2d257435357de3c66748a6903f2b1275b6e2f2adb92b875d4e3a06d213c5f2fa

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe
Size

408KB
MD5

ff01018b85fa5b5ab677f3905ebf3012
SHA1

74e14fbb28971c41c6232fe83a51db3b38416d59
SHA256

2d257435357de3c66748a6903f2b1275b6e2f2adb92b875d4e3a06d213c5f2fa
SHA512

051dc6e215efbf40cc77a46c4b4fa310c7a6e2bf75b0d5d5bab4ea43c794dcae6eb09047f1d09425565e8b6d3e3bde16ea63ba0d6cc520d673d63e28af9540e9
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGJldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023210-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023218-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000002287a-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023340-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e39c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002334b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002287a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002311c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e56c-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e56e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002339b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002339c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}\stubpath = "C:\\Windows\\{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe"	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D369AF71-5687-4655-867D-6B1F3EAB9778}	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304E22A0-5E54-4648-80E9-05DBCD7B9A66}	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304E22A0-5E54-4648-80E9-05DBCD7B9A66}\stubpath = "C:\\Windows\\{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe"	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}\stubpath = "C:\\Windows\\{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe"	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}	{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61EB45C3-BEA9-4fdd-8A04-392349670801}	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0C53DD0-9B55-4748-B84B-46173C84D7DC}\stubpath = "C:\\Windows\\{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe"	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}\stubpath = "C:\\Windows\\{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe"	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D369AF71-5687-4655-867D-6B1F3EAB9778}\stubpath = "C:\\Windows\\{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe"	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}\stubpath = "C:\\Windows\\{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe"	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61EB45C3-BEA9-4fdd-8A04-392349670801}\stubpath = "C:\\Windows\\{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe"	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}\stubpath = "C:\\Windows\\{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}.exe"	{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}\stubpath = "C:\\Windows\\{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe"	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}\stubpath = "C:\\Windows\\{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe"	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0C53DD0-9B55-4748-B84B-46173C84D7DC}	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}\stubpath = "C:\\Windows\\{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe"	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe

Executes dropped EXE 12 IoCs

pid	Process
2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe
4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe
4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe
3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe
968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe
4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe
4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe
1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe
2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe
4412	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe
3216	{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe
2664	{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe
File created	C:\Windows\{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe
File created	C:\Windows\{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe
File created	C:\Windows\{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}.exe	{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe
File created	C:\Windows\{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe
File created	C:\Windows\{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe
File created	C:\Windows\{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe
File created	C:\Windows\{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe
File created	C:\Windows\{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe
File created	C:\Windows\{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe
File created	C:\Windows\{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe
File created	C:\Windows\{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3852	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe
Token: SeIncBasePriorityPrivilege	4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe
Token: SeIncBasePriorityPrivilege	4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe
Token: SeIncBasePriorityPrivilege	3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe
Token: SeIncBasePriorityPrivilege	968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe
Token: SeIncBasePriorityPrivilege	4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe
Token: SeIncBasePriorityPrivilege	4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe
Token: SeIncBasePriorityPrivilege	1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe
Token: SeIncBasePriorityPrivilege	2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe
Token: SeIncBasePriorityPrivilege	4412	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe
Token: SeIncBasePriorityPrivilege	3216	{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2292	3852	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe	98
PID 3852 wrote to memory of 2292	3852	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe	98
PID 3852 wrote to memory of 2292	3852	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe	98
PID 3852 wrote to memory of 4180	3852	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe	99
PID 3852 wrote to memory of 4180	3852	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe	99
PID 3852 wrote to memory of 4180	3852	2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe	99
PID 2292 wrote to memory of 4000	2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe	101
PID 2292 wrote to memory of 4000	2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe	101
PID 2292 wrote to memory of 4000	2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe	101
PID 2292 wrote to memory of 3648	2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe	102
PID 2292 wrote to memory of 3648	2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe	102
PID 2292 wrote to memory of 3648	2292	{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe	102
PID 4000 wrote to memory of 4932	4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe	107
PID 4000 wrote to memory of 4932	4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe	107
PID 4000 wrote to memory of 4932	4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe	107
PID 4000 wrote to memory of 2308	4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe	108
PID 4000 wrote to memory of 2308	4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe	108
PID 4000 wrote to memory of 2308	4000	{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe	108
PID 4932 wrote to memory of 3036	4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe	111
PID 4932 wrote to memory of 3036	4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe	111
PID 4932 wrote to memory of 3036	4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe	111
PID 4932 wrote to memory of 3724	4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe	112
PID 4932 wrote to memory of 3724	4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe	112
PID 4932 wrote to memory of 3724	4932	{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe	112
PID 3036 wrote to memory of 968	3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe	113
PID 3036 wrote to memory of 968	3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe	113
PID 3036 wrote to memory of 968	3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe	113
PID 3036 wrote to memory of 4592	3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe	114
PID 3036 wrote to memory of 4592	3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe	114
PID 3036 wrote to memory of 4592	3036	{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe	114
PID 968 wrote to memory of 4068	968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe	115
PID 968 wrote to memory of 4068	968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe	115
PID 968 wrote to memory of 4068	968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe	115
PID 968 wrote to memory of 4452	968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe	116
PID 968 wrote to memory of 4452	968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe	116
PID 968 wrote to memory of 4452	968	{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe	116
PID 4068 wrote to memory of 4512	4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe	121
PID 4068 wrote to memory of 4512	4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe	121
PID 4068 wrote to memory of 4512	4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe	121
PID 4068 wrote to memory of 4312	4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe	122
PID 4068 wrote to memory of 4312	4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe	122
PID 4068 wrote to memory of 4312	4068	{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe	122
PID 4512 wrote to memory of 1012	4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe	123
PID 4512 wrote to memory of 1012	4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe	123
PID 4512 wrote to memory of 1012	4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe	123
PID 4512 wrote to memory of 368	4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe	124
PID 4512 wrote to memory of 368	4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe	124
PID 4512 wrote to memory of 368	4512	{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe	124
PID 1012 wrote to memory of 2424	1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe	125
PID 1012 wrote to memory of 2424	1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe	125
PID 1012 wrote to memory of 2424	1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe	125
PID 1012 wrote to memory of 3324	1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe	126
PID 1012 wrote to memory of 3324	1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe	126
PID 1012 wrote to memory of 3324	1012	{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe	126
PID 2424 wrote to memory of 4412	2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe	127
PID 2424 wrote to memory of 4412	2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe	127
PID 2424 wrote to memory of 4412	2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe	127
PID 2424 wrote to memory of 4968	2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe	128
PID 2424 wrote to memory of 4968	2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe	128
PID 2424 wrote to memory of 4968	2424	{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe	128
PID 4412 wrote to memory of 3216	4412	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe	130
PID 4412 wrote to memory of 3216	4412	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe	130
PID 4412 wrote to memory of 3216	4412	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe	130
PID 4412 wrote to memory of 4420	4412	{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_ff01018b85fa5b5ab677f3905ebf3012_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe
  C:\Windows\{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe
    C:\Windows\{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe
      C:\Windows\{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe
        
        C:\Windows\{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe
        
        C:\Windows\{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe
        
        C:\Windows\{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe
        
        C:\Windows\{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe
        
        C:\Windows\{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe
        
        C:\Windows\{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe
        
        C:\Windows\{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe
        
        C:\Windows\{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}.exe
        
        C:\Windows\{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}.exe
        13⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D369A~1.EXE > nul
        13⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68CDD~1.EXE > nul
        12⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD73D~1.EXE > nul
        11⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D83A6~1.EXE > nul
        10⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0C53~1.EXE > nul
        9⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B16B5~1.EXE > nul
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A81D9~1.EXE > nul
        7⤵
        
        PID:4452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{304E2~1.EXE > nul
        6⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3331~1.EXE > nul
        5⤵
        
        PID:3724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{61EB4~1.EXE > nul
      4⤵
      PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5DEEB~1.EXE > nul
    3⤵
    PID:3648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{304E22A0-5E54-4648-80E9-05DBCD7B9A66}.exe

Filesize
408KB

MD5
39c285184fac5c3c1a465186f91cfb1c

SHA1
79cf2b8c227ffe4e34b7a4978334e008c680c227

SHA256
d953306e2df81fa21688bd8e8a93438ecbda2957b0b6185a3a73f8ff8ea13527

SHA512
9574c328838491726f8213fd3303f1df00a36d9f68672e93dad047005bead91fd4e67208d74b2aecc50924143e20c6b8b41ce9943b604c18b787d8a79996d775

Download Submit
C:\Windows\{5DEEB14C-9B79-4b8c-BDC5-34085D12AE95}.exe

Filesize
408KB

MD5
3363f3d8911989f826bbefd1258aa6b6

SHA1
349f6c2fe3a57187ebdd3446967b683da66f5775

SHA256
47bb3ec34b463635795757d1c6714c4ae1646796b6e8faa2f211c63ed1327f39

SHA512
496f682bcf73eddca65f7f42c6a4170f9dd914ab06384187a1d100ac7fe209cac79a04ed5970b3601c8c9dd4d9d135612fba23010f74ea0fc2642ccf33d86ae5

Download Submit
C:\Windows\{61EB45C3-BEA9-4fdd-8A04-392349670801}.exe

Filesize
408KB

MD5
933dcfeb73af052abcfe7c8a99b83bed

SHA1
0fa8d243b8a36f63170056088171a433685fb5ce

SHA256
4a5e54c6124f3360813ce988c6f31a48b1afbed1c8ca30de669b7589d5fdb919

SHA512
e7e13fb980b92551760dedc398c7bf358b0c489712abb609de54e96d8560022efdb381d3cba2e4930a4076b6290cdf950ebe2f216ea86d72061d50659b8a7978

Download Submit
C:\Windows\{68CDD1D4-235B-4953-A8CE-8D7E8972AC18}.exe

Filesize
408KB

MD5
d170fe7253d4229c4de8a10ab1e1deb8

SHA1
c527263097a935f43e939ed778dba9a86eaae479

SHA256
940ea237e43a5ed781e5232608b8a44748b7bb3b1a1aeb44cd39d62aef989389

SHA512
d1be118acba183959b690489668b3b349591e368d15a7e99c1401c4b7d4d9442088cc5200969dcf6f3e93acdb0e837d24925b4d6db573754dd8a1a8fc621d90f

Download Submit
C:\Windows\{A3331CDB-799A-4977-8CCF-1FEAD7C7767D}.exe

Filesize
408KB

MD5
6d9853ccc372ce39aa925cfda6d9fa22

SHA1
5701504fd692ca1488e7a6e34483f8da390f7d98

SHA256
3d12de8cd84d2506bec4d718da1f1953ff5c3bf0c0913619af70bb7928c3e9b6

SHA512
5f124495fb28e50cb20fa73f7e06f052cccc536cd4444996bd8aae7267de66f65838b1c603b8ec6a24ecb2fafde79544a09b0ff8accc9da9408e12b99291871d

Download Submit
C:\Windows\{A81D913A-0A89-41fc-BFC4-F9A4660D09E2}.exe

Filesize
408KB

MD5
33ae8bdf3c295a52d81a08262de202ea

SHA1
7dcf0da2ddf04bdfd5de6b78fd8bc8f9039181ec

SHA256
8bc6f099ce26c6afda2426c291a344955085a882d65e68dd70449010933bce48

SHA512
5e8242f0a49e89511a362ff423d71213a054c7d2e9cfba2e135c98453ae86aa32e7604dc909587211c667da5a4c12d89f964ceeefda8621f7cbf951b2bff50a3

Download Submit
C:\Windows\{B16B5BA7-EF56-4b29-98AB-8C19E00E3F43}.exe

Filesize
408KB

MD5
5c338168b517005b42a6131c15e39daf

SHA1
760623be71b267ba5f76a20710909dc96199b00a

SHA256
6c3b8fddfb6456e7fee7ca0c58fbe2302c782c547d6841a1552400351a7cebe8

SHA512
74cb526663d3ba1b915c3d04ec72ceb9c59c6fdd4794b240e332a4db26907ff9954d4b63cd42b647888a55506fec4c1511880966d20521763f6d8422e01112b1

Download Submit
C:\Windows\{C734E15E-6C21-4f0b-A73A-6B7F3D4413EF}.exe

Filesize
408KB

MD5
e138642a70b546dbaf4da40d25a50c66

SHA1
2d9d405e5cb1a4a77a4951a87413445b9d573472

SHA256
d19b0b4d9e8060b98f2d6e8d97cf7d3f09098bfa34e7d28356dae0672dacb8ca

SHA512
8d8e13a3d71b7316bf4003f234deb1003f5e1e176d7a5787d3abf50bd72bf2cbd77918e3ab9fa093b73784b65ce2c22a332af56ef7be1e61fdfb9d9b5e388f4c

Download Submit
C:\Windows\{D369AF71-5687-4655-867D-6B1F3EAB9778}.exe

Filesize
408KB

MD5
5e28ea09aaee60f438d604ed54b2d4c7

SHA1
f694ac8a82c3e74854769ac3220642e0ac1f60ca

SHA256
0b5ee62fd1e561acadaf1a7dfcc3833828dea3a1b455916b611f3773ed269e0c

SHA512
739c1eb710ce5362bbc8b55c354233c098127940affe452054eda832ebc00846eead7e76f0bf80b580bea0ac0a3c8207ec1edd1faafd854cf7e07a204e9cd358

Download Submit
C:\Windows\{D83A6BF9-D14F-442f-AA06-BA4C5F80F7AC}.exe

Filesize
408KB

MD5
f46a38863febc2f820fc01735c0fb41a

SHA1
96168154d2d59b48a841898113f40decef3f7df7

SHA256
0194baf27baf50404f2ba47401f13111cccd7279fc2061ff986011c228cf3ea0

SHA512
655a0fcb2a59ac11ff251bd336c122c6e31d2d97b83340c62110faf5a0b6547ea9502c86c00b04c994de0b63b797836669b6ebe7f91f0e657140429c1c1826af

Download Submit
C:\Windows\{F0C53DD0-9B55-4748-B84B-46173C84D7DC}.exe

Filesize
408KB

MD5
1eb52bd58b8ffe87e0f5d27d774da390

SHA1
688ce41202180eb24cc842555ae134fff3ad84f9

SHA256
c96b85d121615a57bd50eb074e44e56fd4d70887618afff2807f30080f9bcd6b

SHA512
4ae66dc0badf848cf93a9d6b52ecc8cbb1028dd8a375fb2e31747e02df16efe0726ae2a66955ab1d45cf1f923e4ddb2cb4825ea799995ff0513c3636c893cb1b

Download Submit
C:\Windows\{FD73D851-8AFA-4bcf-8A41-09FFAF3AE8B8}.exe

Filesize
408KB

MD5
cac47fa9b0bab198e49b3a462f298d45

SHA1
c7c7541f9b0193fa31cf115aa021446305bd5c3b

SHA256
741c45d7d8f88f02a54fc58c16509851d1c7543a603873adaa8038764699358c

SHA512
590b949373aafe8fb7487453f9ff543f652406ad68bb271368b577ae83e31fc6b6ed2c6e8b41a7d4370bb27a3c3f0620a13acccf79e45f63a91f4943cc584f67

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads