f809475b080a75b226bf7eb91a11fdb6eaec7073929fbe85837d4c94b81b707f

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Size

204KB
MD5

186119dce7506ccefe49a256b1709d1d
SHA1

5d9243102cf53c8eb8087d723bc607c2eac67784
SHA256

f809475b080a75b226bf7eb91a11fdb6eaec7073929fbe85837d4c94b81b707f
SHA512

984c2339a49c0da14528b654d2cae98b4052a9aa52fe240c4141bcc3a8f7fd1e3680af6c91b5cb62609fedc9e212b8ead1212f6e9a5030c8d4d3c635ae251150
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231e4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231e0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231e4-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231e0-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231e4-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231e0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231e4-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231e0-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e0-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231e4-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231e0-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0529BD1-DB4B-45ea-AA31-09B333493E66}\stubpath = "C:\\Windows\\{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe"	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{167C5C3B-EA23-41fb-A14E-B1F4747D0706}\stubpath = "C:\\Windows\\{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe"	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4220B788-79B7-40e1-8025-AF5ABC34288E}	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}\stubpath = "C:\\Windows\\{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe"	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}\stubpath = "C:\\Windows\\{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe"	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}\stubpath = "C:\\Windows\\{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe"	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}\stubpath = "C:\\Windows\\{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe"	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F415534D-E012-47d3-B32F-DDA8FB95D942}	{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F415534D-E012-47d3-B32F-DDA8FB95D942}\stubpath = "C:\\Windows\\{F415534D-E012-47d3-B32F-DDA8FB95D942}.exe"	{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}\stubpath = "C:\\Windows\\{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe"	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}\stubpath = "C:\\Windows\\{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe"	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}\stubpath = "C:\\Windows\\{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe"	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0529BD1-DB4B-45ea-AA31-09B333493E66}	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{167C5C3B-EA23-41fb-A14E-B1F4747D0706}	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4220B788-79B7-40e1-8025-AF5ABC34288E}\stubpath = "C:\\Windows\\{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe"	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7F874D3-D321-4c64-851F-A9E8AD18817C}	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7F874D3-D321-4c64-851F-A9E8AD18817C}\stubpath = "C:\\Windows\\{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe"	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe

Executes dropped EXE 12 IoCs

pid	Process
404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe
2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe
3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe
4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe
2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe
2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe
3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe
4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe
3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe
4532	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe
5088	{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe
2508	{F415534D-E012-47d3-B32F-DDA8FB95D942}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F415534D-E012-47d3-B32F-DDA8FB95D942}.exe	{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe
File created	C:\Windows\{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe
File created	C:\Windows\{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe
File created	C:\Windows\{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe
File created	C:\Windows\{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe
File created	C:\Windows\{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe
File created	C:\Windows\{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe
File created	C:\Windows\{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe
File created	C:\Windows\{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe
File created	C:\Windows\{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
File created	C:\Windows\{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe
File created	C:\Windows\{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe
Token: SeIncBasePriorityPrivilege	2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe
Token: SeIncBasePriorityPrivilege	3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe
Token: SeIncBasePriorityPrivilege	4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe
Token: SeIncBasePriorityPrivilege	2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe
Token: SeIncBasePriorityPrivilege	2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe
Token: SeIncBasePriorityPrivilege	3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe
Token: SeIncBasePriorityPrivilege	4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe
Token: SeIncBasePriorityPrivilege	3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe
Token: SeIncBasePriorityPrivilege	4532	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe
Token: SeIncBasePriorityPrivilege	5088	{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 404	2928	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	89
PID 2928 wrote to memory of 404	2928	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	89
PID 2928 wrote to memory of 404	2928	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	89
PID 2928 wrote to memory of 1068	2928	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	90
PID 2928 wrote to memory of 1068	2928	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	90
PID 2928 wrote to memory of 1068	2928	2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe	90
PID 404 wrote to memory of 2440	404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe	91
PID 404 wrote to memory of 2440	404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe	91
PID 404 wrote to memory of 2440	404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe	91
PID 404 wrote to memory of 2880	404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe	92
PID 404 wrote to memory of 2880	404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe	92
PID 404 wrote to memory of 2880	404	{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe	92
PID 2440 wrote to memory of 3312	2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe	95
PID 2440 wrote to memory of 3312	2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe	95
PID 2440 wrote to memory of 3312	2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe	95
PID 2440 wrote to memory of 3292	2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe	94
PID 2440 wrote to memory of 3292	2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe	94
PID 2440 wrote to memory of 3292	2440	{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe	94
PID 3312 wrote to memory of 4672	3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe	96
PID 3312 wrote to memory of 4672	3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe	96
PID 3312 wrote to memory of 4672	3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe	96
PID 3312 wrote to memory of 1772	3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe	97
PID 3312 wrote to memory of 1772	3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe	97
PID 3312 wrote to memory of 1772	3312	{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe	97
PID 4672 wrote to memory of 2064	4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe	98
PID 4672 wrote to memory of 2064	4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe	98
PID 4672 wrote to memory of 2064	4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe	98
PID 4672 wrote to memory of 1128	4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe	99
PID 4672 wrote to memory of 1128	4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe	99
PID 4672 wrote to memory of 1128	4672	{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe	99
PID 2064 wrote to memory of 2432	2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe	100
PID 2064 wrote to memory of 2432	2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe	100
PID 2064 wrote to memory of 2432	2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe	100
PID 2064 wrote to memory of 1880	2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe	101
PID 2064 wrote to memory of 1880	2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe	101
PID 2064 wrote to memory of 1880	2064	{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe	101
PID 2432 wrote to memory of 3356	2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe	102
PID 2432 wrote to memory of 3356	2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe	102
PID 2432 wrote to memory of 3356	2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe	102
PID 2432 wrote to memory of 312	2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe	103
PID 2432 wrote to memory of 312	2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe	103
PID 2432 wrote to memory of 312	2432	{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe	103
PID 3356 wrote to memory of 4480	3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe	104
PID 3356 wrote to memory of 4480	3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe	104
PID 3356 wrote to memory of 4480	3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe	104
PID 3356 wrote to memory of 3920	3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe	105
PID 3356 wrote to memory of 3920	3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe	105
PID 3356 wrote to memory of 3920	3356	{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe	105
PID 4480 wrote to memory of 3744	4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe	106
PID 4480 wrote to memory of 3744	4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe	106
PID 4480 wrote to memory of 3744	4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe	106
PID 4480 wrote to memory of 4488	4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe	107
PID 4480 wrote to memory of 4488	4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe	107
PID 4480 wrote to memory of 4488	4480	{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe	107
PID 3744 wrote to memory of 4532	3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe	108
PID 3744 wrote to memory of 4532	3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe	108
PID 3744 wrote to memory of 4532	3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe	108
PID 3744 wrote to memory of 3184	3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe	109
PID 3744 wrote to memory of 3184	3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe	109
PID 3744 wrote to memory of 3184	3744	{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe	109
PID 4532 wrote to memory of 5088	4532	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe	110
PID 4532 wrote to memory of 5088	4532	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe	110
PID 4532 wrote to memory of 5088	4532	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe	110
PID 4532 wrote to memory of 1688	4532	{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_186119dce7506ccefe49a256b1709d1d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe
  C:\Windows\{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe
    C:\Windows\{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC03E~1.EXE > nul
      4⤵
      PID:3292
  - - C:\Windows\{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe
      C:\Windows\{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3312
    - - C:\Windows\{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe
        
        C:\Windows\{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Windows\{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe
        
        C:\Windows\{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe
        
        C:\Windows\{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe
        
        C:\Windows\{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe
        
        C:\Windows\{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe
        
        C:\Windows\{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe
        
        C:\Windows\{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe
        
        C:\Windows\{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\{F415534D-E012-47d3-B32F-DDA8FB95D942}.exe
        
        C:\Windows\{F415534D-E012-47d3-B32F-DDA8FB95D942}.exe
        13⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7F87~1.EXE > nul
        13⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07E0E~1.EXE > nul
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0529~1.EXE > nul
        11⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA7FD~1.EXE > nul
        10⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D13FA~1.EXE > nul
        9⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF9C9~1.EXE > nul
        8⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37687~1.EXE > nul
        7⤵
        
        PID:1880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4220B~1.EXE > nul
        6⤵
        
        PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{167C5~1.EXE > nul
        5⤵
        
        PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6607~1.EXE > nul
    3⤵
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07E0E7B9-7D2E-40f3-9D94-B01C8C77D6A6}.exe

Filesize
204KB

MD5
ab97e4988de29e6823c46c1a07b12ed6

SHA1
6726862ef03a252d59e9d74a66da2cec8db638c1

SHA256
5567a4edaf5e1044ac706a7b85ae51b950d31feaf77a267883b307318bbde06b

SHA512
e1634bec381120c3776756593dfe03acab80d24875ef8318e1c8bd05fb38c6c47254948466c05c61601638e7edc792baf0da4b76d2e47e7de0951890ec3bb932

Download Submit
C:\Windows\{167C5C3B-EA23-41fb-A14E-B1F4747D0706}.exe

Filesize
204KB

MD5
f86a283dd723a68d022e094c6f0efacb

SHA1
01eaf5ea7a3a665c91589469ad0c75e612e43a87

SHA256
87f3b5e07b94ddac9172250a95fbd897cca3375604707ecc6b307334e82e8fe2

SHA512
75749dab8f9b3846b35bda88b9e1938bb2c8dab90214b03726c87a016a49f61fea468a5d2410dc990994bc1f934876acc34cb91b0d8695c8020146502914705b

Download Submit
C:\Windows\{37687588-7B13-43fa-B0E9-FD5AD6FD7E14}.exe

Filesize
204KB

MD5
d72244d3c52c11968de44189f9cd1ac7

SHA1
a7a0d2be4e00ea79a0bfcf26211f0a6be7cec60b

SHA256
88769b2e09202d30d006b5f4e809f8e9e2591f98f62360dc5c1982d48337de96

SHA512
9061eff33660a727807b2094f87565cf941137e951c63022df394dca1776657803ca30bd3a519c293ea00acacb6709288cf1448eff4452afc4c4197fdc8b81ef

Download Submit
C:\Windows\{4220B788-79B7-40e1-8025-AF5ABC34288E}.exe

Filesize
204KB

MD5
573312e516179d8a14d577d842013111

SHA1
6268ad340a3a92cf177251c9f7f3c3959227f2d8

SHA256
0f7c9856a0bb29fa0d766e2039b6ace8f8cf997ee335a32805ebbc9ca0b7c4c5

SHA512
1fb48a051434c30f5690f87de61ba4bb9d4da4b05e1867f14df73116d7683334d975790d35a007f9a65bc465b565ebd717dc08e537858e983c4c96e09168168e

Download Submit
C:\Windows\{A6607B88-34C8-4e3c-88C4-DD11CE9D335C}.exe

Filesize
204KB

MD5
06b2f53c4bed381ba1d7369e35e9af9e

SHA1
65ccb03328728ba96ce56758ccd6eb9e208beeca

SHA256
c87328101ea3ef4e327947cf1ee05564627855f9fc74a30684baf6df9c789506

SHA512
63df6b9fe2f32aa4fc57f664becc344f049452109c5e92536214c6529e086ed302781298b5cfc75800df6adfbeb25039eec112369cf397905d83175b92523efa

Download Submit
C:\Windows\{C7F874D3-D321-4c64-851F-A9E8AD18817C}.exe

Filesize
204KB

MD5
c52483b0ec4a4b287982e84778110cc9

SHA1
ed57f9f9a1e8cb52d7add0ddd0f684dac1a45583

SHA256
8d7c372c25f52d15018d4d0bcb1ee2f961d36606250a704be425828977a0fd4b

SHA512
245d2491240210b01364c7364dd4c48300f8d805e3848686c8004c1e296221a7b4772b091b910a93a059311535f7b68e56f9b1c0a7381fb36e8df1af84eb8bd0

Download Submit
C:\Windows\{D13FA6AD-9D91-4354-9A2C-19AE13012BB1}.exe

Filesize
204KB

MD5
8a99d1dc7e2bfaf0f5481433139e3558

SHA1
a01dd7b54ca4f47ea04b536bceb27837e07ffd82

SHA256
ac7d015531d9bb7646712b784274f450937c774d1830ebc5f663356b7d01ac8e

SHA512
f202f2c9223bf66f3ef4d132400cadaeddc5cf7b5093eb9abaa939dd557d855e3b89535164fd56b35c35c892f92fbe6bcf5311c3c1c4bd44e337acd40d10bbc9

Download Submit
C:\Windows\{DC03E250-B94B-4087-B6D0-82FE5F63F6E0}.exe

Filesize
204KB

MD5
0ec1c534f3fae8be51eb05e256ad8f4c

SHA1
39b8ebfdf341cd3cb5f999ea8028f014033251cf

SHA256
2f7c1f2f63330e5d18bf06f239aa552d9ab977b8d06365ea24c8672042f4b1fa

SHA512
4d21f75f4caaf93d073df0aabf1e7294577dab63ee7f82710c937a8632eaad9555b128aed25b9e6950d3d66955bd4fc23764439ce6639702d7eed877c95afcc1

Download Submit
C:\Windows\{DF9C9416-E4A3-48e5-97E0-9914BCD2C315}.exe

Filesize
204KB

MD5
b876ebd89a35cd7e7f88246fbe0955b6

SHA1
fb318e1ec15c8be3aac7c32405f301bf87d38c54

SHA256
baa46ba92e3ae8f9e27730e051709ff2dd11becbd533c8490ca732126d5950e0

SHA512
85a8d5dc7976df205de7b17e734856746227f4676a251ab2ee32a6a55f1cc444007b2eb6edf6d586c74d6ccc88aac71b12c03f557516b8e94dc39a2ce16f73b6

Download Submit
C:\Windows\{E0529BD1-DB4B-45ea-AA31-09B333493E66}.exe

Filesize
204KB

MD5
5c8cbaf2166f8ff7f61d578f21de69c8

SHA1
d40c36b61ce34d229a954cf8c7f45735ade0c122

SHA256
b786261b105b5b856d71e2001589ba6d56dc6809a054c7ef54c034772fea7b07

SHA512
2012830120aac70105242608601d4587a6e1eba8e616b9f74d0c0bd4621572c1da18c3667dbe538e0756e1b4a59e8f720db5c7b2c33282098d0dacd534ebb1fb

Download Submit
C:\Windows\{EA7FD485-0A1C-44a5-AE66-0B2C9977FD0C}.exe

Filesize
204KB

MD5
b1730404dd6d55af8305415030fe7158

SHA1
8061fe9282838894ad49b3dcfd87343a39e097d6

SHA256
d22d4fefb73492ff808496308c606634d84df591ea24bbf421a389ea76100846

SHA512
aa17f42bf24fe2e04bd101ff39ee4d357a5fbc9bc20fa25fef8d0befc2ed8fe1427a8e6710979bfcbda0d5813f4d8fabd911d7714a41f6a464dac61c3600bf81

Download Submit
C:\Windows\{F415534D-E012-47d3-B32F-DDA8FB95D942}.exe

Filesize
204KB

MD5
0cef4f6357118de8cd8b60e356db8d07

SHA1
7c60f70e000d7ebfd559915c9f33bfef505e9488

SHA256
d2971e5f03d158c2d5c1c37c219db519a482a7508471f856d4ec00837ab89d3e

SHA512
5ee7ee6de8573cb9c28b64883e5696c9aa2338677f818b511ae375a3d65612085053ebfc909281be889e8ad27878f0958496ead36973dae555cd004ffe0082bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads