e170590c78ef43039c630428b193c03d3eb1b9fb09c4c80648f2142712570017

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 00:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
Size

344KB
MD5

d61b56d195a6fa70713ae1952ba10143
SHA1

af93c01bc78c3e08b73db23eefdde40ff074141b
SHA256

e170590c78ef43039c630428b193c03d3eb1b9fb09c4c80648f2142712570017
SHA512

ab800baa4836195e70431ae8830e92fbd42d17b638dbfc716e29499cefce6850360a05e25e58dc9bbdfbd5db91b340f0f0ab6e423cc9467b96142cafb3b84991
SSDEEP

3072:mEGh0otlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGnlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231e4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231e6-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231e4-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231e6-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231e4-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e6-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e4-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231e6-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231e4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000231e6-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000231e4-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000231e6-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000231e6-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BE5310-D7E0-4479-BB07-DC0551A47399}	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137F5504-49CA-4e0f-896E-B931C7FA4C64}	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137F5504-49CA-4e0f-896E-B931C7FA4C64}\stubpath = "C:\\Windows\\{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe"	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}\stubpath = "C:\\Windows\\{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe"	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}\stubpath = "C:\\Windows\\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}.exe"	{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}	{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}\stubpath = "C:\\Windows\\{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe"	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}\stubpath = "C:\\Windows\\{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe"	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}\stubpath = "C:\\Windows\\{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe"	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9A372F-2858-44b3-8347-2124068F7C3F}	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC79449A-F146-46af-A110-4C4B1103B9AF}\stubpath = "C:\\Windows\\{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe"	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}\stubpath = "C:\\Windows\\{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe"	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}\stubpath = "C:\\Windows\\{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe"	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}\stubpath = "C:\\Windows\\{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe"	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BE5310-D7E0-4479-BB07-DC0551A47399}\stubpath = "C:\\Windows\\{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe"	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9A372F-2858-44b3-8347-2124068F7C3F}\stubpath = "C:\\Windows\\{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe"	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC79449A-F146-46af-A110-4C4B1103B9AF}	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe
1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe
3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe
3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe
2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe
3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe
1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe
3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe
3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe
1964	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe
3460	{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe
3720	{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe
File created	C:\Windows\{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
File created	C:\Windows\{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe
File created	C:\Windows\{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe
File created	C:\Windows\{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe
File created	C:\Windows\{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe
File created	C:\Windows\{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe
File created	C:\Windows\{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe
File created	C:\Windows\{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe
File created	C:\Windows\{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe
File created	C:\Windows\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}.exe	{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe
File created	C:\Windows\{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4796	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
Token: SeIncBasePriorityPrivilege	932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe
Token: SeIncBasePriorityPrivilege	1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe
Token: SeIncBasePriorityPrivilege	3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe
Token: SeIncBasePriorityPrivilege	3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe
Token: SeIncBasePriorityPrivilege	2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe
Token: SeIncBasePriorityPrivilege	3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe
Token: SeIncBasePriorityPrivilege	1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe
Token: SeIncBasePriorityPrivilege	3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe
Token: SeIncBasePriorityPrivilege	3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe
Token: SeIncBasePriorityPrivilege	1964	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe
Token: SeIncBasePriorityPrivilege	3460	{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 932	4796	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	88
PID 4796 wrote to memory of 932	4796	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	88
PID 4796 wrote to memory of 932	4796	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	88
PID 4796 wrote to memory of 5100	4796	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	89
PID 4796 wrote to memory of 5100	4796	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	89
PID 4796 wrote to memory of 5100	4796	2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe	89
PID 932 wrote to memory of 1096	932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe	90
PID 932 wrote to memory of 1096	932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe	90
PID 932 wrote to memory of 1096	932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe	90
PID 932 wrote to memory of 4084	932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe	91
PID 932 wrote to memory of 4084	932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe	91
PID 932 wrote to memory of 4084	932	{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe	91
PID 1096 wrote to memory of 3792	1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe	93
PID 1096 wrote to memory of 3792	1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe	93
PID 1096 wrote to memory of 3792	1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe	93
PID 1096 wrote to memory of 4652	1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe	94
PID 1096 wrote to memory of 4652	1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe	94
PID 1096 wrote to memory of 4652	1096	{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe	94
PID 3792 wrote to memory of 3620	3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe	95
PID 3792 wrote to memory of 3620	3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe	95
PID 3792 wrote to memory of 3620	3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe	95
PID 3792 wrote to memory of 4448	3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe	96
PID 3792 wrote to memory of 4448	3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe	96
PID 3792 wrote to memory of 4448	3792	{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe	96
PID 3620 wrote to memory of 2616	3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe	97
PID 3620 wrote to memory of 2616	3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe	97
PID 3620 wrote to memory of 2616	3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe	97
PID 3620 wrote to memory of 4728	3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe	98
PID 3620 wrote to memory of 4728	3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe	98
PID 3620 wrote to memory of 4728	3620	{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe	98
PID 2616 wrote to memory of 3044	2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe	99
PID 2616 wrote to memory of 3044	2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe	99
PID 2616 wrote to memory of 3044	2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe	99
PID 2616 wrote to memory of 1572	2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe	100
PID 2616 wrote to memory of 1572	2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe	100
PID 2616 wrote to memory of 1572	2616	{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe	100
PID 3044 wrote to memory of 1812	3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe	101
PID 3044 wrote to memory of 1812	3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe	101
PID 3044 wrote to memory of 1812	3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe	101
PID 3044 wrote to memory of 2368	3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe	102
PID 3044 wrote to memory of 2368	3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe	102
PID 3044 wrote to memory of 2368	3044	{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe	102
PID 1812 wrote to memory of 3544	1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe	103
PID 1812 wrote to memory of 3544	1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe	103
PID 1812 wrote to memory of 3544	1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe	103
PID 1812 wrote to memory of 1420	1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe	104
PID 1812 wrote to memory of 1420	1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe	104
PID 1812 wrote to memory of 1420	1812	{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe	104
PID 3544 wrote to memory of 3568	3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe	105
PID 3544 wrote to memory of 3568	3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe	105
PID 3544 wrote to memory of 3568	3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe	105
PID 3544 wrote to memory of 396	3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe	106
PID 3544 wrote to memory of 396	3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe	106
PID 3544 wrote to memory of 396	3544	{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe	106
PID 3568 wrote to memory of 1964	3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe	107
PID 3568 wrote to memory of 1964	3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe	107
PID 3568 wrote to memory of 1964	3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe	107
PID 3568 wrote to memory of 2496	3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe	108
PID 3568 wrote to memory of 2496	3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe	108
PID 3568 wrote to memory of 2496	3568	{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe	108
PID 1964 wrote to memory of 3460	1964	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe	109
PID 1964 wrote to memory of 3460	1964	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe	109
PID 1964 wrote to memory of 3460	1964	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe	109
PID 1964 wrote to memory of 4520	1964	{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_d61b56d195a6fa70713ae1952ba10143_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe
  C:\Windows\{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe
    C:\Windows\{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe
      C:\Windows\{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe
        
        C:\Windows\{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Windows\{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe
        
        C:\Windows\{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe
        
        C:\Windows\{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe
        
        C:\Windows\{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe
        
        C:\Windows\{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe
        
        C:\Windows\{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe
        
        C:\Windows\{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe
        
        C:\Windows\{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Windows\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}.exe
        
        C:\Windows\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D47DC~1.EXE > nul
        13⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4628A~1.EXE > nul
        12⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{137F5~1.EXE > nul
        11⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC794~1.EXE > nul
        10⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD9A3~1.EXE > nul
        9⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11BE5~1.EXE > nul
        8⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50FB6~1.EXE > nul
        7⤵
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B31A~1.EXE > nul
        6⤵
        
        PID:4728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BCE4~1.EXE > nul
        5⤵
        
        PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F736A~1.EXE > nul
      4⤵
      PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F48A4~1.EXE > nul
    3⤵
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11BE5310-D7E0-4479-BB07-DC0551A47399}.exe

Filesize
344KB

MD5
b041651f896498d817c41913219c6b20

SHA1
565478681c3fe840f4f048e6d6ee25336ca3f3d7

SHA256
09152c4cde29caace921d18bf05dec700863eb3ef92eff8085960a9c1671c446

SHA512
1d905c3915c89ef88b4aa80d92f5dd1b68c6d1df31b54c644da03e35a598f52b8ab7742011e4e8a4ce493021f7dc451a2d1590a4ea7e924517247622b033eb9d

Download Submit
C:\Windows\{137F5504-49CA-4e0f-896E-B931C7FA4C64}.exe

Filesize
344KB

MD5
4d4c197712807d4fd80283fd9532bf57

SHA1
f395a25a6682f07030b8c35c4adee4cd20362555

SHA256
673eb8a95d44c4af50af9efd2f8145d369957233fdc428b04d686cab40aab654

SHA512
5122228403cde1fee08655eaaaa45a79fc722507135461dfe1651938df1f7006afddae497a88589ec759fa89fac163d0cce7c7d7e3f764e9f7d85b02c551c1ce

Download Submit
C:\Windows\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}.exe

Filesize
128KB

MD5
cba1562b068a3af4904d353a214b7fc2

SHA1
1821b10ad9ce1b2ced81d3eb270343fe670f3e9f

SHA256
c2c0212a0c471c9a77db83b4661fb5ea632212cca9c5ec6d0f6bc6e0301218a3

SHA512
028bb20d7ef001aeda2efe8c5488fa7a1a958df22e300f8b74fc13b3f883ae809124d9e446b3623b2979adb8e782f6c0dbf9f743fb944d582a36a26f8ec4e99a

Download Submit
C:\Windows\{15B3CAD1-8BEA-4ff4-998D-E1BFEC21589A}.exe

Filesize
167KB

MD5
c07d8c3538ca9c7cb5e104bd5571a9af

SHA1
7334a4c48f002851198a3d12fe7208c656d41b63

SHA256
38394df00ba9b06740198b8a52946dc6645a65a718f4618a41dc625e9c7d96f2

SHA512
b1cfe3a1dab4f7843b06e029bcef0126c1b21b4ecbe2b75859f73262fc16bc6f1d017bebbf3a3224348188db38a07ca2c714aa6855cdb357d4fc7ff3fef98cd6

Download Submit
C:\Windows\{1B31A3C4-0275-4be1-8BB0-EFFE42D5BAA3}.exe

Filesize
344KB

MD5
e34e4c98e6b0f4e79aba12ce6d0b0a54

SHA1
e14833a325d6016a0c35590b55595cf65bfa3f36

SHA256
7285c7f617f2352c714f4ec55d37968b76e1708607950d3a4e89ba507e678af9

SHA512
92b506e834f24700206a85fdc9e3d0b126b103a77fe18da519592724cf34ff59d07a3bcf333326bd6757d34c63a038120d8a1015d22286ad52a3dd6fb10bef17

Download Submit
C:\Windows\{4628A2A0-76CB-4c3e-A4DD-E5CA2AC4B916}.exe

Filesize
344KB

MD5
c9bc35799558892d54f2710f39b0a19d

SHA1
5680fdc5373564781d317baada433cb8f8fd3977

SHA256
ca2515abcdefe646b8ba75f6c80d2c93a25551b919c22399e4ad2c73fc4f2880

SHA512
7efd2164f2c7fa82ecb2abb3286d9b6b0de0b395f8d9508ad4a2c0554c02bcadb21fe59e227fa91b1685d1a2d45dcc89d4d6b3001591e458a3acd376c19e9979

Download Submit
C:\Windows\{50FB6E18-A19A-4576-8903-1AD7DA9E03DD}.exe

Filesize
344KB

MD5
4fa2445a6ba5f87609e2063d96eb0837

SHA1
c7112d0800b4d3d9966317ded51ce825fac728f2

SHA256
9b372b957b56aee1fc6cfebce0a860b410091853c71e3c9ef484f2f6c75e923f

SHA512
59a67cc7ee8e720ffe9fd03243c84b7bb67bb194f6e2ac645d01d233923c209b3e22362366de47fd0e9172070fdccf8ac347c57e2baf7f2454ff2393c0acc32f

Download Submit
C:\Windows\{9BCE47FD-8A81-4bdb-8A4A-7D2597CED2C5}.exe

Filesize
344KB

MD5
ab4358979ca2a56210bff869c88778bf

SHA1
e41f88e30dff9a1747e0861896881b4033c20550

SHA256
afd9113ffd48d89cdd0578f48509b3285dc722858bfcc2c968cc0d0620ea2669

SHA512
5f29d572e3cdfde4035fc04be0f984ebdfb857d8bc60e7dbab9ab852a9058c26d46989d0bc4bb026af278536a008905e9606445c874bef350fa61e5f5049f14f

Download Submit
C:\Windows\{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe

Filesize
344KB

MD5
d4195ffd1536d109c22257e8b3456ade

SHA1
49b076f262bb4c4bcb9779c588b183a03c0bae6f

SHA256
61548ebf2b3dc76dd6dcd8f373afb0fb1e366991332207a34754495e8d767be4

SHA512
a53f1046247accabd8edb4cc5b591b4a144a89aee8b8f8191b9e5ea601744d04f193311e66241abe4d67b6861e80e2f1e932f2f3144a9b01a86286dcb4d04c48

Download Submit
C:\Windows\{BD9A372F-2858-44b3-8347-2124068F7C3F}.exe

Filesize
192KB

MD5
ed2043551849af5cd370587ec8619cf1

SHA1
aa5c0f66100c04571a63c3533fd15f82fe6343af

SHA256
8b372c3e27b1e02f8a25519bfd6074ab700fc098e19f64180136ad421127a5fd

SHA512
d130173a3fe77b473cbe0d953d6c9a853365ba1b48f8d985651a0d8dbdbcaadc4e656f32ec594ccbcde5e6fbd7cb518a024978d1d3a9af70a10f320aefc2c171

Download Submit
C:\Windows\{D47DC943-4BBB-4a6e-A5E7-766A0D8D1D96}.exe

Filesize
344KB

MD5
be132bf5b6af5b06c5af06d10a33d6ce

SHA1
0f5ebf9fe950d0d530e3897de222fa22e3337948

SHA256
ecb5280f79507d41fe7b9056dd76aa23105dae8e27abd469be28167b6b6e3277

SHA512
4595b7fc75d888f0aa235b6fa093db4d993c91df679c9a4807cbbbd8f876f8d223aeb52df041ccb962a736e61d8e77bea3bc3174b0f2b4ff4b720392ff80e6a2

Download Submit
C:\Windows\{DC79449A-F146-46af-A110-4C4B1103B9AF}.exe

Filesize
344KB

MD5
e4b94199f68f9714640177d4b7072fbb

SHA1
fc2b9fc95941eccc8f36100887b75769020a051e

SHA256
c14c2f0b404849618896ce0a33a10f74f32f0c0b6caef5cbe991f6821f71d99d

SHA512
1a73690b10c40827977299d7f0b4b6a0635348c53a6c0b80d8f0d51d27cc5fcf398ebc40b8e053000d2ed11afdd40f053e8d59a618560cadee3810ecfd89dec0

Download Submit
C:\Windows\{F48A410D-7DB9-48e8-8C15-E66AEEFB5E75}.exe

Filesize
344KB

MD5
8dffdc92e14a7b9a347f738367233637

SHA1
f347bcaae283ec19495e77f7a95606729b6b14c1

SHA256
68ce4a0b65013b608a50dae99d87e241bacddcd1b9b459363478c9aa12517888

SHA512
9ddcbcc2cd12e9ee839dc8abe4e56aea54e90ad2c35d5a03236d421bfddd871afd4f9b69b46523cf4868f24785c51a6a383cb6373043a7934b6fd22a799541b5

Download Submit
C:\Windows\{F736A8EA-5424-45a8-A7F4-8D42D744C8D6}.exe

Filesize
344KB

MD5
e4f917bdbbef03bc697321879ba69776

SHA1
f361a1feced6aa05937edf2ec903bf11f75ca54a

SHA256
0aee9098641de996ce2daefbfd3cc0f77dad346993331a4682e495261ef7e97f

SHA512
46d4aff07391b7c5b4874245c5ee86b0d52e21c20e2d63b1b27596390fd4f5d2358fb326178e5f634397b143140e63d92c31285396ce787b2c9221063454faff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads