7bdd4f2471e13e4b3da3ea883a0475358d426160712f4a877e1b838b8a89bfdd

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe
Size

408KB
MD5

3d301fc4956d18fcc31ed3cba65c191f
SHA1

4fb3ea50eea4ad7ba7bb4f5dae42862cbbe4ce6a
SHA256

7bdd4f2471e13e4b3da3ea883a0475358d426160712f4a877e1b838b8a89bfdd
SHA512

aa91c9a58eac8521aeb36efb272587e058e56a20ad9fa8a2cca243960b63b01ae194aecaa8438f7a2af94494c5ae4715abc859d31b02ff4e453da543f665bb4b
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231e7-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231e2-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023132-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231e2-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023132-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231e2-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023132-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231e2-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023132-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e2-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231e2-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023132-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231e2-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A70675E-BC34-42c5-913A-160E742D6B3E}	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D04CBF0-AACD-4e66-B11B-D34A4959914C}\stubpath = "C:\\Windows\\{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe"	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A51A879-68F7-4939-A633-8FCB3A193BB1}\stubpath = "C:\\Windows\\{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe"	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}\stubpath = "C:\\Windows\\{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe"	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36156AB5-3625-41a7-88A6-A878B4E15C72}\stubpath = "C:\\Windows\\{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe"	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE402F82-145E-4e94-9E20-1CAFD094F9DA}	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE402F82-145E-4e94-9E20-1CAFD094F9DA}\stubpath = "C:\\Windows\\{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe"	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6EB105-0099-4d19-A955-38A8816C992C}	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{003E9D99-A213-40a3-93CC-8080454008DC}	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}\stubpath = "C:\\Windows\\{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe"	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A51A879-68F7-4939-A633-8FCB3A193BB1}	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}\stubpath = "C:\\Windows\\{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe"	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6EB105-0099-4d19-A955-38A8816C992C}\stubpath = "C:\\Windows\\{FE6EB105-0099-4d19-A955-38A8816C992C}.exe"	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{003E9D99-A213-40a3-93CC-8080454008DC}\stubpath = "C:\\Windows\\{003E9D99-A213-40a3-93CC-8080454008DC}.exe"	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D04CBF0-AACD-4e66-B11B-D34A4959914C}	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}	{003E9D99-A213-40a3-93CC-8080454008DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}\stubpath = "C:\\Windows\\{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe"	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36156AB5-3625-41a7-88A6-A878B4E15C72}	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A70675E-BC34-42c5-913A-160E742D6B3E}\stubpath = "C:\\Windows\\{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe"	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}\stubpath = "C:\\Windows\\{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}.exe"	{003E9D99-A213-40a3-93CC-8080454008DC}.exe

Executes dropped EXE 12 IoCs

pid	Process
2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe
628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe
4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe
5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe
5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe
5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe
5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe
2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe
3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe
632	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe
2456	{003E9D99-A213-40a3-93CC-8080454008DC}.exe
2360	{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe
File created	C:\Windows\{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe
File created	C:\Windows\{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe
File created	C:\Windows\{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe
File created	C:\Windows\{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}.exe	{003E9D99-A213-40a3-93CC-8080454008DC}.exe
File created	C:\Windows\{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe
File created	C:\Windows\{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe
File created	C:\Windows\{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe
File created	C:\Windows\{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe
File created	C:\Windows\{FE6EB105-0099-4d19-A955-38A8816C992C}.exe	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe
File created	C:\Windows\{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe
File created	C:\Windows\{003E9D99-A213-40a3-93CC-8080454008DC}.exe	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5784	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe
Token: SeIncBasePriorityPrivilege	628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe
Token: SeIncBasePriorityPrivilege	4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe
Token: SeIncBasePriorityPrivilege	5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe
Token: SeIncBasePriorityPrivilege	5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe
Token: SeIncBasePriorityPrivilege	5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe
Token: SeIncBasePriorityPrivilege	5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe
Token: SeIncBasePriorityPrivilege	2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe
Token: SeIncBasePriorityPrivilege	3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe
Token: SeIncBasePriorityPrivilege	632	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe
Token: SeIncBasePriorityPrivilege	2456	{003E9D99-A213-40a3-93CC-8080454008DC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5784 wrote to memory of 2436	5784	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe	90
PID 5784 wrote to memory of 2436	5784	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe	90
PID 5784 wrote to memory of 2436	5784	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe	90
PID 5784 wrote to memory of 3316	5784	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe	91
PID 5784 wrote to memory of 3316	5784	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe	91
PID 5784 wrote to memory of 3316	5784	2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe	91
PID 2436 wrote to memory of 628	2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe	92
PID 2436 wrote to memory of 628	2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe	92
PID 2436 wrote to memory of 628	2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe	92
PID 2436 wrote to memory of 5176	2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe	93
PID 2436 wrote to memory of 5176	2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe	93
PID 2436 wrote to memory of 5176	2436	{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe	93
PID 628 wrote to memory of 4460	628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe	95
PID 628 wrote to memory of 4460	628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe	95
PID 628 wrote to memory of 4460	628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe	95
PID 628 wrote to memory of 4728	628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe	96
PID 628 wrote to memory of 4728	628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe	96
PID 628 wrote to memory of 4728	628	{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe	96
PID 4460 wrote to memory of 5692	4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe	97
PID 4460 wrote to memory of 5692	4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe	97
PID 4460 wrote to memory of 5692	4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe	97
PID 4460 wrote to memory of 712	4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe	98
PID 4460 wrote to memory of 712	4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe	98
PID 4460 wrote to memory of 712	4460	{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe	98
PID 5692 wrote to memory of 5496	5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe	99
PID 5692 wrote to memory of 5496	5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe	99
PID 5692 wrote to memory of 5496	5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe	99
PID 5692 wrote to memory of 1824	5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe	100
PID 5692 wrote to memory of 1824	5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe	100
PID 5692 wrote to memory of 1824	5692	{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe	100
PID 5496 wrote to memory of 5396	5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe	101
PID 5496 wrote to memory of 5396	5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe	101
PID 5496 wrote to memory of 5396	5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe	101
PID 5496 wrote to memory of 5268	5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe	102
PID 5496 wrote to memory of 5268	5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe	102
PID 5496 wrote to memory of 5268	5496	{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe	102
PID 5396 wrote to memory of 5088	5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe	103
PID 5396 wrote to memory of 5088	5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe	103
PID 5396 wrote to memory of 5088	5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe	103
PID 5396 wrote to memory of 5260	5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe	104
PID 5396 wrote to memory of 5260	5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe	104
PID 5396 wrote to memory of 5260	5396	{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe	104
PID 5088 wrote to memory of 2876	5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe	105
PID 5088 wrote to memory of 2876	5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe	105
PID 5088 wrote to memory of 2876	5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe	105
PID 5088 wrote to memory of 5056	5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe	106
PID 5088 wrote to memory of 5056	5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe	106
PID 5088 wrote to memory of 5056	5088	{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe	106
PID 2876 wrote to memory of 3436	2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe	107
PID 2876 wrote to memory of 3436	2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe	107
PID 2876 wrote to memory of 3436	2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe	107
PID 2876 wrote to memory of 2324	2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe	108
PID 2876 wrote to memory of 2324	2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe	108
PID 2876 wrote to memory of 2324	2876	{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe	108
PID 3436 wrote to memory of 632	3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe	109
PID 3436 wrote to memory of 632	3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe	109
PID 3436 wrote to memory of 632	3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe	109
PID 3436 wrote to memory of 3944	3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe	110
PID 3436 wrote to memory of 3944	3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe	110
PID 3436 wrote to memory of 3944	3436	{FE6EB105-0099-4d19-A955-38A8816C992C}.exe	110
PID 632 wrote to memory of 2456	632	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe	111
PID 632 wrote to memory of 2456	632	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe	111
PID 632 wrote to memory of 2456	632	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe	111
PID 632 wrote to memory of 5408	632	{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_3d301fc4956d18fcc31ed3cba65c191f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5784
- C:\Windows\{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe
  C:\Windows\{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe
    C:\Windows\{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe
      C:\Windows\{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe
        
        C:\Windows\{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5692
      - C:\Windows\{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe
        
        C:\Windows\{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5496
        
        C:\Windows\{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe
        
        C:\Windows\{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5396
        
        C:\Windows\{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe
        
        C:\Windows\{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe
        
        C:\Windows\{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{FE6EB105-0099-4d19-A955-38A8816C992C}.exe
        
        C:\Windows\{FE6EB105-0099-4d19-A955-38A8816C992C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe
        
        C:\Windows\{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{003E9D99-A213-40a3-93CC-8080454008DC}.exe
        
        C:\Windows\{003E9D99-A213-40a3-93CC-8080454008DC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}.exe
        
        C:\Windows\{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}.exe
        13⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{003E9~1.EXE > nul
        13⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A706~1.EXE > nul
        12⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE6EB~1.EXE > nul
        11⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE402~1.EXE > nul
        10⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62C6E~1.EXE > nul
        9⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36156~1.EXE > nul
        8⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8FD6~1.EXE > nul
        7⤵
        
        PID:5268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C32~1.EXE > nul
        6⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A51A~1.EXE > nul
        5⤵
        
        PID:712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3D04C~1.EXE > nul
      4⤵
      PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A3693~1.EXE > nul
    3⤵
    PID:5176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{003E9D99-A213-40a3-93CC-8080454008DC}.exe

Filesize
408KB

MD5
7738811856ed049a8abedb60a2e879d7

SHA1
361c9df4dfbc3b60bdeff08f3ffd1a30452bdd19

SHA256
d835c529d2f4387e2f347ab7577c4dc4b7cc67f58541ca16dff8dfc19f58343c

SHA512
195ccc52f0b4d714b28ec7715da54bbb70901135b9f09e0d418ea6e524cee3bf5dd59c0d4ad76838e71cfb17a9ef38d11979e4ef3fdf62fded296e5b522e6da0

Download Submit
C:\Windows\{36156AB5-3625-41a7-88A6-A878B4E15C72}.exe

Filesize
408KB

MD5
dcf49993cafeeba97b20942798176f76

SHA1
1de98ac0a9db41db3b762dd1a9bc955ae0118e86

SHA256
163be8304df8f21e6863b804e33448f6c0b9a6522a58e55af4169a840d6b5a32

SHA512
8c654857ee3d6da5e03782ba05e3ef90bb1a3e11e52070cafb0718f21a83a32ce782590f9ef97baab5dfb671f7fac3c89569d2555e605e45be5e7345ca07d132

Download Submit
C:\Windows\{3D04CBF0-AACD-4e66-B11B-D34A4959914C}.exe

Filesize
408KB

MD5
fb7dc89bceba178164e3a182d607f36b

SHA1
6bc427b71bc56390fa674b95c6a5689cddf126d2

SHA256
f3e3c88f725ca236b98d364f92abfb483660dd3728256a72cb9d2863376c4e2a

SHA512
53b12c20587b876f4273727da4721409c3e53c4f65a3ff46959499f224217b8f58bbbaed6949ce8ce62349451da3469443c93ff8fe024cf8d9d88eef3fe63491

Download Submit
C:\Windows\{62C6EC6F-B306-40e8-B030-7FC5C4DAB401}.exe

Filesize
408KB

MD5
3230e7be1959b55d6f30cf03394d8119

SHA1
679cceb2663baa5f52663d751649aa14d37ea900

SHA256
dfac042c72fa9c8476f9dc029753910cab0a6f55f2470fc68dadd2a56984f6a9

SHA512
60e7cf1eedec8c97098be7172099545e3b73338ed0186604850d99f2dc82e7b04ecb769d292deea17432f0362a2832559fc1115fb8678bea07d731151f77e40c

Download Submit
C:\Windows\{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe

Filesize
68KB

MD5
8129417dd97631db50c88ff3c4d42f5a

SHA1
32341d7e39a6a8ca3d45e2825a5f1360ec37b9e0

SHA256
b9be3faf08e00cb7fb441d0272203b6d0cae440739475a900adaa6730b83ab22

SHA512
38482a4a4ee6c0edc3cd26917dec90c42e689faba5749f34f48c5fd2243353f1b6b8f1a5480e6159d9e530d167d23391300661a304996804b28431bb70e2b401

Download Submit
C:\Windows\{6A70675E-BC34-42c5-913A-160E742D6B3E}.exe

Filesize
42KB

MD5
47e18744f687ca5252c97ad2da800fd7

SHA1
680f51641ad696975529efa670cace27841a6241

SHA256
3c79fafd885fe00e881bd85db16f81e95d2bc9193dd2e65dc203dfe40834f986

SHA512
87f70cb275346af353ae3a08ac200f27b97c474ba406831c5fa83d67bc75c5ffa132dbfe459b056ea9220b5ac23f5965ada0065fff1bb6e2634e12b14f035c2f

Download Submit
C:\Windows\{70DB4F7D-5388-4ea1-BD3D-73D5F883DC4D}.exe

Filesize
408KB

MD5
4b9cd114b011b2d613202f470f0f44e5

SHA1
667aef1260a0e77be8948f853e6bfffea3e4cd59

SHA256
374f418f981af52e21f973ac56043b4df91657ad84b28ee5889fc48a514e2889

SHA512
475555938e4f16ea25862262337b6a6e7d61e1e839f00233d9df5c1bb1fcd3d5c6f4e18144aba5be67cdedabe21efebfa81b45b03a0f7baa510c0b53648f8081

Download Submit
C:\Windows\{7A51A879-68F7-4939-A633-8FCB3A193BB1}.exe

Filesize
408KB

MD5
eb1dbe7a3c63624927b9a459fff2fd73

SHA1
3d64f2661c65a0ce758a1a006cdb3c4e1c4b762e

SHA256
c95c4afe0f8f0435b27ef03ea59223f8cd57949a8aeb49b3445168d8764ef5fd

SHA512
fe011819b63019e2d5a851b3938b5f31518393e444a905317a09336a760cb5fd5c7f967309328109512cc413ea0a5bb24eb6236943cca85b900d70e6c9fb2984

Download Submit
C:\Windows\{A3693C0A-B69B-4e5e-8B5B-6FD63440FCE9}.exe

Filesize
408KB

MD5
05484bf3b17cb5a0dd966e577940bb8d

SHA1
9dc359677e2df969d59076b6f09517f81494b535

SHA256
799021385ec6b29605cf9272e30ab1c4c93a91d0b9f75cc3f1d7fc970bca89ba

SHA512
fa1d803ad6808a370c03af25b2225bf3fffa83aa0a1ae37b906fbf52a920e4e26a113b530d79ce090ccc65daf0bed474d8b3bddbfb19c91325d671546413e6ab

Download Submit
C:\Windows\{BE402F82-145E-4e94-9E20-1CAFD094F9DA}.exe

Filesize
408KB

MD5
d195f96950cc961c5166e83aeab8cbb7

SHA1
8adb3ce71a3e25379ee8ac3eda27bbfde9dc2a88

SHA256
23ece12d52827df1472f0ed2b20369a4cbe6a2907c370538c9ceca4acd09b15d

SHA512
fce219946647893d5092e88ddda433e233fcdf0d365eef6fa6d50cd75a5fb8ceb96f1f9929778e78452aad4bec5879c8b47e72857429f4e8cd082725ebcdef35

Download Submit
C:\Windows\{C9C3232C-1D7B-47f4-B5E9-6608615C5C2E}.exe

Filesize
408KB

MD5
87189eacae7d8769bb6b67b718fdc1d7

SHA1
15d3c3cb9cbb3a5e7af9ff1c53b90c7dfbf64876

SHA256
aa6bc2caeeaf15d17f0ffa05e002cd8bb29ca18ad1cc5db31e9e3fb24ac58511

SHA512
e031c328ceb1c19d72b6e42549bf2e386b084e09aea81d4940785b251fdfc4dbabf68364db95783edfd22a24ced5395a7bb00d55d19dd0d8760deb2c0e7d382c

Download Submit
C:\Windows\{E8FD616D-7771-4b00-A45D-FEFA8BE1A9C3}.exe

Filesize
408KB

MD5
290343729ed8c8b1611095410984acac

SHA1
842fb5ddc0c6efd64581b536eeaa2b31d23af06c

SHA256
04635d2aeb82513e8f11df501873994580047058edceaf2a74de60215e5af51d

SHA512
a90c7f8525e4ec013a37f5b1de6a0d33760819271392c1d31fbe2d818f62915cf5c095dabddc397d603a4d701156a0f60bdd569b557860ee983b2a730d6a7eb4

Download Submit
C:\Windows\{FE6EB105-0099-4d19-A955-38A8816C992C}.exe

Filesize
408KB

MD5
5d6603bebe9583da5bea0c7c34513f0d

SHA1
d88aa65ee8f73e38b5e9cc5387c0f3438c546497

SHA256
2a16516bde445e264445de37e5914c7585a5fa14c4f91f2afdc2858d72f421f0

SHA512
77a687f1433048d4c32a523397367f4e1a062c5f5ce6eb32f357d0a5a5c5d849a2b6b23a2605c53e4d5d7eeb04bb09ab37cbb05e77e982b36c5a08c783e804c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads