2c2a2fb770897e71eb15e7ed9441a196f18112d4c8f11ed5b77475af39bfc452

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Size

168KB
MD5

6be0c56305dec263b8fc35e66ff8219d
SHA1

a43ccf20b0bee6f8de6b3a7aa54f6c2fe5082477
SHA256

2c2a2fb770897e71eb15e7ed9441a196f18112d4c8f11ed5b77475af39bfc452
SHA512

86e1cf7cdecec60fc76e89c27d24bdf63bd854d9bdf4b1f6e4db8930b961afdf91d5b891b2c656adee80ba8fb8bda2bb2397adc46c49e3d4ca7f219780b259d6
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012226-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012246-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012226-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00120000000055a2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012226-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00130000000055a2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012226-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00140000000055a2-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012226-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00150000000055a2-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012226-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00160000000055a2-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}\stubpath = "C:\\Windows\\{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe"	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}\stubpath = "C:\\Windows\\{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe"	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3180A4C9-B522-4532-96A1-11ED7AFC2C38}	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}\stubpath = "C:\\Windows\\{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe"	{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}	{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}\stubpath = "C:\\Windows\\{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe"	{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEC33F6C-B7EC-4113-B79C-27F2A017700E}	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}\stubpath = "C:\\Windows\\{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe"	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}\stubpath = "C:\\Windows\\{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe"	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}\stubpath = "C:\\Windows\\{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe"	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEC33F6C-B7EC-4113-B79C-27F2A017700E}\stubpath = "C:\\Windows\\{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe"	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB0D382-D704-4ad0-9072-63D421ADED68}\stubpath = "C:\\Windows\\{3CB0D382-D704-4ad0-9072-63D421ADED68}.exe"	{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}\stubpath = "C:\\Windows\\{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe"	{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}	{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB0D382-D704-4ad0-9072-63D421ADED68}	{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3180A4C9-B522-4532-96A1-11ED7AFC2C38}\stubpath = "C:\\Windows\\{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe"	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27B344C-F41D-4320-8C1C-7CF312D7FA05}	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27B344C-F41D-4320-8C1C-7CF312D7FA05}\stubpath = "C:\\Windows\\{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe"	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}	{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe
2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe
2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe
756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe
320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe
1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe
528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe
940	{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe
372	{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe
2084	{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe
1864	{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe
1800	{3CB0D382-D704-4ad0-9072-63D421ADED68}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
File created	C:\Windows\{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe
File created	C:\Windows\{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe
File created	C:\Windows\{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe
File created	C:\Windows\{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe	{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe
File created	C:\Windows\{3CB0D382-D704-4ad0-9072-63D421ADED68}.exe	{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe
File created	C:\Windows\{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe
File created	C:\Windows\{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe
File created	C:\Windows\{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe
File created	C:\Windows\{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe
File created	C:\Windows\{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe	{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe
File created	C:\Windows\{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe	{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe
Token: SeIncBasePriorityPrivilege	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe
Token: SeIncBasePriorityPrivilege	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe
Token: SeIncBasePriorityPrivilege	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe
Token: SeIncBasePriorityPrivilege	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe
Token: SeIncBasePriorityPrivilege	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe
Token: SeIncBasePriorityPrivilege	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe
Token: SeIncBasePriorityPrivilege	940	{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe
Token: SeIncBasePriorityPrivilege	372	{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe
Token: SeIncBasePriorityPrivilege	2084	{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe
Token: SeIncBasePriorityPrivilege	1864	{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2888	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	28
PID 2272 wrote to memory of 2888	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	28
PID 2272 wrote to memory of 2888	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	28
PID 2272 wrote to memory of 2888	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	28
PID 2272 wrote to memory of 2524	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	29
PID 2272 wrote to memory of 2524	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	29
PID 2272 wrote to memory of 2524	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	29
PID 2272 wrote to memory of 2524	2272	2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe	29
PID 2888 wrote to memory of 2632	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	30
PID 2888 wrote to memory of 2632	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	30
PID 2888 wrote to memory of 2632	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	30
PID 2888 wrote to memory of 2632	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	30
PID 2888 wrote to memory of 2644	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	31
PID 2888 wrote to memory of 2644	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	31
PID 2888 wrote to memory of 2644	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	31
PID 2888 wrote to memory of 2644	2888	{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe	31
PID 2632 wrote to memory of 2396	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	32
PID 2632 wrote to memory of 2396	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	32
PID 2632 wrote to memory of 2396	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	32
PID 2632 wrote to memory of 2396	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	32
PID 2632 wrote to memory of 2428	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	33
PID 2632 wrote to memory of 2428	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	33
PID 2632 wrote to memory of 2428	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	33
PID 2632 wrote to memory of 2428	2632	{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe	33
PID 2396 wrote to memory of 756	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	36
PID 2396 wrote to memory of 756	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	36
PID 2396 wrote to memory of 756	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	36
PID 2396 wrote to memory of 756	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	36
PID 2396 wrote to memory of 2560	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	37
PID 2396 wrote to memory of 2560	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	37
PID 2396 wrote to memory of 2560	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	37
PID 2396 wrote to memory of 2560	2396	{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe	37
PID 756 wrote to memory of 320	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	38
PID 756 wrote to memory of 320	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	38
PID 756 wrote to memory of 320	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	38
PID 756 wrote to memory of 320	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	38
PID 756 wrote to memory of 1980	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	39
PID 756 wrote to memory of 1980	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	39
PID 756 wrote to memory of 1980	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	39
PID 756 wrote to memory of 1980	756	{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe	39
PID 320 wrote to memory of 1636	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	40
PID 320 wrote to memory of 1636	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	40
PID 320 wrote to memory of 1636	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	40
PID 320 wrote to memory of 1636	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	40
PID 320 wrote to memory of 1316	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	41
PID 320 wrote to memory of 1316	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	41
PID 320 wrote to memory of 1316	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	41
PID 320 wrote to memory of 1316	320	{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe	41
PID 1636 wrote to memory of 528	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	42
PID 1636 wrote to memory of 528	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	42
PID 1636 wrote to memory of 528	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	42
PID 1636 wrote to memory of 528	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	42
PID 1636 wrote to memory of 644	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	43
PID 1636 wrote to memory of 644	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	43
PID 1636 wrote to memory of 644	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	43
PID 1636 wrote to memory of 644	1636	{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe	43
PID 528 wrote to memory of 940	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	44
PID 528 wrote to memory of 940	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	44
PID 528 wrote to memory of 940	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	44
PID 528 wrote to memory of 940	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	44
PID 528 wrote to memory of 2336	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	45
PID 528 wrote to memory of 2336	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	45
PID 528 wrote to memory of 2336	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	45
PID 528 wrote to memory of 2336	528	{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_6be0c56305dec263b8fc35e66ff8219d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe
  C:\Windows\{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe
    C:\Windows\{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe
      C:\Windows\{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe
        
        C:\Windows\{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe
        
        C:\Windows\{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe
        
        C:\Windows\{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe
        
        C:\Windows\{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe
        
        C:\Windows\{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe
        
        C:\Windows\{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe
        
        C:\Windows\{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe
        
        C:\Windows\{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{3CB0D382-D704-4ad0-9072-63D421ADED68}.exe
        
        C:\Windows\{3CB0D382-D704-4ad0-9072-63D421ADED68}.exe
        13⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0DDC~1.EXE > nul
        13⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{002B1~1.EXE > nul
        12⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{307F1~1.EXE > nul
        11⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D27B3~1.EXE > nul
        10⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49460~1.EXE > nul
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CAF8~1.EXE > nul
        8⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEC33~1.EXE > nul
        7⤵
        
        PID:1316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C28EC~1.EXE > nul
        6⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3180A~1.EXE > nul
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5266E~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{912FD~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{002B1E62-5A6B-48a2-AF11-2FF25753BA2D}.exe

Filesize
168KB

MD5
7fb4253108866ff960231b28e656dcb9

SHA1
4c3f8faebe0b28c8eafc67d7087afd346c4a0fed

SHA256
6bb08efe2038084b4ba1f52bff7d464939592adc5e0c4da9340b0efa07e6d939

SHA512
647846cd29097bfc357aa26e332ca9c5fef9e93dcad90784dd475165693b8af76a9a8dcc956486fdb8f61748de52cb49211d4215aef86f5b4a9cf21cb87b7874

Download Submit
C:\Windows\{307F18DC-1E92-4303-98A8-5C6AF3D6D50D}.exe

Filesize
168KB

MD5
5661a80109d78e1495756bd04f2d9b69

SHA1
07dadd2c6b20879a070ee2b59afcfe8a67077115

SHA256
77f20c0a6da0c639dcb8bdf3abb8217cd7b719cc4845b87af1446e2760ccaf05

SHA512
7966061d6715d203d15a787119564f193fa614d5e6c7b7be65d5604f9c1f54aa8797ca0261929a0201a427bd170178a78aea6ce233cf9f865364a758c4e129ee

Download Submit
C:\Windows\{3180A4C9-B522-4532-96A1-11ED7AFC2C38}.exe

Filesize
168KB

MD5
59009f4447ee07d630d1b66033680e4a

SHA1
d6b144f2b3a80186ef5d80589ad3875160e442bc

SHA256
2cda6758c506fc11dbdc42252027df821ffc6e9ad0ba1af5acbc183a9bae4a53

SHA512
eee06824b637ce02568f6fecc4f63f1287a6867091e80b5036a0027456a406473b6ea4e3950a31ce60ed2d9dc0c53237f02bd4f2813c98823ad7314ae157d3d9

Download Submit
C:\Windows\{3CB0D382-D704-4ad0-9072-63D421ADED68}.exe

Filesize
168KB

MD5
7f0f053f9d0258847faf3227008c2406

SHA1
7c4a4bbc80b2d3a17a94f0f055f772abc6741472

SHA256
ae548b6ded2630aec08d798a8c66d232aac8a7d075f4841479fa2c834cbc16df

SHA512
f46d9c4bff224a5034b7e1f649405820f77def5c637f3ddebca3e9d287e2256edd78df5d9ade2def460e5d2916651fb900983bdbcc0d244042cc9d817012a379

Download Submit
C:\Windows\{49460771-08F0-4ae8-8DA9-F616DB9C4D4D}.exe

Filesize
168KB

MD5
66addabb6223154fb5d333333e578a96

SHA1
e0756ff0ee03fce7be2f81c3502d4d829f14b1e5

SHA256
397cab5df1a80c0979da0b9000f743bf937e0fd96dafe725900fc5057c44886d

SHA512
bf011a2e9341cf85503e257d56c470ced702a2cad8f589aad8f904d27c7c0ea6681f2dee9de9a2cfa4dd304ce1b4574dbe169e7b7af87e327f17dcd86695308e

Download Submit
C:\Windows\{5266EE0B-24FF-4bf3-9E14-76D3D56ADBE9}.exe

Filesize
168KB

MD5
e18e5e07c54c3c8b3e436e9a27a187d7

SHA1
4cf5eeb7d8b58bfc83abe097bfb9a11086868820

SHA256
d746fe1b8162bcc49c21ceee2a4d3494b7eb2f20cbfe1e7b8e3336050c21dd9e

SHA512
93c8252c3658ed9487880368682dbad56219fb02e57c9740f154b1c757d5330306468e158f614fde26743c917c2bc3e56952cbb32e44b5bce8f1774c2a9064ee

Download Submit
C:\Windows\{7CAF8F2E-964A-4d16-AA1D-3F289EF223C6}.exe

Filesize
168KB

MD5
562d85c8807e47e9ab60c8c5aebb6d11

SHA1
2b50be921f66c21d1bedb262cac0c7d892946dd9

SHA256
f856ab3566b421d56a67173fcf255d10b527b377948b7f0122785028b3913dea

SHA512
37156ebc86c6d586bf45acc6dde8ba57c9d2e193257318011932c4ea1134babe8008bdb7ad1e2125b796246c2bc0d4dc68a72b20c892922ae6fcdf5752a2dbf3

Download Submit
C:\Windows\{912FD017-91C4-4ddf-9D8E-B26CE62C9A5A}.exe

Filesize
168KB

MD5
1bebe8b6cc83ce5d0131605011c0da33

SHA1
a32bb2e335012be616010bd88b6d76d8b5c5a476

SHA256
0f840ec66917bbeea78a59892d82a6db90f751158394ae2f10121fb22bdcb60c

SHA512
26306ddb569201ab8c27b0bb7fdc8d00aa56b985e5f4fe9a1614c4eabf93a60f22c4150031cbdb3024eac6d6965a86e37dbc657c876013209f328772394bf631

Download Submit
C:\Windows\{C28ECDE2-E482-48aa-A4DD-EF4D7E1BCDF7}.exe

Filesize
168KB

MD5
7d37b2d32d4aefeca4da78d5817a18b4

SHA1
cd63027d438d6a6d630e405ade634093d76fbfeb

SHA256
121eaad84617a59f80037ffafe627103174779051bf8614a75ece2b399593500

SHA512
0b3fb8510b49f51cbfb6cdd6cc5bda1c29efa6fc654a287614413d81fae61c7b14dd7f682ef3ea27218490beb208316e730a13db5cd904ad639945ae29b4eecc

Download Submit
C:\Windows\{D0DDCE83-319B-4f1b-A245-F5D749A24A5A}.exe

Filesize
168KB

MD5
91bc9c9082f0c936ff9becec3d6c9226

SHA1
634d2b889346ecbe82cb31beaa9a4aa2170cdfe5

SHA256
aff43cfdc3c7c4a19ffa2609d723f212a6b7026322e3a038dfd78ad7bfa3c479

SHA512
d0b24a61930649ade667a30f730aaeb0b415e8b1dc83998911cfc056926656716cf0282a56fb1ba9daf67ee124aa6f722f138e90c58c354fe116a4473f1afde8

Download Submit
C:\Windows\{D27B344C-F41D-4320-8C1C-7CF312D7FA05}.exe

Filesize
168KB

MD5
dc87e4086e0d2bfca1f30fcc77476f55

SHA1
11ec4f16a74855092f1473158551d0a4fa148cfd

SHA256
e3f756be7296a76220eafc0525aaf44182b5915713be6ad5d11be1299c04b320

SHA512
fb0d843987d33cb05bf1703efa8067ea1b4a8d50f06b6d9ed37ade81f99803e4033e54f4333262e36ff3b1896fa682bd9c2687ffa87c7e2dba818ac418451a17

Download Submit
C:\Windows\{FEC33F6C-B7EC-4113-B79C-27F2A017700E}.exe

Filesize
168KB

MD5
2048cc1a6f33a467e8f66ecb0bde24c0

SHA1
fd58b75002bf32b3cf131ac9464f9422beaf8f6c

SHA256
dca3bd890c997780e8aaef5bdbc61f45c30f6e3fae88c239b066166cdd36d151

SHA512
7813888590a460542783bdf59f3364b637774dd2f4c5442e1c17bae66b4d6b9bdab9cffafbdc34d339979b80ad30c2f34cede2ce5633b1873bb5900baeb2aa0a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads