3585114fe3fd2ae7cbb5a8e3219b189e1f7780c55eaa3f6e44e0133bd98281a8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe
Size

180KB
MD5

0a93c3d3d46da76bb27d154cbdd1c0e3
SHA1

404f907a4e86c6c7ad9cc525b391a9e47249bc4d
SHA256

3585114fe3fd2ae7cbb5a8e3219b189e1f7780c55eaa3f6e44e0133bd98281a8
SHA512

0c18c297715c9ed3f872ee0547002fb4562e4388e0062ae345839e51ef7343a773837d37a8f1c68f7181bf568e4a20e7383f6c8e46f7c7a0e42d07464b1c9257
SSDEEP

3072:jEGh0o2hlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGel5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002313f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023140-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002314b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023140-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002314b-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023140-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002314b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002313a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002314b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002313a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023145-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002313a-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}	{75901678-B608-4db1-984A-0AC505836EAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}\stubpath = "C:\\Windows\\{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe"	{75901678-B608-4db1-984A-0AC505836EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9978BCCA-49CA-44b2-922E-C69409992AF8}	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11AAA68-2EDF-416d-A45F-385D212FDCD6}	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362C72A7-A0E5-49bc-B7CD-186FDD87553F}	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9978BCCA-49CA-44b2-922E-C69409992AF8}\stubpath = "C:\\Windows\\{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe"	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02B3ACAA-A52D-435e-A19D-6A245FB8529A}\stubpath = "C:\\Windows\\{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe"	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BDAD0C2-D716-4efe-A237-584B8A181EE8}	{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75901678-B608-4db1-984A-0AC505836EAC}	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11AAA68-2EDF-416d-A45F-385D212FDCD6}\stubpath = "C:\\Windows\\{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe"	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}\stubpath = "C:\\Windows\\{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe"	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B76B4D28-1536-4ba2-93C4-7F8578A503A2}	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}\stubpath = "C:\\Windows\\{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe"	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C77270FD-3993-4e96-BA06-D332FDBF829D}	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}\stubpath = "C:\\Windows\\{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe"	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BDAD0C2-D716-4efe-A237-584B8A181EE8}\stubpath = "C:\\Windows\\{6BDAD0C2-D716-4efe-A237-584B8A181EE8}.exe"	{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75901678-B608-4db1-984A-0AC505836EAC}\stubpath = "C:\\Windows\\{75901678-B608-4db1-984A-0AC505836EAC}.exe"	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B76B4D28-1536-4ba2-93C4-7F8578A503A2}\stubpath = "C:\\Windows\\{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe"	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362C72A7-A0E5-49bc-B7CD-186FDD87553F}\stubpath = "C:\\Windows\\{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe"	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C77270FD-3993-4e96-BA06-D332FDBF829D}\stubpath = "C:\\Windows\\{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe"	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02B3ACAA-A52D-435e-A19D-6A245FB8529A}	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe

Executes dropped EXE 12 IoCs

pid	Process
1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe
2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe
3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe
3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe
4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe
4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe
964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe
2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe
1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe
5008	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe
4968	{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe
4928	{6BDAD0C2-D716-4efe-A237-584B8A181EE8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{75901678-B608-4db1-984A-0AC505836EAC}.exe	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe
File created	C:\Windows\{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe
File created	C:\Windows\{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe
File created	C:\Windows\{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe
File created	C:\Windows\{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe
File created	C:\Windows\{6BDAD0C2-D716-4efe-A237-584B8A181EE8}.exe	{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe
File created	C:\Windows\{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe	{75901678-B608-4db1-984A-0AC505836EAC}.exe
File created	C:\Windows\{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe
File created	C:\Windows\{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe
File created	C:\Windows\{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe
File created	C:\Windows\{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe
File created	C:\Windows\{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3320	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe
Token: SeIncBasePriorityPrivilege	2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe
Token: SeIncBasePriorityPrivilege	3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe
Token: SeIncBasePriorityPrivilege	3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe
Token: SeIncBasePriorityPrivilege	4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe
Token: SeIncBasePriorityPrivilege	4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe
Token: SeIncBasePriorityPrivilege	964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe
Token: SeIncBasePriorityPrivilege	2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe
Token: SeIncBasePriorityPrivilege	1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe
Token: SeIncBasePriorityPrivilege	5008	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe
Token: SeIncBasePriorityPrivilege	4968	{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1592	3320	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe	92
PID 3320 wrote to memory of 1592	3320	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe	92
PID 3320 wrote to memory of 1592	3320	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe	92
PID 3320 wrote to memory of 1080	3320	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe	93
PID 3320 wrote to memory of 1080	3320	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe	93
PID 3320 wrote to memory of 1080	3320	2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe	93
PID 1592 wrote to memory of 2440	1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe	94
PID 1592 wrote to memory of 2440	1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe	94
PID 1592 wrote to memory of 2440	1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe	94
PID 1592 wrote to memory of 3232	1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe	95
PID 1592 wrote to memory of 3232	1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe	95
PID 1592 wrote to memory of 3232	1592	{75901678-B608-4db1-984A-0AC505836EAC}.exe	95
PID 2440 wrote to memory of 3040	2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe	101
PID 2440 wrote to memory of 3040	2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe	101
PID 2440 wrote to memory of 3040	2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe	101
PID 2440 wrote to memory of 3448	2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe	100
PID 2440 wrote to memory of 3448	2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe	100
PID 2440 wrote to memory of 3448	2440	{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe	100
PID 3040 wrote to memory of 3088	3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe	102
PID 3040 wrote to memory of 3088	3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe	102
PID 3040 wrote to memory of 3088	3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe	102
PID 3040 wrote to memory of 3188	3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe	103
PID 3040 wrote to memory of 3188	3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe	103
PID 3040 wrote to memory of 3188	3040	{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe	103
PID 3088 wrote to memory of 4140	3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe	104
PID 3088 wrote to memory of 4140	3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe	104
PID 3088 wrote to memory of 4140	3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe	104
PID 3088 wrote to memory of 548	3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe	105
PID 3088 wrote to memory of 548	3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe	105
PID 3088 wrote to memory of 548	3088	{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe	105
PID 4140 wrote to memory of 4980	4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe	106
PID 4140 wrote to memory of 4980	4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe	106
PID 4140 wrote to memory of 4980	4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe	106
PID 4140 wrote to memory of 4780	4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe	107
PID 4140 wrote to memory of 4780	4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe	107
PID 4140 wrote to memory of 4780	4140	{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe	107
PID 4980 wrote to memory of 964	4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe	108
PID 4980 wrote to memory of 964	4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe	108
PID 4980 wrote to memory of 964	4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe	108
PID 4980 wrote to memory of 3476	4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe	109
PID 4980 wrote to memory of 3476	4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe	109
PID 4980 wrote to memory of 3476	4980	{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe	109
PID 964 wrote to memory of 2892	964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe	113
PID 964 wrote to memory of 2892	964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe	113
PID 964 wrote to memory of 2892	964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe	113
PID 964 wrote to memory of 3112	964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe	114
PID 964 wrote to memory of 3112	964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe	114
PID 964 wrote to memory of 3112	964	{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe	114
PID 2892 wrote to memory of 1044	2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe	115
PID 2892 wrote to memory of 1044	2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe	115
PID 2892 wrote to memory of 1044	2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe	115
PID 2892 wrote to memory of 1088	2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe	116
PID 2892 wrote to memory of 1088	2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe	116
PID 2892 wrote to memory of 1088	2892	{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe	116
PID 1044 wrote to memory of 5008	1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe	117
PID 1044 wrote to memory of 5008	1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe	117
PID 1044 wrote to memory of 5008	1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe	117
PID 1044 wrote to memory of 4032	1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe	118
PID 1044 wrote to memory of 4032	1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe	118
PID 1044 wrote to memory of 4032	1044	{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe	118
PID 5008 wrote to memory of 4968	5008	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe	119
PID 5008 wrote to memory of 4968	5008	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe	119
PID 5008 wrote to memory of 4968	5008	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe	119
PID 5008 wrote to memory of 2480	5008	{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_0a93c3d3d46da76bb27d154cbdd1c0e3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\{75901678-B608-4db1-984A-0AC505836EAC}.exe
  C:\Windows\{75901678-B608-4db1-984A-0AC505836EAC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe
    C:\Windows\{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5DAEF~1.EXE > nul
      4⤵
      PID:3448
  - - C:\Windows\{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe
      C:\Windows\{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe
        
        C:\Windows\{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe
        
        C:\Windows\{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe
        
        C:\Windows\{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe
        
        C:\Windows\{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe
        
        C:\Windows\{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe
        
        C:\Windows\{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe
        
        C:\Windows\{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe
        
        C:\Windows\{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Windows\{6BDAD0C2-D716-4efe-A237-584B8A181EE8}.exe
        
        C:\Windows\{6BDAD0C2-D716-4efe-A237-584B8A181EE8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02B3A~1.EXE > nul
        13⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9EC~1.EXE > nul
        12⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7727~1.EXE > nul
        11⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1049D~1.EXE > nul
        10⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{362C7~1.EXE > nul
        9⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B76B4~1.EXE > nul
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE5E4~1.EXE > nul
        7⤵
        
        PID:4780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C11AA~1.EXE > nul
        6⤵
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9978B~1.EXE > nul
        5⤵
        
        PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75901~1.EXE > nul
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02B3ACAA-A52D-435e-A19D-6A245FB8529A}.exe

Filesize
180KB

MD5
187f3a78e288f47fafb4378b20c6bb29

SHA1
df2160b446351e0f1881dc9e4365f0c94d629437

SHA256
ad6adeec5ae27ba93484a92e2e23951d02aa04d015327ca09958c91a6671dc41

SHA512
6e6c767ac82ed0832ff5f6bee59a67e27dcc34ffe4c18fa317890bb1454b3e5d611fd3daafa001b308aecb8443e4c373b96a25354f00b602df7d6489fe80c49d

Download Submit
C:\Windows\{1049D5CF-7D25-4112-BDE0-613BD4BAED7D}.exe

Filesize
180KB

MD5
62b9f390b30727b0264f893bbc4feb79

SHA1
fa30552d3d20250329394115d943983b7752b60f

SHA256
c812e5dd562ea965315f82dc4dfd764fa992a9277f0afbfb7f2934aa9ddfd898

SHA512
611fdf11742dc3063d87759cb2f552deea2701cf44a4748fb0edb5480b9dbfc11814744f6b493f75ca3c192ac5e06c6a6f1aef6c64544d2799e63b681198e6bb

Download Submit
C:\Windows\{362C72A7-A0E5-49bc-B7CD-186FDD87553F}.exe

Filesize
180KB

MD5
2028adca9e8a7d5b3b0462e3425fb6d6

SHA1
9094f4627def90bc1b1d3cf2e534708ceb45971c

SHA256
69aca3ea38b1dd4404fad80d83c3f88cc0ce057f1f1e427175f4966b1929c94e

SHA512
99dcd4a0543cb2d04290d9d2314f276c1d4bd5064e2485c676b2c6c7f6ee64a354fe6ae670debffb432960b7ae6469e5432cb183154fe7971f8a1dbbbbcfbe1d

Download Submit
C:\Windows\{5DAEF50A-EBC2-4ba6-A63F-816A6C94D35E}.exe

Filesize
180KB

MD5
d616b310361a6c75f5db805ca2fc4419

SHA1
beb52193f32a2b572c4c256118f543e02fe8f6a2

SHA256
ddb2fdb5685327db7e125100f2db97656613d3314b8c71d7bf33711dab7f9ce7

SHA512
19dce2e9263fee3946a436ff640b6c88fdfd2195aa0fe7b22a1f805891eca32b5258eb40495ef6993c46fc4c258ca10fa805e07c22f734fa69ac0486e6fef8d9

Download Submit
C:\Windows\{6BDAD0C2-D716-4efe-A237-584B8A181EE8}.exe

Filesize
180KB

MD5
3f944a4d8bac66173b04b83c1004468e

SHA1
1a5073d739d45e3ff87cba5c4d296c82eec77770

SHA256
adb7d7ebda19ad2936c568d5984a68bac0d9e48025ea9c14bcfc978b6bf58087

SHA512
36036495298b5f1ebe90e7b3560c50865e7a69f358119692c4c377e3e609b432d5d525bdd7e73fe800e67f9dcd5372f5ac6ebbe5f9dba0025dbb47a5fe67e58a

Download Submit
C:\Windows\{75901678-B608-4db1-984A-0AC505836EAC}.exe

Filesize
180KB

MD5
716ed5a4c5e11eff017bc2b81099a7d5

SHA1
018484ad70ecd42e2a0173a5df0e840239d373c5

SHA256
2521c895606a7bf7cbcde001c0c37130a3203c3d423959d8868ed4033e31b3d2

SHA512
0a34adce7b72d72a27df9da44f57388b43ef3318b2ed339864599e7aa8e3b144db10747b4c33a9dbc403542bf3b74c68d52914cd28bfc9c433157e3ccb4654d3

Download Submit
C:\Windows\{7D9EC744-66EA-4bf0-B55B-33F5A22193BB}.exe

Filesize
180KB

MD5
21675150873fa55f441522dc05a6c2f0

SHA1
08b25ba43fc027833ff67bd4873a5a80a5d4bb9c

SHA256
e49e7f5761f37587d2c8f1155f3548ed5a1ea230e3c05dbd2bce0e013621e240

SHA512
1985acd7022fd4fbe32ac7574bec91418180371998f3d52f937cd1a4c376fe9f1bc51122b2a95f433da1eba980503e76cd2cb9ab5ea6df5a1f704b8c3b83f942

Download Submit
C:\Windows\{9978BCCA-49CA-44b2-922E-C69409992AF8}.exe

Filesize
180KB

MD5
8f40f52a5af0ad04bafd4cf0ac9ca301

SHA1
d0cceeb0d5b2800f48b5957ead38f5ac9340f128

SHA256
699f90e25497635565cb7b07460820cc0961573c58870c89eb35a9a70d96d870

SHA512
497d21719664ae28ebbabb3841db66a2e3de86e63884e3112197b4f681e9e8b30d4c998c3c0739ccce1cffe5f99e12e6347c66d4a781aa6b6364c0a0b0d9047c

Download Submit
C:\Windows\{B76B4D28-1536-4ba2-93C4-7F8578A503A2}.exe

Filesize
180KB

MD5
017a4f7f27b8b3fd165ca79fe491bb67

SHA1
1eb4972f32afaa71b182a9acae87feaa0a6dacdc

SHA256
2ef3705e0aa6cc1700bfeaae70f15e6f6ab5ef827039600f97e96d44137b97ff

SHA512
11f7373afbce0a0eb2844075f4398406926e783ffb06f53141a5be78cd0ab4c01508bf87e599347b26ef02c88b9bff8c18337dedafa11c6e57abc34d443c6ce6

Download Submit
C:\Windows\{C11AAA68-2EDF-416d-A45F-385D212FDCD6}.exe

Filesize
180KB

MD5
3208289e44cc3e364f26c291dde60f41

SHA1
ccedca6400c13e6c60d24c4c6a0547cd6680be2e

SHA256
4352539dde67e6d0e6a6c9c7bc4e8fbe4827cbc661e4472c2a72e826228966ff

SHA512
6dd27c208d19a2363bdcf37e2d76402e54ef09a9eb22aa99c5a96911d1cfe738ff7d65580ee84f4a98a46230442f10727d3192833b0da6f10610a302bded15e1

Download Submit
C:\Windows\{C77270FD-3993-4e96-BA06-D332FDBF829D}.exe

Filesize
180KB

MD5
9703f425f123ce9e1a3900a1ebc2083e

SHA1
7e90fa58959b64ba29a6fe7f0e37c7772213c387

SHA256
80bdcc06c6aa58862f51a81dd8e362ab010d87308fe86c66c8c41ef386442bfc

SHA512
2fc08e87c951cb2ff789faf07e8ab95440199c77df01e589ddbdf672a6a7e38000449999d0c40e87e5250336c1b4475ed29fd38eb85fcc4df31167377bd7446d

Download Submit
C:\Windows\{DE5E4335-4F7F-4b8e-945B-A9FE2EE8A7FD}.exe

Filesize
180KB

MD5
61ee77dc681404408909b711fc2ce103

SHA1
b7b3dbcf50630c464d3a37dc7969f3a1019aad29

SHA256
efeb787ff275bbb1793740c3b2980400033bb9ac571fa48a33b9834ccdec59c3

SHA512
a4b41c13ba9a2d1ee50ca5b9566d4ff5670656426647d7d4cadf6bb40a893e4865bf72392500b094fb6631b3c3e321de9cb9ddab4943407c5d961fcfcb18ae5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads