a52a35b2fcb4a9ea2bb6731e59c4ae5e0941302ca88f1e13fa5067b2fac99222

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Size

344KB
MD5

aa26920988f31cae055d298ad44e08db
SHA1

691b65fda5a4206aa09fbca72316e3d95d12f43c
SHA256

a52a35b2fcb4a9ea2bb6731e59c4ae5e0941302ca88f1e13fa5067b2fac99222
SHA512

9b456cb8f321cea1fb1a7715881d5ba5fa68eeea7f122972c4c6deeb3b9ebd4bcb1f7aefa484d29ee2658d50a4b93fb25b2a723c61b30d9db6186ce383bbb87d
SSDEEP

3072:mEGh0onlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGBlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231da-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231df-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f9-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000232f7-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000016976-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002335c-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016976-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023376-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230fb-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230fc-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230fb-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023376-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE3D5F2-F520-427a-A464-31EFA18472AC}	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}\stubpath = "C:\\Windows\\{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe"	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A199C91-8F45-47a7-ACCE-847D4D681EDC}	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}\stubpath = "C:\\Windows\\{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe"	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2247CA5-85F9-42ad-8BB4-475834B184DA}\stubpath = "C:\\Windows\\{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe"	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C572321-2063-4d18-B9CE-FBC62A091985}	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE3D5F2-F520-427a-A464-31EFA18472AC}\stubpath = "C:\\Windows\\{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe"	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{354494FE-549C-4e2b-88AC-B5CF61993D4D}\stubpath = "C:\\Windows\\{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe"	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}\stubpath = "C:\\Windows\\{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe"	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}\stubpath = "C:\\Windows\\{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe"	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A199C91-8F45-47a7-ACCE-847D4D681EDC}\stubpath = "C:\\Windows\\{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe"	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}\stubpath = "C:\\Windows\\{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe"	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}\stubpath = "C:\\Windows\\{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe"	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15500CDC-1E28-474a-963D-CDADA4D416D9}	{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{354494FE-549C-4e2b-88AC-B5CF61993D4D}	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2247CA5-85F9-42ad-8BB4-475834B184DA}	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C572321-2063-4d18-B9CE-FBC62A091985}\stubpath = "C:\\Windows\\{2C572321-2063-4d18-B9CE-FBC62A091985}.exe"	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15500CDC-1E28-474a-963D-CDADA4D416D9}\stubpath = "C:\\Windows\\{15500CDC-1E28-474a-963D-CDADA4D416D9}.exe"	{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe
400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe
1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe
4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe
2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe
620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe
3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe
2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe
3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe
2700	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe
3204	{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe
1944	{15500CDC-1E28-474a-963D-CDADA4D416D9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe
File created	C:\Windows\{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe
File created	C:\Windows\{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe
File created	C:\Windows\{15500CDC-1E28-474a-963D-CDADA4D416D9}.exe	{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe
File created	C:\Windows\{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe
File created	C:\Windows\{2C572321-2063-4d18-B9CE-FBC62A091985}.exe	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe
File created	C:\Windows\{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
File created	C:\Windows\{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe
File created	C:\Windows\{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe
File created	C:\Windows\{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe
File created	C:\Windows\{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe
File created	C:\Windows\{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	620	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe
Token: SeIncBasePriorityPrivilege	400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe
Token: SeIncBasePriorityPrivilege	1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe
Token: SeIncBasePriorityPrivilege	4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe
Token: SeIncBasePriorityPrivilege	2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe
Token: SeIncBasePriorityPrivilege	620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe
Token: SeIncBasePriorityPrivilege	3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe
Token: SeIncBasePriorityPrivilege	2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe
Token: SeIncBasePriorityPrivilege	3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe
Token: SeIncBasePriorityPrivilege	2700	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe
Token: SeIncBasePriorityPrivilege	3204	{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3608	620	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	98
PID 620 wrote to memory of 3608	620	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	98
PID 620 wrote to memory of 3608	620	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	98
PID 620 wrote to memory of 4808	620	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	99
PID 620 wrote to memory of 4808	620	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	99
PID 620 wrote to memory of 4808	620	2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe	99
PID 3608 wrote to memory of 400	3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe	100
PID 3608 wrote to memory of 400	3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe	100
PID 3608 wrote to memory of 400	3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe	100
PID 3608 wrote to memory of 5072	3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe	101
PID 3608 wrote to memory of 5072	3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe	101
PID 3608 wrote to memory of 5072	3608	{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe	101
PID 400 wrote to memory of 1420	400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe	105
PID 400 wrote to memory of 1420	400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe	105
PID 400 wrote to memory of 1420	400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe	105
PID 400 wrote to memory of 4768	400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe	106
PID 400 wrote to memory of 4768	400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe	106
PID 400 wrote to memory of 4768	400	{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe	106
PID 1420 wrote to memory of 4616	1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe	107
PID 1420 wrote to memory of 4616	1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe	107
PID 1420 wrote to memory of 4616	1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe	107
PID 1420 wrote to memory of 836	1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe	108
PID 1420 wrote to memory of 836	1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe	108
PID 1420 wrote to memory of 836	1420	{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe	108
PID 4616 wrote to memory of 2480	4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe	109
PID 4616 wrote to memory of 2480	4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe	109
PID 4616 wrote to memory of 2480	4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe	109
PID 4616 wrote to memory of 1288	4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe	110
PID 4616 wrote to memory of 1288	4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe	110
PID 4616 wrote to memory of 1288	4616	{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe	110
PID 2480 wrote to memory of 620	2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe	112
PID 2480 wrote to memory of 620	2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe	112
PID 2480 wrote to memory of 620	2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe	112
PID 2480 wrote to memory of 3120	2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe	113
PID 2480 wrote to memory of 3120	2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe	113
PID 2480 wrote to memory of 3120	2480	{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe	113
PID 620 wrote to memory of 3608	620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe	114
PID 620 wrote to memory of 3608	620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe	114
PID 620 wrote to memory of 3608	620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe	114
PID 620 wrote to memory of 3140	620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe	115
PID 620 wrote to memory of 3140	620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe	115
PID 620 wrote to memory of 3140	620	{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe	115
PID 3608 wrote to memory of 2016	3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe	116
PID 3608 wrote to memory of 2016	3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe	116
PID 3608 wrote to memory of 2016	3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe	116
PID 3608 wrote to memory of 4436	3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe	117
PID 3608 wrote to memory of 4436	3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe	117
PID 3608 wrote to memory of 4436	3608	{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe	117
PID 2016 wrote to memory of 3868	2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe	126
PID 2016 wrote to memory of 3868	2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe	126
PID 2016 wrote to memory of 3868	2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe	126
PID 2016 wrote to memory of 2044	2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe	127
PID 2016 wrote to memory of 2044	2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe	127
PID 2016 wrote to memory of 2044	2016	{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe	127
PID 3868 wrote to memory of 2700	3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe	128
PID 3868 wrote to memory of 2700	3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe	128
PID 3868 wrote to memory of 2700	3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe	128
PID 3868 wrote to memory of 3064	3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe	129
PID 3868 wrote to memory of 3064	3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe	129
PID 3868 wrote to memory of 3064	3868	{2C572321-2063-4d18-B9CE-FBC62A091985}.exe	129
PID 2700 wrote to memory of 3204	2700	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe	130
PID 2700 wrote to memory of 3204	2700	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe	130
PID 2700 wrote to memory of 3204	2700	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe	130
PID 2700 wrote to memory of 1508	2700	{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_aa26920988f31cae055d298ad44e08db_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe
  C:\Windows\{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe
    C:\Windows\{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe
      C:\Windows\{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe
        
        C:\Windows\{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe
        
        C:\Windows\{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe
        
        C:\Windows\{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe
        
        C:\Windows\{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe
        
        C:\Windows\{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{2C572321-2063-4d18-B9CE-FBC62A091985}.exe
        
        C:\Windows\{2C572321-2063-4d18-B9CE-FBC62A091985}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe
        
        C:\Windows\{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe
        
        C:\Windows\{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Windows\{15500CDC-1E28-474a-963D-CDADA4D416D9}.exe
        
        C:\Windows\{15500CDC-1E28-474a-963D-CDADA4D416D9}.exe
        13⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF015~1.EXE > nul
        13⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B9E6~1.EXE > nul
        12⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C572~1.EXE > nul
        11⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2247~1.EXE > nul
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBC4E~1.EXE > nul
        9⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D8EB~1.EXE > nul
        8⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A199~1.EXE > nul
        7⤵
        
        PID:3120
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7D5F~1.EXE > nul
        6⤵
        
        PID:1288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35B22~1.EXE > nul
        5⤵
        
        PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{35449~1.EXE > nul
      4⤵
      PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE3D~1.EXE > nul
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D8EB008-E4F2-4133-80B8-7AF191F50DBA}.exe

Filesize
344KB

MD5
0721b7a25a01910cb71212668922da24

SHA1
f69288dc747245ade86b767afd2cfdecf47eb963

SHA256
a311954f62c834dbf2c41ff737e0fb44f601a64098aea32fc7609c74d8cb393f

SHA512
1cdd09129cee41cf86b4f40a7cfc62bb73eb7bf2239045025f225a35c7eb7421a719672ce817af1c49094a23d1e0090769d180268f6fa13d3a91436e780c7fdf

Download Submit
C:\Windows\{15500CDC-1E28-474a-963D-CDADA4D416D9}.exe

Filesize
344KB

MD5
6240f2b0f697dec6266bee3973042da1

SHA1
8f0dab4d5255940f380c260c19a6f26dd6c56da9

SHA256
9f22105008b4834471d9b8c0dbbeb619b4417f040a7bd438e072b90c54f5af19

SHA512
0af748795fda204178a963e193f38ad1ce8fe696c1e38a0869843145e99177eb4e91ae88ef19f4115a6fac05e043537f8d6249a2436964efceb6711c13bd0472

Download Submit
C:\Windows\{2C572321-2063-4d18-B9CE-FBC62A091985}.exe

Filesize
344KB

MD5
9252e109057db11896050b4c42574448

SHA1
8bc7189b45869089d86f97186b18d0dd49d6a625

SHA256
a04ea0b8887b4eed94b00b49ade0dfe382e4853682fe322a81b852c241383209

SHA512
2adeeeb6b422d398db61e527110f72ecd2faa34ec161f7c811de9568bf2d6d29158e4817db8a44b4d360dce3536772367f1d95366a01059f4b95394f8e06a912

Download Submit
C:\Windows\{2EE3D5F2-F520-427a-A464-31EFA18472AC}.exe

Filesize
344KB

MD5
c102a07dbddc003278496569bee7a89e

SHA1
d7047f97e80e592dadb28f07f9e6ad8abf1c5ff1

SHA256
18efe7c97607f8b6d2a01f58d9b30f72ad424dbe628c8c4722d6c63db23d18c2

SHA512
83fb592a783fddad41556ddec0f69a6a2971b918e15231a5f31bea7823c28c6f23b50f08e3b61c736724d3f102c3aeeb014bae621e76ee0fb9a7756e5884eb5e

Download Submit
C:\Windows\{354494FE-549C-4e2b-88AC-B5CF61993D4D}.exe

Filesize
344KB

MD5
7ea6ba8adb83c2494c1ef88ab9f464c0

SHA1
062110a06daebc090d218dac4fb8bfd9d280f51b

SHA256
4187a31bbee2de2decd61e58b91f9098ac25c6a644924d0f93b30bc99c628fac

SHA512
1786271e6b1f9e29bce1155f37f46cd7d4bfec0e64f1c712da69dbdc161bae1a2e2687a3d2b3d4979c10d3202be23fa4d237d7f6fffc50ef0a241b36dff84a4c

Download Submit
C:\Windows\{35B221B6-4514-4a53-A1F9-ED7A3D8D1F46}.exe

Filesize
344KB

MD5
398a8c7e38c6f117e12b9f3e8236aa1d

SHA1
c0de9bb635e71524669560edc34015fcc7c1bc3c

SHA256
1dd5e41d09782b42e7978a462995bef75909aeffb50fcda9e722a1446a399931

SHA512
7c6a9cf4b6888a5737edfd4c3873c22fda60ec39e64303a9ea6f389f1b2cf4a5c1e68eb348bc97fd62c7ca45f4fd8e1fc4faa8a14f862dccc364c978fc6b42ad

Download Submit
C:\Windows\{5B9E6E57-12B8-4b38-87C0-8A0E0709D606}.exe

Filesize
344KB

MD5
a6652cf3a0a88ac79e29eebe2d9b6cbb

SHA1
0a4c8be2371a1e43744ce3ce61ee55df39542906

SHA256
b65da6a3edf711a52cbd0870bf58a70a0e7ff9dcdaaf4986cd3743cabd9cfff3

SHA512
0926c643dfd88fcc4ecb59eff49174c935d1e91ffb2b16b2be475efee33b609337aeebae5318a9a6053a038e1ffefe727a9a5fd964b3895ebc695c2a7f2e6316

Download Submit
C:\Windows\{7A199C91-8F45-47a7-ACCE-847D4D681EDC}.exe

Filesize
344KB

MD5
7b890a266a4a514bec2a6ee473c61503

SHA1
bc9bf6ea4426df4ef38f7f6400e670cb29c38ae5

SHA256
713ea278e3bb3ee4ae4369b2dd644779ec4e14c0af6a436e773d28cc754d2a03

SHA512
5f90b271d5b775e83f82cdc3113e590e4ba91eadf0920cb7f08d97f319c873ca290a2a113995fd30252fa4ab36a0fdbe7a17a3a0270d267bb8147ec078007dcd

Download Submit
C:\Windows\{B7D5F778-056D-4ee3-B4DF-606FD1B6FA61}.exe

Filesize
344KB

MD5
d49bde42b149d98b02f487292c2b569a

SHA1
995a5b85a841754e449fe9953995b32e8b98cb0c

SHA256
65ec1e28dcca34f2298b09c628e5b426370d0b9ff150f030263caaaec0763e00

SHA512
f0288c3ad32c6b7483e1fcd51b9d58103711adcef39269336f5516bbed3b4ee71dd4d39567d181cecd5946aaea8483556c14d7cc6bcc25ce47cf47dd99229c51

Download Submit
C:\Windows\{BBC4EFB3-D2DF-455e-A341-F8E6D76E1FEE}.exe

Filesize
344KB

MD5
8456f6fcb937e3cecb913d219a15f9d1

SHA1
11726a5d18c6c73549dc51dbe8cc928974bf0c74

SHA256
51fd57e3b50a8484adffb1c4fcf297048e49328c63deb5358e9eb028b4176ccb

SHA512
f1e8235a3e107cf9eb7ae78621e5a8c331d934f0a4372d65e486cd28b66725c3243573fe55562b4bd3da46e5336a4e4a8a5bc3f345fdced98554c4ef7a41e926

Download Submit
C:\Windows\{BF01595C-1E8C-4f34-ADFF-F5BEE27AC38C}.exe

Filesize
344KB

MD5
4548de954cd935c3afe150aafbc9de0f

SHA1
66360fff494749a08db52926493fef7523220f7f

SHA256
4bf0b4add25655e022ca50fce4fa7e37bfca957ad2b878700532ca92ee65e106

SHA512
778ba4feac9d6d2edb1c75d728d5d5f79e89fdeff96a009d58e8df5c161c2f9f386627c18bcd77ba4cfc07275fdf11f842126d4987d553d7e4a50d9024d656e5

Download Submit
C:\Windows\{D2247CA5-85F9-42ad-8BB4-475834B184DA}.exe

Filesize
344KB

MD5
ee91a4c6f067096310330b0739d0861d

SHA1
a8961ac676de9ee09a780751421bfb068a766b62

SHA256
1033e6eacf19ac20dee64606ad0904d9b80ff25a2ac6377fcbe0a704cfec50f1

SHA512
c60c3cc3273367f93cda6f7faf5c8d5a94487c1322782e35dd035527a9a7efa370dc8e8cd6319e7f0502d6d9f29f33070f5421dfeebea9c9e63d1992adb3293d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads