b9292755ff74daf07292c57826dfa3f05e02aa114992afbe16e985943363ddfe

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe
Size

180KB
MD5

a1f4550fcb22d668204987bb810420d0
SHA1

9de01b3307fafbf333b3970d7cef460f560bd15e
SHA256

b9292755ff74daf07292c57826dfa3f05e02aa114992afbe16e985943363ddfe
SHA512

5e6aafa11ad1430f44b1c5adbf26d829aced40da7b3a2bc18b9681cea97929d3b5bb3e47701727d0296d403e4e6763f47e4b3393bf57c8cd281e7f67a61889e4
SSDEEP

3072:jEGh0oHlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023200-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023108-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023214-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002330e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023214-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002330e-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023375-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023387-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002338a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b9-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006cf-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A045BCC8-438A-41af-BE3B-14C71A450AD3}	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{859665C6-235D-4be1-A6A8-F07EAB4DDF05}\stubpath = "C:\\Windows\\{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe"	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735031F5-D11E-4d8a-8EC9-A207D85519E6}\stubpath = "C:\\Windows\\{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe"	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0387E585-222B-45a8-8357-EEB8D28F5678}	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBC8CB2E-D388-4e21-A21F-B74364796DDC}\stubpath = "C:\\Windows\\{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe"	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}\stubpath = "C:\\Windows\\{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe"	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}\stubpath = "C:\\Windows\\{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe"	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}\stubpath = "C:\\Windows\\{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe"	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735031F5-D11E-4d8a-8EC9-A207D85519E6}	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4222BE-107E-46c1-952D-FAC693907AA1}	{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBC8CB2E-D388-4e21-A21F-B74364796DDC}	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E4222BE-107E-46c1-952D-FAC693907AA1}\stubpath = "C:\\Windows\\{6E4222BE-107E-46c1-952D-FAC693907AA1}.exe"	{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A045BCC8-438A-41af-BE3B-14C71A450AD3}\stubpath = "C:\\Windows\\{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe"	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}\stubpath = "C:\\Windows\\{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe"	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}\stubpath = "C:\\Windows\\{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe"	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0387E585-222B-45a8-8357-EEB8D28F5678}\stubpath = "C:\\Windows\\{0387E585-222B-45a8-8357-EEB8D28F5678}.exe"	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{859665C6-235D-4be1-A6A8-F07EAB4DDF05}	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}\stubpath = "C:\\Windows\\{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe"	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe

Deletes itself 1 IoCs

pid	Process
4504	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe
3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe
4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe
2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe
4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe
2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe
4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe
1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe
3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe
2064	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe
4304	{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe
4396	{6E4222BE-107E-46c1-952D-FAC693907AA1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe
File created	C:\Windows\{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe
File created	C:\Windows\{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe
File created	C:\Windows\{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe
File created	C:\Windows\{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe
File created	C:\Windows\{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe
File created	C:\Windows\{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe
File created	C:\Windows\{0387E585-222B-45a8-8357-EEB8D28F5678}.exe	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe
File created	C:\Windows\{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe
File created	C:\Windows\{6E4222BE-107E-46c1-952D-FAC693907AA1}.exe	{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe
File created	C:\Windows\{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe
File created	C:\Windows\{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4908	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe
Token: SeIncBasePriorityPrivilege	3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe
Token: SeIncBasePriorityPrivilege	4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe
Token: SeIncBasePriorityPrivilege	2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe
Token: SeIncBasePriorityPrivilege	4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe
Token: SeIncBasePriorityPrivilege	2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe
Token: SeIncBasePriorityPrivilege	4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe
Token: SeIncBasePriorityPrivilege	1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe
Token: SeIncBasePriorityPrivilege	3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe
Token: SeIncBasePriorityPrivilege	2064	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe
Token: SeIncBasePriorityPrivilege	4304	{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4824	4908	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe	97
PID 4908 wrote to memory of 4824	4908	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe	97
PID 4908 wrote to memory of 4824	4908	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe	97
PID 4908 wrote to memory of 4504	4908	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe	98
PID 4908 wrote to memory of 4504	4908	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe	98
PID 4908 wrote to memory of 4504	4908	2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe	98
PID 4824 wrote to memory of 3740	4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe	100
PID 4824 wrote to memory of 3740	4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe	100
PID 4824 wrote to memory of 3740	4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe	100
PID 4824 wrote to memory of 2552	4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe	101
PID 4824 wrote to memory of 2552	4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe	101
PID 4824 wrote to memory of 2552	4824	{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe	101
PID 3740 wrote to memory of 4988	3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe	104
PID 3740 wrote to memory of 4988	3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe	104
PID 3740 wrote to memory of 4988	3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe	104
PID 3740 wrote to memory of 3964	3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe	105
PID 3740 wrote to memory of 3964	3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe	105
PID 3740 wrote to memory of 3964	3740	{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe	105
PID 4988 wrote to memory of 2008	4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe	107
PID 4988 wrote to memory of 2008	4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe	107
PID 4988 wrote to memory of 2008	4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe	107
PID 4988 wrote to memory of 2128	4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe	108
PID 4988 wrote to memory of 2128	4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe	108
PID 4988 wrote to memory of 2128	4988	{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe	108
PID 2008 wrote to memory of 4880	2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe	109
PID 2008 wrote to memory of 4880	2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe	109
PID 2008 wrote to memory of 4880	2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe	109
PID 2008 wrote to memory of 3380	2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe	110
PID 2008 wrote to memory of 3380	2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe	110
PID 2008 wrote to memory of 3380	2008	{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe	110
PID 4880 wrote to memory of 2024	4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe	112
PID 4880 wrote to memory of 2024	4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe	112
PID 4880 wrote to memory of 2024	4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe	112
PID 4880 wrote to memory of 3848	4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe	113
PID 4880 wrote to memory of 3848	4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe	113
PID 4880 wrote to memory of 3848	4880	{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe	113
PID 2024 wrote to memory of 4064	2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe	114
PID 2024 wrote to memory of 4064	2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe	114
PID 2024 wrote to memory of 4064	2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe	114
PID 2024 wrote to memory of 1588	2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe	115
PID 2024 wrote to memory of 1588	2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe	115
PID 2024 wrote to memory of 1588	2024	{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe	115
PID 4064 wrote to memory of 1456	4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe	116
PID 4064 wrote to memory of 1456	4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe	116
PID 4064 wrote to memory of 1456	4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe	116
PID 4064 wrote to memory of 3164	4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe	117
PID 4064 wrote to memory of 3164	4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe	117
PID 4064 wrote to memory of 3164	4064	{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe	117
PID 1456 wrote to memory of 3528	1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe	122
PID 1456 wrote to memory of 3528	1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe	122
PID 1456 wrote to memory of 3528	1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe	122
PID 1456 wrote to memory of 1672	1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe	123
PID 1456 wrote to memory of 1672	1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe	123
PID 1456 wrote to memory of 1672	1456	{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe	123
PID 3528 wrote to memory of 2064	3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe	124
PID 3528 wrote to memory of 2064	3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe	124
PID 3528 wrote to memory of 2064	3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe	124
PID 3528 wrote to memory of 4032	3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe	125
PID 3528 wrote to memory of 4032	3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe	125
PID 3528 wrote to memory of 4032	3528	{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe	125
PID 2064 wrote to memory of 4304	2064	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe	126
PID 2064 wrote to memory of 4304	2064	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe	126
PID 2064 wrote to memory of 4304	2064	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe	126
PID 2064 wrote to memory of 1172	2064	{0387E585-222B-45a8-8357-EEB8D28F5678}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_a1f4550fcb22d668204987bb810420d0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe
  C:\Windows\{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe
    C:\Windows\{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe
      C:\Windows\{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe
        
        C:\Windows\{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe
        
        C:\Windows\{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe
        
        C:\Windows\{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe
        
        C:\Windows\{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe
        
        C:\Windows\{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe
        
        C:\Windows\{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\{0387E585-222B-45a8-8357-EEB8D28F5678}.exe
        
        C:\Windows\{0387E585-222B-45a8-8357-EEB8D28F5678}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe
        
        C:\Windows\{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\{6E4222BE-107E-46c1-952D-FAC693907AA1}.exe
        
        C:\Windows\{6E4222BE-107E-46c1-952D-FAC693907AA1}.exe
        13⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC8C~1.EXE > nul
        13⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0387E~1.EXE > nul
        12⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F51F7~1.EXE > nul
        11⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73503~1.EXE > nul
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87F7B~1.EXE > nul
        9⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85966~1.EXE > nul
        8⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C89CE~1.EXE > nul
        7⤵
        
        PID:3848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3E0~1.EXE > nul
        6⤵
        
        PID:3380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A045B~1.EXE > nul
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A5DAB~1.EXE > nul
      4⤵
      PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{25EF3~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0387E585-222B-45a8-8357-EEB8D28F5678}.exe

Filesize
180KB

MD5
d7bda592d17cf5baf5d1a1cc129352a4

SHA1
67c2502d944fe3db9b52d51baf0d1e195b3e4daf

SHA256
113c02d822f511297190bd376bccbaaf91874b30745b977c014e167cca82cb9a

SHA512
8649b317422b33ae53fd5044b14e957d0ebd66cb031389f418c37b51656dd363f3a02c4ba957b0b0b27cfe3d30017874918ef41f37fc893eac35205d5a98d0c3

Download Submit
C:\Windows\{25EF3FF4-5A52-43ba-ACF3-47F6119E068A}.exe

Filesize
180KB

MD5
025c0e061f9770852f789ab37a327566

SHA1
f8ba0533321b83451c581238e79ddff07190363d

SHA256
f4ee74d49bf2eac2b427953844d95f50ce6272f026be6eea60d2e6ae973eea51

SHA512
b533e6ad36011e4d5a24acedd3758cf2bc71b19a86563462383f9a1f222fa9e48dcccf64c745fd2c5066881947e846fe36dfb844c874d5c897238b49f712ad7e

Download Submit
C:\Windows\{6E4222BE-107E-46c1-952D-FAC693907AA1}.exe

Filesize
180KB

MD5
5044456574ffa7e105bb86f01c428728

SHA1
e290b7931f5e3c4a924dfa9a0b00f3c22a81464b

SHA256
676e8a69826d27a366ffc6ee23e8675f16c6cbb8c82565fb6e501da8daa569f4

SHA512
8f350be5e1c962c247b74caa206c8dff454720e69045f47330217bc30cf91b20bebbd1161f833c15b67ab2e03fb4ff37958dbd482aeca1b750bc65034f498051

Download Submit
C:\Windows\{735031F5-D11E-4d8a-8EC9-A207D85519E6}.exe

Filesize
180KB

MD5
b16788080a1ab5bdb3d3611073388fe2

SHA1
5540e7aeaaa2df3b0bc0e2252a56d7625af1faa7

SHA256
66f5536aa258af3424c9ec3a6811b3804415791492dc17c1d41701dbdddf6844

SHA512
1a2df6e2346277a1cd0ee00523649e5d60d8f0353fdcb0f59a4cdc39e188a12f627e5315dbd269480674724d9992e1719eb1858244990f33f8825a8140e0bbb2

Download Submit
C:\Windows\{859665C6-235D-4be1-A6A8-F07EAB4DDF05}.exe

Filesize
180KB

MD5
fb6be060ea75ae5a84177a5b0bad7653

SHA1
e2a994a881928d29ee0ffc1bc791b040e8a11ed0

SHA256
1203ec8cf14b7f5cb54af74ed51aa58e9cb75a3ac13a290423ff0aead37c574b

SHA512
48387ef3c12f115088dcf66913a4cb09007699fd75ecf02cd42ceb7fda8ea74e96cf9219819f36ca3f8abde367c8990391fd7cc292d84b4913668944a3aa0587

Download Submit
C:\Windows\{87F7B6EA-CBAE-4364-BA9C-9E57AE201619}.exe

Filesize
180KB

MD5
a6d9a8fc33185dfebf1f35a18ae137b3

SHA1
7b5f55fc2e2a47e5b633e9955fe082b3db0eed49

SHA256
8c3f651b2549639f62417470722a02f5c26706cf420f528173e5e6c57ee402cf

SHA512
92f5aa45c1c548235cb7f45d9447cc32ad9c9a31e477207a124776d4fe4fa92509a5ec537c77985a0ef5e5c9edcf5b6fa3b96322abbd2aa2a490089e57f62cf5

Download Submit
C:\Windows\{A045BCC8-438A-41af-BE3B-14C71A450AD3}.exe

Filesize
180KB

MD5
5f2fd2730ff5ae0ee839e445a3cc053d

SHA1
ea294a87377d301b9fe83c60fca74e4d4cf555a1

SHA256
08f652f14deb75eb547d10fbb5c2ec314dac232047e56f11b69568476f42e911

SHA512
dfe28363fd0d14ff5e069c936d97192c52cdd884142d9c326c9370a022b65e6a7d805152e0fd513e2312fec3d0bd165ed2ec517dd9a55c66d62449b09969c6cc

Download Submit
C:\Windows\{A5DAB933-3C98-4f11-A4AB-1FAA5A6B4487}.exe

Filesize
180KB

MD5
65e8f5cd317ec680ed89123b3596b90b

SHA1
9963d0c87b0c653b67ddba5f42421491604e50cd

SHA256
018bd297e6a1abada24aa388073611c8516d3b754487ab0271813662787de854

SHA512
8ad869efc759cad8c3851b5a397bb324ca54350042fa07a44b29485846a3f85bb41109045ce1c662b4761b5d6c592db5ef7d6614cc3296cf78a418acfa1cfd0c

Download Submit
C:\Windows\{C89CE80A-7D3C-45aa-BD61-26908F05D7F3}.exe

Filesize
180KB

MD5
14ea29ed46ed160210977dbc8db6d2a9

SHA1
8b869eec8c814ae2cc378f4d45eeeb0210a53fca

SHA256
baca51878ee2bb4670bf51d04c6e624317f007b76dc98ec3005b3ef615c7fbe8

SHA512
ea8eeeb9465f9b6c41ab1bd6391fd46863e6f7c349ec71a672d74e92405ef02c7832f88b2bd9c9dc6bc1d3b949c01efd843b34c6c9c94692c4948acb8f68079d

Download Submit
C:\Windows\{CBC8CB2E-D388-4e21-A21F-B74364796DDC}.exe

Filesize
180KB

MD5
1f7b61d0f9924b8d1e8f6cdcd6943f0a

SHA1
95532f806243863f2c38ab5ea67e951b3dae67cb

SHA256
8ab3c1bc5b237e1035ab0c893d05ab2ae5ac5a5a82ce96b2a5554831918d4f3d

SHA512
299463d067e6910611974a57a8c05fb4d4a59eb085152693cd903190363c2e58966567e10043158686fa8b397127127fd16ffb6976d91b4dc8454d5d796161b9

Download Submit
C:\Windows\{F51F7DC4-349D-48eb-A0D0-01315FB04FBC}.exe

Filesize
180KB

MD5
586978c8e0f08ff2c999761c61a7d47b

SHA1
7a026e8aa30d7df6247ae7d5b7205504f589878b

SHA256
bae9ab58b1edd92134355e0c63243e594388afa763101226cd0be7093a24c217

SHA512
5907f896f60b5e735c9ef8f5b06fb6d2ea4f4121bcda4471c9a80ca83357314896859efdb89fc4a0e2a07a8915ca12339b64e1a342fc26fd13aebc2f677ed652

Download Submit
C:\Windows\{FE3E094A-97E0-4ff5-87B0-031CDA11EFAB}.exe

Filesize
180KB

MD5
c54bb696410ea09468e22c3bb7f08b89

SHA1
5ff05ec6f2591ab84dcfe20120e53d555dc525f6

SHA256
3d79fe212aceb613454e2427ac88f94c65d1906d6fef2b690279ed9f5c8d788e

SHA512
625c94ce5f352f75e4c78db0099dbb11ae16c39d1b9d63ce77d0e8c6c13cc48e7f023f91693c58e9170e0701755a3054c583c227a822c328a88498153a144f76

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads