780a367303c1347467dc3cf254266ae6ea92ae1bffcb52daa3842c978e1c0226

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Size

344KB
MD5

711053a156c1a8216c0842ffe36b5a79
SHA1

c56a383e8ff9ab7ffc211d3b129d22f9a9e532f9
SHA256

780a367303c1347467dc3cf254266ae6ea92ae1bffcb52daa3842c978e1c0226
SHA512

260573f17e7eadb9bfe1ca26edc3f0306536297f326b78305d2d808b1ad620615b0298247d8d2107bab80b15e0e6008b57012ee56720405240995177fce18fbb
SSDEEP

3072:mEGh0odlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGjlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000231d0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f9-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320d-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e36d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023373-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e432-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023388-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002338d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002348f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002338d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023492-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7783009F-F864-46df-B4DB-51577F0A9D52}\stubpath = "C:\\Windows\\{7783009F-F864-46df-B4DB-51577F0A9D52}.exe"	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}\stubpath = "C:\\Windows\\{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe"	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05875A6B-041C-4fd1-9A0F-C8D5F9496190}	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05875A6B-041C-4fd1-9A0F-C8D5F9496190}\stubpath = "C:\\Windows\\{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe"	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}\stubpath = "C:\\Windows\\{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe"	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31515523-0B92-4417-8574-D68A7BA917CF}	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}\stubpath = "C:\\Windows\\{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe"	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89CADBBF-1238-4113-AF68-112264A9DFE7}\stubpath = "C:\\Windows\\{89CADBBF-1238-4113-AF68-112264A9DFE7}.exe"	{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89CADBBF-1238-4113-AF68-112264A9DFE7}	{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}\stubpath = "C:\\Windows\\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe"	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AF0AF47-591C-4d1c-9225-152F258CAB90}	{31515523-0B92-4417-8574-D68A7BA917CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AF0AF47-591C-4d1c-9225-152F258CAB90}\stubpath = "C:\\Windows\\{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe"	{31515523-0B92-4417-8574-D68A7BA917CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}\stubpath = "C:\\Windows\\{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe"	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{328501C5-4CC1-4f39-BACC-65464B7DF2C1}	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7783009F-F864-46df-B4DB-51577F0A9D52}	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}\stubpath = "C:\\Windows\\{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe"	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31515523-0B92-4417-8574-D68A7BA917CF}\stubpath = "C:\\Windows\\{31515523-0B92-4417-8574-D68A7BA917CF}.exe"	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{328501C5-4CC1-4f39-BACC-65464B7DF2C1}\stubpath = "C:\\Windows\\{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe"	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe

Executes dropped EXE 12 IoCs

pid	Process
1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe
4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe
4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe
4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe
2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe
1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe
3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe
2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe
2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe
696	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe
4304	{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe
5052	{89CADBBF-1238-4113-AF68-112264A9DFE7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe
File created	C:\Windows\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe
File created	C:\Windows\{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe
File created	C:\Windows\{31515523-0B92-4417-8574-D68A7BA917CF}.exe	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe
File created	C:\Windows\{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe	{31515523-0B92-4417-8574-D68A7BA917CF}.exe
File created	C:\Windows\{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe
File created	C:\Windows\{7783009F-F864-46df-B4DB-51577F0A9D52}.exe	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
File created	C:\Windows\{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe
File created	C:\Windows\{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe
File created	C:\Windows\{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe
File created	C:\Windows\{89CADBBF-1238-4113-AF68-112264A9DFE7}.exe	{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe
File created	C:\Windows\{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4104	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe
Token: SeIncBasePriorityPrivilege	4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe
Token: SeIncBasePriorityPrivilege	4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe
Token: SeIncBasePriorityPrivilege	4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe
Token: SeIncBasePriorityPrivilege	2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe
Token: SeIncBasePriorityPrivilege	1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe
Token: SeIncBasePriorityPrivilege	3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe
Token: SeIncBasePriorityPrivilege	2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe
Token: SeIncBasePriorityPrivilege	2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe
Token: SeIncBasePriorityPrivilege	696	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe
Token: SeIncBasePriorityPrivilege	4304	{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1524	4104	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	105
PID 4104 wrote to memory of 1524	4104	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	105
PID 4104 wrote to memory of 1524	4104	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	105
PID 4104 wrote to memory of 3220	4104	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	106
PID 4104 wrote to memory of 3220	4104	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	106
PID 4104 wrote to memory of 3220	4104	2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe	106
PID 1524 wrote to memory of 4508	1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe	107
PID 1524 wrote to memory of 4508	1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe	107
PID 1524 wrote to memory of 4508	1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe	107
PID 1524 wrote to memory of 4856	1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe	108
PID 1524 wrote to memory of 4856	1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe	108
PID 1524 wrote to memory of 4856	1524	{7783009F-F864-46df-B4DB-51577F0A9D52}.exe	108
PID 4508 wrote to memory of 4740	4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe	112
PID 4508 wrote to memory of 4740	4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe	112
PID 4508 wrote to memory of 4740	4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe	112
PID 4508 wrote to memory of 4484	4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe	113
PID 4508 wrote to memory of 4484	4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe	113
PID 4508 wrote to memory of 4484	4508	{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe	113
PID 4740 wrote to memory of 4832	4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe	114
PID 4740 wrote to memory of 4832	4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe	114
PID 4740 wrote to memory of 4832	4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe	114
PID 4740 wrote to memory of 3732	4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe	115
PID 4740 wrote to memory of 3732	4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe	115
PID 4740 wrote to memory of 3732	4740	{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe	115
PID 4832 wrote to memory of 2816	4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe	116
PID 4832 wrote to memory of 2816	4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe	116
PID 4832 wrote to memory of 2816	4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe	116
PID 4832 wrote to memory of 764	4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe	117
PID 4832 wrote to memory of 764	4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe	117
PID 4832 wrote to memory of 764	4832	{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe	117
PID 2816 wrote to memory of 1520	2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe	119
PID 2816 wrote to memory of 1520	2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe	119
PID 2816 wrote to memory of 1520	2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe	119
PID 2816 wrote to memory of 4644	2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe	120
PID 2816 wrote to memory of 4644	2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe	120
PID 2816 wrote to memory of 4644	2816	{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe	120
PID 1520 wrote to memory of 3512	1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe	121
PID 1520 wrote to memory of 3512	1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe	121
PID 1520 wrote to memory of 3512	1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe	121
PID 1520 wrote to memory of 4452	1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe	122
PID 1520 wrote to memory of 4452	1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe	122
PID 1520 wrote to memory of 4452	1520	{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe	122
PID 3512 wrote to memory of 2000	3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe	126
PID 3512 wrote to memory of 2000	3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe	126
PID 3512 wrote to memory of 2000	3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe	126
PID 3512 wrote to memory of 4164	3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe	127
PID 3512 wrote to memory of 4164	3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe	127
PID 3512 wrote to memory of 4164	3512	{31515523-0B92-4417-8574-D68A7BA917CF}.exe	127
PID 2000 wrote to memory of 2960	2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe	128
PID 2000 wrote to memory of 2960	2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe	128
PID 2000 wrote to memory of 2960	2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe	128
PID 2000 wrote to memory of 4820	2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe	129
PID 2000 wrote to memory of 4820	2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe	129
PID 2000 wrote to memory of 4820	2000	{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe	129
PID 2960 wrote to memory of 696	2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe	130
PID 2960 wrote to memory of 696	2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe	130
PID 2960 wrote to memory of 696	2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe	130
PID 2960 wrote to memory of 3012	2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe	131
PID 2960 wrote to memory of 3012	2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe	131
PID 2960 wrote to memory of 3012	2960	{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe	131
PID 696 wrote to memory of 4304	696	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe	132
PID 696 wrote to memory of 4304	696	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe	132
PID 696 wrote to memory of 4304	696	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe	132
PID 696 wrote to memory of 3856	696	{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_711053a156c1a8216c0842ffe36b5a79_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\{7783009F-F864-46df-B4DB-51577F0A9D52}.exe
  C:\Windows\{7783009F-F864-46df-B4DB-51577F0A9D52}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe
    C:\Windows\{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe
      C:\Windows\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe
        
        C:\Windows\{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe
        
        C:\Windows\{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe
        
        C:\Windows\{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{31515523-0B92-4417-8574-D68A7BA917CF}.exe
        
        C:\Windows\{31515523-0B92-4417-8574-D68A7BA917CF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe
        
        C:\Windows\{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe
        
        C:\Windows\{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe
        
        C:\Windows\{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe
        
        C:\Windows\{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\{89CADBBF-1238-4113-AF68-112264A9DFE7}.exe
        
        C:\Windows\{89CADBBF-1238-4113-AF68-112264A9DFE7}.exe
        13⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32850~1.EXE > nul
        13⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9606~1.EXE > nul
        12⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C5B2~1.EXE > nul
        11⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AF0A~1.EXE > nul
        10⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31515~1.EXE > nul
        9⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5D6E~1.EXE > nul
        8⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D2E~1.EXE > nul
        7⤵
        
        PID:4644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05875~1.EXE > nul
        6⤵
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5CB0~1.EXE > nul
        5⤵
        
        PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{31ED2~1.EXE > nul
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{77830~1.EXE > nul
    3⤵
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05875A6B-041C-4fd1-9A0F-C8D5F9496190}.exe

Filesize
344KB

MD5
2476d733c13998831979cc6e8b09bcd1

SHA1
a1526e1e5a39ff9f6b477f288f4dfa6f0ce5455d

SHA256
0d65d0c9b1097317b5c8c540ec0bee4c4cd8ff0b887ce86adc9bf6cdf3f5f94d

SHA512
3c2de5e952653e5e5292ef4830b732bdc48fbe8dd03f4e31afc390b43a9b2a91a3e0f517b239d0687319de15aa1b99e2485ab35594bfcc1eeec2bc801314c585

Download Submit
C:\Windows\{31515523-0B92-4417-8574-D68A7BA917CF}.exe

Filesize
344KB

MD5
e67e3e321c72ce05227fb4fb68c46dce

SHA1
b891b7807d6b6cef26bc8f9416efbf7d0463c19a

SHA256
58589d3e48c4a1ef0bf11a35e0224a324510ba19bedf8b9d06a66b21ed202974

SHA512
c65d2fc077cbce99c9e568c60a0d277961963095ca4f4d6f9b29358b1452e5e08f5ccc210a201e4ca8417365f56f8732a976a6a08414174d073aa13050de28c8

Download Submit
C:\Windows\{31ED2910-7FDF-4e1a-9F6F-71C5C109148C}.exe

Filesize
344KB

MD5
af39fec9a88752968adef88ee1965a47

SHA1
f3e1c4eaa1fabedb76d7ee80db58148fc5a9db7e

SHA256
ab585baab19543ccc1aa4cbd0fd437274ef7ae78c531bcffbee1d16913a889a1

SHA512
6c990cbf27b6a949900f05303f721c6eae34d3a015297b679df0ff3f1396e980be1384903c57d514ccc8e6884e5e475dc7afae4cac58edc9b032a58e479d6e14

Download Submit
C:\Windows\{328501C5-4CC1-4f39-BACC-65464B7DF2C1}.exe

Filesize
344KB

MD5
96238a08528aea75805ef6a5a4950233

SHA1
8bfa44752233ed477470d1eae09162b1753c6248

SHA256
d6ffa63022db751b6507234f284c0512d693412fae341a22d477f306d320f48e

SHA512
8ac7587eeb085f18084c130ca848c94dbe08364a562736bbc8ac0b912518b736381720d3fdf537237cdf69508594f019c0e96a87fac16f3a9203b6e1cfdc2ba2

Download Submit
C:\Windows\{6C5B221C-FCD2-40cf-A65E-6B7BF79258EA}.exe

Filesize
344KB

MD5
496e5711fef4fcfe0e2e30e90bd77283

SHA1
1a991e21d5af6de2dcf0079c7cc110d8c0673b56

SHA256
b26dc08966143b36253278ae288c5ffb705062aceba30eb6f1581347d6fef215

SHA512
ea402e153510d1ba6bbbb632c37ca62b0bb2d70159b3e13b10b73eef6fbaf51e038832a32a70a3cea8693640aac71b646f24e99e1d92421538040ca8c53a37a9

Download Submit
C:\Windows\{7783009F-F864-46df-B4DB-51577F0A9D52}.exe

Filesize
344KB

MD5
dc5970a69b1fa4238b4b02f99abd43ff

SHA1
8c129345b7f4760595d82abf2f41b3504ec52a24

SHA256
1db5cb1392e555ad0a6284a307493a80c0cb69d66a8f176762e8457b9dae3e78

SHA512
8d326b0af01309be72ea1ab841739481fb82f17d1d60c802c397100d476fbf0d630cdf56a85d814503ac5366440ffbd5dc10f8d5f413a8bc3b42f671aa5b93c2

Download Submit
C:\Windows\{7AF0AF47-591C-4d1c-9225-152F258CAB90}.exe

Filesize
344KB

MD5
7f28cef7b5e5db88d55bf61eefcde427

SHA1
5e25126b97503736b09200c62451f8207ab18b3c

SHA256
1cbcaf455f2c3c3d5bd8927c4579ec107a612dda40742e2183bacf2c7e2d5c95

SHA512
a03a1732522fbaad30814e5fd0d2dfbb709e122ebc96c0098456ae303501c3cdf5b09ee0b60b128da37dc39ef707a2f93ac88e9df85b0b408ebabde430d29b95

Download Submit
C:\Windows\{89CADBBF-1238-4113-AF68-112264A9DFE7}.exe

Filesize
344KB

MD5
eb107db72db9000ea3ecebedbf42412f

SHA1
bc936bc1a2a57bc3f1ad62591f7c5d44366b960a

SHA256
f6c35afcc72149474cee11629651938ed6ab07c225827763d0dedbc8fa9cc440

SHA512
def5a814654ed84f1f50348f6fb8fbed23cc5887843b48547a322517028f3f6c180003f07faf21d58fea5cc2cb18ce54b210e6cf4ce869dded6bc260b7a15bf8

Download Submit
C:\Windows\{D5D6ECFE-9ACB-45bd-B0E4-F7B8D341F10B}.exe

Filesize
344KB

MD5
285760988d0eb83abd1c55c1834ebe62

SHA1
adea848d6767b8c7bc03d7b06b2f3afa53a9b5b9

SHA256
07a2550415b3c765143baccc2a33f7b1ec2c2fa3392fe4c61f6b2fa701649120

SHA512
95ae5908688628f1591fc0908ad1cb02b34f3c3feaf89b0c67492df90bfcb8e5df7b66e904ef34a6895f5a4dbeb77651edc788bea20971ff3d291442505b4127

Download Submit
C:\Windows\{D9606AB1-719F-4b6e-B5FE-B372A4A0F2D6}.exe

Filesize
344KB

MD5
8ff0f3f22abd91f6d9261459f1ccd54f

SHA1
8c51c91a9d2d46037c0dab4aaa0feddcc8dcdd76

SHA256
fe357d41d9fceb9bacacc6ad2e74511469e9f75302eb5056afeee591bbc61ce0

SHA512
3693213a7b9d878b6897a38aaaf92986443a321efa77bbeb7a1980d288964ceb2078a0a733d0170cfdd680c6efecb97dc5ccf3d46ee5438f525bc2e30112ad28

Download Submit
C:\Windows\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe

Filesize
320KB

MD5
2c8bc524c18daa90647aa203f868f0ab

SHA1
31a7d34e6515f47585ef043c5bf30cffa1f6df4b

SHA256
af704aa542dced16bb73f02b8499a6984dda94e60f31f5439956f50834cfbbc4

SHA512
2974624e9b050c150304d9df0d7de7869432c99a258718a1bb9dd869baade67e342c18327855f8e1839c2575f76d5bdc9f08a2b632809cfd929386443b94bf00

Download Submit
C:\Windows\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe

Filesize
192KB

MD5
fdea66eaabdd94ede77f53b8799be485

SHA1
cb41e052d13def75964e47deaab98e67c73e716b

SHA256
5682b6e81b2cdd136d53ed2faef698ec8a0483aefbdf346982c50f8e1e79f3cc

SHA512
84a51191dd5826bed265b55405d25ec2f4b64febe06cefdf33863ef504da03efc174388f55c24653590f7ee094be4db6c351581107c9d7640abc99acc9eff72e

Download Submit
C:\Windows\{F5CB0F49-0E91-4c70-825A-7FC680AAB66E}.exe

Filesize
344KB

MD5
87c39d56d95bcafb6f200a95afddc444

SHA1
de269d3633233202c9fa1957db9bf12550f20114

SHA256
07c0d0eb7e58d131bb2ce57a6d08c608d38d91268d2d813e80032769bbf865f8

SHA512
f64d05f7199a8ca4281b8a1503e18d014215cc38735bde87e8d47a8a3d90d7dd047dbf4f331aa65f6387b7b6f877bf533d1603c534b315d3c461119353edba6c

Download Submit
C:\Windows\{F5D2EA09-CE1A-4a1a-B2D4-5E1CFBF2FD82}.exe

Filesize
344KB

MD5
76d0f45dfebd9e3db282430b6ae5dad1

SHA1
7c3661da2036bb9f6cdf84be33072c5150196df0

SHA256
a2c503a38c35302ede8829eec7c6c81d8048cd9d60ede125a5208c6dadb13676

SHA512
5e5c2b0b46ab8ba164f5ba657dc70b1626ac9555d8d59c2618d7513ef1a2621067000453b7007b091ad07e5725c97a61016d81788f8c1665c24cf62523e5d258

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads