57c88f998b6dda71dddcfbe1630f11b24c461584766632c0ccd24d112344a8e2

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 08:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe
Size

180KB
MD5

d6a7a480ca0d5d928535bb095fa17f21
SHA1

6a8733faee5ec08fd170e86d0c526c43b9f63435
SHA256

57c88f998b6dda71dddcfbe1630f11b24c461584766632c0ccd24d112344a8e2
SHA512

e89ad79edea16919b79e227d5053e0628b3ab17bd33cb76fe15972bc879477827d1168132268f2fb486c07fb3610a00ac2cd7dd05624350f4dedb70742de6d8c
SSDEEP

3072:jEGh0orlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321d-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023211-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023225-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016927-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023225-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016927-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023225-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016927-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023225-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016927-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023222-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016927-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D6875A9-3E82-4900-AAC7-3924425FE1C4}\stubpath = "C:\\Windows\\{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe"	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63C40470-FFD0-4e14-9365-FB1948F7E207}\stubpath = "C:\\Windows\\{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe"	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C8D5E7-333D-496f-8502-C499ECD508FD}\stubpath = "C:\\Windows\\{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe"	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF470EB2-7534-467f-8D62-1D8BF182AAE7}\stubpath = "C:\\Windows\\{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe"	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08F60AFA-931B-493a-901A-B3DFAA8BDD05}	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}\stubpath = "C:\\Windows\\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe"	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{436075B0-68D6-4de2-9DBA-B3A35F77D20B}	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61068421-035F-44e6-975E-2866F664952E}	{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{436075B0-68D6-4de2-9DBA-B3A35F77D20B}\stubpath = "C:\\Windows\\{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe"	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}\stubpath = "C:\\Windows\\{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe"	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61068421-035F-44e6-975E-2866F664952E}\stubpath = "C:\\Windows\\{61068421-035F-44e6-975E-2866F664952E}.exe"	{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C8D5E7-333D-496f-8502-C499ECD508FD}	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}\stubpath = "C:\\Windows\\{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe"	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D6875A9-3E82-4900-AAC7-3924425FE1C4}	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}\stubpath = "C:\\Windows\\{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe"	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63C40470-FFD0-4e14-9365-FB1948F7E207}	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}\stubpath = "C:\\Windows\\{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe"	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF470EB2-7534-467f-8D62-1D8BF182AAE7}	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08F60AFA-931B-493a-901A-B3DFAA8BDD05}\stubpath = "C:\\Windows\\{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe"	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe
4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe
5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe
2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe
5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe
5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe
1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe
3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe
3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe
4624	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe
1760	{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe
384	{61068421-035F-44e6-975E-2866F664952E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe
File created	C:\Windows\{61068421-035F-44e6-975E-2866F664952E}.exe	{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe
File created	C:\Windows\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe
File created	C:\Windows\{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe
File created	C:\Windows\{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe
File created	C:\Windows\{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe
File created	C:\Windows\{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe
File created	C:\Windows\{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe
File created	C:\Windows\{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe
File created	C:\Windows\{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe
File created	C:\Windows\{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe
File created	C:\Windows\{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4604	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe
Token: SeIncBasePriorityPrivilege	4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe
Token: SeIncBasePriorityPrivilege	5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe
Token: SeIncBasePriorityPrivilege	2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe
Token: SeIncBasePriorityPrivilege	5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe
Token: SeIncBasePriorityPrivilege	5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe
Token: SeIncBasePriorityPrivilege	1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe
Token: SeIncBasePriorityPrivilege	3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe
Token: SeIncBasePriorityPrivilege	3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe
Token: SeIncBasePriorityPrivilege	4624	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe
Token: SeIncBasePriorityPrivilege	1760	{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1840	4604	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe	93
PID 4604 wrote to memory of 1840	4604	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe	93
PID 4604 wrote to memory of 1840	4604	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe	93
PID 4604 wrote to memory of 1940	4604	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe	94
PID 4604 wrote to memory of 1940	4604	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe	94
PID 4604 wrote to memory of 1940	4604	2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe	94
PID 1840 wrote to memory of 4528	1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe	95
PID 1840 wrote to memory of 4528	1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe	95
PID 1840 wrote to memory of 4528	1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe	95
PID 1840 wrote to memory of 5256	1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe	96
PID 1840 wrote to memory of 5256	1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe	96
PID 1840 wrote to memory of 5256	1840	{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe	96
PID 4528 wrote to memory of 5964	4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe	100
PID 4528 wrote to memory of 5964	4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe	100
PID 4528 wrote to memory of 5964	4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe	100
PID 4528 wrote to memory of 3372	4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe	99
PID 4528 wrote to memory of 3372	4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe	99
PID 4528 wrote to memory of 3372	4528	{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe	99
PID 5964 wrote to memory of 2124	5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe	102
PID 5964 wrote to memory of 2124	5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe	102
PID 5964 wrote to memory of 2124	5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe	102
PID 5964 wrote to memory of 2784	5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe	103
PID 5964 wrote to memory of 2784	5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe	103
PID 5964 wrote to memory of 2784	5964	{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe	103
PID 2124 wrote to memory of 5460	2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe	104
PID 2124 wrote to memory of 5460	2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe	104
PID 2124 wrote to memory of 5460	2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe	104
PID 2124 wrote to memory of 5728	2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe	105
PID 2124 wrote to memory of 5728	2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe	105
PID 2124 wrote to memory of 5728	2124	{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe	105
PID 5460 wrote to memory of 5992	5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe	106
PID 5460 wrote to memory of 5992	5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe	106
PID 5460 wrote to memory of 5992	5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe	106
PID 5460 wrote to memory of 4608	5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe	107
PID 5460 wrote to memory of 4608	5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe	107
PID 5460 wrote to memory of 4608	5460	{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe	107
PID 5992 wrote to memory of 1444	5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe	108
PID 5992 wrote to memory of 1444	5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe	108
PID 5992 wrote to memory of 1444	5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe	108
PID 5992 wrote to memory of 2204	5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe	109
PID 5992 wrote to memory of 2204	5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe	109
PID 5992 wrote to memory of 2204	5992	{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe	109
PID 1444 wrote to memory of 3900	1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe	110
PID 1444 wrote to memory of 3900	1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe	110
PID 1444 wrote to memory of 3900	1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe	110
PID 1444 wrote to memory of 3892	1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe	111
PID 1444 wrote to memory of 3892	1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe	111
PID 1444 wrote to memory of 3892	1444	{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe	111
PID 3900 wrote to memory of 3752	3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe	112
PID 3900 wrote to memory of 3752	3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe	112
PID 3900 wrote to memory of 3752	3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe	112
PID 3900 wrote to memory of 4936	3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe	113
PID 3900 wrote to memory of 4936	3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe	113
PID 3900 wrote to memory of 4936	3900	{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe	113
PID 3752 wrote to memory of 4624	3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe	115
PID 3752 wrote to memory of 4624	3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe	115
PID 3752 wrote to memory of 4624	3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe	115
PID 3752 wrote to memory of 4084	3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe	114
PID 3752 wrote to memory of 4084	3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe	114
PID 3752 wrote to memory of 4084	3752	{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe	114
PID 4624 wrote to memory of 1760	4624	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe	116
PID 4624 wrote to memory of 1760	4624	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe	116
PID 4624 wrote to memory of 1760	4624	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe	116
PID 4624 wrote to memory of 5676	4624	{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_d6a7a480ca0d5d928535bb095fa17f21_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe
  C:\Windows\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe
    C:\Windows\{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63C40~1.EXE > nul
      4⤵
      PID:3372
  - - C:\Windows\{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe
      C:\Windows\{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5964
    - - C:\Windows\{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe
        
        C:\Windows\{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe
        
        C:\Windows\{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5460
        
        C:\Windows\{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe
        
        C:\Windows\{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5992
        
        C:\Windows\{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe
        
        C:\Windows\{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe
        
        C:\Windows\{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe
        
        C:\Windows\{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1CB7~1.EXE > nul
        11⤵
        
        PID:4084
        
        C:\Windows\{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe
        
        C:\Windows\{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe
        
        C:\Windows\{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{61068421-035F-44e6-975E-2866F664952E}.exe
        
        C:\Windows\{61068421-035F-44e6-975E-2866F664952E}.exe
        13⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DF5E~1.EXE > nul
        13⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D687~1.EXE > nul
        12⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08F60~1.EXE > nul
        10⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43607~1.EXE > nul
        9⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF470~1.EXE > nul
        8⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA6E1~1.EXE > nul
        7⤵
        
        PID:4608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBF6B~1.EXE > nul
        6⤵
        
        PID:5728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54C8D~1.EXE > nul
        5⤵
        
        PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6960~1.EXE > nul
    3⤵
    PID:5256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08F60AFA-931B-493a-901A-B3DFAA8BDD05}.exe

Filesize
180KB

MD5
d926c78e698be76fe7e7a3f3d917f69d

SHA1
413027ac0e26d5cf70f7f4922a518bca2f775c11

SHA256
1031185e4fadd87b7cb0f917029e22298b0c6cc7b348cd770f7afc89da7809c7

SHA512
181c169e38dcbeb8f63d8b2b6a424c6c33f6e276a297716e3aed0159a50336943a0dc8e09eff47dff363132e5856e114337ddc175da3fac564af3f8cdb0ffeec

Download Submit
C:\Windows\{0D6875A9-3E82-4900-AAC7-3924425FE1C4}.exe

Filesize
180KB

MD5
a4babb1f97b5e763d858a5937832fff9

SHA1
35f02ac6f0922a9d31eb0b16724d88ba2d49f06f

SHA256
1074aa28e8559f2b5a41ceb1b76e61a1fc76333a3e5fc41e1d92b8b54ff102bc

SHA512
41a0f2b8a0f29160ae3f30ca4e1574bc762089ed57ca5fd4100a101f95b5985c97de3aabfe8ad2e762dda68752d4d73772789b09ae00ecc996be25f453bb5805

Download Submit
C:\Windows\{436075B0-68D6-4de2-9DBA-B3A35F77D20B}.exe

Filesize
180KB

MD5
36cca5462c97db8c6b836899a7d258ca

SHA1
9b5190affb97ff6d94ed0d1e9adfdc508f50174f

SHA256
afdb106e59fa07ce903c6109bd995b26efde62d72b9037c9e930518047734de1

SHA512
dd460048f319f154ea876d58fac51e1b6b151f4d76883445fc35a9bec109c3378419fde02563004c6ff7dbbfdef5612149a7be3051b60e0581f6dc27ad55188a

Download Submit
C:\Windows\{4DF5E964-E9E2-4ee7-B5C1-75B7AE6D9462}.exe

Filesize
180KB

MD5
123f1b8f3a368555a90d87900120adae

SHA1
77e5c5d04d528bb459be5d25f91f73cef15554d8

SHA256
08a39052325243a40310a8091ec29bd502f2e0e3379087155d659f5416c5c383

SHA512
421be7b64067a9f0eadb9745a243ced8503180448d2e1a134a38538ab7f0b13f76ecd054606aa8aaee1d7fe9b21b699b8f9e170c8021319894779d0e350f3b1c

Download Submit
C:\Windows\{54C8D5E7-333D-496f-8502-C499ECD508FD}.exe

Filesize
180KB

MD5
f3dddb3c1bec4a6ce6e24d589d12e337

SHA1
0beed4d833cba2213994afa58bf444e2cfa6a0ca

SHA256
d957e2c26786bba4c5cb83cbd5d2dd12e4864993453f5e8b265c6feff18af5b9

SHA512
a86d601a0fb1f551d09f97abd8513f52f98ab6c340baf92eb7782f54109e78556e2250ff34e83c626552cca63949542585789becef8e8194b1bd8497943c7a93

Download Submit
C:\Windows\{61068421-035F-44e6-975E-2866F664952E}.exe

Filesize
180KB

MD5
a8c64ab1c913875e4c2583eb2468c6e8

SHA1
d3be3d10f27f982200b49bb0def211adf6fe542d

SHA256
b4a96e4567bf33e5559824d1d8a433bca01ce2546ed51afd4d362ef3d3880d52

SHA512
ce4f7f0d779bef630c0809edd38bafc4da5b59872f184ae06be635c02a8e178a6c6c2fa3967b1341e3d67e80599601d78692e52402f3589a9b945caac1b9e281

Download Submit
C:\Windows\{63C40470-FFD0-4e14-9365-FB1948F7E207}.exe

Filesize
180KB

MD5
178e15c8bd00e6ffc872c7df803f4239

SHA1
016024dffd804dfccbf202e4d7bf9a1f11f00c22

SHA256
9bfcbbd04e50f4448b343f0894962bef7afa0f7bb1f97611317071ba5260649f

SHA512
f1977b5e74c9a46421b9748c080304c319ae6a3c2430c5ebca148c85c815704bc1a3c8d0a49926385f70031b656d7e80e37c223ee5340dc3812609e2217e4649

Download Submit
C:\Windows\{BA6E1F69-53F3-4234-ACBB-5FEDC204ED47}.exe

Filesize
180KB

MD5
a4ff53c6446d949f97d78d544e3e9ce4

SHA1
58c77de45a3b522344a9501e44cc14c63c05833a

SHA256
acf43cb54f512dc9801247464f0f3fdd020ab4421ea2ee57f564ee9202962f0a

SHA512
d3e844c8c96b62d59f305a0fcb6ad269f9ba9114af190389e22667b60f2cd50d0b4731f9edbdc579f5e5bf6807a0ef93c53997c66a22614aff9a4811e6e535bd

Download Submit
C:\Windows\{BF470EB2-7534-467f-8D62-1D8BF182AAE7}.exe

Filesize
180KB

MD5
d36d8bfc4a42eba19745e240a02f8b26

SHA1
c020df5de21492e504387bb124a36095c3132132

SHA256
f5b458f8bee7d0ebbd69c5dba49a9d30890db5ca35113a28bfc98c15700c428b

SHA512
0258ab5553fcbe0cb9d67f1d83b1a17a98b88ab91270868ec87ebe023f6e8d264a58d4627c693a2a11adbaaef4f94114d030c36fd269f67e1b0914208fb9934a

Download Submit
C:\Windows\{C1CB7C70-CDAD-4721-8352-70BD768C7C0A}.exe

Filesize
180KB

MD5
e48ec7c9ce0bd42027c3b0ac5cc6724c

SHA1
8da391cbd82d4ee2dfc5fe82a4ac7904fbeaaf8a

SHA256
16a6f5c53a3030a6f6e1240cb5cc38757260c1b14072db07af28fa631afe342b

SHA512
c722e9e8e40d387b02bb2b4e3bbf34ba70df6f50ee257296dc435671c8cdb9b00094e74dd3cfc805a2faa46250642981cf446c80fc25e45af8b57babf0a4434a

Download Submit
C:\Windows\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe

Filesize
180KB

MD5
ded92dfc9d84a8cf998f5618d2f54e71

SHA1
06dec3c3616211ae6d6a9c1b932b864364ca43ce

SHA256
a5c1362db4386f9eb7538aa7ba61facf4761c5c6027763a22097df3921e5a863

SHA512
6c97536fc926f506c93c8b58654bbbf0e192aeb891c8daf126e96883a028c76f601a9caac027ca9d31bbe3048f5bc91a3eec886c78dea616369a1588188406bd

Download Submit
C:\Windows\{D69608F5-0E05-41ab-8CBF-D910E8DAAEE5}.exe

Filesize
86KB

MD5
d0cef172bdc284d57e2f4009372ba85d

SHA1
f39cae3564fec8da28a1731a7db89dba97e84d0c

SHA256
0cdc842a9b8f3a3386daba30d4d3e7517ecbdf7c46e312837c5a0220ec75f453

SHA512
09e365bf35a72a36ab7f8d16f46a24ae2acac9792e2f4e61ac9fbfd27ec86de5282ea469eca87ce7039fee1fa000fa6c066bff91344f18ff3c92dc774231dae6

Download Submit
C:\Windows\{EBF6B7A6-5EA6-437d-A536-A38FB6D5D871}.exe

Filesize
180KB

MD5
bf7c71428a72a1ae5e54e329eedc6ccc

SHA1
af8e5cc4e145495afdf41663a488c5423206ac22

SHA256
5cf359bc19e6154a2284696e1740dcb88037639e2a1bc5ef0cdceff06bd6f9d7

SHA512
755bc08bfdf1e4dd7ecc20b76c0d28134df8cf431d42efd678317a404e956475df15d69b27799130bcd6814f4bce7fad8dc8fad319a2977d25d421184b774162

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads