6fbd76019a55044047d456a5783e76d2aa48d306c0cfad51dceb83765ce85718

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe
Size

372KB
MD5

cb17c0f2f45c8acd19427cb8a3eba5b4
SHA1

01a76537d2737a9a876fcb9c41e046f345ab4043
SHA256

6fbd76019a55044047d456a5783e76d2aa48d306c0cfad51dceb83765ce85718
SHA512

1000a1bf69431133ce0a8c54a13e4a6182abfec2a0ac872da4371fbf44366fc5ff66eb67e2bddfde13a83d2adad063e0edf77d4ebb426a056201d70c0e8dc127
SSDEEP

3072:CEGh0oFlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGjlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023003-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002301f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023003-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023003-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002301f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023003-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002301f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023003-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002301f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023003-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002301f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023003-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002301f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9469412-01D6-4b64-B779-DE158D3679FE}	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32609DAD-5080-4dcb-91D4-1350DF712883}\stubpath = "C:\\Windows\\{32609DAD-5080-4dcb-91D4-1350DF712883}.exe"	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}\stubpath = "C:\\Windows\\{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe"	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}\stubpath = "C:\\Windows\\{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe"	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA21580-11C2-4b51-8DB1-43D39E74BB83}	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AEC9BC7-5C2B-4336-B761-1226263610C6}\stubpath = "C:\\Windows\\{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe"	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}\stubpath = "C:\\Windows\\{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe"	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AEC9BC7-5C2B-4336-B761-1226263610C6}	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F716E31-0F4E-417f-856D-B8E60D0F655C}	{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9469412-01D6-4b64-B779-DE158D3679FE}\stubpath = "C:\\Windows\\{A9469412-01D6-4b64-B779-DE158D3679FE}.exe"	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD53980-6B53-49af-AA78-3D5D28D4E586}	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD53980-6B53-49af-AA78-3D5D28D4E586}\stubpath = "C:\\Windows\\{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe"	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}\stubpath = "C:\\Windows\\{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe"	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F716E31-0F4E-417f-856D-B8E60D0F655C}\stubpath = "C:\\Windows\\{9F716E31-0F4E-417f-856D-B8E60D0F655C}.exe"	{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA21580-11C2-4b51-8DB1-43D39E74BB83}\stubpath = "C:\\Windows\\{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe"	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32609DAD-5080-4dcb-91D4-1350DF712883}	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}\stubpath = "C:\\Windows\\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe"	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}\stubpath = "C:\\Windows\\{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe"	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe

Executes dropped EXE 12 IoCs

pid	Process
2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe
732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe
4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe
2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe
3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe
1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe
2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe
1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe
1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe
4076	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe
2880	{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe
1380	{9F716E31-0F4E-417f-856D-B8E60D0F655C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe
File created	C:\Windows\{9F716E31-0F4E-417f-856D-B8E60D0F655C}.exe	{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe
File created	C:\Windows\{32609DAD-5080-4dcb-91D4-1350DF712883}.exe	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe
File created	C:\Windows\{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe
File created	C:\Windows\{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe
File created	C:\Windows\{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe
File created	C:\Windows\{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe
File created	C:\Windows\{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe
File created	C:\Windows\{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe
File created	C:\Windows\{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe
File created	C:\Windows\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe
File created	C:\Windows\{A9469412-01D6-4b64-B779-DE158D3679FE}.exe	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3360	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe
Token: SeIncBasePriorityPrivilege	732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe
Token: SeIncBasePriorityPrivilege	4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe
Token: SeIncBasePriorityPrivilege	2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe
Token: SeIncBasePriorityPrivilege	3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe
Token: SeIncBasePriorityPrivilege	1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe
Token: SeIncBasePriorityPrivilege	2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe
Token: SeIncBasePriorityPrivilege	1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe
Token: SeIncBasePriorityPrivilege	1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe
Token: SeIncBasePriorityPrivilege	4076	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe
Token: SeIncBasePriorityPrivilege	2880	{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 2604	3360	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe	85
PID 3360 wrote to memory of 2604	3360	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe	85
PID 3360 wrote to memory of 2604	3360	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe	85
PID 3360 wrote to memory of 1540	3360	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe	86
PID 3360 wrote to memory of 1540	3360	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe	86
PID 3360 wrote to memory of 1540	3360	2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe	86
PID 2604 wrote to memory of 732	2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe	87
PID 2604 wrote to memory of 732	2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe	87
PID 2604 wrote to memory of 732	2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe	87
PID 2604 wrote to memory of 3236	2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe	88
PID 2604 wrote to memory of 3236	2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe	88
PID 2604 wrote to memory of 3236	2604	{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe	88
PID 732 wrote to memory of 4772	732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe	91
PID 732 wrote to memory of 4772	732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe	91
PID 732 wrote to memory of 4772	732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe	91
PID 732 wrote to memory of 1552	732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe	92
PID 732 wrote to memory of 1552	732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe	92
PID 732 wrote to memory of 1552	732	{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe	92
PID 4772 wrote to memory of 2716	4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe	93
PID 4772 wrote to memory of 2716	4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe	93
PID 4772 wrote to memory of 2716	4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe	93
PID 4772 wrote to memory of 4848	4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe	94
PID 4772 wrote to memory of 4848	4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe	94
PID 4772 wrote to memory of 4848	4772	{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe	94
PID 2716 wrote to memory of 3904	2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe	95
PID 2716 wrote to memory of 3904	2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe	95
PID 2716 wrote to memory of 3904	2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe	95
PID 2716 wrote to memory of 2400	2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe	96
PID 2716 wrote to memory of 2400	2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe	96
PID 2716 wrote to memory of 2400	2716	{A9469412-01D6-4b64-B779-DE158D3679FE}.exe	96
PID 3904 wrote to memory of 1688	3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe	97
PID 3904 wrote to memory of 1688	3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe	97
PID 3904 wrote to memory of 1688	3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe	97
PID 3904 wrote to memory of 2156	3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe	98
PID 3904 wrote to memory of 2156	3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe	98
PID 3904 wrote to memory of 2156	3904	{32609DAD-5080-4dcb-91D4-1350DF712883}.exe	98
PID 1688 wrote to memory of 2912	1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe	99
PID 1688 wrote to memory of 2912	1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe	99
PID 1688 wrote to memory of 2912	1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe	99
PID 1688 wrote to memory of 1556	1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe	100
PID 1688 wrote to memory of 1556	1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe	100
PID 1688 wrote to memory of 1556	1688	{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe	100
PID 2912 wrote to memory of 1740	2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe	101
PID 2912 wrote to memory of 1740	2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe	101
PID 2912 wrote to memory of 1740	2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe	101
PID 2912 wrote to memory of 4232	2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe	102
PID 2912 wrote to memory of 4232	2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe	102
PID 2912 wrote to memory of 4232	2912	{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe	102
PID 1740 wrote to memory of 1712	1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe	103
PID 1740 wrote to memory of 1712	1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe	103
PID 1740 wrote to memory of 1712	1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe	103
PID 1740 wrote to memory of 2208	1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe	104
PID 1740 wrote to memory of 2208	1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe	104
PID 1740 wrote to memory of 2208	1740	{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe	104
PID 1712 wrote to memory of 4076	1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe	109
PID 1712 wrote to memory of 4076	1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe	109
PID 1712 wrote to memory of 4076	1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe	109
PID 1712 wrote to memory of 4944	1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe	110
PID 1712 wrote to memory of 4944	1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe	110
PID 1712 wrote to memory of 4944	1712	{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe	110
PID 4076 wrote to memory of 2880	4076	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe	111
PID 4076 wrote to memory of 2880	4076	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe	111
PID 4076 wrote to memory of 2880	4076	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe	111
PID 4076 wrote to memory of 4460	4076	{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_cb17c0f2f45c8acd19427cb8a3eba5b4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe
  C:\Windows\{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe
    C:\Windows\{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe
      C:\Windows\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\{A9469412-01D6-4b64-B779-DE158D3679FE}.exe
        
        C:\Windows\{A9469412-01D6-4b64-B779-DE158D3679FE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\{32609DAD-5080-4dcb-91D4-1350DF712883}.exe
        
        C:\Windows\{32609DAD-5080-4dcb-91D4-1350DF712883}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe
        
        C:\Windows\{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe
        
        C:\Windows\{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe
        
        C:\Windows\{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe
        
        C:\Windows\{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe
        
        C:\Windows\{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe
        
        C:\Windows\{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{9F716E31-0F4E-417f-856D-B8E60D0F655C}.exe
        
        C:\Windows\{9F716E31-0F4E-417f-856D-B8E60D0F655C}.exe
        13⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AEC9~1.EXE > nul
        13⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8B2A~1.EXE > nul
        12⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB0E0~1.EXE > nul
        11⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FCD6~1.EXE > nul
        10⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD53~1.EXE > nul
        9⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DE7B~1.EXE > nul
        8⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32609~1.EXE > nul
        7⤵
        
        PID:2156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9469~1.EXE > nul
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE8A~1.EXE > nul
        5⤵
        
        PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA21~1.EXE > nul
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1A461~1.EXE > nul
    3⤵
    PID:3236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A461E32-DB07-44d3-8951-7CDC6FDA7B80}.exe

Filesize
372KB

MD5
9e2965b915ac0429707de0bf23f95cfb

SHA1
b93a95c59f31dedbd59f3bcf321f7dec7e9aef89

SHA256
efa0676ff28852da95d5233159cc6966d6004ea92ef884ccbf3096bb88980741

SHA512
0df4597000adffab7d2ee678e7d1e6d97052dc473b0471e9cb8cae6413344a67af511b94910831f95822f058ea31d7d4dd6ac1ad6a53b168dfaa102f9604071c

Download Submit
C:\Windows\{32609DAD-5080-4dcb-91D4-1350DF712883}.exe

Filesize
372KB

MD5
b6af86a15c9fbd8b7e5284dc8dd440a2

SHA1
c705c7df153d12a9b7501a3e038e3469430b0243

SHA256
be0eac510341614038562c3e9636807cb5549737897052cd33750f3925b57bf9

SHA512
26a61ad002f97e783822ce46feeeb2a667e96294196f75580df4d518217502bcb2fd2514c180b5adcfea9f4b3291eff661fee59ab8ba04b1f3939ed31258a4d5

Download Submit
C:\Windows\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe

Filesize
76KB

MD5
d8544f92be149676ba28e9a9ef880894

SHA1
e17a184a241e0922567932ac5d3f2ee4b3f1e545

SHA256
39d11afdd17a756b0e239d0e265063cd3cf0bc7f2431ea5847dcf6935868287e

SHA512
a0ef4cdeaf4c141d4d1b78d1aeea235cb947072e358b1bc5cbe7e3b3cbab7b41bc215837d1cd970da8e691f51e7cac6064424aee5f26a136b7060addb1e2b60f

Download Submit
C:\Windows\{3DE8A43C-C980-44d1-9AF9-8F39B9B35125}.exe

Filesize
372KB

MD5
6046cdf7ecfd0a7d5671919e38746be5

SHA1
b1bff937cf0c55ce4a4bb2fd07a175e95b1fc042

SHA256
a00adb1ddad4614b72bd1b36aba6c8420abfee9f5ed47b6cf1b7f7f719c23015

SHA512
7185fda1c7f16fa24f0f678f7268829be0d8a1f7ca2bc9a83b1b66b9cf12be0d93beab5275e4b1a3b286c214d422200c3a75588d04f6aa40586f3b51d37cf9f5

Download Submit
C:\Windows\{4AEC9BC7-5C2B-4336-B761-1226263610C6}.exe

Filesize
372KB

MD5
6f15e4257ec50d6578762cadd1d92f37

SHA1
c37e222df1af2e3596de4329400e6f984f526509

SHA256
926df7a64442b774544efc5e88e17b39c04c3a9f0611c88a17de7d224830a7f2

SHA512
94358d2fce70af4fa927f5e10b0c90a0a7dd155370e9a40f913f516fa0fe6a11ee1a26af197a1984c29137ac72d1c570cba1153511bfa4842c8ab4cf99db967d

Download Submit
C:\Windows\{4CD53980-6B53-49af-AA78-3D5D28D4E586}.exe

Filesize
372KB

MD5
296a48a2d3004b3cf5f5afe0064992f9

SHA1
3b85297480a62070be3273371763e95e1f5a0968

SHA256
fe8becba092c6f02810e857c83217656da63438f599366abd24b893f89b37515

SHA512
511f51e296c5d06877ed46e61322b6e8244b387138f42ed382f86674c69a45cbc970932b7d3b431d26482e59149f94823f9ea967e6b225295cadd8b8dd0cdbbd

Download Submit
C:\Windows\{5DE7BC68-647F-4a3e-A36A-27BDF88EF05D}.exe

Filesize
372KB

MD5
31dfbe105519b98ff65dbd5263df0848

SHA1
004d4e9d2096b0aa80ee1c43be06a79a44c09579

SHA256
0b4c9865a9193aa73ef353d4de059b54807107f81ef5d45a42b58e846238fb75

SHA512
fea579c422d14d0766851ee64c8e6a0da5508fe239561a75b2a885ca058a8e6063dac486adb2ddd2ce6fcb432f0e1f85a14f6febb662b736b2b9e3d9ed13dba3

Download Submit
C:\Windows\{9F716E31-0F4E-417f-856D-B8E60D0F655C}.exe

Filesize
372KB

MD5
1f356073c719da8b9d13fd066e521887

SHA1
d7e89c51e96d6e4733d86138624c8654af2add85

SHA256
7d614b05e64b8779078867baf7ca58762441399a741a0dcf96266592ac16488b

SHA512
223efb920af00f345f137fdf3254f4741c99135da0039f4411d96d01c286f3e772a03ff10257aebf005f453e5f944f0286532dac0315f623f16d178fcf7b8321

Download Submit
C:\Windows\{9FCD6CE8-9563-4860-8B15-6E776D2F93BA}.exe

Filesize
372KB

MD5
4e51329792663379a8e48a76ca6618bd

SHA1
e137650e517b2c5db21823e24e99d45468a09010

SHA256
17af08b088d66df1050b95ef22a561830c8dce810aed8cac5bad665a1cf8091b

SHA512
6783559a85c2f66058fa6ae6e791546c43e1a78f996c12b542988dad81647411d634d5ed2d16bf49e93e2f6d83fbfd71a4490cb62357aa2a66fb8b51473c8eef

Download Submit
C:\Windows\{A9469412-01D6-4b64-B779-DE158D3679FE}.exe

Filesize
372KB

MD5
057ddf1b7a94fc1084c37f3eb333f623

SHA1
b8b4f404d4547d1a5e8a0172942b8c712b1f932f

SHA256
1a90a1d7b955b15448872964a09556e3cdf60b5f4cd0a6b62e6b560f47e2d159

SHA512
be42635dbfab07a47d50f04ead66989754d3f1f35e96be7ac8128ebc6ad044fe70ebeb393094703dbc77e44ba1d905d51a4da6a8282985db4b20a933cc7c4e60

Download Submit
C:\Windows\{AB0E0041-EF7E-4951-BD63-50BDB2DF24BC}.exe

Filesize
372KB

MD5
c00f50d92128b868ee47f8c73762e67f

SHA1
dec1bcab528182ee9d19d2b729df8448a6de7432

SHA256
3779df217829ccb66a7da1b9fab905ab245c78f25a9dd6098691ac6d29004e81

SHA512
b3cc4e3cf802924476843e5f2b3caf7f6acca1586beb64cadefb41e8fe457612b0d573a1cd19d7c596530746e7ad5e00553f8210ec1dd1fd2e5a99261cff0580

Download Submit
C:\Windows\{F8B2A3A5-AE19-4b06-AD43-F38A4226375C}.exe

Filesize
372KB

MD5
314382be99905cecab797674ac5383e0

SHA1
ff5872a2d3cffc0206d5f2582d14cf5494d09fd1

SHA256
5f80f46f118e3b29e7bf98ef12dfc753c042f6ca426d2eddc084c2e8724d9b9f

SHA512
eb54239771766a25153dcf7b5bfdcc3362c4f5a6985928fe1ee090aa543e12de4499b60f3fef476c97c1e75dceebe6b16581676116b8c1500ffb79b1a5b114e3

Download Submit
C:\Windows\{FFA21580-11C2-4b51-8DB1-43D39E74BB83}.exe

Filesize
372KB

MD5
6e56cd3617db34405ef7ebe4db22f0cf

SHA1
d5a70b3179e7f7c638ac09fcc58362becc4a0a6f

SHA256
da3fb54c718de844f2e61f9cedf71b12ce42ff60dbe7cc300c9dee17e53e02d9

SHA512
0b8b1f7fa8df7cbbb03beea39e0740029e6f28968643509a048094fcdd322cbdeb4a7911d2ff14811176e36686f0d3647d7fccd7177d7ad9ccff9e8b41e1c947

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads