a7ce0c73939272c6b16a4389ea29866b12245067edd0b144146a5683ea2a362e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Size

197KB
MD5

75605c9b00bc24631d7add5b78b244eb
SHA1

92c2b394891342e5e3ac858e7d380b669710c07e
SHA256

a7ce0c73939272c6b16a4389ea29866b12245067edd0b144146a5683ea2a362e
SHA512

ea35002f32ac31a450da55f3047ad045060607d48e2eca3e11d60207db7714cf4c4d8c65045e938c79187f6e4a71bb01df000fec66980c77fde19ca6a196d239
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGllEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e153-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e153-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e153-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002312f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e385-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002312f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a0-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002312f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233a0-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233bf-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c1-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233bf-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF62836F-E447-45be-9ECF-D7519B194939}	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}	{BF62836F-E447-45be-9ECF-D7519B194939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}\stubpath = "C:\\Windows\\{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe"	{BF62836F-E447-45be-9ECF-D7519B194939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}\stubpath = "C:\\Windows\\{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe"	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}\stubpath = "C:\\Windows\\{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe"	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}\stubpath = "C:\\Windows\\{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe"	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}\stubpath = "C:\\Windows\\{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe"	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C3A7156-1966-4ec8-A68A-44B671154D84}	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7F7522E-E173-48de-8549-26FF18FF99B8}	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F744C7-B046-4bce-B1C0-1E929E4656C3}	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}\stubpath = "C:\\Windows\\{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe"	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}	{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}\stubpath = "C:\\Windows\\{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe"	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF62836F-E447-45be-9ECF-D7519B194939}\stubpath = "C:\\Windows\\{BF62836F-E447-45be-9ECF-D7519B194939}.exe"	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C3A7156-1966-4ec8-A68A-44B671154D84}\stubpath = "C:\\Windows\\{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe"	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7F7522E-E173-48de-8549-26FF18FF99B8}\stubpath = "C:\\Windows\\{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe"	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83F744C7-B046-4bce-B1C0-1E929E4656C3}\stubpath = "C:\\Windows\\{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe"	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}\stubpath = "C:\\Windows\\{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}.exe"	{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe
4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe
2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe
3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe
964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe
3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe
1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe
1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe
5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe
2988	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe
4976	{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe
964	{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe
File created	C:\Windows\{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe
File created	C:\Windows\{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe
File created	C:\Windows\{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe
File created	C:\Windows\{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe
File created	C:\Windows\{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe
File created	C:\Windows\{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
File created	C:\Windows\{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe
File created	C:\Windows\{BF62836F-E447-45be-9ECF-D7519B194939}.exe	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe
File created	C:\Windows\{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe	{BF62836F-E447-45be-9ECF-D7519B194939}.exe
File created	C:\Windows\{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe
File created	C:\Windows\{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}.exe	{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1564	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe
Token: SeIncBasePriorityPrivilege	4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe
Token: SeIncBasePriorityPrivilege	2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe
Token: SeIncBasePriorityPrivilege	3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe
Token: SeIncBasePriorityPrivilege	964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe
Token: SeIncBasePriorityPrivilege	3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe
Token: SeIncBasePriorityPrivilege	1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe
Token: SeIncBasePriorityPrivilege	1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe
Token: SeIncBasePriorityPrivilege	5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe
Token: SeIncBasePriorityPrivilege	2988	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe
Token: SeIncBasePriorityPrivilege	4976	{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2084	1564	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	96
PID 1564 wrote to memory of 2084	1564	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	96
PID 1564 wrote to memory of 2084	1564	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	96
PID 1564 wrote to memory of 1924	1564	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	97
PID 1564 wrote to memory of 1924	1564	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	97
PID 1564 wrote to memory of 1924	1564	2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe	97
PID 2084 wrote to memory of 4480	2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe	100
PID 2084 wrote to memory of 4480	2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe	100
PID 2084 wrote to memory of 4480	2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe	100
PID 2084 wrote to memory of 116	2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe	101
PID 2084 wrote to memory of 116	2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe	101
PID 2084 wrote to memory of 116	2084	{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe	101
PID 4480 wrote to memory of 2448	4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe	104
PID 4480 wrote to memory of 2448	4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe	104
PID 4480 wrote to memory of 2448	4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe	104
PID 4480 wrote to memory of 2608	4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe	105
PID 4480 wrote to memory of 2608	4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe	105
PID 4480 wrote to memory of 2608	4480	{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe	105
PID 2448 wrote to memory of 3592	2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe	114
PID 2448 wrote to memory of 3592	2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe	114
PID 2448 wrote to memory of 3592	2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe	114
PID 2448 wrote to memory of 2456	2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe	115
PID 2448 wrote to memory of 2456	2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe	115
PID 2448 wrote to memory of 2456	2448	{BF62836F-E447-45be-9ECF-D7519B194939}.exe	115
PID 3592 wrote to memory of 964	3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe	116
PID 3592 wrote to memory of 964	3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe	116
PID 3592 wrote to memory of 964	3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe	116
PID 3592 wrote to memory of 2656	3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe	117
PID 3592 wrote to memory of 2656	3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe	117
PID 3592 wrote to memory of 2656	3592	{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe	117
PID 964 wrote to memory of 3956	964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe	118
PID 964 wrote to memory of 3956	964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe	118
PID 964 wrote to memory of 3956	964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe	118
PID 964 wrote to memory of 5088	964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe	119
PID 964 wrote to memory of 5088	964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe	119
PID 964 wrote to memory of 5088	964	{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe	119
PID 3956 wrote to memory of 1112	3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe	121
PID 3956 wrote to memory of 1112	3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe	121
PID 3956 wrote to memory of 1112	3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe	121
PID 3956 wrote to memory of 1656	3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe	122
PID 3956 wrote to memory of 1656	3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe	122
PID 3956 wrote to memory of 1656	3956	{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe	122
PID 1112 wrote to memory of 1020	1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe	123
PID 1112 wrote to memory of 1020	1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe	123
PID 1112 wrote to memory of 1020	1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe	123
PID 1112 wrote to memory of 3084	1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe	124
PID 1112 wrote to memory of 3084	1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe	124
PID 1112 wrote to memory of 3084	1112	{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe	124
PID 1020 wrote to memory of 5020	1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe	125
PID 1020 wrote to memory of 5020	1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe	125
PID 1020 wrote to memory of 5020	1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe	125
PID 1020 wrote to memory of 3436	1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe	126
PID 1020 wrote to memory of 3436	1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe	126
PID 1020 wrote to memory of 3436	1020	{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe	126
PID 5020 wrote to memory of 2988	5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe	127
PID 5020 wrote to memory of 2988	5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe	127
PID 5020 wrote to memory of 2988	5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe	127
PID 5020 wrote to memory of 1856	5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe	128
PID 5020 wrote to memory of 1856	5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe	128
PID 5020 wrote to memory of 1856	5020	{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe	128
PID 2988 wrote to memory of 4976	2988	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe	129
PID 2988 wrote to memory of 4976	2988	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe	129
PID 2988 wrote to memory of 4976	2988	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe	129
PID 2988 wrote to memory of 552	2988	{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_75605c9b00bc24631d7add5b78b244eb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe
  C:\Windows\{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe
    C:\Windows\{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\{BF62836F-E447-45be-9ECF-D7519B194939}.exe
      C:\Windows\{BF62836F-E447-45be-9ECF-D7519B194939}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe
        
        C:\Windows\{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Windows\{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe
        
        C:\Windows\{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe
        
        C:\Windows\{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe
        
        C:\Windows\{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe
        
        C:\Windows\{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe
        
        C:\Windows\{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe
        
        C:\Windows\{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe
        
        C:\Windows\{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}.exe
        
        C:\Windows\{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}.exe
        13⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43B2A~1.EXE > nul
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C17E1~1.EXE > nul
        12⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B55FF~1.EXE > nul
        11⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F74~1.EXE > nul
        10⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6991A~1.EXE > nul
        9⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29294~1.EXE > nul
        8⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F75~1.EXE > nul
        7⤵
        
        PID:5088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57E31~1.EXE > nul
        6⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF628~1.EXE > nul
        5⤵
        
        PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6D9A~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C3A7~1.EXE > nul
    3⤵
    PID:116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A8FBECC-7FF0-4635-B0D3-F17C894982C2}.exe

Filesize
197KB

MD5
c147b99dd5e9969d4e65689888f6780a

SHA1
e2fe047ee8e5501a1f2681df6b2fab87086d599e

SHA256
9025772ba39de0ca901acae4692e3e71ca2b5101f28027ee301b7f8d4711d25b

SHA512
09359d20217d6102e74318ef64e36b0d12734844f2a8d3845cd69fea1f6c5a916e12f391d98fa023b98dd5cf2cec5486214d40e6279016a1085b828118b38527

Download Submit
C:\Windows\{29294B06-2022-45d4-B6D4-1D1C1EFB2BA8}.exe

Filesize
197KB

MD5
285b8651ded84b760d037cf4d2ba91bb

SHA1
0299fae2c19ec7c3e5893cfcd0e6d84103cb1065

SHA256
e6c7bac501a0e6abb633003ec2128506cdad3ba5934674d3fd3dae85c26cd7e7

SHA512
37f1ae524d9c6ec36470dc6e524c52bd836a1adf87eb06dc443007e5e217c5724dfab32cc3e595332594857658936e91929fba6f89c11fb407b125645b211ba1

Download Submit
C:\Windows\{3C3A7156-1966-4ec8-A68A-44B671154D84}.exe

Filesize
197KB

MD5
cb3626ce767b74ee92233e8b915a80a3

SHA1
a523e1fad76957830b49a48d0ec9c52207bbcdb7

SHA256
2c56c67c4483d6ccc68282377a2d7d706f059cca02f766ca02901ca41f91f30c

SHA512
c9a22de774c5e127341f9737fc95876102198305c74ad79d61d3c5fec058406dc26181101c56291302ac7a2c873ef84cfbeae4512e65e2c4f47b14962b42cf9f

Download Submit
C:\Windows\{43B2AA1E-C0B3-4c6f-9AD5-29B905EE6B2C}.exe

Filesize
197KB

MD5
e9451aef10f4b0d504da8007e5e242fc

SHA1
6b06e26ae44f5a74e15136a8f5d3fea03e92c350

SHA256
f7c4076cbf08abbe68fbed59f8215ee4021ec946ed13e388c68a96ba7bd5f4f4

SHA512
8409bffd02d123c110e68e9b653832530eb6c9919be973f62b6e0a3733f32e8e598c93275a877d6168337495ef86aa1d455b2a5cbcaab98f51c46d6005c53c55

Download Submit
C:\Windows\{57E314A0-0B18-4b89-A2C2-DFFF2E29AD7D}.exe

Filesize
197KB

MD5
205708d2f7b1bcc70c87a84416121aea

SHA1
973c09df07299c92069335ad7d578a8bf3edf50f

SHA256
d1288d7f74034bdb94d67f5f0f088d8c57dd5803e3b2c867e4fcbd0693d7aab4

SHA512
20ed30b8acf2eff48346cb6387e20eb8df59ee10c7a1164999659a2dc8d821187746885d48d3080673cd26346381bb22209953818c73dbeb2800688969b3df27

Download Submit
C:\Windows\{6991A6F4-804C-47b4-BA9B-2E2AB0A7D904}.exe

Filesize
197KB

MD5
cc51e6b0faf89b2bcdd7b643b7863bd3

SHA1
aa82a884a22e4d1bdef6c908937d0c37f0f75792

SHA256
53c7f08fc60500ae1ee5e852a2c92fee9e21777170bd69f2a39b27ace3816200

SHA512
2a65c830006a8123e2104480d7ab13fb420f7b0e638c052dbe2ed132e03052b2ba64d3abd29a776beaa22e4c31cbf4c8f75c7638423557642b1dc59b9f2f1be1

Download Submit
C:\Windows\{83F744C7-B046-4bce-B1C0-1E929E4656C3}.exe

Filesize
197KB

MD5
c98d52166543ef03732f184fcd76991c

SHA1
7fe20006a73781b3b9b8145ed87a20f0084ee2b7

SHA256
e162096a40242b8e018aadcafee5669f999af764e6bd4c7cb7761215bc2d49a6

SHA512
b454e97ad9cbdbc1bbef3ea403c1c840a9f26a88fae29b2abf93b4ba89c5335a9a7b782bb0a273a47be64dbc27365482bcc1c6a168e973513fadb37b29671ac8

Download Submit
C:\Windows\{B55FF64C-9B29-46db-9107-C9C0D23BCCC3}.exe

Filesize
197KB

MD5
b2e3b4b5e1ee9a5b60438cee9081a3b1

SHA1
3ae69a6bf5ecc30e99c2a71be110c8a752a62a77

SHA256
e33bfed33f1f738f75f7b43c6bd138e6cf4015b408439fb419b6a14e0cffbfe2

SHA512
375271a04f16fdedef529cd0bc11fad723f63e7a3f0ea14509f517609721c42fcbd244a04c52ab7d16dd43f1d5fee261811fe074deaa6885d47f7913c1a69c0e

Download Submit
C:\Windows\{BF62836F-E447-45be-9ECF-D7519B194939}.exe

Filesize
151KB

MD5
f0cf5aa8d956a94e48a6038e92ed3135

SHA1
4a5471350d3814de81a944c857e0a49b8e4c4ecb

SHA256
1acd61360a1dab4cab231e4ab1bb9c072ef0e48e4694401210fad4a7c48569f0

SHA512
bdf5d2cc4e52143d6dc767dc42db577224c46c690ab2ab08b0a010aff734c0358b09e37c3b67c32cc25b51cf762633d28e3967da69d0fa0290b71672f350bc83

Download Submit
C:\Windows\{BF62836F-E447-45be-9ECF-D7519B194939}.exe

Filesize
125KB

MD5
a9df58e0dde556a1b7daf929304f47d9

SHA1
89bddcc4df742577b656409a9f49056a9913bdec

SHA256
8c34a1d688129ad279dc6c4b47629904ccd4301ca1fc06fb147a51811a447906

SHA512
e0526ca9b4b0a4576451b3ba5d25bdcd2560e0b5025c418a454ba0d7cce398fba2aaf33ab89764425eddd7ba8af0e04895ef23a9e7949e19714868712e2adba9

Download Submit
C:\Windows\{BF62836F-E447-45be-9ECF-D7519B194939}.exe

Filesize
197KB

MD5
b30849c85f60e21fdc69d2f707b3dac8

SHA1
ce7f0cf4e99e1807b7f3e43fea637e2d69bc148e

SHA256
f42e65caabbae1bd16abb2ded7f62179d2c9ab3a583a016c3b2f9d04b04f342f

SHA512
c01548b9d92a8f55002570cbe6256e71697f18ca9207ff6b41067ec7786e7c2a3ea05155c89caf2a00edd72a8dbe444d54ecbecfdc917f08cac88b9de20a8f04

Download Submit
C:\Windows\{C17E1BB0-49D1-4da4-96FB-4214B547B5E8}.exe

Filesize
197KB

MD5
2be02584014a8c858d4fbc23d6051d97

SHA1
759d9c9d5921a85865d2a37b6e1e501f56677b53

SHA256
1ad3fb0b2b2d5fec33f83336921efbfbd524fd3273e6a1091303e381627a8ff9

SHA512
9d7e0a6f40e9dd22e0e2c0a7768142614969a35c9fa1824f3aa4800d42eabdb935136e9c8145f515474109163519da5111277dcae34ba10a9b0cc16e4d91ca41

Download Submit
C:\Windows\{E6D9A9F8-EA10-42f2-B4ED-7D7F31A404B1}.exe

Filesize
197KB

MD5
445efb0203fc991920e2e3fcd9777044

SHA1
28d5f2dece8205cd1be208cc921bd37cd2e34ec2

SHA256
4119c41f69a33a92ea4879cb4ea44f789694e3cfd8a2a0b12061231f8ddc0f45

SHA512
6ccc117a2ecbe586a83deab0bfce582473469e4a6fc42361d1e11b6dc2e9aad2c071eebbea0f38cce302d362339d87292cacab7ebb7d374ac1c97440767a5c1f

Download Submit
C:\Windows\{F7F7522E-E173-48de-8549-26FF18FF99B8}.exe

Filesize
197KB

MD5
c892078e8e0f2ca487a75fb02c742f19

SHA1
821c846b17b936e10c74475d825c3743fa525e3c

SHA256
0fe9372affe3872a2ef405db826f2d177003d8ed484cf8a53109360655741fa7

SHA512
afa5c0987343ee8ab80c2333bbf39e8e6a39c19bd484bd57b6b0a39d32daaa0be95eeecaaef515f866b482ab947290bfad47c1f4050f439bf9508f3cba2459a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads