52505143d91cc995066bf962444dd2a645913e5904dc6ba012679c08f3f6c868

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe
Size

197KB
MD5

6f360bf34160ce1c1d4eceb2f1b8ebe9
SHA1

05dda87170ab591591b3db0a58a89e4f4796d291
SHA256

52505143d91cc995066bf962444dd2a645913e5904dc6ba012679c08f3f6c868
SHA512

516baaf60d332473dbaf50bc529b791af76110d50a97cc49c83d2b42dbf572b43f82813e3b033e65b945960a0c629fbe347dd2f641b067dc7153d7ffb3324dfa
SSDEEP

3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGvlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231fd-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f6-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023205-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023205-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f6-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023205-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f6-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023205-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231f6-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023205-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231f6-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023202-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231f6-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98EF6373-BB20-40cb-97F0-5D913AB97052}\stubpath = "C:\\Windows\\{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe"	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}\stubpath = "C:\\Windows\\{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe"	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA44BFB-6104-415f-93D8-79872C69EDD5}\stubpath = "C:\\Windows\\{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe"	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E25A74-F426-440e-B640-03275F07333D}	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B474DE2-103B-4150-9B59-0ABBB821BB14}\stubpath = "C:\\Windows\\{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe"	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98EF6373-BB20-40cb-97F0-5D913AB97052}	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E25A74-F426-440e-B640-03275F07333D}\stubpath = "C:\\Windows\\{C9E25A74-F426-440e-B640-03275F07333D}.exe"	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9490688-B084-4b48-A504-0CDD27500D94}\stubpath = "C:\\Windows\\{D9490688-B084-4b48-A504-0CDD27500D94}.exe"	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}\stubpath = "C:\\Windows\\{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe"	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}\stubpath = "C:\\Windows\\{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe"	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}	{C9E25A74-F426-440e-B640-03275F07333D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}\stubpath = "C:\\Windows\\{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}.exe"	{C9E25A74-F426-440e-B640-03275F07333D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9490688-B084-4b48-A504-0CDD27500D94}	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}\stubpath = "C:\\Windows\\{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe"	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B474DE2-103B-4150-9B59-0ABBB821BB14}	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA44BFB-6104-415f-93D8-79872C69EDD5}	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}\stubpath = "C:\\Windows\\{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe"	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}	{D9490688-B084-4b48-A504-0CDD27500D94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}\stubpath = "C:\\Windows\\{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe"	{D9490688-B084-4b48-A504-0CDD27500D94}.exe

Executes dropped EXE 12 IoCs

pid	Process
3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe
2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe
864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe
3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe
4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe
4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe
4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe
564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe
2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe
4080	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe
4200	{C9E25A74-F426-440e-B640-03275F07333D}.exe
2280	{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D9490688-B084-4b48-A504-0CDD27500D94}.exe	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe
File created	C:\Windows\{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe
File created	C:\Windows\{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe
File created	C:\Windows\{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe
File created	C:\Windows\{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe
File created	C:\Windows\{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe	{D9490688-B084-4b48-A504-0CDD27500D94}.exe
File created	C:\Windows\{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe
File created	C:\Windows\{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe
File created	C:\Windows\{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe
File created	C:\Windows\{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe
File created	C:\Windows\{C9E25A74-F426-440e-B640-03275F07333D}.exe	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe
File created	C:\Windows\{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}.exe	{C9E25A74-F426-440e-B640-03275F07333D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4784	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe
Token: SeIncBasePriorityPrivilege	2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe
Token: SeIncBasePriorityPrivilege	864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe
Token: SeIncBasePriorityPrivilege	3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe
Token: SeIncBasePriorityPrivilege	4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe
Token: SeIncBasePriorityPrivilege	4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe
Token: SeIncBasePriorityPrivilege	4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe
Token: SeIncBasePriorityPrivilege	564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe
Token: SeIncBasePriorityPrivilege	2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe
Token: SeIncBasePriorityPrivilege	4080	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe
Token: SeIncBasePriorityPrivilege	4200	{C9E25A74-F426-440e-B640-03275F07333D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3468	4784	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe	90
PID 4784 wrote to memory of 3468	4784	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe	90
PID 4784 wrote to memory of 3468	4784	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe	90
PID 4784 wrote to memory of 820	4784	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe	91
PID 4784 wrote to memory of 820	4784	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe	91
PID 4784 wrote to memory of 820	4784	2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe	91
PID 3468 wrote to memory of 2940	3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe	92
PID 3468 wrote to memory of 2940	3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe	92
PID 3468 wrote to memory of 2940	3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe	92
PID 3468 wrote to memory of 4668	3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe	93
PID 3468 wrote to memory of 4668	3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe	93
PID 3468 wrote to memory of 4668	3468	{D9490688-B084-4b48-A504-0CDD27500D94}.exe	93
PID 2940 wrote to memory of 864	2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe	98
PID 2940 wrote to memory of 864	2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe	98
PID 2940 wrote to memory of 864	2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe	98
PID 2940 wrote to memory of 2332	2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe	97
PID 2940 wrote to memory of 2332	2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe	97
PID 2940 wrote to memory of 2332	2940	{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe	97
PID 864 wrote to memory of 3424	864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe	99
PID 864 wrote to memory of 3424	864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe	99
PID 864 wrote to memory of 3424	864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe	99
PID 864 wrote to memory of 2956	864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe	100
PID 864 wrote to memory of 2956	864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe	100
PID 864 wrote to memory of 2956	864	{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe	100
PID 3424 wrote to memory of 4952	3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe	101
PID 3424 wrote to memory of 4952	3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe	101
PID 3424 wrote to memory of 4952	3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe	101
PID 3424 wrote to memory of 4972	3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe	102
PID 3424 wrote to memory of 4972	3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe	102
PID 3424 wrote to memory of 4972	3424	{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe	102
PID 4952 wrote to memory of 4188	4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe	103
PID 4952 wrote to memory of 4188	4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe	103
PID 4952 wrote to memory of 4188	4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe	103
PID 4952 wrote to memory of 2872	4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe	104
PID 4952 wrote to memory of 2872	4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe	104
PID 4952 wrote to memory of 2872	4952	{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe	104
PID 4188 wrote to memory of 4944	4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe	105
PID 4188 wrote to memory of 4944	4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe	105
PID 4188 wrote to memory of 4944	4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe	105
PID 4188 wrote to memory of 4788	4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe	106
PID 4188 wrote to memory of 4788	4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe	106
PID 4188 wrote to memory of 4788	4188	{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe	106
PID 4944 wrote to memory of 564	4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe	107
PID 4944 wrote to memory of 564	4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe	107
PID 4944 wrote to memory of 564	4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe	107
PID 4944 wrote to memory of 4796	4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe	108
PID 4944 wrote to memory of 4796	4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe	108
PID 4944 wrote to memory of 4796	4944	{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe	108
PID 564 wrote to memory of 2372	564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe	109
PID 564 wrote to memory of 2372	564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe	109
PID 564 wrote to memory of 2372	564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe	109
PID 564 wrote to memory of 4968	564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe	110
PID 564 wrote to memory of 4968	564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe	110
PID 564 wrote to memory of 4968	564	{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe	110
PID 2372 wrote to memory of 4080	2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe	111
PID 2372 wrote to memory of 4080	2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe	111
PID 2372 wrote to memory of 4080	2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe	111
PID 2372 wrote to memory of 1332	2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe	112
PID 2372 wrote to memory of 1332	2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe	112
PID 2372 wrote to memory of 1332	2372	{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe	112
PID 4080 wrote to memory of 4200	4080	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe	113
PID 4080 wrote to memory of 4200	4080	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe	113
PID 4080 wrote to memory of 4200	4080	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe	113
PID 4080 wrote to memory of 4648	4080	{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6f360bf34160ce1c1d4eceb2f1b8ebe9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\{D9490688-B084-4b48-A504-0CDD27500D94}.exe
  C:\Windows\{D9490688-B084-4b48-A504-0CDD27500D94}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe
    C:\Windows\{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3D7CD~1.EXE > nul
      4⤵
      PID:2332
  - - C:\Windows\{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe
      C:\Windows\{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe
        
        C:\Windows\{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Windows\{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe
        
        C:\Windows\{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe
        
        C:\Windows\{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe
        
        C:\Windows\{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe
        
        C:\Windows\{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe
        
        C:\Windows\{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe
        
        C:\Windows\{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\{C9E25A74-F426-440e-B640-03275F07333D}.exe
        
        C:\Windows\{C9E25A74-F426-440e-B640-03275F07333D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}.exe
        
        C:\Windows\{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E25~1.EXE > nul
        13⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{689B3~1.EXE > nul
        12⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA44~1.EXE > nul
        11⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F862~1.EXE > nul
        10⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF431~1.EXE > nul
        9⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D39AB~1.EXE > nul
        8⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8619~1.EXE > nul
        7⤵
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98EF6~1.EXE > nul
        6⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B474~1.EXE > nul
        5⤵
        
        PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9490~1.EXE > nul
    3⤵
    PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3D7CD47F-5FCC-4727-9D31-CCD56C569D4C}.exe

Filesize
197KB

MD5
b45910b8024dfe1cc8e739c6992316cd

SHA1
5908f62cc3ddf3dfa231a82946227599ffb30657

SHA256
5ec7572ca311ad8734605b88c4d2bb2630c7725b556df5f14c06637bcc50d9cf

SHA512
713eb01977eba2f01a99642d3c546e51ef683dab93cf98ec88373972d8502968eb140f22b28c6528fd8f650a9739b0caced0b3cadc5a6fb6b0998a0a264f0780

Download Submit
C:\Windows\{689B322C-A67F-4bb6-A1DC-CAB04807ABDA}.exe

Filesize
197KB

MD5
c91b96e6f21f890746e665b500687d3a

SHA1
cd6ccde604b256bbba07ddba00833bf8aa6d6640

SHA256
4a4f09256ea325b3ac291d5938aa998b9b39f103a20bd5c13437659682c8d147

SHA512
24fe60c9137f038b3f97ff0ac1bb41ae43e0974e5ce3b6abcb54d53252993b1638a40159be859edbabd3bac1cb1f401ddcffaa1734bad74da402578639f1bd21

Download Submit
C:\Windows\{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe

Filesize
197KB

MD5
1a656bae7770032810bec6722811bd26

SHA1
515db367d1fe0789ef20d46f3d8aadffb34048bb

SHA256
fc19284eb1d2f429effe308c0182b80c0b8c2bdf8be01fd2ac05cdd8878292a8

SHA512
8f84526fb8467bf14ca921edf3d102bea742472d37c585e37f9d27e23731d7a534360aa2fe688d3c92ad2ebe084d1848d4f518a59c235614f3ad5eae60497c10

Download Submit
C:\Windows\{6B474DE2-103B-4150-9B59-0ABBB821BB14}.exe

Filesize
102KB

MD5
f70f3f907fb4e8e443bfc705d8b09a64

SHA1
a528423e820814a40cc3f296351e84d254737f39

SHA256
f90ee9a8663c3064037dfd4cab00faa149074fbc77563e3683d86faabbb76b56

SHA512
b779ff7749aae5ba36ae81613944f1919f1eb9b911d6ad95b92e0fec6feef14c62273a58a948c8c9688a2782429db5551079fb9d4a945b7d45397b7e491f11f7

Download Submit
C:\Windows\{7DA44BFB-6104-415f-93D8-79872C69EDD5}.exe

Filesize
197KB

MD5
c1da3c64410eda3b59b795d00de1c0d6

SHA1
1c3d0aa235bcf8bdba2c2340ba9b08a6c17ef66f

SHA256
41621f493f1c0bb2474cb2ff4e24e9f35d97285752044d3854b5504b84b73da7

SHA512
1c843120b23d4c2959f60a32393e88fac8fa085100c04b4dbe9f3447a35c913bc489ef6321d3696387c778f71dd903daf2df10c8aa6ba72ebfcc190998e02c35

Download Submit
C:\Windows\{7F862513-1E7F-4b3c-805B-93E2C18CC4B1}.exe

Filesize
197KB

MD5
28999cb21c7b41dd75efcc3dc9c08eae

SHA1
db20c29bdfc09b95d01a70e71619c0d29174fbf6

SHA256
4fa5639de645ea4c0d6e487ef4dab1e33e890520efbbbc80d72818a8064306da

SHA512
b8d91573a26f0898372398dcb7e620f6d54c08b18e2db7446bbbe6e63bec146773b42fa26ace3359e0f4ab3204324d43ffc8106031e7e3b6f61af74e36bfd3c3

Download Submit
C:\Windows\{98EF6373-BB20-40cb-97F0-5D913AB97052}.exe

Filesize
197KB

MD5
5b20b24f12e12f1b2cbc340ef71b37a7

SHA1
d4f2339f8e71cc52b6b242be2035bd32db8f225d

SHA256
2ca0fbd379a10e2393a457eb69dac218ec8fe0ecd1b3dff848624e87fafc29d3

SHA512
4d07ac5320a2c4a62728f16985ecc505b6462876af7f30be3c8eed2f993acf37739f0a702f4e8b006771eb92511e8f81bc711161f4a128e13db64cf2c12cea46

Download Submit
C:\Windows\{C8619FAB-BA6F-4fa6-A167-8DB654F7D2E5}.exe

Filesize
197KB

MD5
1e5b4fb827ade64d33e77d4301aa9c78

SHA1
8d6b69fbf1c30dbea9c55279e36c4ac22d0d0a00

SHA256
4d1cc5a80c62a4faa8bc9d97eba8f850e5516941cdd2df1b8820a9bd2b29b6ab

SHA512
efc8a4974bad5717d1ac2d451fd0f2ad5d599f70b1e2abc830c413e06b28a0525ee64e9dd63323208547762a6f17d9a4de67f2459dc4054dd75c856a052de4f6

Download Submit
C:\Windows\{C9E25A74-F426-440e-B640-03275F07333D}.exe

Filesize
197KB

MD5
d39787b842f53f08376d9b37204746e2

SHA1
a83f7cca0c99384c0c3486b34193ec410eddc567

SHA256
3603e2fe86612c6700364da01879cfc5d6a15ae6e5bfcb1a167946709badf2aa

SHA512
038b5a8ccaa572f9625007e5f24c69a88132c04f78539141e31c42324f10b901d0ff21dd48d567163733878f89661014e97dc5ea1e12f705d497e705d3eff94f

Download Submit
C:\Windows\{CF43173F-FE23-47e7-AC3D-A6FFCB9DBED0}.exe

Filesize
197KB

MD5
38786dcddf4da01a0426158617ebec0c

SHA1
0b45775eb0db6f650f390bde4a399ab9ed8dcdbf

SHA256
bc2271dbbefe1020b62a6464da643983ea535f22ce68d23e70a0e678e8f21b05

SHA512
51afd70ded21a3f30156021a00940c906de12733b905ad416d931ded20684fa30a4c77ab8ceb433ab1393d4c5fa42fd4b66a13179dec692a0fcd8559e118cedd

Download Submit
C:\Windows\{D39ABF90-79DA-47a0-8802-48D4FA95FBBF}.exe

Filesize
197KB

MD5
cf49599e112b7bc662fdfd024d59a07d

SHA1
b98a054e44351a30b296e879b12d0fb7f9671291

SHA256
397cd549bd22ea3f5a3342cb961d2843c9be5164eb088d5e92b0a3d4c9ed480b

SHA512
ef52fe6e245d37fb636932e1b1cbbe3464d886bc2ce8f052fa12178e23105d2ab3d560338f419b15a3bc6e8a2effae8b17baf56f0489dd7e8d9550f1bac6a2af

Download Submit
C:\Windows\{D8EA31CC-30A3-4ddc-82CD-3D9F4E29A2B0}.exe

Filesize
197KB

MD5
bc5864153ce5b31b5fd4ae70e7776576

SHA1
ae7cd175fa7cf2c04ee996bd5adb8d51f0f897d0

SHA256
33b07ac075d514fbcf6592d681fa7fa9e98704ecc0fff178009d6c39b6130db3

SHA512
7d9652414a57ebd2b20c24cf65993dddc633bc6f84bca65c5c643f8f589a4250056e201365a8d34ce7258c19527076ce5917e619dee7bd905012396a2524d855

Download Submit
C:\Windows\{D9490688-B084-4b48-A504-0CDD27500D94}.exe

Filesize
197KB

MD5
8ae42920379bb90e022a18431269ced0

SHA1
6ac3c666a6e5e3a02dff1a058d719eeed3f1800e

SHA256
9f4e818243cc1e1fea5378bd8a0dd61fabe71b71c204ce4bc257359dddeb083b

SHA512
31c8053024f6c9eef27d66fd583adfc057b215ee101184b069691d8ec89b6387eba49bc870bdd0fbf7b5c15e3de2a1f5ce888a889683aa00fef79b5fb0778d4b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads