192c384d910f442f1a8969223d0abc2f6f18360d453d0de6476cd3501c7f5798

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe
Size

197KB
MD5

4f6c09e04013bf5246d5d2b728161717
SHA1

58f618fd92edbc8825b3043f8b617df33f277396
SHA256

192c384d910f442f1a8969223d0abc2f6f18360d453d0de6476cd3501c7f5798
SHA512

b44678e9d57765be335502fb68ff2f5ca1addbc684abfbfcbc31a307dce10094a9c001b50608608dbabde48cec765259e8bc10de35bd088348eeca336e7914f5
SSDEEP

3072:jEGh0okl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGmlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002322b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023224-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001693a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002311b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001693a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002311b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001693a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002311b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001693a-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002311b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001693a-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002311b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}\stubpath = "C:\\Windows\\{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe"	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}\stubpath = "C:\\Windows\\{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe"	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E32145B-EA26-49cc-A51E-15FBA490E481}	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F6755E-AC68-4816-A152-2F4735A764CC}	{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D56E609-F4A8-42e1-8D29-10A555346B7C}\stubpath = "C:\\Windows\\{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe"	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E32145B-EA26-49cc-A51E-15FBA490E481}\stubpath = "C:\\Windows\\{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe"	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD80CEDC-734F-46c0-BB49-6365F120B816}	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0F6755E-AC68-4816-A152-2F4735A764CC}\stubpath = "C:\\Windows\\{F0F6755E-AC68-4816-A152-2F4735A764CC}.exe"	{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}\stubpath = "C:\\Windows\\{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe"	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}\stubpath = "C:\\Windows\\{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe"	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}\stubpath = "C:\\Windows\\{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe"	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}\stubpath = "C:\\Windows\\{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe"	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D56E609-F4A8-42e1-8D29-10A555346B7C}	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}\stubpath = "C:\\Windows\\{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe"	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}\stubpath = "C:\\Windows\\{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe"	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD80CEDC-734F-46c0-BB49-6365F120B816}\stubpath = "C:\\Windows\\{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe"	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe

Executes dropped EXE 12 IoCs

pid	Process
5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe
688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe
1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe
2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe
3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe
4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe
3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe
1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe
4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe
4876	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe
4616	{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe
1976	{F0F6755E-AC68-4816-A152-2F4735A764CC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe
File created	C:\Windows\{F0F6755E-AC68-4816-A152-2F4735A764CC}.exe	{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe
File created	C:\Windows\{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe
File created	C:\Windows\{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe
File created	C:\Windows\{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe
File created	C:\Windows\{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe
File created	C:\Windows\{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe
File created	C:\Windows\{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe
File created	C:\Windows\{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe
File created	C:\Windows\{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe
File created	C:\Windows\{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe
File created	C:\Windows\{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4108	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe
Token: SeIncBasePriorityPrivilege	688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe
Token: SeIncBasePriorityPrivilege	1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe
Token: SeIncBasePriorityPrivilege	2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe
Token: SeIncBasePriorityPrivilege	3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe
Token: SeIncBasePriorityPrivilege	4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe
Token: SeIncBasePriorityPrivilege	3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe
Token: SeIncBasePriorityPrivilege	1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe
Token: SeIncBasePriorityPrivilege	4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe
Token: SeIncBasePriorityPrivilege	4876	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe
Token: SeIncBasePriorityPrivilege	4616	{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 5064	4108	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe	91
PID 4108 wrote to memory of 5064	4108	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe	91
PID 4108 wrote to memory of 5064	4108	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe	91
PID 4108 wrote to memory of 3676	4108	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe	92
PID 4108 wrote to memory of 3676	4108	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe	92
PID 4108 wrote to memory of 3676	4108	2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe	92
PID 5064 wrote to memory of 688	5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe	93
PID 5064 wrote to memory of 688	5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe	93
PID 5064 wrote to memory of 688	5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe	93
PID 5064 wrote to memory of 532	5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe	94
PID 5064 wrote to memory of 532	5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe	94
PID 5064 wrote to memory of 532	5064	{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe	94
PID 688 wrote to memory of 1348	688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe	99
PID 688 wrote to memory of 1348	688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe	99
PID 688 wrote to memory of 1348	688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe	99
PID 688 wrote to memory of 1508	688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe	98
PID 688 wrote to memory of 1508	688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe	98
PID 688 wrote to memory of 1508	688	{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe	98
PID 1348 wrote to memory of 2752	1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe	100
PID 1348 wrote to memory of 2752	1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe	100
PID 1348 wrote to memory of 2752	1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe	100
PID 1348 wrote to memory of 4560	1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe	101
PID 1348 wrote to memory of 4560	1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe	101
PID 1348 wrote to memory of 4560	1348	{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe	101
PID 2752 wrote to memory of 3140	2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe	102
PID 2752 wrote to memory of 3140	2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe	102
PID 2752 wrote to memory of 3140	2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe	102
PID 2752 wrote to memory of 628	2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe	103
PID 2752 wrote to memory of 628	2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe	103
PID 2752 wrote to memory of 628	2752	{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe	103
PID 3140 wrote to memory of 4968	3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe	104
PID 3140 wrote to memory of 4968	3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe	104
PID 3140 wrote to memory of 4968	3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe	104
PID 3140 wrote to memory of 2060	3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe	105
PID 3140 wrote to memory of 2060	3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe	105
PID 3140 wrote to memory of 2060	3140	{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe	105
PID 4968 wrote to memory of 3472	4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe	106
PID 4968 wrote to memory of 3472	4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe	106
PID 4968 wrote to memory of 3472	4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe	106
PID 4968 wrote to memory of 3476	4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe	107
PID 4968 wrote to memory of 3476	4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe	107
PID 4968 wrote to memory of 3476	4968	{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe	107
PID 3472 wrote to memory of 1916	3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe	108
PID 3472 wrote to memory of 1916	3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe	108
PID 3472 wrote to memory of 1916	3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe	108
PID 3472 wrote to memory of 4260	3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe	109
PID 3472 wrote to memory of 4260	3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe	109
PID 3472 wrote to memory of 4260	3472	{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe	109
PID 1916 wrote to memory of 4072	1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe	110
PID 1916 wrote to memory of 4072	1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe	110
PID 1916 wrote to memory of 4072	1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe	110
PID 1916 wrote to memory of 2960	1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe	111
PID 1916 wrote to memory of 2960	1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe	111
PID 1916 wrote to memory of 2960	1916	{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe	111
PID 4072 wrote to memory of 4876	4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe	112
PID 4072 wrote to memory of 4876	4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe	112
PID 4072 wrote to memory of 4876	4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe	112
PID 4072 wrote to memory of 3552	4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe	113
PID 4072 wrote to memory of 3552	4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe	113
PID 4072 wrote to memory of 3552	4072	{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe	113
PID 4876 wrote to memory of 4616	4876	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe	114
PID 4876 wrote to memory of 4616	4876	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe	114
PID 4876 wrote to memory of 4616	4876	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe	114
PID 4876 wrote to memory of 3492	4876	{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_4f6c09e04013bf5246d5d2b728161717_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe
  C:\Windows\{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe
    C:\Windows\{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{03F9F~1.EXE > nul
      4⤵
      PID:1508
  - - C:\Windows\{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe
      C:\Windows\{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe
        
        C:\Windows\{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe
        
        C:\Windows\{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe
        
        C:\Windows\{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe
        
        C:\Windows\{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe
        
        C:\Windows\{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe
        
        C:\Windows\{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe
        
        C:\Windows\{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe
        
        C:\Windows\{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\{F0F6755E-AC68-4816-A152-2F4735A764CC}.exe
        
        C:\Windows\{F0F6755E-AC68-4816-A152-2F4735A764CC}.exe
        13⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C074C~1.EXE > nul
        13⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD80C~1.EXE > nul
        12⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9E68~1.EXE > nul
        11⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E321~1.EXE > nul
        10⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B1E4~1.EXE > nul
        9⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A875~1.EXE > nul
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D56E~1.EXE > nul
        7⤵
        
        PID:2060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B930F~1.EXE > nul
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBBF6~1.EXE > nul
        5⤵
        
        PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EC425~1.EXE > nul
    3⤵
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03F9F5FB-BD37-4fc3-8D5E-342D5054ABF2}.exe

Filesize
197KB

MD5
d13cf0ab77cdcf31297cc601f4bed0c6

SHA1
9d10bf62e7a32e74b1f91e00a48e8c3998c3af61

SHA256
2b326ef565c76c3897d721ca200f6e1376d94abe0238b0ce18cf3328a5b49d48

SHA512
1c3511e0402af9952faaaf948c02a4a19dfa7f0bd36e390ef6c1e88964b1a055feeeba0cfd885da8697bc388f24d78cd858f39bc26b139ec871bb055dffa2eda

Download Submit
C:\Windows\{1B1E49EE-67E7-4486-AEBB-FCD18000E79E}.exe

Filesize
197KB

MD5
65d2b87802041982ce6e1d6e90f0272c

SHA1
fce64838231ea2042745b612062cf96bc603ea0e

SHA256
e2362725a7fd685c14aab0bba4cc86f6857f91ef30c0fe20d63c35c1fcf08261

SHA512
d1972b9d39b919f18c2efd321250b97b2462a798380abba1e81a6c08db623999e33898572a51a3dca622cf0f129bc11ca206d7e1eb59ce551418f3d53b07a949

Download Submit
C:\Windows\{2A875EBA-0366-4b4a-8EA2-D59A3E14E6A7}.exe

Filesize
197KB

MD5
79c951c52b84157bda13cbec281b797d

SHA1
c7497b571a75d3c84c73f17acf5f70739ec6c6ab

SHA256
82c092aaf8dcdb87efb5f574fa9da7a682bbd16dcd4708cbdb52db426173f991

SHA512
7d7860fc44014deb165062c5285ac47d995b9a30acbcb3675a7a0535e4559f8c156d512d84ac1580fed4ebd064622e48481928974c2fc9789f2544c046e02bc1

Download Submit
C:\Windows\{2D56E609-F4A8-42e1-8D29-10A555346B7C}.exe

Filesize
197KB

MD5
32b197f2e337f6cce8b75025605945e7

SHA1
94351477508f1a3b1c54fdc09cb5374b0edee957

SHA256
70b9d8a406a69645c17867416f03e3864a1b854b64e7a236da776fb16be5cddc

SHA512
cb5ece37b57a89dd7e0a3e5a8ce8c7dbfc7d82d7d0e1e1e11766d9e60f8a2fcbef440834123aa13aa1a67b70e7b8d4d3637f7ef93784309346ffeae1980fe872

Download Submit
C:\Windows\{6E32145B-EA26-49cc-A51E-15FBA490E481}.exe

Filesize
197KB

MD5
818fe6536064ea839fccc2e2a4186300

SHA1
65a7de5a6322cdc742e18b29aa139354a50f53b2

SHA256
1841975b93127d0058160246e608ff19c44b94006f0850a3c46ac1f60305a20e

SHA512
55a7f7c38d3388bdbe700c34d23661a602695ee75ff390e09e36cffc3cf80763a22e040024b20d6e165b5b935bd79ffd25896f8d36aa67324a5d9f7c5b1a671d

Download Submit
C:\Windows\{AD80CEDC-734F-46c0-BB49-6365F120B816}.exe

Filesize
197KB

MD5
59dbddcdd21aaf914e194c9a6a67b584

SHA1
495402e10f9aa91a2c076a0ea9ffa9a2677ab733

SHA256
b111eb7b622b4ff610bca15996f9f0f0c45e2fb25e63fcf89481b4b8015051ac

SHA512
2f201b2f49ec1bb95e2fb2f91a681ca4a846ce1529b90fba956563fd43d47d615fe5c27fb765ceeeb58057a1ebee5a0269715170bc940904a26e01f0e1596fd1

Download Submit
C:\Windows\{B930F001-2C6D-47a9-B3D8-67EB5EFA5AEA}.exe

Filesize
197KB

MD5
d1807bbaf3cf9d6cdd491c0cbdf24b3b

SHA1
675bfc4932c8f27214eddc3b4509323e1e51b26e

SHA256
d2912a4827eeeda659910db963956d1fab186deeb80d794e27708b10441b4c5d

SHA512
eb0335ddead9b96ffda51e4357b59898e570fd057d099e089d46dd6879b2cb6e0820c9b8134b0f3cc5ea039d4cbd230f32bbf6586434c38954edf2d3514b530d

Download Submit
C:\Windows\{BBBF6288-5AC0-4603-9383-BE691ADDCD9C}.exe

Filesize
197KB

MD5
7a324040c1043e00b214a93d9135acc5

SHA1
15152f5a9f4b4c85e2c4193bf61b4223fb5a3e4c

SHA256
fab7581d83052121abbdbab6f4a40dbd6045ddacdd876087e484cc2bdfa30c88

SHA512
a1aeb3a68abf117b61263051eed2aa309ec6eb7985c6d094ad19820f88462b9abf7930f9d706fb4b9963248f830a0db8353dc1523154c5a639d84588fd344f94

Download Submit
C:\Windows\{C074CFCF-CBEE-4d6d-BEFF-64B49E704BA1}.exe

Filesize
197KB

MD5
81e6a0f52529d4e79d353ff97caed246

SHA1
4bc46e2ecbdb9c5ffa2d50585119fc2300e1452b

SHA256
ae957969fa1a87f3c6ac2cdf96466736a72f4e216a5dc6320d5d3d6349d670a2

SHA512
eee6378550567d6caa8920d8bd0223747c35b03273a16ac04489eef22faa9594d4f376e173869d88c7b3ea809280476084741b679627e2b979503be2cc3dbd89

Download Submit
C:\Windows\{D9E68AE0-2B70-49ec-9564-0E6EFE956EA5}.exe

Filesize
197KB

MD5
eb0ebb46647d41453ca9211a82ceba16

SHA1
47f65c5dd2a8e2317f928e40b11ff9ab6afa5662

SHA256
743acbcf946911444293980ac9ee6bf8a774a63e04d1c1ab936c800e827889a3

SHA512
4e8bb745c6164fd5bbd31d913ee79931980ec7c61b965dc247cc83816bfbd2bb37992023edba57f9f9048e41256ecfbd99c2cec4c00d892ae1f64b2aef68c1a0

Download Submit
C:\Windows\{EC425C83-6800-4aa6-BC24-29DB8ABBF7D9}.exe

Filesize
197KB

MD5
d6625da8c888d3cbc285a3590466315b

SHA1
e37c553eaf9cc617f607592559f3ecabae7c89a7

SHA256
5b35dfc7dc4bc3112a6b2cf4ff8c552c5608666b793415665e241bc45a413ac3

SHA512
b327c6f7e89c09759592692ba4ff735145affa0630184fe39b04fba5d627bded1830da69f70d2b3333f444536d1569542d1015b1b2843c5e0ea6b9fe3fa4502c

Download Submit
C:\Windows\{F0F6755E-AC68-4816-A152-2F4735A764CC}.exe

Filesize
197KB

MD5
ed2027754abf7017ccf831e18a6658b1

SHA1
3939fdffd5fea491b646de7409c6643ac173a61a

SHA256
402546bc2184af050cedfdb58eb9b27b2acb16b32d9d56059109a56064f3a0ed

SHA512
c02ca49833f3492b985042f945ca82420cb1c906ab04e708d5d6d2cf4077ff00fffdd108e1ba394425776476526a5bb45f5291355f1ae10550e606e70d226df4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads