899d5898ef32ba0d6fda899a5116e639c343ddddb133295eed08281310f4dfc4

Analysis

max time kernel
149s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Size

168KB
MD5

6fbd82e183a0204539b0ba786056ed3e
SHA1

d803ed86a3551780ae0d535b6e00db61b67befa1
SHA256

899d5898ef32ba0d6fda899a5116e639c343ddddb133295eed08281310f4dfc4
SHA512

4bc6b8411451f41dc975d143560b38aead617f0ee7edca62cc6d6102053e17741fccd409cfb0e3e8af55c4cb43a148eaf29e0ec3d7144773f00dcaef19b1a133
SSDEEP

1536:1EGh0oWlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oWlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023213-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023209-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023110-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023209-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023110-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023209-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023110-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023209-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023110-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023209-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023110-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023209-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAE72089-92D5-4cb4-BA54-32D0DF126975}	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01A4F856-217A-4843-9D4C-E6769B3CA987}	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33842BE-40DF-4d37-93CB-2329B0AA3080}	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1EB96F0-3292-4620-A622-15B403BCD287}\stubpath = "C:\\Windows\\{B1EB96F0-3292-4620-A622-15B403BCD287}.exe"	{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}\stubpath = "C:\\Windows\\{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe"	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F50DFB-8B24-415f-AA93-AAF799FCC85B}	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}\stubpath = "C:\\Windows\\{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe"	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}\stubpath = "C:\\Windows\\{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe"	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}\stubpath = "C:\\Windows\\{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe"	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}\stubpath = "C:\\Windows\\{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe"	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAE72089-92D5-4cb4-BA54-32D0DF126975}\stubpath = "C:\\Windows\\{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe"	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01A4F856-217A-4843-9D4C-E6769B3CA987}\stubpath = "C:\\Windows\\{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe"	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{072D8434-C9E5-42af-AF2B-291DDFAC3678}	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4432D7BE-53BF-43c8-A8AB-4235E2113F61}	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4432D7BE-53BF-43c8-A8AB-4235E2113F61}\stubpath = "C:\\Windows\\{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe"	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1EB96F0-3292-4620-A622-15B403BCD287}	{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{072D8434-C9E5-42af-AF2B-291DDFAC3678}\stubpath = "C:\\Windows\\{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe"	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33842BE-40DF-4d37-93CB-2329B0AA3080}\stubpath = "C:\\Windows\\{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe"	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F50DFB-8B24-415f-AA93-AAF799FCC85B}\stubpath = "C:\\Windows\\{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe"	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe

Executes dropped EXE 12 IoCs

pid	Process
5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe
3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe
5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe
1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe
4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe
4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe
4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe
3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe
4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe
1732	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe
60	{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe
3564	{B1EB96F0-3292-4620-A622-15B403BCD287}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe
File created	C:\Windows\{B1EB96F0-3292-4620-A622-15B403BCD287}.exe	{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe
File created	C:\Windows\{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe
File created	C:\Windows\{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe
File created	C:\Windows\{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe
File created	C:\Windows\{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe
File created	C:\Windows\{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
File created	C:\Windows\{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe
File created	C:\Windows\{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe
File created	C:\Windows\{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe
File created	C:\Windows\{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe
File created	C:\Windows\{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	624	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe
Token: SeIncBasePriorityPrivilege	3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe
Token: SeIncBasePriorityPrivilege	5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe
Token: SeIncBasePriorityPrivilege	1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe
Token: SeIncBasePriorityPrivilege	4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe
Token: SeIncBasePriorityPrivilege	4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe
Token: SeIncBasePriorityPrivilege	4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe
Token: SeIncBasePriorityPrivilege	3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe
Token: SeIncBasePriorityPrivilege	4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe
Token: SeIncBasePriorityPrivilege	1732	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe
Token: SeIncBasePriorityPrivilege	60	{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 5296	624	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	93
PID 624 wrote to memory of 5296	624	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	93
PID 624 wrote to memory of 5296	624	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	93
PID 624 wrote to memory of 5028	624	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	94
PID 624 wrote to memory of 5028	624	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	94
PID 624 wrote to memory of 5028	624	2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe	94
PID 5296 wrote to memory of 3548	5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe	95
PID 5296 wrote to memory of 3548	5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe	95
PID 5296 wrote to memory of 3548	5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe	95
PID 5296 wrote to memory of 628	5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe	96
PID 5296 wrote to memory of 628	5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe	96
PID 5296 wrote to memory of 628	5296	{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe	96
PID 3548 wrote to memory of 5476	3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe	100
PID 3548 wrote to memory of 5476	3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe	100
PID 3548 wrote to memory of 5476	3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe	100
PID 3548 wrote to memory of 5780	3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe	101
PID 3548 wrote to memory of 5780	3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe	101
PID 3548 wrote to memory of 5780	3548	{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe	101
PID 5476 wrote to memory of 1848	5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe	102
PID 5476 wrote to memory of 1848	5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe	102
PID 5476 wrote to memory of 1848	5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe	102
PID 5476 wrote to memory of 3996	5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe	103
PID 5476 wrote to memory of 3996	5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe	103
PID 5476 wrote to memory of 3996	5476	{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe	103
PID 1848 wrote to memory of 4464	1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe	104
PID 1848 wrote to memory of 4464	1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe	104
PID 1848 wrote to memory of 4464	1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe	104
PID 1848 wrote to memory of 6068	1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe	105
PID 1848 wrote to memory of 6068	1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe	105
PID 1848 wrote to memory of 6068	1848	{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe	105
PID 4464 wrote to memory of 4492	4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe	106
PID 4464 wrote to memory of 4492	4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe	106
PID 4464 wrote to memory of 4492	4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe	106
PID 4464 wrote to memory of 5628	4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe	107
PID 4464 wrote to memory of 5628	4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe	107
PID 4464 wrote to memory of 5628	4464	{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe	107
PID 4492 wrote to memory of 4884	4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe	108
PID 4492 wrote to memory of 4884	4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe	108
PID 4492 wrote to memory of 4884	4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe	108
PID 4492 wrote to memory of 2488	4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe	109
PID 4492 wrote to memory of 2488	4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe	109
PID 4492 wrote to memory of 2488	4492	{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe	109
PID 4884 wrote to memory of 3336	4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe	110
PID 4884 wrote to memory of 3336	4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe	110
PID 4884 wrote to memory of 3336	4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe	110
PID 4884 wrote to memory of 1512	4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe	111
PID 4884 wrote to memory of 1512	4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe	111
PID 4884 wrote to memory of 1512	4884	{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe	111
PID 3336 wrote to memory of 4800	3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe	112
PID 3336 wrote to memory of 4800	3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe	112
PID 3336 wrote to memory of 4800	3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe	112
PID 3336 wrote to memory of 5540	3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe	113
PID 3336 wrote to memory of 5540	3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe	113
PID 3336 wrote to memory of 5540	3336	{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe	113
PID 4800 wrote to memory of 1732	4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe	114
PID 4800 wrote to memory of 1732	4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe	114
PID 4800 wrote to memory of 1732	4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe	114
PID 4800 wrote to memory of 8	4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe	115
PID 4800 wrote to memory of 8	4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe	115
PID 4800 wrote to memory of 8	4800	{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe	115
PID 1732 wrote to memory of 60	1732	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe	116
PID 1732 wrote to memory of 60	1732	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe	116
PID 1732 wrote to memory of 60	1732	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe	116
PID 1732 wrote to memory of 2236	1732	{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_6fbd82e183a0204539b0ba786056ed3e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe
  C:\Windows\{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5296
- - C:\Windows\{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe
    C:\Windows\{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe
      C:\Windows\{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5476
    - - C:\Windows\{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe
        
        C:\Windows\{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe
        
        C:\Windows\{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe
        
        C:\Windows\{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe
        
        C:\Windows\{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe
        
        C:\Windows\{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe
        
        C:\Windows\{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe
        
        C:\Windows\{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe
        
        C:\Windows\{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BFB9~1.EXE > nul
        13⤵
        
        PID:1644
        
        C:\Windows\{B1EB96F0-3292-4620-A622-15B403BCD287}.exe
        
        C:\Windows\{B1EB96F0-3292-4620-A622-15B403BCD287}.exe
        13⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ACC7~1.EXE > nul
        12⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ED7D~1.EXE > nul
        11⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4432D~1.EXE > nul
        10⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E64BC~1.EXE > nul
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07F50~1.EXE > nul
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CABCA~1.EXE > nul
        7⤵
        
        PID:5628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3384~1.EXE > nul
        6⤵
        
        PID:6068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{072D8~1.EXE > nul
        5⤵
        
        PID:3996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{01A4F~1.EXE > nul
      4⤵
      PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EAE72~1.EXE > nul
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01A4F856-217A-4843-9D4C-E6769B3CA987}.exe

Filesize
168KB

MD5
9074146d7ac5097e13d3a8fa19b044cd

SHA1
e78af2e239ac7992588acc06fa7191015d4cd31c

SHA256
1e2f05b95b5eca6d158db2b93327c777af2538e9f695ad8f0d25aae3dbcba574

SHA512
cb8f441898a4ecc996d9b5c2dc9ff517b18fca06371f4dc7329ad6386d92c7505641dce002fad92cdd81807dad2d9bda2fb5bd26c162d31109c1553365bc0d0a

Download Submit
C:\Windows\{072D8434-C9E5-42af-AF2B-291DDFAC3678}.exe

Filesize
168KB

MD5
4e2c7f16e814bfba3e7d9db0c271a951

SHA1
d3b38aafe7b5186da85ec030f817223aa29270e4

SHA256
ed0e2b57ff1a9f741ba587a45d6ad72f27802a6fd4e3cc2806212e81f317c6db

SHA512
733642c5d478bf770b58da347a4b1dd3895ff8a17cdf88652e203f451b57ee81476f97d7289944d539a0f393ac8ebe6d260a1d95af3853214c4ee63984e2aa1b

Download Submit
C:\Windows\{07F50DFB-8B24-415f-AA93-AAF799FCC85B}.exe

Filesize
168KB

MD5
4b7587374147d37a81e8a73f5284a2eb

SHA1
44559de13dba82b6b24d50c5874dc238724cd9bb

SHA256
f7dda03732148e36e1d04df05672f61e81c8b56b2f28f23a115ecc7a7c7a9851

SHA512
a5ddb102d0dd401966f088470c00c79cb5db482243dbc1bb3a7e9b3ebf884b4a7e8fdc06785459aea91e0a28b6c0045422083ad4092f29b4b059eb7850110652

Download Submit
C:\Windows\{2BFB9C13-87B0-4c6b-A613-AE08295C8EC9}.exe

Filesize
168KB

MD5
c25caf3193c35751e5cfa904d095f943

SHA1
0e4829a03e86e4297b4c2e2c4f662c45d59a7d52

SHA256
2f35f01bd5ec18cdaf96f756686999a91b3e319b71d63e24c9e0105f987328f7

SHA512
8098d28a1260d97a792325f04c07d75e1043863435b016b8a1445743b28102f5ad724c052b4f87ae6fa90a5940cdb763b0076082a6ed7a1d2a58ea0140842c68

Download Submit
C:\Windows\{4432D7BE-53BF-43c8-A8AB-4235E2113F61}.exe

Filesize
168KB

MD5
3fde26619bcf49085c5091cf4f5bf74c

SHA1
565643e4125ad80fb24bbc0d84d8a5d03da51323

SHA256
93c7f8deeae2c60c4cff6e4c0f88dc44503bf35335dd9b1d117da5fcad329fcb

SHA512
7de70ebee9a73bbd59f40595a91bbe99bbebcc49950c734ebbe7ca3f7fce99949a6cd387d4e80cb61c8c55901d71c04aa6d89ea5e7c009550abc496726fd106b

Download Submit
C:\Windows\{7ACC759B-DFB5-4954-B1FF-3C152A5AB754}.exe

Filesize
168KB

MD5
863e6c1f576207f27c81499d8229f853

SHA1
79068cc585095945995acdbfc816a3b62e93d0be

SHA256
62818f9a13f74cdd47ab30f34790f734dedfaa85f2a067d334f5a1b05983abd4

SHA512
1e4a05abfc2c4c7019acc318631f6ed6c38eb54c2d21b80f2a1142d520a307857b3c7f256c2ec3b9043cf658457a465261c82590b88ff278bddf66bbb5a2c596

Download Submit
C:\Windows\{7ED7DFFA-D3D2-48cf-8E79-7BFD7760CD1C}.exe

Filesize
168KB

MD5
5aad1583b74debc0124d441880d2e908

SHA1
6d107a994d139639c5ca6c6104361ea804369818

SHA256
73b44365e4eedeeefbd402452e3def2fb3337dd7d733b75efdc4ae213c7bc007

SHA512
5df5879e32a8f1b7bee3bdfd76742f200f4ab104f8f98d841b2c15dd9115ea67934be5ac7071be949131e02368265fa813420a92b90c98b17420e886174753d9

Download Submit
C:\Windows\{B1EB96F0-3292-4620-A622-15B403BCD287}.exe

Filesize
168KB

MD5
9b3ec81677d8ae45d099cf8c58886d71

SHA1
1e725b84b2360d7216c68856d0d8da0e9d5f2bdb

SHA256
ce63ebd9d24a2e92455575bf6c054848d4e8279cd40ad73b608aafa1c5d45bc5

SHA512
c8a1e65c665a7c3cb5a6805b4c96f19fef161d77d38842cb84cb8f99235afeb4c1ec93fc222d593be6ab5da488a7076c6f404b3eca6b1e5d1cbda6e0785f1fb4

Download Submit
C:\Windows\{B33842BE-40DF-4d37-93CB-2329B0AA3080}.exe

Filesize
168KB

MD5
ca6d564a8edc4cc8796a04f6382a751c

SHA1
9d089dc93e2b778d83f24f6aee681b4088094c5a

SHA256
76b7e43a6c68d946960b723395b8855990dad34c838694cd6a7908e13435c746

SHA512
ae3980fb08e2b6ee2e9a2424b196c49c0bdf2099ed0a641f0f06952046be82a97af0595a91816cbf8c8454eb88efe72c17a5f6f0f0a3486f5a5dd3de168048d7

Download Submit
C:\Windows\{CABCAC06-CE1A-4f62-86D0-A57C3B3B4C69}.exe

Filesize
168KB

MD5
a303545b7766d9b685b40a93a669c5d6

SHA1
5eceb4bc5690776b7eb3212896b71c476b2423df

SHA256
d1574921a62baf3378f41e244756ca92b4a7b54f350cf9d234fe676d0e5623f6

SHA512
5e367742e8d22865d22bf38ec58c198b8e3eeaeacfda8d423dc67bf4b865d24d81d95dcfda2001f398211e35181060934397d2dc8806919ec536598afe4257c9

Download Submit
C:\Windows\{E64BC8E5-235A-489b-81CB-DF2DC296AF9C}.exe

Filesize
168KB

MD5
63cdb31e8ed728b79983bc70752d8b04

SHA1
d7a7c72bbabdfbb1eb5dd223fe5b23ce0cbe8266

SHA256
b327ba07eb89b489e6707c450c0dcb8bbeef5f174b4945fd65a68846a1aa59f4

SHA512
ec61da0896f5f3c50763624a16595c5b33620224d0c3305c8ea06b50e6a556763b89ca0af0b838b4faddf234ccc9e1e0d8cd579171cb98a47c5f4838bd542f39

Download Submit
C:\Windows\{EAE72089-92D5-4cb4-BA54-32D0DF126975}.exe

Filesize
168KB

MD5
dac1d70835e95fe15418ac6dc5acbaf6

SHA1
a2d39a46df741ef38ffc1ef4a0dc4c519f228349

SHA256
cbe4cf8aede8be81397d0e7571ebe3905c82e77172997aa9a08bf3853b0759b0

SHA512
6309953b3dd25d53cb6a5f0992f2948f259f56d458c51b83893fae3e58bfe65f74675eef138632b912b822028cd98a41bc77bd275ba9e9592c066bca6524faa6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads