04988e3086505e7c39e44cfc596f3472a098a391cde055913a4ca631b0d46d43

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 02:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe
Size

408KB
MD5

02c1640e0b767045a4cd8953c29b1ddc
SHA1

7c6a091b4bd84d0d3f977a739437f68884dcde20
SHA256

04988e3086505e7c39e44cfc596f3472a098a391cde055913a4ca631b0d46d43
SHA512

55720e64a3624c3a8c00866944c6745c845e38490b55114c301dc377883cdf01f2f14d4fc087642e3896ed535472c7c7f621689e3bcc206882276f3f2b8e39ac
SSDEEP

3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGmldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023230-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023230-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023239-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023240-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016923-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023240-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016923-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023240-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016923-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023139-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023140-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023139-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023141-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}\stubpath = "C:\\Windows\\{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe"	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F047320-8D16-4bb0-9BBB-4070554FD182}	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10305235-054E-4c0e-82F3-BB2E61966894}	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}\stubpath = "C:\\Windows\\{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe"	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9D26052-44BF-4b1d-90AD-45083AF69D46}\stubpath = "C:\\Windows\\{F9D26052-44BF-4b1d-90AD-45083AF69D46}.exe"	{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1428C315-AB8B-435c-8077-592526AA1769}\stubpath = "C:\\Windows\\{1428C315-AB8B-435c-8077-592526AA1769}.exe"	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1326066C-F281-46f8-A77B-EFE4A37C6FB7}\stubpath = "C:\\Windows\\{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe"	{1428C315-AB8B-435c-8077-592526AA1769}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F047320-8D16-4bb0-9BBB-4070554FD182}\stubpath = "C:\\Windows\\{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe"	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}\stubpath = "C:\\Windows\\{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe"	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA7B42C-1690-48d2-B591-1A6C929C455B}	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}\stubpath = "C:\\Windows\\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe"	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1326066C-F281-46f8-A77B-EFE4A37C6FB7}	{1428C315-AB8B-435c-8077-592526AA1769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{093CC1CB-A2BC-4752-9263-63C4038F1A3B}\stubpath = "C:\\Windows\\{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe"	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10305235-054E-4c0e-82F3-BB2E61966894}\stubpath = "C:\\Windows\\{10305235-054E-4c0e-82F3-BB2E61966894}.exe"	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}	{10305235-054E-4c0e-82F3-BB2E61966894}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9D26052-44BF-4b1d-90AD-45083AF69D46}	{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1428C315-AB8B-435c-8077-592526AA1769}	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{093CC1CB-A2BC-4752-9263-63C4038F1A3B}	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}\stubpath = "C:\\Windows\\{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe"	{10305235-054E-4c0e-82F3-BB2E61966894}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA7B42C-1690-48d2-B591-1A6C929C455B}\stubpath = "C:\\Windows\\{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe"	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe

Executes dropped EXE 12 IoCs

pid	Process
1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe
3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe
3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe
3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe
1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe
920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe
1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe
3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe
4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe
4204	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe
3764	{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe
2928	{F9D26052-44BF-4b1d-90AD-45083AF69D46}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe
File created	C:\Windows\{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe
File created	C:\Windows\{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe
File created	C:\Windows\{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe
File created	C:\Windows\{F9D26052-44BF-4b1d-90AD-45083AF69D46}.exe	{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe
File created	C:\Windows\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe
File created	C:\Windows\{1428C315-AB8B-435c-8077-592526AA1769}.exe	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe
File created	C:\Windows\{10305235-054E-4c0e-82F3-BB2E61966894}.exe	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe
File created	C:\Windows\{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe	{10305235-054E-4c0e-82F3-BB2E61966894}.exe
File created	C:\Windows\{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe
File created	C:\Windows\{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe	{1428C315-AB8B-435c-8077-592526AA1769}.exe
File created	C:\Windows\{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2940	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe
Token: SeIncBasePriorityPrivilege	3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe
Token: SeIncBasePriorityPrivilege	3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe
Token: SeIncBasePriorityPrivilege	3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe
Token: SeIncBasePriorityPrivilege	1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe
Token: SeIncBasePriorityPrivilege	920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe
Token: SeIncBasePriorityPrivilege	1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe
Token: SeIncBasePriorityPrivilege	3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe
Token: SeIncBasePriorityPrivilege	4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe
Token: SeIncBasePriorityPrivilege	4204	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe
Token: SeIncBasePriorityPrivilege	3764	{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1856	2940	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe	101
PID 2940 wrote to memory of 1856	2940	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe	101
PID 2940 wrote to memory of 1856	2940	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe	101
PID 2940 wrote to memory of 3148	2940	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe	102
PID 2940 wrote to memory of 3148	2940	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe	102
PID 2940 wrote to memory of 3148	2940	2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe	102
PID 1856 wrote to memory of 3668	1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe	105
PID 1856 wrote to memory of 3668	1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe	105
PID 1856 wrote to memory of 3668	1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe	105
PID 1856 wrote to memory of 1120	1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe	106
PID 1856 wrote to memory of 1120	1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe	106
PID 1856 wrote to memory of 1120	1856	{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe	106
PID 3668 wrote to memory of 3392	3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe	108
PID 3668 wrote to memory of 3392	3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe	108
PID 3668 wrote to memory of 3392	3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe	108
PID 3668 wrote to memory of 4368	3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe	109
PID 3668 wrote to memory of 4368	3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe	109
PID 3668 wrote to memory of 4368	3668	{1428C315-AB8B-435c-8077-592526AA1769}.exe	109
PID 3392 wrote to memory of 3888	3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe	112
PID 3392 wrote to memory of 3888	3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe	112
PID 3392 wrote to memory of 3888	3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe	112
PID 3392 wrote to memory of 5028	3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe	113
PID 3392 wrote to memory of 5028	3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe	113
PID 3392 wrote to memory of 5028	3392	{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe	113
PID 3888 wrote to memory of 1472	3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe	114
PID 3888 wrote to memory of 1472	3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe	114
PID 3888 wrote to memory of 1472	3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe	114
PID 3888 wrote to memory of 3816	3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe	115
PID 3888 wrote to memory of 3816	3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe	115
PID 3888 wrote to memory of 3816	3888	{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe	115
PID 1472 wrote to memory of 920	1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe	117
PID 1472 wrote to memory of 920	1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe	117
PID 1472 wrote to memory of 920	1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe	117
PID 1472 wrote to memory of 1652	1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe	118
PID 1472 wrote to memory of 1652	1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe	118
PID 1472 wrote to memory of 1652	1472	{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe	118
PID 920 wrote to memory of 1932	920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe	119
PID 920 wrote to memory of 1932	920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe	119
PID 920 wrote to memory of 1932	920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe	119
PID 920 wrote to memory of 2928	920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe	120
PID 920 wrote to memory of 2928	920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe	120
PID 920 wrote to memory of 2928	920	{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe	120
PID 1932 wrote to memory of 3004	1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe	121
PID 1932 wrote to memory of 3004	1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe	121
PID 1932 wrote to memory of 3004	1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe	121
PID 1932 wrote to memory of 4192	1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe	122
PID 1932 wrote to memory of 4192	1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe	122
PID 1932 wrote to memory of 4192	1932	{10305235-054E-4c0e-82F3-BB2E61966894}.exe	122
PID 3004 wrote to memory of 4180	3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe	130
PID 3004 wrote to memory of 4180	3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe	130
PID 3004 wrote to memory of 4180	3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe	130
PID 3004 wrote to memory of 1564	3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe	131
PID 3004 wrote to memory of 1564	3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe	131
PID 3004 wrote to memory of 1564	3004	{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe	131
PID 4180 wrote to memory of 4204	4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe	132
PID 4180 wrote to memory of 4204	4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe	132
PID 4180 wrote to memory of 4204	4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe	132
PID 4180 wrote to memory of 844	4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe	133
PID 4180 wrote to memory of 844	4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe	133
PID 4180 wrote to memory of 844	4180	{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe	133
PID 4204 wrote to memory of 3764	4204	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe	134
PID 4204 wrote to memory of 3764	4204	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe	134
PID 4204 wrote to memory of 3764	4204	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe	134
PID 4204 wrote to memory of 508	4204	{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_02c1640e0b767045a4cd8953c29b1ddc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe
  C:\Windows\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\{1428C315-AB8B-435c-8077-592526AA1769}.exe
    C:\Windows\{1428C315-AB8B-435c-8077-592526AA1769}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe
      C:\Windows\{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe
        
        C:\Windows\{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
      - C:\Windows\{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe
        
        C:\Windows\{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe
        
        C:\Windows\{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{10305235-054E-4c0e-82F3-BB2E61966894}.exe
        
        C:\Windows\{10305235-054E-4c0e-82F3-BB2E61966894}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe
        
        C:\Windows\{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe
        
        C:\Windows\{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe
        
        C:\Windows\{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe
        
        C:\Windows\{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
        
        C:\Windows\{F9D26052-44BF-4b1d-90AD-45083AF69D46}.exe
        
        C:\Windows\{F9D26052-44BF-4b1d-90AD-45083AF69D46}.exe
        13⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECFA8~1.EXE > nul
        13⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBA7B~1.EXE > nul
        12⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B19EB~1.EXE > nul
        11⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFA56~1.EXE > nul
        10⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10305~1.EXE > nul
        9⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{093CC~1.EXE > nul
        8⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F047~1.EXE > nul
        7⤵
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D84B6~1.EXE > nul
        6⤵
        
        PID:3816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13260~1.EXE > nul
        5⤵
        
        PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1428C~1.EXE > nul
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30E7C~1.EXE > nul
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{093CC1CB-A2BC-4752-9263-63C4038F1A3B}.exe

Filesize
408KB

MD5
4d7ac3c828351351aaeec1bd5f0398fb

SHA1
a4d515dda62bc190cfa9f885ccfcc35f2f64af82

SHA256
48003d66f1b75da584ce80dbc190aa2f034ab36b9eefc1ed8dd70e3cf6f9a63f

SHA512
3a868ef907cfcc38aee614ecab43faa5247bbb576c8a94f86b6b7d8e9559e1a56c9a97ec868c6bd13edf5a1519cbffc94fa092f55d3d330a98b79d9beed04048

Download Submit
C:\Windows\{10305235-054E-4c0e-82F3-BB2E61966894}.exe

Filesize
408KB

MD5
3dc0fa9d4965ae81f038492dc388774e

SHA1
4a447e3be96d9f2989d5e47041b4d5b90ffde576

SHA256
1a411c3b201c64082a0bd792c21109d6851890b6a513e82a86a80f9630166ab2

SHA512
accdfbf8bc890241fd37d52701205312ccfe6d127360ba771c988bd0ba9a7aface1d97c73c836a1015cd0a914f156080db602614329ec10da0b278036e5c7c02

Download Submit
C:\Windows\{1326066C-F281-46f8-A77B-EFE4A37C6FB7}.exe

Filesize
408KB

MD5
7e15dda575dec97252f86b998072a3ce

SHA1
c1f1b360972cdf1dcb6eede3073af61adc6a8f9d

SHA256
d90ca7025d713fb2a39d58afeb1ebd3d448637d1fb8d8a35b893d338d769651a

SHA512
8cdcf0aa36a3d69dcb9e15383305aaeaf942535fe19fc40fe88262ae108bd3bf3839cff96ebc81c6244aaaa3a14e266f5c106285f869013af4cd835437dbaffb

Download Submit
C:\Windows\{1428C315-AB8B-435c-8077-592526AA1769}.exe

Filesize
408KB

MD5
674774be6ece2a23ae6cc45e13c53f17

SHA1
15d329f629f47e0b661b72cf6d30ed8c4685da22

SHA256
c7f1dd5f4bccd0718b1730d102d31d9c5d1b984b17fefe28208086013d618db6

SHA512
207d762471898c66683e6e7844ce9549ab4d2981a5dc9dc9b93053d253f9fb0b13a898379d01dfb38898b7ee3340c5d7a30972d9c216b5b1a192911b24be289c

Download Submit
C:\Windows\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe

Filesize
294KB

MD5
ede892edb16c43bb939000ddc81b398e

SHA1
b24160f2c9b4af4ce22f83758deeab7b47aca2ab

SHA256
f35b82029895dca8faf2f5c09796247345850e2ce7c59f6da1d95190e118c2a4

SHA512
846f329a79401677de4e0ed6523a0a5fc9fc036be9f66f92bd0c997cbf3a7d9ebf95277b1392e3649c8f449974b842def2cae45c95dcbf11e12417eab5bf94cc

Download Submit
C:\Windows\{30E7C6CC-7668-4ab3-A2EC-D54FF9AA84BA}.exe

Filesize
256KB

MD5
808b0e16dfc54687bb553f8176365531

SHA1
20a828c2bdef8ec13c8eae0da23413da30d51639

SHA256
15f11998fd502d4b43e2783ff8cc11d89e815c6db524f6576f36d3381fd36099

SHA512
7184f70eabfe0759a486a92d3770ffcd90cdc7f5d573cd0829683671b169a608ee842ba23ae86a0fd6bba9866e6fc3f35608225b45c306d7a670bb375872af14

Download Submit
C:\Windows\{8F047320-8D16-4bb0-9BBB-4070554FD182}.exe

Filesize
408KB

MD5
6f46d1f8f13c968a56781d218e0e41a0

SHA1
9e0a102e54d3a8266cf6b2cd6723938f7c299a9c

SHA256
0853074f8bb0e9bda4a3cd5f00792d53bef614a2a84cb451490ea71d6aaddad4

SHA512
d084c55b72a0367584a978197801f3ca0dafaffff55fa0944af8f6337317d9492b5d436ee9c11d4f7bed6e898ad62d055f8d083dba0268fed74c367c88d00067

Download Submit
C:\Windows\{B19EBDF0-0CB2-4da4-8EF7-D774F9E7FE9F}.exe

Filesize
408KB

MD5
c3b37ae8ff277bdeb5d9e3098ff6e815

SHA1
6b6b1ead2397cb05d4260b523ce94f3bc7c890ef

SHA256
75979782772d861883e9005c3d3ebac2f91e77926d66446225c5f98e6ce98900

SHA512
67cf514b38993b2ffe6b364df95d85c15c30bc6f0c45cbf9bafc0eb64e7699ed8981a55c9cca8e7b6e2aa5eba8238899d5faacb7ee8d0b0784de301480c889e9

Download Submit
C:\Windows\{BFA56ABE-7123-4c7f-AF94-5B7FC2D97BD0}.exe

Filesize
408KB

MD5
07d78c675227ae9d782438adaac45473

SHA1
74660d5a5df7cc0b0917b8d1994d3c79ab3fb88c

SHA256
6c45ff4ae3a8695de970eda136beb3fa7d5adfb5e6c79da985527d01c8cee4a3

SHA512
293f7b430a3a9e3098d6dda62712e4cf0c7c6ae0592878bace72c5433c3d57cd5f0e97e2ee11116876ceda363c38560c65121ea3d629be60f2116d64ac2e12d8

Download Submit
C:\Windows\{D84B6188-A84F-4306-B5E4-B1CBF7A177DA}.exe

Filesize
408KB

MD5
27a009ef2bfc81ad61f138be1f019649

SHA1
d10dd2994cacac96c6bf138faff348646cd45ae6

SHA256
be92027a2354ed6de1ae794dae6a6d329eae4d30d53dc9470c0c1f3272713d4e

SHA512
7f6fd6bb2844e4d65f7e44b994f4fc234aaad45210b6c435a38bbf92a6727e73c158cf3d3075f151127add7843edd4f0f1020bd8a5e7499f4d30419fe5287008

Download Submit
C:\Windows\{ECFA8F3A-AD54-46f1-9F7C-19FF5497FA90}.exe

Filesize
408KB

MD5
6d8a5f6cc0bb5c7969e8f02c1e56f40c

SHA1
46e8ae5141fb26ca61aa457df872af462fddd541

SHA256
c41bb1fa1927c40ef94a030c846831578136d8bf06a265aeee469dfabfaaf3fc

SHA512
ab445b82f4f0eef99b2bb2d99331194ab9d075ae257aff049773ab32a192a36706eb971ff4893aafc037ca7a15e73407da46880805493deda8be6f5539766732

Download Submit
C:\Windows\{F9D26052-44BF-4b1d-90AD-45083AF69D46}.exe

Filesize
408KB

MD5
85f7ba36b059b1330e926d1ad5e84bc2

SHA1
4472605c6f6d8c5dd6ec82199c6e0ebfcbd3aa84

SHA256
da6d916a355bf48bbe814b458c10e1df1c2314b1e449b0e99c534b9a07897596

SHA512
4365308d4d0e25cbee111350e7187d91513cf61c9db0b5f502146a9541b5b3552422b2b62df0ce065cac2eed34e4d6a9e97ca4e46d64a9b1b4e598c6a125bb03

Download Submit
C:\Windows\{FBA7B42C-1690-48d2-B591-1A6C929C455B}.exe

Filesize
408KB

MD5
4e5bfece03e69a1fec575cbed4f1a8c0

SHA1
a6efd90929792e0b62fe1d9159d3ddd408a34842

SHA256
da2995301a1257716bdcdbadf424d5915288a822eb4fd196cf3a541a7f00be26

SHA512
11d951e5552133342d5a6c0db9d65698c561b9844d18be5afa83f1eeb30e67a9feaa398f3ec4e4327987ac0d88622f37423d355fdac5c568f9c548b99aa7c6d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads