71a59cf51dd9ea88f77acd47c6a3b9efb119a8aaf3e83d5ea105cc2dbe6b5870

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe
Size

344KB
MD5

416cd2df03d64c68249c5d6ab1f320fb
SHA1

798bbd4005a7f6b4806fec139c2f5717d48a613b
SHA256

71a59cf51dd9ea88f77acd47c6a3b9efb119a8aaf3e83d5ea105cc2dbe6b5870
SHA512

8097118a410e640fe3b5f4d47e709877b8d8020a6cac7c1fbc7a34c67bbbb6c9b29c429146ff51a363b00df4e09a767e40c2e54c47c837a100ed8936a27e1e72
SSDEEP

3072:mEGh0o8lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGWlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ed-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f3-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023211-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e693-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023371-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023398-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023486-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023398-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023496-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023496-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002349f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022e44-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e5a2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F67ADBA-AD28-497d-913C-C9AFA705C253}	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F67ADBA-AD28-497d-913C-C9AFA705C253}\stubpath = "C:\\Windows\\{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe"	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C09554D6-A522-45c9-9D0D-0E45EE635D34}\stubpath = "C:\\Windows\\{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe"	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{236C4476-1F04-4610-8575-EB7115E53799}	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}	{236C4476-1F04-4610-8575-EB7115E53799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}\stubpath = "C:\\Windows\\{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}.exe"	{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}\stubpath = "C:\\Windows\\{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe"	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69560B17-DDB8-475b-BE73-762ADC2C6F4D}	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C09554D6-A522-45c9-9D0D-0E45EE635D34}	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{236C4476-1F04-4610-8575-EB7115E53799}\stubpath = "C:\\Windows\\{236C4476-1F04-4610-8575-EB7115E53799}.exe"	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}\stubpath = "C:\\Windows\\{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe"	{236C4476-1F04-4610-8575-EB7115E53799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B44E0A21-1646-4082-8C6F-538E7CC1CE00}	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B44E0A21-1646-4082-8C6F-538E7CC1CE00}\stubpath = "C:\\Windows\\{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe"	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}\stubpath = "C:\\Windows\\{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe"	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D85A07E8-736A-41ad-A1F2-92D53006AC98}	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D85A07E8-736A-41ad-A1F2-92D53006AC98}\stubpath = "C:\\Windows\\{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe"	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AC876BC-024E-4404-831B-A32A9DA45C0A}	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AC876BC-024E-4404-831B-A32A9DA45C0A}\stubpath = "C:\\Windows\\{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe"	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}\stubpath = "C:\\Windows\\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe"	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}	{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69560B17-DDB8-475b-BE73-762ADC2C6F4D}\stubpath = "C:\\Windows\\{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe"	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe

Executes dropped EXE 12 IoCs

pid	Process
3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe
2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe
4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe
3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe
2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe
2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe
2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe
1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe
2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe
4396	{236C4476-1F04-4610-8575-EB7115E53799}.exe
1080	{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe
2640	{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe
File created	C:\Windows\{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe
File created	C:\Windows\{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe
File created	C:\Windows\{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe	{236C4476-1F04-4610-8575-EB7115E53799}.exe
File created	C:\Windows\{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}.exe	{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe
File created	C:\Windows\{236C4476-1F04-4610-8575-EB7115E53799}.exe	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe
File created	C:\Windows\{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe
File created	C:\Windows\{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe
File created	C:\Windows\{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe
File created	C:\Windows\{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe
File created	C:\Windows\{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe
File created	C:\Windows\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1524	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe
Token: SeIncBasePriorityPrivilege	2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe
Token: SeIncBasePriorityPrivilege	4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe
Token: SeIncBasePriorityPrivilege	3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe
Token: SeIncBasePriorityPrivilege	2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe
Token: SeIncBasePriorityPrivilege	2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe
Token: SeIncBasePriorityPrivilege	2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe
Token: SeIncBasePriorityPrivilege	1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe
Token: SeIncBasePriorityPrivilege	2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe
Token: SeIncBasePriorityPrivilege	4396	{236C4476-1F04-4610-8575-EB7115E53799}.exe
Token: SeIncBasePriorityPrivilege	1080	{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3588	1524	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe	100
PID 1524 wrote to memory of 3588	1524	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe	100
PID 1524 wrote to memory of 3588	1524	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe	100
PID 1524 wrote to memory of 3252	1524	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe	101
PID 1524 wrote to memory of 3252	1524	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe	101
PID 1524 wrote to memory of 3252	1524	2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe	101
PID 3588 wrote to memory of 2676	3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe	102
PID 3588 wrote to memory of 2676	3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe	102
PID 3588 wrote to memory of 2676	3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe	102
PID 3588 wrote to memory of 1064	3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe	103
PID 3588 wrote to memory of 1064	3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe	103
PID 3588 wrote to memory of 1064	3588	{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe	103
PID 2676 wrote to memory of 4644	2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe	107
PID 2676 wrote to memory of 4644	2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe	107
PID 2676 wrote to memory of 4644	2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe	107
PID 2676 wrote to memory of 3352	2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe	108
PID 2676 wrote to memory of 3352	2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe	108
PID 2676 wrote to memory of 3352	2676	{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe	108
PID 4644 wrote to memory of 3320	4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe	109
PID 4644 wrote to memory of 3320	4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe	109
PID 4644 wrote to memory of 3320	4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe	109
PID 4644 wrote to memory of 5044	4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe	110
PID 4644 wrote to memory of 5044	4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe	110
PID 4644 wrote to memory of 5044	4644	{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe	110
PID 3320 wrote to memory of 2784	3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe	111
PID 3320 wrote to memory of 2784	3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe	111
PID 3320 wrote to memory of 2784	3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe	111
PID 3320 wrote to memory of 1924	3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe	112
PID 3320 wrote to memory of 1924	3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe	112
PID 3320 wrote to memory of 1924	3320	{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe	112
PID 2784 wrote to memory of 2136	2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe	114
PID 2784 wrote to memory of 2136	2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe	114
PID 2784 wrote to memory of 2136	2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe	114
PID 2784 wrote to memory of 4368	2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe	115
PID 2784 wrote to memory of 4368	2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe	115
PID 2784 wrote to memory of 4368	2784	{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe	115
PID 2136 wrote to memory of 2584	2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe	116
PID 2136 wrote to memory of 2584	2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe	116
PID 2136 wrote to memory of 2584	2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe	116
PID 2136 wrote to memory of 1064	2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe	117
PID 2136 wrote to memory of 1064	2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe	117
PID 2136 wrote to memory of 1064	2136	{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe	117
PID 2584 wrote to memory of 1692	2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe	118
PID 2584 wrote to memory of 1692	2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe	118
PID 2584 wrote to memory of 1692	2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe	118
PID 2584 wrote to memory of 2292	2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe	119
PID 2584 wrote to memory of 2292	2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe	119
PID 2584 wrote to memory of 2292	2584	{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe	119
PID 1692 wrote to memory of 2036	1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe	124
PID 1692 wrote to memory of 2036	1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe	124
PID 1692 wrote to memory of 2036	1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe	124
PID 1692 wrote to memory of 1636	1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe	125
PID 1692 wrote to memory of 1636	1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe	125
PID 1692 wrote to memory of 1636	1692	{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe	125
PID 2036 wrote to memory of 4396	2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe	126
PID 2036 wrote to memory of 4396	2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe	126
PID 2036 wrote to memory of 4396	2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe	126
PID 2036 wrote to memory of 1644	2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe	127
PID 2036 wrote to memory of 1644	2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe	127
PID 2036 wrote to memory of 1644	2036	{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe	127
PID 4396 wrote to memory of 1080	4396	{236C4476-1F04-4610-8575-EB7115E53799}.exe	133
PID 4396 wrote to memory of 1080	4396	{236C4476-1F04-4610-8575-EB7115E53799}.exe	133
PID 4396 wrote to memory of 1080	4396	{236C4476-1F04-4610-8575-EB7115E53799}.exe	133
PID 4396 wrote to memory of 3900	4396	{236C4476-1F04-4610-8575-EB7115E53799}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_416cd2df03d64c68249c5d6ab1f320fb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe
  C:\Windows\{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe
    C:\Windows\{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe
      C:\Windows\{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe
        
        C:\Windows\{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Windows\{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe
        
        C:\Windows\{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe
        
        C:\Windows\{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe
        
        C:\Windows\{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe
        
        C:\Windows\{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe
        
        C:\Windows\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{236C4476-1F04-4610-8575-EB7115E53799}.exe
        
        C:\Windows\{236C4476-1F04-4610-8575-EB7115E53799}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe
        
        C:\Windows\{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}.exe
        
        C:\Windows\{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0A78~1.EXE > nul
        13⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{236C4~1.EXE > nul
        12⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2F3A~1.EXE > nul
        11⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0955~1.EXE > nul
        10⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D85A0~1.EXE > nul
        9⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F67A~1.EXE > nul
        8⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69560~1.EXE > nul
        7⤵
        
        PID:4368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90E0A~1.EXE > nul
        6⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F924F~1.EXE > nul
        5⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B44E0~1.EXE > nul
      4⤵
      PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8AC87~1.EXE > nul
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{236C4476-1F04-4610-8575-EB7115E53799}.exe

Filesize
344KB

MD5
f64b9044f7ba2d7320e3d89c541dbb69

SHA1
d636d5f059bc51b5a1f3b20b8abd7be8f5c759c1

SHA256
2a55393e9b9727aed9d1c16a942418a6a20690964620d19570f96b8b903c0f46

SHA512
a571e692b0a10749ff06875447ee1b1850e2250f9bae2827206a8e42393200ac363803e1e7b94523f003a965ee0b7210a93cf36a3683029bc8aab9b667ff0914

Download Submit
C:\Windows\{5F67ADBA-AD28-497d-913C-C9AFA705C253}.exe

Filesize
344KB

MD5
22db902cc94ad88bfb4ea224c7e82b52

SHA1
11df02c95137e827a0c2064db5d662bb3deff2cf

SHA256
b055e175c0c0bfd7954b2d72b6f5a3184f0e00daa4ac8d380d458d2b268e0c44

SHA512
39209dac45082e57a8e4dbb63c4e112282be67734f8d526907652994a4ba797f95d4a8596760b66c6626232b8b55d8f1104d1307e4f9f6519bc6bf1f92f0f32b

Download Submit
C:\Windows\{69560B17-DDB8-475b-BE73-762ADC2C6F4D}.exe

Filesize
344KB

MD5
53d2c53614d7f41a2ea6ceb659eafd66

SHA1
3ef40f8549367a688436ab38424380a20d8d245a

SHA256
bf87bf8f5ccbda6f0094774c77df6452aa11191f6819cc127685f256f5f41871

SHA512
0c6dfce7835ea4eaa3b385df57e9ae8d5931ba3dedd3da0e79c3df4f50d7c93b8c60cf6764f4f021ba6569ac628d193d2020598f76dadb38adf598691e9c9f27

Download Submit
C:\Windows\{8AC876BC-024E-4404-831B-A32A9DA45C0A}.exe

Filesize
344KB

MD5
c60f0608798bcf423ea64af80b7d9840

SHA1
2e4a210251cbab8853c29ed6844b595e9856e146

SHA256
d526da13b345bfd13944369ab4dcdc141534d2093ab9af2e9cbbd8265628c927

SHA512
614e687ed2697d842c8a346a52d65bf5f864ec13ba6a116236fb460c268176b2a49870970469128397e9ddf56d713299e7cd38ef47e669ddcf928540304f2aa8

Download Submit
C:\Windows\{90E0A163-9ABB-4af6-AC28-C2B85755D8AC}.exe

Filesize
344KB

MD5
f6ae8891ecd694df4b5097364d6018d6

SHA1
e3bb1c69d2511d9db0dca94a3993cbd1e4783119

SHA256
9ecdd8aabb265167d0bc0a09faf8c61487641d3dd9bfd7a3961ddfd29ef6de8b

SHA512
2b704e2ac5c9d44a06ab9173398a12e3cd2ac5295926f0a75894f12794556872dc6fa6ac3e96fe5b32a29698cfd3b043653c5abd76e0ddb367f5c47a057cde5a

Download Submit
C:\Windows\{A0A78167-47B0-480b-95BC-B2EC6F0BB2A9}.exe

Filesize
344KB

MD5
a0ec4adf7edd6f58e1a748335c770f24

SHA1
8f49035566f1010403c0d08ce43cb8f97ba07713

SHA256
5231da3a0469c3918a88c66c2e9bf68e638292e82cef99834463c685480ecd5e

SHA512
28bacc8fd9d876adbd1e4dec019603e0a84de52ca6e81825cd54eb5ebe4f4c352bd1fb252f6721714e2754846666d02092e5c0808cf76b0fc22809be6e4ecee9

Download Submit
C:\Windows\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe

Filesize
284KB

MD5
006be94cd596a155b17ec0322b8013fb

SHA1
073e43bcf8bfc6a20a278ee75c3391875bbb7717

SHA256
82fe7bcc66d31b699ac7bc1179fd1bab125d281fea06322f4618e41dc66f811f

SHA512
52545cef7fd4e6f1cab4ebdb2ab8aa14d7fb29986ccc30316849e06be864fa1e9fa94d98f4f740c8d687849b00ddf08c80140b7b9811fdbda3a81b716cc3d686

Download Submit
C:\Windows\{B2F3ADA1-5903-4f67-9BE2-B5BEB952E4AC}.exe

Filesize
344KB

MD5
5f477e59d22e9f02f741cfdd4dab8c35

SHA1
8ca96371448ab087c2a70fa02a6459b2e9739029

SHA256
2cd482a5587f5a542bdacfe2156bb92a3878734cd8bc79511813dfe8065eadd1

SHA512
9ce150f876744e15858440dccbb5134885b2f5c0bd845db58bc7f0b93154e9a575d42087070b88f3fc7b0c533f0335ef753f7bb216b9ae139143fdf22d03b734

Download Submit
C:\Windows\{B44E0A21-1646-4082-8C6F-538E7CC1CE00}.exe

Filesize
344KB

MD5
9c5134a3932fa2353fd76334f38bb587

SHA1
b9c3a475959587d4e7c2be0463f0aef9b0a69e1d

SHA256
801f908153c8dabc90292d35f9ce2b725bd49f2b8eb307cb38e6bd5df8624860

SHA512
ec3974f998e070f01bf3aac2977906a553f6185a1d924e5d0a6871c5f9c3bb1b9f5a952ef33a00b362336362f09f7a1d9cdb9a2b9e473b1a3117b2bf84426ca4

Download Submit
C:\Windows\{C09554D6-A522-45c9-9D0D-0E45EE635D34}.exe

Filesize
344KB

MD5
dcba686a0867e50ee025aca374c53856

SHA1
1b002f77a418bec550d999fd34da91c13a47b89b

SHA256
f4ad7e0b83a1af14f866773d2d53d72ced97db7949cfd5bac714b0b592f403f9

SHA512
de4f3f1694891c7944f358738afdff4b86aa1d985bc513cbe4e910c153c778afc0dab07ab808a505ad5498d7eeb21de91d4f133292c2ab4fd7d4af0d4601e166

Download Submit
C:\Windows\{D85A07E8-736A-41ad-A1F2-92D53006AC98}.exe

Filesize
344KB

MD5
3ee371c6f098f75c40358fc240698f63

SHA1
28c27a72cec0aef063503d7aff24b6982fccd1d8

SHA256
cbc502334cfe59a811ccefdfb5ca1a70520827f2eed5ad13fbd31dd5a24544c3

SHA512
ffcc2703623b6d3cae53637af1952e343112674401867b9a3ad7da86a39ee3b71206244237ff2f70c0e1481b3122d0fd194e1c3e5e4cfb5f8e88b2cdb2c7b67e

Download Submit
C:\Windows\{DB50050A-BA2A-4140-9AB7-68BF6143F8D9}.exe

Filesize
344KB

MD5
eed08aaf35c832a555c770511f702b51

SHA1
bca6ab3493aaf62cd2f7bb3701058fec68a8a78d

SHA256
6c7f1baba6ac92d2ca615598e1268e25fbb79660e19122425e3b4e4795ab2eb6

SHA512
c1e6448cb8a57e5eab709aa4d3cf6db58dab8a1eb78ea6e2939d1ee20699a906d723bc2569229bd9edec339a8cd94023a3d11f798885dd61798babab0cc2c57a

Download Submit
C:\Windows\{F924FB55-9ED5-4024-8DA9-B0BA99888E9E}.exe

Filesize
344KB

MD5
2a272cbbf36bd54349a7e51cd140ad48

SHA1
ce009aee12533bb2bd429e761bb7e06d8ee18e3f

SHA256
52404ee1155da97618f097e7164aa2393b2848f1f0c0f68fa554750e8a210dd3

SHA512
c2cab85b7754c7614c9ae54e2023c199cbb04d693894b4c9ec318cacba0b514c7ea638ff4318b856e11fd361965a2983ef488e547232093575b26e85f5eeefe3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads