69c13b096febacfda5e6f4ee730e3632c7d70dc07659e18a0b007be99a84608c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe
Size

408KB
MD5

448e6b2689e3aca2fbdd48be8a569153
SHA1

6b1c7d623baef190289cfede79add7da68067ecc
SHA256

69c13b096febacfda5e6f4ee730e3632c7d70dc07659e18a0b007be99a84608c
SHA512

cf02cb8e677a8baa22dbc9c33912c77e9ab9482d95c6352c0c522dea884ac1b857221ba4a0d490ec3ecb2f2be1cd9dc2e94847727eea6a826479ba357f399ece
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGAldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e6c3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002314d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023247-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002314d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000001d887-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021558-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000006cf-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006cf-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000006cf-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B942562-DE74-4214-8BD6-2F359C50AC9D}\stubpath = "C:\\Windows\\{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe"	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}\stubpath = "C:\\Windows\\{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe"	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}\stubpath = "C:\\Windows\\{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe"	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B72F8E86-921E-40b8-A0EB-423B35756EC4}	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}\stubpath = "C:\\Windows\\{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe"	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}\stubpath = "C:\\Windows\\{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe"	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}\stubpath = "C:\\Windows\\{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe"	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{127EAD1F-7E70-43e3-BDBC-D2043095756F}	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2CE3501-EB97-411a-8643-3448EBB9C60B}	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2CE3501-EB97-411a-8643-3448EBB9C60B}\stubpath = "C:\\Windows\\{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe"	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEE1930-AD14-42fb-8B58-9AA3B163452A}	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEE1930-AD14-42fb-8B58-9AA3B163452A}\stubpath = "C:\\Windows\\{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe"	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{127EAD1F-7E70-43e3-BDBC-D2043095756F}\stubpath = "C:\\Windows\\{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe"	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D45FF4F8-5373-4623-BCAA-F588811CB6E6}\stubpath = "C:\\Windows\\{D45FF4F8-5373-4623-BCAA-F588811CB6E6}.exe"	{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D45FF4F8-5373-4623-BCAA-F588811CB6E6}	{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B942562-DE74-4214-8BD6-2F359C50AC9D}	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AB81222-C3F5-45d8-97C6-C42492459534}	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AB81222-C3F5-45d8-97C6-C42492459534}\stubpath = "C:\\Windows\\{6AB81222-C3F5-45d8-97C6-C42492459534}.exe"	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B72F8E86-921E-40b8-A0EB-423B35756EC4}\stubpath = "C:\\Windows\\{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe"	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe
3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe
3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe
1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe
1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe
3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe
4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe
2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe
2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe
2324	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe
2596	{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe
896	{D45FF4F8-5373-4623-BCAA-F588811CB6E6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe
File created	C:\Windows\{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe
File created	C:\Windows\{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe
File created	C:\Windows\{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe
File created	C:\Windows\{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe
File created	C:\Windows\{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe
File created	C:\Windows\{D45FF4F8-5373-4623-BCAA-F588811CB6E6}.exe	{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe
File created	C:\Windows\{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe
File created	C:\Windows\{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe
File created	C:\Windows\{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe
File created	C:\Windows\{6AB81222-C3F5-45d8-97C6-C42492459534}.exe	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe
File created	C:\Windows\{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3832	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe
Token: SeIncBasePriorityPrivilege	3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe
Token: SeIncBasePriorityPrivilege	3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe
Token: SeIncBasePriorityPrivilege	1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe
Token: SeIncBasePriorityPrivilege	1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe
Token: SeIncBasePriorityPrivilege	3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe
Token: SeIncBasePriorityPrivilege	4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe
Token: SeIncBasePriorityPrivilege	2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe
Token: SeIncBasePriorityPrivilege	2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe
Token: SeIncBasePriorityPrivilege	2324	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe
Token: SeIncBasePriorityPrivilege	2596	{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 4060	3832	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe	92
PID 3832 wrote to memory of 4060	3832	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe	92
PID 3832 wrote to memory of 4060	3832	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe	92
PID 3832 wrote to memory of 1836	3832	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe	93
PID 3832 wrote to memory of 1836	3832	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe	93
PID 3832 wrote to memory of 1836	3832	2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe	93
PID 4060 wrote to memory of 3524	4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe	96
PID 4060 wrote to memory of 3524	4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe	96
PID 4060 wrote to memory of 3524	4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe	96
PID 4060 wrote to memory of 5000	4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe	97
PID 4060 wrote to memory of 5000	4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe	97
PID 4060 wrote to memory of 5000	4060	{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe	97
PID 3524 wrote to memory of 3144	3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe	99
PID 3524 wrote to memory of 3144	3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe	99
PID 3524 wrote to memory of 3144	3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe	99
PID 3524 wrote to memory of 2732	3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe	100
PID 3524 wrote to memory of 2732	3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe	100
PID 3524 wrote to memory of 2732	3524	{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe	100
PID 3144 wrote to memory of 1136	3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe	101
PID 3144 wrote to memory of 1136	3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe	101
PID 3144 wrote to memory of 1136	3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe	101
PID 3144 wrote to memory of 4368	3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe	102
PID 3144 wrote to memory of 4368	3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe	102
PID 3144 wrote to memory of 4368	3144	{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe	102
PID 1136 wrote to memory of 1016	1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe	103
PID 1136 wrote to memory of 1016	1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe	103
PID 1136 wrote to memory of 1016	1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe	103
PID 1136 wrote to memory of 3000	1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe	104
PID 1136 wrote to memory of 3000	1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe	104
PID 1136 wrote to memory of 3000	1136	{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe	104
PID 1016 wrote to memory of 3332	1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe	105
PID 1016 wrote to memory of 3332	1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe	105
PID 1016 wrote to memory of 3332	1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe	105
PID 1016 wrote to memory of 4992	1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe	106
PID 1016 wrote to memory of 4992	1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe	106
PID 1016 wrote to memory of 4992	1016	{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe	106
PID 3332 wrote to memory of 4332	3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe	107
PID 3332 wrote to memory of 4332	3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe	107
PID 3332 wrote to memory of 4332	3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe	107
PID 3332 wrote to memory of 2500	3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe	108
PID 3332 wrote to memory of 2500	3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe	108
PID 3332 wrote to memory of 2500	3332	{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe	108
PID 4332 wrote to memory of 2000	4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe	109
PID 4332 wrote to memory of 2000	4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe	109
PID 4332 wrote to memory of 2000	4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe	109
PID 4332 wrote to memory of 1312	4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe	110
PID 4332 wrote to memory of 1312	4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe	110
PID 4332 wrote to memory of 1312	4332	{6AB81222-C3F5-45d8-97C6-C42492459534}.exe	110
PID 2000 wrote to memory of 2064	2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe	111
PID 2000 wrote to memory of 2064	2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe	111
PID 2000 wrote to memory of 2064	2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe	111
PID 2000 wrote to memory of 3832	2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe	112
PID 2000 wrote to memory of 3832	2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe	112
PID 2000 wrote to memory of 3832	2000	{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe	112
PID 2064 wrote to memory of 2324	2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe	113
PID 2064 wrote to memory of 2324	2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe	113
PID 2064 wrote to memory of 2324	2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe	113
PID 2064 wrote to memory of 4160	2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe	114
PID 2064 wrote to memory of 4160	2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe	114
PID 2064 wrote to memory of 4160	2064	{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe	114
PID 2324 wrote to memory of 2596	2324	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe	115
PID 2324 wrote to memory of 2596	2324	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe	115
PID 2324 wrote to memory of 2596	2324	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe	115
PID 2324 wrote to memory of 3168	2324	{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_448e6b2689e3aca2fbdd48be8a569153_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe
  C:\Windows\{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe
    C:\Windows\{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe
      C:\Windows\{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe
        
        C:\Windows\{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\Windows\{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe
        
        C:\Windows\{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe
        
        C:\Windows\{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\{6AB81222-C3F5-45d8-97C6-C42492459534}.exe
        
        C:\Windows\{6AB81222-C3F5-45d8-97C6-C42492459534}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe
        
        C:\Windows\{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe
        
        C:\Windows\{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe
        
        C:\Windows\{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe
        
        C:\Windows\{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{D45FF4F8-5373-4623-BCAA-F588811CB6E6}.exe
        
        C:\Windows\{D45FF4F8-5373-4623-BCAA-F588811CB6E6}.exe
        13⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2CE3~1.EXE > nul
        13⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{127EA~1.EXE > nul
        12⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0851A~1.EXE > nul
        11⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B72F8~1.EXE > nul
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB81~1.EXE > nul
        9⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAEE1~1.EXE > nul
        8⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48523~1.EXE > nul
        7⤵
        
        PID:4992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2ED9~1.EXE > nul
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE40A~1.EXE > nul
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6B942~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BFAED~1.EXE > nul
    3⤵
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0851AC7A-A2FE-45f4-8199-69A9B27D59A0}.exe

Filesize
408KB

MD5
c41ff9bf465df4e1748d4663c74bf7e3

SHA1
4a30a58005959d2572e094f4498bd10058efa8a9

SHA256
643cd62ee00d78c1ec97d45eced13a35c78dbf1722a563e39ea2329208c022fc

SHA512
aabe075ddad3428b9301bffcf5e68cd4d1eb597c727104e849c671a4cd7fcf04cccce1e0f9fb027f6eb45ce8e915bcd8e00d8bc836459540fb58dd1db2a2bdd0

Download Submit
C:\Windows\{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe

Filesize
48KB

MD5
8c11742c23d4145450c4d1e6e55e4f81

SHA1
5f50f0e9ac181233f7df106ce8be157038834ada

SHA256
6ce84bcafea2b2230a2e0b3f20365d9ea6756e69286e43597014920efbf61743

SHA512
eccfa318162efc50a715070cbdc36a95f50599683e900602f6d9dacd5239d7f266145103a5b717a92e4a6593142f83388d637904a21d5fa7b8dd217532d67bed

Download Submit
C:\Windows\{127EAD1F-7E70-43e3-BDBC-D2043095756F}.exe

Filesize
408KB

MD5
e128aec393115b744e1766b0283b696f

SHA1
60638b1a1274c5b054d410924713a747f5d5ab96

SHA256
9ba0436fa4ea790ef8671f191c4766825589c8aff689a87f2c25e6ddff767ea4

SHA512
c8be593c1a2ae69dfadf7093fec5798490f127367d4ca17aad76ee200877ac780337dd01024f8a7fda403be5db5e075a504f0872f2f529be9191f80603877069

Download Submit
C:\Windows\{48523615-7B43-4dc9-BEE5-E1A71E51D0FA}.exe

Filesize
408KB

MD5
a7c4738f179be7d459a543063dd923fc

SHA1
c60079f32b498982f98c9387f131b312c6e6b918

SHA256
3268622be160f5e0d45894ce9b620c45103f388a678e9a20bcedd28fb361870f

SHA512
029905bc56644fe766ec4fbf4084a930e527d098928a78c12cd4548f20ff82e3b7934ef8a681c997631923ee5b11680b03011b151eb66f04c99aaed57032718e

Download Submit
C:\Windows\{6AB81222-C3F5-45d8-97C6-C42492459534}.exe

Filesize
408KB

MD5
a59abded24881498e0c42957eec7ca62

SHA1
67ae6adbc19a4af49888dbbdc09878ab50dc7664

SHA256
9701871f2350e33c557454890f4b093c3e3c3de9d7007245af10f510b9db89fd

SHA512
1ea27b84eb27273bc28c260b30916daf33ba34c2c1fa3eb08b1a6da2f295a158d74c66927b3dd277a2a5fb4459a870653bde42a9bfff724e918a1b10dcba80db

Download Submit
C:\Windows\{6B942562-DE74-4214-8BD6-2F359C50AC9D}.exe

Filesize
408KB

MD5
eafcd770d1af08c491a066825fa30f7a

SHA1
fba3ab13cfa5f58565148dccf82ae76ff4059dc0

SHA256
7bf1766295f71cb227af67b42bb7e100486ac1bc36c40f57c71255411ddfafe1

SHA512
a50f6f77add29a0b79506c20745f9db46602267481bd6ac9e5bb88bc3f5ea1d2c927065cdc49f3d3a94eaa3269c7c47ad9b33e99d4ec769988cef15ebe717b95

Download Submit
C:\Windows\{B2CE3501-EB97-411a-8643-3448EBB9C60B}.exe

Filesize
408KB

MD5
ba5197ca36cebc51832bc981507c974e

SHA1
eb8e7998fca55babc5f1e3fca2ef0f69061d4702

SHA256
abda7eeef962327cf069ac50ee869b36213d8a5058234fcee325be518db40b3d

SHA512
3ef3f9141cd8cbfe8bae5bc6056075d03ffa1b0e42c7a17983df96838c1c1dee1fd6fb8e9b2d6aac7fb6bc21cd037f52957cce55913587ef56d88a0e8ca1e3bd

Download Submit
C:\Windows\{B72F8E86-921E-40b8-A0EB-423B35756EC4}.exe

Filesize
408KB

MD5
9107ab68d4f8e8eca9f676f4037cbf59

SHA1
44b32b73b02bf978dec9575a9396de463fe19329

SHA256
c6fe25fc6d9da94deb53aa06beb1d0385ebcb62333610bd91b7b770983b2f723

SHA512
bb13ff6d545bc673253a38fc1aab0593f509457ec3eccf693060016934c3134d1e59e344fbe4724e935417f591c2e306f0780764f364674daa09d5b4f594d25a

Download Submit
C:\Windows\{BFAEDA0F-6CD5-4eb2-A3F9-6E57C378D28C}.exe

Filesize
408KB

MD5
812a461451cbc953995700c7f35326ed

SHA1
11016038863ce2e49882904e7453beb17a596749

SHA256
b45d090cf889d49616b6bd9f09024af4c89933bc82a816c25daa9616d678d74a

SHA512
10ca521dae82144aef097799360ed1c479dac07a1f5acc069e45ea85ab826757d0517bf1bd2f77a4c586bdf192361aec1dbfc3dea7aea2e188ad2accd51387e3

Download Submit
C:\Windows\{CE40A807-D2FD-4a4a-AF01-52F56E2DD3F7}.exe

Filesize
408KB

MD5
df61933ecd34b7e08463a21d4fcc6c51

SHA1
ab6e3c3615ea019c77351c1663cac392be8f9b66

SHA256
220bc096e0c9f811c854c598a8f167fa291f5991733ab7433b08ea7cc2ea2f0f

SHA512
2c4d7a21f66a5f96be62620037b5eb1558db48c92d7e46a279b5ed6f325b8fc4cbb22df157ce4db03e945d3e91fe96d6ced5badc13876b9c8326c0fead41d6e8

Download Submit
C:\Windows\{D2ED9FB3-E3CA-420d-9B8B-0533F5F27D84}.exe

Filesize
408KB

MD5
5118515ce17d26e3b3568d6b2b0de2bc

SHA1
39e40975b38091c3b27999f77bd71357c54f2333

SHA256
a24f236c41f866c63194e917da64526e5bf9f180549d37318464b41eaa0162ed

SHA512
008938129a4e39089c562a92401b685aa6ce3dffd92ef68d3f169ee24db7fc8d0131118c29bf1e532cbd36648b382bd8f8fe872b47e252b9ad16a379b287cd8b

Download Submit
C:\Windows\{D45FF4F8-5373-4623-BCAA-F588811CB6E6}.exe

Filesize
408KB

MD5
cc782e654bf5af2ced812fbdcfa4ddaf

SHA1
2b3b2dc07a16af7c1d1a97b611a5b47100cd2922

SHA256
2410e2e9e1b7fec28d42d537393a247e1b60bf5f8afaf3ed8a0aaedcc48e1a94

SHA512
df57aeda17e8cf00fb8f2c3d2222bc8a19562bb9a698c27a858f70795990c13e6596deb544894dd97ae01e45a383c759949dcea650287378488b1697484af4f1

Download Submit
C:\Windows\{DAEE1930-AD14-42fb-8B58-9AA3B163452A}.exe

Filesize
408KB

MD5
efa338c9115c3eb364f409f3d97a4828

SHA1
5ac07e5d91dcf3aca6bb847aeee46b4d385f11e0

SHA256
fdfbf91bd067c2edc9aeb3c256dc0afca681ce026c063108cee597c85115e095

SHA512
a8794714004fb540c6753d65fbd17c7ffa4cd37951427d163d12437b16dca0e2fd58d65d853f2075c7c911813447229de571ad0d36c550428e7d90908f5d826d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads