a76b0de94fdefedd7e05cb2d870b0a4e1ba1b00decce2f1a87bd030f00b2d9d0

Analysis

max time kernel
156s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Size

344KB
MD5

e77cc1c5995b8d825389c4fc17ce9778
SHA1

a22db6d7cafee3f30e4dd8271f8ec01914e7653d
SHA256

a76b0de94fdefedd7e05cb2d870b0a4e1ba1b00decce2f1a87bd030f00b2d9d0
SHA512

2356bd2da0bd368774e2cd096d573d74e63364c9d938408fecc1c84dd57d953b9e73f56a26358e0f530c907b8b7abd172320454cb680e3b3993fe2e8e7b251e4
SSDEEP

3072:mEGh0o2lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGUlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002320e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322a-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002330a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002312a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b9-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233ba-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233c0-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233e6-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234d4-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234d5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234d4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}\stubpath = "C:\\Windows\\{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe"	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5750B28D-9397-4228-ADE9-A4464A6FBD3E}	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42FC70E5-13DD-4e10-BC73-41D36C440D2E}	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B54E615-03EF-428b-9632-D9D383E96D2C}\stubpath = "C:\\Windows\\{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe"	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0988C14-2EAD-4e71-B0B0-46EE815BF668}\stubpath = "C:\\Windows\\{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe"	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1FA773-00CB-4d91-B329-156408D8AE6F}	{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E91C300-D360-4554-B354-6DC1369FA339}	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1FA773-00CB-4d91-B329-156408D8AE6F}\stubpath = "C:\\Windows\\{BD1FA773-00CB-4d91-B329-156408D8AE6F}.exe"	{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42FC70E5-13DD-4e10-BC73-41D36C440D2E}\stubpath = "C:\\Windows\\{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe"	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B54E615-03EF-428b-9632-D9D383E96D2C}	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0988C14-2EAD-4e71-B0B0-46EE815BF668}	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}\stubpath = "C:\\Windows\\{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe"	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}\stubpath = "C:\\Windows\\{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe"	{9E91C300-D360-4554-B354-6DC1369FA339}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5750B28D-9397-4228-ADE9-A4464A6FBD3E}\stubpath = "C:\\Windows\\{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe"	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}\stubpath = "C:\\Windows\\{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe"	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E91C300-D360-4554-B354-6DC1369FA339}\stubpath = "C:\\Windows\\{9E91C300-D360-4554-B354-6DC1369FA339}.exe"	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}	{9E91C300-D360-4554-B354-6DC1369FA339}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}\stubpath = "C:\\Windows\\{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe"	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C247A289-44B1-40d1-B759-4FEC1BB87865}	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C247A289-44B1-40d1-B759-4FEC1BB87865}\stubpath = "C:\\Windows\\{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe"	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe

Executes dropped EXE 12 IoCs

pid	Process
2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe
2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe
1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe
3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe
2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe
3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe
1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe
2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe
4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe
1448	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe
624	{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe
1220	{BD1FA773-00CB-4d91-B329-156408D8AE6F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe
File created	C:\Windows\{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe
File created	C:\Windows\{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe
File created	C:\Windows\{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe
File created	C:\Windows\{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe
File created	C:\Windows\{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe
File created	C:\Windows\{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe
File created	C:\Windows\{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe
File created	C:\Windows\{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe
File created	C:\Windows\{BD1FA773-00CB-4d91-B329-156408D8AE6F}.exe	{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe
File created	C:\Windows\{9E91C300-D360-4554-B354-6DC1369FA339}.exe	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
File created	C:\Windows\{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe	{9E91C300-D360-4554-B354-6DC1369FA339}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4072	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe
Token: SeIncBasePriorityPrivilege	2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe
Token: SeIncBasePriorityPrivilege	1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe
Token: SeIncBasePriorityPrivilege	3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe
Token: SeIncBasePriorityPrivilege	2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe
Token: SeIncBasePriorityPrivilege	3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe
Token: SeIncBasePriorityPrivilege	1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe
Token: SeIncBasePriorityPrivilege	2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe
Token: SeIncBasePriorityPrivilege	4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe
Token: SeIncBasePriorityPrivilege	1448	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe
Token: SeIncBasePriorityPrivilege	624	{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2364	4072	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	91
PID 4072 wrote to memory of 2364	4072	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	91
PID 4072 wrote to memory of 2364	4072	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	91
PID 4072 wrote to memory of 3308	4072	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	92
PID 4072 wrote to memory of 3308	4072	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	92
PID 4072 wrote to memory of 3308	4072	2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe	92
PID 2364 wrote to memory of 2864	2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe	98
PID 2364 wrote to memory of 2864	2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe	98
PID 2364 wrote to memory of 2864	2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe	98
PID 2364 wrote to memory of 2816	2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe	99
PID 2364 wrote to memory of 2816	2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe	99
PID 2364 wrote to memory of 2816	2364	{9E91C300-D360-4554-B354-6DC1369FA339}.exe	99
PID 2864 wrote to memory of 1984	2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe	101
PID 2864 wrote to memory of 1984	2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe	101
PID 2864 wrote to memory of 1984	2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe	101
PID 2864 wrote to memory of 5088	2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe	102
PID 2864 wrote to memory of 5088	2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe	102
PID 2864 wrote to memory of 5088	2864	{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe	102
PID 1984 wrote to memory of 3664	1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe	112
PID 1984 wrote to memory of 3664	1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe	112
PID 1984 wrote to memory of 3664	1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe	112
PID 1984 wrote to memory of 4720	1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe	113
PID 1984 wrote to memory of 4720	1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe	113
PID 1984 wrote to memory of 4720	1984	{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe	113
PID 3664 wrote to memory of 2988	3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe	114
PID 3664 wrote to memory of 2988	3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe	114
PID 3664 wrote to memory of 2988	3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe	114
PID 3664 wrote to memory of 4704	3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe	115
PID 3664 wrote to memory of 4704	3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe	115
PID 3664 wrote to memory of 4704	3664	{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe	115
PID 2988 wrote to memory of 3672	2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe	116
PID 2988 wrote to memory of 3672	2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe	116
PID 2988 wrote to memory of 3672	2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe	116
PID 2988 wrote to memory of 552	2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe	117
PID 2988 wrote to memory of 552	2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe	117
PID 2988 wrote to memory of 552	2988	{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe	117
PID 3672 wrote to memory of 1696	3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe	119
PID 3672 wrote to memory of 1696	3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe	119
PID 3672 wrote to memory of 1696	3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe	119
PID 3672 wrote to memory of 3908	3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe	120
PID 3672 wrote to memory of 3908	3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe	120
PID 3672 wrote to memory of 3908	3672	{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe	120
PID 1696 wrote to memory of 2000	1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe	121
PID 1696 wrote to memory of 2000	1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe	121
PID 1696 wrote to memory of 2000	1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe	121
PID 1696 wrote to memory of 1764	1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe	122
PID 1696 wrote to memory of 1764	1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe	122
PID 1696 wrote to memory of 1764	1696	{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe	122
PID 2000 wrote to memory of 4864	2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe	123
PID 2000 wrote to memory of 4864	2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe	123
PID 2000 wrote to memory of 4864	2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe	123
PID 2000 wrote to memory of 4412	2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe	124
PID 2000 wrote to memory of 4412	2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe	124
PID 2000 wrote to memory of 4412	2000	{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe	124
PID 4864 wrote to memory of 1448	4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe	125
PID 4864 wrote to memory of 1448	4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe	125
PID 4864 wrote to memory of 1448	4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe	125
PID 4864 wrote to memory of 4168	4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe	126
PID 4864 wrote to memory of 4168	4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe	126
PID 4864 wrote to memory of 4168	4864	{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe	126
PID 1448 wrote to memory of 624	1448	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe	127
PID 1448 wrote to memory of 624	1448	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe	127
PID 1448 wrote to memory of 624	1448	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe	127
PID 1448 wrote to memory of 3896	1448	{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_e77cc1c5995b8d825389c4fc17ce9778_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\{9E91C300-D360-4554-B354-6DC1369FA339}.exe
  C:\Windows\{9E91C300-D360-4554-B354-6DC1369FA339}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe
    C:\Windows\{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe
      C:\Windows\{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe
        
        C:\Windows\{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Windows\{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe
        
        C:\Windows\{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe
        
        C:\Windows\{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe
        
        C:\Windows\{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe
        
        C:\Windows\{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe
        
        C:\Windows\{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe
        
        C:\Windows\{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe
        
        C:\Windows\{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\{BD1FA773-00CB-4d91-B329-156408D8AE6F}.exe
        
        C:\Windows\{BD1FA773-00CB-4d91-B329-156408D8AE6F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3932D~1.EXE > nul
        13⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0988~1.EXE > nul
        12⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B54E~1.EXE > nul
        11⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42FC7~1.EXE > nul
        10⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2ACB~1.EXE > nul
        9⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0EA1~1.EXE > nul
        8⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5750B~1.EXE > nul
        7⤵
        
        PID:552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C3F~1.EXE > nul
        6⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C247A~1.EXE > nul
        5⤵
        
        PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08B7F~1.EXE > nul
      4⤵
      PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E91C~1.EXE > nul
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08B7F8D2-A48F-4e00-A7BA-CC1E2E1969C9}.exe

Filesize
344KB

MD5
ca66014c3f819b16dc9b488df2a9eb77

SHA1
60f9369d017fb067b6c2e1742123f1a51dd86b6f

SHA256
4f6416a61d9dead7126af283c1d626b992cf435ad7660b51eb119bb04e8ff2c7

SHA512
809fb8a422d7b52569e0a29fdf3f6e2053205da55770e1852e71791b7f7e9fc2c19e4ac6d83d4de66915276a037339aef3194ca7c75049a00d8b6cc915961c22

Download Submit
C:\Windows\{3932D5BB-F1D1-4e44-845D-A62F897C4CD3}.exe

Filesize
344KB

MD5
bc15808f02e8fdf3101872993c4dee6c

SHA1
e67e7baaab91c9c8944f23b255caf6c0ad5ba1ff

SHA256
62a9f2f8bf292d72f22a822df68ecafb7bd695ace6cd27428996650af392faca

SHA512
31924573d09f0ca280dff771e853181ef9d1ec0dd6dd7d8e2619e83cccc14e58d2ec73598c5a5f942c1c6bec10971e3abf6a5678fe6c847f1c9ab7d51fcac440

Download Submit
C:\Windows\{42FC70E5-13DD-4e10-BC73-41D36C440D2E}.exe

Filesize
344KB

MD5
6ac860f2cd15b92f021c38095cebf77b

SHA1
1e30ffc500c609b06ac464c9114d7b7c5ab9692b

SHA256
05c74c69ad698f480792c27e9594ab5ecd70fd3a478c8d4d5aabf7dad2d4d355

SHA512
2e4f4cf69d2f8f143a3d17db42e5497778fd0cd8742918a8639cd974acd62115077ebf202a02a0bc71fd18cf21dd7727f8a9326fff012c382124080153eca646

Download Submit
C:\Windows\{5750B28D-9397-4228-ADE9-A4464A6FBD3E}.exe

Filesize
344KB

MD5
0efa8f1a356dae74ee97435c955048b6

SHA1
e1b966587f743ceb409e2560b000ded7e93ddf0e

SHA256
136f05b84fcd33e5f5b92787f222fcd0bffe671eff9a19d2dc284c7afe9c4779

SHA512
07cfb2528bd5a6299fc0ddad52fa2037c22f20e911339fb6582c37ee5564d3ed8a6e51f48510560600a42c3718e4cc637bac9d2c5aa5c152b2f71ac84b58764d

Download Submit
C:\Windows\{8B54E615-03EF-428b-9632-D9D383E96D2C}.exe

Filesize
344KB

MD5
159effaa908d79fa01fed793904986ed

SHA1
ed92ca7d7cb7f7a1dbba77d3b1363d96860b2cce

SHA256
aa03d9d486917db8453836a19a496955e488fa35c45a679e1c2c9542dcb88742

SHA512
b77edaa73b9e205c18218eed3f84cd947b26393d9b9db84cd5edd53c4a4d668ea622274a3ac208c910aad21b0354a090980624e515c38a2fd91ebad64b724840

Download Submit
C:\Windows\{9E91C300-D360-4554-B354-6DC1369FA339}.exe

Filesize
344KB

MD5
1c149e0048fa663875b777eb00f104ed

SHA1
08d4ee6c2fd99810533e0af83aafac65a101ea04

SHA256
3c167857e8bd76500952234a3753d7c3fd33d74566c9bdeb07beebd5324ca242

SHA512
38d85049f8b0c9811aea4f4dc2216f1f5de8ca037e75214af6c1e9893294113c70f70c2efd9e0b648e00a369ae5c8fc4bce0d601295d7ee5f83d8cf040f1879a

Download Submit
C:\Windows\{B2ACB6DA-49D9-4187-82E0-B9871CCB3949}.exe

Filesize
344KB

MD5
39e69cd259d3c920a6c8e4d524daffc4

SHA1
9819fc29f2db88665529ad09ba402cd834fa56a7

SHA256
b0beb38197de33a90986bd0e54e922a1e653966ef96075677b3a83b9caf33d12

SHA512
c818fa3949f9fe6fa01a1dfd70b3b164de347130657eb510bcd820ecf8e912b41bd676e80730d58aee6899c2b47902e77b3fd221a60a7c1f825c13b1083b9b3c

Download Submit
C:\Windows\{BD1FA773-00CB-4d91-B329-156408D8AE6F}.exe

Filesize
344KB

MD5
3d3428d7d5c407941e5f2bb0906b0082

SHA1
6dc50043f0ce50087f81754ac649833c3bac2efb

SHA256
1e7787e2713fac40a66dcf084fc94df28c7d676e707f87ee1ae3f85c4a677eed

SHA512
a88c102c5fff0cc8a730eab04affd83843a1a887545b86e5c83242e4e36815527802c6f5ec8628f2f27ce3eea0a6c4aa682c4c485ed6cb42bafbaccce81e3daf

Download Submit
C:\Windows\{C247A289-44B1-40d1-B759-4FEC1BB87865}.exe

Filesize
344KB

MD5
ba5bdfb86d7129fb33642c868da8b330

SHA1
4f86478e562f0086f06774846ba662df201d82bb

SHA256
221e01f02643ee68f224be7307e7366a37830530a15c66b2668ff2e946db3bc7

SHA512
1f8f26ccf97f7a7788fab61240c031ff1ccc8c993eb7ed6ce311ea52747f709b8374d63f0ab461b984f27bb794b1981ad83e25f4bd61e51a5119202777bd73d4

Download Submit
C:\Windows\{E0988C14-2EAD-4e71-B0B0-46EE815BF668}.exe

Filesize
344KB

MD5
99c6e897ce09f0b09d8b996ca09ab26b

SHA1
b55ad231418c008b85b59e73a7d448a32cea500f

SHA256
2e7214c9893ab9a84a1832df96806ba979ddcdcf98d2e386eec1c962a192e88b

SHA512
85377c332ef697268e39bad155a014f48d244ae63c00fe0a0105a1a4a00f8d7ffca7c2aab7e05f54de971f7246876cc42c702816bae5a59e37101e96924e91d3

Download Submit
C:\Windows\{F0EA16A8-DD9D-49c2-9381-1005CB1793BF}.exe

Filesize
344KB

MD5
3ffb9c8ebafd477475eb86feb7ae0b7d

SHA1
4494e7d54dba9650e0b0235000da856ed49569b9

SHA256
fc05fc533301eebec6dfe35cb259448179e3894a9b4c50652ddc63ba6b6e5df8

SHA512
d04e4b7f7c7b1fa818a5bdf0d9db1d64dcf106b5a0f9951ac85e3f9a2ff47601b6034645ad638dd7d1db7b5bffb11721b63632be1147d3db2b6a4f19fb242674

Download Submit
C:\Windows\{F4C3F20C-EFD4-46ab-A835-6C1A4543D1EF}.exe

Filesize
344KB

MD5
286b49715ddf2450dbdcc72a8700937e

SHA1
2acc5ef3f993da13c9442aaeb10057f5afb55434

SHA256
a49f724eb9be7a641cde54a401139fc04a3fcc8f81293df5b554b7ea0a5ae77a

SHA512
c7bee848a784d454afa3ccead7ea770c2bf2ce6366b003c46bc0c595968e6f56b9e94b228e5356486b0666df9c1515df14f7f943753c61ecd358403636c9c2d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads