b8d895e683e189930d9625d2ce972e5274a9fccb29a2755ab3ea684cb2381ba0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Size

216KB
MD5

9b8b77226735127bc2b90856a560fc2b
SHA1

f73e4b0d935d6d96516c8721b5e2307be721cca1
SHA256

b8d895e683e189930d9625d2ce972e5274a9fccb29a2755ab3ea684cb2381ba0
SHA512

b1f2b977a4862dc968b3342c6a7e8b90ec149381641545c46a369abde474dd5deca7a057454ff5d7b84a3caa02d94fb703c7d0cb9f0080cc09b90dd996305cb5
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGJlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231da-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231e5-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016923-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023206-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000016976-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023206-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016976-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023356-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023378-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002337b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023102-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023388-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877C53A0-2815-4fae-BDD3-DCB94FC0A533}\stubpath = "C:\\Windows\\{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe"	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E6261A1-CD41-410e-A842-F21D89838136}\stubpath = "C:\\Windows\\{4E6261A1-CD41-410e-A842-F21D89838136}.exe"	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}\stubpath = "C:\\Windows\\{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe"	{4E6261A1-CD41-410e-A842-F21D89838136}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}\stubpath = "C:\\Windows\\{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe"	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}\stubpath = "C:\\Windows\\{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe"	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5137AD60-523B-413a-A274-5BEF727597DC}	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F03BE4-8195-4b3e-B831-CB6E07073E99}\stubpath = "C:\\Windows\\{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe"	{5137AD60-523B-413a-A274-5BEF727597DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E6261A1-CD41-410e-A842-F21D89838136}	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}	{4E6261A1-CD41-410e-A842-F21D89838136}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}\stubpath = "C:\\Windows\\{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe"	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84F03BE4-8195-4b3e-B831-CB6E07073E99}	{5137AD60-523B-413a-A274-5BEF727597DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}\stubpath = "C:\\Windows\\{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe"	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}\stubpath = "C:\\Windows\\{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe"	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5137AD60-523B-413a-A274-5BEF727597DC}\stubpath = "C:\\Windows\\{5137AD60-523B-413a-A274-5BEF727597DC}.exe"	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877C53A0-2815-4fae-BDD3-DCB94FC0A533}	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C4E617-81CF-4dda-BAAA-92BBAB02D891}	{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}\stubpath = "C:\\Windows\\{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe"	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C4E617-81CF-4dda-BAAA-92BBAB02D891}\stubpath = "C:\\Windows\\{33C4E617-81CF-4dda-BAAA-92BBAB02D891}.exe"	{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe

Executes dropped EXE 12 IoCs

pid	Process
4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe
3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe
588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe
3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe
2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe
3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe
3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe
3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe
3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe
1324	{4E6261A1-CD41-410e-A842-F21D89838136}.exe
624	{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe
1148	{33C4E617-81CF-4dda-BAAA-92BBAB02D891}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe	{5137AD60-523B-413a-A274-5BEF727597DC}.exe
File created	C:\Windows\{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe
File created	C:\Windows\{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe
File created	C:\Windows\{4E6261A1-CD41-410e-A842-F21D89838136}.exe	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe
File created	C:\Windows\{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
File created	C:\Windows\{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe
File created	C:\Windows\{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe
File created	C:\Windows\{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe	{4E6261A1-CD41-410e-A842-F21D89838136}.exe
File created	C:\Windows\{33C4E617-81CF-4dda-BAAA-92BBAB02D891}.exe	{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe
File created	C:\Windows\{5137AD60-523B-413a-A274-5BEF727597DC}.exe	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe
File created	C:\Windows\{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe
File created	C:\Windows\{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2800	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe
Token: SeIncBasePriorityPrivilege	3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe
Token: SeIncBasePriorityPrivilege	588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe
Token: SeIncBasePriorityPrivilege	3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe
Token: SeIncBasePriorityPrivilege	2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe
Token: SeIncBasePriorityPrivilege	3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe
Token: SeIncBasePriorityPrivilege	3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe
Token: SeIncBasePriorityPrivilege	3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe
Token: SeIncBasePriorityPrivilege	3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe
Token: SeIncBasePriorityPrivilege	1324	{4E6261A1-CD41-410e-A842-F21D89838136}.exe
Token: SeIncBasePriorityPrivilege	624	{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4100	2800	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	95
PID 2800 wrote to memory of 4100	2800	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	95
PID 2800 wrote to memory of 4100	2800	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	95
PID 2800 wrote to memory of 1904	2800	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	96
PID 2800 wrote to memory of 1904	2800	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	96
PID 2800 wrote to memory of 1904	2800	2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe	96
PID 4100 wrote to memory of 3608	4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe	99
PID 4100 wrote to memory of 3608	4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe	99
PID 4100 wrote to memory of 3608	4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe	99
PID 4100 wrote to memory of 1820	4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe	100
PID 4100 wrote to memory of 1820	4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe	100
PID 4100 wrote to memory of 1820	4100	{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe	100
PID 3608 wrote to memory of 588	3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe	103
PID 3608 wrote to memory of 588	3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe	103
PID 3608 wrote to memory of 588	3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe	103
PID 3608 wrote to memory of 2524	3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe	104
PID 3608 wrote to memory of 2524	3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe	104
PID 3608 wrote to memory of 2524	3608	{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe	104
PID 588 wrote to memory of 3940	588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe	106
PID 588 wrote to memory of 3940	588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe	106
PID 588 wrote to memory of 3940	588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe	106
PID 588 wrote to memory of 3244	588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe	107
PID 588 wrote to memory of 3244	588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe	107
PID 588 wrote to memory of 3244	588	{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe	107
PID 3940 wrote to memory of 2920	3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe	108
PID 3940 wrote to memory of 2920	3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe	108
PID 3940 wrote to memory of 2920	3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe	108
PID 3940 wrote to memory of 1592	3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe	109
PID 3940 wrote to memory of 1592	3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe	109
PID 3940 wrote to memory of 1592	3940	{5137AD60-523B-413a-A274-5BEF727597DC}.exe	109
PID 2920 wrote to memory of 3316	2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe	111
PID 2920 wrote to memory of 3316	2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe	111
PID 2920 wrote to memory of 3316	2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe	111
PID 2920 wrote to memory of 840	2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe	112
PID 2920 wrote to memory of 840	2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe	112
PID 2920 wrote to memory of 840	2920	{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe	112
PID 3316 wrote to memory of 3788	3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe	113
PID 3316 wrote to memory of 3788	3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe	113
PID 3316 wrote to memory of 3788	3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe	113
PID 3316 wrote to memory of 1272	3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe	114
PID 3316 wrote to memory of 1272	3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe	114
PID 3316 wrote to memory of 1272	3316	{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe	114
PID 3788 wrote to memory of 3652	3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe	115
PID 3788 wrote to memory of 3652	3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe	115
PID 3788 wrote to memory of 3652	3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe	115
PID 3788 wrote to memory of 1400	3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe	116
PID 3788 wrote to memory of 1400	3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe	116
PID 3788 wrote to memory of 1400	3788	{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe	116
PID 3652 wrote to memory of 3892	3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe	121
PID 3652 wrote to memory of 3892	3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe	121
PID 3652 wrote to memory of 3892	3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe	121
PID 3652 wrote to memory of 3580	3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe	122
PID 3652 wrote to memory of 3580	3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe	122
PID 3652 wrote to memory of 3580	3652	{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe	122
PID 3892 wrote to memory of 1324	3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe	123
PID 3892 wrote to memory of 1324	3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe	123
PID 3892 wrote to memory of 1324	3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe	123
PID 3892 wrote to memory of 1152	3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe	124
PID 3892 wrote to memory of 1152	3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe	124
PID 3892 wrote to memory of 1152	3892	{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe	124
PID 1324 wrote to memory of 624	1324	{4E6261A1-CD41-410e-A842-F21D89838136}.exe	130
PID 1324 wrote to memory of 624	1324	{4E6261A1-CD41-410e-A842-F21D89838136}.exe	130
PID 1324 wrote to memory of 624	1324	{4E6261A1-CD41-410e-A842-F21D89838136}.exe	130
PID 1324 wrote to memory of 4972	1324	{4E6261A1-CD41-410e-A842-F21D89838136}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_9b8b77226735127bc2b90856a560fc2b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe
  C:\Windows\{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe
    C:\Windows\{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe
      C:\Windows\{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Windows\{5137AD60-523B-413a-A274-5BEF727597DC}.exe
        
        C:\Windows\{5137AD60-523B-413a-A274-5BEF727597DC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - C:\Windows\{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe
        
        C:\Windows\{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe
        
        C:\Windows\{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe
        
        C:\Windows\{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe
        
        C:\Windows\{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe
        
        C:\Windows\{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\{4E6261A1-CD41-410e-A842-F21D89838136}.exe
        
        C:\Windows\{4E6261A1-CD41-410e-A842-F21D89838136}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe
        
        C:\Windows\{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\{33C4E617-81CF-4dda-BAAA-92BBAB02D891}.exe
        
        C:\Windows\{33C4E617-81CF-4dda-BAAA-92BBAB02D891}.exe
        13⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB78~1.EXE > nul
        13⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E626~1.EXE > nul
        12⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{877C5~1.EXE > nul
        11⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FBD5~1.EXE > nul
        10⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B2CA~1.EXE > nul
        9⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48DE9~1.EXE > nul
        8⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84F03~1.EXE > nul
        7⤵
        
        PID:840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5137A~1.EXE > nul
        6⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16533~1.EXE > nul
        5⤵
        
        PID:3244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF357~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DD1A~1.EXE > nul
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{165335A4-5DD3-4f30-AB3A-C5C6B83E78DB}.exe

Filesize
216KB

MD5
48d98563dfe29acf5b9b674f631f4a26

SHA1
c28a6dca18f0c2c7bd1e05e5a07e31c1ef9efab2

SHA256
d47ea8195ec62df61883353b70e85256e2b9f82fc8452bc6fcdda7c0dafd31c9

SHA512
37040b0de6a1e9e1db9eae17fb81aae9202da4119fde2b5b8106a5d39c0cac1c7010d47941a7909f94d9995525383e7034f8509c3aaddbd6dff7cdb0cdabbe67

Download Submit
C:\Windows\{1B2CA886-8E54-47d4-A6B7-5BEA4D0C9F35}.exe

Filesize
216KB

MD5
b5ef17d9aa0234cdc2a2ac8ec10cff18

SHA1
460bb946870bd10e41a327972468f8d268290d1e

SHA256
78a957af48f68d1698e90980346020659e609e2af23e4ad53fbde03569cd3255

SHA512
1930c14cc0111bece00348caaa3d7d7021767c875d5e999388b3a8c73994a217b9a5920a137c2fd59c609b869afe8f542ee2cbbb48add18042b225c545f04635

Download Submit
C:\Windows\{33C4E617-81CF-4dda-BAAA-92BBAB02D891}.exe

Filesize
216KB

MD5
02bea67e5cd32e6d67950d892b738637

SHA1
f31c324404b806c309fcf258717921b5ae2482af

SHA256
b4769c850736655339e3dc8df848d4aa5b85feebe39125ee2ab062cf67f30085

SHA512
6c26bd1c1143d52f2a710d137f2fb42f4193194d981bd76088b2ea850f5fa99b4715ae80d1434022e852bc405bdf408549406e2be8d07efcd5431fc52ce811b9

Download Submit
C:\Windows\{48DE94EC-8BC2-4d0a-8F92-0E8C79587741}.exe

Filesize
216KB

MD5
d4b4581da5eff8b69505961b2045f470

SHA1
3343211f33f140b59e1e5bdd4dfcb65f142ff266

SHA256
48923fa2aa1652ed7d76c6b8cd3613fc3650457c7ca2b9b2ba428c68caec52eb

SHA512
b234bbc6a12482ba113de8c55203534fcc9176be6552159ed407f4b3a38df2e75bb4ab7ab3ebb95f50b8c9043eb55c60697147e40b4076392ff06e4a46045a3f

Download Submit
C:\Windows\{4E6261A1-CD41-410e-A842-F21D89838136}.exe

Filesize
216KB

MD5
85420ed4c1fa349aca0676147f4888e1

SHA1
d9312cd2a8f33a88f47b2139744daf7635308997

SHA256
ff52ede7c06a07306fcf8e085515959aa98f012238e67dafac5aa0daa08c9ce2

SHA512
0b34b6fb428d9eb8f855202387e14055acd9f8d2294501a80288a8d945741314cfaa955ac99cb358eb39a801339acc9681ab294e79d83b909ba8bdc8beed52a2

Download Submit
C:\Windows\{4FBD510C-3C8F-472b-8DB2-DB4011CF6D5B}.exe

Filesize
216KB

MD5
295e30bd588366819b28af10a5623bb3

SHA1
cac93fea255db135ce95d3f9a13ad6b75e394139

SHA256
9d3179601652d19581301400434a801b368ec594d09a60e115d3172a1c978875

SHA512
a2d850caf22da7ee4d0d5ab88bcf33ade7433a8d4986511abe0acb449120934aee44378e975a532b785167431ebc2eb246e264db9a5ce41a9fd09c8ff86bf292

Download Submit
C:\Windows\{5137AD60-523B-413a-A274-5BEF727597DC}.exe

Filesize
216KB

MD5
b7100617a366b89ecbdf05effd492d04

SHA1
bd0d9e2d46185c4b9818e1534063e10d59256131

SHA256
27992ea85e06fd5d3637e22e99111170990b5bae6cb714381d96385ae8b0b91b

SHA512
e00ae61754fb7c557c8b612cb9d1197136d10fcfa6e05824e98a5de13810d6348631d129b0c86ec8b28bc30097134c14ca90dbce9724de1f8020ed10b766589e

Download Submit
C:\Windows\{6EB789BA-8F02-41b6-A8B2-9DCF5063C276}.exe

Filesize
216KB

MD5
30960f366880c256eb61c3b49a1cbb72

SHA1
9d458fd3f82d0749a975447bf0ac5ca379831480

SHA256
de349fb3250e4471d9aee9b2661e461e6998c93c25d9241676af9e05b7abe166

SHA512
525e4692c11f7dcb8e355feae1714c11a3981da0621d2a72e019e755bb27b3f84e5ae9f126214b63e99874568e9739a75df4ed9a6d300940bf676a9f4f259f2a

Download Submit
C:\Windows\{7DD1AC2D-5C03-451d-AD54-5DA8632360D5}.exe

Filesize
216KB

MD5
cb5c3bb5b3d40fa43719d78adf9e3dff

SHA1
eb85e41a0f99d213c62a46ef85171e8a3484449c

SHA256
113014e22e2445c5a50bcf5df565ffe88e8bcb7223449d4c41ec5ca4854c6687

SHA512
8c4b952bbdb4ae1d67115430cd866848f8aafe8bc19edfdb2938b77b5206b3eedca4887d9c8b9d18cfc8af279e203ac799cf76d44bda011ad7756a2b8cd11bf7

Download Submit
C:\Windows\{84F03BE4-8195-4b3e-B831-CB6E07073E99}.exe

Filesize
216KB

MD5
5cb8a88addf243ac63c553596cef0a48

SHA1
53671b7d93046d689ab0787b6ca36d76a9c3fce0

SHA256
d1a4f4e8d27e296428005cd100639efc47025cab5a6127c7065022b8c29d0512

SHA512
6e1feb8dd1460137f2957bf8c368868bd4a1734d699f86cd3513d110d297cf4679480cc67bf6a96d56f665e9c9797694ce5ebc979a33c13f710d43f7a3ff1086

Download Submit
C:\Windows\{877C53A0-2815-4fae-BDD3-DCB94FC0A533}.exe

Filesize
216KB

MD5
bf84bcfd974ac6edf8b4eb7a45439324

SHA1
418739bda9f54ffb3053c5b4397fd8c82f68943c

SHA256
f82b3e51e5f4698be52deb80d48c7a0f674c6d08ff5a99cee6bb76d98e271dea

SHA512
6702351e76392a4070d79c0bd38ed2917aa3b9c96480255b82c6cfecaa6a2811ad8542308b34cef7fb166591c5787f81d7d37026391dcedf63436aaa0f03c40f

Download Submit
C:\Windows\{BF3577D5-9710-45a3-A8D7-C058E3AC3BF2}.exe

Filesize
216KB

MD5
d6e18c38d8145b256db8dff94e5e5b97

SHA1
85a2b2552a487ebce6f2418c9b55e3f22beb91a4

SHA256
80478dac2a3f3cbdf0b015bf76ed055e06b513598e934cf935303c830621f5ad

SHA512
8ea1092cbbdb4efdb5cf56e738fd0031fa38069757a3ff15b2134f203a31c8dc7a05b270c51614798a35c70f8aadb32f3efd88fbbc3b47dfdf4323f9308fbf58

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads