827de4f7d304e8128d7a1b89db5ecdeb8409068189a5e71d025eee1921af347c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Size

180KB
MD5

08e1c33f3759e7fbed092ce590c0ac49
SHA1

caeea6e46b8e3f99b8e946ee7e7ed6380e0cdc28
SHA256

827de4f7d304e8128d7a1b89db5ecdeb8409068189a5e71d025eee1921af347c
SHA512

a5dfcf72fe73cc1bc6a61adc17dffd6731eec75874d8cfca4883bdfd6c71026591fff1c58a69621b4fb2cfe08a34ab33dd98ad8cef8474c593684616e77b15d2
SSDEEP

3072:jEGh0odlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG3l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022770-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022772-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022777-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022772-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022772-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022777-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022772-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022777-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022772-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022777-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022772-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022777-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022772-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}	{0995858D-38CD-4f55-A199-797F552CFA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C1D9CC4-D018-4db2-835F-2D5A348553AA}\stubpath = "C:\\Windows\\{6C1D9CC4-D018-4db2-835F-2D5A348553AA}.exe"	{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B57EC245-7074-4fd2-98A9-7E126BA730F1}	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B57EC245-7074-4fd2-98A9-7E126BA730F1}\stubpath = "C:\\Windows\\{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe"	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEBADCEA-A1FC-4369-926E-329522B243B3}\stubpath = "C:\\Windows\\{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe"	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}\stubpath = "C:\\Windows\\{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe"	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA547776-89B2-4005-AE25-3FD406ACC934}\stubpath = "C:\\Windows\\{FA547776-89B2-4005-AE25-3FD406ACC934}.exe"	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0995858D-38CD-4f55-A199-797F552CFA82}	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}\stubpath = "C:\\Windows\\{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe"	{0995858D-38CD-4f55-A199-797F552CFA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}\stubpath = "C:\\Windows\\{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe"	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEBADCEA-A1FC-4369-926E-329522B243B3}	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}\stubpath = "C:\\Windows\\{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe"	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F8C3B8-0F07-4359-9D59-765D82C370E6}\stubpath = "C:\\Windows\\{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe"	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA547776-89B2-4005-AE25-3FD406ACC934}	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F8C3B8-0F07-4359-9D59-765D82C370E6}	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}\stubpath = "C:\\Windows\\{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe"	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}\stubpath = "C:\\Windows\\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe"	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0995858D-38CD-4f55-A199-797F552CFA82}\stubpath = "C:\\Windows\\{0995858D-38CD-4f55-A199-797F552CFA82}.exe"	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C1D9CC4-D018-4db2-835F-2D5A348553AA}	{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe
4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe
1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe
2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe
2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe
2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe
1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe
3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe
544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe
3320	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe
2956	{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe
876	{6C1D9CC4-D018-4db2-835F-2D5A348553AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe
File created	C:\Windows\{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe
File created	C:\Windows\{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe	{0995858D-38CD-4f55-A199-797F552CFA82}.exe
File created	C:\Windows\{6C1D9CC4-D018-4db2-835F-2D5A348553AA}.exe	{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe
File created	C:\Windows\{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
File created	C:\Windows\{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe
File created	C:\Windows\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe
File created	C:\Windows\{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe
File created	C:\Windows\{FA547776-89B2-4005-AE25-3FD406ACC934}.exe	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe
File created	C:\Windows\{0995858D-38CD-4f55-A199-797F552CFA82}.exe	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe
File created	C:\Windows\{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe
File created	C:\Windows\{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe
Token: SeIncBasePriorityPrivilege	4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe
Token: SeIncBasePriorityPrivilege	1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe
Token: SeIncBasePriorityPrivilege	2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe
Token: SeIncBasePriorityPrivilege	2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe
Token: SeIncBasePriorityPrivilege	2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe
Token: SeIncBasePriorityPrivilege	1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe
Token: SeIncBasePriorityPrivilege	3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe
Token: SeIncBasePriorityPrivilege	544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe
Token: SeIncBasePriorityPrivilege	3320	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe
Token: SeIncBasePriorityPrivilege	2956	{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2708	2236	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	89
PID 2236 wrote to memory of 2708	2236	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	89
PID 2236 wrote to memory of 2708	2236	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	89
PID 2236 wrote to memory of 3592	2236	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	90
PID 2236 wrote to memory of 3592	2236	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	90
PID 2236 wrote to memory of 3592	2236	2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe	90
PID 2708 wrote to memory of 4216	2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe	91
PID 2708 wrote to memory of 4216	2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe	91
PID 2708 wrote to memory of 4216	2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe	91
PID 2708 wrote to memory of 2964	2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe	92
PID 2708 wrote to memory of 2964	2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe	92
PID 2708 wrote to memory of 2964	2708	{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe	92
PID 4216 wrote to memory of 1640	4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe	94
PID 4216 wrote to memory of 1640	4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe	94
PID 4216 wrote to memory of 1640	4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe	94
PID 4216 wrote to memory of 1312	4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe	95
PID 4216 wrote to memory of 1312	4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe	95
PID 4216 wrote to memory of 1312	4216	{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe	95
PID 1640 wrote to memory of 2008	1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe	96
PID 1640 wrote to memory of 2008	1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe	96
PID 1640 wrote to memory of 2008	1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe	96
PID 1640 wrote to memory of 3560	1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe	97
PID 1640 wrote to memory of 3560	1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe	97
PID 1640 wrote to memory of 3560	1640	{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe	97
PID 2008 wrote to memory of 2268	2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe	98
PID 2008 wrote to memory of 2268	2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe	98
PID 2008 wrote to memory of 2268	2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe	98
PID 2008 wrote to memory of 3512	2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe	99
PID 2008 wrote to memory of 3512	2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe	99
PID 2008 wrote to memory of 3512	2008	{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe	99
PID 2268 wrote to memory of 2292	2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe	100
PID 2268 wrote to memory of 2292	2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe	100
PID 2268 wrote to memory of 2292	2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe	100
PID 2268 wrote to memory of 3136	2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe	101
PID 2268 wrote to memory of 3136	2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe	101
PID 2268 wrote to memory of 3136	2268	{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe	101
PID 2292 wrote to memory of 1648	2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe	102
PID 2292 wrote to memory of 1648	2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe	102
PID 2292 wrote to memory of 1648	2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe	102
PID 2292 wrote to memory of 3716	2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe	103
PID 2292 wrote to memory of 3716	2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe	103
PID 2292 wrote to memory of 3716	2292	{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe	103
PID 1648 wrote to memory of 3432	1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe	104
PID 1648 wrote to memory of 3432	1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe	104
PID 1648 wrote to memory of 3432	1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe	104
PID 1648 wrote to memory of 2436	1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe	105
PID 1648 wrote to memory of 2436	1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe	105
PID 1648 wrote to memory of 2436	1648	{FA547776-89B2-4005-AE25-3FD406ACC934}.exe	105
PID 3432 wrote to memory of 544	3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe	106
PID 3432 wrote to memory of 544	3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe	106
PID 3432 wrote to memory of 544	3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe	106
PID 3432 wrote to memory of 4236	3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe	107
PID 3432 wrote to memory of 4236	3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe	107
PID 3432 wrote to memory of 4236	3432	{0995858D-38CD-4f55-A199-797F552CFA82}.exe	107
PID 544 wrote to memory of 3320	544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe	108
PID 544 wrote to memory of 3320	544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe	108
PID 544 wrote to memory of 3320	544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe	108
PID 544 wrote to memory of 4684	544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe	109
PID 544 wrote to memory of 4684	544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe	109
PID 544 wrote to memory of 4684	544	{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe	109
PID 3320 wrote to memory of 2956	3320	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe	110
PID 3320 wrote to memory of 2956	3320	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe	110
PID 3320 wrote to memory of 2956	3320	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe	110
PID 3320 wrote to memory of 640	3320	{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_08e1c33f3759e7fbed092ce590c0ac49_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe
  C:\Windows\{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe
    C:\Windows\{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe
      C:\Windows\{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe
        
        C:\Windows\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe
        
        C:\Windows\{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe
        
        C:\Windows\{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{FA547776-89B2-4005-AE25-3FD406ACC934}.exe
        
        C:\Windows\{FA547776-89B2-4005-AE25-3FD406ACC934}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{0995858D-38CD-4f55-A199-797F552CFA82}.exe
        
        C:\Windows\{0995858D-38CD-4f55-A199-797F552CFA82}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe
        
        C:\Windows\{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe
        
        C:\Windows\{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe
        
        C:\Windows\{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{6C1D9CC4-D018-4db2-835F-2D5A348553AA}.exe
        
        C:\Windows\{6C1D9CC4-D018-4db2-835F-2D5A348553AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25F8C~1.EXE > nul
        13⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59DA9~1.EXE > nul
        12⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69E84~1.EXE > nul
        11⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09958~1.EXE > nul
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA547~1.EXE > nul
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB47~1.EXE > nul
        8⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEBAD~1.EXE > nul
        7⤵
        
        PID:3136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E3C~1.EXE > nul
        6⤵
        
        PID:3512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B57EC~1.EXE > nul
        5⤵
        
        PID:3560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DF975~1.EXE > nul
      4⤵
      PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3BA7~1.EXE > nul
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0995858D-38CD-4f55-A199-797F552CFA82}.exe

Filesize
180KB

MD5
38ce94505c29680fc52380598b5dca31

SHA1
eab7b8ea75e78f348fcd8f8e4c39f650cf96bf07

SHA256
a345150af12ddca0749c136fa4bb9c239675104719f5c178a1f5cb0e9fdef6d5

SHA512
ddd7a390909c773ce6449305c356e4c0ef17652d0faf0bebee7e654c0848c7f4c8032e897a09c0dd18b0c518e57903591db278d0d9e6b7ab9141209304652cab

Download Submit
C:\Windows\{25F8C3B8-0F07-4359-9D59-765D82C370E6}.exe

Filesize
180KB

MD5
7b95d51eb93426f392e1444649437d71

SHA1
9a0a5c56c7199f881c429943b28f6d8f588ebd1e

SHA256
3dd8395fa30880c2e2c04ddc7c4bb67d27f085990fabeb4daf119b4493bc08dd

SHA512
11a52c16c71bdd70a384c9cccc4e2cca55e1adadc9af9ccd77d896341c0fe65311acec10af60cf6f2aff4bd041235eeab4a32af4cc061caac3fefce41cb37e9f

Download Submit
C:\Windows\{59DA94F6-F5EF-48b7-A133-EC26C8E8C7D4}.exe

Filesize
180KB

MD5
dd301bf45e1a84af5e5dd7daf3f3cfc1

SHA1
edf1f48139ea37483b131ac0ada9c7bd46c585d4

SHA256
b72b2e3adeb790ecdfbd49c65220deb5b819d1d42344fb3728467a541cbc2585

SHA512
1e3a2c50b9268e653a2dedf80b70b73384adb2678206fffe12c02996094590a1168fb92d2f4e5e89082df80c2ce71357405715a6f62a344d32b1a59dc201c819

Download Submit
C:\Windows\{69E8478E-B7EC-4b3a-97AD-2276A9D1DD95}.exe

Filesize
180KB

MD5
ed7ebc550329efa1c10813b8e5a83799

SHA1
0dafbcd4fcd8eb974790e4740ff90f044294772a

SHA256
8fda8a619d6f13687374ab20ad197667c93e7b7c244a081c72ed2d593d03e8cb

SHA512
0bee9d232673e425db6ae8869959769e9f5d8e7001c96a9239a2549bba163b4dbe950b75e856bdcbd5ebc4af4655e46d09f8bd02d50f826f0f66c30755ab1732

Download Submit
C:\Windows\{6C1D9CC4-D018-4db2-835F-2D5A348553AA}.exe

Filesize
180KB

MD5
2c77e6a83c75b608811baaa39dde29df

SHA1
23daf82c4bb6511d0b7e3f6cc425378ce897ffc4

SHA256
797fabf50972db853c368a9a712d33d2235cd413a722e32f393299ee9ac28ce7

SHA512
ff22f06bf51328fdf844dd8cb49b9202f1a438fc046d4364476b2b24776009056e13183114068ea739c9fdfbf4b124cfe260fb9cef7748fdaceae1306eb30f5b

Download Submit
C:\Windows\{8AB47D33-9F48-425b-BA0E-30C21B6BF5A0}.exe

Filesize
180KB

MD5
c550fbe148eae2e3068660a13b949233

SHA1
f78eae8dcf43b0c35c3d4c80a921b9f8ff33380b

SHA256
923d386643be04a3007cc2ecf12b25d7230393eebc62ebada81504fd330318ff

SHA512
e5e96bec15108cf8f243757d1f69e108522a9d0c84b3f341cd693f6db9ff10a677069f02b30cb0a7891dfae212eae752f0376a6553971783294c22de1cd174f2

Download Submit
C:\Windows\{B57EC245-7074-4fd2-98A9-7E126BA730F1}.exe

Filesize
180KB

MD5
948e72c99e7ec33c38c24ce1d738478f

SHA1
16536b0c86bbbdb9af623e53f7436ebda71cb058

SHA256
3d989e342a09e5e535a6637517b7c7966ddb426908d2f0a619b75d012fab085f

SHA512
bac434b324204b7d63e89fddaa8d019c053dda2162e6b7209ab243650d0ec2c7438a28deb425c1439b84ca270544c44df8468659647e1e6f83ab995fd6fd485d

Download Submit
C:\Windows\{D3BA78AE-4BC6-4a98-B6AC-FBD5AAC0797C}.exe

Filesize
180KB

MD5
50bb0c0b140bfd9ba351ff1379072118

SHA1
838168c57e296e8470dc0f641f6e3fc85bf3d299

SHA256
c4d261c644ed4343f86696468d44685e76f90244af3ce5049bf88b2b26998c37

SHA512
6b18080ef26c60edd6fe010432b776435103f0f60610ac0956cae37c0614457053f3d869a13edabe6e70f84b218bab71cee2c13bdc3105ac157afdd60f2b3568

Download Submit
C:\Windows\{DF975C79-4E9B-4ce3-B4C0-C6FD535A5016}.exe

Filesize
180KB

MD5
2560a37486a86c7bf0791e9238b48be0

SHA1
506e1d1dbd23432a177ddaa93e0047532a73b518

SHA256
803b1f48e912dd31dcb869c7e81dd7e4a833ef1ebbeefd430baeb24ab96bcfd2

SHA512
90e5f49fc404e2e7d0dd70e485e6497c2fb63d4b20cbdecd10bf1d51e7aa838da274b974b78af03203c8221242446e5e29887291bca9d1ac1989dbf38fc6e237

Download Submit
C:\Windows\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe

Filesize
180KB

MD5
1268eaa7e7a7da259ea79847088cc258

SHA1
809a8445517f6ef3f6574e6694c9fcee1151b028

SHA256
c26b0658fe9b2c0d7b82c384b9695bd41be8b991ec0f7cd999a0efdbcb39e993

SHA512
7f057bbf70474c0871e1d6891aec6404d66ed514ca4de76a355335eb5f0668b350f7688419767ae41ab516565b9c43074db7e4b9de86e4a2743062ddb03499ba

Download Submit
C:\Windows\{E8E3C799-4D96-4383-AE0A-4C7CC42F71E0}.exe

Filesize
128KB

MD5
e55069aba14f327d52d2598da41cff95

SHA1
8e4b513e6afdcb5d0651fcc910db248e5b43c8c6

SHA256
81c1a2a97acc2f0a300a7cef3a10b0dcc8f0325e8661a253664223e252f050d4

SHA512
537d0449e97c4de31536f55e03d3d836fc7a964ab2d87f97dbb2dbc4c7de416adf467063dbd354e86e63426b3b5b9014c8b1dd703bcd970512f64a1af395062d

Download Submit
C:\Windows\{FA547776-89B2-4005-AE25-3FD406ACC934}.exe

Filesize
180KB

MD5
69ca1ef038f4bc6749b8ccb00c069cb9

SHA1
50280e3d8484ab0ea5fc88980596208a60b5764e

SHA256
6283bf2582e6922cc1eab1a88f9a1f0400f55b955183c0ecda07e69d265d4257

SHA512
84259b816e66731c7ef1ed05cd009c6015f3cb501ab8ee037f855acb6234ee96f9bd234ce461dd2cdf96b468d731dc349777cd57405960fbdb6fb0df0afc6f6d

Download Submit
C:\Windows\{FEBADCEA-A1FC-4369-926E-329522B243B3}.exe

Filesize
180KB

MD5
850024bad450740dd95f81048fb90f45

SHA1
3418f312c0574025da66cb6ea0dd0a09d6f91bdb

SHA256
a0860609a4066465869194d3515bd29ddcc65cb861866695ef51fb6c5ff1f823

SHA512
3091ef94a2fda63212a3a8cca039f8d81a01ec8ba816cd2384fa92db7b223704e31fc5059d3d578e1995357eefcb2343185581f2bff834c20c9dcfa3fb2f67a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads