97a7b359719e9be6bf9d92846a7460e4e4bb732822453cd55ab2348cf3eb2ff1

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe
Size

380KB
MD5

425e78ca4e5cd2ee29bb3d7dd85f9507
SHA1

c5a38c358a469f3e9d50901c5cc481b5a39d124a
SHA256

97a7b359719e9be6bf9d92846a7460e4e4bb732822453cd55ab2348cf3eb2ff1
SHA512

615547eef61f91607b1e50ba01fa5da0580d90f2394baa0ccdefa0d725e2c2d3ce105fe52e2473c19e7d610ea867048e5660c9d569dd9a216fb4b73e71e2e0e5
SSDEEP

3072:mEGh0o5lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGjl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231fe-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ff-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023114-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231ff-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023114-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231ff-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023114-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231ff-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023114-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231ff-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023114-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000231ff-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD3E156B-BFF1-4212-9E60-2C448F38D105}\stubpath = "C:\\Windows\\{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe"	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6544C7AE-DD0C-4346-9590-49F61C1D11CB}	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3720D28E-9916-47cc-B846-DDFF415351DF}\stubpath = "C:\\Windows\\{3720D28E-9916-47cc-B846-DDFF415351DF}.exe"	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386E41EA-8216-4265-B06E-97106A4F86F6}	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9546126-5FE9-4f15-8492-9651EA05D43E}	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9546126-5FE9-4f15-8492-9651EA05D43E}\stubpath = "C:\\Windows\\{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe"	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}	{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03EF92D-159A-4c10-B611-833A3B8F7E46}\stubpath = "C:\\Windows\\{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe"	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8449C5E-53EF-4003-8A34-A8E7439A64A8}\stubpath = "C:\\Windows\\{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe"	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}\stubpath = "C:\\Windows\\{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe"	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}\stubpath = "C:\\Windows\\{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe"	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03EF92D-159A-4c10-B611-833A3B8F7E46}	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8449C5E-53EF-4003-8A34-A8E7439A64A8}	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD3E156B-BFF1-4212-9E60-2C448F38D105}	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6544C7AE-DD0C-4346-9590-49F61C1D11CB}\stubpath = "C:\\Windows\\{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe"	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}\stubpath = "C:\\Windows\\{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe"	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}\stubpath = "C:\\Windows\\{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe"	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3720D28E-9916-47cc-B846-DDFF415351DF}	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386E41EA-8216-4265-B06E-97106A4F86F6}\stubpath = "C:\\Windows\\{386E41EA-8216-4265-B06E-97106A4F86F6}.exe"	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}\stubpath = "C:\\Windows\\{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}.exe"	{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe
1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe
4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe
2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe
4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe
2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe
4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe
1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe
4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe
3900	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe
940	{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe
4632	{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe
File created	C:\Windows\{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe
File created	C:\Windows\{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe
File created	C:\Windows\{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe
File created	C:\Windows\{386E41EA-8216-4265-B06E-97106A4F86F6}.exe	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe
File created	C:\Windows\{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe
File created	C:\Windows\{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}.exe	{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe
File created	C:\Windows\{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe
File created	C:\Windows\{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe
File created	C:\Windows\{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe
File created	C:\Windows\{3720D28E-9916-47cc-B846-DDFF415351DF}.exe	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe
File created	C:\Windows\{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3428	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe
Token: SeIncBasePriorityPrivilege	1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe
Token: SeIncBasePriorityPrivilege	4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe
Token: SeIncBasePriorityPrivilege	2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe
Token: SeIncBasePriorityPrivilege	4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe
Token: SeIncBasePriorityPrivilege	2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe
Token: SeIncBasePriorityPrivilege	4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe
Token: SeIncBasePriorityPrivilege	1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe
Token: SeIncBasePriorityPrivilege	4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe
Token: SeIncBasePriorityPrivilege	3900	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe
Token: SeIncBasePriorityPrivilege	940	{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4936	3428	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe	92
PID 3428 wrote to memory of 4936	3428	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe	92
PID 3428 wrote to memory of 4936	3428	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe	92
PID 3428 wrote to memory of 4204	3428	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe	93
PID 3428 wrote to memory of 4204	3428	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe	93
PID 3428 wrote to memory of 4204	3428	2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe	93
PID 4936 wrote to memory of 1152	4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe	94
PID 4936 wrote to memory of 1152	4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe	94
PID 4936 wrote to memory of 1152	4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe	94
PID 4936 wrote to memory of 2772	4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe	95
PID 4936 wrote to memory of 2772	4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe	95
PID 4936 wrote to memory of 2772	4936	{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe	95
PID 1152 wrote to memory of 4488	1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe	99
PID 1152 wrote to memory of 4488	1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe	99
PID 1152 wrote to memory of 4488	1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe	99
PID 1152 wrote to memory of 3200	1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe	100
PID 1152 wrote to memory of 3200	1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe	100
PID 1152 wrote to memory of 3200	1152	{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe	100
PID 4488 wrote to memory of 2096	4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe	101
PID 4488 wrote to memory of 2096	4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe	101
PID 4488 wrote to memory of 2096	4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe	101
PID 4488 wrote to memory of 3508	4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe	102
PID 4488 wrote to memory of 3508	4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe	102
PID 4488 wrote to memory of 3508	4488	{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe	102
PID 2096 wrote to memory of 4672	2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe	103
PID 2096 wrote to memory of 4672	2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe	103
PID 2096 wrote to memory of 4672	2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe	103
PID 2096 wrote to memory of 548	2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe	104
PID 2096 wrote to memory of 548	2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe	104
PID 2096 wrote to memory of 548	2096	{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe	104
PID 4672 wrote to memory of 2748	4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe	105
PID 4672 wrote to memory of 2748	4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe	105
PID 4672 wrote to memory of 2748	4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe	105
PID 4672 wrote to memory of 5112	4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe	106
PID 4672 wrote to memory of 5112	4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe	106
PID 4672 wrote to memory of 5112	4672	{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe	106
PID 2748 wrote to memory of 4852	2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe	107
PID 2748 wrote to memory of 4852	2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe	107
PID 2748 wrote to memory of 4852	2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe	107
PID 2748 wrote to memory of 2452	2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe	108
PID 2748 wrote to memory of 2452	2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe	108
PID 2748 wrote to memory of 2452	2748	{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe	108
PID 4852 wrote to memory of 1908	4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe	109
PID 4852 wrote to memory of 1908	4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe	109
PID 4852 wrote to memory of 1908	4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe	109
PID 4852 wrote to memory of 2740	4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe	110
PID 4852 wrote to memory of 2740	4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe	110
PID 4852 wrote to memory of 2740	4852	{3720D28E-9916-47cc-B846-DDFF415351DF}.exe	110
PID 1908 wrote to memory of 4080	1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe	111
PID 1908 wrote to memory of 4080	1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe	111
PID 1908 wrote to memory of 4080	1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe	111
PID 1908 wrote to memory of 872	1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe	112
PID 1908 wrote to memory of 872	1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe	112
PID 1908 wrote to memory of 872	1908	{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe	112
PID 4080 wrote to memory of 3900	4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe	113
PID 4080 wrote to memory of 3900	4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe	113
PID 4080 wrote to memory of 3900	4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe	113
PID 4080 wrote to memory of 772	4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe	114
PID 4080 wrote to memory of 772	4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe	114
PID 4080 wrote to memory of 772	4080	{386E41EA-8216-4265-B06E-97106A4F86F6}.exe	114
PID 3900 wrote to memory of 940	3900	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe	115
PID 3900 wrote to memory of 940	3900	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe	115
PID 3900 wrote to memory of 940	3900	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe	115
PID 3900 wrote to memory of 2688	3900	{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_425e78ca4e5cd2ee29bb3d7dd85f9507_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe
  C:\Windows\{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe
    C:\Windows\{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe
      C:\Windows\{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Windows\{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe
        
        C:\Windows\{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe
        
        C:\Windows\{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe
        
        C:\Windows\{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{3720D28E-9916-47cc-B846-DDFF415351DF}.exe
        
        C:\Windows\{3720D28E-9916-47cc-B846-DDFF415351DF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe
        
        C:\Windows\{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{386E41EA-8216-4265-B06E-97106A4F86F6}.exe
        
        C:\Windows\{386E41EA-8216-4265-B06E-97106A4F86F6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe
        
        C:\Windows\{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe
        
        C:\Windows\{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}.exe
        
        C:\Windows\{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}.exe
        13⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E83A~1.EXE > nul
        13⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9546~1.EXE > nul
        12⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{386E4~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72AAB~1.EXE > nul
        10⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3720D~1.EXE > nul
        9⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CAAE~1.EXE > nul
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F48~1.EXE > nul
        7⤵
        
        PID:5112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6544C~1.EXE > nul
        6⤵
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD3E1~1.EXE > nul
        5⤵
        
        PID:3508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8449~1.EXE > nul
      4⤵
      PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D03EF~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3720D28E-9916-47cc-B846-DDFF415351DF}.exe

Filesize
380KB

MD5
5798cee6c08319b372a14185b40fca09

SHA1
0b17979835e15b12aa794c485cdd96af4e9bda48

SHA256
705c26bd8b3cad2a571f2b5d3c85f1f2d4b5f0e8d95332fbb57ad172038c48e9

SHA512
9589713e2d2cbea5cb22359782e9f620d728d129abc97932984f07acfc3a034def9c95282ff75a5d96ba8b338d9eb9dab34caf8b3c2d66945b5667b4e814995f

Download Submit
C:\Windows\{386E41EA-8216-4265-B06E-97106A4F86F6}.exe

Filesize
380KB

MD5
d97ecf62729572a9bfeff38cad34a859

SHA1
800b9698fd73ec1b76688fbc051835026038254f

SHA256
3f25532d5d60df6bf5af99c1dce5c637f4b905f4c75d53dc1c60022e6b71b3c4

SHA512
6513bf1fbdb09f70b105cbe51b1ad1dff9c113099485644ad3647689aa96042f2e9d662e5c3dc6d653205a29185b7dacda227ac478bde98c0ced3f9b65af8af0

Download Submit
C:\Windows\{3CAAE0C1-73AE-4241-B160-4A197EF9A8E3}.exe

Filesize
380KB

MD5
38a03edd2db9056f2abf82fd0daf7c5c

SHA1
dd15c89025a00a03bdbdac1689879da463505f70

SHA256
8d0b4eab7791c4aaeabe33aff2199b26436c8554b50250e522b7624a286ad658

SHA512
6fd3b1a7ed5af030f69cb7b0bb42232f31338a7860b2adf0e153639331a1a28da6220aa9839ee9ed86d26a34dfdb8172aaff25d97a1ca3b45ace14e4258920ee

Download Submit
C:\Windows\{5E83AD3A-5F57-4f02-BF4D-FFA79A43119F}.exe

Filesize
380KB

MD5
58514fbed2639a3b7f4bf38ea307a1ea

SHA1
73963a46fbdd9ebab8f6784d039538b4dac1424a

SHA256
17a79680fab2dc5b60f4e84d5711469b0d1ea43f7e10c01bd7e925513b51bf52

SHA512
763e68dfe28a3b8469b068c7d3c3af7adeddf8e26444b357fa7f14cf1c87638f788b263e451612a12a608a83adcdda18dd95c63e17096f556150dfca0522ea9c

Download Submit
C:\Windows\{6544C7AE-DD0C-4346-9590-49F61C1D11CB}.exe

Filesize
380KB

MD5
e142cd64a52a4f16c3aba71e5631319a

SHA1
9c33932d76189d158e95c7ebad0b73746dd8cf26

SHA256
e11d0593acfc03fbb48c7921aee4ffb248a27e2d97556cc8e80c48de339b161d

SHA512
78e2dac41d88bf35536843f68827a2387315ca6bb479357db6ea9abcc78c24f3b773e1b71812ae3554ac0c029eb3e7869893991782a7c1dd7d37aa0ae0b76537

Download Submit
C:\Windows\{72AABE8A-EFC6-424e-A4A4-80929B0CCB23}.exe

Filesize
380KB

MD5
b8eef12fd3feb2a393381026f116c329

SHA1
82ab139c57f1d8c191958cf6d42e4cd12afb4506

SHA256
020c2d9484f11790d4033c175fde98b65b03403bcdd1a1e67dcbe77321840c7f

SHA512
d593eb30fc646112d0515007a0f27535e7d66bf2f40d4e1b9c8160cc32f7345c7c6564b4d7617276906b774944005a9d921970eef4ef2fcc0051fb3cf5806c59

Download Submit
C:\Windows\{83F4846D-4DE3-443e-B89E-8C16B8ED6D8B}.exe

Filesize
380KB

MD5
4fc8f15bc5fad7527312ff585d51dd5f

SHA1
c670eb18faf5290b5b5bd5096900986ece1ee694

SHA256
d367e3b1657998c5ef891f40b860fae37df76e2e988da36c6169cba807f9c1d8

SHA512
107c393a9166bed807df62282998663f2a10d699bd7cd5b2184ed35cbab813a9f0588e93f02404e9092009a240e41bae1f7475c478dd845edc38b353b5bc189d

Download Submit
C:\Windows\{D03EF92D-159A-4c10-B611-833A3B8F7E46}.exe

Filesize
380KB

MD5
cdc3c57233c58d6979130a015b59203c

SHA1
3973584813ed9e4c1e831dc281dc608df5eb7aac

SHA256
aeeb69d956a78b7dcad753f16f8a5c3af1c2281745bc85fc6957539d6500bf84

SHA512
ab3e9bd34fc29495efad4a5d4c7112e89004d1c413127e304db184fe4bfdf3355c83eae0a48cb53d5133aced877f9e2216f2fbd18d3f4b3211dd1c60a040900a

Download Submit
C:\Windows\{D9546126-5FE9-4f15-8492-9651EA05D43E}.exe

Filesize
380KB

MD5
cc05e1984a61c0a25030c2dc47f2cee9

SHA1
b2e64de83c56b3186d5ec244280c952b514d360e

SHA256
e076f66bca35cab04bd08d3f0d9a575f351d11b5797dbfba464629b5f4e32712

SHA512
7b72c46545931574f6e706cbb4cb25fa2eaca2f2baa6a1863ec134322691589a88c5cca0456995981f4a33a51be271405a68d21eb126f2ec78218e551c835e4d

Download Submit
C:\Windows\{D9E20C48-5613-4eaf-8A34-5EA2B7C32178}.exe

Filesize
380KB

MD5
0bca5f0059afe9faa77d0e833f75f404

SHA1
6254fd49806dc86238dcf3e887cc0f11823078b1

SHA256
f20d6eba11c2eab863e2c7f0575babb54abd0cb65c28f6e756fb6f7e1c1bb0df

SHA512
7e8131d566e8a9af54285095c175e2f8dd91290a672d6de78a591f5eac74823b5df62b6ddb64c52ed2d6cb37429e3a0fcd319e42fd77736d80e27ad19009165e

Download Submit
C:\Windows\{DD3E156B-BFF1-4212-9E60-2C448F38D105}.exe

Filesize
380KB

MD5
16a5b1caf1431337d05ec10644659098

SHA1
40c9ccd93b7975a89c9a59942dcd3afdab522eab

SHA256
637b0597d9e1908918532867e76a5682786687d62777be753654254e8816ee78

SHA512
8f200ad2e1c2226adfdf35f2759f2c25bb7fdc9fff783ffca5741ad08b1ba83c4c5dce0b168a95ea2eb33bd1747efc8c9be19f039d9347e475c7ebfe8b20be7f

Download Submit
C:\Windows\{F8449C5E-53EF-4003-8A34-A8E7439A64A8}.exe

Filesize
380KB

MD5
a78ed6490196da4d825cf971562f1bbd

SHA1
bab898f6fac76258f824bedecf5b74b1e55a2325

SHA256
03e5d5d87b987b7b64e893b25ee5f9d09239bb51751a05e069a4fcd443a3ca65

SHA512
18fb45d5f85f27a4b22932f81c358ba9df5f6dff9157c12eba2c7eb1e9b78bb69874af910fb962cc702e4b5fec22d27a925ba390281d321449230a126c9f9103

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads