aa8102a6c0a4053d5fd52706cdc1a148bb6342119e4625c54396dcea43a561b6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe
Size

197KB
MD5

d3b57013d8afaeee3415f4c848d6ea8a
SHA1

f9347bf71568ef2d63dbbade62fb98b1dc19fef7
SHA256

aa8102a6c0a4053d5fd52706cdc1a148bb6342119e4625c54396dcea43a561b6
SHA512

091dbe4702ba962142e689b53925b158f4e68d68c13bdadfdd0fa6e3e42d75e36b6ddb3aa8abe521c59d12e88e1a5bf2d5679320b1b6a3b304951ec0f0abcde3
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGxlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e3d9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023220-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e804-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c5-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c5-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}\stubpath = "C:\\Windows\\{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe"	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2557292B-F666-49f8-AA89-1F38DE8863EE}	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A324A764-D316-47c3-8D64-5950E70F27DF}\stubpath = "C:\\Windows\\{A324A764-D316-47c3-8D64-5950E70F27DF}.exe"	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}\stubpath = "C:\\Windows\\{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe"	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}\stubpath = "C:\\Windows\\{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe"	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3869B63E-5706-4331-9E3E-F11DE6B59083}	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3869B63E-5706-4331-9E3E-F11DE6B59083}\stubpath = "C:\\Windows\\{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe"	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D118686-D4EC-4c24-B976-5EDCC742A7F8}	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6DED426-059B-41ee-B7AB-D4B21C597222}	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{776975B5-8810-4248-8F10-65853EDE351E}\stubpath = "C:\\Windows\\{776975B5-8810-4248-8F10-65853EDE351E}.exe"	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}	{776975B5-8810-4248-8F10-65853EDE351E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}\stubpath = "C:\\Windows\\{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe"	{776975B5-8810-4248-8F10-65853EDE351E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}\stubpath = "C:\\Windows\\{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}.exe"	{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2557292B-F666-49f8-AA89-1F38DE8863EE}\stubpath = "C:\\Windows\\{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe"	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6DED426-059B-41ee-B7AB-D4B21C597222}\stubpath = "C:\\Windows\\{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe"	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}	{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A324A764-D316-47c3-8D64-5950E70F27DF}	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D118686-D4EC-4c24-B976-5EDCC742A7F8}\stubpath = "C:\\Windows\\{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe"	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{776975B5-8810-4248-8F10-65853EDE351E}	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}\stubpath = "C:\\Windows\\{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe"	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe

Executes dropped EXE 12 IoCs

pid	Process
3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe
3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe
2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe
4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe
448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe
1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe
2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe
1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe
1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe
5032	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe
2112	{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe
1732	{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{776975B5-8810-4248-8F10-65853EDE351E}.exe	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe
File created	C:\Windows\{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe	{776975B5-8810-4248-8F10-65853EDE351E}.exe
File created	C:\Windows\{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe
File created	C:\Windows\{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}.exe	{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe
File created	C:\Windows\{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe
File created	C:\Windows\{A324A764-D316-47c3-8D64-5950E70F27DF}.exe	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe
File created	C:\Windows\{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe
File created	C:\Windows\{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe
File created	C:\Windows\{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe
File created	C:\Windows\{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe
File created	C:\Windows\{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe
File created	C:\Windows\{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3736	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe
Token: SeIncBasePriorityPrivilege	3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe
Token: SeIncBasePriorityPrivilege	2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe
Token: SeIncBasePriorityPrivilege	4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe
Token: SeIncBasePriorityPrivilege	448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe
Token: SeIncBasePriorityPrivilege	1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe
Token: SeIncBasePriorityPrivilege	2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe
Token: SeIncBasePriorityPrivilege	1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe
Token: SeIncBasePriorityPrivilege	1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe
Token: SeIncBasePriorityPrivilege	5032	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe
Token: SeIncBasePriorityPrivilege	2112	{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3464	3736	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe	91
PID 3736 wrote to memory of 3464	3736	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe	91
PID 3736 wrote to memory of 3464	3736	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe	91
PID 3736 wrote to memory of 1556	3736	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe	92
PID 3736 wrote to memory of 1556	3736	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe	92
PID 3736 wrote to memory of 1556	3736	2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe	92
PID 3464 wrote to memory of 3208	3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe	95
PID 3464 wrote to memory of 3208	3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe	95
PID 3464 wrote to memory of 3208	3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe	95
PID 3464 wrote to memory of 5020	3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe	96
PID 3464 wrote to memory of 5020	3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe	96
PID 3464 wrote to memory of 5020	3464	{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe	96
PID 3208 wrote to memory of 2152	3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe	98
PID 3208 wrote to memory of 2152	3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe	98
PID 3208 wrote to memory of 2152	3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe	98
PID 3208 wrote to memory of 4584	3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe	99
PID 3208 wrote to memory of 4584	3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe	99
PID 3208 wrote to memory of 4584	3208	{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe	99
PID 2152 wrote to memory of 4676	2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe	100
PID 2152 wrote to memory of 4676	2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe	100
PID 2152 wrote to memory of 4676	2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe	100
PID 2152 wrote to memory of 3772	2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe	101
PID 2152 wrote to memory of 3772	2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe	101
PID 2152 wrote to memory of 3772	2152	{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe	101
PID 4676 wrote to memory of 448	4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe	102
PID 4676 wrote to memory of 448	4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe	102
PID 4676 wrote to memory of 448	4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe	102
PID 4676 wrote to memory of 1792	4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe	103
PID 4676 wrote to memory of 1792	4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe	103
PID 4676 wrote to memory of 1792	4676	{A324A764-D316-47c3-8D64-5950E70F27DF}.exe	103
PID 448 wrote to memory of 1992	448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe	104
PID 448 wrote to memory of 1992	448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe	104
PID 448 wrote to memory of 1992	448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe	104
PID 448 wrote to memory of 1436	448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe	105
PID 448 wrote to memory of 1436	448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe	105
PID 448 wrote to memory of 1436	448	{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe	105
PID 1992 wrote to memory of 2908	1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe	106
PID 1992 wrote to memory of 2908	1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe	106
PID 1992 wrote to memory of 2908	1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe	106
PID 1992 wrote to memory of 4088	1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe	107
PID 1992 wrote to memory of 4088	1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe	107
PID 1992 wrote to memory of 4088	1992	{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe	107
PID 2908 wrote to memory of 1088	2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe	108
PID 2908 wrote to memory of 1088	2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe	108
PID 2908 wrote to memory of 1088	2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe	108
PID 2908 wrote to memory of 4064	2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe	109
PID 2908 wrote to memory of 4064	2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe	109
PID 2908 wrote to memory of 4064	2908	{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe	109
PID 1088 wrote to memory of 1944	1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe	110
PID 1088 wrote to memory of 1944	1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe	110
PID 1088 wrote to memory of 1944	1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe	110
PID 1088 wrote to memory of 1244	1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe	111
PID 1088 wrote to memory of 1244	1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe	111
PID 1088 wrote to memory of 1244	1088	{776975B5-8810-4248-8F10-65853EDE351E}.exe	111
PID 1944 wrote to memory of 5032	1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe	112
PID 1944 wrote to memory of 5032	1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe	112
PID 1944 wrote to memory of 5032	1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe	112
PID 1944 wrote to memory of 1740	1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe	113
PID 1944 wrote to memory of 1740	1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe	113
PID 1944 wrote to memory of 1740	1944	{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe	113
PID 5032 wrote to memory of 2112	5032	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe	114
PID 5032 wrote to memory of 2112	5032	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe	114
PID 5032 wrote to memory of 2112	5032	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe	114
PID 5032 wrote to memory of 2284	5032	{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_d3b57013d8afaeee3415f4c848d6ea8a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe
  C:\Windows\{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe
    C:\Windows\{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe
      C:\Windows\{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\{A324A764-D316-47c3-8D64-5950E70F27DF}.exe
        
        C:\Windows\{A324A764-D316-47c3-8D64-5950E70F27DF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Windows\{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe
        
        C:\Windows\{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe
        
        C:\Windows\{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe
        
        C:\Windows\{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{776975B5-8810-4248-8F10-65853EDE351E}.exe
        
        C:\Windows\{776975B5-8810-4248-8F10-65853EDE351E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe
        
        C:\Windows\{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe
        
        C:\Windows\{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe
        
        C:\Windows\{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}.exe
        
        C:\Windows\{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}.exe
        13⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C5A~1.EXE > nul
        13⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AFC1~1.EXE > nul
        12⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F7E~1.EXE > nul
        11⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77697~1.EXE > nul
        10⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6DED~1.EXE > nul
        9⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D118~1.EXE > nul
        8⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F044~1.EXE > nul
        7⤵
        
        PID:1436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A324A~1.EXE > nul
        6⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25572~1.EXE > nul
        5⤵
        
        PID:3772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BAC8B~1.EXE > nul
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3869B~1.EXE > nul
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D118686-D4EC-4c24-B976-5EDCC742A7F8}.exe

Filesize
197KB

MD5
f58625069fee200c16c087aebe5ecc8d

SHA1
de3ff07b0d2315bc8b11b91618a5c4f3c1ca782c

SHA256
7da9b2597502e39211271c5e06ec893a45f8bcdc9c41fd3707b43f3aeeced902

SHA512
b7f1161ccc7f02e379996a933bce7fa67512bf4405bc0516831b7f889f304299864a5bb307df74193530a494ca4d67851d6b6886fdd566e30858e76ff31de7ce

Download Submit
C:\Windows\{2557292B-F666-49f8-AA89-1F38DE8863EE}.exe

Filesize
197KB

MD5
03d509778f38d56253def7d9d8ccbbbe

SHA1
cd3a6493d0fe61b6294943113d7de09587f3b82d

SHA256
d541e1119109e7d0dd6b6465641bfa42990fa5731c272854afc128a8048756bd

SHA512
951ffd4b0ff708364d9a7bcb21b853ebe32f792df8d7477b41ff789d4339dcb391373c37b76604f38cda425157e0aa01a196c792dcbf41efc8df34b3fb0eba4c

Download Submit
C:\Windows\{3869B63E-5706-4331-9E3E-F11DE6B59083}.exe

Filesize
197KB

MD5
657e1f0b44deb9a9dcf47d5f422bd044

SHA1
2082b612b91a4865018086fe0aba371efc7f61f5

SHA256
074bdf66a61f373479ab7ba39bf737b8aabf91fff829c35109d38c9955c09122

SHA512
46341cb7b63faafbba4a101de41a87c615ac65b25284972ee7532365541b9dca35bb89f0234e846bc2c4f402781d215b9822c5288a6e7295dcb9cca1c272a593

Download Submit
C:\Windows\{3AFC11D1-8FEB-4ecb-95E1-F666D1AD57D5}.exe

Filesize
197KB

MD5
0c0366f79a607732d1c1b7c24e9aa3ea

SHA1
ee56aabf75ff4a4e3af23c51bb904ed330dc5e89

SHA256
be6ab7b394ab68b7071453d4e67dca316328cf88de22db252475f0ab47fcb2af

SHA512
bfdea52a07f9d8bf6dd634631fb5a5eb5c610c5816b6eadaf3bb173da048828cb36b0b0b71a614e98e12444a51a896714fc2fd066519f96c44810ea2bc26a874

Download Submit
C:\Windows\{776975B5-8810-4248-8F10-65853EDE351E}.exe

Filesize
197KB

MD5
a9a724a6cd2aa012c334fac2bc1f669f

SHA1
8e84f080804e5509d52b8e10a9ac19556e48c6de

SHA256
457d07f4f1e3cf2392f005c79b2fdb4f470bac88352aa1ba17fc147b1c004b48

SHA512
43140a5741f1b18d21da51f2745a51041378566212873cf3f4882e09e88544af012daffd00e86ac3304f0abb05bbec5555430076e98e90a4ffd472c321008dec

Download Submit
C:\Windows\{9E0A1AE6-D58F-4546-88AF-1CE9B8382AAC}.exe

Filesize
197KB

MD5
5cba04a2ae68932143ba8e747db9b8fa

SHA1
eab31c802781a9a9a84836d9e7ddf3d3cf96eba4

SHA256
254107ca4f4d93fb057aabb16411cc0dcb334f1a402edc9b8a1d2707a7f772f3

SHA512
c0e2ea3e219d7c5f58e52df85902caded7082ae920ca5c45a4ba89cef1a6ab090cbba4c3268d1c5f4b92c8a66bf3626154222c5f87942cda583fc3c5a02e99a5

Download Submit
C:\Windows\{9F0449B6-B210-4f7a-ADAC-92E1CBD8323D}.exe

Filesize
197KB

MD5
4692a88536cc62d9593eceefc93c6016

SHA1
9762a799603a8d33f18a40f178c51e16e716a11b

SHA256
f96a76561b597b0a0071d9c173c7a4f3e9bb1c2fb9428a1f25e5016a9183c1ce

SHA512
7da8942e9a860748828c5d30c3f2a82ed6890d144c98356a2235bdb7044ea5cde53c887c5383860b5d2fc12adee1e5bcfc1b071981f8b813a82eb000c7b40ce4

Download Submit
C:\Windows\{A324A764-D316-47c3-8D64-5950E70F27DF}.exe

Filesize
103KB

MD5
0f33786b0a009a614d213071c6de5de5

SHA1
23bfb80f859507ea5ea4a2e104ab30194ec15ff9

SHA256
f41f6f032728d270879eb18be9e3d70361f3bac09ef92e53707bd6f30d156291

SHA512
3be83cf0824bad79fa36eeb1f7622fe35d93f26d8818f83b6a6a836972fec3703deee08c24a906930bc10d79ead2f518e6f1c420807814bf3e8397a049d25af4

Download Submit
C:\Windows\{A324A764-D316-47c3-8D64-5950E70F27DF}.exe

Filesize
64KB

MD5
6117b04f353be48b0538af2dc7076a64

SHA1
8fbeaeb30d1e5d1abb429f58443dbb50b9bb1a13

SHA256
01c9d151ba015f79080b6e9922c0043e04c02d7896330d24c57324c023de1ad7

SHA512
86b5347ad6d05f99ccf7f16c86fdeca95e67ad6606f17e804ba395f58c38dc6623ec3baea0e604d118d83381aa6bee13135a78aa851dafafb38ea9ce1c604087

Download Submit
C:\Windows\{B8C5AD5E-F4C3-43ba-994A-C4BC1567DAE1}.exe

Filesize
197KB

MD5
a425c7e3769bfb33d97e025d09b15d1d

SHA1
7a10e86b84c703cdc51370bf1faffb331df824fe

SHA256
972f46f40ca6a9851444f5631ae0d0cd5996f35b94c64644f7585be3a3d85214

SHA512
d5e5347448a5e78d6313916b8d20277e972f13b8f7ed991d80e633c6f2d89582dc4ca54d10ae76504257597090930c74420ac1cbef77cfe3ff9d00c3abc84d5e

Download Submit
C:\Windows\{BAC8B847-8DE5-42c5-A36A-3B0C3794F0A8}.exe

Filesize
197KB

MD5
f7ef27dda2b35487c2acfd1b10d733b6

SHA1
41ac610e5d6500ccf4b3e35aa226fbdbfcf3d4db

SHA256
b4ab32ae1d7460a858eb7d8cc2da1ed2f4aa95a9f6711ac5d3d5f96a8ca6b1da

SHA512
8448fcfff907abe6a783365a4ce7ac920ff38dd683731b47a33778edec686344675b0932a69c7f39340cc71ad381643df441a78168f9f27d1f040f55e877e78c

Download Submit
C:\Windows\{C6DED426-059B-41ee-B7AB-D4B21C597222}.exe

Filesize
197KB

MD5
3267ca9822ccbe7062a8728b8c8f367f

SHA1
79d10b9b1d86ced0078703aebc16332719170037

SHA256
22f64260e0725ec9dc7b4e49108d2c4bed7490dc85e0db42f8315ac78ded9465

SHA512
06b560f3e40b9d764eedf36557504347516119c99569be5a67c4a820f392ef565a0f0457323dc1e39540d5b8ff90085aff78ecbd73fbc983b067741c308aa107

Download Submit
C:\Windows\{E0F7ED7C-9429-4149-AD11-B6B29E7E2F8D}.exe

Filesize
197KB

MD5
4561c0163e8b4c8c5cb2d2e5b54acbbf

SHA1
bd652546d9f98400df73f914bd686e69840bd771

SHA256
f889f65aa29bc7417e800b67f029a976a7622e27efdf4f084d1ff0f3491a6888

SHA512
a54e0e652b2c27513b59f59a9c91928692a8b30f16e6b37ff39eb070f333d7d368f9bbe44b524a1d3e479af0061bd528d4d2dd343bd9810ba2f3eb5b2116da97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads