37c1a61d159e7008cc0064a8cfb7a422d5695759977380d05681d8ffdc466af2

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe
Size

204KB
MD5

f34cdcec1cb458fd82bbaf51934182b2
SHA1

e1abb69f2d19fda740d18ea0295d07caf1f1f76a
SHA256

37c1a61d159e7008cc0064a8cfb7a422d5695759977380d05681d8ffdc466af2
SHA512

2863b4809444ec9876912bb05231a70530362f13e017e83fd023e86aea9ab65d01f9c50553e44b32fdec3b4d442a079e070fc484909e6d1d0de99b649572a9b4
SSDEEP

1536:1EGh0oCl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oCl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00070000000230f2-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000230f4-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000230fb-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022fec-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000230fb-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000230fb-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022fec-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000230fb-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022fec-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230fb-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000022fec-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230fb-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000022fec-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98A2577-4AA9-4697-AC78-F5BA263C84B7}	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}\stubpath = "C:\\Windows\\{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe"	{39BC115B-4617-4e7b-8748-C8078A862300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A70688-3F97-42b4-A1E0-1F48D8405524}\stubpath = "C:\\Windows\\{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe"	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}\stubpath = "C:\\Windows\\{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe"	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52538C7-B685-493c-A08B-2CD812435AAA}	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}\stubpath = "C:\\Windows\\{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}.exe"	{B52538C7-B685-493c-A08B-2CD812435AAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98A2577-4AA9-4697-AC78-F5BA263C84B7}\stubpath = "C:\\Windows\\{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe"	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}	{39BC115B-4617-4e7b-8748-C8078A862300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA4CE64-312B-46a8-AE05-60A4E561AA57}	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A70688-3F97-42b4-A1E0-1F48D8405524}	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}\stubpath = "C:\\Windows\\{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe"	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52538C7-B685-493c-A08B-2CD812435AAA}\stubpath = "C:\\Windows\\{B52538C7-B685-493c-A08B-2CD812435AAA}.exe"	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}\stubpath = "C:\\Windows\\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe"	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE4AAE5-D3A2-43c2-9C81-81B967495179}	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE4AAE5-D3A2-43c2-9C81-81B967495179}\stubpath = "C:\\Windows\\{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe"	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDF57BEC-A214-4040-99E6-AD7B71C94882}	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDF57BEC-A214-4040-99E6-AD7B71C94882}\stubpath = "C:\\Windows\\{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe"	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39BC115B-4617-4e7b-8748-C8078A862300}	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39BC115B-4617-4e7b-8748-C8078A862300}\stubpath = "C:\\Windows\\{39BC115B-4617-4e7b-8748-C8078A862300}.exe"	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA4CE64-312B-46a8-AE05-60A4E561AA57}\stubpath = "C:\\Windows\\{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe"	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}	{B52538C7-B685-493c-A08B-2CD812435AAA}.exe

Executes dropped EXE 12 IoCs

pid	Process
4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe
3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe
2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe
2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe
3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe
3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe
3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe
1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe
1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe
4248	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe
2504	{B52538C7-B685-493c-A08B-2CD812435AAA}.exe
4712	{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{39BC115B-4617-4e7b-8748-C8078A862300}.exe	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe
File created	C:\Windows\{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe	{39BC115B-4617-4e7b-8748-C8078A862300}.exe
File created	C:\Windows\{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe
File created	C:\Windows\{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe
File created	C:\Windows\{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe
File created	C:\Windows\{B52538C7-B685-493c-A08B-2CD812435AAA}.exe	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe
File created	C:\Windows\{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe
File created	C:\Windows\{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe
File created	C:\Windows\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe
File created	C:\Windows\{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe
File created	C:\Windows\{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe
File created	C:\Windows\{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}.exe	{B52538C7-B685-493c-A08B-2CD812435AAA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3220	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe
Token: SeIncBasePriorityPrivilege	3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe
Token: SeIncBasePriorityPrivilege	2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe
Token: SeIncBasePriorityPrivilege	2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe
Token: SeIncBasePriorityPrivilege	3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe
Token: SeIncBasePriorityPrivilege	3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe
Token: SeIncBasePriorityPrivilege	3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe
Token: SeIncBasePriorityPrivilege	1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe
Token: SeIncBasePriorityPrivilege	1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe
Token: SeIncBasePriorityPrivilege	4248	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe
Token: SeIncBasePriorityPrivilege	2504	{B52538C7-B685-493c-A08B-2CD812435AAA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 4064	3220	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe	87
PID 3220 wrote to memory of 4064	3220	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe	87
PID 3220 wrote to memory of 4064	3220	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe	87
PID 3220 wrote to memory of 3564	3220	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe	88
PID 3220 wrote to memory of 3564	3220	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe	88
PID 3220 wrote to memory of 3564	3220	2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe	88
PID 4064 wrote to memory of 3788	4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe	90
PID 4064 wrote to memory of 3788	4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe	90
PID 4064 wrote to memory of 3788	4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe	90
PID 4064 wrote to memory of 4580	4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe	89
PID 4064 wrote to memory of 4580	4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe	89
PID 4064 wrote to memory of 4580	4064	{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe	89
PID 3788 wrote to memory of 2652	3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe	94
PID 3788 wrote to memory of 2652	3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe	94
PID 3788 wrote to memory of 2652	3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe	94
PID 3788 wrote to memory of 3408	3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe	93
PID 3788 wrote to memory of 3408	3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe	93
PID 3788 wrote to memory of 3408	3788	{39BC115B-4617-4e7b-8748-C8078A862300}.exe	93
PID 2652 wrote to memory of 2820	2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe	99
PID 2652 wrote to memory of 2820	2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe	99
PID 2652 wrote to memory of 2820	2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe	99
PID 2652 wrote to memory of 4252	2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe	98
PID 2652 wrote to memory of 4252	2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe	98
PID 2652 wrote to memory of 4252	2652	{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe	98
PID 2820 wrote to memory of 3628	2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe	101
PID 2820 wrote to memory of 3628	2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe	101
PID 2820 wrote to memory of 3628	2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe	101
PID 2820 wrote to memory of 1336	2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe	100
PID 2820 wrote to memory of 1336	2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe	100
PID 2820 wrote to memory of 1336	2820	{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe	100
PID 3628 wrote to memory of 3576	3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe	103
PID 3628 wrote to memory of 3576	3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe	103
PID 3628 wrote to memory of 3576	3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe	103
PID 3628 wrote to memory of 1196	3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe	102
PID 3628 wrote to memory of 1196	3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe	102
PID 3628 wrote to memory of 1196	3628	{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe	102
PID 3576 wrote to memory of 3368	3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe	105
PID 3576 wrote to memory of 3368	3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe	105
PID 3576 wrote to memory of 3368	3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe	105
PID 3576 wrote to memory of 4700	3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe	104
PID 3576 wrote to memory of 4700	3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe	104
PID 3576 wrote to memory of 4700	3576	{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe	104
PID 3368 wrote to memory of 1596	3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe	107
PID 3368 wrote to memory of 1596	3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe	107
PID 3368 wrote to memory of 1596	3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe	107
PID 3368 wrote to memory of 1308	3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe	106
PID 3368 wrote to memory of 1308	3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe	106
PID 3368 wrote to memory of 1308	3368	{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe	106
PID 1596 wrote to memory of 1360	1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe	108
PID 1596 wrote to memory of 1360	1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe	108
PID 1596 wrote to memory of 1360	1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe	108
PID 1596 wrote to memory of 3568	1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe	109
PID 1596 wrote to memory of 3568	1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe	109
PID 1596 wrote to memory of 3568	1596	{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe	109
PID 1360 wrote to memory of 4248	1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe	110
PID 1360 wrote to memory of 4248	1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe	110
PID 1360 wrote to memory of 4248	1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe	110
PID 1360 wrote to memory of 3592	1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe	111
PID 1360 wrote to memory of 3592	1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe	111
PID 1360 wrote to memory of 3592	1360	{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe	111
PID 4248 wrote to memory of 2504	4248	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe	112
PID 4248 wrote to memory of 2504	4248	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe	112
PID 4248 wrote to memory of 2504	4248	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe	112
PID 4248 wrote to memory of 2964	4248	{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_f34cdcec1cb458fd82bbaf51934182b2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe
  C:\Windows\{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B98A2~1.EXE > nul
    3⤵
    PID:4580
- - C:\Windows\{39BC115B-4617-4e7b-8748-C8078A862300}.exe
    C:\Windows\{39BC115B-4617-4e7b-8748-C8078A862300}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39BC1~1.EXE > nul
      4⤵
      PID:3408
  - - C:\Windows\{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe
      C:\Windows\{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75FE4~1.EXE > nul
        5⤵
        
        PID:4252
    - - C:\Windows\{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe
        
        C:\Windows\{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA4C~1.EXE > nul
        6⤵
        
        PID:1336
      - C:\Windows\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe
        
        C:\Windows\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC41~1.EXE > nul
        7⤵
        
        PID:1196
        
        C:\Windows\{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe
        
        C:\Windows\{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64A70~1.EXE > nul
        8⤵
        
        PID:4700
        
        C:\Windows\{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe
        
        C:\Windows\{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDE4A~1.EXE > nul
        9⤵
        
        PID:1308
        
        C:\Windows\{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe
        
        C:\Windows\{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe
        
        C:\Windows\{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe
        
        C:\Windows\{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\{B52538C7-B685-493c-A08B-2CD812435AAA}.exe
        
        C:\Windows\{B52538C7-B685-493c-A08B-2CD812435AAA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}.exe
        
        C:\Windows\{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5253~1.EXE > nul
        13⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB2CC~1.EXE > nul
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F65B8~1.EXE > nul
        11⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDF57~1.EXE > nul
        10⤵
        
        PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{39BC115B-4617-4e7b-8748-C8078A862300}.exe

Filesize
204KB

MD5
d679debae0fcf8f9f842b16beb5bec03

SHA1
54628708baf82df06d8fd417c013f3b5f99b9d66

SHA256
31853ed5cc52ba5883c411c1853c92ca6c9ed74c8a4aa61b05905da9b6acbed0

SHA512
c7d6e52ad73ea39dad485429ff53763630569ba597ff07886fee481e05266fe2cf1f0f2bc905c77e21995686973d9fdd7287ba033d61a899bcfae8ff57942e46

Download Submit
C:\Windows\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe

Filesize
30KB

MD5
42cf8a14ff3d2b0ef696d999f9002f44

SHA1
b7658dd0e8966396597c7f5cb8a8b6a9bba6c54a

SHA256
f8441c93dd6a78c08e720b67e8a6a6b0eb3e27fde011db479a4333acb32177a9

SHA512
0d1def4b9aa5c6be4e233eecbe562cad96b5f0d2aaa90c0faa124ffb4cc203b326c6d9626bf4bff64e518f17958a162480ff7f66079e92715c29b103864f6976

Download Submit
C:\Windows\{5CC41930-C538-4532-9DF7-57E4AC1EDD0F}.exe

Filesize
106KB

MD5
f104f2e2939ec8ea5581ad4aba59d5bf

SHA1
d4c831fdf00f3ad0aa7f9ac8ad92dd385f509b2b

SHA256
a3dbd667907752c985543357d9167f2fc5df1cfa96d2a42e72b8e8cf8f58ba69

SHA512
677d50351b32f8c0d3d0d08422156b1548b38d6505ad04e0cc4ef4454edaecc938d2cdc03a7ef4d1adf6c517b57eb55c47a75582baaf07fb35452db1ebd26dfb

Download Submit
C:\Windows\{64A70688-3F97-42b4-A1E0-1F48D8405524}.exe

Filesize
204KB

MD5
1d6f472d93000592e8bdaac3a4d3721e

SHA1
4cd84d2eadd72ca17a3b21e5c01dd82457682d4f

SHA256
8d41bfc19d45937bf915410514cacc769dca0732650cbe99da922bbe102cebc9

SHA512
5dda40cf394d1fbbc820e41b3bce99c91cd0a6ea70ecc82d05be9c8f6975cfb1b64e19c77134383bb5246bb1133470e62411640247dc3a88fac4961ed294cec4

Download Submit
C:\Windows\{75FE4519-6D7D-48a0-8B02-68973FFC3CA9}.exe

Filesize
204KB

MD5
bfd6bcd3919ee35ed7dcfb303a33f9a9

SHA1
4118ccf5cdda733130b4be3c8f1353ff728480d8

SHA256
8576ae2e7a142d2dedf57d2226cf14b5f06c3e9c49420433904578a7fce54e04

SHA512
dd9aee5ad25677be077209f02474a7c632551907d2a5f103c910c86be71f9b605e281dd3f653fae47ea12349e09e137223a0272ab8a096480323419a89567a16

Download Submit
C:\Windows\{B52538C7-B685-493c-A08B-2CD812435AAA}.exe

Filesize
204KB

MD5
61ea5b0939d4be1960587fadbe273ab8

SHA1
8ada0ed96aed9c2729dc5909a7de3c740bd8f31d

SHA256
61aac06b0701cc0cb0c99d7112f07f5b0a389376e9054cbf917cc01ac72ad633

SHA512
3d59e7faf3587183e082f19df5f61e1278d2cd905cd86272966c861ae3f146d95f704cfffae15d7e788a69453a9365a73b340daff17231b9d2a5e54c8629a5ce

Download Submit
C:\Windows\{B98A2577-4AA9-4697-AC78-F5BA263C84B7}.exe

Filesize
204KB

MD5
b289fdf99f6456005908d73ff7c4599d

SHA1
9fa29cfe76c37b5764bd17b234b047bf524db948

SHA256
72603d07a691a2f21b546a5345a9e2c6ff4be3377effb43dcaf8c44bb8996dce

SHA512
d7f61f23d7f1ea05efea47298e5cf21e348ca82de29d208cf2d02dec5ff99e5a26245d53c83578c616f4b3b0beadef16c54a4b0fa371c5e874968be00c314fff

Download Submit
C:\Windows\{BEC58E7F-9D52-4e13-B8D1-B5347B62E61C}.exe

Filesize
204KB

MD5
7c3768c5eedaba2921a1a3546f1c4ee0

SHA1
f3b1e220e7e001f0deb2b49d30ddb634495d2bd1

SHA256
671886526dc8a3281bbfa280d64549d50a1ed079ee46d5a74c0573de0acdc901

SHA512
80415c0211d11620272852cc72c595c49eba28dfdbce704ce392082346ab91d2bf3e72d81db19cf637f562c8923acc5bb8a7405f86491c98cd86467aef1ba6b8

Download Submit
C:\Windows\{CB2CCE77-D5FB-4a40-9CB7-B038B8D133AA}.exe

Filesize
204KB

MD5
6fb3ee94de5cdd0d7654805aed7acd7c

SHA1
0729c54f8e326d59e66f6946ba4ccbaf487693c1

SHA256
79a35f1646a13858c22f0784807eed4345f74cd3b74519d8bae7adf663352ede

SHA512
54a5281462978201b24adfab71fee4b0d27cc2210ac8801937468cd9f1a96d36275138627e882ae2c759fb8c4a022a8fbcf6162e3524b4bd4b3ba21e745aa415

Download Submit
C:\Windows\{DDF57BEC-A214-4040-99E6-AD7B71C94882}.exe

Filesize
204KB

MD5
d27d2edfa5955546a68919875f4147b2

SHA1
a558a8c055a4cdfd1b3e46be9d0c1def5111e16f

SHA256
89d276ed0b66f98698ece1550949fae299267fe06eab0036a2351d9a65f71bea

SHA512
14859ff444dda896dce2dd6b10b4b6f1f9bb8ac0bf776b93a0174762a6b4d14bd825e0a4a6173427dc78f617cfc95680b114b94d2e311a533dc99f5a5cde1a0d

Download Submit
C:\Windows\{EDA4CE64-312B-46a8-AE05-60A4E561AA57}.exe

Filesize
204KB

MD5
f0798ef01728655dd5286323d1bc1821

SHA1
44f4dbc6905a17562b92f1f4b62c8f97d67e3bd3

SHA256
24a9012e32f7144dae79cc7d017baf606a0c41b55367ac868d1952bbd43844ee

SHA512
ce8dbf55adca6d7e2813c480fd353fa4fc9ff8a58d4c9fb15caf70ba3ebd89eb15889013a0ced4059678710c162c50ce9e24da8a2ea8ae91f03099e165d59666

Download Submit
C:\Windows\{F65B8F2B-3DAC-4684-9D9C-0F89E75C4D2E}.exe

Filesize
204KB

MD5
9354ca31e3f0e8a6ac6d1daee441fa0f

SHA1
6ac81804f75b6631e5e10dee40d0215bcc63ccab

SHA256
0562de201df15fe469421f222edae255e10b343e85e551b475eb1ea0a0766076

SHA512
7e1804f03fc1b74fa0e9f607c1a0b32a0b70f24e9cd51453443c936c325e5610424df5d39c154a65363dd5f57f60885409990681b6c96eca43cb755256ba1d28

Download Submit
C:\Windows\{FDE4AAE5-D3A2-43c2-9C81-81B967495179}.exe

Filesize
204KB

MD5
331366e66fdb18d1669b41b5aee05fe8

SHA1
3b68caad758f6d76a7241d70592ce16deb27f703

SHA256
9edcf7b5f3d72b4b1b35cc0cf21073872964f99bd61f4c776c868b9ad1b04126

SHA512
1c537ec9fa4960e68414db9d039392a95bb045c8f0c44754f921349d418ccdf3ae1acc1e2b118ffafef7f716cdc74292b94cd41ef263da1d91ce7f189994fc5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads