72bccabf7d72fc850b0757b04b868aa28a404d7fb68f8839e0f4fee05ca4f07a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe
Size

380KB
MD5

426baac8045413bb6e1d20f082f6a779
SHA1

d314736f422669536a5014bf4ed65f4ce27d2018
SHA256

72bccabf7d72fc850b0757b04b868aa28a404d7fb68f8839e0f4fee05ca4f07a
SHA512

04797d28c299d61c40bbb421a92d46c64d3067234da35c354b3190f2669e3ca6b54a211ac7601b97509a82cc3514c0f92e2103f70e8cd26fa35f633eb02f9896
SSDEEP

3072:mEGh0oKlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGUl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023308-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023308-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023109-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023308-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023109-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db4d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023371-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001db4d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023104-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001db4d-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e584-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234a0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95633282-FF3A-41a3-AE21-7F4661FAD0E2}	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}\stubpath = "C:\\Windows\\{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}.exe"	{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16F26653-CB83-41d7-96A3-4E2C325BB841}	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}\stubpath = "C:\\Windows\\{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe"	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E42D4EF4-AB22-4ce9-B8D6-041151B50992}	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90899D02-E5F2-454b-B25B-E9E0961FA355}\stubpath = "C:\\Windows\\{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe"	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16F26653-CB83-41d7-96A3-4E2C325BB841}\stubpath = "C:\\Windows\\{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe"	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}\stubpath = "C:\\Windows\\{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe"	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}\stubpath = "C:\\Windows\\{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe"	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6E67E7-E609-4aae-B885-E40B686A174F}\stubpath = "C:\\Windows\\{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe"	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}\stubpath = "C:\\Windows\\{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe"	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6E67E7-E609-4aae-B885-E40B686A174F}	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1747CB75-65C9-4a20-8CFD-71086F6F55E0}	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1747CB75-65C9-4a20-8CFD-71086F6F55E0}\stubpath = "C:\\Windows\\{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe"	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95633282-FF3A-41a3-AE21-7F4661FAD0E2}\stubpath = "C:\\Windows\\{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe"	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}	{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E42D4EF4-AB22-4ce9-B8D6-041151B50992}\stubpath = "C:\\Windows\\{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe"	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}\stubpath = "C:\\Windows\\{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe"	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90899D02-E5F2-454b-B25B-E9E0961FA355}	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe
2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe
3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe
4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe
2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe
864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe
4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe
2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe
4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe
3520	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe
3084	{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe
2212	{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe
File created	C:\Windows\{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe
File created	C:\Windows\{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe
File created	C:\Windows\{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe
File created	C:\Windows\{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe
File created	C:\Windows\{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}.exe	{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe
File created	C:\Windows\{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe
File created	C:\Windows\{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe
File created	C:\Windows\{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe
File created	C:\Windows\{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe
File created	C:\Windows\{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe
File created	C:\Windows\{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	116	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe
Token: SeIncBasePriorityPrivilege	2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe
Token: SeIncBasePriorityPrivilege	3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe
Token: SeIncBasePriorityPrivilege	4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe
Token: SeIncBasePriorityPrivilege	2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe
Token: SeIncBasePriorityPrivilege	864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe
Token: SeIncBasePriorityPrivilege	4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe
Token: SeIncBasePriorityPrivilege	2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe
Token: SeIncBasePriorityPrivilege	4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe
Token: SeIncBasePriorityPrivilege	3520	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe
Token: SeIncBasePriorityPrivilege	3084	{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2456	116	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe	99
PID 116 wrote to memory of 2456	116	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe	99
PID 116 wrote to memory of 2456	116	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe	99
PID 116 wrote to memory of 2820	116	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe	100
PID 116 wrote to memory of 2820	116	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe	100
PID 116 wrote to memory of 2820	116	2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe	100
PID 2456 wrote to memory of 2620	2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe	101
PID 2456 wrote to memory of 2620	2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe	101
PID 2456 wrote to memory of 2620	2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe	101
PID 2456 wrote to memory of 3600	2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe	102
PID 2456 wrote to memory of 3600	2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe	102
PID 2456 wrote to memory of 3600	2456	{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe	102
PID 2620 wrote to memory of 3888	2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe	105
PID 2620 wrote to memory of 3888	2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe	105
PID 2620 wrote to memory of 3888	2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe	105
PID 2620 wrote to memory of 3880	2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe	106
PID 2620 wrote to memory of 3880	2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe	106
PID 2620 wrote to memory of 3880	2620	{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe	106
PID 3888 wrote to memory of 4672	3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe	107
PID 3888 wrote to memory of 4672	3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe	107
PID 3888 wrote to memory of 4672	3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe	107
PID 3888 wrote to memory of 4572	3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe	108
PID 3888 wrote to memory of 4572	3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe	108
PID 3888 wrote to memory of 4572	3888	{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe	108
PID 4672 wrote to memory of 2052	4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe	109
PID 4672 wrote to memory of 2052	4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe	109
PID 4672 wrote to memory of 2052	4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe	109
PID 4672 wrote to memory of 1628	4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe	110
PID 4672 wrote to memory of 1628	4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe	110
PID 4672 wrote to memory of 1628	4672	{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe	110
PID 2052 wrote to memory of 864	2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe	112
PID 2052 wrote to memory of 864	2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe	112
PID 2052 wrote to memory of 864	2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe	112
PID 2052 wrote to memory of 1704	2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe	113
PID 2052 wrote to memory of 1704	2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe	113
PID 2052 wrote to memory of 1704	2052	{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe	113
PID 864 wrote to memory of 4592	864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe	114
PID 864 wrote to memory of 4592	864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe	114
PID 864 wrote to memory of 4592	864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe	114
PID 864 wrote to memory of 1776	864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe	115
PID 864 wrote to memory of 1776	864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe	115
PID 864 wrote to memory of 1776	864	{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe	115
PID 4592 wrote to memory of 2660	4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe	116
PID 4592 wrote to memory of 2660	4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe	116
PID 4592 wrote to memory of 2660	4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe	116
PID 4592 wrote to memory of 2844	4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe	117
PID 4592 wrote to memory of 2844	4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe	117
PID 4592 wrote to memory of 2844	4592	{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe	117
PID 2660 wrote to memory of 4980	2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe	125
PID 2660 wrote to memory of 4980	2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe	125
PID 2660 wrote to memory of 4980	2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe	125
PID 2660 wrote to memory of 3440	2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe	126
PID 2660 wrote to memory of 3440	2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe	126
PID 2660 wrote to memory of 3440	2660	{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe	126
PID 4980 wrote to memory of 3520	4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe	127
PID 4980 wrote to memory of 3520	4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe	127
PID 4980 wrote to memory of 3520	4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe	127
PID 4980 wrote to memory of 1628	4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe	128
PID 4980 wrote to memory of 1628	4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe	128
PID 4980 wrote to memory of 1628	4980	{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe	128
PID 3520 wrote to memory of 3084	3520	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe	130
PID 3520 wrote to memory of 3084	3520	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe	130
PID 3520 wrote to memory of 3084	3520	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe	130
PID 3520 wrote to memory of 2604	3520	{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_426baac8045413bb6e1d20f082f6a779_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe
  C:\Windows\{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe
    C:\Windows\{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe
      C:\Windows\{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Windows\{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe
        
        C:\Windows\{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Windows\{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe
        
        C:\Windows\{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe
        
        C:\Windows\{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe
        
        C:\Windows\{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe
        
        C:\Windows\{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe
        
        C:\Windows\{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe
        
        C:\Windows\{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe
        
        C:\Windows\{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}.exe
        
        C:\Windows\{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}.exe
        13⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95633~1.EXE > nul
        13⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90899~1.EXE > nul
        12⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1747C~1.EXE > nul
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84A4D~1.EXE > nul
        10⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6E6~1.EXE > nul
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DA4A~1.EXE > nul
        8⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E42D4~1.EXE > nul
        7⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36C61~1.EXE > nul
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{251F8~1.EXE > nul
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16F26~1.EXE > nul
      4⤵
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9E3~1.EXE > nul
    3⤵
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe

Filesize
380KB

MD5
0e62929ff2bfffe27c90c3d259375995

SHA1
21672564f4e00317101303ef3a9bab8abd788690

SHA256
cf94707e9bc96f80e03664a8d578f3e79e5b327b77adac42474a8eb5f0627102

SHA512
3a96698f1f5ccf727484d44d7d007ee11a156d8aaf667d3268e8cd6e650c0713924ea7af6f1e8955dc7ad96a5ed9791495277b7ccabdfeaab9d78e2bba0e42cd

Download Submit
C:\Windows\{16F26653-CB83-41d7-96A3-4E2C325BB841}.exe

Filesize
172KB

MD5
604cb2d099938b9620685d5f37d6e337

SHA1
5ae71a5b5313a625ecd40ee4cfa98079d4c1d41d

SHA256
80d9d09ee2aa2b18fec8877174d71454fd09e4b606746c36323ed6f0c2138dba

SHA512
29c5753072619c147f4adeb243de2bc230cd9f6b4d0673d47d6245a8badc9d81623dae257932f71927b87bb68ba97479abb6412fc253537a9e6269112917a7ce

Download Submit
C:\Windows\{1747CB75-65C9-4a20-8CFD-71086F6F55E0}.exe

Filesize
380KB

MD5
4e9547c25da2682b31db52360ce971ca

SHA1
6ec901d0fdb92ec151b5132603aa98ad43b5f36c

SHA256
72474b677fd4d64e8388b2ce5db74a9f8e6d47acb0805d8698f43b1618fc6ad5

SHA512
b73977e433a77c6b3a951c35eba493d43ca68c6dd5401d462fb452d1411443a9bef5f06e7d69c04981dcbff8404ef6a04f92070dcdee7c74e6fdc64700243f48

Download Submit
C:\Windows\{251F888F-5C3B-4d5c-8B31-E22CA1331FE7}.exe

Filesize
380KB

MD5
ca93a82d202e0a862ebedb03e04919c5

SHA1
613552d027e2985aa65095739dddcc5315f6ae9b

SHA256
6e5c6aa2252b6641c1fd61ba2ce3d3a31ae37e89c04e1b6b53a57c0442b48593

SHA512
b986d8b32369aa2397bc4f6e33c56d897c6c036dc337751c313915d075b6b346f1a73be2debb41fdfce84718edb6aeeaf314474333913901c411c48f2288731d

Download Submit
C:\Windows\{2D6668F4-6E5B-4195-B4D9-4B99FAFD5472}.exe

Filesize
380KB

MD5
56548866ec82b427bce29d5f107abcb3

SHA1
7df4d078936c5672be201c5e3b2ba4e296c41ecf

SHA256
0d1915c09f464683ead49a93a864ef450a9a41eec1e98aae0fb32e62b557a77d

SHA512
ebf7d594c36080500b82186e20ec42903e6b45fae56a2c3c9a2afac988386e1889194a79b570d532357f31de3e9b2f0abd488d0b2abc7dd317c2d3bb734df54e

Download Submit
C:\Windows\{36C61E62-DE37-41cb-97C2-FE5D9BFDB265}.exe

Filesize
380KB

MD5
97f25ec5be0af69dd2fa8bd82bd9aa84

SHA1
ee7f99bc65c5ca3b20480ebd2131ce92501ffabd

SHA256
54993a4b57a1ef665f599ce5f4afd23f7e065ad5ecba18da522204f95b0c3e11

SHA512
e850d4538a9c7d5396b9ea800e231140622a69cd06e9e2516f57cc370feaef327d2a26cabb6909426401b6a2ad079fdb36f3054352602a1e4ee55960fb59a26d

Download Submit
C:\Windows\{3DA4A88B-7D0F-4642-BF47-B31A7F3356A2}.exe

Filesize
380KB

MD5
7531e2487cbd95e3a4cd0244b62303e4

SHA1
1d5d50ce88b3ee65d68a97a065ab1c0a14f432a9

SHA256
10ceb027048adca20f74cc33acbdb2e92687653b0b3af8a4fb5584d31e400c69

SHA512
e24580868bd55159bbf5313d72325d93cac43531b9de2a7fec064eaef344cd3f67bdda961ef712058ea00ffa57e07dec29adf44e6016183fbcfc2e61582d0e86

Download Submit
C:\Windows\{84A4D2FF-24D0-43eb-BB3B-79A8DDDCDDB6}.exe

Filesize
380KB

MD5
19c4001aae1ee62884f21bd3113aa71c

SHA1
284d116e7b2dcfdd468585074a83b373754b2ac2

SHA256
7a1ff8b66edaa9acbde8f435374badcb2e59b77be611262ccacd48750b1ff7f9

SHA512
6de325086cef1c84110add050ae14e7b4d2245d844d4914001cc714f80e688a3dde3fb0c1045a7b431b98dc8367325a9d8abac6a2712407a50cf97292613bfb2

Download Submit
C:\Windows\{90899D02-E5F2-454b-B25B-E9E0961FA355}.exe

Filesize
380KB

MD5
630ecf975bcd2b228650cef6f86cb322

SHA1
e809b62cb430750e276a59beda4f96108171ba09

SHA256
751f0dddc8a4542a44951a5afce103872195215cc9ea21d85eeb64990d2c3a99

SHA512
57643b9d168e1cd4ae0288cda8ad6423141a6a14eb440e159a9de56f61924d64be9537a2afd43de49a2576dc2f9b99733cfc9f60257f43001e592da8821dfad7

Download Submit
C:\Windows\{95633282-FF3A-41a3-AE21-7F4661FAD0E2}.exe

Filesize
380KB

MD5
1ed33ed3f6934177dbcd3d72fa7b8b26

SHA1
29b1c621459a8bdf6e02e6e5885e132aa4b3db34

SHA256
e94da75ab80b06c0a4ad53c0c355783ac18bf0385d039b3042fb3ccb4cb839b5

SHA512
dea946336b547b0a1acb9cb8cb37f6a5cfc63aec70cdfe6708d1989b5ec07cd2e2544273d6cedc0d1b2077b56496790d98005585d2343009270bbd8e16fcdb5f

Download Submit
C:\Windows\{BE9E387D-F4B8-4018-B91E-2054CFEE40B8}.exe

Filesize
380KB

MD5
7dfbd3360984411e8c73fc645d195c2f

SHA1
50f060b0baa62dbc1f6caa700a180cffe4daca7e

SHA256
409af8fa1ca4f3183d265b729d3ce8d1bd79cb5a3ac616087dae27ebdac86fc7

SHA512
6f6766455a147856d7dd98adb8635ece6602deccdbc30c9164ad46a928dc2ab25b3a701b35821267068a2ecb1273979fc33eb41ea82f1ada350c728db93c0daa

Download Submit
C:\Windows\{E42D4EF4-AB22-4ce9-B8D6-041151B50992}.exe

Filesize
380KB

MD5
e3fe0166f0d80d273a877fc03e40826a

SHA1
4366eac3c11d654b59620c7ff114ef5a3a789c9f

SHA256
69c7e09bc0592950f2b32632ba045277a8c2d552e9443cd5c1ceaf8c6e4a3283

SHA512
d95c24cce1e878e76da69f1b2e4e1e19c6df1b0e42f7279d0255bc61073d287aefdd7090d3a6c03dcaa49c75dfeb2df6facfdaecb1244d1d419c61d8290bf371

Download Submit
C:\Windows\{EF6E67E7-E609-4aae-B885-E40B686A174F}.exe

Filesize
380KB

MD5
5e5edeaf426b3ec204bdd49e3d957a67

SHA1
ea7f581db16878f7e76f6372a43bb7bcc2014978

SHA256
5ff82dbd642f1536594564d74b7e203779bbe52a3c85314e81738a79a377f05b

SHA512
aab01ed1409b30a2bc4f61ed3abdda1a4389a2fef8aaacc27f3bbc3f60b233a2ed73090cefc7baafa2e7a0a9cf8e1f38b06298e6dae3eb1974d5541f9fb874e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads