a5c8795050e34692a6fe2f01af9f29a9a06b303ec9969fb98826fe42b63f5fa3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Size

380KB
MD5

c38a63f7e9d858e8f293a7e5dc7cf962
SHA1

3d5e95a9434aa8cc0d3d3ac35d304b9d5adb02b2
SHA256

a5c8795050e34692a6fe2f01af9f29a9a06b303ec9969fb98826fe42b63f5fa3
SHA512

fc5d50ba7535d39060636d69041a2e3e0e2c3bcd8940fd661f676e47ba1f6f800569d6aeac0e6f2ea320d9fc67dfbfa27c345bf65612fb49d8dfd7d113e3d8d4
SSDEEP

3072:mEGh0oglPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGOl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 16 IoCs

resource	yara_rule
behavioral2/files/0x000700000002323c-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023245-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023245-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325f-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002335c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002335c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000216c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233d6-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234db-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233d6-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233d6-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{449B21DF-739A-4820-8710-A2389433A2D3}\stubpath = "C:\\Windows\\{449B21DF-739A-4820-8710-A2389433A2D3}.exe"	{667C6505-B3A7-425a-872A-359AF925B031}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}\stubpath = "C:\\Windows\\{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe"	{449B21DF-739A-4820-8710-A2389433A2D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CE0323A-40F0-4137-9DD9-678667B09C1D}	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFEF72D4-CC2E-470d-A130-4DFE386D1003}	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506E7682-6302-4f2e-A956-1A5EC0C1E44E}	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667C6505-B3A7-425a-872A-359AF925B031}	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}	{449B21DF-739A-4820-8710-A2389433A2D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}	{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6171B956-D10E-4f37-B275-60240CD99B02}	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6171B956-D10E-4f37-B275-60240CD99B02}\stubpath = "C:\\Windows\\{6171B956-D10E-4f37-B275-60240CD99B02}.exe"	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}	{6171B956-D10E-4f37-B275-60240CD99B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506E7682-6302-4f2e-A956-1A5EC0C1E44E}\stubpath = "C:\\Windows\\{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe"	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667C6505-B3A7-425a-872A-359AF925B031}\stubpath = "C:\\Windows\\{667C6505-B3A7-425a-872A-359AF925B031}.exe"	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{449B21DF-739A-4820-8710-A2389433A2D3}	{667C6505-B3A7-425a-872A-359AF925B031}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}\stubpath = "C:\\Windows\\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe"	{6171B956-D10E-4f37-B275-60240CD99B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2840D4C-407E-4159-949B-2FC411373689}\stubpath = "C:\\Windows\\{E2840D4C-407E-4159-949B-2FC411373689}.exe"	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AF29619-D57A-4b52-A5B8-355934012AFD}\stubpath = "C:\\Windows\\{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe"	{E2840D4C-407E-4159-949B-2FC411373689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CE0323A-40F0-4137-9DD9-678667B09C1D}\stubpath = "C:\\Windows\\{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe"	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}\stubpath = "C:\\Windows\\{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}.exe"	{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2840D4C-407E-4159-949B-2FC411373689}	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AF29619-D57A-4b52-A5B8-355934012AFD}	{E2840D4C-407E-4159-949B-2FC411373689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFEF72D4-CC2E-470d-A130-4DFE386D1003}\stubpath = "C:\\Windows\\{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe"	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}\stubpath = "C:\\Windows\\{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe"	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe
4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe
3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe
1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe
3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe
1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe
3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe
216	{667C6505-B3A7-425a-872A-359AF925B031}.exe
4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe
1324	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe
2624	{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe
3180	{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe
File created	C:\Windows\{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}.exe	{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe
File created	C:\Windows\{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe	{E2840D4C-407E-4159-949B-2FC411373689}.exe
File created	C:\Windows\{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe
File created	C:\Windows\{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe
File created	C:\Windows\{449B21DF-739A-4820-8710-A2389433A2D3}.exe	{667C6505-B3A7-425a-872A-359AF925B031}.exe
File created	C:\Windows\{667C6505-B3A7-425a-872A-359AF925B031}.exe	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe
File created	C:\Windows\{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe	{449B21DF-739A-4820-8710-A2389433A2D3}.exe
File created	C:\Windows\{6171B956-D10E-4f37-B275-60240CD99B02}.exe	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
File created	C:\Windows\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe	{6171B956-D10E-4f37-B275-60240CD99B02}.exe
File created	C:\Windows\{E2840D4C-407E-4159-949B-2FC411373689}.exe	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe
File created	C:\Windows\{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1176	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe
Token: SeIncBasePriorityPrivilege	4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe
Token: SeIncBasePriorityPrivilege	3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe
Token: SeIncBasePriorityPrivilege	1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe
Token: SeIncBasePriorityPrivilege	3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe
Token: SeIncBasePriorityPrivilege	1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe
Token: SeIncBasePriorityPrivilege	3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe
Token: SeIncBasePriorityPrivilege	216	{667C6505-B3A7-425a-872A-359AF925B031}.exe
Token: SeIncBasePriorityPrivilege	4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe
Token: SeIncBasePriorityPrivilege	1324	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe
Token: SeIncBasePriorityPrivilege	2624	{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3512	1176	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	99
PID 1176 wrote to memory of 3512	1176	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	99
PID 1176 wrote to memory of 3512	1176	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	99
PID 1176 wrote to memory of 1412	1176	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	100
PID 1176 wrote to memory of 1412	1176	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	100
PID 1176 wrote to memory of 1412	1176	2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe	100
PID 3512 wrote to memory of 4484	3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe	101
PID 3512 wrote to memory of 4484	3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe	101
PID 3512 wrote to memory of 4484	3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe	101
PID 3512 wrote to memory of 2608	3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe	102
PID 3512 wrote to memory of 2608	3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe	102
PID 3512 wrote to memory of 2608	3512	{6171B956-D10E-4f37-B275-60240CD99B02}.exe	102
PID 4484 wrote to memory of 3792	4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe	106
PID 4484 wrote to memory of 3792	4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe	106
PID 4484 wrote to memory of 3792	4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe	106
PID 4484 wrote to memory of 4376	4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe	107
PID 4484 wrote to memory of 4376	4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe	107
PID 4484 wrote to memory of 4376	4484	{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe	107
PID 3792 wrote to memory of 1228	3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe	108
PID 3792 wrote to memory of 1228	3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe	108
PID 3792 wrote to memory of 1228	3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe	108
PID 3792 wrote to memory of 3480	3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe	109
PID 3792 wrote to memory of 3480	3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe	109
PID 3792 wrote to memory of 3480	3792	{E2840D4C-407E-4159-949B-2FC411373689}.exe	109
PID 1228 wrote to memory of 3092	1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe	110
PID 1228 wrote to memory of 3092	1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe	110
PID 1228 wrote to memory of 3092	1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe	110
PID 1228 wrote to memory of 632	1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe	111
PID 1228 wrote to memory of 632	1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe	111
PID 1228 wrote to memory of 632	1228	{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe	111
PID 3092 wrote to memory of 1036	3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe	113
PID 3092 wrote to memory of 1036	3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe	113
PID 3092 wrote to memory of 1036	3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe	113
PID 3092 wrote to memory of 2868	3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe	114
PID 3092 wrote to memory of 2868	3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe	114
PID 3092 wrote to memory of 2868	3092	{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe	114
PID 1036 wrote to memory of 3200	1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe	115
PID 1036 wrote to memory of 3200	1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe	115
PID 1036 wrote to memory of 3200	1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe	115
PID 1036 wrote to memory of 4112	1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe	116
PID 1036 wrote to memory of 4112	1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe	116
PID 1036 wrote to memory of 4112	1036	{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe	116
PID 3200 wrote to memory of 216	3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe	117
PID 3200 wrote to memory of 216	3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe	117
PID 3200 wrote to memory of 216	3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe	117
PID 3200 wrote to memory of 2444	3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe	118
PID 3200 wrote to memory of 2444	3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe	118
PID 3200 wrote to memory of 2444	3200	{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe	118
PID 216 wrote to memory of 4560	216	{667C6505-B3A7-425a-872A-359AF925B031}.exe	126
PID 216 wrote to memory of 4560	216	{667C6505-B3A7-425a-872A-359AF925B031}.exe	126
PID 216 wrote to memory of 4560	216	{667C6505-B3A7-425a-872A-359AF925B031}.exe	126
PID 216 wrote to memory of 1380	216	{667C6505-B3A7-425a-872A-359AF925B031}.exe	127
PID 216 wrote to memory of 1380	216	{667C6505-B3A7-425a-872A-359AF925B031}.exe	127
PID 216 wrote to memory of 1380	216	{667C6505-B3A7-425a-872A-359AF925B031}.exe	127
PID 4560 wrote to memory of 1324	4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe	128
PID 4560 wrote to memory of 1324	4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe	128
PID 4560 wrote to memory of 1324	4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe	128
PID 4560 wrote to memory of 948	4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe	129
PID 4560 wrote to memory of 948	4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe	129
PID 4560 wrote to memory of 948	4560	{449B21DF-739A-4820-8710-A2389433A2D3}.exe	129
PID 1324 wrote to memory of 2624	1324	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe	133
PID 1324 wrote to memory of 2624	1324	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe	133
PID 1324 wrote to memory of 2624	1324	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe	133
PID 1324 wrote to memory of 652	1324	{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_c38a63f7e9d858e8f293a7e5dc7cf962_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\{6171B956-D10E-4f37-B275-60240CD99B02}.exe
  C:\Windows\{6171B956-D10E-4f37-B275-60240CD99B02}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe
    C:\Windows\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\{E2840D4C-407E-4159-949B-2FC411373689}.exe
      C:\Windows\{E2840D4C-407E-4159-949B-2FC411373689}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe
        
        C:\Windows\{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe
        
        C:\Windows\{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe
        
        C:\Windows\{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe
        
        C:\Windows\{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\{667C6505-B3A7-425a-872A-359AF925B031}.exe
        
        C:\Windows\{667C6505-B3A7-425a-872A-359AF925B031}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\{449B21DF-739A-4820-8710-A2389433A2D3}.exe
        
        C:\Windows\{449B21DF-739A-4820-8710-A2389433A2D3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe
        
        C:\Windows\{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe
        
        C:\Windows\{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}.exe
        
        C:\Windows\{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}.exe
        13⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD885~1.EXE > nul
        13⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17D6F~1.EXE > nul
        12⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{449B2~1.EXE > nul
        11⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{667C6~1.EXE > nul
        10⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{506E7~1.EXE > nul
        9⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFEF7~1.EXE > nul
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CE03~1.EXE > nul
        7⤵
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AF29~1.EXE > nul
        6⤵
        
        PID:632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2840~1.EXE > nul
        5⤵
        
        PID:3480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E263D~1.EXE > nul
      4⤵
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6171B~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17D6F58D-380E-4ec9-9191-FBD5A3DB6C5C}.exe

Filesize
380KB

MD5
a2e1ee7194dadd506bbbac4f3fadf564

SHA1
f5ac957c9d76daf4195380ae86ac1e222e4b40bf

SHA256
63d0ddff00c870b817123f527e48574a2fbc05584d4a01111bc4931a2322769e

SHA512
47994fb2d67ac6af3234a2f649cb12b1bc46cca9f7c0274be9c0a139c8fe9df573810c16c55b4a27ec93dbd848f5dafe049b046115f1d77ebc618d03fcb3dab2

Download Submit
C:\Windows\{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe

Filesize
128KB

MD5
7104400b7f497f5adedc2fb4a2025737

SHA1
0db9cc014235700eeff65f9392259d244aa8ba1c

SHA256
e826e002bb1e80fbfbd60a3e8ebee9bff0cf9626cac745af5fa56f4180c067cc

SHA512
723bb9ae2d62323448faf8cf513cc7e436fa1f0ef6898d1d82c75adef1abb8b889aa68e799bae3226123b9ca1a88b367c41eec13e33d09df8368ce83b42a3358

Download Submit
C:\Windows\{1AF29619-D57A-4b52-A5B8-355934012AFD}.exe

Filesize
92KB

MD5
d3403ded5dc211414a9a1e6715ba4364

SHA1
c724615ef2799ad8cd18194cf2547b658a2fbf0b

SHA256
c6a97f3433a349d920734f168bfb191cf21303172860da5332a66e9f460ae0db

SHA512
17504c2adc703fa2954c146d20ac3074b857c47f05f7b4197b8e24a7bbd452f6f7d067e8bc8a483e42f09ae8755989e397ad1f8d4e04143734d80e38336df145

Download Submit
C:\Windows\{2FBFB0E3-1868-4066-ABD7-7A2AC9B9EC2F}.exe

Filesize
380KB

MD5
d5ae3c019eb47b7b00c272c69a19019f

SHA1
2e4190b4b469448e82c03f0d9d740f4029b4f573

SHA256
a8e83352b4c90764146be0ba98ce78c6bda8da0818d1d2faead55698c499f3a7

SHA512
86e95d7e5ec5d8c005d95cc6acaab0e11841b18bb09217278eae51064df7e97218f7e051559c87a2711e235fcf81bb6f8af795093b193909a66661319b62565a

Download Submit
C:\Windows\{449B21DF-739A-4820-8710-A2389433A2D3}.exe

Filesize
380KB

MD5
7ed51a23fb020c111daa61d559f2a2df

SHA1
eb89e1f5e99a50999f20528e50f1c067a29390b1

SHA256
85f6a0e6307ed5594c41f42f6288685ff431c88c59911fed0bff57fd38b4ce15

SHA512
37a5d861ea44bf9946c1317366041c9ff895803d7782aad21b2ded3aaf837eb059a3fab03cef7c272031190a62775ff8d6e1b02f2467105130eb44d9daae1f64

Download Submit
C:\Windows\{4CE0323A-40F0-4137-9DD9-678667B09C1D}.exe

Filesize
380KB

MD5
940660b3045325ea9e7a2cd1bff7fc34

SHA1
4883f809c5197df12ea292f77f9f3051eeeae506

SHA256
14f215e3dc3f665fc75d5bfc6c9e9125e90cde064f78b53782ff29b9560568d6

SHA512
3ae830764d7b523655f646fd56f89e3a54c317f990698f4eccd9169f65c5234626aec8f52be60ea7a9137ee9db81b865b8e412f534656f4490e97d51ee0ce0b0

Download Submit
C:\Windows\{506E7682-6302-4f2e-A956-1A5EC0C1E44E}.exe

Filesize
380KB

MD5
ec5c66f4e01c3707ba78e90ba507ddd0

SHA1
fbef84f807aa0602769916aa69130ea3cd336e1d

SHA256
485a1c3ecf95faf9b0f773b208977e73024347a16d5c1f6442defc2619a8f505

SHA512
8c0eb49343e2b3cd8c5e46c66adf4878e52c2bc02d42a9feb9f341010101c3c126406f44d17269050b06d9201fc8c4fb461d74816606796c5b2db77381625b89

Download Submit
C:\Windows\{6171B956-D10E-4f37-B275-60240CD99B02}.exe

Filesize
380KB

MD5
d7ff47c5bd148795393eb338ce1564cd

SHA1
96d1298a2da286083733565d4aabfc76b063bc34

SHA256
45e2e4a9d1c3004b59ba8ceda9663bc62f6722e980f948dc9d5d1a0dec1c6b7b

SHA512
a148c478aaae24c966fb246967270c4e8af2c640c21ebc109d284f276616012df0df80af3f3fd06d3ae62cb54e753dce4146bb0f6cd89dbe0d52c4a3f9137538

Download Submit
C:\Windows\{667C6505-B3A7-425a-872A-359AF925B031}.exe

Filesize
380KB

MD5
aea78f457d8caed2a72a79c9e85531c7

SHA1
b7f0285c5ab1c967abf37a570f8b185f162ccc4b

SHA256
05d52a3d54ec1494856c4e9d1fc6e168d5398b5138dcc0f5500c4673af394c24

SHA512
bfb1ae87b37f74b6fcd60cede0e9fb250feacc66e4aaf3553c725e651d0fa9319a612a4d61910b68c8a3d44595ceb7b8eaf3633c77a959f3cf85021fc09f77ae

Download Submit
C:\Windows\{BD885BB0-6CEC-463b-AF21-E6F89B8EA812}.exe

Filesize
380KB

MD5
593de001d0ca550870710868e3ddcf77

SHA1
c07be67ded4457d908feac4b8140856504b45159

SHA256
f14882d4251aca33a7094224f7eeaf99029ee27e6b6bd4d92c7a1b97aa28fb04

SHA512
9e866f65354c55bc0cd73ec5d8950f1c212b1b67dac485dc90b9d5c5ea50056407545c08c1c6be8fb9bf1305aafa1b63498227288a7793c35be27152c29f219b

Download Submit
C:\Windows\{BFEF72D4-CC2E-470d-A130-4DFE386D1003}.exe

Filesize
380KB

MD5
2b566d6569612f35e50af066325dc2d6

SHA1
fd9d440ad78f8d3a13d9881c3a8b048163ca19af

SHA256
335be68dde7373bf3eb496d993e33f87456a5893a20d0143f053f69a2cd4f5d5

SHA512
eafc6825ed7c5108d0ea09d2c0eba63c757032836e02fb83acc25eca0468b7ce942aa6a4caf90e713e182038f69068b270cdb08191afea79048a1d0423f407ff

Download Submit
C:\Windows\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe

Filesize
21KB

MD5
d980a99c76d1e29f4380950d069f3414

SHA1
e3aa6b4b1786b517382f8d79f5cbdb181373dd4c

SHA256
f9ded452c1d3555628aa98b658e457a514ca7b7dcaa53addad2a05c6a7caa38a

SHA512
fe5dc5d47f04ed52640b464ba20ea91d939aa2536cfc143b7fe286bce5a441828f6bf484cc44293faea6e96ea83b89ebf2a29f1e77e3a39b5a8c608a97404ffe

Download Submit
C:\Windows\{E263D4D5-B3AA-49be-8ECE-7EBA7B4A24D4}.exe

Filesize
15KB

MD5
85d477bc282dc59679a4072da4d70885

SHA1
3add7b2ad3cec6d7acdbae1e0133bc9cd0db67df

SHA256
48dcf32ea8929bd2dc3fc8cd37c9d752a065262935fa94d5de0bdda30fbba756

SHA512
1c22c0d104ef5a96f77000ab10110cc6c0e4e8af9747c645a5a12455445ae1264909545a95cf2c16f3ac73cb632396f70605f55168f00ff82805ab5d395feee0

Download Submit
C:\Windows\{E2840D4C-407E-4159-949B-2FC411373689}.exe

Filesize
1KB

MD5
0469c37c06779c374b10516f746e54cd

SHA1
a554cdfb5bfe2fdbef5626dff44175a0a14c9aa7

SHA256
42a50b9c0cdee18b6513ca0684fe36d5108fee23b4202466ba22f5312f2c43b5

SHA512
8116e597ca3fc7d7b801424a1b37533ade4fbe62b33f7045e6eaeb6b03275c7e981498b4e237230262e157aed9d257faadb6ba1586191f0ebb8d87f292cf4ce0

Download Submit
C:\Windows\{E2840D4C-407E-4159-949B-2FC411373689}.exe

Filesize
93KB

MD5
9461dc2f29fac88d7284533bccf4e30d

SHA1
1bc21795d14f7bfe5ebc70f11a87eb47d19237d5

SHA256
f1c5815e39a681bf3fecd0dbafebfa20b80ce83a26d5e8157c33701c0b40e040

SHA512
ae46c6ef77c59cd31739e8a2ca837f1a9b0b03ca49d023ed015702ea4f918c8ccb24b255c0b3600375e8d715a5ea52c6f42e0556fd7d6201973e1395db1eb749

Download Submit
C:\Windows\{E2840D4C-407E-4159-949B-2FC411373689}.exe

Filesize
57KB

MD5
4275721f88be209875d08007e1fbe062

SHA1
6d6ff885a60acb1cac93ef312d51930e7b6463b2

SHA256
891cee469268195040bfd1b3a6e4704bf1b51a2bf095844b3e1021aaf3453700

SHA512
0459f547a77f3cd0fc2de6d71e48e3f16dde604dca5a04b6e04603a40fa08ff4ef5c568ec6814e2db408337eaad76c836616d25212a4ba21fa08a692c36bd155

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads