03228a56edd1daa0e1ad9f7b9567f03e8cb2d58487502be90c452dac0878bcf0

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe
Size

197KB
MD5

adf6bd25e6474168e863ef596f7556a2
SHA1

c4a26a29c26ec93fc9bc3f25c5b2db9cef9d5cfa
SHA256

03228a56edd1daa0e1ad9f7b9567f03e8cb2d58487502be90c452dac0878bcf0
SHA512

3fbfc2d50407b2cd1cdd9b55e160012d696b99d0fb7e50d269a458c94f4ef6361bff247287c07104a4398e2f84daec42be45e326db3f62178cd007c367c41eaa
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGAlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002322d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023224-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023235-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e768-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023235-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e768-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023237-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e768-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023237-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e768-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023232-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e768-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C495D3-8E7D-4992-9978-D29E9C648D57}	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}\stubpath = "C:\\Windows\\{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe"	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}\stubpath = "C:\\Windows\\{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe"	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C77A5A-844E-4841-AED2-D94F14385F6A}\stubpath = "C:\\Windows\\{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe"	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}\stubpath = "C:\\Windows\\{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe"	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1465381-9C68-49f5-985F-308F9870E2A3}	{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C495D3-8E7D-4992-9978-D29E9C648D57}\stubpath = "C:\\Windows\\{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe"	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}\stubpath = "C:\\Windows\\{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe"	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD19C427-6D83-45ab-B81E-13EBED62D7F3}	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD19C427-6D83-45ab-B81E-13EBED62D7F3}\stubpath = "C:\\Windows\\{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe"	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C77A5A-844E-4841-AED2-D94F14385F6A}	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}\stubpath = "C:\\Windows\\{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe"	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}\stubpath = "C:\\Windows\\{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe"	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}\stubpath = "C:\\Windows\\{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe"	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}\stubpath = "C:\\Windows\\{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe"	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1465381-9C68-49f5-985F-308F9870E2A3}\stubpath = "C:\\Windows\\{C1465381-9C68-49f5-985F-308F9870E2A3}.exe"	{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe
832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe
4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe
2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe
376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe
3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe
3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe
1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe
1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe
1948	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe
3896	{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe
4188	{C1465381-9C68-49f5-985F-308F9870E2A3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe
File created	C:\Windows\{C1465381-9C68-49f5-985F-308F9870E2A3}.exe	{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe
File created	C:\Windows\{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe
File created	C:\Windows\{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe
File created	C:\Windows\{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe
File created	C:\Windows\{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe
File created	C:\Windows\{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe
File created	C:\Windows\{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe
File created	C:\Windows\{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe
File created	C:\Windows\{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe
File created	C:\Windows\{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe
File created	C:\Windows\{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4948	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe
Token: SeIncBasePriorityPrivilege	832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe
Token: SeIncBasePriorityPrivilege	4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe
Token: SeIncBasePriorityPrivilege	2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe
Token: SeIncBasePriorityPrivilege	376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe
Token: SeIncBasePriorityPrivilege	3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe
Token: SeIncBasePriorityPrivilege	3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe
Token: SeIncBasePriorityPrivilege	1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe
Token: SeIncBasePriorityPrivilege	1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe
Token: SeIncBasePriorityPrivilege	1948	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe
Token: SeIncBasePriorityPrivilege	3896	{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3988	4948	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe	91
PID 4948 wrote to memory of 3988	4948	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe	91
PID 4948 wrote to memory of 3988	4948	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe	91
PID 4948 wrote to memory of 4940	4948	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe	92
PID 4948 wrote to memory of 4940	4948	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe	92
PID 4948 wrote to memory of 4940	4948	2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe	92
PID 3988 wrote to memory of 832	3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe	93
PID 3988 wrote to memory of 832	3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe	93
PID 3988 wrote to memory of 832	3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe	93
PID 3988 wrote to memory of 3896	3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe	94
PID 3988 wrote to memory of 3896	3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe	94
PID 3988 wrote to memory of 3896	3988	{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe	94
PID 832 wrote to memory of 4936	832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe	97
PID 832 wrote to memory of 4936	832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe	97
PID 832 wrote to memory of 4936	832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe	97
PID 832 wrote to memory of 5100	832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe	98
PID 832 wrote to memory of 5100	832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe	98
PID 832 wrote to memory of 5100	832	{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe	98
PID 4936 wrote to memory of 2216	4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe	100
PID 4936 wrote to memory of 2216	4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe	100
PID 4936 wrote to memory of 2216	4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe	100
PID 4936 wrote to memory of 3628	4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe	101
PID 4936 wrote to memory of 3628	4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe	101
PID 4936 wrote to memory of 3628	4936	{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe	101
PID 2216 wrote to memory of 376	2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe	102
PID 2216 wrote to memory of 376	2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe	102
PID 2216 wrote to memory of 376	2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe	102
PID 2216 wrote to memory of 4352	2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe	103
PID 2216 wrote to memory of 4352	2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe	103
PID 2216 wrote to memory of 4352	2216	{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe	103
PID 376 wrote to memory of 3536	376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe	104
PID 376 wrote to memory of 3536	376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe	104
PID 376 wrote to memory of 3536	376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe	104
PID 376 wrote to memory of 3132	376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe	105
PID 376 wrote to memory of 3132	376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe	105
PID 376 wrote to memory of 3132	376	{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe	105
PID 3536 wrote to memory of 3220	3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe	107
PID 3536 wrote to memory of 3220	3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe	107
PID 3536 wrote to memory of 3220	3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe	107
PID 3536 wrote to memory of 1168	3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe	108
PID 3536 wrote to memory of 1168	3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe	108
PID 3536 wrote to memory of 1168	3536	{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe	108
PID 3220 wrote to memory of 1232	3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe	109
PID 3220 wrote to memory of 1232	3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe	109
PID 3220 wrote to memory of 1232	3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe	109
PID 3220 wrote to memory of 3720	3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe	110
PID 3220 wrote to memory of 3720	3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe	110
PID 3220 wrote to memory of 3720	3220	{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe	110
PID 1232 wrote to memory of 1768	1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe	111
PID 1232 wrote to memory of 1768	1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe	111
PID 1232 wrote to memory of 1768	1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe	111
PID 1232 wrote to memory of 3056	1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe	112
PID 1232 wrote to memory of 3056	1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe	112
PID 1232 wrote to memory of 3056	1232	{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe	112
PID 1768 wrote to memory of 1948	1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe	113
PID 1768 wrote to memory of 1948	1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe	113
PID 1768 wrote to memory of 1948	1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe	113
PID 1768 wrote to memory of 2728	1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe	114
PID 1768 wrote to memory of 2728	1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe	114
PID 1768 wrote to memory of 2728	1768	{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe	114
PID 1948 wrote to memory of 3896	1948	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe	115
PID 1948 wrote to memory of 3896	1948	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe	115
PID 1948 wrote to memory of 3896	1948	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe	115
PID 1948 wrote to memory of 1556	1948	{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_adf6bd25e6474168e863ef596f7556a2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe
  C:\Windows\{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe
    C:\Windows\{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe
      C:\Windows\{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe
        
        C:\Windows\{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe
        
        C:\Windows\{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe
        
        C:\Windows\{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe
        
        C:\Windows\{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe
        
        C:\Windows\{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe
        
        C:\Windows\{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe
        
        C:\Windows\{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe
        
        C:\Windows\{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\{C1465381-9C68-49f5-985F-308F9870E2A3}.exe
        
        C:\Windows\{C1465381-9C68-49f5-985F-308F9870E2A3}.exe
        13⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86C77~1.EXE > nul
        13⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B3C5~1.EXE > nul
        12⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74DC1~1.EXE > nul
        11⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6DC7~1.EXE > nul
        10⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C0C2~1.EXE > nul
        9⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD19C~1.EXE > nul
        8⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BD82~1.EXE > nul
        7⤵
        
        PID:3132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF7C3~1.EXE > nul
        6⤵
        
        PID:4352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51AC5~1.EXE > nul
        5⤵
        
        PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D1406~1.EXE > nul
      4⤵
      PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70C49~1.EXE > nul
    3⤵
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BD820E6-FC5A-4c3a-A023-090200AEEB4B}.exe

Filesize
197KB

MD5
9dddf0079a7181c07e2074a6d0cc87f8

SHA1
bba737252b9aab018dcfc5ba94c8bf9e06d7c8de

SHA256
15945a3e290966a30a79c67b1f43e1bb1117182aafda9d73bc47614d4c57f164

SHA512
94dceb95309a76c2ac37526126d8101502ed8e948f60053ed45bab98fce9ceb788e6c99521ff7c9a94fea20c4704e7546ef2095329b672263731f1e23cbbfe34

Download Submit
C:\Windows\{3B3C5DD1-F772-4f2e-8C67-34CE4CBE0C93}.exe

Filesize
197KB

MD5
cfc2ae9367ef35f2c935d357ded61a29

SHA1
8fa51286a2283c726a39e3e25e6d5c0d77adc76f

SHA256
51eed38b55f7c761fc1023765c85ccab7c59caac933debe7b902b5cdb10576fe

SHA512
4e5e5ab6953d9a114acf7f2ab281bfdeb2b08db15fab4962d90cd29d12dd9938984f240cc4325f763e53632301d7359b80e73bb6d694130da813d1b8d0d5e58c

Download Submit
C:\Windows\{51AC5E4E-C225-422b-BEAD-BF6C8EABBD6C}.exe

Filesize
197KB

MD5
e4ab1650b37ca0b3f92745c78d77d005

SHA1
66c19570b419cd70c74d1ece695fd81454489c61

SHA256
9214844ebf06abf109026c9c8c90cfebba7403a184c0b45c6fe8b88c5bcfaf20

SHA512
ea834b0f6dc63bfc3285ecd36b9464dd511303973fa681b6597be6679c9805566cf8cecd9ff6d6b4d064cdd8d9b3a0c619d726faf98caa8e48956b7821a50dca

Download Submit
C:\Windows\{70C495D3-8E7D-4992-9978-D29E9C648D57}.exe

Filesize
197KB

MD5
4ff88e8b12b60610d179929964d3a0a7

SHA1
9ec304bd81a0a1fee1c76cbb51ba8ae547a31b36

SHA256
e8409791c52a427572416cdcfecfb8c62808b7b7521ac4d2c8c8754f0f8349a1

SHA512
885683a475187bf1b3ecd93a0f36e2ded8749b8d54033637d1775fe2bbcbb88be9753d36feff102e57ea49d3e3291cc4f011b3422a2a088ff938c4e8dd4b5d98

Download Submit
C:\Windows\{74DC1F94-FD28-4146-BEA4-8FC7A48F3995}.exe

Filesize
197KB

MD5
41281e4dbde65896119632e3e0461a95

SHA1
b432f889431939a7ad166bc772cfa381ac1c8513

SHA256
5e1f020e2adddb7a50585d627f962d89abc57395aa3c022695b77a1b0e02162d

SHA512
ede16c70beaceb3a38fe49ad3cf6adaa87dcd8f644f5edfe5f9b1f8496757d5700af3da0d8f5bc56b3ccbab219a5b347780c17a2e1666b63da7bcf86cf8808f8

Download Submit
C:\Windows\{86C77A5A-844E-4841-AED2-D94F14385F6A}.exe

Filesize
197KB

MD5
f5b957d848f3b7df90dc086207a73234

SHA1
f655b02e4f071d2066d4dc417f5bb40ad8bb6b19

SHA256
b04a3681c9c12f429a34ccf94f67a6f0bb6d1dd0a346cb45eac4db29428105d1

SHA512
58fe175dc536c70aa5d80169790ad54698e929b926b5fc1c6f6e7a245cffb4babb7049ee398aad0de0bad57296630eacdb724bbfd481749a5d0c9d5f11d4f1a1

Download Submit
C:\Windows\{8C0C2034-7983-4fcc-9A0E-2297C6DE2C75}.exe

Filesize
197KB

MD5
862f9cced3c882b85d16ec052069cf6e

SHA1
fe4d7f906a8154bcc35ee2350da3f17e7ec18654

SHA256
a55bd79552473110dc91f9876d271a02a0269e748187b74cb3ca72430a4e4e6b

SHA512
f13aeef3a302ec6fbbd4c8505ae3d96a654f02a9bdbe666199a1dc58e738dbdd1f1e9d785004383863af5e9a4e717a60a83f7697a43704a11de9223139063e3d

Download Submit
C:\Windows\{A6DC7BA1-73BE-49a0-ABE9-751A514DAF4F}.exe

Filesize
197KB

MD5
c4457138d159f63ab0ac1ea9ab362e5c

SHA1
7d65ed0f19fcd136101cbba12550344cd63d7006

SHA256
ad730d75a11ca4857bc7c9b68c53ea5a05d9f3ec9f3b96feea0e95e3791375a9

SHA512
c5deb12e7a8720d76f968e75fb8a39a9b864aef8271e0230b7f0d28b614a3c69898c351d369a397d7dba3815bc4f85584fc73a8c22d192a9a4a78c71ad22bf1d

Download Submit
C:\Windows\{BF7C3E8C-AFF1-4d0d-9F21-46FE2E790E87}.exe

Filesize
197KB

MD5
3c307c1f853161bcd9a320ea118fa03c

SHA1
17c72918385f4c9efbbd2a7bedaa8f981d40cccc

SHA256
ef28bad4dff3f725686ea9adbc0373c637422c6eee644872c3619638eb7c23c6

SHA512
fd3a9ea01cbd0bcd99b55d515f42707c04548a12a78f8f47592405c7844b71dd4459ae982d13af987f31d08e02d9c8c7691832ba2208761a8c5a92fb5e5292c7

Download Submit
C:\Windows\{C1465381-9C68-49f5-985F-308F9870E2A3}.exe

Filesize
197KB

MD5
223473fa2caab87ae868ac4f67da2fc8

SHA1
32d55893d2cd12d28c2c248a1f333781742999a1

SHA256
dfaa22e3e20a75b6f4b59717657e94ace437f32f8b36f2508f65a03809c2b9c3

SHA512
80ea5f914936e92b3b08efdbef32077f803b9a345d2de4aaf2b556b068db566f204d425170a900dad21cd494466cdded4cd93b3ea2826397c0fef6076c03ead3

Download Submit
C:\Windows\{D1406806-4CFC-4fa3-B177-B2FD0A1D6B84}.exe

Filesize
197KB

MD5
0ce422b7dc03213b7a2dcabe7946c41d

SHA1
eebb411b4bca2b36717be9dc4fdd3c9eb55aceb2

SHA256
f8c854943fe2361faeefa2021567532ca7e1513b3d758d03bdf63744a32304ed

SHA512
02abeb435bd0b9bf3ea8f778f9b2d520576bb6c481d9f4315f87f2dcc457fc7058b070c8f8a71463121ff3721e8985cd8e87a89a06f125bd8557bd93f2701770

Download Submit
C:\Windows\{FD19C427-6D83-45ab-B81E-13EBED62D7F3}.exe

Filesize
197KB

MD5
35004093cc6f8e7101c2f0046f8fb56e

SHA1
8c33d037c6506d0acb4b00eec9db76f719e4a267

SHA256
bc7b79d24dfafdf8b1ac417f8339a5abf13b784e2e56c4885561d0083f424c9e

SHA512
ce41fbf6aa4f6d1ef321e9f242c39923cfde98df24a2b36a9a78c33019176037c32a417a7ecff111d18376e1fbf9f154b56b77f55a8230288898e08a9cd6719c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads