e04e4debae1d00d1482dbd00239f6ff5c54420dd3bc8f7ccd96726700314aae5

Analysis

max time kernel
158s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Size

372KB
MD5

4a05b218ed84c7c633485ae937916bde
SHA1

bc44d706e05f965fe55412b5b29cb1eb4ea1ec60
SHA256

e04e4debae1d00d1482dbd00239f6ff5c54420dd3bc8f7ccd96726700314aae5
SHA512

386ccc1a1c611bb47ce56d2f4aff3d4d9bdd00042c7155ded93402ff1e63fbe01a5e762617c8c7b8234782a46710a9b69b2a4ce5a5dae9c4ee28359d55450c53
SSDEEP

3072:CEGh0o+lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGglkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023218-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023333-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002334a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e302-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002313c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a6-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a8-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e302-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233bf-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234be-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233bf-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}\stubpath = "C:\\Windows\\{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe"	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0673858-2BB4-4351-A143-A435BB195B3F}\stubpath = "C:\\Windows\\{F0673858-2BB4-4351-A143-A435BB195B3F}.exe"	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32909A0D-0D92-44cb-BBCC-11592D859052}	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741CDBFE-005E-4661-990D-43FDA3CC362A}\stubpath = "C:\\Windows\\{741CDBFE-005E-4661-990D-43FDA3CC362A}.exe"	{C88C29A0-EF09-4449-9149-53452675AFF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}\stubpath = "C:\\Windows\\{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe"	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0673858-2BB4-4351-A143-A435BB195B3F}	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32909A0D-0D92-44cb-BBCC-11592D859052}\stubpath = "C:\\Windows\\{32909A0D-0D92-44cb-BBCC-11592D859052}.exe"	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}\stubpath = "C:\\Windows\\{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe"	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}\stubpath = "C:\\Windows\\{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe"	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}\stubpath = "C:\\Windows\\{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe"	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}\stubpath = "C:\\Windows\\{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe"	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88C29A0-EF09-4449-9149-53452675AFF2}\stubpath = "C:\\Windows\\{C88C29A0-EF09-4449-9149-53452675AFF2}.exe"	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{741CDBFE-005E-4661-990D-43FDA3CC362A}	{C88C29A0-EF09-4449-9149-53452675AFF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}\stubpath = "C:\\Windows\\{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe"	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}\stubpath = "C:\\Windows\\{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe"	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88C29A0-EF09-4449-9149-53452675AFF2}	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe
2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe
4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe
5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe
4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe
2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe
2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe
4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe
1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe
992	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe
1984	{C88C29A0-EF09-4449-9149-53452675AFF2}.exe
3852	{741CDBFE-005E-4661-990D-43FDA3CC362A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
File created	C:\Windows\{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe
File created	C:\Windows\{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe
File created	C:\Windows\{F0673858-2BB4-4351-A143-A435BB195B3F}.exe	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe
File created	C:\Windows\{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe
File created	C:\Windows\{C88C29A0-EF09-4449-9149-53452675AFF2}.exe	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe
File created	C:\Windows\{741CDBFE-005E-4661-990D-43FDA3CC362A}.exe	{C88C29A0-EF09-4449-9149-53452675AFF2}.exe
File created	C:\Windows\{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe
File created	C:\Windows\{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe
File created	C:\Windows\{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe
File created	C:\Windows\{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe
File created	C:\Windows\{32909A0D-0D92-44cb-BBCC-11592D859052}.exe	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4752	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe
Token: SeIncBasePriorityPrivilege	2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe
Token: SeIncBasePriorityPrivilege	4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe
Token: SeIncBasePriorityPrivilege	5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe
Token: SeIncBasePriorityPrivilege	4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe
Token: SeIncBasePriorityPrivilege	2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe
Token: SeIncBasePriorityPrivilege	2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe
Token: SeIncBasePriorityPrivilege	4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe
Token: SeIncBasePriorityPrivilege	1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe
Token: SeIncBasePriorityPrivilege	992	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe
Token: SeIncBasePriorityPrivilege	1984	{C88C29A0-EF09-4449-9149-53452675AFF2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4532	4752	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	96
PID 4752 wrote to memory of 4532	4752	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	96
PID 4752 wrote to memory of 4532	4752	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	96
PID 4752 wrote to memory of 4864	4752	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	97
PID 4752 wrote to memory of 4864	4752	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	97
PID 4752 wrote to memory of 4864	4752	2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe	97
PID 4532 wrote to memory of 2824	4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe	101
PID 4532 wrote to memory of 2824	4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe	101
PID 4532 wrote to memory of 2824	4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe	101
PID 4532 wrote to memory of 760	4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe	102
PID 4532 wrote to memory of 760	4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe	102
PID 4532 wrote to memory of 760	4532	{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe	102
PID 2824 wrote to memory of 4844	2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe	106
PID 2824 wrote to memory of 4844	2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe	106
PID 2824 wrote to memory of 4844	2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe	106
PID 2824 wrote to memory of 3716	2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe	107
PID 2824 wrote to memory of 3716	2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe	107
PID 2824 wrote to memory of 3716	2824	{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe	107
PID 4844 wrote to memory of 5036	4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe	110
PID 4844 wrote to memory of 5036	4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe	110
PID 4844 wrote to memory of 5036	4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe	110
PID 4844 wrote to memory of 4940	4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe	111
PID 4844 wrote to memory of 4940	4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe	111
PID 4844 wrote to memory of 4940	4844	{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe	111
PID 5036 wrote to memory of 4552	5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe	116
PID 5036 wrote to memory of 4552	5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe	116
PID 5036 wrote to memory of 4552	5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe	116
PID 5036 wrote to memory of 3272	5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe	117
PID 5036 wrote to memory of 3272	5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe	117
PID 5036 wrote to memory of 3272	5036	{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe	117
PID 4552 wrote to memory of 2672	4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe	118
PID 4552 wrote to memory of 2672	4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe	118
PID 4552 wrote to memory of 2672	4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe	118
PID 4552 wrote to memory of 5016	4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe	119
PID 4552 wrote to memory of 5016	4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe	119
PID 4552 wrote to memory of 5016	4552	{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe	119
PID 2672 wrote to memory of 2056	2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe	121
PID 2672 wrote to memory of 2056	2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe	121
PID 2672 wrote to memory of 2056	2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe	121
PID 2672 wrote to memory of 2252	2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe	122
PID 2672 wrote to memory of 2252	2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe	122
PID 2672 wrote to memory of 2252	2672	{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe	122
PID 2056 wrote to memory of 4916	2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe	123
PID 2056 wrote to memory of 4916	2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe	123
PID 2056 wrote to memory of 4916	2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe	123
PID 2056 wrote to memory of 4520	2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe	124
PID 2056 wrote to memory of 4520	2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe	124
PID 2056 wrote to memory of 4520	2056	{F0673858-2BB4-4351-A143-A435BB195B3F}.exe	124
PID 4916 wrote to memory of 1648	4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe	125
PID 4916 wrote to memory of 1648	4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe	125
PID 4916 wrote to memory of 1648	4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe	125
PID 4916 wrote to memory of 2556	4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe	126
PID 4916 wrote to memory of 2556	4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe	126
PID 4916 wrote to memory of 2556	4916	{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe	126
PID 1648 wrote to memory of 992	1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe	127
PID 1648 wrote to memory of 992	1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe	127
PID 1648 wrote to memory of 992	1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe	127
PID 1648 wrote to memory of 3096	1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe	128
PID 1648 wrote to memory of 3096	1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe	128
PID 1648 wrote to memory of 3096	1648	{32909A0D-0D92-44cb-BBCC-11592D859052}.exe	128
PID 992 wrote to memory of 1984	992	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe	129
PID 992 wrote to memory of 1984	992	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe	129
PID 992 wrote to memory of 1984	992	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe	129
PID 992 wrote to memory of 4436	992	{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_4a05b218ed84c7c633485ae937916bde_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe
  C:\Windows\{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe
    C:\Windows\{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe
      C:\Windows\{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe
        
        C:\Windows\{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Windows\{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe
        
        C:\Windows\{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe
        
        C:\Windows\{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{F0673858-2BB4-4351-A143-A435BB195B3F}.exe
        
        C:\Windows\{F0673858-2BB4-4351-A143-A435BB195B3F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe
        
        C:\Windows\{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{32909A0D-0D92-44cb-BBCC-11592D859052}.exe
        
        C:\Windows\{32909A0D-0D92-44cb-BBCC-11592D859052}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe
        
        C:\Windows\{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\{C88C29A0-EF09-4449-9149-53452675AFF2}.exe
        
        C:\Windows\{C88C29A0-EF09-4449-9149-53452675AFF2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{741CDBFE-005E-4661-990D-43FDA3CC362A}.exe
        
        C:\Windows\{741CDBFE-005E-4661-990D-43FDA3CC362A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C88C2~1.EXE > nul
        13⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE75~1.EXE > nul
        12⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32909~1.EXE > nul
        11⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54C88~1.EXE > nul
        10⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0673~1.EXE > nul
        9⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73CAC~1.EXE > nul
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5DAB~1.EXE > nul
        7⤵
        
        PID:5016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84C3F~1.EXE > nul
        6⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D25A8~1.EXE > nul
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B8EB~1.EXE > nul
      4⤵
      PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4AC~1.EXE > nul
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32909A0D-0D92-44cb-BBCC-11592D859052}.exe

Filesize
372KB

MD5
ed215da20dbc6fdf4cc0d286d09abba4

SHA1
9c9db33ec95d32a0ffbbe76fe0bc7a4cb0b660a9

SHA256
ab6bf0e004fefc1820ac0508286fbcfa6f04d536b08b18cdcf1d7546f5f0a4df

SHA512
e781e4819b73b71c54e374a217b85c4eb8061c0bb71e2484cee8647bb57feb74697cbfc4356ff85a4e7e9929c6aa1857b8d3a0ae6ec380a372a4913bcf6be130

Download Submit
C:\Windows\{4B8EB286-AEBB-44d9-896B-2C1C544B74D3}.exe

Filesize
372KB

MD5
bbe3ad80ba0d7b6a42addc5b34b904e9

SHA1
9b43e3ffccf501fc243789060b4fe09901d1f1c8

SHA256
12bacb9b7408ffe088a49665a656f1242436fa63f903f11ed1038c90aa6aa2fa

SHA512
cabaa73e5c096704d7a4acf6c7f97319fd788d490abeaea7a813facf250725679961aa706655d80104fbb4eb38785c85ce2115118782859e3ff6b17ad24ade7f

Download Submit
C:\Windows\{54C88F96-9CDA-4ba5-9CB2-0AF5433508B2}.exe

Filesize
372KB

MD5
5d7eea714baa5ce62fcefd28b10cd473

SHA1
3996de7e984ccf23f5d95a0c8b4365cc60f29e3f

SHA256
3a3da21dc3970b73a68e0c181223a627d588b1b963b48b7771f1d2c987b26ee0

SHA512
84aa21b54883e4b7d2497c983dd5f74cce95852605a170b20dd145e96741a123c93074a15cf99ed53822d6391a831c1243936dde919486600eb1e4ff19778394

Download Submit
C:\Windows\{73CAC94B-E43B-43bc-A27C-85716CFD2B3C}.exe

Filesize
372KB

MD5
cd4e6a856edcb68b61ffd729a9dee020

SHA1
0181b6b0fff8d1c39fc9dcb4bf8e45df30c3feba

SHA256
9cfdcb14a691e8cdd1041ed4fbfbf3806e30625ba7eee86baf58f71d77babb71

SHA512
258c4a82f4f74b1af5152c048b006b261ac12aec3357ab2a61703df36923b3cfaabfad066f081877f23123013972e2fcb2567a96f014eab6083bb8d9034502ea

Download Submit
C:\Windows\{741CDBFE-005E-4661-990D-43FDA3CC362A}.exe

Filesize
372KB

MD5
0d036df48a51b78ff4123be7f7df7366

SHA1
49d337cb25d2568d7e15b0926678844b1bd8d305

SHA256
110bfd52c926148d2b5882264f85921718491581726ad76689cacd1fc22a25a7

SHA512
a971686c619fcf7088ddc82b908e531600e6eab811fcfe28949c2b789fd63ac71a47fc30160c1f91a94aaa0c83a8b213c7b5e5da81f9bcfd29d9fd2949a7cdb4

Download Submit
C:\Windows\{84C3FC89-06F1-4b4e-9BCF-A407F6187ECE}.exe

Filesize
372KB

MD5
80612e289e9578af0d6aad92c247c73c

SHA1
a1ee7a15b190f8ee9a687d87ae7bb06e9cb5dfd0

SHA256
c99050704dba79661e51c1f06cf19d888a0c88abda264922117298d33a73a901

SHA512
2e1fd88396a1fe49b4638bbb3267400224b4c2b574067f2651d8fc3f915d260a03966e855d0422b355d871a4b2746440177c77173d32f19323d751eb4840bb4a

Download Submit
C:\Windows\{9F4ACF88-4F17-407b-9BAB-101F89C3EE06}.exe

Filesize
372KB

MD5
b330ea5f6586b877edf60676c3da6d40

SHA1
41e6adbbf4db79064a95969fa1fadb145cbab83a

SHA256
14e8c5eb1327653e543451d1cfdeba2b73a01a498e6616bf176a0f4627c02de2

SHA512
3ab6be34d9e74777ecd2a93bd4cbf86e1946992843404372f7a81990e08987be14e2bde2923298fd8c303a173e808f3cfbf31c2ac56b6a2ae09872efa382970f

Download Submit
C:\Windows\{ADE752A6-C7B4-4b73-9E70-D08F1B1D262B}.exe

Filesize
372KB

MD5
a5f777754cf9175e55e54510b0c6c6da

SHA1
ec6147cad45a6b81bf218425430b7195f5671394

SHA256
0d33d37fdf14fde94b89b4665626c6c6eae9acd41548fc0f1bfc80f79991cc66

SHA512
3c48df4d136c7f7f796e174b445ed0d3d9b323e93b61f4893a8d57eb815671f09062ecc46cfc5ff7d4ed7e7dd44682442357bb14d4196a56acf34363f76b9658

Download Submit
C:\Windows\{C5DABA34-8F14-4ee7-A400-A1CCAF032EB7}.exe

Filesize
372KB

MD5
ee634e6819fa40ea4317b6024276ee4d

SHA1
7c657caec968ad50cef06cc8f392b0a7b085a69d

SHA256
901b5322d2b92074f0c74e7111b1233889ad3b47ba24dfaf9e8a7fcb4b6ee56f

SHA512
83f60a836c056bf4fa00cae2d866c228cea8c66e159885c5ddde3e0ed57f1daa1479f582cf07d47231a27f73bb1f609d31c7252da9bce050af7324bebaef0dbe

Download Submit
C:\Windows\{C88C29A0-EF09-4449-9149-53452675AFF2}.exe

Filesize
372KB

MD5
c41666b98fd26da56fba9fc8abaa30e6

SHA1
0d9892f692dd1e3b4dd5176c61172abeba65702e

SHA256
f609fe564e681082b4d60eaa64ac7a686a5bbe36377986a33180499496b9a579

SHA512
404254c174bbbc47b1f0c93b078b5628eddc6b7f28fe1ffd8995c9ab0817f6af0f8611c4ce7d480140c78bbb448fd06f6848aa997a52e0adad7fdc324b8db526

Download Submit
C:\Windows\{D25A8F30-C6C3-4434-BBE6-CE0CE7828EF0}.exe

Filesize
372KB

MD5
052dd9fc92fb3a1854ac8eed539da3f2

SHA1
94386ad1fe0a02998aed136e00dceb907f554d45

SHA256
af7fac24bffed8f37291e4f5e7e3f80716fc5dbc67de67a45bdb565582c3fa43

SHA512
2a68703fd3c2356169b0a868d98c8ad5292628741310ed70906f6c4b05c94411567a41b3d304ad3960247abad9e4e9b37fb41083e074a97560c5a48501acc715

Download Submit
C:\Windows\{F0673858-2BB4-4351-A143-A435BB195B3F}.exe

Filesize
372KB

MD5
f88dd71c21660b216cac628f8426a10c

SHA1
c71b5ba74bbbef3a5c5c9f248ba30faba6802417

SHA256
b949889f7d161cf92c578b7c1a8b180e779ffb830fdcce2db807784c72a1c542

SHA512
78f410fa9300092fde75d4d18fc53b118eb5bcc8e3b95b4711e1d8e937216ed2cc7fe7e11c6b3b0b1e3a711d14986f85bc7cdc5de09e773c50dbbaeeb7adcd7a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads