f7abe3dd451d75aebfc8aa47eb53002e33a7781ba8e34478635d71d51fbe2610

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 15:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Size

408KB
MD5

eb8bb63ed8f9e11abd72155afc57db49
SHA1

7e8096a79bf86d0a9ff75c53280ade377496f1a9
SHA256

f7abe3dd451d75aebfc8aa47eb53002e33a7781ba8e34478635d71d51fbe2610
SHA512

f6476b339d3a4ea450e4cffd7eb6210b4be9562895e26f432bfacd90effbdbd08e72ea6b7b46d08315becf9807798041fab18f18419f05b2181659e2ffefdfd7
SSDEEP

3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGjldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ee-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231ea-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ee-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ea-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231ee-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231ea-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231ee-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231ea-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231ee-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000231ea-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231ee-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000231ea-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D85C6BC-7653-416f-A0CD-08948418D2C7}	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D85C6BC-7653-416f-A0CD-08948418D2C7}\stubpath = "C:\\Windows\\{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe"	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2476FFAB-4E4D-472d-A43D-EE011E706B75}\stubpath = "C:\\Windows\\{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe"	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}\stubpath = "C:\\Windows\\{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe"	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156BFEA9-3022-4547-A71E-F806C9A35CA9}	{03832A19-8284-4fa8-9484-B519B7995895}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156BFEA9-3022-4547-A71E-F806C9A35CA9}\stubpath = "C:\\Windows\\{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe"	{03832A19-8284-4fa8-9484-B519B7995895}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}\stubpath = "C:\\Windows\\{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe"	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FB63602-D7E9-417f-A209-A42246A451DF}\stubpath = "C:\\Windows\\{3FB63602-D7E9-417f-A209-A42246A451DF}.exe"	{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}\stubpath = "C:\\Windows\\{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe"	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2476FFAB-4E4D-472d-A43D-EE011E706B75}	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03832A19-8284-4fa8-9484-B519B7995895}	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03832A19-8284-4fa8-9484-B519B7995895}\stubpath = "C:\\Windows\\{03832A19-8284-4fa8-9484-B519B7995895}.exe"	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}\stubpath = "C:\\Windows\\{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe"	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}\stubpath = "C:\\Windows\\{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe"	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}\stubpath = "C:\\Windows\\{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe"	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}\stubpath = "C:\\Windows\\{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe"	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FB63602-D7E9-417f-A209-A42246A451DF}	{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe

Executes dropped EXE 12 IoCs

pid	Process
848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe
2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe
4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe
4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe
2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe
2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe
1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe
464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe
4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe
936	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe
2276	{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe
4692	{3FB63602-D7E9-417f-A209-A42246A451DF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3FB63602-D7E9-417f-A209-A42246A451DF}.exe	{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe
File created	C:\Windows\{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe
File created	C:\Windows\{03832A19-8284-4fa8-9484-B519B7995895}.exe	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe
File created	C:\Windows\{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe	{03832A19-8284-4fa8-9484-B519B7995895}.exe
File created	C:\Windows\{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe
File created	C:\Windows\{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe
File created	C:\Windows\{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe
File created	C:\Windows\{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe
File created	C:\Windows\{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
File created	C:\Windows\{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe
File created	C:\Windows\{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe
File created	C:\Windows\{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1248	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Token: SeIncBasePriorityPrivilege	848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe
Token: SeIncBasePriorityPrivilege	2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe
Token: SeIncBasePriorityPrivilege	4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe
Token: SeIncBasePriorityPrivilege	4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe
Token: SeIncBasePriorityPrivilege	2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe
Token: SeIncBasePriorityPrivilege	2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe
Token: SeIncBasePriorityPrivilege	1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe
Token: SeIncBasePriorityPrivilege	464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe
Token: SeIncBasePriorityPrivilege	4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe
Token: SeIncBasePriorityPrivilege	936	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe
Token: SeIncBasePriorityPrivilege	2276	{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 848	1248	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	90
PID 1248 wrote to memory of 848	1248	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	90
PID 1248 wrote to memory of 848	1248	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	90
PID 1248 wrote to memory of 4996	1248	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	91
PID 1248 wrote to memory of 4996	1248	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	91
PID 1248 wrote to memory of 4996	1248	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	91
PID 848 wrote to memory of 2564	848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe	92
PID 848 wrote to memory of 2564	848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe	92
PID 848 wrote to memory of 2564	848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe	92
PID 848 wrote to memory of 4704	848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe	93
PID 848 wrote to memory of 4704	848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe	93
PID 848 wrote to memory of 4704	848	{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe	93
PID 2564 wrote to memory of 4240	2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe	96
PID 2564 wrote to memory of 4240	2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe	96
PID 2564 wrote to memory of 4240	2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe	96
PID 2564 wrote to memory of 1712	2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe	97
PID 2564 wrote to memory of 1712	2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe	97
PID 2564 wrote to memory of 1712	2564	{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe	97
PID 4240 wrote to memory of 4428	4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe	98
PID 4240 wrote to memory of 4428	4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe	98
PID 4240 wrote to memory of 4428	4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe	98
PID 4240 wrote to memory of 1960	4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe	99
PID 4240 wrote to memory of 1960	4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe	99
PID 4240 wrote to memory of 1960	4240	{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe	99
PID 4428 wrote to memory of 2216	4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe	100
PID 4428 wrote to memory of 2216	4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe	100
PID 4428 wrote to memory of 2216	4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe	100
PID 4428 wrote to memory of 2236	4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe	101
PID 4428 wrote to memory of 2236	4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe	101
PID 4428 wrote to memory of 2236	4428	{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe	101
PID 2216 wrote to memory of 2892	2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe	102
PID 2216 wrote to memory of 2892	2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe	102
PID 2216 wrote to memory of 2892	2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe	102
PID 2216 wrote to memory of 4556	2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe	103
PID 2216 wrote to memory of 4556	2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe	103
PID 2216 wrote to memory of 4556	2216	{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe	103
PID 2892 wrote to memory of 1152	2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe	104
PID 2892 wrote to memory of 1152	2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe	104
PID 2892 wrote to memory of 1152	2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe	104
PID 2892 wrote to memory of 1364	2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe	105
PID 2892 wrote to memory of 1364	2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe	105
PID 2892 wrote to memory of 1364	2892	{03832A19-8284-4fa8-9484-B519B7995895}.exe	105
PID 1152 wrote to memory of 464	1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe	106
PID 1152 wrote to memory of 464	1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe	106
PID 1152 wrote to memory of 464	1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe	106
PID 1152 wrote to memory of 3816	1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe	107
PID 1152 wrote to memory of 3816	1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe	107
PID 1152 wrote to memory of 3816	1152	{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe	107
PID 464 wrote to memory of 4484	464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe	108
PID 464 wrote to memory of 4484	464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe	108
PID 464 wrote to memory of 4484	464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe	108
PID 464 wrote to memory of 1784	464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe	109
PID 464 wrote to memory of 1784	464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe	109
PID 464 wrote to memory of 1784	464	{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe	109
PID 4484 wrote to memory of 936	4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe	114
PID 4484 wrote to memory of 936	4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe	114
PID 4484 wrote to memory of 936	4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe	114
PID 4484 wrote to memory of 1880	4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe	115
PID 4484 wrote to memory of 1880	4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe	115
PID 4484 wrote to memory of 1880	4484	{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe	115
PID 936 wrote to memory of 2276	936	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe	116
PID 936 wrote to memory of 2276	936	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe	116
PID 936 wrote to memory of 2276	936	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe	116
PID 936 wrote to memory of 1856	936	{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe
  C:\Windows\{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe
    C:\Windows\{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe
      C:\Windows\{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe
        
        C:\Windows\{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe
        
        C:\Windows\{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{03832A19-8284-4fa8-9484-B519B7995895}.exe
        
        C:\Windows\{03832A19-8284-4fa8-9484-B519B7995895}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe
        
        C:\Windows\{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe
        
        C:\Windows\{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe
        
        C:\Windows\{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe
        
        C:\Windows\{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe
        
        C:\Windows\{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{3FB63602-D7E9-417f-A209-A42246A451DF}.exe
        
        C:\Windows\{3FB63602-D7E9-417f-A209-A42246A451DF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14CA1~1.EXE > nul
        13⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45C8B~1.EXE > nul
        12⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A4AF~1.EXE > nul
        11⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D85C~1.EXE > nul
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{156BF~1.EXE > nul
        9⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03832~1.EXE > nul
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8262~1.EXE > nul
        7⤵
        
        PID:4556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA599~1.EXE > nul
        6⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2476F~1.EXE > nul
        5⤵
        
        PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1BC47~1.EXE > nul
      4⤵
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E37A8~1.EXE > nul
    3⤵
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03832A19-8284-4fa8-9484-B519B7995895}.exe

Filesize
408KB

MD5
3e5d1ec30d47afd6f2f35a3f53d91a08

SHA1
223ab44c4d9a5671a123b907eaab31fc95b99ee3

SHA256
5ff706f6d86ebc7cd65af0a38fba6a43c1bd8ce7d0e01bbc35afd4e6b8389ac3

SHA512
c7ca3d2803854c0d041d563ed8ba920730848acc7024b5e107d7a84ac65d983be9518995cb159d1790be6d09bb66cd54e366f481a37ad34da5108c140a5c403d

Download Submit
C:\Windows\{14CA1A63-23E7-48d8-ABE6-F67D3C60BBDA}.exe

Filesize
408KB

MD5
a018bcb68bc935808175eaeeea862022

SHA1
cf71ad1c97e712ab008d6b3a108f1db8fd7e7b14

SHA256
58b4b86e78197349d5081f1df10b9821c3d17264e48454512bd6ea6f09fd8261

SHA512
b577612ced6bd653a4a946fa4b9ba378b215141c1cfb79d163314b4467abb7f4c6eea04365bcbd65bb345235ea9fa9d151c48b3800f654cd8d62108d5b77fca6

Download Submit
C:\Windows\{156BFEA9-3022-4547-A71E-F806C9A35CA9}.exe

Filesize
408KB

MD5
d42ef179271da0fbe7d156086888bd35

SHA1
4f104c195cdf6de1f4bdff542ed4874129b75add

SHA256
9cec1502227fadf23ec14c60a39b4dd13357faf15e9069f337fb4a8928c66246

SHA512
cb565a68881d924269f0c46e335b0be0d1fe78b2385dbbe1e42283f096cf4508da6eae321d2c4f77316dee48cd9ac602a0d3556562743abebe8363874be21409

Download Submit
C:\Windows\{1BC47F7F-CE90-4744-9F06-0ADE26A32E3C}.exe

Filesize
408KB

MD5
416e7964e36685593787e33dca5613e3

SHA1
7ece039b373b7fc7bb52571ba2bddc443c2fe5e8

SHA256
deebeaaa4d95fc4e6bc16da6ea3888e3066b353c56f9b83b140aa6cf0c950a36

SHA512
5ad96a7ea5a1a20842c7061b13a3ac88cfc093d67f41e1d0265fcc4a70c673e2cd23a0f0bdb2f210c77d8ccdb55d7136595786c179ab0a2e7bca650547717c7f

Download Submit
C:\Windows\{2476FFAB-4E4D-472d-A43D-EE011E706B75}.exe

Filesize
408KB

MD5
cb14616d485e0e6f66a706ab8a1e8e52

SHA1
4f8901aacba3064693983bdad33a394c58a2dbe9

SHA256
1fa3cfe4a2204be12d0d0f2af075e8b56062579cd8af9845bd154de887173724

SHA512
5eb8e11036c15b32a059714545620c172f8168080bafef3f2f985f3c63e40d0a77059946b65dc2b9bd91d95cde87b410269157bea687614d118ee199e7f556aa

Download Submit
C:\Windows\{3FB63602-D7E9-417f-A209-A42246A451DF}.exe

Filesize
408KB

MD5
110ec01ec6f7f10408cc3db5fc91f884

SHA1
59d57ef6f416ee287f0bb99bdc797c3dd0d1b5a2

SHA256
436b290acf61d0bf5894e0aed67d455e3dca8402d1513b56c1931c4793316045

SHA512
0f392dab46a8e2e79088f1c75f8f93d068c9db1162381935ed08657e93959de3a107bcc43680768d4332b485a4276161ae58c8fcdd2b7a7e035b5bb3361e44bc

Download Submit
C:\Windows\{45C8BB95-E4B1-4ef1-9BD6-161CAFBB3AD3}.exe

Filesize
408KB

MD5
f42f7e8c2d1f176aec6f77854947a0be

SHA1
d9701da76ee64f77f9124ecea498ef883ec5fc99

SHA256
e812014153f7ea9c3ecbc758267619b66b791b347000053c67039fb33fab401c

SHA512
ae9b8fc88f6ce0b89f1f512471607f64f597eb886e22437b8b05586ff2b2024c89d945cbf0829eddebcc3a247db2cf865449588bcbd95a0b151c3f9cbb173abe

Download Submit
C:\Windows\{4D85C6BC-7653-416f-A0CD-08948418D2C7}.exe

Filesize
408KB

MD5
224efcc97a88e20c14afc919efe3ca0f

SHA1
d9101b1c2418c5ff8072478ed87258919186af17

SHA256
47da6b9586ccc6c92639c0b9f2a2b5960f97c4985a51b2c7b4de7df3ee14ea64

SHA512
59467c88d264c1ce425205153fe4c16d4cf19b200fd343c08d0f95ee8de50e8cfb7198cdd6a2af5d3f6e5eace554a2c428b4e6b2fcf3fd25e544167588f3b3f9

Download Submit
C:\Windows\{9A4AFFBA-ED55-47f5-9759-7CB183EA0739}.exe

Filesize
408KB

MD5
9d14ee392de8141201536a5ebd5aa686

SHA1
234cace996d28d75fc4ddc1bece7d9ee70d0ddf2

SHA256
aeb77062a183d2f772c1b005d6532a1a61cd0167ae54ab9e1058c443bb12f628

SHA512
1dd664b369bb980d5517e5674ea5e4127dca8b835f10d660f747d549c7ce2707875553784672d683c0f1387ec982a2d1c29f8c6706529cf82dde47daf5ad5ca6

Download Submit
C:\Windows\{CA59990C-41FB-4e8a-BD13-C70BE6E5255B}.exe

Filesize
408KB

MD5
8d81d07ccdbf401f9ac3f302d1421301

SHA1
c2ae791acb32240932b42808cd57000a72327dae

SHA256
50059096be1571284b6802d29591fadb4c43d30893b8642d78e3a0c485aeaaa2

SHA512
73a4fc46a99c9ae4aaab4a14d4f59e89f75b4f960db45f3f9fe7137482187d8f1e5e29b0bc284a6be4ea5d4549f5c0f611c2c34207b0d16f35ec0557200748d4

Download Submit
C:\Windows\{E37A8499-DE04-4b8d-8AF5-635D41F5A59F}.exe

Filesize
408KB

MD5
7c3ad57670145d1eb820727fbc0ccd3d

SHA1
965b0a31de67eb6ddb970821f4e05ca333bf4abc

SHA256
15004622d6430a8322aa3ccfc9ac2402d2bb0533f0bc7df3f416a350f82f160c

SHA512
d83bff5b0964dff5d70fb75d947e1cc1cf7965c20e571e50c7eca309851d9738e3c697c9fedf67f93911b9ec9dc898a55e7cc823d408f43590d724393dcc219f

Download Submit
C:\Windows\{F8262804-99F2-49d6-8DF0-DCC56D2F0CD4}.exe

Filesize
408KB

MD5
700ba6c9a464262ae0719ae1cddc1780

SHA1
2977e38d98616cc12d39ceec7d029ae81cac9919

SHA256
68cb1ad23dc2394a9b59c06ce64f94b01eb6adfd9276aa3a85d3bef30bb5207b

SHA512
c1de4c55d3314a59cbc1a288a4ccec90b924f5df358885ff8dbd6c6cf7417d745c304a138061a7041a7a502da9e819e881a9f502826f568a745f0a45797963ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads