04caf0572196f2df5735546a2d5fb4c2bd6cce0e697a02b4852d55c2997de12a

Analysis

max time kernel
161s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe
Size

168KB
MD5

8045184ac3be40b1d64b628d49dfbcc9
SHA1

991bbe769ce24e7f2bd09c7c30667f7311eadf0b
SHA256

04caf0572196f2df5735546a2d5fb4c2bd6cce0e697a02b4852d55c2997de12a
SHA512

3121b8f5db039fae0e648148303169144adf25aaa147b642e1c04ce709b5a6aadfd5695691e173ffdaad0e4360a31b33c6ae63a6d5ade2ec5eb917ba0e02de98
SSDEEP

1536:1EGh0obli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0obliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002322c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023242-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000228be-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023263-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023270-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002336a-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233d5-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233d7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233d5-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233d7-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233d5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}\stubpath = "C:\\Windows\\{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe"	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF251792-15EA-42bb-8E57-E2A66E7F9338}\stubpath = "C:\\Windows\\{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe"	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}\stubpath = "C:\\Windows\\{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe"	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}\stubpath = "C:\\Windows\\{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe"	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F94BBB-41D2-4b24-A8D1-0342C159922B}\stubpath = "C:\\Windows\\{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe"	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A3075F-65E5-42a9-819B-4A5605B324DF}\stubpath = "C:\\Windows\\{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe"	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}\stubpath = "C:\\Windows\\{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe"	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}\stubpath = "C:\\Windows\\{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}.exe"	{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}\stubpath = "C:\\Windows\\{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe"	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9A3075F-65E5-42a9-819B-4A5605B324DF}	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6C5C31-17D0-4620-987C-A257E2D368F5}\stubpath = "C:\\Windows\\{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe"	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}	{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F94BBB-41D2-4b24-A8D1-0342C159922B}	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}\stubpath = "C:\\Windows\\{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe"	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6C5C31-17D0-4620-987C-A257E2D368F5}	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}\stubpath = "C:\\Windows\\{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe"	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF251792-15EA-42bb-8E57-E2A66E7F9338}	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe

Executes dropped EXE 12 IoCs

pid	Process
2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe
2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe
2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe
2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe
1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe
2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe
4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe
4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe
1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe
3028	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe
3464	{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe
2524	{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe
File created	C:\Windows\{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe
File created	C:\Windows\{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe
File created	C:\Windows\{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe
File created	C:\Windows\{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe
File created	C:\Windows\{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe
File created	C:\Windows\{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe
File created	C:\Windows\{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe
File created	C:\Windows\{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe
File created	C:\Windows\{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe
File created	C:\Windows\{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe
File created	C:\Windows\{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}.exe	{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3192	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe
Token: SeIncBasePriorityPrivilege	2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe
Token: SeIncBasePriorityPrivilege	2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe
Token: SeIncBasePriorityPrivilege	2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe
Token: SeIncBasePriorityPrivilege	1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe
Token: SeIncBasePriorityPrivilege	2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe
Token: SeIncBasePriorityPrivilege	4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe
Token: SeIncBasePriorityPrivilege	4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe
Token: SeIncBasePriorityPrivilege	1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe
Token: SeIncBasePriorityPrivilege	3028	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe
Token: SeIncBasePriorityPrivilege	3464	{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2068	3192	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe	94
PID 3192 wrote to memory of 2068	3192	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe	94
PID 3192 wrote to memory of 2068	3192	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe	94
PID 3192 wrote to memory of 3384	3192	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe	95
PID 3192 wrote to memory of 3384	3192	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe	95
PID 3192 wrote to memory of 3384	3192	2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe	95
PID 2068 wrote to memory of 2600	2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe	100
PID 2068 wrote to memory of 2600	2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe	100
PID 2068 wrote to memory of 2600	2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe	100
PID 2068 wrote to memory of 1640	2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe	101
PID 2068 wrote to memory of 1640	2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe	101
PID 2068 wrote to memory of 1640	2068	{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe	101
PID 2600 wrote to memory of 2828	2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe	102
PID 2600 wrote to memory of 2828	2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe	102
PID 2600 wrote to memory of 2828	2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe	102
PID 2600 wrote to memory of 440	2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe	103
PID 2600 wrote to memory of 440	2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe	103
PID 2600 wrote to memory of 440	2600	{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe	103
PID 2828 wrote to memory of 2532	2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe	105
PID 2828 wrote to memory of 2532	2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe	105
PID 2828 wrote to memory of 2532	2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe	105
PID 2828 wrote to memory of 3788	2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe	106
PID 2828 wrote to memory of 3788	2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe	106
PID 2828 wrote to memory of 3788	2828	{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe	106
PID 2532 wrote to memory of 1640	2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe	109
PID 2532 wrote to memory of 1640	2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe	109
PID 2532 wrote to memory of 1640	2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe	109
PID 2532 wrote to memory of 2068	2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe	110
PID 2532 wrote to memory of 2068	2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe	110
PID 2532 wrote to memory of 2068	2532	{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe	110
PID 1640 wrote to memory of 2756	1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe	113
PID 1640 wrote to memory of 2756	1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe	113
PID 1640 wrote to memory of 2756	1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe	113
PID 1640 wrote to memory of 1792	1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe	114
PID 1640 wrote to memory of 1792	1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe	114
PID 1640 wrote to memory of 1792	1640	{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe	114
PID 2756 wrote to memory of 4144	2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe	115
PID 2756 wrote to memory of 4144	2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe	115
PID 2756 wrote to memory of 4144	2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe	115
PID 2756 wrote to memory of 2028	2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe	116
PID 2756 wrote to memory of 2028	2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe	116
PID 2756 wrote to memory of 2028	2756	{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe	116
PID 4144 wrote to memory of 4692	4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe	118
PID 4144 wrote to memory of 4692	4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe	118
PID 4144 wrote to memory of 4692	4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe	118
PID 4144 wrote to memory of 4804	4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe	119
PID 4144 wrote to memory of 4804	4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe	119
PID 4144 wrote to memory of 4804	4144	{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe	119
PID 4692 wrote to memory of 1648	4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe	120
PID 4692 wrote to memory of 1648	4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe	120
PID 4692 wrote to memory of 1648	4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe	120
PID 4692 wrote to memory of 2744	4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe	121
PID 4692 wrote to memory of 2744	4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe	121
PID 4692 wrote to memory of 2744	4692	{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe	121
PID 1648 wrote to memory of 3028	1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe	122
PID 1648 wrote to memory of 3028	1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe	122
PID 1648 wrote to memory of 3028	1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe	122
PID 1648 wrote to memory of 816	1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe	123
PID 1648 wrote to memory of 816	1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe	123
PID 1648 wrote to memory of 816	1648	{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe	123
PID 3028 wrote to memory of 3464	3028	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe	124
PID 3028 wrote to memory of 3464	3028	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe	124
PID 3028 wrote to memory of 3464	3028	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe	124
PID 3028 wrote to memory of 4752	3028	{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_8045184ac3be40b1d64b628d49dfbcc9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe
  C:\Windows\{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe
    C:\Windows\{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe
      C:\Windows\{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe
        
        C:\Windows\{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe
        
        C:\Windows\{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe
        
        C:\Windows\{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe
        
        C:\Windows\{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe
        
        C:\Windows\{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe
        
        C:\Windows\{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe
        
        C:\Windows\{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe
        
        C:\Windows\{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\Windows\{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}.exe
        
        C:\Windows\{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}.exe
        13⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF251~1.EXE > nul
        13⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D577~1.EXE > nul
        12⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E8D7~1.EXE > nul
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3638A~1.EXE > nul
        10⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6C5~1.EXE > nul
        9⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9A30~1.EXE > nul
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C71FC~1.EXE > nul
        7⤵
        
        PID:1792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF5D8~1.EXE > nul
        6⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25F94~1.EXE > nul
        5⤵
        
        PID:3788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{20C80~1.EXE > nul
      4⤵
      PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3AAD2~1.EXE > nul
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B4F0B58-0619-415b-8A1A-B3FBD5508C26}.exe

Filesize
168KB

MD5
78fd9409d90947c14e68e041c9a491a5

SHA1
7241089dea72e2b809649b234e06db681d7795c3

SHA256
e3c9c6295da5afef17d4273a6594d07e60c0f22b2bb855dbbda86ce9d20af2c3

SHA512
ce4ed7b1e547b9507a6e9de9e1f3f1917f1868c4538c4363efd1f1a70539eaa97f7478f7a12feb283d110e77a45f4fb42b360dc4ad7593261e1c29a7afe8ac46

Download Submit
C:\Windows\{20C80738-3BC5-401a-AA32-3A7BD77FBEE9}.exe

Filesize
168KB

MD5
cee859dd944c6fcc77ff2459fe58fc9f

SHA1
a94b448cc81d8667ee24c88d031d57608923d5a6

SHA256
05ace2bb5f749f81abeb2e51a45843bd3bdbc1b23090f46f8542f15281a91696

SHA512
05dca1269beed4ba3f1e19e1a21949a7157859cff4d3504866a1afd9af5012a52221491829a8811fa46f2528d4dc4d7abb25b577e2dba82ad4270ed10dfe917f

Download Submit
C:\Windows\{25F94BBB-41D2-4b24-A8D1-0342C159922B}.exe

Filesize
168KB

MD5
ad89ddd65e9bddaffb76a04753f61d9d

SHA1
cfac7c4fd8c8228804759b43a6dec3263515e5cb

SHA256
b4ba6f355df2b6cd6253d14e372c8fc900ac825d16357578d59eba3048629d69

SHA512
d3b347902d30aedf41f163bc05bb9daa49f140542a83c7a898f71129d8910ae2c25bae6650691c7adfc0800ae66fc4b5d4dd30c2a14978c818817bc04ac15fa9

Download Submit
C:\Windows\{3638AEB0-0827-4deb-AA44-73E4EA9A4ABA}.exe

Filesize
168KB

MD5
30f893cbee8b362c1d2e1104c1603fe8

SHA1
0e5b73bf019f9207420da05249380e5d6d1acab8

SHA256
355f03e6b56b6f4374eaf12f4ca0b71d5f91b08a39b0ef9b77986e2dda339f74

SHA512
07ba6d3fddd89b24ef357df5983d3b8aaf79f8f393b5f5ee76d7f73fda4f029a41448fcb8714bbe5302080b09158bdd5649a0e283af84fbe9da7dda8ff7845af

Download Submit
C:\Windows\{3AAD2E0F-68F6-4c29-B628-7D154C2846E2}.exe

Filesize
168KB

MD5
ac1ec7731c086b0655191f8a1cf5ef72

SHA1
9a07a3a2defb42973a7c5fa883d6c56466c844a9

SHA256
fea492c6932bb4710306d5fdfeba700980bd59b40392aee0fca461b65779aecf

SHA512
d1350d62626083f5ec517743518dd01331e44c1db8bf5f4bd9e27d42685c26d9bece6db8ed63c3f4d3801297214d08d069d8a3aaeb072ab612174b524ad900bf

Download Submit
C:\Windows\{5D5770B6-7C09-4f3e-A0BB-EF78BFADBD25}.exe

Filesize
168KB

MD5
115e5bd2349d0605fc8895b67134b2cb

SHA1
9c4b10cb932d133ffd69441bad790a02afab2591

SHA256
595a782dc49da3b32ffed77ca4b0deed776b733bc56f5b8ae0c4fc6ed37bb893

SHA512
a71390e29552ea070990006eb390018e30c0561df2d7a259995bb32b770ca9a8860d5affe8740c49cd11e047d3d2051b6abaf722a1f6b79cd8a77f548a08815c

Download Submit
C:\Windows\{9E8D7C11-C53D-4d4e-8B44-2064A36F0C83}.exe

Filesize
168KB

MD5
0b3239e79d3cb3d55ac6560c110f2a3e

SHA1
116c3bc776cde330b82fbe80bf910bcb28e587e2

SHA256
aade39f056b29be059873d9ede04355269ec2252474063ba9b49db4481626e65

SHA512
f6c14164c7fbb323ba9afa6e83b015450f72c6671dcb8ec03077ec29556e48a7d89a2d5fc1ebd6bc152f9d8fddf5ec1faffe6030bfe6f7426034884dcfb8eba5

Download Submit
C:\Windows\{AF251792-15EA-42bb-8E57-E2A66E7F9338}.exe

Filesize
168KB

MD5
447e77c04d51f1dcfed3f93d385259ba

SHA1
bb523432e6cce46eac9715c94546533dff4823e0

SHA256
328aeeeee581f87668d8806c5cf784170caa4e50e068e4d6c816b05d35d5f906

SHA512
5a528bda5333680971046f0a46608917584210358d02afb5f96d3f518279ebc5305705080d992bdac64c77b27c1ec8f56b8281794d455d635b48fffaf96f59ed

Download Submit
C:\Windows\{BE6C5C31-17D0-4620-987C-A257E2D368F5}.exe

Filesize
168KB

MD5
92be3e867c7c9e1e5531b9d8b707072d

SHA1
d3fdaf96dfef2a072378272dd232a1f96c003929

SHA256
c276a4972696ef935c7a4d4f6402a74ca787f279ca9a3d3ad7ca6b4a2de3ce1b

SHA512
fee53b0b1ac680c4c57ddb18e9840020b26fcf76fe2314226c3f3375fa6c2b6d96f16a07528886665a7491da0307029651babf08ec329be3a15707d4a2f75494

Download Submit
C:\Windows\{BF5D88AF-E3B3-4b4b-A039-577C3E7E0255}.exe

Filesize
168KB

MD5
730ad219e0a20ae28a57921a364c604f

SHA1
dda1e360a2849e1bb543da8ce12e7100f9335cf7

SHA256
062531dcf7cdc68a97c4441ddd4ff1642ad5bc7144af939f162aa0f437ae82a3

SHA512
d4942339b85cb998c7bb661bf5b01adfe5588e065fd2d5db5737c01fb4d585a50c70f1eda4585f154aa553fb5cab1a9c32def687d703fa503fddcd2b01d534ce

Download Submit
C:\Windows\{C71FCEE8-98B4-4a64-8BC6-672F918FACEB}.exe

Filesize
168KB

MD5
7cddd0ce8ff15a6a0f66c24f6714d774

SHA1
03aa93e80e5f746dc3ad8cd2cdb6421438f26b19

SHA256
1822baf9e10f343475e6b922f3011df3d4d7c82e991e86ea8670657d75df0aa8

SHA512
9ee0397359f8c33018a9c528949932d4f242c6187c593bec4e7752838d92e05750b3a1f0b8ebce5568718547405b6c8d83eadc3be69a0a63598de60fb4fe53eb

Download Submit
C:\Windows\{F9A3075F-65E5-42a9-819B-4A5605B324DF}.exe

Filesize
168KB

MD5
b22d77ad28277b672e84636b6b4e95c7

SHA1
9e3cc4fe6a181cdc673e91fb057f7625952d3cc0

SHA256
715cc09adddcbb62971950c9593ebe1d0d82cea69c63d9bd6e51338a1e3e5180

SHA512
00977bd33bf8a3ae5dccdb8b8d86c884d778dc964102b6558a526e4ad52b09c120fc4d0d2155ab6bc7331cfde90c083aa910844bd56efc99585eef9440424ff7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads