a78432e5ec364d6f40c13a43f5a73dac29a749cc3676a04b6905511ccdbf6d5d

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Size

180KB
MD5

b0f56e3b8f947a36356e6bf8c17c728a
SHA1

e764560d135cd9a0fa55a952342fa16fd2b714b8
SHA256

a78432e5ec364d6f40c13a43f5a73dac29a749cc3676a04b6905511ccdbf6d5d
SHA512

6cc99aec606bc108eefe3d5ffa9f0f61301a9f550a2f8db138b0069eb3b8e418050d763c2bfad5636bc104ab0ec03b51dde95167c3e529ede2b511ffb3031a2e
SSDEEP

3072:jEGh0oQlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGGl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023229-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023232-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023342-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a5-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234b7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233a5-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234b7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c1-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e985-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234db-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7966C6DF-1772-4e02-B122-BD8B21062320}	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54E8A4B4-9E67-4c6c-9E07-A39B14764035}\stubpath = "C:\\Windows\\{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe"	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}\stubpath = "C:\\Windows\\{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe"	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C925A2D3-7016-49f6-BD57-323C66E1CF0C}	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C925A2D3-7016-49f6-BD57-323C66E1CF0C}\stubpath = "C:\\Windows\\{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe"	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}\stubpath = "C:\\Windows\\{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe"	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}\stubpath = "C:\\Windows\\{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe"	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54E8A4B4-9E67-4c6c-9E07-A39B14764035}	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C735FE-7EBA-4337-A2F1-F114C76290FC}	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B286F1F-931B-48cc-AA44-D78044C64511}	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}\stubpath = "C:\\Windows\\{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe"	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D5878A9-BC55-4a7e-93E7-A80F2396117A}	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D5878A9-BC55-4a7e-93E7-A80F2396117A}\stubpath = "C:\\Windows\\{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe"	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7966C6DF-1772-4e02-B122-BD8B21062320}\stubpath = "C:\\Windows\\{7966C6DF-1772-4e02-B122-BD8B21062320}.exe"	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4F7C23A-A60F-4d54-927D-66B808DEB255}	{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C735FE-7EBA-4337-A2F1-F114C76290FC}\stubpath = "C:\\Windows\\{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe"	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B286F1F-931B-48cc-AA44-D78044C64511}\stubpath = "C:\\Windows\\{6B286F1F-931B-48cc-AA44-D78044C64511}.exe"	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4F7C23A-A60F-4d54-927D-66B808DEB255}\stubpath = "C:\\Windows\\{B4F7C23A-A60F-4d54-927D-66B808DEB255}.exe"	{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}\stubpath = "C:\\Windows\\{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe"	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe

Executes dropped EXE 12 IoCs

pid	Process
2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe
1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe
1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe
4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe
3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe
4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe
4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe
3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe
3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe
3184	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe
3252	{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe
2340	{B4F7C23A-A60F-4d54-927D-66B808DEB255}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe
File created	C:\Windows\{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe
File created	C:\Windows\{7966C6DF-1772-4e02-B122-BD8B21062320}.exe	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe
File created	C:\Windows\{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe
File created	C:\Windows\{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe
File created	C:\Windows\{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe
File created	C:\Windows\{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe
File created	C:\Windows\{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
File created	C:\Windows\{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe
File created	C:\Windows\{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe
File created	C:\Windows\{6B286F1F-931B-48cc-AA44-D78044C64511}.exe	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe
File created	C:\Windows\{B4F7C23A-A60F-4d54-927D-66B808DEB255}.exe	{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4856	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe
Token: SeIncBasePriorityPrivilege	1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe
Token: SeIncBasePriorityPrivilege	1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe
Token: SeIncBasePriorityPrivilege	4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe
Token: SeIncBasePriorityPrivilege	3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe
Token: SeIncBasePriorityPrivilege	4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe
Token: SeIncBasePriorityPrivilege	4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe
Token: SeIncBasePriorityPrivilege	3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe
Token: SeIncBasePriorityPrivilege	3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe
Token: SeIncBasePriorityPrivilege	3184	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe
Token: SeIncBasePriorityPrivilege	3252	{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2768	4856	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	99
PID 4856 wrote to memory of 2768	4856	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	99
PID 4856 wrote to memory of 2768	4856	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	99
PID 4856 wrote to memory of 1284	4856	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	100
PID 4856 wrote to memory of 1284	4856	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	100
PID 4856 wrote to memory of 1284	4856	2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe	100
PID 2768 wrote to memory of 1200	2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe	101
PID 2768 wrote to memory of 1200	2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe	101
PID 2768 wrote to memory of 1200	2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe	101
PID 2768 wrote to memory of 5004	2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe	102
PID 2768 wrote to memory of 5004	2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe	102
PID 2768 wrote to memory of 5004	2768	{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe	102
PID 1200 wrote to memory of 1360	1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe	106
PID 1200 wrote to memory of 1360	1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe	106
PID 1200 wrote to memory of 1360	1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe	106
PID 1200 wrote to memory of 4148	1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe	107
PID 1200 wrote to memory of 4148	1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe	107
PID 1200 wrote to memory of 4148	1200	{7966C6DF-1772-4e02-B122-BD8B21062320}.exe	107
PID 1360 wrote to memory of 4848	1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe	108
PID 1360 wrote to memory of 4848	1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe	108
PID 1360 wrote to memory of 4848	1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe	108
PID 1360 wrote to memory of 3664	1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe	109
PID 1360 wrote to memory of 3664	1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe	109
PID 1360 wrote to memory of 3664	1360	{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe	109
PID 4848 wrote to memory of 3332	4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe	110
PID 4848 wrote to memory of 3332	4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe	110
PID 4848 wrote to memory of 3332	4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe	110
PID 4848 wrote to memory of 4328	4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe	111
PID 4848 wrote to memory of 4328	4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe	111
PID 4848 wrote to memory of 4328	4848	{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe	111
PID 3332 wrote to memory of 4932	3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe	114
PID 3332 wrote to memory of 4932	3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe	114
PID 3332 wrote to memory of 4932	3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe	114
PID 3332 wrote to memory of 2028	3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe	115
PID 3332 wrote to memory of 2028	3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe	115
PID 3332 wrote to memory of 2028	3332	{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe	115
PID 4932 wrote to memory of 4332	4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe	116
PID 4932 wrote to memory of 4332	4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe	116
PID 4932 wrote to memory of 4332	4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe	116
PID 4932 wrote to memory of 4400	4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe	117
PID 4932 wrote to memory of 4400	4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe	117
PID 4932 wrote to memory of 4400	4932	{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe	117
PID 4332 wrote to memory of 3020	4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe	122
PID 4332 wrote to memory of 3020	4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe	122
PID 4332 wrote to memory of 3020	4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe	122
PID 4332 wrote to memory of 4928	4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe	123
PID 4332 wrote to memory of 4928	4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe	123
PID 4332 wrote to memory of 4928	4332	{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe	123
PID 3020 wrote to memory of 3964	3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe	127
PID 3020 wrote to memory of 3964	3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe	127
PID 3020 wrote to memory of 3964	3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe	127
PID 3020 wrote to memory of 4856	3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe	128
PID 3020 wrote to memory of 4856	3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe	128
PID 3020 wrote to memory of 4856	3020	{6B286F1F-931B-48cc-AA44-D78044C64511}.exe	128
PID 3964 wrote to memory of 3184	3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe	130
PID 3964 wrote to memory of 3184	3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe	130
PID 3964 wrote to memory of 3184	3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe	130
PID 3964 wrote to memory of 4904	3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe	131
PID 3964 wrote to memory of 4904	3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe	131
PID 3964 wrote to memory of 4904	3964	{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe	131
PID 3184 wrote to memory of 3252	3184	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe	132
PID 3184 wrote to memory of 3252	3184	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe	132
PID 3184 wrote to memory of 3252	3184	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe	132
PID 3184 wrote to memory of 4328	3184	{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_b0f56e3b8f947a36356e6bf8c17c728a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe
  C:\Windows\{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\{7966C6DF-1772-4e02-B122-BD8B21062320}.exe
    C:\Windows\{7966C6DF-1772-4e02-B122-BD8B21062320}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe
      C:\Windows\{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe
        
        C:\Windows\{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe
        
        C:\Windows\{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe
        
        C:\Windows\{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe
        
        C:\Windows\{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{6B286F1F-931B-48cc-AA44-D78044C64511}.exe
        
        C:\Windows\{6B286F1F-931B-48cc-AA44-D78044C64511}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe
        
        C:\Windows\{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe
        
        C:\Windows\{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe
        
        C:\Windows\{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\{B4F7C23A-A60F-4d54-927D-66B808DEB255}.exe
        
        C:\Windows\{B4F7C23A-A60F-4d54-927D-66B808DEB255}.exe
        13⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E59E6~1.EXE > nul
        13⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D587~1.EXE > nul
        12⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{530D7~1.EXE > nul
        11⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B286~1.EXE > nul
        10⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C73~1.EXE > nul
        9⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFE7~1.EXE > nul
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC097~1.EXE > nul
        7⤵
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54E8A~1.EXE > nul
        6⤵
        
        PID:4328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C925A~1.EXE > nul
        5⤵
        
        PID:3664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7966C~1.EXE > nul
      4⤵
      PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3DC2~1.EXE > nul
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D5878A9-BC55-4a7e-93E7-A80F2396117A}.exe

Filesize
180KB

MD5
75bf90217b7c6a006746f7ed6ec4c907

SHA1
60ca549028d43da5a087f470ce8e2ad28dafc7cf

SHA256
2390b1e133960f47bd9626e747f8cc66ae1f702b7c0f4dca84018f42b5ba059d

SHA512
a8ad1e5f7b756a5ff253f48f4edb77d4c585ed9c33140a3ad78996140c7a5040ace98cbb0daf3e3d12e0ca9778a38f4b511c45cb4471c3367a0d3e2db87e99c7

Download Submit
C:\Windows\{530D79BD-0CA6-43f2-91D0-FD253D2EEB9D}.exe

Filesize
180KB

MD5
49bd13a3a3dfbddf71cc91ddf4f6d57f

SHA1
e5ab4eb62f15fdda278aab4af1a7dee608d096df

SHA256
f96606d675e0dd328314825234f3894a8326bb8d1e879d645a652f63942e753c

SHA512
8e6a9292122610e9114900d3b9419ab521b639d9a4ef795315eee7cde62af22b574bc578e8c0b8afee773f70aff91d52eb78edd3916191bcb38d12a711b0600a

Download Submit
C:\Windows\{54E8A4B4-9E67-4c6c-9E07-A39B14764035}.exe

Filesize
180KB

MD5
48177813f4eef9f06b923604e97b231f

SHA1
031a5256eb4599d25c3c0450c81fe3d9b8d56836

SHA256
0a9fd65307d60b79cf9357f3faa2984cdadd9d75f28bd24b26184ebd5655467e

SHA512
5b56c2549ded5d1e9db61448618524a5b30af8f89faf63c5018be38ea33dc5689c1d7f514085431944a523c952be893bd7ff4ea069898f2ef30fcb716b6abc6c

Download Submit
C:\Windows\{6B286F1F-931B-48cc-AA44-D78044C64511}.exe

Filesize
180KB

MD5
e0523308a80e96c3860b5180a88246a3

SHA1
ac7facc22617089ba43fcefb027f9e355b0a5bec

SHA256
107a4d9e38dbe8a2ee32b81d37a9ab9446ea547735234ffb4a5200acfab30697

SHA512
f057b54dea9be483d1f1ecc2a9159e4fea7d4ef794f4f88c408797efcb573a730c9b5fd9fb3d8f97d684bbfab5e40bbf19d0350b3b6bc0a259552746277a71ff

Download Submit
C:\Windows\{7966C6DF-1772-4e02-B122-BD8B21062320}.exe

Filesize
180KB

MD5
91c5c1858662de055f42ba2c87fa0987

SHA1
2a23e9172e75d4315b37e33d6254af346fa61156

SHA256
2a5b7c0f13f21b17c5c5633c7b1d8a4c5778188e3bb564fb3a9ae63f943107e2

SHA512
8952c236a1916e45500d6e09ae14cb6567a37cd6a4246fbee30e60d8ff5133ab989b5986bd7025b3d737ee37389fc430b736427493287ac88b1924e927b7a3b4

Download Submit
C:\Windows\{7DFE75B1-8C85-407c-80BC-F831C1BBA6E3}.exe

Filesize
180KB

MD5
b2803f925bf293c1edf72121c3772598

SHA1
ecabd69e462f3ea1148160f23ac2a0a5667125eb

SHA256
b89a1e22758d36137c8b1237b6c330d6a262932c15c26631ff65872bb8d6ac50

SHA512
9e6bdebe2e7a45040abb8fda3922688c7013b1899f10028638159ecfab56d8b8fb74d3c66350d08ecf2943bf310a9e94c1c2d44fe420c930ca78debd321c8b99

Download Submit
C:\Windows\{A2C735FE-7EBA-4337-A2F1-F114C76290FC}.exe

Filesize
180KB

MD5
9bd6f464153454850d0a32da8c703a0a

SHA1
2639b7fd68966a95636ea61d38c2ea96d8008e2e

SHA256
c0359598fb8a3ea15fe02e785bd44bbac469d0ec8dccad37c370e6bbabb6d27b

SHA512
79de76c3ec4caeaa99ac50447004c53597b65ec2bed0c9e59b995e08f3f9dce4453d6487f9e9e8f9ad26aa164a5ca6b039b0d38d45a286cdcb6e8a56763646dd

Download Submit
C:\Windows\{B3DC2208-85ED-40fd-905C-0BFC345AAB7D}.exe

Filesize
180KB

MD5
65df43a12636fae2a295e5f5424012e1

SHA1
aba25c7804221b62598848645895f97e86d5445d

SHA256
862d37a8d4b2ea61ea56115588fba2963a2259a90cb8f19a4e3d91014c8db6df

SHA512
d57f326382f8db3e5bc22f851bf2f9b1513c7e43f8f1836d8080ab9829ff22d0ca8cf7664121e566e4534c4400eb4b64264e0e4ed6c188473732943c90e30173

Download Submit
C:\Windows\{B4F7C23A-A60F-4d54-927D-66B808DEB255}.exe

Filesize
180KB

MD5
31038c754f2678c06d20f17755b96a93

SHA1
925247a8ac05e420d8fb0873e5b878998c978d76

SHA256
8964490b203ddbdc3e0b4acddcc0049eb13f78e849d0021acf5066071f0066fc

SHA512
f428831f12be00f76f978a5c2d69cd1572751cfeebac8a303845020b07028b7210b41df8c3bbd8dbb156a08e245e7771d077e43898e1708c60daf05281734cc1

Download Submit
C:\Windows\{C925A2D3-7016-49f6-BD57-323C66E1CF0C}.exe

Filesize
180KB

MD5
a33b5ae942718cde654192de3524d4d2

SHA1
69706b2b8f080e77faa8ec456cd33cdc65b2c535

SHA256
d76edbd91f4282582df38ae9c6a7fc035fb1f3e781d45dc36fb36303c499eedd

SHA512
a8d34e80e2b38892f52405f9b46e4cd43ab2c66e7291a5555a63f8216837e52a410ccbacc0fa06f33e1150ac15883b72a51d07fb1e850f49b4d0ef33fd22d259

Download Submit
C:\Windows\{DC0973C3-FBA1-4a6a-AD16-F54E0D9835A9}.exe

Filesize
180KB

MD5
cb345a2dd044fd911967469076467029

SHA1
3d3c929118d32a9119a727685b9b01919452b3d9

SHA256
5e8458a9f1beac36d4e15458e1f5f186bb03b7377a4ee974ab7c64ffef8cd311

SHA512
db8ec7432e42a0b6283b57be3c93e374215400cfdc14af029f852294647181e96a2f7c057196243a9e2897e83d0d48bc99c125f92bf880e498a3dbd9b50eb3fe

Download Submit
C:\Windows\{E59E6FBD-3CD3-43bc-8003-C5E1FF499806}.exe

Filesize
180KB

MD5
527ec333e29b5c725f5c7dae45142572

SHA1
018aa81e255f8be349f10b18ee14cf7440c8e0c4

SHA256
6c84c1ae4e1b7c7d0198ed1ded755bd0226d5cb341a5ec91337a33a42aca6064

SHA512
8e45d4911b012f193624a018ef6ba6cb6d573aaf8f3a7e2d3cc1fd83a5542bd27d47e900c4515d0096b3f6ee5f5f8a8a5fee2f71a0d75548e39e14190a6e4039

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads