4ca7dcc7ab3e340c3a3c06627fd5fa42121f8314a136b841d29f93e4675d13d1

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Size

216KB
MD5

7f466e6da60479abb7f8d9d522d4fb30
SHA1

833fae78477c6fb7daade00258819977f6fc8ccf
SHA256

4ca7dcc7ab3e340c3a3c06627fd5fa42121f8314a136b841d29f93e4675d13d1
SHA512

22a8d6d37a7c68ea719e7d018bbe33b1c4eab9ce43ee2669839a29a01e644db90a819afeb9d9ed2dbd9b5dcc593d0791ca9751a78a496f2c66ee40d524014870
SSDEEP

3072:jEGh0oQl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGmlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002310b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002310f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002310b-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002310f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002310b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002310f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002310b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002310f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002310b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002310f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002310b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002310f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285FDCD8-DB76-4726-AA3F-444C7E619D11}\stubpath = "C:\\Windows\\{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe"	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}\stubpath = "C:\\Windows\\{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe"	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E96A38E-0C31-41e9-A696-9BECF01BE295}	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40FAAE65-C415-4cb7-8DD8-8C7076565877}\stubpath = "C:\\Windows\\{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe"	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285FDCD8-DB76-4726-AA3F-444C7E619D11}	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}\stubpath = "C:\\Windows\\{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe"	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40FAAE65-C415-4cb7-8DD8-8C7076565877}	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613CEF33-8036-4966-8E31-15B6A1FF5AF9}	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613CEF33-8036-4966-8E31-15B6A1FF5AF9}\stubpath = "C:\\Windows\\{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe"	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6264B12E-A52B-4902-817A-0CE02F985DD9}	{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C64D00-B4CD-4b65-875B-F453214BA43F}\stubpath = "C:\\Windows\\{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe"	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}\stubpath = "C:\\Windows\\{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe"	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}\stubpath = "C:\\Windows\\{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe"	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6264B12E-A52B-4902-817A-0CE02F985DD9}\stubpath = "C:\\Windows\\{6264B12E-A52B-4902-817A-0CE02F985DD9}.exe"	{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04C64D00-B4CD-4b65-875B-F453214BA43F}	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}\stubpath = "C:\\Windows\\{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe"	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137BC5DA-20F4-4ecb-8B24-593738C8308E}	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137BC5DA-20F4-4ecb-8B24-593738C8308E}\stubpath = "C:\\Windows\\{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe"	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E96A38E-0C31-41e9-A696-9BECF01BE295}\stubpath = "C:\\Windows\\{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe"	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe

Executes dropped EXE 12 IoCs

pid	Process
484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe
3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe
3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe
3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe
2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe
3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe
2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe
1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe
4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe
4460	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe
4672	{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe
2044	{6264B12E-A52B-4902-817A-0CE02F985DD9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe
File created	C:\Windows\{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe
File created	C:\Windows\{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe
File created	C:\Windows\{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe
File created	C:\Windows\{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe
File created	C:\Windows\{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe
File created	C:\Windows\{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe
File created	C:\Windows\{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe
File created	C:\Windows\{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe
File created	C:\Windows\{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
File created	C:\Windows\{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe
File created	C:\Windows\{6264B12E-A52B-4902-817A-0CE02F985DD9}.exe	{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	924	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Token: SeIncBasePriorityPrivilege	484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe
Token: SeIncBasePriorityPrivilege	3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe
Token: SeIncBasePriorityPrivilege	3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe
Token: SeIncBasePriorityPrivilege	3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe
Token: SeIncBasePriorityPrivilege	2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe
Token: SeIncBasePriorityPrivilege	3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe
Token: SeIncBasePriorityPrivilege	2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe
Token: SeIncBasePriorityPrivilege	1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe
Token: SeIncBasePriorityPrivilege	4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe
Token: SeIncBasePriorityPrivilege	4460	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe
Token: SeIncBasePriorityPrivilege	4672	{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 484	924	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	80
PID 924 wrote to memory of 484	924	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	80
PID 924 wrote to memory of 484	924	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	80
PID 924 wrote to memory of 1204	924	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	81
PID 924 wrote to memory of 1204	924	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	81
PID 924 wrote to memory of 1204	924	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	81
PID 484 wrote to memory of 3712	484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe	82
PID 484 wrote to memory of 3712	484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe	82
PID 484 wrote to memory of 3712	484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe	82
PID 484 wrote to memory of 4952	484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe	83
PID 484 wrote to memory of 4952	484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe	83
PID 484 wrote to memory of 4952	484	{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe	83
PID 3712 wrote to memory of 3060	3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe	85
PID 3712 wrote to memory of 3060	3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe	85
PID 3712 wrote to memory of 3060	3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe	85
PID 3712 wrote to memory of 3020	3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe	84
PID 3712 wrote to memory of 3020	3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe	84
PID 3712 wrote to memory of 3020	3712	{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe	84
PID 3060 wrote to memory of 3352	3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe	86
PID 3060 wrote to memory of 3352	3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe	86
PID 3060 wrote to memory of 3352	3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe	86
PID 3060 wrote to memory of 3032	3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe	87
PID 3060 wrote to memory of 3032	3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe	87
PID 3060 wrote to memory of 3032	3060	{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe	87
PID 3352 wrote to memory of 2020	3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe	88
PID 3352 wrote to memory of 2020	3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe	88
PID 3352 wrote to memory of 2020	3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe	88
PID 3352 wrote to memory of 416	3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe	89
PID 3352 wrote to memory of 416	3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe	89
PID 3352 wrote to memory of 416	3352	{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe	89
PID 2020 wrote to memory of 3576	2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe	90
PID 2020 wrote to memory of 3576	2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe	90
PID 2020 wrote to memory of 3576	2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe	90
PID 2020 wrote to memory of 3092	2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe	91
PID 2020 wrote to memory of 3092	2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe	91
PID 2020 wrote to memory of 3092	2020	{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe	91
PID 3576 wrote to memory of 2236	3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe	92
PID 3576 wrote to memory of 2236	3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe	92
PID 3576 wrote to memory of 2236	3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe	92
PID 3576 wrote to memory of 1172	3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe	93
PID 3576 wrote to memory of 1172	3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe	93
PID 3576 wrote to memory of 1172	3576	{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe	93
PID 2236 wrote to memory of 1948	2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe	94
PID 2236 wrote to memory of 1948	2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe	94
PID 2236 wrote to memory of 1948	2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe	94
PID 2236 wrote to memory of 3248	2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe	95
PID 2236 wrote to memory of 3248	2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe	95
PID 2236 wrote to memory of 3248	2236	{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe	95
PID 1948 wrote to memory of 4912	1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe	96
PID 1948 wrote to memory of 4912	1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe	96
PID 1948 wrote to memory of 4912	1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe	96
PID 1948 wrote to memory of 3444	1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe	97
PID 1948 wrote to memory of 3444	1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe	97
PID 1948 wrote to memory of 3444	1948	{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe	97
PID 4912 wrote to memory of 4460	4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe	98
PID 4912 wrote to memory of 4460	4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe	98
PID 4912 wrote to memory of 4460	4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe	98
PID 4912 wrote to memory of 4728	4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe	99
PID 4912 wrote to memory of 4728	4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe	99
PID 4912 wrote to memory of 4728	4912	{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe	99
PID 4460 wrote to memory of 4672	4460	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe	100
PID 4460 wrote to memory of 4672	4460	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe	100
PID 4460 wrote to memory of 4672	4460	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe	100
PID 4460 wrote to memory of 1568	4460	{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe	101

C:\Users\Admin\AppData\Local\Temp\2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe
  C:\Windows\{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe
    C:\Windows\{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E96A~1.EXE > nul
      4⤵
      PID:3020
  - - C:\Windows\{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe
      C:\Windows\{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe
        
        C:\Windows\{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Windows\{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe
        
        C:\Windows\{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe
        
        C:\Windows\{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe
        
        C:\Windows\{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe
        
        C:\Windows\{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe
        
        C:\Windows\{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe
        
        C:\Windows\{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe
        
        C:\Windows\{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\{6264B12E-A52B-4902-817A-0CE02F985DD9}.exe
        
        C:\Windows\{6264B12E-A52B-4902-817A-0CE02F985DD9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6CC5~1.EXE > nul
        13⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE40D~1.EXE > nul
        12⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{613CE~1.EXE > nul
        11⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{285FD~1.EXE > nul
        10⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E713A~1.EXE > nul
        9⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40FAA~1.EXE > nul
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FEE0~1.EXE > nul
        7⤵
        
        PID:3092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BE85~1.EXE > nul
        6⤵
        
        PID:416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04C64~1.EXE > nul
        5⤵
        
        PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{137BC~1.EXE > nul
    3⤵
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04C64D00-B4CD-4b65-875B-F453214BA43F}.exe

Filesize
216KB

MD5
9570a054154adcad832ad4ef444ddad2

SHA1
dc8277aa9da29894f95ca15e78e48b735e32ec20

SHA256
1a1c157dd8e1a95f64706db33759962eaa083d949a6d2ac81736e594b540b453

SHA512
87417dfe9ef54e44bb00c90c5a7d1b098d7fa552769ad3abe902842c53b05c92207e5da96620d9a5f6ebf5adc34dde00c5f0bdf31ac99c9443da8927fa0ddce1

Download Submit
C:\Windows\{137BC5DA-20F4-4ecb-8B24-593738C8308E}.exe

Filesize
216KB

MD5
4e7ae78ec4b3c317f790a4082cc7324d

SHA1
23f3edb1ab28568451564806a4e50b245d68ba05

SHA256
28dcc0b47fee54b9331e20236f86b4b7839a5588e55c32c10b6fd54938b4989c

SHA512
39ad6f6f9bb9f681c1f93070927b1c083a9ed5447639dadbcdd19d9001ec5139e395e20be3f41d827f939a146fa7a87a5cb779cae9a199af9b2451fbea389e4f

Download Submit
C:\Windows\{1BE854D5-7DC7-4eb1-9004-7FA0FD908C99}.exe

Filesize
216KB

MD5
a712247d31f8c78860f8e6606049b015

SHA1
a1754b1fb5486708dd08da1c3cbaa761c43cae3e

SHA256
8f04aaa882be43391a694f798512578e476ec6143bc97b5aec0d27641738d5ee

SHA512
e39efba3efe1d164e1c07dc3bb19d4a33ebd152d9dca67aa584ea8303c4021a6609c9f3c4cabe1aefb829eecc65186d1c7b1980343c07aaadbdf190d1fc95c94

Download Submit
C:\Windows\{285FDCD8-DB76-4726-AA3F-444C7E619D11}.exe

Filesize
216KB

MD5
e95fb156ad64af907ba6c9aaa2df5cab

SHA1
0aa50368e9e24bc19579f31a47638d7ece041a58

SHA256
69b77e42fbc4082f99f18508aa875f62cfb94f0a0b04981e4ece74c1ded0999b

SHA512
c00c71e5be4d95b526e5b087595b374415a972de7bfd8b7147631b1f531f80a31c296f385ea3ca802fdc81855f49d70763d4055cf88274777816f3753d5841fe

Download Submit
C:\Windows\{2E96A38E-0C31-41e9-A696-9BECF01BE295}.exe

Filesize
216KB

MD5
2672e4f27abcb11266885a917ed61ab2

SHA1
afeaca5fdb51e73d8acd1c7842380449c425fc47

SHA256
08c478fee566c1d4fa26b4dbea2fef521ae8593255895ad30c2897a19e463ab9

SHA512
6f8c978521c1ed86f801f9f8a1c7b8e892c1f2ee92b7377818ba05aef07a42df27e418dc5adff6fcbe20f2b4796986300612dcb3e093e82fd53bee596387b22b

Download Submit
C:\Windows\{40FAAE65-C415-4cb7-8DD8-8C7076565877}.exe

Filesize
216KB

MD5
be05264740cf9e504fc7dd7da3348903

SHA1
4272489506b05565cc9af1fb1bc573829a96aeb8

SHA256
158f310f742687c38370c28bbc7d8724164f71bf6b82dba69ecfd5c532ff1da3

SHA512
141ea43b94663823841917d8b7c7c7ec9a0084653cea68cdacd260917b1553bb934e39d73e2bffc4c3f743317b10d99d8712396f3a830f4628fc084411e2d0b0

Download Submit
C:\Windows\{5FEE0BF9-9D47-497b-994B-A99CAA4CBD62}.exe

Filesize
216KB

MD5
c527b6727d9369760b8db65e768eafaa

SHA1
f6630732c59eecc2bc9af89a1839b892ff86ef20

SHA256
2d0edc93922fe027741bed5d22203053fd524b77963485cce9b95146a214d87e

SHA512
2204ac6c2a933b4b42b3d19a2d69b85d9f60345d7dd9535bad170f704f6762285bf26608f822633faf78de43281e996cf140a1721f07a355a4d336f2c10be5f4

Download Submit
C:\Windows\{613CEF33-8036-4966-8E31-15B6A1FF5AF9}.exe

Filesize
216KB

MD5
4f7c115b31048381ed444b9674ed3732

SHA1
a7886752e7e14d0a72b466d306243df6b3032485

SHA256
e32f3b7ffa1f2044869171a58cab5e2bd90e8cefd6a79d591172f06e8efa8088

SHA512
d815b9e7bb713347a0332ade9515e5e10eb9004035797122ad04d099ab125efe8fb98cf9b8155105c05d9fc3d7d41053199a6b32120ea63cd2ecae246ae33d48

Download Submit
C:\Windows\{6264B12E-A52B-4902-817A-0CE02F985DD9}.exe

Filesize
216KB

MD5
43334e8efacc5e06367c7e4e003813d1

SHA1
8ee72aa95eb682bff2946642f480fa0df03a514e

SHA256
d3e9e23358c99e93625b3410379c2d92b5beb831f513ab6b8787d379059fbf2c

SHA512
41e9a724a38ceef5e283b420554e2652898792fa5933e63780d3019dd76a6183c446be1c1f83accf6616438c783e9b9c60ecd87e3496a74809e9ea4eb3d506cb

Download Submit
C:\Windows\{D6CC55BD-0B48-454f-AC49-AD16A86DEFAE}.exe

Filesize
216KB

MD5
6a6d01d497b2a9864ea815d8878d1261

SHA1
4bcd51e8ad92d66d879695fa84934c9fcc50ce48

SHA256
ba2252e1d238be6a863491e3564f8bd797e16f2519cfb461d3c4b43053d3e4c1

SHA512
ae951385435a87397a1d67d9cef5de7f372ea7c364706bb1b9a565e6369ad5ade93bbaf7342034b5d9fb12bb6b4d41410f37f3335f7974084555fe2eac2af981

Download Submit
C:\Windows\{E713A3B8-6807-4d67-BBD3-FC871C06AD7D}.exe

Filesize
216KB

MD5
92cfa3b9bc6a4bd82b20b538260547d7

SHA1
571e3f742c22d28392a507b3e9604c1685764a62

SHA256
478dc204eca57c45e9b4926a56b75602256f1c347be233c8d8e5c238f62e4634

SHA512
091bc0c2fe4b89bdc58787a7bd52f18d7247c1e68e2d427fcf9f6ab69fb03b33a713691f02a3b34c3445a5a8e992f58d31c1053e0c37597cd6721a0bdf76f0be

Download Submit
C:\Windows\{FE40DDB0-3C1A-4ca8-8292-987993F1A7FD}.exe

Filesize
216KB

MD5
c5b5f75c62dfd89c66adf2a1ff16a273

SHA1
8ef08a49734550cd44bcdd88fb5104affa13bdf9

SHA256
c9a794ddedeb896d8b9ac969c3b9dc73ac5e7e5ec941fd6c7e8fb4b18e1a20cf

SHA512
911cd3452b6b21322a92167a11eecf7ee7b4ab273b2b8598caa6c86f9932528ebbc682613db757b1bafa9e9dcbd2dfc36d10f8ce297d3b7d51a057d33bfc2895

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads