acf41f54055a08ad200b2f420fad05e89cca2e8946097dbd7649eb843d763fb3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Size

344KB
MD5

3e86c949a48276e86bd116095e504d21
SHA1

ef5927059b67bf43fb82a2b752c6462e47966cb0
SHA256

acf41f54055a08ad200b2f420fad05e89cca2e8946097dbd7649eb843d763fb3
SHA512

e6c1961406427fca00cbff664b870beb3519529d4a92241af097142e3eb764093dd49ca3e2bd164ad1e5c87c733d4bae8d9865ee39f86183a68c12952070cc9d
SSDEEP

3072:mEGh0o2lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGMlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023323-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e3a0-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023323-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e3a0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023391-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e3a0-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023395-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023395-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c4-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023395-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234cb-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}\stubpath = "C:\\Windows\\{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe"	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED917D5-A537-411c-BF45-CBF76EBB4324}	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1380F026-A568-4622-A9F5-82BE5CE4D315}	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58CD180C-D013-4baf-AB85-50029D823D5F}\stubpath = "C:\\Windows\\{58CD180C-D013-4baf-AB85-50029D823D5F}.exe"	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}\stubpath = "C:\\Windows\\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe"	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED917D5-A537-411c-BF45-CBF76EBB4324}\stubpath = "C:\\Windows\\{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe"	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}\stubpath = "C:\\Windows\\{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe"	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6119C8FB-97C9-4c01-8632-D586BDC002CB}\stubpath = "C:\\Windows\\{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe"	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52212C1F-DBAF-471e-82D0-71298B3D5031}\stubpath = "C:\\Windows\\{52212C1F-DBAF-471e-82D0-71298B3D5031}.exe"	{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BCBDCC-7BE7-47b0-94DD-E145882C2334}\stubpath = "C:\\Windows\\{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe"	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95060B8C-64D4-4f58-AB42-BD38B1F44E34}	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95060B8C-64D4-4f58-AB42-BD38B1F44E34}\stubpath = "C:\\Windows\\{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe"	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}\stubpath = "C:\\Windows\\{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe"	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58CD180C-D013-4baf-AB85-50029D823D5F}	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1380F026-A568-4622-A9F5-82BE5CE4D315}\stubpath = "C:\\Windows\\{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe"	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BCBDCC-7BE7-47b0-94DD-E145882C2334}	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}\stubpath = "C:\\Windows\\{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe"	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6119C8FB-97C9-4c01-8632-D586BDC002CB}	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52212C1F-DBAF-471e-82D0-71298B3D5031}	{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe

Executes dropped EXE 12 IoCs

pid	Process
3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe
4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe
4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe
4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe
3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe
4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe
4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe
3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe
4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe
1652	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe
1224	{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe
3996	{52212C1F-DBAF-471e-82D0-71298B3D5031}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{58CD180C-D013-4baf-AB85-50029D823D5F}.exe	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe
File created	C:\Windows\{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe
File created	C:\Windows\{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe
File created	C:\Windows\{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe
File created	C:\Windows\{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe
File created	C:\Windows\{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe
File created	C:\Windows\{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe
File created	C:\Windows\{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe
File created	C:\Windows\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe
File created	C:\Windows\{52212C1F-DBAF-471e-82D0-71298B3D5031}.exe	{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe
File created	C:\Windows\{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
File created	C:\Windows\{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2984	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe
Token: SeIncBasePriorityPrivilege	4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe
Token: SeIncBasePriorityPrivilege	4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe
Token: SeIncBasePriorityPrivilege	4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe
Token: SeIncBasePriorityPrivilege	3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe
Token: SeIncBasePriorityPrivilege	4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe
Token: SeIncBasePriorityPrivilege	4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe
Token: SeIncBasePriorityPrivilege	3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe
Token: SeIncBasePriorityPrivilege	4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe
Token: SeIncBasePriorityPrivilege	1652	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe
Token: SeIncBasePriorityPrivilege	1224	{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3220	2984	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	96
PID 2984 wrote to memory of 3220	2984	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	96
PID 2984 wrote to memory of 3220	2984	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	96
PID 2984 wrote to memory of 4824	2984	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	97
PID 2984 wrote to memory of 4824	2984	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	97
PID 2984 wrote to memory of 4824	2984	2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe	97
PID 3220 wrote to memory of 4012	3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe	100
PID 3220 wrote to memory of 4012	3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe	100
PID 3220 wrote to memory of 4012	3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe	100
PID 3220 wrote to memory of 2204	3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe	101
PID 3220 wrote to memory of 2204	3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe	101
PID 3220 wrote to memory of 2204	3220	{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe	101
PID 4012 wrote to memory of 4796	4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe	104
PID 4012 wrote to memory of 4796	4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe	104
PID 4012 wrote to memory of 4796	4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe	104
PID 4012 wrote to memory of 4336	4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe	105
PID 4012 wrote to memory of 4336	4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe	105
PID 4012 wrote to memory of 4336	4012	{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe	105
PID 4796 wrote to memory of 4192	4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe	107
PID 4796 wrote to memory of 4192	4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe	107
PID 4796 wrote to memory of 4192	4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe	107
PID 4796 wrote to memory of 4428	4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe	108
PID 4796 wrote to memory of 4428	4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe	108
PID 4796 wrote to memory of 4428	4796	{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe	108
PID 4192 wrote to memory of 3992	4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe	109
PID 4192 wrote to memory of 3992	4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe	109
PID 4192 wrote to memory of 3992	4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe	109
PID 4192 wrote to memory of 3928	4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe	110
PID 4192 wrote to memory of 3928	4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe	110
PID 4192 wrote to memory of 3928	4192	{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe	110
PID 3992 wrote to memory of 4736	3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe	112
PID 3992 wrote to memory of 4736	3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe	112
PID 3992 wrote to memory of 4736	3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe	112
PID 3992 wrote to memory of 4008	3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe	113
PID 3992 wrote to memory of 4008	3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe	113
PID 3992 wrote to memory of 4008	3992	{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe	113
PID 4736 wrote to memory of 4796	4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe	114
PID 4736 wrote to memory of 4796	4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe	114
PID 4736 wrote to memory of 4796	4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe	114
PID 4736 wrote to memory of 2692	4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe	115
PID 4736 wrote to memory of 2692	4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe	115
PID 4736 wrote to memory of 2692	4736	{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe	115
PID 4796 wrote to memory of 3384	4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe	116
PID 4796 wrote to memory of 3384	4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe	116
PID 4796 wrote to memory of 3384	4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe	116
PID 4796 wrote to memory of 1272	4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe	117
PID 4796 wrote to memory of 1272	4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe	117
PID 4796 wrote to memory of 1272	4796	{58CD180C-D013-4baf-AB85-50029D823D5F}.exe	117
PID 3384 wrote to memory of 4124	3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe	126
PID 3384 wrote to memory of 4124	3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe	126
PID 3384 wrote to memory of 4124	3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe	126
PID 3384 wrote to memory of 2056	3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe	127
PID 3384 wrote to memory of 2056	3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe	127
PID 3384 wrote to memory of 2056	3384	{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe	127
PID 4124 wrote to memory of 1652	4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe	128
PID 4124 wrote to memory of 1652	4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe	128
PID 4124 wrote to memory of 1652	4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe	128
PID 4124 wrote to memory of 2672	4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe	129
PID 4124 wrote to memory of 2672	4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe	129
PID 4124 wrote to memory of 2672	4124	{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe	129
PID 1652 wrote to memory of 1224	1652	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe	130
PID 1652 wrote to memory of 1224	1652	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe	130
PID 1652 wrote to memory of 1224	1652	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe	130
PID 1652 wrote to memory of 408	1652	{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_3e86c949a48276e86bd116095e504d21_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe
  C:\Windows\{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe
    C:\Windows\{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe
      C:\Windows\{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe
        
        C:\Windows\{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Windows\{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe
        
        C:\Windows\{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe
        
        C:\Windows\{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{58CD180C-D013-4baf-AB85-50029D823D5F}.exe
        
        C:\Windows\{58CD180C-D013-4baf-AB85-50029D823D5F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe
        
        C:\Windows\{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe
        
        C:\Windows\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe
        
        C:\Windows\{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe
        
        C:\Windows\{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\{52212C1F-DBAF-471e-82D0-71298B3D5031}.exe
        
        C:\Windows\{52212C1F-DBAF-471e-82D0-71298B3D5031}.exe
        13⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6119C~1.EXE > nul
        13⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A442A~1.EXE > nul
        12⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D7F8~1.EXE > nul
        11⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1380F~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58CD1~1.EXE > nul
        9⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F5D~1.EXE > nul
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E67C~1.EXE > nul
        7⤵
        
        PID:4008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EED91~1.EXE > nul
        6⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95060~1.EXE > nul
        5⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0FA73~1.EXE > nul
      4⤵
      PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{52BCB~1.EXE > nul
    3⤵
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FA73C5C-4B76-47d9-BD76-979A00FAA51C}.exe

Filesize
344KB

MD5
b1ad2520fbe0c5449ce0ef899e10b181

SHA1
38a03715db57b332471e41291e779144f1b19c4a

SHA256
105385d93e846bc2b8e63ef87f0ac02db7576f1e8024818867ae42ff11005de4

SHA512
aa04f78bd521913675b8ead27ee670d9e29c86a3597e8ad5fa9c4517a99cf0aac4878516c981c682a8f633931414d9aeafcf98c6211020c690f4d9bae9246353

Download Submit
C:\Windows\{1380F026-A568-4622-A9F5-82BE5CE4D315}.exe

Filesize
344KB

MD5
25083aec28d1ba69a2a783bd6bada5e8

SHA1
eca5a2aea3b153158ea61e207559e5210a104a2a

SHA256
217a7001c035a2ecc976060488fbad1310989f0d5cf3bde9db7dd5c897bcb266

SHA512
0d01db5cd46de0d5143c816b0011040c20d4257436ecf9317f561c55138688c7dcb7917be85daa19d91c85871e15223d9889ea1f7fb8a457f4fc9ed7caea4050

Download Submit
C:\Windows\{34F5DF44-2107-4e2b-BEF6-078E2F7461A1}.exe

Filesize
344KB

MD5
0d2d1f23cfff1e656d0384d718021b16

SHA1
c90dcfd2eb1def2f1a91021c663d6ee98d9f651f

SHA256
550abb903bca29f183f6025072db566f982c3cff0909f66e869ad717e4460a9a

SHA512
537f67aa96bd03ede434a8c1dd5b0e6d14607d9c82b6498b0534dedda6402cbd9fae6af3e4a6d12add5f45309a185fae20cb86ac01b60d530fbb6aa8cc033c2a

Download Submit
C:\Windows\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe

Filesize
344KB

MD5
3719942ba293eac5b91b58bb0154d89c

SHA1
32f81f013afbf5cd820f00cfd0e0008ebc2baf72

SHA256
70aec18e668fc5da975fb413be151b451d8513b76f27b60e125739aa10d934f2

SHA512
a612535840816148460c1893c10275e9521733e7cb7c572ff1223551ff73061b29e8b9a7886401bdbdb55735a1499ad75106b53127e48a9b8c2941b61c5ca4c9

Download Submit
C:\Windows\{3D7F8DCB-0FC3-48ae-8D5C-0FF2929C435C}.exe

Filesize
273KB

MD5
5cd3014b7ba42a48cc4c0d8e9bc9ec08

SHA1
59e7d2dc4165efab3db5f47baab5fbd9db7f4337

SHA256
a926af9784f8bd40b00edd9b5aad636380a5ac891d71d9afd88b922c819e49c7

SHA512
638d0ff9d64f38b79184553eed052662f35a8132a06f0be2d7ab065abe0f62b9fa50eccb89e9f06e347ba7577143be2fecbf5428db293ebc932cb3e3f8218132

Download Submit
C:\Windows\{52212C1F-DBAF-471e-82D0-71298B3D5031}.exe

Filesize
344KB

MD5
190a8472ccb5e825344fde6663d7661f

SHA1
c4b2dbce4793e767ed13831a091d25d8abaae9c1

SHA256
1ead2191dc53c028b0156a8b4709dac7d3a61e4effb31921f41141a34fc1f8df

SHA512
df4b3639be2d8537058b93adb4bcdc80cba2d40137b9c3dea55fa90f230491b6a2847c2f0f1cc4b9e5892b3c0242a968b67fcb5d0b7d1d63b45fc7249af03872

Download Submit
C:\Windows\{52BCBDCC-7BE7-47b0-94DD-E145882C2334}.exe

Filesize
344KB

MD5
0abfc4d8e2b38742d7132285a29a0744

SHA1
025319bca022216072a5195975aee35d17d5e8e2

SHA256
ba6aa8126bd712e12bdae99329db21df5918b62147c304dea36ad15636707a4f

SHA512
a00936722f427decc054ef5f83083debbf61f127a72d2e1ab4d5c7e20aae624bd71d33806e72858033a7fa45ba1140d9253ad1cd6b61a8d671c63ef43c3becfc

Download Submit
C:\Windows\{58CD180C-D013-4baf-AB85-50029D823D5F}.exe

Filesize
344KB

MD5
b9f8907b7e17e0f3ff3fa65ef311f645

SHA1
bae8fe2cc53184a5e06409f9c9cccb328330c10f

SHA256
4efa2b74f0e40b34e74cc4b3bd38ed49b93b37e2deb6a92b43450e9663af3774

SHA512
1535b29d8ed8b41fae5badab779c4666023598be10c25d02049dc98edc99f4e15448d236adc43b674c62e3fcd8b86b726299f8b24d47b19538f1608e17927976

Download Submit
C:\Windows\{6119C8FB-97C9-4c01-8632-D586BDC002CB}.exe

Filesize
344KB

MD5
25de72acd97b91b4fe25c72e83b9beb6

SHA1
6b9b19fed0d4a7f278087ef30cac91682638af2a

SHA256
a45c8b3e5a2b211413b4ac9896bd813579d2b543344cb2f6211ed7157b96dff5

SHA512
b3f83b27996e5c273a8a9c97cd8c97a919c6cd5dadc1486c9090289139e95ebfefb1ba1d7294d650d5ce93cb80214c13787af8fd89e0c44b6e34399aa4879ce1

Download Submit
C:\Windows\{95060B8C-64D4-4f58-AB42-BD38B1F44E34}.exe

Filesize
344KB

MD5
7658f723cf634cd129de458491943294

SHA1
69dffd00a8cf0feafffc2a9541e668f0afc3ddad

SHA256
8afe2f57dc7414ddd81c76890ad37f2111d3b1dcfe3182f49f21bac38306cd37

SHA512
1492cb3c834efc0bf88e1d3e22311f555a35288f402653fba42605fbdb777113601093d3cfc2f98b490fb2ea27c7ddb7361468fe8c18f897c15d854fa4036805

Download Submit
C:\Windows\{9E67C5D7-F9EB-444f-8FF7-38AD9781452E}.exe

Filesize
344KB

MD5
48eaa09aefc66f472f58e94b3b572cad

SHA1
d4b9057f989b022fd75f53c0c72a4810ed331b73

SHA256
fec69b984e0a1e0fd16fbf5c3a7ed3336a4f4d8dd411f122b3f2fc4b137a84bc

SHA512
f69603537f6f4a8e204b9b0acb85de94de9aaac186f2cbc8315e4cbd7929df5c70e015ae942530941ab99c30538bc509e283372056ac3d9fa8ad8628a10e1e8e

Download Submit
C:\Windows\{A442A9BC-7F51-40df-9AC2-0CF7D92982F7}.exe

Filesize
344KB

MD5
96b9d855792d8a37fdc6b4cf658c4e70

SHA1
6283bd7120f6537529156a64f4b5998d176ba5cd

SHA256
917272fe80f308aec134b81146679c239fa0721477c2aa5bef20944a954e20d0

SHA512
0236f6a30e4468f7954c39b969f8303cb2be76c6399439839a8cac7fab882a348ca4811d7610ee1430e29d864e67fda0d1144506814f9b3c1a5a01b8693ef31a

Download Submit
C:\Windows\{EED917D5-A537-411c-BF45-CBF76EBB4324}.exe

Filesize
344KB

MD5
41aba82ba7aa7ff01e87e219e2963744

SHA1
19e8d0116ed47b8d882e492e13a83496af5d5963

SHA256
3b2d41ebcfa566dd351251ea010eb323e94907a40f80a92ec05c94f878437c70

SHA512
62859faf544677fd099561350bdb41103ecd35f144b49896ad1a5120e2b9e62c4ff40f71b03774ab4f62fd7a61220b1cd99b6e5d000ecc3e13fad590d104d117

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads