3e403712421e430d21b7225a3bd24563f234344b7af3d08cf2aae0468ea864f0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Size

204KB
MD5

83e0e740ca8244b58ca48136f73bd600
SHA1

1e6a05d072007b7af3184b7a8039e33b0e5b05dd
SHA256

3e403712421e430d21b7225a3bd24563f234344b7af3d08cf2aae0468ea864f0
SHA512

f47a85b943b0d86999275fe6490ff3e475079d8c90cc976e90ff671e76e7331fa6d51dc2bcc49a7038c35849c46b8a192e4721b2086b0200df0ce7ad9dd45943
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oDl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023224-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023239-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023239-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023247-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002312f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023247-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e747-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e747-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233c8-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234db-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233c8-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234db-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233c8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3220D07B-52EA-4dd8-966C-EE61E66D4930}\stubpath = "C:\\Windows\\{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe"	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A95123-BAD7-4887-B60D-B41AC53DCCF0}	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E754973-0792-4733-BDC3-0B335359AF4F}	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FA8A53-8E12-4733-B26A-07891B662558}	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A19162D-1F7F-4669-9817-DC277F4338ED}\stubpath = "C:\\Windows\\{9A19162D-1F7F-4669-9817-DC277F4338ED}.exe"	{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}\stubpath = "C:\\Windows\\{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe"	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}\stubpath = "C:\\Windows\\{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe"	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A95123-BAD7-4887-B60D-B41AC53DCCF0}\stubpath = "C:\\Windows\\{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe"	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E754973-0792-4733-BDC3-0B335359AF4F}\stubpath = "C:\\Windows\\{6E754973-0792-4733-BDC3-0B335359AF4F}.exe"	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}	{60FA8A53-8E12-4733-B26A-07891B662558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495436B4-7A9B-4e85-8672-26C14775B6D4}\stubpath = "C:\\Windows\\{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe"	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48652442-2575-4162-A344-CE63BE6050C0}	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48652442-2575-4162-A344-CE63BE6050C0}\stubpath = "C:\\Windows\\{48652442-2575-4162-A344-CE63BE6050C0}.exe"	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}\stubpath = "C:\\Windows\\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe"	{48652442-2575-4162-A344-CE63BE6050C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FA8A53-8E12-4733-B26A-07891B662558}\stubpath = "C:\\Windows\\{60FA8A53-8E12-4733-B26A-07891B662558}.exe"	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3220D07B-52EA-4dd8-966C-EE61E66D4930}	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495436B4-7A9B-4e85-8672-26C14775B6D4}	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}\stubpath = "C:\\Windows\\{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe"	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}	{48652442-2575-4162-A344-CE63BE6050C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}\stubpath = "C:\\Windows\\{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe"	{60FA8A53-8E12-4733-B26A-07891B662558}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A19162D-1F7F-4669-9817-DC277F4338ED}	{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe

Executes dropped EXE 12 IoCs

pid	Process
1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe
3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe
1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe
3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe
3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe
3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe
3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe
2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe
2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe
1504	{60FA8A53-8E12-4733-B26A-07891B662558}.exe
4888	{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe
3816	{9A19162D-1F7F-4669-9817-DC277F4338ED}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe
File created	C:\Windows\{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe
File created	C:\Windows\{48652442-2575-4162-A344-CE63BE6050C0}.exe	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe
File created	C:\Windows\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe	{48652442-2575-4162-A344-CE63BE6050C0}.exe
File created	C:\Windows\{60FA8A53-8E12-4733-B26A-07891B662558}.exe	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe
File created	C:\Windows\{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe	{60FA8A53-8E12-4733-B26A-07891B662558}.exe
File created	C:\Windows\{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
File created	C:\Windows\{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe
File created	C:\Windows\{9A19162D-1F7F-4669-9817-DC277F4338ED}.exe	{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe
File created	C:\Windows\{6E754973-0792-4733-BDC3-0B335359AF4F}.exe	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe
File created	C:\Windows\{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe
File created	C:\Windows\{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2568	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe
Token: SeIncBasePriorityPrivilege	3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe
Token: SeIncBasePriorityPrivilege	1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe
Token: SeIncBasePriorityPrivilege	3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe
Token: SeIncBasePriorityPrivilege	3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe
Token: SeIncBasePriorityPrivilege	3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe
Token: SeIncBasePriorityPrivilege	3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe
Token: SeIncBasePriorityPrivilege	2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe
Token: SeIncBasePriorityPrivilege	2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe
Token: SeIncBasePriorityPrivilege	1504	{60FA8A53-8E12-4733-B26A-07891B662558}.exe
Token: SeIncBasePriorityPrivilege	4888	{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1872	2568	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	96
PID 2568 wrote to memory of 1872	2568	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	96
PID 2568 wrote to memory of 1872	2568	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	96
PID 2568 wrote to memory of 4508	2568	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	97
PID 2568 wrote to memory of 4508	2568	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	97
PID 2568 wrote to memory of 4508	2568	2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe	97
PID 1872 wrote to memory of 3360	1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe	100
PID 1872 wrote to memory of 3360	1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe	100
PID 1872 wrote to memory of 3360	1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe	100
PID 1872 wrote to memory of 4640	1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe	101
PID 1872 wrote to memory of 4640	1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe	101
PID 1872 wrote to memory of 4640	1872	{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe	101
PID 3360 wrote to memory of 1496	3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe	105
PID 3360 wrote to memory of 1496	3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe	105
PID 3360 wrote to memory of 1496	3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe	105
PID 3360 wrote to memory of 1732	3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe	106
PID 3360 wrote to memory of 1732	3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe	106
PID 3360 wrote to memory of 1732	3360	{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe	106
PID 1496 wrote to memory of 3780	1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe	114
PID 1496 wrote to memory of 3780	1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe	114
PID 1496 wrote to memory of 3780	1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe	114
PID 1496 wrote to memory of 3472	1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe	115
PID 1496 wrote to memory of 3472	1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe	115
PID 1496 wrote to memory of 3472	1496	{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe	115
PID 3780 wrote to memory of 3224	3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe	116
PID 3780 wrote to memory of 3224	3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe	116
PID 3780 wrote to memory of 3224	3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe	116
PID 3780 wrote to memory of 1588	3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe	117
PID 3780 wrote to memory of 1588	3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe	117
PID 3780 wrote to memory of 1588	3780	{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe	117
PID 3224 wrote to memory of 3208	3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe	118
PID 3224 wrote to memory of 3208	3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe	118
PID 3224 wrote to memory of 3208	3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe	118
PID 3224 wrote to memory of 4860	3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe	119
PID 3224 wrote to memory of 4860	3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe	119
PID 3224 wrote to memory of 4860	3224	{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe	119
PID 3208 wrote to memory of 3780	3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe	121
PID 3208 wrote to memory of 3780	3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe	121
PID 3208 wrote to memory of 3780	3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe	121
PID 3208 wrote to memory of 1588	3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe	122
PID 3208 wrote to memory of 1588	3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe	122
PID 3208 wrote to memory of 1588	3208	{48652442-2575-4162-A344-CE63BE6050C0}.exe	122
PID 3780 wrote to memory of 2288	3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe	123
PID 3780 wrote to memory of 2288	3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe	123
PID 3780 wrote to memory of 2288	3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe	123
PID 3780 wrote to memory of 3816	3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe	124
PID 3780 wrote to memory of 3816	3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe	124
PID 3780 wrote to memory of 3816	3780	{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe	124
PID 2288 wrote to memory of 2436	2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe	125
PID 2288 wrote to memory of 2436	2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe	125
PID 2288 wrote to memory of 2436	2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe	125
PID 2288 wrote to memory of 3832	2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe	126
PID 2288 wrote to memory of 3832	2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe	126
PID 2288 wrote to memory of 3832	2288	{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe	126
PID 2436 wrote to memory of 1504	2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe	127
PID 2436 wrote to memory of 1504	2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe	127
PID 2436 wrote to memory of 1504	2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe	127
PID 2436 wrote to memory of 1796	2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe	128
PID 2436 wrote to memory of 1796	2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe	128
PID 2436 wrote to memory of 1796	2436	{6E754973-0792-4733-BDC3-0B335359AF4F}.exe	128
PID 1504 wrote to memory of 4888	1504	{60FA8A53-8E12-4733-B26A-07891B662558}.exe	129
PID 1504 wrote to memory of 4888	1504	{60FA8A53-8E12-4733-B26A-07891B662558}.exe	129
PID 1504 wrote to memory of 4888	1504	{60FA8A53-8E12-4733-B26A-07891B662558}.exe	129
PID 1504 wrote to memory of 4376	1504	{60FA8A53-8E12-4733-B26A-07891B662558}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_83e0e740ca8244b58ca48136f73bd600_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe
  C:\Windows\{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe
    C:\Windows\{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe
      C:\Windows\{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe
        
        C:\Windows\{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe
        
        C:\Windows\{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\{48652442-2575-4162-A344-CE63BE6050C0}.exe
        
        C:\Windows\{48652442-2575-4162-A344-CE63BE6050C0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe
        
        C:\Windows\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe
        
        C:\Windows\{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{6E754973-0792-4733-BDC3-0B335359AF4F}.exe
        
        C:\Windows\{6E754973-0792-4733-BDC3-0B335359AF4F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{60FA8A53-8E12-4733-B26A-07891B662558}.exe
        
        C:\Windows\{60FA8A53-8E12-4733-B26A-07891B662558}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe
        
        C:\Windows\{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\{9A19162D-1F7F-4669-9817-DC277F4338ED}.exe
        
        C:\Windows\{9A19162D-1F7F-4669-9817-DC277F4338ED}.exe
        13⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB525~1.EXE > nul
        13⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60FA8~1.EXE > nul
        12⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E754~1.EXE > nul
        11⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61A95~1.EXE > nul
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8915A~1.EXE > nul
        9⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48652~1.EXE > nul
        8⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E59F6~1.EXE > nul
        7⤵
        
        PID:4860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06A66~1.EXE > nul
        6⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE3F~1.EXE > nul
        5⤵
        
        PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49543~1.EXE > nul
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3220D~1.EXE > nul
    3⤵
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06A66A6C-4D1D-43c7-B73F-53FEFEEF4ED4}.exe

Filesize
204KB

MD5
1f35bb0518cc6336383650f831292132

SHA1
f86940f6ee2aad1e1ac0b95cb4a02208f56764b4

SHA256
4b314beeb46aad883107956c86c545129c40b39fa99d4b7e9fc679c7550606e1

SHA512
15023dd91baeddc13cf0021d516caceec4e0162de8112ecf8473d77f659e4da08a01e80f5d96d6779a3fe3343a16de226bb2e435455787cf80a8a252ae1e0efc

Download Submit
C:\Windows\{3220D07B-52EA-4dd8-966C-EE61E66D4930}.exe

Filesize
204KB

MD5
ba004ec3040ab5aada014d206967dbbb

SHA1
1cf837bafd49896cf38f47787c1f1fd0d075aea3

SHA256
733405a86a930f7cc8984bea2f2ca2dba93cd735be085613d99a7a8c786af3d4

SHA512
4bfe7aa51872536aff17f992b5d5cf4fca1261d3ab1665f3a34722d3b9a50743fe7c6a828fe6f246c5b193ef9ca6888e87494ad779d596a29a9571806569cea5

Download Submit
C:\Windows\{48652442-2575-4162-A344-CE63BE6050C0}.exe

Filesize
204KB

MD5
ce751f6ee62e8df90e0ea0f1c810c98d

SHA1
de53820a46c039997529c4f6b7a93f8ed381f15d

SHA256
e9051c338f51d101a3488f807599a52fc3aa8ef241bc69fc5ed42ddb45326bf8

SHA512
484e301f131162073d74ee27a85f2c06423e41ff3d368defcf2933cbd71376f68dd10ae461456bbb6d2290cfa819268077bfa6dc1f9f370223f8685d10894a51

Download Submit
C:\Windows\{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe

Filesize
163KB

MD5
a5c9311e46aebbd217968ec6b960918d

SHA1
022a57aaf4b9ebeb3af977171401298305abf837

SHA256
ad57dce74c9befbb58060963822c3ff855906128d1a313a6dad4df672c0ea457

SHA512
368c76e8a08e7f0bb8d653aabaa691617f6621f5ba969cf69547e1881c3b4abd178f1645c194b50f7fcb22d11b7d8fbbc89356e80693f96e3bec76041edbd085

Download Submit
C:\Windows\{495436B4-7A9B-4e85-8672-26C14775B6D4}.exe

Filesize
128KB

MD5
57063b02ad9433e43bced163a97ac3d0

SHA1
2eece64ecbcbf91c661ada26ded84fa5098d6d81

SHA256
cf62c45321692bea4d172ff2b447dfe556652c0b602e5be764621d6992ca5481

SHA512
ba51bdf785abf02989476311bf7ead42777a5eb79fc70952964e66260e42d56be44b406a641d43b4378e43ff13ca92e6c4ab1e226c87162af0331fdde33e6ffc

Download Submit
C:\Windows\{60FA8A53-8E12-4733-B26A-07891B662558}.exe

Filesize
204KB

MD5
5179bfdf41c5244a056431d1eb3ee1bf

SHA1
d9f3c4cf05bd844182169f5325a0a2207198326f

SHA256
0c167e83146c07caf56e1442ba6d4682a2d02a5d1a99281b1d4b9ba0c21aecb7

SHA512
64298f69ad21932d4f2f0a7ce03732755977710024f6dab98a3a5edc8b3f71c1771f9aeaf22ae20b728eff9e46ddee40df2b8c2c007e44322081f0cb43d2292f

Download Submit
C:\Windows\{61A95123-BAD7-4887-B60D-B41AC53DCCF0}.exe

Filesize
204KB

MD5
ac9769774a6b51d44865b27f8f06e36c

SHA1
cf41d28fe1526533207055e9fd3d32e16f357a2c

SHA256
574d22f40b718eca3ae44333e2c913c5a286e358276d57ef1d4ce48212e8c58a

SHA512
0ecaf636559aea622f4e25a618c546c0c21dd1baa5f02e36a6c4e862a66d6b32d834df3ac456467425438680e04304c1e60f43a23c83932dfd930bd5a5e1bd31

Download Submit
C:\Windows\{6E754973-0792-4733-BDC3-0B335359AF4F}.exe

Filesize
204KB

MD5
301592e5e759fd5162d701c72707053c

SHA1
5998a0ededfe0c30edf927e87b748e622134803c

SHA256
c57d73c322ecc7fb6d1dbc690fe3922b69f580477b9c032f94f5b8495e25667c

SHA512
dafd8498c5da9a3f032ab9773fef27ec8f451a8e7881cd39faf839e84e805b54c5ce27284f65ce3554cdaa95cab5f75dedc4da4959b8f60c2711f2ee6e98df0a

Download Submit
C:\Windows\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe

Filesize
81KB

MD5
f169b1e81498c4f3a1fe559a0b30938c

SHA1
b18eb4c503b45d015f40c48e14a2df532142690c

SHA256
f8a305f4b2d802d08e6040016760a46271ce971d7105343fec5d829bd66d62ac

SHA512
e43abc861cac30313b9ccb82191b8ccfd740aa2fa545a73dfc9f31d336e388b01958b6de81f9c613c51de5e0945d29250e2bfccbf404488ac41594114468acdc

Download Submit
C:\Windows\{8915AC6F-B455-45f9-AB76-DCEFAC664F6D}.exe

Filesize
204KB

MD5
afa9fdaab7a492626aea4e69bc92764c

SHA1
3f813f8311ab8a147d38d3e24ddfd6dd0b47dea8

SHA256
b2ce269c5aa01488cfc82fb5e427a63fc0760aaf4fb0d82132ebdf88a97f493f

SHA512
ec6c6113e9ce8c35edc27b00fa25ef1c5868d3f10107316568ff6256a3471aaab57f02e967222912dc79dde1ee88024c2cd70d4da1fc1959a3cf01d8c5a0e762

Download Submit
C:\Windows\{9A19162D-1F7F-4669-9817-DC277F4338ED}.exe

Filesize
204KB

MD5
b3e17b43d0f4cdf58701f7ce00f8c61f

SHA1
0e20e44c9e32010b7078b6e3c71da7ec1e4ff5df

SHA256
759ce8d8b3b1ee1a40b0d5b9f26ded2afd85f877fe3788839b6eb95608f567f9

SHA512
8717073978e850a0e337bd638b5e3ad116d65d2da3a816767de0163b050aaafcceadbff2803a1b255d02655363bd63075e519b5422f54b0be220d029f5a3fcac

Download Submit
C:\Windows\{ACE3FEF2-74B4-41c4-9E3D-1AC886414149}.exe

Filesize
204KB

MD5
9cf3b285e5785eb8cb9b37aaa57db8b9

SHA1
7fdb2f1a619ab6d05d45a015b5de17d1c45df642

SHA256
8addd5b9076c05c6eba4b7ede58d18859a2f4e7ff608f60ca7caafd7541a842b

SHA512
617712af041fd1d77bff5669babe0c8fe532e54b90f6cdf80f56643cec0aafa80ce794c658f937689a04eadf8966a99c6c3a4d5713d222cb4e237237de3886a3

Download Submit
C:\Windows\{BB52507D-F9C7-497d-9AD4-D8F4AACF0491}.exe

Filesize
204KB

MD5
413f6d3a4bc73bd0addabd0c17ce893e

SHA1
7f1f1957cd8cb980ad7d42c52bc455e0a4499ceb

SHA256
d8c6793e7b6ef0e1243f47b350e6db7a4a5f4e1d8b45284b5331cb376f7f20a6

SHA512
2acc7f4accb5a17537a511036877aff3938b4fbf37e7ec34f90cc31f783d1044ca9bb7816b694cff04c4dec818d502e040b1b61450c013ab7904fefdb59b17a8

Download Submit
C:\Windows\{E59F6F14-B1A8-4cbd-8E5B-7871E0015F54}.exe

Filesize
204KB

MD5
e46d3442a54ff3b89870b31b7e837086

SHA1
02edd602a13c05a13276b90d9fb93e5d0e7e7d57

SHA256
bbd22086a887dfa629e55a197b190bd2ee4a9d80bf03f424c86835527b900e2a

SHA512
ffcfd665cd63993ee55ab8f9d79285ebe808ce5f0671e514bfab9bc4117ff69a020086c1843db0c73c61f0767c07498d9d4343b398580d8c9a32f7a7f9a260d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads