186a07aac6cec5fd49bf4bcec01a32e744b95a0467ce06ad3feb9baa965dc02d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Size

168KB
MD5

b154ca9d59307346fe77450ccc21ac14
SHA1

32148aaa995008507ad45c67a63303a3689538e8
SHA256

186a07aac6cec5fd49bf4bcec01a32e744b95a0467ce06ad3feb9baa965dc02d
SHA512

b114569b4bbc363705943eeed2dd36afa8e517edacf32d7c2fce6b3b64d3d6ae369ca3be0a0aa41ce4b09cc2ff031fce444619a909b422146db49620e404186f
SSDEEP

1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002321c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023231-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023133-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023245-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002334e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023119-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002334e-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023119-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023374-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ba-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e56c-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e56e-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8EEFB1-F915-429b-BF27-809CE51DDA25}	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B27CA95-3476-4241-9419-469C457654F1}	{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F12231-2ECC-41af-8267-B60E5E74CC02}	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}\stubpath = "C:\\Windows\\{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe"	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}\stubpath = "C:\\Windows\\{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe"	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68248C0-EFD2-4c57-A669-F3FDDC14454C}	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}\stubpath = "C:\\Windows\\{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe"	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}\stubpath = "C:\\Windows\\{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe"	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC35C5A8-1EB4-4399-B789-57A596E48132}\stubpath = "C:\\Windows\\{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe"	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F12231-2ECC-41af-8267-B60E5E74CC02}\stubpath = "C:\\Windows\\{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe"	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}\stubpath = "C:\\Windows\\{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe"	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC35C5A8-1EB4-4399-B789-57A596E48132}	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8EEFB1-F915-429b-BF27-809CE51DDA25}\stubpath = "C:\\Windows\\{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe"	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A2AB533-72B5-4754-A467-101CA9B40180}	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}\stubpath = "C:\\Windows\\{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe"	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A2AB533-72B5-4754-A467-101CA9B40180}\stubpath = "C:\\Windows\\{4A2AB533-72B5-4754-A467-101CA9B40180}.exe"	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B27CA95-3476-4241-9419-469C457654F1}\stubpath = "C:\\Windows\\{9B27CA95-3476-4241-9419-469C457654F1}.exe"	{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68248C0-EFD2-4c57-A669-F3FDDC14454C}\stubpath = "C:\\Windows\\{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe"	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe
2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe
1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe
3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe
3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe
4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe
4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe
4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe
996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe
3424	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe
2344	{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe
2176	{9B27CA95-3476-4241-9419-469C457654F1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
File created	C:\Windows\{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe
File created	C:\Windows\{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe
File created	C:\Windows\{9B27CA95-3476-4241-9419-469C457654F1}.exe	{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe
File created	C:\Windows\{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe
File created	C:\Windows\{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe
File created	C:\Windows\{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe
File created	C:\Windows\{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe
File created	C:\Windows\{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe
File created	C:\Windows\{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe
File created	C:\Windows\{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe
File created	C:\Windows\{4A2AB533-72B5-4754-A467-101CA9B40180}.exe	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1660	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe
Token: SeIncBasePriorityPrivilege	2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe
Token: SeIncBasePriorityPrivilege	1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe
Token: SeIncBasePriorityPrivilege	3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe
Token: SeIncBasePriorityPrivilege	3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe
Token: SeIncBasePriorityPrivilege	4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe
Token: SeIncBasePriorityPrivilege	4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe
Token: SeIncBasePriorityPrivilege	4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe
Token: SeIncBasePriorityPrivilege	996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe
Token: SeIncBasePriorityPrivilege	3424	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe
Token: SeIncBasePriorityPrivilege	2344	{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 3896	1660	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	92
PID 1660 wrote to memory of 3896	1660	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	92
PID 1660 wrote to memory of 3896	1660	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	92
PID 1660 wrote to memory of 1408	1660	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	93
PID 1660 wrote to memory of 1408	1660	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	93
PID 1660 wrote to memory of 1408	1660	2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe	93
PID 3896 wrote to memory of 2536	3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe	99
PID 3896 wrote to memory of 2536	3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe	99
PID 3896 wrote to memory of 2536	3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe	99
PID 3896 wrote to memory of 4040	3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe	100
PID 3896 wrote to memory of 4040	3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe	100
PID 3896 wrote to memory of 4040	3896	{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe	100
PID 2536 wrote to memory of 1844	2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe	110
PID 2536 wrote to memory of 1844	2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe	110
PID 2536 wrote to memory of 1844	2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe	110
PID 2536 wrote to memory of 4368	2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe	111
PID 2536 wrote to memory of 4368	2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe	111
PID 2536 wrote to memory of 4368	2536	{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe	111
PID 1844 wrote to memory of 3936	1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe	112
PID 1844 wrote to memory of 3936	1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe	112
PID 1844 wrote to memory of 3936	1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe	112
PID 1844 wrote to memory of 4696	1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe	113
PID 1844 wrote to memory of 4696	1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe	113
PID 1844 wrote to memory of 4696	1844	{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe	113
PID 3936 wrote to memory of 3288	3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe	116
PID 3936 wrote to memory of 3288	3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe	116
PID 3936 wrote to memory of 3288	3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe	116
PID 3936 wrote to memory of 1692	3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe	117
PID 3936 wrote to memory of 1692	3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe	117
PID 3936 wrote to memory of 1692	3936	{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe	117
PID 3288 wrote to memory of 4696	3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe	119
PID 3288 wrote to memory of 4696	3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe	119
PID 3288 wrote to memory of 4696	3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe	119
PID 3288 wrote to memory of 1560	3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe	120
PID 3288 wrote to memory of 1560	3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe	120
PID 3288 wrote to memory of 1560	3288	{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe	120
PID 4696 wrote to memory of 4148	4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe	121
PID 4696 wrote to memory of 4148	4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe	121
PID 4696 wrote to memory of 4148	4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe	121
PID 4696 wrote to memory of 1708	4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe	122
PID 4696 wrote to memory of 1708	4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe	122
PID 4696 wrote to memory of 1708	4696	{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe	122
PID 4148 wrote to memory of 4544	4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe	123
PID 4148 wrote to memory of 4544	4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe	123
PID 4148 wrote to memory of 4544	4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe	123
PID 4148 wrote to memory of 4372	4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe	124
PID 4148 wrote to memory of 4372	4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe	124
PID 4148 wrote to memory of 4372	4148	{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe	124
PID 4544 wrote to memory of 996	4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe	125
PID 4544 wrote to memory of 996	4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe	125
PID 4544 wrote to memory of 996	4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe	125
PID 4544 wrote to memory of 1560	4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe	126
PID 4544 wrote to memory of 1560	4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe	126
PID 4544 wrote to memory of 1560	4544	{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe	126
PID 996 wrote to memory of 3424	996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe	127
PID 996 wrote to memory of 3424	996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe	127
PID 996 wrote to memory of 3424	996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe	127
PID 996 wrote to memory of 2368	996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe	128
PID 996 wrote to memory of 2368	996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe	128
PID 996 wrote to memory of 2368	996	{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe	128
PID 3424 wrote to memory of 2344	3424	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe	129
PID 3424 wrote to memory of 2344	3424	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe	129
PID 3424 wrote to memory of 2344	3424	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe	129
PID 3424 wrote to memory of 4016	3424	{4A2AB533-72B5-4754-A467-101CA9B40180}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_b154ca9d59307346fe77450ccc21ac14_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe
  C:\Windows\{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe
    C:\Windows\{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe
      C:\Windows\{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe
        
        C:\Windows\{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe
        
        C:\Windows\{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe
        
        C:\Windows\{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe
        
        C:\Windows\{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe
        
        C:\Windows\{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe
        
        C:\Windows\{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{4A2AB533-72B5-4754-A467-101CA9B40180}.exe
        
        C:\Windows\{4A2AB533-72B5-4754-A467-101CA9B40180}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe
        
        C:\Windows\{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{9B27CA95-3476-4241-9419-469C457654F1}.exe
        
        C:\Windows\{9B27CA95-3476-4241-9419-469C457654F1}.exe
        13⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D8EE~1.EXE > nul
        13⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A2AB~1.EXE > nul
        12⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03F12~1.EXE > nul
        11⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC35C~1.EXE > nul
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C33D~1.EXE > nul
        9⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22FCD~1.EXE > nul
        8⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6824~1.EXE > nul
        7⤵
        
        PID:1560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47D2B~1.EXE > nul
        6⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC2D~1.EXE > nul
        5⤵
        
        PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B8BF~1.EXE > nul
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{95F30~1.EXE > nul
    3⤵
    PID:4040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03F12231-2ECC-41af-8267-B60E5E74CC02}.exe

Filesize
168KB

MD5
80b7845232b09300378197da9f929fe1

SHA1
151875fdb219bede9e50a2370d97ab1ea714c1a6

SHA256
2c9a81558d7753b2fc66e390dfe80599b3af055dd5fcd03133414d40b7a629a6

SHA512
df798b14cd8135a26e5b869031f2ed40214d1007aec333638647d56af54a09244dcdf6c2af3c8e33e67ee76dae8916a2b20284f88d1db05cd64651d1152ef782

Download Submit
C:\Windows\{0AC2DCFB-2F8D-41a6-9EC9-5E5D64187E88}.exe

Filesize
168KB

MD5
c6552029910db9ff9ea4ef0bbb42b839

SHA1
9d6fcec16f94b55f9cdd7a515102f7887c5b91a0

SHA256
c4256dfbaa4b5edb6da8372598e2bd6bca863647ed357a24e6ea49105509a56d

SHA512
e7ce46520b2e0d34eb6f1d83f29b6ea5f18bbf7c4917093b066161c2b88d03572c16f6319699bf8d50059b327ebe9df6c1410383868372e5750ff390fdc7f8e3

Download Submit
C:\Windows\{22FCDF68-0F10-4a7f-A7EB-69E6EFA58475}.exe

Filesize
168KB

MD5
69bd5fc40b0522e45e65b4de36e276cb

SHA1
cdf76a0c236d0f030e68d57e11b80b74995803bc

SHA256
0c801c64af7e25e5589f857c0e4f6694ed6afd20dc1173ad1a4b72f64d71530b

SHA512
2fd24fec32584884c38e8f616e50b010d382434e1555fd50d801630588b94ab164227301f782bc165b0dedf9a47127c41ba65ddbeaccdf77b71f3660cb58160a

Download Submit
C:\Windows\{2C33D8EE-CEEC-46dc-BFE0-0095CAD0ED5A}.exe

Filesize
168KB

MD5
98af0f744c358dfbd2b8d7f04ce7ad56

SHA1
d45abd4abcaa778172ab57aaa9356ce601e0b706

SHA256
ced219e05f36202ba6a8693b409f9befe9d57a8e73a1a8d2c890a6284673e7ad

SHA512
7e3a30772b4720448b16ad474d2a06911d5124fcb095db3e8238a44a21c57eb595bbf46416ea44d9b88dc3a00fae0f2825d86e05d0026c2f4e460d1d17bbd32a

Download Submit
C:\Windows\{47D2B365-8A7D-4cf9-80F3-66F158ABA1C1}.exe

Filesize
168KB

MD5
6bb5068e43806ef5e6187dd37e1b6e29

SHA1
d3f08d4b61737e755a65f60c8c329b10285b31ed

SHA256
ba5e8f5550fee8d50bb90e4bf5bd7e37c4c3273fbac017475089d84850b23fa9

SHA512
75732258f71c267670bfbd3a99bdc58d49da6ac3b467bf91a7fb85523ad56e6ff455eadb1a2178e474dc3c758ec47cca14e04e08330f748b22ba033240ffe3c0

Download Submit
C:\Windows\{4A2AB533-72B5-4754-A467-101CA9B40180}.exe

Filesize
168KB

MD5
bd860fb490de10fdcd65e82c297e3c19

SHA1
1968ef04c18ea2a87aeeef00bc098e01903e55e9

SHA256
7bfb964756f8f3f310da0cf34ec12627f908d7fd9c82f4ef7fcfbad093ba099e

SHA512
7c080d7740e0a480a323e882bbc3e5ca63e3127ef71e00babccad31667641f07c5fd4ffe35f388dd23d6e51a7d929298f7f18d943734a54387590b2308b37c95

Download Submit
C:\Windows\{4B8BF391-1FFF-4c41-94B9-A63EB591D3D3}.exe

Filesize
168KB

MD5
a28abca7d2eb46056b9c7b3cf3d1f242

SHA1
8c6bf1b85c25cb6215a6ebf7f7d87ded679d35d0

SHA256
d210bb2a0ffd2e1c4a637e20acfa6bd6707b1945d3d0dced05dba63241393d62

SHA512
c4e5d314eaa6cc6a8960143b0bf083b2af28d8b26205c445a6f7bfcbce7b7bb41c50afccebffb9d3bbda583940a11faff8f47aec662e3954b941fd1910b00c88

Download Submit
C:\Windows\{7D8EEFB1-F915-429b-BF27-809CE51DDA25}.exe

Filesize
168KB

MD5
09f10dbfb4dc2e3ca56f470199bf9486

SHA1
8a508eb088816f90a5e8f3074a090ab113ba457b

SHA256
4097d0fc3e4e221d7d0fe4521de90302b6045a33c87652e35ecb922f324f6af9

SHA512
b19ba8808f8941f6371771efa28ed66b45abfab8310f8f5618dbf3dd4a505647c9594dae9a0989021387882d11f1b1d3ff2efa6c3434a4e5a382177207838018

Download Submit
C:\Windows\{95F30EF3-E5C1-4d17-BA1E-06853F17C34B}.exe

Filesize
168KB

MD5
3c7dd866c023affaca4bd5a9a5f34034

SHA1
7865d27799293eb781d41434e24540e7aadf195f

SHA256
a6e3425ea3509b85aea9cc7998c589442374fece5ec7524f075086ca366e66eb

SHA512
c208db6cb04daa5d20eb6d2018c5509bda162056fa2d4b5946ddd55b8f804e75fc27e7865e3873b0ea01f8c450b6147fb69a22b7f7969bf64d2e48a5f4893aa4

Download Submit
C:\Windows\{9B27CA95-3476-4241-9419-469C457654F1}.exe

Filesize
168KB

MD5
90ceb06b38bb98e875fb0a5a36bb3d58

SHA1
e88958d7ac000476aa53a7945eee109ebfa38dfa

SHA256
e0e7508fc07ec1e4ce0612dabe8c52d6613fa2455428089563571a0b95a38a82

SHA512
667779a5978fa327a6232c1abdc68f7e51ecbc0ddc5dcaee59513efa05b784eac0c1837c228e90ad6d58cb9ef5ae6e6eeb8ca0fd1d1faf2581ba59c61b1797a5

Download Submit
C:\Windows\{AC35C5A8-1EB4-4399-B789-57A596E48132}.exe

Filesize
168KB

MD5
22af8f493eaf75c546839be504c48d01

SHA1
5c1e5265eae8f6a4e79e8e67c3432383f4e4be9d

SHA256
e40b2ca31eac2d497cda0841ff13d57c8c01f1b21151bcce9294fe197f9b9269

SHA512
c3e7cbc862f3d6d1752f88e4a4daf277530860fcf8cf0ba6e671fb13e7edb605fc9fdc955c6c192d388af30c3f506f885681193c3de7ad72e7deadc36da81392

Download Submit
C:\Windows\{E68248C0-EFD2-4c57-A669-F3FDDC14454C}.exe

Filesize
168KB

MD5
b93d3c90aa5230ae829033bdfbea6424

SHA1
cd42c944019d12a99f18e37d8c98e25fcca26ec6

SHA256
7aaaf5adfca23e20451a08efa442d67be1144718d94907ff667c37d9098fad3a

SHA512
b7896698e2c830a0bccb64e0038a96beba89efe299d799367322991b38c4caee25053449d008d1164019de3eabbd7696fbc65f5ae64d9fff5d337cd8f9eab20e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads