147eb49c968fb4a12d6805cf978a18f8696d71a33b4cc0fee7f57dc107e415cc

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Size

380KB
MD5

d5a6933bf904dce7ba800c2a8fabe032
SHA1

d15143ee8de0c1459344ccc456db8e56a6bb6a0e
SHA256

147eb49c968fb4a12d6805cf978a18f8696d71a33b4cc0fee7f57dc107e415cc
SHA512

ae397a66e2a0381ebd96783075bcbf596c8e01542cc943c5b14baed41b08a6f60eba8e2b33aeeefe740493bb27e4059440ed621014e81ee654c37c5c4cffe5a5
SSDEEP

3072:mEGh0o7lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGdl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023107-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002310b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023112-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002310b-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023112-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002310b-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023112-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002310b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002310b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023112-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002310b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023112-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002310b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{031958F5-9C95-4dd4-86FE-C2C8962BA51B}\stubpath = "C:\\Windows\\{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe"	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80789656-9186-4dea-9773-4C7A9C6804FC}\stubpath = "C:\\Windows\\{80789656-9186-4dea-9773-4C7A9C6804FC}.exe"	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52D6432C-5260-4601-A3A2-56CDB758F4FC}	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58450D3A-6C84-45e0-A90E-30500B2E00D1}\stubpath = "C:\\Windows\\{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe"	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B940EC06-5A3E-46d4-9868-D410EB3E490A}	{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183D86BC-4A95-43f4-9289-35834F9776F1}\stubpath = "C:\\Windows\\{183D86BC-4A95-43f4-9289-35834F9776F1}.exe"	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80789656-9186-4dea-9773-4C7A9C6804FC}	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82D1416F-DA34-4692-88AF-E66A558AC100}\stubpath = "C:\\Windows\\{82D1416F-DA34-4692-88AF-E66A558AC100}.exe"	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58450D3A-6C84-45e0-A90E-30500B2E00D1}	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82D1416F-DA34-4692-88AF-E66A558AC100}	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183D86BC-4A95-43f4-9289-35834F9776F1}	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{031958F5-9C95-4dd4-86FE-C2C8962BA51B}	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B983E213-254B-43e3-A9A5-B64885DFA8E4}	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B983E213-254B-43e3-A9A5-B64885DFA8E4}\stubpath = "C:\\Windows\\{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe"	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}\stubpath = "C:\\Windows\\{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe"	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}\stubpath = "C:\\Windows\\{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe"	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52D6432C-5260-4601-A3A2-56CDB758F4FC}\stubpath = "C:\\Windows\\{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe"	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}\stubpath = "C:\\Windows\\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe"	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82BF97A7-7484-4d18-8167-DDA7C20820E0}	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82BF97A7-7484-4d18-8167-DDA7C20820E0}\stubpath = "C:\\Windows\\{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe"	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B940EC06-5A3E-46d4-9868-D410EB3E490A}\stubpath = "C:\\Windows\\{B940EC06-5A3E-46d4-9868-D410EB3E490A}.exe"	{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe
5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe
2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe
2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe
3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe
3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe
4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe
2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe
3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe
4912	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe
2896	{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe
2548	{B940EC06-5A3E-46d4-9868-D410EB3E490A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{82D1416F-DA34-4692-88AF-E66A558AC100}.exe	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe
File created	C:\Windows\{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe
File created	C:\Windows\{B940EC06-5A3E-46d4-9868-D410EB3E490A}.exe	{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe
File created	C:\Windows\{183D86BC-4A95-43f4-9289-35834F9776F1}.exe	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
File created	C:\Windows\{80789656-9186-4dea-9773-4C7A9C6804FC}.exe	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe
File created	C:\Windows\{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe
File created	C:\Windows\{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe
File created	C:\Windows\{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe
File created	C:\Windows\{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe
File created	C:\Windows\{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe
File created	C:\Windows\{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe
File created	C:\Windows\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	548	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe
Token: SeIncBasePriorityPrivilege	5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe
Token: SeIncBasePriorityPrivilege	2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe
Token: SeIncBasePriorityPrivilege	2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe
Token: SeIncBasePriorityPrivilege	3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe
Token: SeIncBasePriorityPrivilege	3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe
Token: SeIncBasePriorityPrivilege	4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe
Token: SeIncBasePriorityPrivilege	2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe
Token: SeIncBasePriorityPrivilege	3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe
Token: SeIncBasePriorityPrivilege	4912	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe
Token: SeIncBasePriorityPrivilege	2896	{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2980	548	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	83
PID 548 wrote to memory of 2980	548	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	83
PID 548 wrote to memory of 2980	548	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	83
PID 548 wrote to memory of 1372	548	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	84
PID 548 wrote to memory of 1372	548	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	84
PID 548 wrote to memory of 1372	548	2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe	84
PID 2980 wrote to memory of 5000	2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe	85
PID 2980 wrote to memory of 5000	2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe	85
PID 2980 wrote to memory of 5000	2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe	85
PID 2980 wrote to memory of 2016	2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe	86
PID 2980 wrote to memory of 2016	2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe	86
PID 2980 wrote to memory of 2016	2980	{183D86BC-4A95-43f4-9289-35834F9776F1}.exe	86
PID 5000 wrote to memory of 2440	5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe	90
PID 5000 wrote to memory of 2440	5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe	90
PID 5000 wrote to memory of 2440	5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe	90
PID 5000 wrote to memory of 2776	5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe	89
PID 5000 wrote to memory of 2776	5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe	89
PID 5000 wrote to memory of 2776	5000	{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe	89
PID 2440 wrote to memory of 2012	2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe	91
PID 2440 wrote to memory of 2012	2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe	91
PID 2440 wrote to memory of 2012	2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe	91
PID 2440 wrote to memory of 3328	2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe	92
PID 2440 wrote to memory of 3328	2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe	92
PID 2440 wrote to memory of 3328	2440	{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe	92
PID 2012 wrote to memory of 3120	2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe	94
PID 2012 wrote to memory of 3120	2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe	94
PID 2012 wrote to memory of 3120	2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe	94
PID 2012 wrote to memory of 4496	2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe	93
PID 2012 wrote to memory of 4496	2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe	93
PID 2012 wrote to memory of 4496	2012	{80789656-9186-4dea-9773-4C7A9C6804FC}.exe	93
PID 3120 wrote to memory of 3608	3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe	95
PID 3120 wrote to memory of 3608	3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe	95
PID 3120 wrote to memory of 3608	3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe	95
PID 3120 wrote to memory of 624	3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe	96
PID 3120 wrote to memory of 624	3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe	96
PID 3120 wrote to memory of 624	3120	{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe	96
PID 3608 wrote to memory of 4716	3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe	97
PID 3608 wrote to memory of 4716	3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe	97
PID 3608 wrote to memory of 4716	3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe	97
PID 3608 wrote to memory of 2592	3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe	98
PID 3608 wrote to memory of 2592	3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe	98
PID 3608 wrote to memory of 2592	3608	{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe	98
PID 4716 wrote to memory of 2032	4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe	99
PID 4716 wrote to memory of 2032	4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe	99
PID 4716 wrote to memory of 2032	4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe	99
PID 4716 wrote to memory of 5108	4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe	100
PID 4716 wrote to memory of 5108	4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe	100
PID 4716 wrote to memory of 5108	4716	{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe	100
PID 2032 wrote to memory of 3752	2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe	101
PID 2032 wrote to memory of 3752	2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe	101
PID 2032 wrote to memory of 3752	2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe	101
PID 2032 wrote to memory of 4904	2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe	102
PID 2032 wrote to memory of 4904	2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe	102
PID 2032 wrote to memory of 4904	2032	{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe	102
PID 3752 wrote to memory of 4912	3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe	104
PID 3752 wrote to memory of 4912	3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe	104
PID 3752 wrote to memory of 4912	3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe	104
PID 3752 wrote to memory of 4668	3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe	103
PID 3752 wrote to memory of 4668	3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe	103
PID 3752 wrote to memory of 4668	3752	{82D1416F-DA34-4692-88AF-E66A558AC100}.exe	103
PID 4912 wrote to memory of 2896	4912	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe	105
PID 4912 wrote to memory of 2896	4912	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe	105
PID 4912 wrote to memory of 2896	4912	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe	105
PID 4912 wrote to memory of 2388	4912	{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_d5a6933bf904dce7ba800c2a8fabe032_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\{183D86BC-4A95-43f4-9289-35834F9776F1}.exe
  C:\Windows\{183D86BC-4A95-43f4-9289-35834F9776F1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe
    C:\Windows\{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{03195~1.EXE > nul
      4⤵
      PID:2776
  - - C:\Windows\{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe
      C:\Windows\{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\{80789656-9186-4dea-9773-4C7A9C6804FC}.exe
        
        C:\Windows\{80789656-9186-4dea-9773-4C7A9C6804FC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80789~1.EXE > nul
        6⤵
        
        PID:4496
      - C:\Windows\{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe
        
        C:\Windows\{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe
        
        C:\Windows\{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe
        
        C:\Windows\{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe
        
        C:\Windows\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{82D1416F-DA34-4692-88AF-E66A558AC100}.exe
        
        C:\Windows\{82D1416F-DA34-4692-88AF-E66A558AC100}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82D14~1.EXE > nul
        11⤵
        
        PID:4668
        
        C:\Windows\{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe
        
        C:\Windows\{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe
        
        C:\Windows\{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{B940EC06-5A3E-46d4-9868-D410EB3E490A}.exe
        
        C:\Windows\{B940EC06-5A3E-46d4-9868-D410EB3E490A}.exe
        13⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58450~1.EXE > nul
        13⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82BF9~1.EXE > nul
        12⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D377~1.EXE > nul
        10⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D55~1.EXE > nul
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EF7D~1.EXE > nul
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52D64~1.EXE > nul
        7⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B983E~1.EXE > nul
        5⤵
        
        PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{183D8~1.EXE > nul
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{031958F5-9C95-4dd4-86FE-C2C8962BA51B}.exe

Filesize
380KB

MD5
c1824debc80044589be2d785fb763aa7

SHA1
f6c2cc2bb1f4d560f4e7892134c62d5c7a3efce2

SHA256
da7b086b04b7f8ac37e085f761712d5c4c969a8252881e4f43745df1ce73977e

SHA512
bf957aa342d52468fb005b6ba4c63e3c5391be564431c515ba35f1e68f7f308682609b5d20ffd96fe80e456b986a8e90757f34cdf77d84c6485743cd6a537ff7

Download Submit
C:\Windows\{183D86BC-4A95-43f4-9289-35834F9776F1}.exe

Filesize
380KB

MD5
d4522afaf5f9407993f1dc4d75a3fc04

SHA1
b5d0062fbc77cf20f06f617c4cb67d2ca58bef8e

SHA256
1508f26c32c45e9b1943df9846e60676c909556fb40a02a2091560b380c2ddf2

SHA512
b96c2be1ab17cb4287c3c75058ab825438e5b495e9ed189a0cce30d8875d460ddab6130705af2d4437a500aaccf576adc3f1761243e1e5a25881e49ba48e2d15

Download Submit
C:\Windows\{3EF7DDF7-D1D3-4bf9-B0F6-CF0A5D3F0026}.exe

Filesize
380KB

MD5
ad6afc473e42100b8ca0292218fa57de

SHA1
b15e17e95024c22b18fb27c8733c275fbbae3e79

SHA256
9677c18de942f075253a3cbb653d9c5c0c1e4f0f416e91b4940c1559c31cb695

SHA512
b0956fa5e2d57b14b17aa3ae6d41e48f3b1d825c9cb967caef1df7fb5c3225f653611cdd935b99773717d4f318a5256a6c306ac36b51043605e5731c967512c9

Download Submit
C:\Windows\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe

Filesize
93KB

MD5
7d0240c4dc576f69803a198aa3a6ae72

SHA1
7be700cd96e3a264f673879c90facc3216efb8ac

SHA256
5c980d3b21fa0527ece5967fe60f58e6a35cdd3cb179d8edf64afcc1c6ff52a8

SHA512
ce8c7f6457ec96065e779f6109183dd1928b7a577f86397c1e50d2b429e4d2557f845663322f104b143f0d248c59cf61cba8da6e335a2f7f95083766bbbe1c3b

Download Submit
C:\Windows\{4D3778F5-BDAD-46e5-872F-E9C0821B4F51}.exe

Filesize
64KB

MD5
77a4c7aff5a93d220ed71ce565cf4bb8

SHA1
fc45c7135311abf1e0390378722e5751876fc8b9

SHA256
90533d6f5e541be2fa02a830e8bb3ca53727892aa694f6b49e01fc6c3a0e6636

SHA512
f50055988318a38d6d129ad3f2c24e94bd129511c2560fd8b6a30ca53f6e31267a6cae9fbe12a36dd66f2a65314787484df2302fc2e0d528c0f984278abaa175

Download Submit
C:\Windows\{52D6432C-5260-4601-A3A2-56CDB758F4FC}.exe

Filesize
380KB

MD5
701d26a0f7a738178df5011c7c192ed5

SHA1
2fcc96e168b3ca05a2f9b483cce3cdf3cb9b6b58

SHA256
ace875097f593464e685887d1a54ffbc7150040821adaf8016c426c1ed5ba018

SHA512
28a6c4eff012ed13b71d79b78f91200c412ba75037eac0085e41c3691648fb4b7bd16eec32a680d6806a1ca40424bb05e87aa0e6367162b764dd89a3804fbb98

Download Submit
C:\Windows\{58450D3A-6C84-45e0-A90E-30500B2E00D1}.exe

Filesize
380KB

MD5
5d80efac041115046d19d8f544ed7a21

SHA1
869c161cdaead061e95fb6c8e0ccca084d90ce98

SHA256
2423e25deaf6c58b9d1aa67d15c4c101ef83eaa743e518cf5018350572feb069

SHA512
cfd6fd85a936f016d5d6c83da6104ef9fe8a62b1218fa7395f5e80c9172844d209e60844b54fbbdf1dac3dd0891634de6d210be8457d9e47fda398790414e57d

Download Submit
C:\Windows\{80789656-9186-4dea-9773-4C7A9C6804FC}.exe

Filesize
380KB

MD5
0985f99186a6109794aa703c55bb7686

SHA1
baf97a862656ee9c1030b55d090311c943470262

SHA256
a2042a966bd787f15170dfaa29b7aa5210a68014b294fa487e5c3d671a84a7f0

SHA512
343d51a9ba8cabdec35d2ce920b959a4ddf943712f2512072c4ed515cb1978f082a95b83be27cce19146e5244121809f5e2616339a58b6c67e0d31864c8d3070

Download Submit
C:\Windows\{82BF97A7-7484-4d18-8167-DDA7C20820E0}.exe

Filesize
380KB

MD5
3e3d72d6f774c4e120151bf6cc267512

SHA1
ddfd5a0ec2a5ba852b0d87d8685ed85054794f1e

SHA256
930ab469df03179dde54f633ab3667e71228a5b3875c3d1b9967781f7d276c85

SHA512
6aa466ebc646b458bf3266352e4e0269b28c9be69ced59423a07fc32d90554fa67cefe6eee9dc96bc2abdd1b6dddc22ca6c1865c8b0bf93c9412880d5104e1f7

Download Submit
C:\Windows\{82D1416F-DA34-4692-88AF-E66A558AC100}.exe

Filesize
380KB

MD5
b97e5083a1327ff3ca1e994c93d809e7

SHA1
8bbf993380b4e7cb38ae60af1bea78dc7bb9fbbc

SHA256
d4d256dfa6a30c1f233e686b2146807f174692d3df42049937e4177c5f6478d3

SHA512
41a5d7d86ea89748daa2d5d7c84ad2ed315aec4e666d934bb2e2848defcba12ad3bf31fcfa828fab1c11b2a672b9635829e768c85acd3f4330e96951079c4b88

Download Submit
C:\Windows\{A0D55B31-24D2-4b57-9C6B-3FB72F6FA557}.exe

Filesize
380KB

MD5
d6ef0ef34ca9fea7578c1c878c8353f3

SHA1
9f09d765efbdd45df799b8e625493e6e7d615a68

SHA256
78c4911b653cc6309c5478f8aaac4fce6193a358adab8e6762286a60d9d77326

SHA512
f4231749237be416413d0f831efab1380eb44325588adf255b334c2aa6d04443e7d0cddb30cd3f4934a74220e5b07605a3384ff426f066bd1375fc02976ac7dd

Download Submit
C:\Windows\{B940EC06-5A3E-46d4-9868-D410EB3E490A}.exe

Filesize
380KB

MD5
e508aec2659088a65954df3ef28fef23

SHA1
1ce443d21ec8de441c7e55138d057bb444079262

SHA256
4cec0b3360c5fee4bc51cf92826ee579d7931e02349439b7b8cd215df55648a6

SHA512
565599cc1c8ed4dc679d18a90e30d758a7977dd35f5e80c660e1db837c32fcda3077e775939ff9361877c68ed34d24f34f54dc71c67bf7b595e0df7008eb3647

Download Submit
C:\Windows\{B983E213-254B-43e3-A9A5-B64885DFA8E4}.exe

Filesize
380KB

MD5
02e4b971f87956eff32fdf04a33e1896

SHA1
66d2084fa6fc637baafecbd8c70395b47d1aee29

SHA256
e680ccf9807af754186ae9870ccdad51bbad88f6056d54a57204d3dd7676797c

SHA512
86cedd92e0c1e3672ef073d7d085f9879b44f4dc5d18e1c6d69fa344b936996adad67a181471c28d130151d41f8f2395ae1e3d5bf414b673f7249d19535471dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads