5071d3aafff34f7f31df0bed9ff042796767566fa2dd0d04beb91dbb3df5eebc

Analysis

max time kernel
168s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe
Size

197KB
MD5

15008c3814150baa9770e7ab6cc33111
SHA1

4d3082483ea91d91781092b9a96d60963caef643
SHA256

5071d3aafff34f7f31df0bed9ff042796767566fa2dd0d04beb91dbb3df5eebc
SHA512

75e69393036e61513da820e84844ea3e8dc1712b73a2b39104e00a429f9ba9b74a26dd6103d73dfb9536e17df06146fc94432331d322e4bf625f6e4ade710011
SSDEEP

3072:jEGh0oMl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGGlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002322c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322c-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001500000002322c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023143-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001600000002322c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023143-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001700000002322c-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023143-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002313f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023142-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002313f-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023140-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}\stubpath = "C:\\Windows\\{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe"	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9DBF67-01D1-4861-B466-568D621E0D5F}\stubpath = "C:\\Windows\\{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe"	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}\stubpath = "C:\\Windows\\{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}.exe"	{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}\stubpath = "C:\\Windows\\{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe"	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{598EF2D6-EC4D-4735-9A72-533965BD0AEC}	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{598EF2D6-EC4D-4735-9A72-533965BD0AEC}\stubpath = "C:\\Windows\\{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe"	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2150F88-DC78-4e7e-BB73-69D642EDC438}	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}\stubpath = "C:\\Windows\\{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe"	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}\stubpath = "C:\\Windows\\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe"	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D1D43C6-2439-4418-A990-F8AD470CA85C}	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8DB661D-2679-42bd-9DC7-64EA904F11D9}\stubpath = "C:\\Windows\\{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe"	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37481809-7BDB-4d51-BEC2-69766458BACD}	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37481809-7BDB-4d51-BEC2-69766458BACD}\stubpath = "C:\\Windows\\{37481809-7BDB-4d51-BEC2-69766458BACD}.exe"	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D1D43C6-2439-4418-A990-F8AD470CA85C}\stubpath = "C:\\Windows\\{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe"	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2150F88-DC78-4e7e-BB73-69D642EDC438}\stubpath = "C:\\Windows\\{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe"	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9DBF67-01D1-4861-B466-568D621E0D5F}	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8DB661D-2679-42bd-9DC7-64EA904F11D9}	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}\stubpath = "C:\\Windows\\{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe"	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}	{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe

Executes dropped EXE 12 IoCs

pid	Process
1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe
2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe
4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe
4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe
4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe
1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe
2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe
4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe
4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe
1916	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe
4276	{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe
740	{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe
File created	C:\Windows\{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe
File created	C:\Windows\{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe
File created	C:\Windows\{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe
File created	C:\Windows\{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe
File created	C:\Windows\{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe
File created	C:\Windows\{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}.exe	{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe
File created	C:\Windows\{37481809-7BDB-4d51-BEC2-69766458BACD}.exe	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe
File created	C:\Windows\{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe
File created	C:\Windows\{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe
File created	C:\Windows\{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe
File created	C:\Windows\{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4784	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe
Token: SeIncBasePriorityPrivilege	2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe
Token: SeIncBasePriorityPrivilege	4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe
Token: SeIncBasePriorityPrivilege	4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe
Token: SeIncBasePriorityPrivilege	4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe
Token: SeIncBasePriorityPrivilege	1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe
Token: SeIncBasePriorityPrivilege	2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe
Token: SeIncBasePriorityPrivilege	4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe
Token: SeIncBasePriorityPrivilege	4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe
Token: SeIncBasePriorityPrivilege	1916	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe
Token: SeIncBasePriorityPrivilege	4276	{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1048	4784	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe	97
PID 4784 wrote to memory of 1048	4784	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe	97
PID 4784 wrote to memory of 1048	4784	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe	97
PID 4784 wrote to memory of 2028	4784	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe	98
PID 4784 wrote to memory of 2028	4784	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe	98
PID 4784 wrote to memory of 2028	4784	2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe	98
PID 1048 wrote to memory of 2296	1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe	103
PID 1048 wrote to memory of 2296	1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe	103
PID 1048 wrote to memory of 2296	1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe	103
PID 1048 wrote to memory of 4844	1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe	104
PID 1048 wrote to memory of 4844	1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe	104
PID 1048 wrote to memory of 4844	1048	{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe	104
PID 2296 wrote to memory of 4356	2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe	105
PID 2296 wrote to memory of 4356	2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe	105
PID 2296 wrote to memory of 4356	2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe	105
PID 2296 wrote to memory of 4304	2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe	106
PID 2296 wrote to memory of 4304	2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe	106
PID 2296 wrote to memory of 4304	2296	{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe	106
PID 4356 wrote to memory of 4380	4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe	108
PID 4356 wrote to memory of 4380	4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe	108
PID 4356 wrote to memory of 4380	4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe	108
PID 4356 wrote to memory of 4656	4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe	109
PID 4356 wrote to memory of 4656	4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe	109
PID 4356 wrote to memory of 4656	4356	{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe	109
PID 4380 wrote to memory of 4464	4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe	110
PID 4380 wrote to memory of 4464	4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe	110
PID 4380 wrote to memory of 4464	4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe	110
PID 4380 wrote to memory of 1776	4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe	111
PID 4380 wrote to memory of 1776	4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe	111
PID 4380 wrote to memory of 1776	4380	{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe	111
PID 4464 wrote to memory of 1344	4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe	113
PID 4464 wrote to memory of 1344	4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe	113
PID 4464 wrote to memory of 1344	4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe	113
PID 4464 wrote to memory of 972	4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe	114
PID 4464 wrote to memory of 972	4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe	114
PID 4464 wrote to memory of 972	4464	{37481809-7BDB-4d51-BEC2-69766458BACD}.exe	114
PID 1344 wrote to memory of 2028	1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe	115
PID 1344 wrote to memory of 2028	1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe	115
PID 1344 wrote to memory of 2028	1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe	115
PID 1344 wrote to memory of 4784	1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe	116
PID 1344 wrote to memory of 4784	1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe	116
PID 1344 wrote to memory of 4784	1344	{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe	116
PID 2028 wrote to memory of 4168	2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe	117
PID 2028 wrote to memory of 4168	2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe	117
PID 2028 wrote to memory of 4168	2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe	117
PID 2028 wrote to memory of 1708	2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe	118
PID 2028 wrote to memory of 1708	2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe	118
PID 2028 wrote to memory of 1708	2028	{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe	118
PID 4168 wrote to memory of 4356	4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe	126
PID 4168 wrote to memory of 4356	4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe	126
PID 4168 wrote to memory of 4356	4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe	126
PID 4168 wrote to memory of 4656	4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe	127
PID 4168 wrote to memory of 4656	4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe	127
PID 4168 wrote to memory of 4656	4168	{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe	127
PID 4356 wrote to memory of 1916	4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe	128
PID 4356 wrote to memory of 1916	4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe	128
PID 4356 wrote to memory of 1916	4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe	128
PID 4356 wrote to memory of 4040	4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe	129
PID 4356 wrote to memory of 4040	4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe	129
PID 4356 wrote to memory of 4040	4356	{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe	129
PID 1916 wrote to memory of 4276	1916	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe	130
PID 1916 wrote to memory of 4276	1916	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe	130
PID 1916 wrote to memory of 4276	1916	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe	130
PID 1916 wrote to memory of 2072	1916	{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_15008c3814150baa9770e7ab6cc33111_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe
  C:\Windows\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe
    C:\Windows\{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe
      C:\Windows\{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe
        
        C:\Windows\{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Windows\{37481809-7BDB-4d51-BEC2-69766458BACD}.exe
        
        C:\Windows\{37481809-7BDB-4d51-BEC2-69766458BACD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe
        
        C:\Windows\{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe
        
        C:\Windows\{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe
        
        C:\Windows\{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe
        
        C:\Windows\{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe
        
        C:\Windows\{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe
        
        C:\Windows\{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}.exe
        
        C:\Windows\{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}.exe
        13⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8AAF~1.EXE > nul
        13⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD9DB~1.EXE > nul
        12⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02E4E~1.EXE > nul
        11⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2150~1.EXE > nul
        10⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{598EF~1.EXE > nul
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D1D4~1.EXE > nul
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37481~1.EXE > nul
        7⤵
        
        PID:972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B4EC~1.EXE > nul
        6⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27AF1~1.EXE > nul
        5⤵
        
        PID:4656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8DB6~1.EXE > nul
      4⤵
      PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA2BA~1.EXE > nul
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02E4ED4C-3907-4963-BF2E-C97AEBCFB030}.exe

Filesize
197KB

MD5
bbbf75e320af7c4c698d2d738b12d6d4

SHA1
cd0bc6eadaeca9ff32ff6060e417fdce9dd18667

SHA256
02d66e2bda0417cbe86022097cfa8cfaf04534dfff5c42d56f7e8c7b0df8d11f

SHA512
3562772e3aa8901397927f47198b890430be718ba561cde4ed39d34996494734424251e444d3abb0c1ae97ae5ccfe8b945cdb900a2514333966dbf25ccc82812

Download Submit
C:\Windows\{27AF1B1B-2492-4ba6-8748-B37B0F5C3B94}.exe

Filesize
197KB

MD5
20d4d4b2037258f90a3c92c24eb4692b

SHA1
94932e881f0dc7eea45795c70eee846eb8580988

SHA256
5d2b890f26b7b2b454aa09516b8583a0ed2cb07dce31930c7da3f983640e07cb

SHA512
ae6224cf091add1f43ae8bbd6f758c5b21cc2bd6571c6772bdc6c81176f576efb3f90095087ae5456cc7e3d07fd73eff2badb3500cc9b8d4530d8b54946a465c

Download Submit
C:\Windows\{37481809-7BDB-4d51-BEC2-69766458BACD}.exe

Filesize
197KB

MD5
15ad86f4cc3dc87d5258c889cbaf0c91

SHA1
0a49d95dea6a51c7f96c506ba33b7adb57da8f2f

SHA256
ab343aa63c18b7dfd6ab638d0f33b294c13160bb934e14d2dd31b654d7338a9b

SHA512
d49cf970e81075a298c7e1a78de7f252f75668d06339459c9d4c4a886d72f607109f00a6759bc6252b91ecb6413c4f9eb0b942839ef7e0a686e2bab93d2a39ae

Download Submit
C:\Windows\{4D1D43C6-2439-4418-A990-F8AD470CA85C}.exe

Filesize
197KB

MD5
e434106f011ce7d3f59c1f1c05469296

SHA1
3603411e4fc67029c660e59f352e5c7014bebed6

SHA256
2cd31948220411db7898e18cfc752ff8e9fc8117262ed6c6a4fb9886b9f6ab2c

SHA512
bec1adc8cf6121685bc2fa5faef9c606cd125f38d1d7d7993f1785914a629e0aae036cf2d10b90d6bc6269dab2f75765f5133288efa99803f0b1b2ed81153bc7

Download Submit
C:\Windows\{598EF2D6-EC4D-4735-9A72-533965BD0AEC}.exe

Filesize
197KB

MD5
30af62ed2bb33819383847a9f75dd1a3

SHA1
c9c0576654c83d02eaf8d9ccdc0fba3e7f7eebd6

SHA256
08f7a679f4df5430fbddd9cb7ff6ebe8b9eef4d844a91145aa07e33552944f0a

SHA512
45c22f4571c9d3bf5780687d85bf454b13a5cde35b1f6a6182e5dc0794df9c365334a7c7f20fb9abdb35b4b4dd8ca3e1a3833986b63ed99555e8b595cbb7a257

Download Submit
C:\Windows\{6B4EC526-AFC8-4db1-B4F8-FFCC8DE5F4E2}.exe

Filesize
197KB

MD5
d9f4b6acca097b8259de997711ca0ed3

SHA1
f7b25e3e1ac7376532ea7c3738faa3f74831c950

SHA256
3ff975807ae907181e112baa93831ebe6ec70c6a3d92912e1cca06c4cdecaa22

SHA512
b34a250b3210a68e6b971f6a15462323cf2baaecfe329b9b9d526869c8f597dbfa57e080f28ea421c32072f774a6efe57398380f5050d64ae8e4f495d1b5cef1

Download Submit
C:\Windows\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe

Filesize
128KB

MD5
a776da0b6fb0522557b862e5bd98711e

SHA1
797514c9bbd10c500a76d6213caa3f53a692f8cd

SHA256
e8e3321114df1e99d3fc82d9fc218e58c79748a2f9c4cebfea7a1514968047e0

SHA512
3a3c2c4c7510718f4819f447b276cc18b0a9a646e6088382d3cb42a13105c1a30d0d37d4701b626444a1cd6a4188d4920bec32ae8e7e8e1da3af174887fb3d62

Download Submit
C:\Windows\{CA2BA97C-B2F2-4792-951E-4BA6A3E97F20}.exe

Filesize
197KB

MD5
5b25ffc75493f69e98b9513151ea4167

SHA1
ce9895a04d42291812b898b73c5506f8ee6759de

SHA256
6d3a623ebc659bc5c7e80be5f47dda4a1ca9551d9eb369d2122d29263d563542

SHA512
61cd512f0eaf2e7679e9919b38405dfb1252f24c0320f39caeb276af9b781f1b0ada90f84b1c7059293dba9b2001c25f358110232df32aec12267b04ac86005b

Download Submit
C:\Windows\{D2150F88-DC78-4e7e-BB73-69D642EDC438}.exe

Filesize
197KB

MD5
1fe0bd7b7b273c520c2b19ea0b48f06a

SHA1
c2145a98f920685555d1f0753cc1bf3d9f62bc43

SHA256
a79afdd19d6b91f74ee58ca258b7717063a3d5b7cdf48072c56ddef80d469a70

SHA512
79ad1f693bb5e14c0f83bdbbfb8dd31ed3fdb6ea3424c13bad712998d226824a1ccf75820979414f0d71853fade9e4a652b39cc456e921492f011bb9e087b9be

Download Submit
C:\Windows\{D869C8C6-E429-41a0-B9D4-35829CCE5CCC}.exe

Filesize
197KB

MD5
ac6b0498f6f95c25e5adc2843aa4fad9

SHA1
88d5e2b0c1a7d0a11a6734e44b566cda7d5c3200

SHA256
fdcb7e6941f19e0e657e1581f9638c8f69baa329816a01faf96d22ae0426af0a

SHA512
19761c6017bb67201a3e1d8df61602001a1dea4f4bcc6cfc584d3ce03e4cf5ba9ccfd67779a6126884c2bb02afc7ed343aced67c9918ff1dfe15ea5067e3e511

Download Submit
C:\Windows\{DD9DBF67-01D1-4861-B466-568D621E0D5F}.exe

Filesize
197KB

MD5
0995e0af1164283e3d9fe5534ced4307

SHA1
9914c0075ef5f6d1fbd8280873cd7de267470b03

SHA256
18c61f726e686a245f107a71c88be0cb9b36de5137107a7d2880cc4e986ba4e7

SHA512
4e1096423dc9152b5d6db8d8b05bd8e7c91a4bb62d7c57b902ee4b90d6b1ef8bb639609325d8ee1bd684727a71115671cb073a39f5b9f696fcef9bf8574e2d17

Download Submit
C:\Windows\{E8AAF6FE-348A-4e6b-BA16-EC521F85A592}.exe

Filesize
197KB

MD5
4d7172291a59e571cc36115b9c3fd3a7

SHA1
c899dc605058eeef46dfab577514015e527cd8a4

SHA256
66990a5c82acbf0d04061182bb98e68b38c321f3da94671245e5fbff67db70a3

SHA512
d96e0a1296448e6baa9bdf9341df6fea0f2ac2718188ec535cd9929097acb6f1a82c3213df2dda0b6b4fac26b01824f05a5f971460634b8abd4c3cc88709ff22

Download Submit
C:\Windows\{F8DB661D-2679-42bd-9DC7-64EA904F11D9}.exe

Filesize
197KB

MD5
31b86bb249a034fc10e08ca0573b193f

SHA1
0d3e7ba5b3af8c3e62cdb2790d0879f3e6744258

SHA256
e073d4fe66e37a923a04424aad5f8dcb98ca4d56edb1e8af9a05f5fc291ea317

SHA512
8b98df7d7aa9ebcf0337268341f175ef471bc038017dc6e55aac40f894a21758b1d669f2f95374e2bf448fa4d519d71710067c3bedc01f212d4b3d293e01b2b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads