5bb096797906802cc6d002a53987507872df8d38802dfb9ba0eb41167514d8e0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Size

408KB
MD5

39a5887e6b7ca409173d96fa52f388b5
SHA1

a17da4aa62842e4e9f11430faf5752633bae59ef
SHA256

5bb096797906802cc6d002a53987507872df8d38802dfb9ba0eb41167514d8e0
SHA512

f947a2a08c0886e735d76b967305c75be25e7548a46b2fa449725d84fd7bbd7670067cf52c83aa83ce14d53dee65c3b8fcd84a8ddd46d1b189b718080d8ffdc2
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023133-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002321a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023137-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002322b-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023137-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000002276e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023137-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000002276e-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023137-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002276e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023137-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B91EA0D-1972-45ac-AC74-406B14C37AD5}	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}	{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BCB4681-C053-4308-8B29-495060DA997C}	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BCB4681-C053-4308-8B29-495060DA997C}\stubpath = "C:\\Windows\\{5BCB4681-C053-4308-8B29-495060DA997C}.exe"	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E4AB06-E3A1-4e54-9A77-16278E305E87}\stubpath = "C:\\Windows\\{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe"	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}\stubpath = "C:\\Windows\\{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe"	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EEDA40A-064C-45f7-8AA1-80DAC4583504}	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B35A77FD-83F0-432b-A935-24F1D8EB264C}	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B91EA0D-1972-45ac-AC74-406B14C37AD5}\stubpath = "C:\\Windows\\{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe"	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E4AB06-E3A1-4e54-9A77-16278E305E87}	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A29C35B6-950A-49f3-A9D8-9594B4174C5D}\stubpath = "C:\\Windows\\{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe"	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}\stubpath = "C:\\Windows\\{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe"	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EEDA40A-064C-45f7-8AA1-80DAC4583504}\stubpath = "C:\\Windows\\{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe"	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B35A77FD-83F0-432b-A935-24F1D8EB264C}\stubpath = "C:\\Windows\\{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe"	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}\stubpath = "C:\\Windows\\{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe"	{5BCB4681-C053-4308-8B29-495060DA997C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A29C35B6-950A-49f3-A9D8-9594B4174C5D}	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}\stubpath = "C:\\Windows\\{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe"	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}\stubpath = "C:\\Windows\\{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}.exe"	{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}\stubpath = "C:\\Windows\\{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe"	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}	{5BCB4681-C053-4308-8B29-495060DA997C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe
3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe
3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe
4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe
2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe
2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe
4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe
2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe
116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe
4744	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe
2368	{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe
1760	{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe
File created	C:\Windows\{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe
File created	C:\Windows\{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe
File created	C:\Windows\{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe
File created	C:\Windows\{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe
File created	C:\Windows\{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe
File created	C:\Windows\{5BCB4681-C053-4308-8B29-495060DA997C}.exe	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe
File created	C:\Windows\{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe	{5BCB4681-C053-4308-8B29-495060DA997C}.exe
File created	C:\Windows\{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}.exe	{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe
File created	C:\Windows\{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
File created	C:\Windows\{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe
File created	C:\Windows\{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2072	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe
Token: SeIncBasePriorityPrivilege	3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe
Token: SeIncBasePriorityPrivilege	3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe
Token: SeIncBasePriorityPrivilege	4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe
Token: SeIncBasePriorityPrivilege	2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe
Token: SeIncBasePriorityPrivilege	2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe
Token: SeIncBasePriorityPrivilege	4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe
Token: SeIncBasePriorityPrivilege	2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe
Token: SeIncBasePriorityPrivilege	116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe
Token: SeIncBasePriorityPrivilege	4744	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe
Token: SeIncBasePriorityPrivilege	2368	{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4132	2072	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	91
PID 2072 wrote to memory of 4132	2072	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	91
PID 2072 wrote to memory of 4132	2072	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	91
PID 2072 wrote to memory of 4720	2072	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	92
PID 2072 wrote to memory of 4720	2072	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	92
PID 2072 wrote to memory of 4720	2072	2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe	92
PID 4132 wrote to memory of 3712	4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe	93
PID 4132 wrote to memory of 3712	4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe	93
PID 4132 wrote to memory of 3712	4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe	93
PID 4132 wrote to memory of 1224	4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe	94
PID 4132 wrote to memory of 1224	4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe	94
PID 4132 wrote to memory of 1224	4132	{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe	94
PID 3712 wrote to memory of 3248	3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe	100
PID 3712 wrote to memory of 3248	3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe	100
PID 3712 wrote to memory of 3248	3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe	100
PID 3712 wrote to memory of 1696	3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe	99
PID 3712 wrote to memory of 1696	3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe	99
PID 3712 wrote to memory of 1696	3712	{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe	99
PID 3248 wrote to memory of 4260	3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe	101
PID 3248 wrote to memory of 4260	3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe	101
PID 3248 wrote to memory of 4260	3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe	101
PID 3248 wrote to memory of 940	3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe	102
PID 3248 wrote to memory of 940	3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe	102
PID 3248 wrote to memory of 940	3248	{5BCB4681-C053-4308-8B29-495060DA997C}.exe	102
PID 4260 wrote to memory of 2376	4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe	103
PID 4260 wrote to memory of 2376	4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe	103
PID 4260 wrote to memory of 2376	4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe	103
PID 4260 wrote to memory of 2120	4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe	104
PID 4260 wrote to memory of 2120	4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe	104
PID 4260 wrote to memory of 2120	4260	{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe	104
PID 2376 wrote to memory of 2804	2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe	105
PID 2376 wrote to memory of 2804	2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe	105
PID 2376 wrote to memory of 2804	2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe	105
PID 2376 wrote to memory of 1308	2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe	106
PID 2376 wrote to memory of 1308	2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe	106
PID 2376 wrote to memory of 1308	2376	{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe	106
PID 2804 wrote to memory of 4884	2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe	109
PID 2804 wrote to memory of 4884	2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe	109
PID 2804 wrote to memory of 4884	2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe	109
PID 2804 wrote to memory of 4004	2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe	110
PID 2804 wrote to memory of 4004	2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe	110
PID 2804 wrote to memory of 4004	2804	{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe	110
PID 4884 wrote to memory of 2112	4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe	111
PID 4884 wrote to memory of 2112	4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe	111
PID 4884 wrote to memory of 2112	4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe	111
PID 4884 wrote to memory of 4476	4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe	112
PID 4884 wrote to memory of 4476	4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe	112
PID 4884 wrote to memory of 4476	4884	{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe	112
PID 2112 wrote to memory of 116	2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe	113
PID 2112 wrote to memory of 116	2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe	113
PID 2112 wrote to memory of 116	2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe	113
PID 2112 wrote to memory of 4952	2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe	114
PID 2112 wrote to memory of 4952	2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe	114
PID 2112 wrote to memory of 4952	2112	{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe	114
PID 116 wrote to memory of 4744	116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe	115
PID 116 wrote to memory of 4744	116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe	115
PID 116 wrote to memory of 4744	116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe	115
PID 116 wrote to memory of 3264	116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe	116
PID 116 wrote to memory of 3264	116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe	116
PID 116 wrote to memory of 3264	116	{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe	116
PID 4744 wrote to memory of 2368	4744	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe	117
PID 4744 wrote to memory of 2368	4744	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe	117
PID 4744 wrote to memory of 2368	4744	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe	117
PID 4744 wrote to memory of 1500	4744	{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_39a5887e6b7ca409173d96fa52f388b5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe
  C:\Windows\{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe
    C:\Windows\{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B35A7~1.EXE > nul
      4⤵
      PID:1696
  - - C:\Windows\{5BCB4681-C053-4308-8B29-495060DA997C}.exe
      C:\Windows\{5BCB4681-C053-4308-8B29-495060DA997C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe
        
        C:\Windows\{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe
        
        C:\Windows\{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe
        
        C:\Windows\{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe
        
        C:\Windows\{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe
        
        C:\Windows\{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe
        
        C:\Windows\{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe
        
        C:\Windows\{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe
        
        C:\Windows\{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}.exe
        
        C:\Windows\{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}.exe
        13⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EEDA~1.EXE > nul
        13⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87FC1~1.EXE > nul
        12⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C7D5~1.EXE > nul
        11⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BB29~1.EXE > nul
        10⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A29C3~1.EXE > nul
        9⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21E4A~1.EXE > nul
        8⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B91E~1.EXE > nul
        7⤵
        
        PID:1308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D8C8~1.EXE > nul
        6⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BCB4~1.EXE > nul
        5⤵
        
        PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2CE85~1.EXE > nul
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C7D577F-2E3C-489f-B918-7DCC994E4AF3}.exe

Filesize
408KB

MD5
fc8161dde4bac16ecc893e2545b382d6

SHA1
c460a5a24a6b94498098b0b0ca6970d8d0392858

SHA256
573f0750b21f3b379ea7683db3abc069d800b6945300a1b310a05788901a064b

SHA512
74564327c4f91874149890a2b706d6d1d8b0d69bd7d6e1014d1b62122a076ad468a2fd6bcbc7bdedddb1749211b0524fed72c72f3d50f886dedc87f2f5994250

Download Submit
C:\Windows\{21E4AB06-E3A1-4e54-9A77-16278E305E87}.exe

Filesize
408KB

MD5
8a5e975cb45d454aebcc2af5f27139e1

SHA1
06cd6bd4ea913aea18da4b68288fe366eee7ab96

SHA256
10d78b7fd8e69b3bc60b8e4b474bdde9b0cb3f3bb1393d3fbd99bcba9f751a3c

SHA512
1f10a50c8db26cdedc6294257d4f4faf63b8b0a97f5565b704c5c71c3746e28924b66e054bbc15d870e3d31552c1f58704361ab665309f97ed7a262b6b334a2f

Download Submit
C:\Windows\{2CE85BAB-D336-4437-83B4-78D6AD5E8B7A}.exe

Filesize
408KB

MD5
d8f1e4ddb1579a89824445e337016feb

SHA1
e5e363bf5486a5dd360a6bef4254f69c49d73e25

SHA256
e49892f83823477d4ccce046b06f691f426e354389d1fdf784ff7fb59ed6aff8

SHA512
1c918b908f3701e9b459c9d0ab45a3e75010bce71cc8312eaa72932afba4f6e4f2e1584c74074c2d5e71c212a947d0d28d7fd872020ce67ef49207cd645d11f2

Download Submit
C:\Windows\{4B91EA0D-1972-45ac-AC74-406B14C37AD5}.exe

Filesize
408KB

MD5
3ed8b44778207195f7289ec7f74a749e

SHA1
a277fd8e501237ff99c20ef2ede2b51d627cc73c

SHA256
0c387ae790c69fd9ea5b8df79b660b81881671d706d04edbe8e87bcdbf56737c

SHA512
0e33f2d242dac59887bc497d9f59ed020e27136db4052c937fd5f362cee7f757e10b8e1619a48b55b6683ca49ead82a5e4f24316b76d72bfa455ced5e7fc2a05

Download Submit
C:\Windows\{5BCB4681-C053-4308-8B29-495060DA997C}.exe

Filesize
408KB

MD5
f7ce726185ee412d53982bb078b4da79

SHA1
e3f5836ee48a49a182cffd1b92792e622d5c2108

SHA256
cdf2f8b57b52acbb9b34200ca2b38778a1522fa11ee4d37b1696987a17f820f7

SHA512
09a157a97d2963099b23185e00c45a7d490cfc028c9496dcec6164517ff019abc1bda648c7c7b461873f14e46e93978baa674e6ba6fece3c0e2da560e823985c

Download Submit
C:\Windows\{5D8C8B2A-CE99-4e4b-9D87-C7A26766586D}.exe

Filesize
408KB

MD5
aa91001fec28d40cafff2217de21efba

SHA1
0f942c7a67af18702a150ca6d2d2ba16b65353cb

SHA256
1afee2e5160c99c0c19c101c8f80e3666aa7ec0147317eae39771479c98c5e13

SHA512
c5a48165db301224a13a972bfff87775d45ce38b4678a0533305675d90a214d93ed8146e21f9f854e7c9cf594dd8220ed43919a7a46d30129b123512ea63e811

Download Submit
C:\Windows\{5EEDA40A-064C-45f7-8AA1-80DAC4583504}.exe

Filesize
408KB

MD5
7fd40ff493a27aed390dbfbe7a531d24

SHA1
4dcf3a78469fff7d721e5e73a3214e044752e1a5

SHA256
d1926f75373b75d7becdeced5bf183d9dbff7e6e4ba72a51475fe24f98f8fd12

SHA512
7b464157e02e2ee53b0aba353e0e9542732364dc76d5040de42b5d8fe503dcae4a40918fe478ba393a7dfe1ff68bc78167e77cce1d000366b44dcbb47d68786f

Download Submit
C:\Windows\{87FC17A8-27AB-4b7d-A8D0-2BD6C9BC5230}.exe

Filesize
408KB

MD5
efda2821579fdffff344a77d155065ce

SHA1
7da7223cf8a03fbc938528bd071c07b752dd4e6e

SHA256
0690885d79280f6230b093454fab6517cf7ecee1b09f6f446e23fb2f2ed01c0e

SHA512
a7c2e912314981e17678be7703d7861799c0f9898ff6a0c451c33d17e1ccabdd38a340ca5f77ba32c3af937a9807b829f4e6c27849275577e7fd5f35d511ef57

Download Submit
C:\Windows\{9BB29B6C-CE2E-4cbb-A10D-A83F6C2729A3}.exe

Filesize
408KB

MD5
19519bc827787c07290b8d6c904b3fc3

SHA1
2ad596833cf7eac57866db87ab8fd90235d8416e

SHA256
ecc666c807f4da90e7b26254519a98726bc5ce01d6bcac75f6a5bea57245554c

SHA512
9b880ed7084fd95018f57cea52dc6be75a7c00888733314036e59c68a244d9795ff16387ab26936ac19a2d5e9415c2836851a508b0b0df8f996a23e0dbad9d27

Download Submit
C:\Windows\{A29C35B6-950A-49f3-A9D8-9594B4174C5D}.exe

Filesize
408KB

MD5
5a4aa97d9117de10889fec190ecd9ddc

SHA1
7307ccc7595e5b124df9175438e49392c7f90d83

SHA256
b61451a047e3e68be83ce12e97dd2eecc67ce260f6f73d87fded4d0a3f4ca5b1

SHA512
db0c125d6a04b5c4f96bae48cf5910af361bd738062017ab65e5a289a4e5afb5baeaca1c356afb995275de4d911ffff0d2edd7dcc7b4087d154d92c3cd5e0819

Download Submit
C:\Windows\{B35A77FD-83F0-432b-A935-24F1D8EB264C}.exe

Filesize
408KB

MD5
fc70b60e3d7093ab19cc2fa537de07bf

SHA1
e08cd4706e71a4167e939247f4ece16fa60c1fda

SHA256
ac7e025ad2e811df1780567c5fb79fa283c83a694d9f4222049bf18143b08bac

SHA512
ac1c0e3f353f060bcaf1eba0ce5626a6c1afc5f10fbae68d7ff1ea4340215c6a1200b13d489949bc06f851a5c26ebef8f72e1c3d21cdd6d812e0a6c8cfab905e

Download Submit
C:\Windows\{B87A35EB-1B85-4fb6-8908-84DC21A9F2C9}.exe

Filesize
408KB

MD5
907706960d24a5745e2b651b8a1b42c6

SHA1
9b6c7523b049df52123de743f4a92a5909e5addb

SHA256
4073043586874a91f355574970fe690532d61003c7b1e3b83f031d4be3c2c9ed

SHA512
51f3eabfbf72669b9e03b5efb54435909568eb28e4abd5faec9801b107e80b848924fdc3f45d5b25b74db259f5f9a1d4d8604988cf7fa97a13fc157ce303ec9e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads