3f43cb3dabe3354bac3d368aaa25e3601d9957c5b254109a6898b6f74dd23d87

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe
Size

197KB
MD5

7e883eb35385cfd4268b0027200e3217
SHA1

7614c302c73fb2f735bbb988a1d3815d2ef4474b
SHA256

3f43cb3dabe3354bac3d368aaa25e3601d9957c5b254109a6898b6f74dd23d87
SHA512

3405403a97953430035ab0829db3e835452f6d71d12dae26b63bddb4df7554c61d9e844303ada656ec88f537619d6eaf3f95f593377a9fd0d03a893197920aa7
SSDEEP

3072:jEGh0oAl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGKlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f6-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023208-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023309-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001695d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023374-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001695d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002338c-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023491-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023496-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023491-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023499-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002349c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A01D8936-F09F-4a7d-A99A-2233F481F378}\stubpath = "C:\\Windows\\{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe"	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC6911F-B4F0-4255-9BC2-B17F972C790B}	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC6911F-B4F0-4255-9BC2-B17F972C790B}\stubpath = "C:\\Windows\\{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe"	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{573D99DA-0952-4542-9F6F-27F8A3086C8B}	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}\stubpath = "C:\\Windows\\{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe"	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}\stubpath = "C:\\Windows\\{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}.exe"	{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}\stubpath = "C:\\Windows\\{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe"	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7636E774-5D91-4583-A38A-925EDD20C24E}\stubpath = "C:\\Windows\\{7636E774-5D91-4583-A38A-925EDD20C24E}.exe"	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA06927-C183-496f-8898-767BFF6D76EA}\stubpath = "C:\\Windows\\{9CA06927-C183-496f-8898-767BFF6D76EA}.exe"	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A01D8936-F09F-4a7d-A99A-2233F481F378}	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}\stubpath = "C:\\Windows\\{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe"	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D1FCA84-5C88-4521-9333-783AFB22308D}\stubpath = "C:\\Windows\\{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe"	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}\stubpath = "C:\\Windows\\{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe"	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7636E774-5D91-4583-A38A-925EDD20C24E}	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{573D99DA-0952-4542-9F6F-27F8A3086C8B}\stubpath = "C:\\Windows\\{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe"	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA06927-C183-496f-8898-767BFF6D76EA}	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D1FCA84-5C88-4521-9333-783AFB22308D}	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}\stubpath = "C:\\Windows\\{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe"	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}	{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe
1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe
1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe
4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe
3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe
3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe
2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe
2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe
3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe
3780	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe
2384	{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe
3776	{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}.exe	{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe
File created	C:\Windows\{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe
File created	C:\Windows\{9CA06927-C183-496f-8898-767BFF6D76EA}.exe	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe
File created	C:\Windows\{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe
File created	C:\Windows\{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe
File created	C:\Windows\{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe
File created	C:\Windows\{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe
File created	C:\Windows\{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe
File created	C:\Windows\{7636E774-5D91-4583-A38A-925EDD20C24E}.exe	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe
File created	C:\Windows\{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe
File created	C:\Windows\{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe
File created	C:\Windows\{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3780	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe
Token: SeIncBasePriorityPrivilege	1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe
Token: SeIncBasePriorityPrivilege	1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe
Token: SeIncBasePriorityPrivilege	4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe
Token: SeIncBasePriorityPrivilege	3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe
Token: SeIncBasePriorityPrivilege	3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe
Token: SeIncBasePriorityPrivilege	2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe
Token: SeIncBasePriorityPrivilege	2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe
Token: SeIncBasePriorityPrivilege	3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe
Token: SeIncBasePriorityPrivilege	3780	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe
Token: SeIncBasePriorityPrivilege	2384	{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 4364	3780	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe	99
PID 3780 wrote to memory of 4364	3780	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe	99
PID 3780 wrote to memory of 4364	3780	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe	99
PID 3780 wrote to memory of 2368	3780	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe	100
PID 3780 wrote to memory of 2368	3780	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe	100
PID 3780 wrote to memory of 2368	3780	2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe	100
PID 4364 wrote to memory of 1044	4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe	102
PID 4364 wrote to memory of 1044	4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe	102
PID 4364 wrote to memory of 1044	4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe	102
PID 4364 wrote to memory of 4400	4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe	103
PID 4364 wrote to memory of 4400	4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe	103
PID 4364 wrote to memory of 4400	4364	{7636E774-5D91-4583-A38A-925EDD20C24E}.exe	103
PID 1044 wrote to memory of 1640	1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe	106
PID 1044 wrote to memory of 1640	1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe	106
PID 1044 wrote to memory of 1640	1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe	106
PID 1044 wrote to memory of 2580	1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe	107
PID 1044 wrote to memory of 2580	1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe	107
PID 1044 wrote to memory of 2580	1044	{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe	107
PID 1640 wrote to memory of 4848	1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe	108
PID 1640 wrote to memory of 4848	1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe	108
PID 1640 wrote to memory of 4848	1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe	108
PID 1640 wrote to memory of 3524	1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe	109
PID 1640 wrote to memory of 3524	1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe	109
PID 1640 wrote to memory of 3524	1640	{9CA06927-C183-496f-8898-767BFF6D76EA}.exe	109
PID 4848 wrote to memory of 3676	4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe	110
PID 4848 wrote to memory of 3676	4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe	110
PID 4848 wrote to memory of 3676	4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe	110
PID 4848 wrote to memory of 4972	4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe	111
PID 4848 wrote to memory of 4972	4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe	111
PID 4848 wrote to memory of 4972	4848	{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe	111
PID 3676 wrote to memory of 3956	3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe	113
PID 3676 wrote to memory of 3956	3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe	113
PID 3676 wrote to memory of 3956	3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe	113
PID 3676 wrote to memory of 4788	3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe	114
PID 3676 wrote to memory of 4788	3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe	114
PID 3676 wrote to memory of 4788	3676	{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe	114
PID 3956 wrote to memory of 2468	3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe	115
PID 3956 wrote to memory of 2468	3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe	115
PID 3956 wrote to memory of 2468	3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe	115
PID 3956 wrote to memory of 3632	3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe	116
PID 3956 wrote to memory of 3632	3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe	116
PID 3956 wrote to memory of 3632	3956	{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe	116
PID 2468 wrote to memory of 2784	2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe	119
PID 2468 wrote to memory of 2784	2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe	119
PID 2468 wrote to memory of 2784	2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe	119
PID 2468 wrote to memory of 1664	2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe	120
PID 2468 wrote to memory of 1664	2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe	120
PID 2468 wrote to memory of 1664	2468	{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe	120
PID 2784 wrote to memory of 3900	2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe	123
PID 2784 wrote to memory of 3900	2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe	123
PID 2784 wrote to memory of 3900	2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe	123
PID 2784 wrote to memory of 3060	2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe	124
PID 2784 wrote to memory of 3060	2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe	124
PID 2784 wrote to memory of 3060	2784	{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe	124
PID 3900 wrote to memory of 3780	3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe	125
PID 3900 wrote to memory of 3780	3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe	125
PID 3900 wrote to memory of 3780	3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe	125
PID 3900 wrote to memory of 640	3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe	126
PID 3900 wrote to memory of 640	3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe	126
PID 3900 wrote to memory of 640	3900	{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe	126
PID 3780 wrote to memory of 2384	3780	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe	127
PID 3780 wrote to memory of 2384	3780	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe	127
PID 3780 wrote to memory of 2384	3780	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe	127
PID 3780 wrote to memory of 1220	3780	{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_7e883eb35385cfd4268b0027200e3217_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\{7636E774-5D91-4583-A38A-925EDD20C24E}.exe
  C:\Windows\{7636E774-5D91-4583-A38A-925EDD20C24E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe
    C:\Windows\{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\{9CA06927-C183-496f-8898-767BFF6D76EA}.exe
      C:\Windows\{9CA06927-C183-496f-8898-767BFF6D76EA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe
        
        C:\Windows\{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe
        
        C:\Windows\{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe
        
        C:\Windows\{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe
        
        C:\Windows\{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe
        
        C:\Windows\{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe
        
        C:\Windows\{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe
        
        C:\Windows\{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe
        
        C:\Windows\{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}.exe
        
        C:\Windows\{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}.exe
        13⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AC69~1.EXE > nul
        13⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF32~1.EXE > nul
        12⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF7FF~1.EXE > nul
        11⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DEF7~1.EXE > nul
        10⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CEB3~1.EXE > nul
        9⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D1FC~1.EXE > nul
        8⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{936A9~1.EXE > nul
        7⤵
        
        PID:4788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A01D8~1.EXE > nul
        6⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA06~1.EXE > nul
        5⤵
        
        PID:3524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{573D9~1.EXE > nul
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7636E~1.EXE > nul
    3⤵
    PID:4400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3DEF7D48-53A7-4bb9-ABB5-3A47DA017710}.exe

Filesize
197KB

MD5
1dc11f36700f78b7660dbeb69e32bcb9

SHA1
a5133cc821c131ce5a76b7098fbc7a2feb1a2ba1

SHA256
92f071d3a39c0d926e7f2c32fa65d9cecb3d605184c798c71dbcb8fa1ba94d49

SHA512
6a9f94b73c0ea5e3879a34d5d3c24b7aaddbbbe34526c1c21f519fc6d057ec9a66639ca1b78f257cbf3f4b892550c94d804ae329bdd67b8d647b88d895321de9

Download Submit
C:\Windows\{4D1FCA84-5C88-4521-9333-783AFB22308D}.exe

Filesize
197KB

MD5
c1008fc12fbf025aa8c27414d1907b89

SHA1
172bf1104b0856e3c79d16b047ab683b57d38faa

SHA256
3451b97973674550f177ed01328ff461c07cb7a2b5120984dd6678ecc3902dbe

SHA512
56ba38eec7ec94c3ca5e5f823d428aa1f2edf3a89e6c1af8827c46527c50018f6d37660863574e734a450d9eb572e6a876cd0fe86f3748fad3af17d48c402258

Download Submit
C:\Windows\{573D99DA-0952-4542-9F6F-27F8A3086C8B}.exe

Filesize
197KB

MD5
fe95d8174197db3211ff4173accdada7

SHA1
8da66421e5b1480605819a0a231a90988c838f61

SHA256
9e30423f508daf9d640b76ab2d705541cf8f892d88f737ff33b3e78329a5f035

SHA512
7ba604e942d963ab9ba5d9c0a73e6556243024cd6b83b4bee1c166da3476278f6f27fc832d1513196ec0e2fecaec0d4d679aabfd27a18365230df62dcf39c8f0

Download Submit
C:\Windows\{5AC6911F-B4F0-4255-9BC2-B17F972C790B}.exe

Filesize
197KB

MD5
059073719ca82bf3c43f21acf9611341

SHA1
b8ad4ef40eb426832b9fc6fb652b3a23fa06e780

SHA256
448cb649ff364d6a522682af1bb4d8ec11605cd96374d695cd765ae3eb16bc25

SHA512
d372294532213dc87cc22a8ff2eaba6a33cd9f2aa7f66e1fefa0d09904005839cf27e2e6b59e789597174389fcc5b3e691bc5cde275f4cae8ee0a9fe46854c1b

Download Submit
C:\Windows\{6CEB3197-5152-4e73-8EB0-AEF61A3C58C6}.exe

Filesize
197KB

MD5
402f7577e95b91e88037b6dcf2e8ab85

SHA1
99afbcc73b3cf56261805f90ad0130caaf23e896

SHA256
13d1a734432a0f9e476766a2fd3e1355af343ff271f1141e025e15947f17d85f

SHA512
568aad28168fa21af147bf97bc36772bb7e199a0a6d3c0200cb309fb0f490b512c44b2b7d270ca21e7af870856d15f6d17217d5e477ddf505bf73b148c60cee9

Download Submit
C:\Windows\{7636E774-5D91-4583-A38A-925EDD20C24E}.exe

Filesize
197KB

MD5
7e7f3e50f3e033b4274ffcd8a63f386e

SHA1
b7821421e6855764de229aa5a787ed470e2de959

SHA256
edf9b4929669a7476cce2ba20228a70d51aed8bc639eea3c593133c04de4f2ef

SHA512
2723611764d10d41e1abf85d9b3ab3ae897d353c293d9d917656a93cca26d72fb9822ebe99a716e097578b188579c798701124101227cadbfac3eadc78958002

Download Submit
C:\Windows\{936A98A4-CAB6-4c70-AC03-CF1794DDBDCA}.exe

Filesize
197KB

MD5
c4b12cfd9e089c7b5512862d3163d57a

SHA1
31e5109f69786ebbd3aff9390fc1f0986cd059bf

SHA256
5b93527f2210bcc31ca6a2ec65b16a1f88c1abf60badf91b5ce9417e1d67431f

SHA512
6108d78ac6258908bc4090684972225e4099f572973350d64f0e2a01eb7d3449e4047c0ae105d058afd5917b9746702874a749ed3f3b6cb7ed19fb98b9e7aca1

Download Submit
C:\Windows\{95EBFA00-D058-43d7-A2A1-1BB53C5621A2}.exe

Filesize
197KB

MD5
2ca85a4cd7f7a6364c5198ea5b800626

SHA1
cbef2c5d1d77c8593a9448a056fbf26a09255741

SHA256
217d8360f7d1069eaeaa86cad281952c9d57f51b0fe92e3e83032238d09c7dc5

SHA512
6874a3c122a9e2e4983a83b9ed4cea839aca9abe06ebfd2d75e630563925a681a6b18cd4c6735fa0410179176b98370680d9cf79b69b0d9aaa980b9c8bcc6f0f

Download Submit
C:\Windows\{9CA06927-C183-496f-8898-767BFF6D76EA}.exe

Filesize
197KB

MD5
922863ccf08310ec30d08f76d44f714b

SHA1
e7abc775f1bf2c5178fe710a008c8107f853ec5c

SHA256
9054c88af08f458b67ce4a39adcbe3e7918f2ac2f5c3dde9cf6381c030431bbe

SHA512
73588bf63ad4ea2629d5bbb7278efa2b79f7fdee15e32a4ec2f24e2a70c247063e25f08f6da187735cb926d69533f5aaeea1125303b82adf2a5e7f19cb456448

Download Submit
C:\Windows\{A01D8936-F09F-4a7d-A99A-2233F481F378}.exe

Filesize
197KB

MD5
fc90f350c220efa8a91e5dd35db48c14

SHA1
465b98347f30e34815d9554e6f7aca6ff5a868ac

SHA256
1f4e2f0d60c03d389f9a7db286165738d1198e0b7590c4a2299116b1c5f12277

SHA512
c342230396825dbbf43c8eacad97c344a7189b594209d1eb1d2f48b88b791a733bacf0684457c1b1d2e00e70648876f4a49dda76b42c3e04a39344630f1d5020

Download Submit
C:\Windows\{CF7FF4F5-DAC8-4c21-B8C5-B1FE6FD32A93}.exe

Filesize
197KB

MD5
4ce08f838cc55c0f4d5d8e799e9596ed

SHA1
99c6891000bf4ec19a2d9277ceaa58651edb3785

SHA256
c59dd51c01f00937d6a64ee326f7e4fa6094845b4348a25bc22a4e8102f9c535

SHA512
9421971e4ef02dbbe91931e0973068b04e5f3eb17e23a39bded08e54cb925aec721cb90b91be5c6b85f2d7dab5c52985034ad7d9f31d38a55be1a1ef18829600

Download Submit
C:\Windows\{FDF32034-7DAE-4fec-8E81-A6A8F76FD7A3}.exe

Filesize
197KB

MD5
5962ba61b6e61310942637362f7c18ee

SHA1
6c63e547a7dd53394c0d1c617055862dfc96396f

SHA256
85d3c7ab88912f3b234dc09cf009ab9b9d5467d84e133897cde005a477410edf

SHA512
4c7b9fead70c7bfa321ac6bd9776b977051c99bff23eeedfc56321a65fc4eead1295ac458eecb82f45f7ca987dece0d0f82590b28b7d9b1d7b2d95005ab4db30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads