\{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}.exe
        
        C:\Windows\{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}.exe
        13⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B622~1.EXE > nul
        13⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6319~1.EXE > nul
        12⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{695E3~1.EXE > nul
        11⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E20B~1.EXE > nul
        10⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33C48~1.EXE > nul
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BE51~1.EXE > nul
        8⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{803AC~1.EXE > nul
        7⤵
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{521BB~1.EXE > nul
        6⤵
        
        PID:1116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E54D~1.EXE > nul
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CAA77~1.EXE > nul
      4⤵
      PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{47408~1.EXE > nul
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B622B7A-FEFE-4be5-8935-CB0D42CFEEBB}.exe

Filesize
168KB

MD5
5ca6d649cd8ebea3d6a043f7fc0554cb

SHA1
dfdac7d0559d5caa306366d1cba51e586de11a1d

SHA256
38cae699ca6ceac89cc9effc4e7bc42ef5305fe4489736dbace4aae593209efa

SHA512
6a07b4a0d591808a0396f37965ac61f1c7adbd88227b1373640af2e18a35222e85e69606229f53b6d0b3a6bd96603b959ead16cba81deac1f6d17fd1dfecb021

Download Submit
C:\Windows\{33C4891F-AB49-4015-B03A-7FDDA65E9885}.exe

Filesize
168KB

MD5
7283906c533b1db39ab248267d02ae90

SHA1
03c6dadb2df50935527f59f9f152a960cd404d8d

SHA256
0b443c611d5e94c630f9e47e930483ad9aeb37422b855f01e43ba446d6ba8bc7

SHA512
140edb3271f565f65c7b73e60f5053153dd9d41485b51b8f22c328871a8da577dff574218b13b7b389bfa08e83fb2a82e63c01666b3c21c429352ded74959913

Download Submit
C:\Windows\{474087C0-13B3-40e4-BFCD-C62F37A8386C}.exe

Filesize
168KB

MD5
69ab32509a5408e76def1b5c2eac2cd8

SHA1
9211deaf8c7cfb7c3b5b9437b4946455436686b2

SHA256
ba60c40dc223b76a94697df17e1f5fddbc8263cefdeb8abfb5284627173416d5

SHA512
d609db9084b7c93839598d9eaefb31ca5f6a0ae61e45a00dffd9f35bd4d36c070ebc68ae8d8bb4174639acdc7d4ed480a06ca7184dc0877cb5b85ba34dc7ec6c

Download Submit
C:\Windows\{521BB0E4-909E-4e21-B4C9-89EA5548A355}.exe

Filesize
168KB

MD5
710bc63272efdf232c835c732e32680f

SHA1
2a21e15939513ffe7a2e330f45c68969c61c2805

SHA256
88783ec786563a502d29860219ef83b2607753a601a317af3adc09135dd2253f

SHA512
310e4dc16344be71f48b7cd9512669f9b33cbcd2446911b3be7116833eda4114def2567277b4fb8468bd7937ba3c15d17e9fb374dd599768f007ea5b90fe2617

Download Submit
C:\Windows\{53C174B8-4CCC-4bf0-9281-09ABDDDE88E3}.exe

Filesize
168KB

MD5
2dac37169d7b871233d9cf829f45ca5d

SHA1
7f5459719a3c36db95479cef00609522a09b331e

SHA256
fe6ebcfdee38fe4dcfa8ef1323b75f90a986068a163fbd777b67710fac1e9987

SHA512
6ea673c4deb8c06ad65964a14399ab1a404256570cec825039a777f9f7ca95c29ecaea9e00939ae6a1bc608b37ef903e5f46ada1f1f035173a6395e2eb171ed1

Download Submit
C:\Windows\{695E3957-A2AF-48db-90F4-4B5430B044B3}.exe

Filesize
168KB

MD5
0d7897f5f5dd956c63f2c50c2437d4f4

SHA1
8da280eb91af46d09fa1638ad8025014dfd90e77

SHA256
ca799b31e8f30d92ea1ae7436b53ecd7b41e6abe21c8b3a422fba46f95622b83

SHA512
6e4fe1f45f6b30ce05bcef8bc45c0d65abf8316bfb6827a5f50b82b48db86c2949f4804d42f6ff470b43b29f27737537332f5ea70785e016d1fa01fd3e8e6b6a

Download Submit
C:\Windows\{6BE51B83-E01B-4a67-BC0E-23F9EDCF1EF4}.exe

Filesize
168KB

MD5
31a6cc374077b2f07cea3702cb2d285b

SHA1
4cbb80be59975b5b3a4e7abc085973e8517fe1d6

SHA256
7c49c08e3b9e6e2a26ab0df635554bde57600509cfa3cb13f86bac7639cc9a22

SHA512
7228a56f9b933e9be8eb22ec5cca144b2a4a47388bd173b0c04b63afa460108fe87e724dae0b2ca414d35998dc7462027c15d1453c2a757b2c72f3b2e5c444b5

Download Submit
C:\Windows\{6E20B18A-915B-4a55-98FC-51AE6F1CCD76}.exe

Filesize
168KB

MD5
63a59b665d7c312274aa16cd0d33e583

SHA1
1c4fe655285742e9a66ae5b54a06b2e3eb644856

SHA256
327068c26265eeacbbdcf0d5d1496df8775dcb6b41d56020beae7099bb450e4a

SHA512
ef03a3456cc3f43665361bb0ad2b324e4701f92640b3e706c9e027a7d2e549f1ddd25215e897c72adbe14c65b0c12ac8925efd7bffee2f8b7c684b5772d68d9d

Download Submit
C:\Windows\{6E54DB6E-39BD-43e2-9FFC-0C6804FFC5B8}.exe

Filesize
168KB

MD5
9805b8bd1e5bd09f70d148e31b6436cd

SHA1
9bd8c8d1ba6b1c77900285f4b6101a1f4df79be2

SHA256
e6503655c9ad348b85540976b5994257efac2d97ce0c071851314516c6589938

SHA512
a26e7783a7566a223e47ec6b5ae618ede18cf749c026013f52702e75347c5dc931abd3fc3823ee8a25448a0bb62f3c578e259a03b3c7b52e4738b9ec8c82dda4

Download Submit
C:\Windows\{803ACCF6-9E6B-4861-8E1C-2B9EBCD6A0B9}.exe

Filesize
168KB

MD5
552142b00615948f9b716312327e8fd1

SHA1
477f351dac6c9d50875ce8c0b3c2713fed09ab53

SHA256
8ab9594b70ac0765d229edaa5c479274a74ab64fe70ed9707e5e3e3340eb428c

SHA512
0eefd9b9726e4800782da9a4f71d4fb506b9652b3622dffec68949ced1cc8cda4c2b748cfa72421f24015b5290109daa1e08c5c88dc292f4317f21f4650d9f1b

Download Submit
C:\Windows\{A6319541-F911-4ec6-89DA-D1304C24B2BE}.exe

Filesize
168KB

MD5
5491238388595d8a0967b0646e372da7

SHA1
62fa1b4a333d9ba6ddbff7b6b6c7a9ca5faaf19f

SHA256
36590e81ccd70b463e27d4f6e19a2d6ced0a98428f20541378ce101334987c29

SHA512
102547ac5ffc6bfd229d9b0e8bd8038fa2683c879da0c1fe3f92b259b080b420710b0f807690eb89f6c04670985d8360de343f051bad8ee19071b34362f5f812

Download Submit
C:\Windows\{CAA77DCC-53DA-405d-AA03-1BF2AF3FF500}.exe

Filesize
168KB

MD5
d93b7d9d57f9718b0dcceed450372022

SHA1
9d278307a673018bc43b7e3beda6802d5ed9b58f

SHA256
69121be88507aed6d0d647e5f671da9e496cc3085ecc449ec0252ac9817d2b1c

SHA512
c3879b7800d41d4fe49f9ba71ed8fe9ad80bc7ddff8cd6db4f39e5a8af656d3a0e9420e8abf825e28fecdc49426cbf7dbbca8b7a948962894278e039e70d0852

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads