3b817ecfc36f7b3eb5dd4ca1d1252e5aa80cf1bbb43d7806e2486f33c0cad334

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
Size

344KB
MD5

bdf2acef414e9f13517ffa325fd55ca1
SHA1

f62eacd4cbeea1844b865f0f14bd3bd65c3ed34d
SHA256

3b817ecfc36f7b3eb5dd4ca1d1252e5aa80cf1bbb43d7806e2486f33c0cad334
SHA512

128ff1b7e9d80eda6dea9a53b5102b3d2731931e76b03fa9cd186192650a6ec691f4db32bda40716778d28b21231568809232f7e5d8ffd0570e1759cb9cd7371
SSDEEP

3072:mEGh0o3lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGhlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023246-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023235-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324e-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e768-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002324e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e768-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002324e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e768-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002324e-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e768-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e768-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}\stubpath = "C:\\Windows\\{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe"	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3AF286-E1FC-409d-B038-48384D9F5A73}	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C882E67B-2131-498f-BAAA-99693F9650C2}\stubpath = "C:\\Windows\\{C882E67B-2131-498f-BAAA-99693F9650C2}.exe"	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}\stubpath = "C:\\Windows\\{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe"	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}\stubpath = "C:\\Windows\\{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe"	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B437421-745F-4507-A59A-926929C11BBF}\stubpath = "C:\\Windows\\{2B437421-745F-4507-A59A-926929C11BBF}.exe"	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72B9038-0A40-41ce-A21C-27F9ED848EFD}	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}\stubpath = "C:\\Windows\\{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe"	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19B497F5-B467-40eb-ADC4-E4EFF41EF557}\stubpath = "C:\\Windows\\{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe"	{2B437421-745F-4507-A59A-926929C11BBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19B497F5-B467-40eb-ADC4-E4EFF41EF557}	{2B437421-745F-4507-A59A-926929C11BBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}	{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}\stubpath = "C:\\Windows\\{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}.exe"	{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57074FFF-ABD7-42cf-A233-9FF19129CAE7}	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57074FFF-ABD7-42cf-A233-9FF19129CAE7}\stubpath = "C:\\Windows\\{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe"	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B437421-745F-4507-A59A-926929C11BBF}	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C882E67B-2131-498f-BAAA-99693F9650C2}	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}\stubpath = "C:\\Windows\\{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe"	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72B9038-0A40-41ce-A21C-27F9ED848EFD}\stubpath = "C:\\Windows\\{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe"	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3AF286-E1FC-409d-B038-48384D9F5A73}\stubpath = "C:\\Windows\\{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe"	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe

Executes dropped EXE 12 IoCs

pid	Process
5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe
1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe
1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe
4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe
2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe
2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe
1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe
3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe
4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe
4600	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe
4212	{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe
2672	{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe
File created	C:\Windows\{2B437421-745F-4507-A59A-926929C11BBF}.exe	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe
File created	C:\Windows\{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe
File created	C:\Windows\{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe
File created	C:\Windows\{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}.exe	{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe
File created	C:\Windows\{C882E67B-2131-498f-BAAA-99693F9650C2}.exe	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe
File created	C:\Windows\{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
File created	C:\Windows\{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe
File created	C:\Windows\{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe
File created	C:\Windows\{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe	{2B437421-745F-4507-A59A-926929C11BBF}.exe
File created	C:\Windows\{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe
File created	C:\Windows\{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3312	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe
Token: SeIncBasePriorityPrivilege	1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe
Token: SeIncBasePriorityPrivilege	1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe
Token: SeIncBasePriorityPrivilege	4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe
Token: SeIncBasePriorityPrivilege	2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe
Token: SeIncBasePriorityPrivilege	2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe
Token: SeIncBasePriorityPrivilege	1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe
Token: SeIncBasePriorityPrivilege	3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe
Token: SeIncBasePriorityPrivilege	4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe
Token: SeIncBasePriorityPrivilege	4600	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe
Token: SeIncBasePriorityPrivilege	4212	{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 5020	3312	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	94
PID 3312 wrote to memory of 5020	3312	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	94
PID 3312 wrote to memory of 5020	3312	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	94
PID 3312 wrote to memory of 744	3312	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	95
PID 3312 wrote to memory of 744	3312	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	95
PID 3312 wrote to memory of 744	3312	2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe	95
PID 5020 wrote to memory of 1968	5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe	96
PID 5020 wrote to memory of 1968	5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe	96
PID 5020 wrote to memory of 1968	5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe	96
PID 5020 wrote to memory of 1452	5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe	97
PID 5020 wrote to memory of 1452	5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe	97
PID 5020 wrote to memory of 1452	5020	{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe	97
PID 1968 wrote to memory of 1344	1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe	101
PID 1968 wrote to memory of 1344	1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe	101
PID 1968 wrote to memory of 1344	1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe	101
PID 1968 wrote to memory of 3248	1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe	100
PID 1968 wrote to memory of 3248	1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe	100
PID 1968 wrote to memory of 3248	1968	{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe	100
PID 1344 wrote to memory of 4924	1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe	103
PID 1344 wrote to memory of 4924	1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe	103
PID 1344 wrote to memory of 4924	1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe	103
PID 1344 wrote to memory of 884	1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe	104
PID 1344 wrote to memory of 884	1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe	104
PID 1344 wrote to memory of 884	1344	{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe	104
PID 4924 wrote to memory of 2472	4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe	105
PID 4924 wrote to memory of 2472	4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe	105
PID 4924 wrote to memory of 2472	4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe	105
PID 4924 wrote to memory of 4092	4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe	106
PID 4924 wrote to memory of 4092	4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe	106
PID 4924 wrote to memory of 4092	4924	{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe	106
PID 2472 wrote to memory of 2592	2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe	107
PID 2472 wrote to memory of 2592	2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe	107
PID 2472 wrote to memory of 2592	2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe	107
PID 2472 wrote to memory of 856	2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe	108
PID 2472 wrote to memory of 856	2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe	108
PID 2472 wrote to memory of 856	2472	{2B437421-745F-4507-A59A-926929C11BBF}.exe	108
PID 2592 wrote to memory of 1620	2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe	109
PID 2592 wrote to memory of 1620	2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe	109
PID 2592 wrote to memory of 1620	2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe	109
PID 2592 wrote to memory of 4484	2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe	110
PID 2592 wrote to memory of 4484	2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe	110
PID 2592 wrote to memory of 4484	2592	{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe	110
PID 1620 wrote to memory of 3552	1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe	111
PID 1620 wrote to memory of 3552	1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe	111
PID 1620 wrote to memory of 3552	1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe	111
PID 1620 wrote to memory of 1320	1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe	112
PID 1620 wrote to memory of 1320	1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe	112
PID 1620 wrote to memory of 1320	1620	{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe	112
PID 3552 wrote to memory of 4784	3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe	113
PID 3552 wrote to memory of 4784	3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe	113
PID 3552 wrote to memory of 4784	3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe	113
PID 3552 wrote to memory of 1176	3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe	114
PID 3552 wrote to memory of 1176	3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe	114
PID 3552 wrote to memory of 1176	3552	{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe	114
PID 4784 wrote to memory of 4600	4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe	115
PID 4784 wrote to memory of 4600	4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe	115
PID 4784 wrote to memory of 4600	4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe	115
PID 4784 wrote to memory of 232	4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe	116
PID 4784 wrote to memory of 232	4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe	116
PID 4784 wrote to memory of 232	4784	{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe	116
PID 4600 wrote to memory of 4212	4600	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe	117
PID 4600 wrote to memory of 4212	4600	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe	117
PID 4600 wrote to memory of 4212	4600	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe	117
PID 4600 wrote to memory of 4708	4600	{C882E67B-2131-498f-BAAA-99693F9650C2}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_bdf2acef414e9f13517ffa325fd55ca1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe
  C:\Windows\{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe
    C:\Windows\{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CF8D7~1.EXE > nul
      4⤵
      PID:3248
  - - C:\Windows\{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe
      C:\Windows\{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe
        
        C:\Windows\{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\{2B437421-745F-4507-A59A-926929C11BBF}.exe
        
        C:\Windows\{2B437421-745F-4507-A59A-926929C11BBF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe
        
        C:\Windows\{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe
        
        C:\Windows\{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe
        
        C:\Windows\{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe
        
        C:\Windows\{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{C882E67B-2131-498f-BAAA-99693F9650C2}.exe
        
        C:\Windows\{C882E67B-2131-498f-BAAA-99693F9650C2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe
        
        C:\Windows\{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E711E~1.EXE > nul
        13⤵
        
        PID:4564
        
        C:\Windows\{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}.exe
        
        C:\Windows\{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}.exe
        13⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C882E~1.EXE > nul
        12⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C3AF~1.EXE > nul
        11⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7B30~1.EXE > nul
        10⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E72B9~1.EXE > nul
        9⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19B49~1.EXE > nul
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B437~1.EXE > nul
        7⤵
        
        PID:856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2498~1.EXE > nul
        6⤵
        
        PID:4092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57074~1.EXE > nul
        5⤵
        
        PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44943~1.EXE > nul
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19B497F5-B467-40eb-ADC4-E4EFF41EF557}.exe

Filesize
344KB

MD5
45ea4b3876d10a828b82f520db2cf4ed

SHA1
85c0a3ef9dbcba6c68e9170766abdcf4a2f33350

SHA256
7ad03c1100896e02f76eb2a8da4841f3f62a82ca956b8c290f6c40de185b2c82

SHA512
58cbd4f2ba849871af31be4801b5d8aada325922d20be7b6b29f4a5ddff976c56fa1de7c54057fefe8ca880f5a38af513c4add9fd953f4071e4bac3f01d3f25e

Download Submit
C:\Windows\{2B437421-745F-4507-A59A-926929C11BBF}.exe

Filesize
344KB

MD5
ef4e1bf9d052499d88e50e34fa338d9a

SHA1
8fc76f6370f38f1dadde72e44919de6554467453

SHA256
4e9d9b3a4a4ba79eb913abde4f872dcb0effa98b62d64a7ae7c6ced4e8e24ccb

SHA512
f2dec27179092a6affdcecfd1a9ee52d557b2dac50c31602fe383fafd02761a5ab4444f1797c5cd699bb690aca084124b5feed3fc8fe0642fa0b6022c1372d74

Download Submit
C:\Windows\{2C3AF286-E1FC-409d-B038-48384D9F5A73}.exe

Filesize
344KB

MD5
32bdbde4e8895c45bd6b15189ba87d0f

SHA1
4ac260b7b2312dc8908aae897c40edd0c8d6c33e

SHA256
c51da805474ebf09c11455c41c55f4cf3d2acdb9b1b24b258be86aa06dd4b4e4

SHA512
cacff79a69454e89b98252cb72eaa5c9604fa141bf6537705904873ff667d0831988af51a505fe6760a9f324f06aff6d5100ac3274ab8ea5d9ce2dd068958c0f

Download Submit
C:\Windows\{44943BF1-BD0C-41c8-8B73-D47D5929AB2E}.exe

Filesize
344KB

MD5
04d288bac331f3a1b6f3b9083f407d2c

SHA1
566ec99f1081d8e6a6703bebc9b65fc9da0b97ee

SHA256
ea87fc1a04fd53a46d0500785287202b9abf9eed2851ef0197f22478120bde18

SHA512
9234ded42c886ff78070b25a52c8c31f7c8efe06a3db54e5da7c7e4f80f3408dacca9122560ab11799dc2fc04989d6c03e6aab83b3127460b0f8a27a46588c11

Download Submit
C:\Windows\{57074FFF-ABD7-42cf-A233-9FF19129CAE7}.exe

Filesize
344KB

MD5
c3271154f3fd3c8a2d0725c6c3d3bae9

SHA1
2c3c0240c6f626e8b7cabafa4c2e512ad3b59701

SHA256
b379d5616a19af766db62ef28b5e6637678866368f318df8f47da85fe490a4dd

SHA512
9cf204e8c066b036f660ae8743117d39b9a946408c2ac6809482f1d5f46f2386db93ba225f0e3a55dac983b7b1a94a73e85f756eca4f94118544e4421a0aa36c

Download Submit
C:\Windows\{C24981E4-DB30-4af9-BEB4-ECDB3D9D46B2}.exe

Filesize
344KB

MD5
b68eabdff4f96eb91dbdb962ebfd97a4

SHA1
1aad1f3bbbcbb05ce064aab0f64c2ff301a0e3d4

SHA256
a08d5de2aa097eb684a8c29cee0e881d880209db851b293b1c66dccd279ab2c1

SHA512
a7ad14860b5a3447d78e342b64ccd1dba81440804c443d9da56f64d38e3350c57f6df49d49be36b90772aba4b2e94e1b5503a93ae6582c2c813fa22427321e0c

Download Submit
C:\Windows\{C7B30CDD-AA9B-4326-9CAB-8856D041F5BC}.exe

Filesize
344KB

MD5
086822f3380ed0ca403987bb8f7cd9fa

SHA1
8dad3d3d6cdbfd8768ecdbd526fa6073125716d8

SHA256
5124d52fe0f6b95c2385c5ce882929cd90dce4653552a1af6bf46282c130bb40

SHA512
aad70c7f0f069e08fe0ad16a89e1f80447bab78bf12686a7577fc2b1957bc426c6c9b15a1bfd05a4c21d10e616cf1eebbd2f277904b57596d066d4763bfe7687

Download Submit
C:\Windows\{C882E67B-2131-498f-BAAA-99693F9650C2}.exe

Filesize
344KB

MD5
a48974343dc444c09925d62ca23fd2b6

SHA1
bcfb85d5a0816475b5ffc75b960b013d5d59973b

SHA256
3bd78097c57dbaff122bc076b8a9bf14f8a4fa7ab900c870a34c872971339d58

SHA512
b067f477c93ded863a4d22c03d7ed74b677b12ead72238011a2c058f658c094fb20eb8ad3fa766eb9a656eb79a9fde4eab8a7b576a5f9fce8f74e3f5a5ca6fae

Download Submit
C:\Windows\{CF8D75B8-00A1-4faa-8039-A830D7C7F4A1}.exe

Filesize
344KB

MD5
20be72130d4dc9a8cfcf3b295bf1dc90

SHA1
7d3fbbcb83c7eb0905e067275f66861213476bac

SHA256
c9ddc63fc087eb4dabaace2c1b782f1a951c31fd15c400dd2fa501800732e0d0

SHA512
a05390082eb8ccabc9d17b74ec6b399e6ee2348dab2207fbb8458ffba8a7093d85a9df62d6c8fe528c50d33f2f85b43a38be2a6ce6adca9cb94f761964c33c90

Download Submit
C:\Windows\{D4A740DC-1B34-49a2-8C81-75FDAB505B0E}.exe

Filesize
344KB

MD5
e3e5b6d944dec2fe5b8b0d5eb6ce3b51

SHA1
1d33f10003992475604d0f374305d839c1f76fa2

SHA256
f3170e5dfdfbd80f8b5c9413df2b371c9bc3ddcf9182a7ffc8741e8099e62780

SHA512
8e77573dd3b9bf51f780213e9d200b6a6d9101d5881966c7842a2e40e8c67d055f598f2c438fe45cb32ebfa81eb70794336422a603cb2065298b3036f45de7a5

Download Submit
C:\Windows\{E711E9C1-E6B0-4a86-8AB5-5475BBBDDE9E}.exe

Filesize
344KB

MD5
cc76b435643cc9b57e0947013335017a

SHA1
9443427682ee9135759ee23f9aca1fac3f1eb1b8

SHA256
1760d5d260811f2de0d18fcff9f68230f303e0b60beea1ebc538e1bb858831f6

SHA512
79a9a3d4db6dd3e2cb1e0c1b0e727c6715a098152a4cfcfd3c8708ba5ea0028d29e794a1cdedb6180be2fdd3a4d28bc7ef8a28497439d9a5fe0e3e03cdbe432c

Download Submit
C:\Windows\{E72B9038-0A40-41ce-A21C-27F9ED848EFD}.exe

Filesize
344KB

MD5
5c896abbd4a82c6e83f020b9b1cf4ddc

SHA1
ddd79c4ccce1c9e6c323a8bce0af94422d0da44a

SHA256
f1fdcdc2c011082e14cc22ce6575230c9fd5efd9f8a7b9c204b44946484ffe90

SHA512
d20e8123d0ded2394b762b2cf5f2881668ca54812788ca1671a9c0e94bcc59cf90016dacb0b930ec32844d7f311f2d82697c80769e0ff05d20eff8253a08fe5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads