efc87d650b9166e5b73e00b19ef95f70c28bae06ec4e87def95da60bf051dfcd

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Size

344KB
MD5

c7ee460d323c5578ec8d56c1aec7d099
SHA1

560ee81d8b7f4ac4ab0661c1b38b8039f5522c67
SHA256

efc87d650b9166e5b73e00b19ef95f70c28bae06ec4e87def95da60bf051dfcd
SHA512

f874ef9b36352eb2ead20f1ef3031a5b8c1076530c1825385d60b0a7c90ac4a104404164cde3893c6d7f95d08f052bfd9490001d5c92799469acbcb2dc4b1614
SSDEEP

3072:mEGh0oPlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGhlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023215-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e4f1-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002331d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230eb-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023347-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023353-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023124-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023327-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023124-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023390-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233db-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c8-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8538856B-176D-4394-966E-F75005ECACD8}\stubpath = "C:\\Windows\\{8538856B-176D-4394-966E-F75005ECACD8}.exe"	{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}\stubpath = "C:\\Windows\\{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe"	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{929A456C-AD75-45d1-A2CB-5054DAFF35C8}\stubpath = "C:\\Windows\\{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe"	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}\stubpath = "C:\\Windows\\{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe"	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8538856B-176D-4394-966E-F75005ECACD8}	{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{929A456C-AD75-45d1-A2CB-5054DAFF35C8}	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}\stubpath = "C:\\Windows\\{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe"	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}\stubpath = "C:\\Windows\\{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe"	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}\stubpath = "C:\\Windows\\{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe"	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}\stubpath = "C:\\Windows\\{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe"	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C8694B9-9B61-4c26-97B8-840F7CA461C4}	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C8694B9-9B61-4c26-97B8-840F7CA461C4}\stubpath = "C:\\Windows\\{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe"	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}\stubpath = "C:\\Windows\\{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe"	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}\stubpath = "C:\\Windows\\{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe"	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}\stubpath = "C:\\Windows\\{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe"	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe

Executes dropped EXE 12 IoCs

pid	Process
4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe
412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe
4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe
2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe
744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe
4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe
3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe
1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe
4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe
2120	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe
4892	{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe
3828	{8538856B-176D-4394-966E-F75005ECACD8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
File created	C:\Windows\{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe
File created	C:\Windows\{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe
File created	C:\Windows\{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe
File created	C:\Windows\{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe
File created	C:\Windows\{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe
File created	C:\Windows\{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe
File created	C:\Windows\{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe
File created	C:\Windows\{8538856B-176D-4394-966E-F75005ECACD8}.exe	{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe
File created	C:\Windows\{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe
File created	C:\Windows\{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe
File created	C:\Windows\{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4964	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe
Token: SeIncBasePriorityPrivilege	412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe
Token: SeIncBasePriorityPrivilege	4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe
Token: SeIncBasePriorityPrivilege	2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe
Token: SeIncBasePriorityPrivilege	744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe
Token: SeIncBasePriorityPrivilege	4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe
Token: SeIncBasePriorityPrivilege	3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe
Token: SeIncBasePriorityPrivilege	1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe
Token: SeIncBasePriorityPrivilege	4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe
Token: SeIncBasePriorityPrivilege	2120	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe
Token: SeIncBasePriorityPrivilege	4892	{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4244	4964	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	100
PID 4964 wrote to memory of 4244	4964	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	100
PID 4964 wrote to memory of 4244	4964	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	100
PID 4964 wrote to memory of 1852	4964	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	101
PID 4964 wrote to memory of 1852	4964	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	101
PID 4964 wrote to memory of 1852	4964	2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe	101
PID 4244 wrote to memory of 412	4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe	102
PID 4244 wrote to memory of 412	4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe	102
PID 4244 wrote to memory of 412	4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe	102
PID 4244 wrote to memory of 3492	4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe	103
PID 4244 wrote to memory of 3492	4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe	103
PID 4244 wrote to memory of 3492	4244	{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe	103
PID 412 wrote to memory of 4636	412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe	108
PID 412 wrote to memory of 4636	412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe	108
PID 412 wrote to memory of 4636	412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe	108
PID 412 wrote to memory of 4376	412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe	109
PID 412 wrote to memory of 4376	412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe	109
PID 412 wrote to memory of 4376	412	{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe	109
PID 4636 wrote to memory of 2976	4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe	112
PID 4636 wrote to memory of 2976	4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe	112
PID 4636 wrote to memory of 2976	4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe	112
PID 4636 wrote to memory of 3716	4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe	113
PID 4636 wrote to memory of 3716	4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe	113
PID 4636 wrote to memory of 3716	4636	{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe	113
PID 2976 wrote to memory of 744	2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe	114
PID 2976 wrote to memory of 744	2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe	114
PID 2976 wrote to memory of 744	2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe	114
PID 2976 wrote to memory of 1332	2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe	115
PID 2976 wrote to memory of 1332	2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe	115
PID 2976 wrote to memory of 1332	2976	{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe	115
PID 744 wrote to memory of 4328	744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe	116
PID 744 wrote to memory of 4328	744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe	116
PID 744 wrote to memory of 4328	744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe	116
PID 744 wrote to memory of 944	744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe	117
PID 744 wrote to memory of 944	744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe	117
PID 744 wrote to memory of 944	744	{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe	117
PID 4328 wrote to memory of 3160	4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe	123
PID 4328 wrote to memory of 3160	4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe	123
PID 4328 wrote to memory of 3160	4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe	123
PID 4328 wrote to memory of 4748	4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe	124
PID 4328 wrote to memory of 4748	4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe	124
PID 4328 wrote to memory of 4748	4328	{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe	124
PID 3160 wrote to memory of 1660	3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe	125
PID 3160 wrote to memory of 1660	3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe	125
PID 3160 wrote to memory of 1660	3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe	125
PID 3160 wrote to memory of 4636	3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe	126
PID 3160 wrote to memory of 4636	3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe	126
PID 3160 wrote to memory of 4636	3160	{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe	126
PID 1660 wrote to memory of 4848	1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe	127
PID 1660 wrote to memory of 4848	1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe	127
PID 1660 wrote to memory of 4848	1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe	127
PID 1660 wrote to memory of 4332	1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe	128
PID 1660 wrote to memory of 4332	1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe	128
PID 1660 wrote to memory of 4332	1660	{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe	128
PID 4848 wrote to memory of 2120	4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe	129
PID 4848 wrote to memory of 2120	4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe	129
PID 4848 wrote to memory of 2120	4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe	129
PID 4848 wrote to memory of 3600	4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe	130
PID 4848 wrote to memory of 3600	4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe	130
PID 4848 wrote to memory of 3600	4848	{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe	130
PID 2120 wrote to memory of 4892	2120	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe	131
PID 2120 wrote to memory of 4892	2120	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe	131
PID 2120 wrote to memory of 4892	2120	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe	131
PID 2120 wrote to memory of 3868	2120	{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_c7ee460d323c5578ec8d56c1aec7d099_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe
  C:\Windows\{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe
    C:\Windows\{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe
      C:\Windows\{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Windows\{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe
        
        C:\Windows\{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe
        
        C:\Windows\{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe
        
        C:\Windows\{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe
        
        C:\Windows\{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe
        
        C:\Windows\{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe
        
        C:\Windows\{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe
        
        C:\Windows\{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe
        
        C:\Windows\{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\{8538856B-176D-4394-966E-F75005ECACD8}.exe
        
        C:\Windows\{8538856B-176D-4394-966E-F75005ECACD8}.exe
        13⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAF57~1.EXE > nul
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBC3~1.EXE > nul
        12⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C869~1.EXE > nul
        11⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C463~1.EXE > nul
        10⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2BC8~1.EXE > nul
        9⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC37E~1.EXE > nul
        8⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D8F2~1.EXE > nul
        7⤵
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57384~1.EXE > nul
        6⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{929A4~1.EXE > nul
        5⤵
        
        PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C2D3~1.EXE > nul
      4⤵
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51A54~1.EXE > nul
    3⤵
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C463151-D75F-4b3d-B92F-FB2529A1CBC1}.exe

Filesize
344KB

MD5
9c7ddbcc8b3e24c5df03880db1a73aa3

SHA1
7a55cc4a7e1cf1ea1fca5354081064277dfa0a54

SHA256
c21fc3e7464efbc86200bf183807eedab8dd5ec934a8a45765b2137ea296be54

SHA512
509ba2a6366d479792a0cccd9fc43f8fb0501ff378efbb5e622ad896b78b9699cc4710446a0c6972cdc62bc8af2c470154f91f133040409f8ac377ce57d49fa0

Download Submit
C:\Windows\{51A5475A-0D2A-4fe5-8B9D-894BD62B6287}.exe

Filesize
344KB

MD5
be5fe343ebf84e38d6f0e9b4c8fe77ef

SHA1
54909ac72c3d65ef97908893a77f9e463a1fd2a7

SHA256
dcdceb5d0e6d0fc2c6335e89db8047cf750153383c75f2d965720cd9f3aa071d

SHA512
f15eb0e3b4a263ce3fa0e1095b47ef5908174f7acd7ac2c7a016099288c946d7f201760205bb37f348e6e5cbf45a00d93c2cd6ebe2e7ae5ff1d14ce718d38d30

Download Submit
C:\Windows\{57384EF3-3C2A-41a7-B4C2-1F1BBAE9E7E8}.exe

Filesize
344KB

MD5
692498f188b20fba10f17949e62916d2

SHA1
b3d9347b4b6bc10eeeebe276496192bab4b208fa

SHA256
6c2d781e1fdc2874f9ad1fe8d6ec974ddaad71cc662b0d0d28841e848354b123

SHA512
dec3f7239339f4a4985d12f472533689d84c3f066f75862973d1a2bd2aa00e5d781c352b5b616631f9560a012fff882044366e35909fb2fc57c477d7ec29b199

Download Submit
C:\Windows\{6C2D3B11-3CFD-45d8-B458-085DA92F8AAF}.exe

Filesize
344KB

MD5
bc5ec022f819ed6f62bf9cc6002e3561

SHA1
e8b926e3b67f4a0649d90b3c5ac71267f4842cef

SHA256
611013d92006a912a71ab4ad422f12036e5301e309a0f5ca3fc049486ff388c4

SHA512
5da61098eaa07493da221023796d3faaf47cebcb73a8e783859273d56538a9953f271d7c24408902ad5c45e7941cb6112f6866d28109b18e757de3b9f728c2e3

Download Submit
C:\Windows\{7C8694B9-9B61-4c26-97B8-840F7CA461C4}.exe

Filesize
344KB

MD5
0a5f06dfa37756ad50ace496b80fa513

SHA1
4c3d3bac957119afb3a048ca8f1a3bb6fbdce055

SHA256
74aa10b4dad0c28e2ac16673d130eceee890a8750adfaadd1e0bc72599d96357

SHA512
245c050b107ac5f848d807bfe1d20966ae61532e3e638f113d4b9145b2b64bc4be6cababc372afc65f68819498fbaeabd90f47b02992b8f9889552ed356dfc61

Download Submit
C:\Windows\{8538856B-176D-4394-966E-F75005ECACD8}.exe

Filesize
344KB

MD5
8dbaaefaa4319c10c20490f640e7273b

SHA1
646f0ee991a48eec5534226b7d8d5b4acaa09a40

SHA256
ab3a2ec082d2876cc95af62dcec501f463902d5a40bf44ae5bd85b5313c14f2b

SHA512
44cdff11e572c4bdd70eace1a1eec40121ba14e8d3b0fb66b48064afa8cd4b985d66a49fb532884c9472e2ebf4a51dec5a110bcc845760821f4b5ebd76a6261c

Download Submit
C:\Windows\{929A456C-AD75-45d1-A2CB-5054DAFF35C8}.exe

Filesize
344KB

MD5
aaf8a946dae76960b9c478b0b3f32bef

SHA1
3dca1e62d22b9984866582a4508b760ea65326c7

SHA256
f4ff99a8c63a47b5247135b5e965f72e09addaf2cfecfdc9280d5befe5be6933

SHA512
6c1e8944df191754ac0c2587813d3aef34b285803922538d8b12e76234c4dcb385d0da6dc32e8a334ad89325b0853913e4167a2f9b4fafd53a7ef34ce1907c34

Download Submit
C:\Windows\{9D8F27DB-1B15-4f08-ADB3-23CA89CA3A14}.exe

Filesize
344KB

MD5
c7eb79709620e1df30670369ba91aed9

SHA1
0e8b3d705ea4eb31aa48f200f773b3bed542e58a

SHA256
d72b5a6c5d188a88b29c40f79d4314f36d9bc3ceee52b962d059b2503fff832d

SHA512
a82a4d985fe73b2b822a6e47c0e4d2cc11cd1f7e203d792d4962c39946f2905f3189dbee0be01fa194d600d1f33b2efec37675dca7d1333c4368c9a3fdfdd744

Download Submit
C:\Windows\{9EBC3868-0AB2-49ff-A637-B252ABF9AAAF}.exe

Filesize
344KB

MD5
391030fe9309565156426ef79374b8cd

SHA1
9cf4d005d1213d115f1f28b4d893d2dc94599594

SHA256
3194cd6adbd893edde7e04e259757f06d47af7456485cb72a434eeaab4b636ff

SHA512
89927268fb11d5fc505d0313980583aca0f637f980ee67faca161d14cb4c39c8629818114a870404bcb0141bedddcf783686cc86d4922abd2ac5a093ba94c520

Download Submit
C:\Windows\{D2BC822B-0F3E-4381-B99C-55B1C38C57D4}.exe

Filesize
344KB

MD5
61b7ca4b54587814ccd5b95af89ef687

SHA1
bf9b11be900769911d924bf28c512181f90f07f0

SHA256
a920c2d0bb40266a755acf9bdf8e28693465de82abbc43a0c4bd06f1001b6009

SHA512
7297acce050c3495e0fad12918add0fc200893d37f97fd92e5c6aac7a3cbda0ed85280fbeaa5577c719cd894746072f09e122956fa421dde13c5b2b3983eaa31

Download Submit
C:\Windows\{EAF57E7C-B7EF-4587-ACA6-D3A1A53ABA9F}.exe

Filesize
344KB

MD5
5bd14f579090a59f9916975e636d8fa3

SHA1
d3e28ce6d5231c9e67bb86cae0d8a748a8433e3f

SHA256
bfeeceeb3120e69317acec8b7dfd4d940e1e1e1fe68113a3bf562845b13ba954

SHA512
def29ee4827fb49e486b8d6f747f2e41517ee7f42e7a0a3550e363b175380f4682fe7e301ad1716e631dc745a1bffb414c0a3d8d398fe672931d6e62518a29d7

Download Submit
C:\Windows\{EC37E728-492A-4fd7-AE4D-F3C87FD1396E}.exe

Filesize
344KB

MD5
9d6eeda021d9e527be0fe1ff2bc5c674

SHA1
bddab1a983fe7bd74001a1b932055387cf42c741

SHA256
f3f1cf98a721c235eca4bc89e1977ee0983f7f0ec8786ddd94cdcf77bfb9a19b

SHA512
e66250bae5edd1a27bd63f52a8af88f09543354e7a6c4d936e8b71ef1fb34eebb431bee0fa5bcf324598935536197d2372b209df965684a0da0f6e129a0c3245

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads