4dc0d71e11abc38cfb3e936ec73ef7d10662721b62f45c2a70828520c2ee4e19

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Size

344KB
MD5

270a14242378a05514b21f10895e0227
SHA1

813e985f7d64539a882b593fa39ab079ed1b49d7
SHA256

4dc0d71e11abc38cfb3e936ec73ef7d10662721b62f45c2a70828520c2ee4e19
SHA512

6f8b898b9e7cea9ae8938eda420e3155bf2b9c80de250ae30ae1b84359345dae55278dc96e5ace71dfe2650340ed5dcbdfb34f135dfd322b73300606542f843c
SSDEEP

3072:mEGh0oZlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGTlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023139-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023146-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023023-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023146-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023023-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023146-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023023-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023146-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023023-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023146-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023023-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF4E216A-1637-48f3-874B-A78F217CBF27}\stubpath = "C:\\Windows\\{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe"	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7BF511-7017-47f7-9B54-74474979874A}	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B419F6-CF5F-4023-999D-D1C45ED0726C}	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B419F6-CF5F-4023-999D-D1C45ED0726C}\stubpath = "C:\\Windows\\{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe"	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D787774A-E857-4e7e-AD36-4CE81E631969}\stubpath = "C:\\Windows\\{D787774A-E857-4e7e-AD36-4CE81E631969}.exe"	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}\stubpath = "C:\\Windows\\{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe"	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF4E216A-1637-48f3-874B-A78F217CBF27}	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}\stubpath = "C:\\Windows\\{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe"	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E87E3161-1D33-42ff-B10B-AA6BB44273B1}	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E87E3161-1D33-42ff-B10B-AA6BB44273B1}\stubpath = "C:\\Windows\\{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe"	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}	{BF7BF511-7017-47f7-9B54-74474979874A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}\stubpath = "C:\\Windows\\{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}.exe"	{BF7BF511-7017-47f7-9B54-74474979874A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}\stubpath = "C:\\Windows\\{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe"	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{046A68A7-E849-409b-B791-F30AC1F2E3AB}	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7BF511-7017-47f7-9B54-74474979874A}\stubpath = "C:\\Windows\\{BF7BF511-7017-47f7-9B54-74474979874A}.exe"	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D787774A-E857-4e7e-AD36-4CE81E631969}	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{046A68A7-E849-409b-B791-F30AC1F2E3AB}\stubpath = "C:\\Windows\\{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe"	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}\stubpath = "C:\\Windows\\{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe"	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}\stubpath = "C:\\Windows\\{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe"	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe
1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe
4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe
3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe
4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe
2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe
2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe
380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe
4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe
2876	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe
3016	{BF7BF511-7017-47f7-9B54-74474979874A}.exe
3184	{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D787774A-E857-4e7e-AD36-4CE81E631969}.exe	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe
File created	C:\Windows\{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe
File created	C:\Windows\{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe
File created	C:\Windows\{BF7BF511-7017-47f7-9B54-74474979874A}.exe	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe
File created	C:\Windows\{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}.exe	{BF7BF511-7017-47f7-9B54-74474979874A}.exe
File created	C:\Windows\{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe
File created	C:\Windows\{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe
File created	C:\Windows\{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe
File created	C:\Windows\{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe
File created	C:\Windows\{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe
File created	C:\Windows\{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe
File created	C:\Windows\{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1468	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe
Token: SeIncBasePriorityPrivilege	1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe
Token: SeIncBasePriorityPrivilege	4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe
Token: SeIncBasePriorityPrivilege	3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe
Token: SeIncBasePriorityPrivilege	4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe
Token: SeIncBasePriorityPrivilege	2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe
Token: SeIncBasePriorityPrivilege	2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe
Token: SeIncBasePriorityPrivilege	380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe
Token: SeIncBasePriorityPrivilege	4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe
Token: SeIncBasePriorityPrivilege	2876	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe
Token: SeIncBasePriorityPrivilege	3016	{BF7BF511-7017-47f7-9B54-74474979874A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2012	1468	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	86
PID 1468 wrote to memory of 2012	1468	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	86
PID 1468 wrote to memory of 2012	1468	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	86
PID 1468 wrote to memory of 2384	1468	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	87
PID 1468 wrote to memory of 2384	1468	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	87
PID 1468 wrote to memory of 2384	1468	2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe	87
PID 2012 wrote to memory of 1540	2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe	89
PID 2012 wrote to memory of 1540	2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe	89
PID 2012 wrote to memory of 1540	2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe	89
PID 2012 wrote to memory of 5032	2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe	88
PID 2012 wrote to memory of 5032	2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe	88
PID 2012 wrote to memory of 5032	2012	{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe	88
PID 1540 wrote to memory of 4192	1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe	93
PID 1540 wrote to memory of 4192	1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe	93
PID 1540 wrote to memory of 4192	1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe	93
PID 1540 wrote to memory of 1548	1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe	92
PID 1540 wrote to memory of 1548	1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe	92
PID 1540 wrote to memory of 1548	1540	{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe	92
PID 4192 wrote to memory of 3124	4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe	96
PID 4192 wrote to memory of 3124	4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe	96
PID 4192 wrote to memory of 3124	4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe	96
PID 4192 wrote to memory of 1920	4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe	97
PID 4192 wrote to memory of 1920	4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe	97
PID 4192 wrote to memory of 1920	4192	{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe	97
PID 3124 wrote to memory of 4540	3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe	98
PID 3124 wrote to memory of 4540	3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe	98
PID 3124 wrote to memory of 4540	3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe	98
PID 3124 wrote to memory of 2256	3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe	99
PID 3124 wrote to memory of 2256	3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe	99
PID 3124 wrote to memory of 2256	3124	{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe	99
PID 4540 wrote to memory of 2540	4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe	100
PID 4540 wrote to memory of 2540	4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe	100
PID 4540 wrote to memory of 2540	4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe	100
PID 4540 wrote to memory of 2924	4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe	101
PID 4540 wrote to memory of 2924	4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe	101
PID 4540 wrote to memory of 2924	4540	{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe	101
PID 2540 wrote to memory of 2160	2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe	102
PID 2540 wrote to memory of 2160	2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe	102
PID 2540 wrote to memory of 2160	2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe	102
PID 2540 wrote to memory of 1012	2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe	103
PID 2540 wrote to memory of 1012	2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe	103
PID 2540 wrote to memory of 1012	2540	{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe	103
PID 2160 wrote to memory of 380	2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe	104
PID 2160 wrote to memory of 380	2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe	104
PID 2160 wrote to memory of 380	2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe	104
PID 2160 wrote to memory of 4040	2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe	105
PID 2160 wrote to memory of 4040	2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe	105
PID 2160 wrote to memory of 4040	2160	{D787774A-E857-4e7e-AD36-4CE81E631969}.exe	105
PID 380 wrote to memory of 4468	380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe	106
PID 380 wrote to memory of 4468	380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe	106
PID 380 wrote to memory of 4468	380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe	106
PID 380 wrote to memory of 1136	380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe	107
PID 380 wrote to memory of 1136	380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe	107
PID 380 wrote to memory of 1136	380	{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe	107
PID 4468 wrote to memory of 2876	4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe	108
PID 4468 wrote to memory of 2876	4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe	108
PID 4468 wrote to memory of 2876	4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe	108
PID 4468 wrote to memory of 1360	4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe	109
PID 4468 wrote to memory of 1360	4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe	109
PID 4468 wrote to memory of 1360	4468	{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe	109
PID 2876 wrote to memory of 3016	2876	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe	110
PID 2876 wrote to memory of 3016	2876	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe	110
PID 2876 wrote to memory of 3016	2876	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe	110
PID 2876 wrote to memory of 1616	2876	{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_270a14242378a05514b21f10895e0227_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe
  C:\Windows\{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{22686~1.EXE > nul
    3⤵
    PID:5032
- - C:\Windows\{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe
    C:\Windows\{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B41~1.EXE > nul
      4⤵
      PID:1548
  - - C:\Windows\{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe
      C:\Windows\{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe
        
        C:\Windows\{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe
        
        C:\Windows\{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe
        
        C:\Windows\{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{D787774A-E857-4e7e-AD36-4CE81E631969}.exe
        
        C:\Windows\{D787774A-E857-4e7e-AD36-4CE81E631969}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe
        
        C:\Windows\{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe
        
        C:\Windows\{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe
        
        C:\Windows\{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{BF7BF511-7017-47f7-9B54-74474979874A}.exe
        
        C:\Windows\{BF7BF511-7017-47f7-9B54-74474979874A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}.exe
        
        C:\Windows\{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}.exe
        13⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF7BF~1.EXE > nul
        13⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{046A6~1.EXE > nul
        12⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF4E2~1.EXE > nul
        11⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFE9A~1.EXE > nul
        10⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7877~1.EXE > nul
        9⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98D1E~1.EXE > nul
        8⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AC9F~1.EXE > nul
        7⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A1DB~1.EXE > nul
        6⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E87E3~1.EXE > nul
        5⤵
        
        PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{046A68A7-E849-409b-B791-F30AC1F2E3AB}.exe

Filesize
344KB

MD5
21d88fe5a3525858d0fdcb77e3b33ca6

SHA1
1049c5ab7406231b162fa47855b101daff107228

SHA256
79051138e1bd0c90b68f3c3e84440c851a1616e0b0c3239eb567d8776cebf94b

SHA512
1c59f73bf4b71a841daa34535492c2f7dff00d6372f191ab014fd275bbe8f3ae5278fecaf50d880a0cfd9f16998feffb69ae1293702ca51183513d8987cc3774

Download Submit
C:\Windows\{22686A41-A5EC-4d78-9F5C-D6901DA31DE3}.exe

Filesize
344KB

MD5
c3a2ae800c497e5b3b86ee30cddfadeb

SHA1
ec7bb558fa6c82c8d5cb398145f1f8d79b1a956c

SHA256
fb3340446d2f452ad6dac64590399a14a61597878b972d3f270f294aab018379

SHA512
9167a5ebb18cc670ca3df9b659a74a7d5c5c3f3f69fb1335c9e87603aaeb20a0cd407d5d5483c934ca2434329acd1febe7b99ac9962821681038fd15a7b7f44e

Download Submit
C:\Windows\{4A1DB46B-B4B3-4838-B71E-8A25B7788EC5}.exe

Filesize
344KB

MD5
7c7e53695dd0e97552b8e53d91f83cca

SHA1
708c0c61b5faee7470133207889707e2847ab3ee

SHA256
71699fd50edf5205c750157ad5b833d8d15164530338b2b3aa15088bb2fa8fe4

SHA512
31e927881edb4abab97e03c930684475fb14c342d3847cbece255de5a8728755400d6a64b14d06507b8750bc3b013de52c48e659a5f0d222871180aa95f5568e

Download Submit
C:\Windows\{586BA97A-82B9-4274-9DD5-F543AFBD0AEC}.exe

Filesize
344KB

MD5
0c528a72efec1193ed18d7cdda4a6637

SHA1
f09642f13d27d0c6cc04d4b84eced4debd82f073

SHA256
433633e5c42e9b0bdbff40de196c4d00aded16d958af088cede12ac73dadc4f5

SHA512
a886af09407b8f5009769a9a3c9d7c3f843c722957a480822c2d1128474254623495336ae788939e5e2afa3c4d21c6d2883520354e13400fc0c003522d715016

Download Submit
C:\Windows\{6AC9F5F7-6B8D-4c97-9CB3-BCBD19C0F5B0}.exe

Filesize
344KB

MD5
cb255dbd8b054f23fcd684a1271563ba

SHA1
0faf3da3c3498735b9cd9992e197ed2123ca2efe

SHA256
7eb02cb02aa9900970a1390244d8fcc686116093e8a55d31d5290bb09917dbeb

SHA512
6669859f73e1b31c4483d831bcafaf6786de731549d5e7a528b5a2d64078f9d5a5f5ef19ec1652e54f6eba08df32a4a33dc68046ec8d26f7c9bcce99a99870e7

Download Submit
C:\Windows\{98D1E3D4-132B-4ee2-B6FA-C545D2FA99DA}.exe

Filesize
344KB

MD5
28715959b3b6e5a0cd9529b049023714

SHA1
632b525446dbda2789ede00a1eb22c4b9a58cee2

SHA256
fcb7fc71d6b5f50c60f5df739baf75944074aa2d4735c8b1f6977a67e93e3002

SHA512
763479844672b9cc2ad9ff893cc1098c40d7a165bf5ed07632d7d152ee0b32650eb29c0a7c06632efdda60c7ba340c4f09b37fe6601ed20e2304c5b83b7525b8

Download Submit
C:\Windows\{A9B419F6-CF5F-4023-999D-D1C45ED0726C}.exe

Filesize
344KB

MD5
f63f7c64aad748853ff294b10e480c45

SHA1
b2c9f42f028b30e2fed7cd55753709497af1ae48

SHA256
76f3f1a8a6b9b9e47a91d49a888abf8ae38c48744bbf9034895834915bc469a2

SHA512
a5d7c62a6ba256be0908e2f7b27508dd1f89cee151f24064c6312c1a27393fbd2d8b4ee20f015484d12580fbd885835799ca156185cc9b95dfe3d8e141297f77

Download Submit
C:\Windows\{BF7BF511-7017-47f7-9B54-74474979874A}.exe

Filesize
344KB

MD5
1bd7e15242c695ff012df5920e2fb79d

SHA1
d69d86c4a559434b9010f6b5083c3fba09a82a1e

SHA256
3076005df23f3eddc5d8dded0ea74cbe43041bc1effc396f477c2c1b9560786f

SHA512
9545aa41add4e3a2a7f3cbff546bf19597b778370b73062a9fe3adfa920e5d67c1f4322e780cf1534777088914445938dfd06c98efbf5a8985e5e28a8b2c0bbe

Download Submit
C:\Windows\{CFE9AFA7-0EEE-48b0-8542-FF0809B48F71}.exe

Filesize
344KB

MD5
aaecc0ac725adae08ce0d9fbd0243c07

SHA1
7f9837e8f1b4a911544ec4e3524e06a1259c8971

SHA256
342a6f3628489c61e9143baccdd7217ecf3710402977b3ac5cb0dee3b2afdcb5

SHA512
f76c35093ac80d2b413a4cef7276ec7b63bbccb0d63a9c4132e4e3d6f3ba2b1667994b8d69f459916b21612fab25cff17583a9993500b0109092e1b1586a6b15

Download Submit
C:\Windows\{D787774A-E857-4e7e-AD36-4CE81E631969}.exe

Filesize
344KB

MD5
6adcb1ae735fcbcde94cb6b4833a6956

SHA1
a660e111c42fcb12347bb5ae95174eff75d9ff25

SHA256
cec39134bee0bfa05f16f137f4e80566f25d449290bd7c5841e10f566261bb49

SHA512
ed2ef6e6e1142e981fb3ee5e00d4b26dc3ae12710e87390a09c79a2391643b7a2973f0f72dba54882845dbde33f4168885122004920dc8e0198a1d94a32a7f82

Download Submit
C:\Windows\{DF4E216A-1637-48f3-874B-A78F217CBF27}.exe

Filesize
344KB

MD5
5c41ea0a698dd682e74be204683f8d3c

SHA1
56c3c98b90ce2de9b1ad11019e0a56e4f5636f64

SHA256
89f6eb99654b7e6756fb87c44e0c9a8fac569d16298b7b27e3156bd1a7768ff4

SHA512
e494a0c6a78a97fcd58d751cc2f72c744c04adff368d1ff88aaf5e91679aff81c430b0180d4fdae97f670a51c4e78118c9700ecb57f1a583a6e6ac71b331eb8a

Download Submit
C:\Windows\{E87E3161-1D33-42ff-B10B-AA6BB44273B1}.exe

Filesize
344KB

MD5
b8c49e6c03976a216f4b71c20a462801

SHA1
29c85c82ea3140f1054e8db1ecd683ddbfb9840a

SHA256
a65c13763b2fd57485a38bb0c7a868e66776e565cbe8d48f65de9b3935efe8f6

SHA512
97739f78c0a47fdac21ad9dedbe15c2620a9303aacd5062253d4614366ff76e30f8fe9d9a9bfbd81b6505556a285d89305be01aaaa2ddeb037b2ac7b3b039287

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads