719811872fcbcc1fd4a0d2d550e4b55bc0cdb4047b02ae201ffc772282c5b22f

Analysis

max time kernel
156s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 06:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Size

372KB
MD5

f78260489f4f9b48574ba079ba7acff5
SHA1

f8f7de60ca41435c62b29e04b00399a3d1a20b56
SHA256

719811872fcbcc1fd4a0d2d550e4b55bc0cdb4047b02ae201ffc772282c5b22f
SHA512

44d11ddb279463dc469e00b4f3ba51171df882d98ce4a20226ecfc25ad493c65d1b5ca4db165072ac9e89ae4b64cb1dac454a9b6129dbe1463409115f51ab942
SSDEEP

3072:CEGh0oylMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGMlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023216-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023221-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023222-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e76b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023222-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e76b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023222-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e76b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322e-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e76b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023132-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}\stubpath = "C:\\Windows\\{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe"	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D843798A-D001-4a84-9709-C30978AF54D6}	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D843798A-D001-4a84-9709-C30978AF54D6}\stubpath = "C:\\Windows\\{D843798A-D001-4a84-9709-C30978AF54D6}.exe"	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1F4E5B4-F5B0-4716-801E-389D3036082D}	{D843798A-D001-4a84-9709-C30978AF54D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C809E9CB-D243-404f-8120-A0638CBE8951}	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}\stubpath = "C:\\Windows\\{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe"	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C809E9CB-D243-404f-8120-A0638CBE8951}\stubpath = "C:\\Windows\\{C809E9CB-D243-404f-8120-A0638CBE8951}.exe"	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}\stubpath = "C:\\Windows\\{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe"	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{238AD5E5-A075-4bb4-8B3E-3498A989A67B}	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8BDDF4D-D651-43c2-A605-C8F8678F5005}\stubpath = "C:\\Windows\\{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe"	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E9E8E2-206C-48da-8041-4081F9A3BAA5}	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEDD908-2FBF-4977-83D4-D97E137D95D0}\stubpath = "C:\\Windows\\{5CEDD908-2FBF-4977-83D4-D97E137D95D0}.exe"	{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}\stubpath = "C:\\Windows\\{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe"	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E9E8E2-206C-48da-8041-4081F9A3BAA5}\stubpath = "C:\\Windows\\{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe"	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1F4E5B4-F5B0-4716-801E-389D3036082D}\stubpath = "C:\\Windows\\{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe"	{D843798A-D001-4a84-9709-C30978AF54D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{238AD5E5-A075-4bb4-8B3E-3498A989A67B}\stubpath = "C:\\Windows\\{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe"	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8BDDF4D-D651-43c2-A605-C8F8678F5005}	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}\stubpath = "C:\\Windows\\{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe"	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEDD908-2FBF-4977-83D4-D97E137D95D0}	{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe

Executes dropped EXE 12 IoCs

pid	Process
772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe
5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe
2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe
3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe
2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe
3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe
3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe
4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe
3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe
2988	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe
3124	{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe
3360	{5CEDD908-2FBF-4977-83D4-D97E137D95D0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D843798A-D001-4a84-9709-C30978AF54D6}.exe	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
File created	C:\Windows\{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe	{D843798A-D001-4a84-9709-C30978AF54D6}.exe
File created	C:\Windows\{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe
File created	C:\Windows\{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe
File created	C:\Windows\{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe
File created	C:\Windows\{C809E9CB-D243-404f-8120-A0638CBE8951}.exe	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe
File created	C:\Windows\{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe
File created	C:\Windows\{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe
File created	C:\Windows\{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe
File created	C:\Windows\{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe
File created	C:\Windows\{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe
File created	C:\Windows\{5CEDD908-2FBF-4977-83D4-D97E137D95D0}.exe	{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe
Token: SeIncBasePriorityPrivilege	5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe
Token: SeIncBasePriorityPrivilege	2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe
Token: SeIncBasePriorityPrivilege	3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe
Token: SeIncBasePriorityPrivilege	2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe
Token: SeIncBasePriorityPrivilege	3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe
Token: SeIncBasePriorityPrivilege	3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe
Token: SeIncBasePriorityPrivilege	4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe
Token: SeIncBasePriorityPrivilege	3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe
Token: SeIncBasePriorityPrivilege	2988	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe
Token: SeIncBasePriorityPrivilege	3124	{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 772	3024	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	95
PID 3024 wrote to memory of 772	3024	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	95
PID 3024 wrote to memory of 772	3024	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	95
PID 3024 wrote to memory of 576	3024	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	96
PID 3024 wrote to memory of 576	3024	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	96
PID 3024 wrote to memory of 576	3024	2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe	96
PID 772 wrote to memory of 5088	772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe	100
PID 772 wrote to memory of 5088	772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe	100
PID 772 wrote to memory of 5088	772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe	100
PID 772 wrote to memory of 3628	772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe	101
PID 772 wrote to memory of 3628	772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe	101
PID 772 wrote to memory of 3628	772	{D843798A-D001-4a84-9709-C30978AF54D6}.exe	101
PID 5088 wrote to memory of 2620	5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe	103
PID 5088 wrote to memory of 2620	5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe	103
PID 5088 wrote to memory of 2620	5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe	103
PID 5088 wrote to memory of 4256	5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe	104
PID 5088 wrote to memory of 4256	5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe	104
PID 5088 wrote to memory of 4256	5088	{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe	104
PID 2620 wrote to memory of 3820	2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe	105
PID 2620 wrote to memory of 3820	2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe	105
PID 2620 wrote to memory of 3820	2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe	105
PID 2620 wrote to memory of 3068	2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe	106
PID 2620 wrote to memory of 3068	2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe	106
PID 2620 wrote to memory of 3068	2620	{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe	106
PID 3820 wrote to memory of 2152	3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe	107
PID 3820 wrote to memory of 2152	3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe	107
PID 3820 wrote to memory of 2152	3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe	107
PID 3820 wrote to memory of 4124	3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe	108
PID 3820 wrote to memory of 4124	3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe	108
PID 3820 wrote to memory of 4124	3820	{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe	108
PID 2152 wrote to memory of 3732	2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe	110
PID 2152 wrote to memory of 3732	2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe	110
PID 2152 wrote to memory of 3732	2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe	110
PID 2152 wrote to memory of 1704	2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe	111
PID 2152 wrote to memory of 1704	2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe	111
PID 2152 wrote to memory of 1704	2152	{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe	111
PID 3732 wrote to memory of 3584	3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe	112
PID 3732 wrote to memory of 3584	3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe	112
PID 3732 wrote to memory of 3584	3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe	112
PID 3732 wrote to memory of 1428	3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe	113
PID 3732 wrote to memory of 1428	3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe	113
PID 3732 wrote to memory of 1428	3732	{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe	113
PID 3584 wrote to memory of 4000	3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe	114
PID 3584 wrote to memory of 4000	3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe	114
PID 3584 wrote to memory of 4000	3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe	114
PID 3584 wrote to memory of 3200	3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe	115
PID 3584 wrote to memory of 3200	3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe	115
PID 3584 wrote to memory of 3200	3584	{C809E9CB-D243-404f-8120-A0638CBE8951}.exe	115
PID 4000 wrote to memory of 3892	4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe	122
PID 4000 wrote to memory of 3892	4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe	122
PID 4000 wrote to memory of 3892	4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe	122
PID 4000 wrote to memory of 2284	4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe	123
PID 4000 wrote to memory of 2284	4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe	123
PID 4000 wrote to memory of 2284	4000	{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe	123
PID 3892 wrote to memory of 2988	3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe	124
PID 3892 wrote to memory of 2988	3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe	124
PID 3892 wrote to memory of 2988	3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe	124
PID 3892 wrote to memory of 2480	3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe	125
PID 3892 wrote to memory of 2480	3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe	125
PID 3892 wrote to memory of 2480	3892	{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe	125
PID 2988 wrote to memory of 3124	2988	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe	126
PID 2988 wrote to memory of 3124	2988	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe	126
PID 2988 wrote to memory of 3124	2988	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe	126
PID 2988 wrote to memory of 4124	2988	{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_f78260489f4f9b48574ba079ba7acff5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{D843798A-D001-4a84-9709-C30978AF54D6}.exe
  C:\Windows\{D843798A-D001-4a84-9709-C30978AF54D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe
    C:\Windows\{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe
      C:\Windows\{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe
        
        C:\Windows\{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
      - C:\Windows\{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe
        
        C:\Windows\{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe
        
        C:\Windows\{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{C809E9CB-D243-404f-8120-A0638CBE8951}.exe
        
        C:\Windows\{C809E9CB-D243-404f-8120-A0638CBE8951}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe
        
        C:\Windows\{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe
        
        C:\Windows\{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe
        
        C:\Windows\{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe
        
        C:\Windows\{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
        
        C:\Windows\{5CEDD908-2FBF-4977-83D4-D97E137D95D0}.exe
        
        C:\Windows\{5CEDD908-2FBF-4977-83D4-D97E137D95D0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19E9E~1.EXE > nul
        13⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AFC8~1.EXE > nul
        12⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA1CD~1.EXE > nul
        11⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79E4B~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C809E~1.EXE > nul
        9⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39548~1.EXE > nul
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8BDD~1.EXE > nul
        7⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{238AD~1.EXE > nul
        6⤵
        
        PID:4124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D31AC~1.EXE > nul
        5⤵
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F4E~1.EXE > nul
      4⤵
      PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8437~1.EXE > nul
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19E9E8E2-206C-48da-8041-4081F9A3BAA5}.exe

Filesize
372KB

MD5
839107d81ae02acd6bb0d616ab205611

SHA1
9f31544073fb235bdfb9de8f8eb32f60f8b2b5d8

SHA256
27e118444b15f695d80f56bb6f8fbe0e0c83c04d4c7716ec4e77ffac24034aea

SHA512
1eacf7023a962129eaf767448310b615fd082761b313bf4c506b9f7132a5332cf71c0c2fa73bc502b43195bab7928f15fc52279745cf46ddd2c421e6411bf537

Download Submit
C:\Windows\{238AD5E5-A075-4bb4-8B3E-3498A989A67B}.exe

Filesize
372KB

MD5
4005dbae0cc3b4ad8399badfa214aeb2

SHA1
9441864bd829508dfc2f34c67d69042f648693d7

SHA256
46fd212adcd94838dc230b6aac644adf2ba4282a0d11663bf212664188ce1030

SHA512
d9af57407309378622b9704cd003241ebb4bba41d3890e0c02b35297b6ffe6fa4fba7889410ac93c9a7aafed9d75a72910df1d074c4b18e25e5ff105887f9f3e

Download Submit
C:\Windows\{395482B5-1A4C-4fd0-9F18-ACEF4FE192F7}.exe

Filesize
372KB

MD5
88347e7215dd70cfb7675d3c5b926555

SHA1
f3b2881604f784bbf25b6628e1bc37fdfebff936

SHA256
c001797a645931090767576b8d41985ad590f47014ad8b72d327aaafc96f49a8

SHA512
83dfce4f62a0840e090529ca16d33bad616368340c955b9ebd0c481d23b81f80b96cac0d47c7040ccc309532ab16c56ffa0018d446206d909a5c1e49fc958e8f

Download Submit
C:\Windows\{5CEDD908-2FBF-4977-83D4-D97E137D95D0}.exe

Filesize
372KB

MD5
a03a83a85e7bc8234cec76aaf4a576f3

SHA1
2367e91b430a7f206480e9afa289e7d9e10e1470

SHA256
ebde4e9b4a9ce1ab478d0b4673f6f1217f2123092dc1f24c299eddb47216337f

SHA512
dad7ff8dca47c8e1445c89a43cb133c73fa619df76c4e2fd09f25f7e0144a590de6070f05894c87ff7c20e1239d027309af7fc469b2e8f89f64cf87d5832cffb

Download Submit
C:\Windows\{79E4B883-B84D-433e-B6E0-6F0CC7467DF1}.exe

Filesize
372KB

MD5
7e3e6c162b4e96a3896b7f09b52356c0

SHA1
50292381e5884d25bee8fc3c6dfd9777e9b79739

SHA256
4348132cc87ff549e473b300e1c8191d4fdd97fa4ae4ba680a018a9876452186

SHA512
9c53a70bc332a6d64f4e073483dc85cc43d490ec51e076556ccbd3b32f9b2c4edcfb5ee4925814ca7bfc8848e034d3e99cffc9ff9829657d3e6653987cee3e68

Download Submit
C:\Windows\{8AFC8C0C-74D5-4d74-A335-150B0C47E9F4}.exe

Filesize
372KB

MD5
97290e1c48813cfbde79038ad8472a55

SHA1
ed934c9ada06a9d431825eeba5e1d2fe7dc1c2b7

SHA256
5616943c3e405d0a4a66032544c9045ff974d7d1815a59d16184f6fa204f584a

SHA512
712d383dce276e48dc155d50a1880d9465dace993e427c3600a72a8b1f8a6bc9039a77d1950092ac0d744569ccf0f17e93a19cbdd55828edafa7e31495601044

Download Submit
C:\Windows\{B1F4E5B4-F5B0-4716-801E-389D3036082D}.exe

Filesize
372KB

MD5
de5ddc27fbeb63db68982045954a5c32

SHA1
58202a8351b546345985d39b6a5d2cfbedf79ff2

SHA256
72cdfeef4dd7a4c6b3ff3a40a62c38866715ee6857e89d5f6619ac5361a806f3

SHA512
e1ee28e68b0b741c12751d834af70cc89f919f1debf5db9df977806fcc1ad42fbb5767648b8fe8bca81adc4a75a3009572e317de9df79105cd378cf05d94ee09

Download Submit
C:\Windows\{C809E9CB-D243-404f-8120-A0638CBE8951}.exe

Filesize
372KB

MD5
48d58d4866648eca2e7969a351e0ee85

SHA1
81c9290c94733a93f3aff4c8baa4591859956122

SHA256
ae6a262b6160e3a1466aa1f5c1b99e8224f182a09deae4d62bce2e22160fc4b1

SHA512
92bd1d1406aa1703360a7f9077d2ac0d93033100c5c04ebe9858a3ace5d7207a973ab4dc7c5a12f12ee11bdb0928d629cdec4080f23e8470d8bc977169c909b8

Download Submit
C:\Windows\{D31AC26A-47C2-4fd1-A5D0-CA0C530BD049}.exe

Filesize
372KB

MD5
07b7059c3bf8a8b6cbf27f2ff207e7bf

SHA1
9ddf08549d7f8d846f7b2ab5af0c091aa618723d

SHA256
809ce6c17b12a31a41253fbeceae0cc2b24f80004151ea2c79ffffec8135f3b7

SHA512
1de6fe1fb60061b6ad1874a3a1144ef5a808c8dd4e61241ef3c1c28fe35f7ea59fae0e111785343fa26f4cc33531f9ea77184ebde3cd5464b146fc3e9ec24adc

Download Submit
C:\Windows\{D843798A-D001-4a84-9709-C30978AF54D6}.exe

Filesize
372KB

MD5
7e781faa3b9f87c7d3dd4662cf4e033f

SHA1
1e1110094771012e1dcad8ddc9127dbbd9354f5f

SHA256
74be30c007307cbf2a50bd77d1e2fa9480bbe04f3d2edff74b39e4ec2e5fe13b

SHA512
79169079642ec3ffdfa1ca156789eace124772654e2510c9f9f050899e08f81c815261d3a8b7ea23c669d26dc015781a76571894713fcc3ccbc80577fda9e031

Download Submit
C:\Windows\{DA1CD6A9-297F-4a11-9C72-C34E720A5E4D}.exe

Filesize
372KB

MD5
99b337b6dcdfd55d89c9b26f2473b84d

SHA1
ba7ee216a1d7e7a47e069c64bea3de96800bc645

SHA256
424b4a44c22ecd735bda1a60abedabf70438156451bb13cf0b45f41520089854

SHA512
39a8d03dcf83aa1868c8f1d5351db63c171050408f0325f03d71f12c4def586ceb4bff219dcacfaa95e965b59bbc5d3a0f0065dc810102acf9393a4252cf9a90

Download Submit
C:\Windows\{E8BDDF4D-D651-43c2-A605-C8F8678F5005}.exe

Filesize
372KB

MD5
ba0a690c667a70df5e872fd53446a28e

SHA1
8ef4751958a95f19c607ba7d3cbf6c0a16368e9e

SHA256
274005a9055dde153f27f5439ce581769c03e6edf5d419b05ac9dc36c3cde6d2

SHA512
c43d2d3d38cd9cec68235af31a1d1397ff0527042b6a008f381188edd1603224b2617da3bd3f6c14640dc50aaeee54e1a4a083b206d25f56047dcb8c93a7435e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads