e6997a4bc477225ba0d81f71453738240ff25beabbe06a10cc3af3beb8635b12

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Size

192KB
MD5

86afcb3c235fe58010f810d671aeae33
SHA1

95bc3c5cf29a0b09b0a48dc07edd3e2c39746eeb
SHA256

e6997a4bc477225ba0d81f71453738240ff25beabbe06a10cc3af3beb8635b12
SHA512

200ff717f65d7be304f683085aa00e7d711b538888b06a1b99ac22d9693e55122d6f8d6f07fb5a4b799a0f41ceed850b75ebb66b0a28791039fd6b2c6c2ba8f9
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o8l1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023175-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023175-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023243-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023175-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023243-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023175-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023243-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023175-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023243-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023175-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023243-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023175-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023243-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44EA5E28-DFF9-4c17-81FE-3E50117D7430}	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}\stubpath = "C:\\Windows\\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe"	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3973E06-F8A5-4089-9B10-185E9AEAA17A}\stubpath = "C:\\Windows\\{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe"	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED3C6DE-210C-464d-88A0-905D909EF0DF}	{4FBB1BE7-8190-4722-AE94-441211973612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}\stubpath = "C:\\Windows\\{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe"	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5F9A4AA-0C03-4a6c-816E-354227F892CB}	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3973E06-F8A5-4089-9B10-185E9AEAA17A}	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBB1BE7-8190-4722-AE94-441211973612}\stubpath = "C:\\Windows\\{4FBB1BE7-8190-4722-AE94-441211973612}.exe"	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}\stubpath = "C:\\Windows\\{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe"	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}\stubpath = "C:\\Windows\\{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe"	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDF6B521-224A-4165-8CF6-3DE76F883007}	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}\stubpath = "C:\\Windows\\{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe"	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E97C4EBE-3987-4899-A3C4-20916AC37E5B}	{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDF6B521-224A-4165-8CF6-3DE76F883007}\stubpath = "C:\\Windows\\{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe"	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5F9A4AA-0C03-4a6c-816E-354227F892CB}\stubpath = "C:\\Windows\\{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe"	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED3C6DE-210C-464d-88A0-905D909EF0DF}\stubpath = "C:\\Windows\\{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe"	{4FBB1BE7-8190-4722-AE94-441211973612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44EA5E28-DFF9-4c17-81FE-3E50117D7430}\stubpath = "C:\\Windows\\{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe"	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E97C4EBE-3987-4899-A3C4-20916AC37E5B}\stubpath = "C:\\Windows\\{E97C4EBE-3987-4899-A3C4-20916AC37E5B}.exe"	{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBB1BE7-8190-4722-AE94-441211973612}	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe
4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe
1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe
2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe
1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe
3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe
400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe
3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe
2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe
4060	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe
4492	{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe
1048	{E97C4EBE-3987-4899-A3C4-20916AC37E5B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe
File created	C:\Windows\{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe
File created	C:\Windows\{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe
File created	C:\Windows\{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe
File created	C:\Windows\{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe	{4FBB1BE7-8190-4722-AE94-441211973612}.exe
File created	C:\Windows\{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe
File created	C:\Windows\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
File created	C:\Windows\{4FBB1BE7-8190-4722-AE94-441211973612}.exe	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe
File created	C:\Windows\{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe
File created	C:\Windows\{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe
File created	C:\Windows\{E97C4EBE-3987-4899-A3C4-20916AC37E5B}.exe	{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe
File created	C:\Windows\{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4672	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe
Token: SeIncBasePriorityPrivilege	4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe
Token: SeIncBasePriorityPrivilege	1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe
Token: SeIncBasePriorityPrivilege	2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe
Token: SeIncBasePriorityPrivilege	1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe
Token: SeIncBasePriorityPrivilege	3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe
Token: SeIncBasePriorityPrivilege	400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe
Token: SeIncBasePriorityPrivilege	3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe
Token: SeIncBasePriorityPrivilege	2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe
Token: SeIncBasePriorityPrivilege	4060	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe
Token: SeIncBasePriorityPrivilege	4492	{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 1440	4672	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	85
PID 4672 wrote to memory of 1440	4672	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	85
PID 4672 wrote to memory of 1440	4672	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	85
PID 4672 wrote to memory of 4760	4672	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	86
PID 4672 wrote to memory of 4760	4672	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	86
PID 4672 wrote to memory of 4760	4672	2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe	86
PID 1440 wrote to memory of 4216	1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe	87
PID 1440 wrote to memory of 4216	1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe	87
PID 1440 wrote to memory of 4216	1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe	87
PID 1440 wrote to memory of 3188	1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe	88
PID 1440 wrote to memory of 3188	1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe	88
PID 1440 wrote to memory of 3188	1440	{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe	88
PID 4216 wrote to memory of 1040	4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe	90
PID 4216 wrote to memory of 1040	4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe	90
PID 4216 wrote to memory of 1040	4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe	90
PID 4216 wrote to memory of 2320	4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe	91
PID 4216 wrote to memory of 2320	4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe	91
PID 4216 wrote to memory of 2320	4216	{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe	91
PID 1040 wrote to memory of 2388	1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe	92
PID 1040 wrote to memory of 2388	1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe	92
PID 1040 wrote to memory of 2388	1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe	92
PID 1040 wrote to memory of 3336	1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe	93
PID 1040 wrote to memory of 3336	1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe	93
PID 1040 wrote to memory of 3336	1040	{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe	93
PID 2388 wrote to memory of 1460	2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe	94
PID 2388 wrote to memory of 1460	2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe	94
PID 2388 wrote to memory of 1460	2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe	94
PID 2388 wrote to memory of 1740	2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe	95
PID 2388 wrote to memory of 1740	2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe	95
PID 2388 wrote to memory of 1740	2388	{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe	95
PID 1460 wrote to memory of 3232	1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe	97
PID 1460 wrote to memory of 3232	1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe	97
PID 1460 wrote to memory of 3232	1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe	97
PID 1460 wrote to memory of 3568	1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe	96
PID 1460 wrote to memory of 3568	1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe	96
PID 1460 wrote to memory of 3568	1460	{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe	96
PID 3232 wrote to memory of 400	3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe	98
PID 3232 wrote to memory of 400	3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe	98
PID 3232 wrote to memory of 400	3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe	98
PID 3232 wrote to memory of 3920	3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe	99
PID 3232 wrote to memory of 3920	3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe	99
PID 3232 wrote to memory of 3920	3232	{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe	99
PID 400 wrote to memory of 3968	400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe	100
PID 400 wrote to memory of 3968	400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe	100
PID 400 wrote to memory of 3968	400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe	100
PID 400 wrote to memory of 2256	400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe	101
PID 400 wrote to memory of 2256	400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe	101
PID 400 wrote to memory of 2256	400	{4FBB1BE7-8190-4722-AE94-441211973612}.exe	101
PID 3968 wrote to memory of 2648	3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe	102
PID 3968 wrote to memory of 2648	3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe	102
PID 3968 wrote to memory of 2648	3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe	102
PID 3968 wrote to memory of 1028	3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe	103
PID 3968 wrote to memory of 1028	3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe	103
PID 3968 wrote to memory of 1028	3968	{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe	103
PID 2648 wrote to memory of 4060	2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe	104
PID 2648 wrote to memory of 4060	2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe	104
PID 2648 wrote to memory of 4060	2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe	104
PID 2648 wrote to memory of 2136	2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe	105
PID 2648 wrote to memory of 2136	2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe	105
PID 2648 wrote to memory of 2136	2648	{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe	105
PID 4060 wrote to memory of 4492	4060	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe	106
PID 4060 wrote to memory of 4492	4060	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe	106
PID 4060 wrote to memory of 4492	4060	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe	106
PID 4060 wrote to memory of 2316	4060	{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_86afcb3c235fe58010f810d671aeae33_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe
  C:\Windows\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe
    C:\Windows\{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe
      C:\Windows\{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe
        
        C:\Windows\{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe
        
        C:\Windows\{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F9A~1.EXE > nul
        7⤵
        
        PID:3568
        
        C:\Windows\{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe
        
        C:\Windows\{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{4FBB1BE7-8190-4722-AE94-441211973612}.exe
        
        C:\Windows\{4FBB1BE7-8190-4722-AE94-441211973612}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe
        
        C:\Windows\{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe
        
        C:\Windows\{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe
        
        C:\Windows\{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe
        
        C:\Windows\{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\{E97C4EBE-3987-4899-A3C4-20916AC37E5B}.exe
        
        C:\Windows\{E97C4EBE-3987-4899-A3C4-20916AC37E5B}.exe
        13⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{455AB~1.EXE > nul
        13⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB5C~1.EXE > nul
        12⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44EA5~1.EXE > nul
        11⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ED3C~1.EXE > nul
        10⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FBB1~1.EXE > nul
        9⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3973~1.EXE > nul
        8⤵
        
        PID:3920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C48~1.EXE > nul
        6⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDF6B~1.EXE > nul
        5⤵
        
        PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{94F5A~1.EXE > nul
      4⤵
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B5EA3~1.EXE > nul
    3⤵
    PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{44EA5E28-DFF9-4c17-81FE-3E50117D7430}.exe

Filesize
192KB

MD5
5aaa0c7ac5ab7d10cc80b6d7e8c38808

SHA1
c747096b14e2869fe0e57051b3570692181873e5

SHA256
c994697d1afb0162f95735bbdc43ef7d6c6b51fa9d26fb9cae9c6b28fd218a2e

SHA512
28f06b7f3b7eccbd9280a6e083296f466da2c8f68e36b1025f9fd73c86e346c15372825f72108fa164a4b43c4cc5a5d3ebe2766908967f8237783501c0665d9b

Download Submit
C:\Windows\{455AB3C1-1E08-4ac6-9DAF-5669AA2427E4}.exe

Filesize
192KB

MD5
41eb0896fae4af85fc938088a895bfc2

SHA1
eaad4a0d2756ae44ed196a8980ec6026fc7c8bd3

SHA256
a81e518686af8f7de54085564e6a5e0da1c8a6b3ad99c5be99df2f666a997301

SHA512
78d006dfcb1268928be62aa9d725e84f6da8b0d5799d5ead1da5534f9dd49740dbdc88138c27d3fbd33eb64d2efb6db4468b5b6590e821e203dacab7afa77c8f

Download Submit
C:\Windows\{4FBB1BE7-8190-4722-AE94-441211973612}.exe

Filesize
192KB

MD5
02b6d771a27a83a0848cf8e88a47d5b6

SHA1
88decfc9ddb51aabaec66e4088cc05997580939c

SHA256
fef2329978904f531aedf335605066b236065cd2e1174d08d10b0cb2a064cba6

SHA512
28361eeac0afd3e838025404827aa5c27021c5816606ceaf5b8751c31c4af574a43ada03ead153ca8aa48f4538bc0945a4ce72a6ef4a246f5b6590b94a0bb36c

Download Submit
C:\Windows\{7ED3C6DE-210C-464d-88A0-905D909EF0DF}.exe

Filesize
192KB

MD5
6ed8dd119a600725443c2752c9e4fddb

SHA1
185c702aba2aeadddb0be7fa2f12cb2420f1f1da

SHA256
aee91ade5d519ef0338fa866bd5b9a557a16a3a4bf92537342fa778628d87fae

SHA512
aaee2be232c3b4edf6d4e6aa62ffea15e091a75c3c77b286f4916e4a789efc75dc09275af1fd6ae34993d5d43d5ac44f0195bb74d6fd929ee77dc5601bed3935

Download Submit
C:\Windows\{8CB5C549-1CEE-4ab1-92AD-E78C7E002E9D}.exe

Filesize
192KB

MD5
9c0b6bb1c05d864580eee60787f2548f

SHA1
eb7d21fc0c14c7c157e4652b1fe4bb56f4514443

SHA256
24425d72e325c35d8e6e1dad802cbe4d9f0dc476ab4740cdb91aa65dc94cf30b

SHA512
94ceaba539d7807f8f54d7649d73253bd3e14fa69d1be1e100e5293646f69dae636d0e6a74a0763fc0a4f8191ee0a52cce654254b4eebe068fb24b1aaa5be12c

Download Submit
C:\Windows\{94F5A1D0-24AA-4c4e-9FB5-FFF960B36A42}.exe

Filesize
192KB

MD5
873ea94a0a078501cba00a81bc2ec26d

SHA1
0ea6ba28c0db0f809ddb215d8eacc692f68741bd

SHA256
f0170e3916c7cacf3428d606dd263be3bd299a022e0f29b2026b9a85e6afe56a

SHA512
b72351cd3e832e0ee2b435ed92d007a2c66e2a072bbf020442d250e38c437b6d309ce54f8c5b56502c41366354c2c9d2046a3a72f937a6611d420b6c0f793f39

Download Submit
C:\Windows\{A3973E06-F8A5-4089-9B10-185E9AEAA17A}.exe

Filesize
192KB

MD5
0fe989f3419175e12698324f16122e78

SHA1
0ae0c1d4f1444b62cae07e45f96535e853f87e07

SHA256
9dac54688077e0e6fe447257b51b4484233fd1290b1c1bad04b1e4041a3f18bc

SHA512
9943dfb859d7edd4de6be70aa617c5ea79abd9161ae9d1fbfbc89ceddf59e5c2eb24e7b2fe802ebff01bf91b1b1fc4c99a1f6e1caabe54ea4274d1c861e74b90

Download Submit
C:\Windows\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe

Filesize
150KB

MD5
b23191ffc950d4a466a170ad4b98b117

SHA1
4d4f85922a1f26d039decb8fd94e2182e91324da

SHA256
e747c980441de42a63be9917683df709ba92a9c0c85bf624a7870cfc2a6e337f

SHA512
8b08e63a40be9b8859bc4e8cdaff7ad464824016ecef5fd1679808902b0a25be194468066979ab3d0860c6aa7c08b273624c21163062fb4d2f1a0abfb2c9ac8a

Download Submit
C:\Windows\{B5EA3FA0-D6E7-4492-A72E-3A2D6A84D652}.exe

Filesize
192KB

MD5
284a2d2c1ab81005d5bee201a35a9120

SHA1
a3d36cc4cdc6d1c55a389f0f488e7f11293c03fa

SHA256
07dab7981319a994b1223ec063d16f00b0b2cef833be5227fdf369e59030b011

SHA512
277f83f37ae027f18071e23417e89bdfcb6fe40b39e97250fe22270eb16d0a2fa9c558316b1b6be42aba5fdc4c328ad2f1c7dcf4b3754981805eedc6fd5a91cc

Download Submit
C:\Windows\{B5F9A4AA-0C03-4a6c-816E-354227F892CB}.exe

Filesize
192KB

MD5
a759ead844c022c90af6dca52da8ee77

SHA1
855806b848498bde6d29b5b96821c77ab44b02f8

SHA256
cc5fb0681173b4a7843272ac377c1bb060b8d2a32c9c2a60a3a4a0302b99fa21

SHA512
026ef8f7687ff7131d8302729b48958a54cdc445252e4b9c6b422cc9fc05c8122b597a3f2f919f808e4dff46ccc3b64133003a95f67e4bc24875010fcd6f8fe1

Download Submit
C:\Windows\{B9C48DF3-0868-41ad-A0C7-4562E252AE8B}.exe

Filesize
192KB

MD5
fd741443b7080851c3f2d9f966a75991

SHA1
f997f74813c8f4d1b061ae31ef25f40f3603210a

SHA256
f552c70ca621b7de9b5c2ce502c52651f0c2cd27a7e28cbf69ddf8c156332aa3

SHA512
2817766d06950c140954319fa9f34539d1504de43ce92579f22b91c686ed0bf62d5bf00b99d73d0f4ccf2751201bb264b15a0e3ba1600d4f26952a9bf4ed0262

Download Submit
C:\Windows\{BDF6B521-224A-4165-8CF6-3DE76F883007}.exe

Filesize
192KB

MD5
c2673dbd76e2180fcfa434e8e48848cf

SHA1
2c7b9feeca487762ad3e8625b08c421c9bf5cfc5

SHA256
70d47826e406a4db407d5937c23b48df23277ee9ded1230c1c23bb6349d6262d

SHA512
7a8bfcf2b270dc95b05b4fa5f7237bfe2a1ee5fa97933270233d004c132f95c81894f31026de96d8d98380a4c37a4747e1f589c38bcbb83953ae2b2f1cb7b888

Download Submit
C:\Windows\{E97C4EBE-3987-4899-A3C4-20916AC37E5B}.exe

Filesize
192KB

MD5
902156d8d423bf79e034a59cca1bc0d3

SHA1
ad92b436a3c648d734be79239f5d59e484518667

SHA256
55dcc0fd50c5493cc75d2d8c06368a3110a0d3bf8b6372f0b9eda55603fe5e37

SHA512
8217c8353769259ed00dca86b9c8c14737adb0f12c55aab3e5f511800fc4e6cc0494f6d9f1843dfc7258d401c9bc25e0c38b4591bd406b9c791a0c479b90b6d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads