46b4d5fc9231f02c5bdc4f4604b9b6eab9dd8e839fc3c7125daad0dd15f2b3e7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Size

197KB
MD5

5952356f685433b6aa42d214df5668a0
SHA1

66856e420956e11e7ac440f841d1ac0c9ad164c9
SHA256

46b4d5fc9231f02c5bdc4f4604b9b6eab9dd8e839fc3c7125daad0dd15f2b3e7
SHA512

af092ac42a06bf849b9f7aebf3082605dc99107e0f70967554c1dd7febfae48597b725be75d71121c69673bf1805ca00c7dfe03365bbcd3f73b5a4de29b42001
SSDEEP

3072:jEGh0o8l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGOlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231e6-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231ed-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023209-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002330b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e693-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023371-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e693-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e432-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e5a4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002338f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023490-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000230e6-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}\stubpath = "C:\\Windows\\{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe"	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}\stubpath = "C:\\Windows\\{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe"	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76146925-EFD4-4b03-9008-E774CB3CAFA5}\stubpath = "C:\\Windows\\{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe"	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57F7F2F3-144F-4b16-8FFF-29472D8EF378}\stubpath = "C:\\Windows\\{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe"	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24C9204E-ADC8-4631-B107-A993699F0EAF}\stubpath = "C:\\Windows\\{24C9204E-ADC8-4631-B107-A993699F0EAF}.exe"	{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D2545D-196A-4d4b-ACA3-0678A2499879}	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}\stubpath = "C:\\Windows\\{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe"	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}\stubpath = "C:\\Windows\\{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe"	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D2545D-196A-4d4b-ACA3-0678A2499879}\stubpath = "C:\\Windows\\{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe"	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CB053B-B981-4c8e-9A68-9EA444F0D279}	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19CB053B-B981-4c8e-9A68-9EA444F0D279}\stubpath = "C:\\Windows\\{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe"	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A69EBD-7D76-4e60-8858-EDD29A88053F}	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76146925-EFD4-4b03-9008-E774CB3CAFA5}	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}\stubpath = "C:\\Windows\\{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe"	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}\stubpath = "C:\\Windows\\{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe"	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57F7F2F3-144F-4b16-8FFF-29472D8EF378}	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A69EBD-7D76-4e60-8858-EDD29A88053F}\stubpath = "C:\\Windows\\{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe"	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24C9204E-ADC8-4631-B107-A993699F0EAF}	{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe

Executes dropped EXE 12 IoCs

pid	Process
4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe
4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe
4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe
2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe
1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe
3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe
4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe
1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe
3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe
3904	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe
928	{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe
1028	{24C9204E-ADC8-4631-B107-A993699F0EAF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe
File created	C:\Windows\{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe
File created	C:\Windows\{24C9204E-ADC8-4631-B107-A993699F0EAF}.exe	{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe
File created	C:\Windows\{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
File created	C:\Windows\{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe
File created	C:\Windows\{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe
File created	C:\Windows\{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe
File created	C:\Windows\{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe
File created	C:\Windows\{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe
File created	C:\Windows\{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe
File created	C:\Windows\{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe
File created	C:\Windows\{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5080	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe
Token: SeIncBasePriorityPrivilege	4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe
Token: SeIncBasePriorityPrivilege	4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe
Token: SeIncBasePriorityPrivilege	2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe
Token: SeIncBasePriorityPrivilege	1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe
Token: SeIncBasePriorityPrivilege	3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe
Token: SeIncBasePriorityPrivilege	4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe
Token: SeIncBasePriorityPrivilege	1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe
Token: SeIncBasePriorityPrivilege	3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe
Token: SeIncBasePriorityPrivilege	3904	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe
Token: SeIncBasePriorityPrivilege	928	{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4800	5080	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	102
PID 5080 wrote to memory of 4800	5080	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	102
PID 5080 wrote to memory of 4800	5080	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	102
PID 5080 wrote to memory of 812	5080	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	103
PID 5080 wrote to memory of 812	5080	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	103
PID 5080 wrote to memory of 812	5080	2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe	103
PID 4800 wrote to memory of 4064	4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe	104
PID 4800 wrote to memory of 4064	4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe	104
PID 4800 wrote to memory of 4064	4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe	104
PID 4800 wrote to memory of 1576	4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe	105
PID 4800 wrote to memory of 1576	4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe	105
PID 4800 wrote to memory of 1576	4800	{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe	105
PID 4064 wrote to memory of 4872	4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe	108
PID 4064 wrote to memory of 4872	4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe	108
PID 4064 wrote to memory of 4872	4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe	108
PID 4064 wrote to memory of 1680	4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe	109
PID 4064 wrote to memory of 1680	4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe	109
PID 4064 wrote to memory of 1680	4064	{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe	109
PID 4872 wrote to memory of 2572	4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe	111
PID 4872 wrote to memory of 2572	4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe	111
PID 4872 wrote to memory of 2572	4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe	111
PID 4872 wrote to memory of 3516	4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe	112
PID 4872 wrote to memory of 3516	4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe	112
PID 4872 wrote to memory of 3516	4872	{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe	112
PID 2572 wrote to memory of 1340	2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe	113
PID 2572 wrote to memory of 1340	2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe	113
PID 2572 wrote to memory of 1340	2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe	113
PID 2572 wrote to memory of 760	2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe	114
PID 2572 wrote to memory of 760	2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe	114
PID 2572 wrote to memory of 760	2572	{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe	114
PID 1340 wrote to memory of 3848	1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe	116
PID 1340 wrote to memory of 3848	1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe	116
PID 1340 wrote to memory of 3848	1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe	116
PID 1340 wrote to memory of 4024	1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe	117
PID 1340 wrote to memory of 4024	1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe	117
PID 1340 wrote to memory of 4024	1340	{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe	117
PID 3848 wrote to memory of 4648	3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe	118
PID 3848 wrote to memory of 4648	3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe	118
PID 3848 wrote to memory of 4648	3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe	118
PID 3848 wrote to memory of 1948	3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe	119
PID 3848 wrote to memory of 1948	3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe	119
PID 3848 wrote to memory of 1948	3848	{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe	119
PID 4648 wrote to memory of 1932	4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe	120
PID 4648 wrote to memory of 1932	4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe	120
PID 4648 wrote to memory of 1932	4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe	120
PID 4648 wrote to memory of 4280	4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe	121
PID 4648 wrote to memory of 4280	4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe	121
PID 4648 wrote to memory of 4280	4648	{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe	121
PID 1932 wrote to memory of 3028	1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe	129
PID 1932 wrote to memory of 3028	1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe	129
PID 1932 wrote to memory of 3028	1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe	129
PID 1932 wrote to memory of 3680	1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe	130
PID 1932 wrote to memory of 3680	1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe	130
PID 1932 wrote to memory of 3680	1932	{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe	130
PID 3028 wrote to memory of 3904	3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe	131
PID 3028 wrote to memory of 3904	3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe	131
PID 3028 wrote to memory of 3904	3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe	131
PID 3028 wrote to memory of 4428	3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe	132
PID 3028 wrote to memory of 4428	3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe	132
PID 3028 wrote to memory of 4428	3028	{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe	132
PID 3904 wrote to memory of 928	3904	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe	133
PID 3904 wrote to memory of 928	3904	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe	133
PID 3904 wrote to memory of 928	3904	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe	133
PID 3904 wrote to memory of 4296	3904	{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_5952356f685433b6aa42d214df5668a0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe
  C:\Windows\{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe
    C:\Windows\{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe
      C:\Windows\{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe
        
        C:\Windows\{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe
        
        C:\Windows\{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe
        
        C:\Windows\{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe
        
        C:\Windows\{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe
        
        C:\Windows\{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe
        
        C:\Windows\{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe
        
        C:\Windows\{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe
        
        C:\Windows\{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\{24C9204E-ADC8-4631-B107-A993699F0EAF}.exe
        
        C:\Windows\{24C9204E-ADC8-4631-B107-A993699F0EAF}.exe
        13⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57F7F~1.EXE > nul
        13⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48EF2~1.EXE > nul
        12⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0C5~1.EXE > nul
        11⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64D5A~1.EXE > nul
        10⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32425~1.EXE > nul
        9⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19CB0~1.EXE > nul
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63D25~1.EXE > nul
        7⤵
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76146~1.EXE > nul
        6⤵
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE7D4~1.EXE > nul
        5⤵
        
        PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{92A69~1.EXE > nul
      4⤵
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E37DB~1.EXE > nul
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19CB053B-B981-4c8e-9A68-9EA444F0D279}.exe

Filesize
197KB

MD5
c05d383db6777bbdd1d66e6d18570ac0

SHA1
8dc1db4e1810b8d23a376dbdc55fcccf24989e9d

SHA256
498d4a0c75b25209c7a656a1a6886f3589e51476ef973d961477b41962906297

SHA512
e0c60cfa77ffae038c1ff8ad7d1779b4935a1499b9c45523a3c09853d0111f669b47c9f2dab9ea3fd631e5560b64439ed34a7309977c385b6bf584bdb50cbd85

Download Submit
C:\Windows\{24C9204E-ADC8-4631-B107-A993699F0EAF}.exe

Filesize
197KB

MD5
55851a11fe381e3f4d45bffc290b967b

SHA1
e114a0f4084f6bdb913ae1015ca6d9203362c1da

SHA256
291812c4295051e71cca9a31de73157517c4a6e1a49b5100f530e9f71cb4723f

SHA512
8ede11c78a9fa9e87e55881a79a666c37a075b872cbd7fe72087aa335420a48cef400b641a813666b42f751d9374b9c640ffc5aa7ef584c8e0495949fe9a3714

Download Submit
C:\Windows\{32425B5A-3A64-487b-BB64-16D3BE6EB4E7}.exe

Filesize
197KB

MD5
2038e73ec04afa2261a76533dc346dcd

SHA1
2a04b32fb93360cfd9f92f6d84fc9b41c97a7aeb

SHA256
e07e0dd622fae743f84a70c84ffe1faa5affe26e8f05e7b97d907c24c9b12ea0

SHA512
ae8960dd9594310c3e75e2ae72f56f221f300486d6af585bb9db3ce39ddd3787633a66a7c973caa50378e4845d75fea601c846f5943aa66fe0a163295ec00324

Download Submit
C:\Windows\{48EF2ECC-BC8F-4298-9FA4-8FC1C085356D}.exe

Filesize
197KB

MD5
394769cb210299c5b9566577bbbd9a24

SHA1
eaf8bb8de3961d3202819cdbd7cddd160370379b

SHA256
9bef59fdae9d8b10c6f3ea05a4ce2f6f2e55373926110214d16eae368acfd4b7

SHA512
a72cded98f55c8abd7007f633a8a2d481da7583b736e053ef7af5cf50d0ded3f942a7fb9f82792a08395c1f53a6c205dd3dd5b012c10507fabb473ef06b53c49

Download Submit
C:\Windows\{4F0C5DFF-8C03-493b-B6EE-0036557AE1E4}.exe

Filesize
197KB

MD5
120872355684a02b4bf692399877bfab

SHA1
5cc2cf51c5fb2f7943e45caef0a6f12dfda1c11e

SHA256
872d8faf13d5880d5880f0f2e44e6d83e411147e47dc9eb02fb0cebe5a731bf7

SHA512
79971d5e88d38379426c59835a8fc71a92383d405d5bce48744d6d77773aefe9f1b7556bfe8dd9934403db7313c912cc164c72540f23c35e83c30d131ddc86de

Download Submit
C:\Windows\{57F7F2F3-144F-4b16-8FFF-29472D8EF378}.exe

Filesize
197KB

MD5
594761e5391fa01b60c48399a7a44399

SHA1
74973b1978777b3849df5f279357a0e4d0a78577

SHA256
fb378e804afd874c0ee5f88b23f3c1779caf05ffe04969f867124110a37acf16

SHA512
713799e16ea21006bca5aa620cf2ef782348538be17ed503968b828e3c52a3875ac7c9d39961a7ec3cc5ffc38724e938cc5660847834352344487e487ba122a8

Download Submit
C:\Windows\{63D2545D-196A-4d4b-ACA3-0678A2499879}.exe

Filesize
197KB

MD5
b96fda04d921e840605f0f5f3d38a734

SHA1
ff8fd19df419308d9904e687d2fe42e36095edf1

SHA256
4ea187e4b5c9decad6948479375c52aacf75f3dc0ade00dbf5647b7c3444ad36

SHA512
0882e70749b91289bd74a22b9db9c278d0eee48ae2ecd0ad157573a656cff21cb0b5c9fb6e56d4fb2c73c5a60e9ec3981ff2756e96f74fa5527edcc71a01ae83

Download Submit
C:\Windows\{64D5AD25-7F18-4e39-9FE9-4EE6762CCC1C}.exe

Filesize
197KB

MD5
4193afb701216e6ba302a21f38ac097a

SHA1
1011ba43ba4267847b0c84d6777bc97aea5eab3a

SHA256
e486e2f1533adcaa81394ca56579978e688572ae2be3bc7ef3a4b6fcaeb1e719

SHA512
39b02773fae347107e876e4e08a1d5fbcd0cd019029548ec5b26b06efd7cce2299ccacecaceed76a14e72e6ce9acf48c32452ea2b9d834f22aae80a89cc0e25d

Download Submit
C:\Windows\{76146925-EFD4-4b03-9008-E774CB3CAFA5}.exe

Filesize
197KB

MD5
7e86a3d9c07b2e3c045187ad9480d23b

SHA1
56ed7a56430a106694918ce325cff725c1cf70e1

SHA256
d61fd0d713314e63d56420032074690932a456799f358d3e70be67b1992ffac1

SHA512
8a56adf4c532fa9bee163888d37c8bddbb4c892e2a0fafd6273f4b3b3875cfbd1bc5fc787c995464a2a1e1f85341f9cf7b3915f7ec83b7417e14475b0a2dce3e

Download Submit
C:\Windows\{92A69EBD-7D76-4e60-8858-EDD29A88053F}.exe

Filesize
197KB

MD5
29c841fb96d0a8d47224a3f5e1e51dd5

SHA1
195fc13c4b8d675542d4468db5a47e10dfe8dd7b

SHA256
89ef535a7246bdf34c45c3fe6861f744ec89cf3ba4372167eaff54d1c233c16d

SHA512
46b77c69671cd685b2d94ede9d379b0bbf32eb88ffebe85dbe48659f99d47c7b06fe07c831280ab335b1c541fe2a68016c11f42e9acbb78cfc47c10fbd63ef41

Download Submit
C:\Windows\{E37DBBF8-46FB-4b58-9EE6-F46F03593D97}.exe

Filesize
197KB

MD5
6f81340648ec651127b79c02a817f425

SHA1
fae2f3fc85d02652a43abbd99e9f6a0f90aed3d8

SHA256
b026f114ffa83742badada00dae2460e61343799ae4d261ee87f1534df6c4998

SHA512
4852aca4f7d5c91a5b8326762de0772bbbb4481b43ff48404da483f5962e2a8f54a6c9f191da4421a24aecb2e56568aa2187e0984adca50e2892acea3d1c3795

Download Submit
C:\Windows\{EE7D463C-DF8F-4b2e-B16F-7703C6F6A0C9}.exe

Filesize
197KB

MD5
3fcbe3626ab6edd93e7d0e8809559768

SHA1
0404b480894e227e148478768e308b10bb74eff0

SHA256
80c8f18947fe17f98a2db177def6ac2fd8ef81f493b3c37dcc95d14426e9b5fc

SHA512
135f0d0184f4d0097010e5c0c29061fad5cf1cc35bc0919826d37baf46cbec6f0334dac47e2790a72d568389b2668c3c90f222b5ac88d6e5e5f3e31c1e924a1a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads