e63b32362cb7ede50d8014a040901beea0c2403fb9d000824b165de49c3acdbf

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe
Size

168KB
MD5

9dbf5d744873cb1e25a96ceca175fb8f
SHA1

d229c9212ef48715cd4cc176441672cb23bbe6f9
SHA256

e63b32362cb7ede50d8014a040901beea0c2403fb9d000824b165de49c3acdbf
SHA512

2ad68e6caeb1d8546ab92be4e8f8bbf8835b6efe4389c02759efb044d96fee070998530bd8a03fb0e7c09a53979dd46dd349cbf583e09d380bf4e21809c1ec77
SSDEEP

1536:1EGh0oOlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oOlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023138-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023225-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023228-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023225-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023228-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023225-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000731-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000006d1-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B5416F6-D27B-45a7-9A25-DFF414E7808E}\stubpath = "C:\\Windows\\{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe"	{481698FB-E972-4691-AB3E-825286DBEE25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EBBE0A-1130-45be-BA42-93BCF0DFF790}\stubpath = "C:\\Windows\\{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe"	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{268C4B74-E421-46fd-B5FE-212CC97327EA}\stubpath = "C:\\Windows\\{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe"	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}\stubpath = "C:\\Windows\\{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe"	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481698FB-E972-4691-AB3E-825286DBEE25}\stubpath = "C:\\Windows\\{481698FB-E972-4691-AB3E-825286DBEE25}.exe"	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}\stubpath = "C:\\Windows\\{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe"	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}\stubpath = "C:\\Windows\\{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe"	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}\stubpath = "C:\\Windows\\{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe"	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92279C5C-FDAF-4f62-A1D0-677D128616A7}\stubpath = "C:\\Windows\\{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe"	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942DA72F-12CC-4b78-86D0-95F322DE84DB}\stubpath = "C:\\Windows\\{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe"	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}\stubpath = "C:\\Windows\\{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe"	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B5416F6-D27B-45a7-9A25-DFF414E7808E}	{481698FB-E972-4691-AB3E-825286DBEE25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942DA72F-12CC-4b78-86D0-95F322DE84DB}	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481698FB-E972-4691-AB3E-825286DBEE25}	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EBBE0A-1130-45be-BA42-93BCF0DFF790}	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{268C4B74-E421-46fd-B5FE-212CC97327EA}	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92279C5C-FDAF-4f62-A1D0-677D128616A7}	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021F0A61-AC9F-4946-9D4E-11280D71EBB9}	{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021F0A61-AC9F-4946-9D4E-11280D71EBB9}\stubpath = "C:\\Windows\\{021F0A61-AC9F-4946-9D4E-11280D71EBB9}.exe"	{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe

Executes dropped EXE 12 IoCs

pid	Process
1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe
3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe
1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe
4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe
3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe
2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe
4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe
2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe
5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe
392	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe
3760	{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe
1444	{021F0A61-AC9F-4946-9D4E-11280D71EBB9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe
File created	C:\Windows\{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe
File created	C:\Windows\{481698FB-E972-4691-AB3E-825286DBEE25}.exe	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe
File created	C:\Windows\{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe
File created	C:\Windows\{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe
File created	C:\Windows\{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe
File created	C:\Windows\{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe
File created	C:\Windows\{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe
File created	C:\Windows\{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe	{481698FB-E972-4691-AB3E-825286DBEE25}.exe
File created	C:\Windows\{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe
File created	C:\Windows\{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe
File created	C:\Windows\{021F0A61-AC9F-4946-9D4E-11280D71EBB9}.exe	{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3292	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe
Token: SeIncBasePriorityPrivilege	3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe
Token: SeIncBasePriorityPrivilege	1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe
Token: SeIncBasePriorityPrivilege	4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe
Token: SeIncBasePriorityPrivilege	3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe
Token: SeIncBasePriorityPrivilege	2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe
Token: SeIncBasePriorityPrivilege	4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe
Token: SeIncBasePriorityPrivilege	2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe
Token: SeIncBasePriorityPrivilege	5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe
Token: SeIncBasePriorityPrivilege	392	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe
Token: SeIncBasePriorityPrivilege	3760	{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1104	3292	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe	94
PID 3292 wrote to memory of 1104	3292	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe	94
PID 3292 wrote to memory of 1104	3292	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe	94
PID 3292 wrote to memory of 2252	3292	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe	95
PID 3292 wrote to memory of 2252	3292	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe	95
PID 3292 wrote to memory of 2252	3292	2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe	95
PID 1104 wrote to memory of 3720	1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe	98
PID 1104 wrote to memory of 3720	1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe	98
PID 1104 wrote to memory of 3720	1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe	98
PID 1104 wrote to memory of 4688	1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe	99
PID 1104 wrote to memory of 4688	1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe	99
PID 1104 wrote to memory of 4688	1104	{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe	99
PID 3720 wrote to memory of 1276	3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe	100
PID 3720 wrote to memory of 1276	3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe	100
PID 3720 wrote to memory of 1276	3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe	100
PID 3720 wrote to memory of 412	3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe	101
PID 3720 wrote to memory of 412	3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe	101
PID 3720 wrote to memory of 412	3720	{481698FB-E972-4691-AB3E-825286DBEE25}.exe	101
PID 1276 wrote to memory of 4288	1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe	102
PID 1276 wrote to memory of 4288	1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe	102
PID 1276 wrote to memory of 4288	1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe	102
PID 1276 wrote to memory of 4800	1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe	103
PID 1276 wrote to memory of 4800	1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe	103
PID 1276 wrote to memory of 4800	1276	{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe	103
PID 4288 wrote to memory of 3452	4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe	104
PID 4288 wrote to memory of 3452	4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe	104
PID 4288 wrote to memory of 3452	4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe	104
PID 4288 wrote to memory of 1400	4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe	105
PID 4288 wrote to memory of 1400	4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe	105
PID 4288 wrote to memory of 1400	4288	{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe	105
PID 3452 wrote to memory of 2100	3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe	106
PID 3452 wrote to memory of 2100	3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe	106
PID 3452 wrote to memory of 2100	3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe	106
PID 3452 wrote to memory of 5080	3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe	107
PID 3452 wrote to memory of 5080	3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe	107
PID 3452 wrote to memory of 5080	3452	{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe	107
PID 2100 wrote to memory of 4704	2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe	108
PID 2100 wrote to memory of 4704	2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe	108
PID 2100 wrote to memory of 4704	2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe	108
PID 2100 wrote to memory of 944	2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe	109
PID 2100 wrote to memory of 944	2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe	109
PID 2100 wrote to memory of 944	2100	{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe	109
PID 4704 wrote to memory of 2932	4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe	110
PID 4704 wrote to memory of 2932	4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe	110
PID 4704 wrote to memory of 2932	4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe	110
PID 4704 wrote to memory of 2692	4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe	111
PID 4704 wrote to memory of 2692	4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe	111
PID 4704 wrote to memory of 2692	4704	{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe	111
PID 2932 wrote to memory of 5012	2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe	112
PID 2932 wrote to memory of 5012	2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe	112
PID 2932 wrote to memory of 5012	2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe	112
PID 2932 wrote to memory of 4896	2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe	113
PID 2932 wrote to memory of 4896	2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe	113
PID 2932 wrote to memory of 4896	2932	{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe	113
PID 5012 wrote to memory of 392	5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe	114
PID 5012 wrote to memory of 392	5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe	114
PID 5012 wrote to memory of 392	5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe	114
PID 5012 wrote to memory of 4832	5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe	115
PID 5012 wrote to memory of 4832	5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe	115
PID 5012 wrote to memory of 4832	5012	{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe	115
PID 392 wrote to memory of 3760	392	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe	116
PID 392 wrote to memory of 3760	392	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe	116
PID 392 wrote to memory of 3760	392	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe	116
PID 392 wrote to memory of 4628	392	{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_9dbf5d744873cb1e25a96ceca175fb8f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe
  C:\Windows\{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\{481698FB-E972-4691-AB3E-825286DBEE25}.exe
    C:\Windows\{481698FB-E972-4691-AB3E-825286DBEE25}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe
      C:\Windows\{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe
        
        C:\Windows\{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Windows\{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe
        
        C:\Windows\{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe
        
        C:\Windows\{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe
        
        C:\Windows\{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe
        
        C:\Windows\{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe
        
        C:\Windows\{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe
        
        C:\Windows\{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe
        
        C:\Windows\{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\{021F0A61-AC9F-4946-9D4E-11280D71EBB9}.exe
        
        C:\Windows\{021F0A61-AC9F-4946-9D4E-11280D71EBB9}.exe
        13⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F72FD~1.EXE > nul
        13⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{942DA~1.EXE > nul
        12⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92279~1.EXE > nul
        11⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{605CD~1.EXE > nul
        10⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C1D8~1.EXE > nul
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{268C4~1.EXE > nul
        8⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08A37~1.EXE > nul
        7⤵
        
        PID:5080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21EBB~1.EXE > nul
        6⤵
        
        PID:1400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B541~1.EXE > nul
        5⤵
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{48169~1.EXE > nul
      4⤵
      PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAB0~1.EXE > nul
    3⤵
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{021F0A61-AC9F-4946-9D4E-11280D71EBB9}.exe

Filesize
168KB

MD5
20e5cbf49bdd47962933db08f6bcc173

SHA1
0836b6919bc3a62f4ff905f3a408b921af516988

SHA256
608e8df4e98feecc86ad33c49463d6d3dce372521247ce5d9847293bca973024

SHA512
224c3a8c6bc94e27657c1708ad922260fdf336c49c273745f174506d1bf0786996afb3e70b60e092a055604c11eb41704a2a400f2181c3cfcc55fb1abe1d9d70

Download Submit
C:\Windows\{08A37B8B-6E16-4e62-BDC3-29BAB32D977E}.exe

Filesize
168KB

MD5
1e7f402cded8d1c109a898dcde6ba144

SHA1
ff2012f8cc6442899bd01b87e473972325a1ac62

SHA256
1745c500fa10d6be5a126a85e248bedc73ab37218b257967544ca76453d0f31c

SHA512
38aad47d806e7e5ba5f1482f9ab601e840eaab961d582e3638535af48c0ce61656e9e72db5a568ec022c6bf048ebb922ebc0afab74331ab06a228db02ea506a2

Download Submit
C:\Windows\{21EBBE0A-1130-45be-BA42-93BCF0DFF790}.exe

Filesize
168KB

MD5
c78a53a423c22d8b7b31a1a6fed776a4

SHA1
718b5184bc739848dea04f2b2919167a815e39fe

SHA256
daf02f9d7ba4c74124722d0f3ed685c9b7788314aa8199bacb65c5c280c932c9

SHA512
c9c3c362539e1679e966ed8c874f03a4474e823c1c4f5ad8ff4e68d6510ac6f76388b7fb0976ca98295837620843a686f8cc73e5944d0d5d1418d9f6bce50c39

Download Submit
C:\Windows\{268C4B74-E421-46fd-B5FE-212CC97327EA}.exe

Filesize
168KB

MD5
eb9a433aa93c3a8ee20a32516cb50d0f

SHA1
e25926634ec4fa628bb2deb213d194722070757d

SHA256
4624b91a753f44e535969c04f33da162c29798d60f7b7731123bb1540330cb2a

SHA512
188f9aba5ae19d609ffe9a6ab1d967af71f3fa8e283bfc693aff7aef45d2468b815af5360943ae2f2f10b5e3449ccac96d165259d84e5279e7ce3c7c71e066e3

Download Submit
C:\Windows\{481698FB-E972-4691-AB3E-825286DBEE25}.exe

Filesize
168KB

MD5
ab7f25ab1adfbdb2ca900cbf181b2fea

SHA1
516cc6786254fedf9e4e342a47c442a8b10a9b55

SHA256
80a132d4e80605ae81e206c84cf8271bff964bc509f5e79d0e9e61831c72bcdc

SHA512
7e7afa6d23e06778e5d395b67daa4d7405b50a78c7a6e1777d54ae414145d3c4e3bd6339a99b63e449562df0df51e57e4606fd6983028207a56180e7c59b7471

Download Submit
C:\Windows\{605CDD4C-AE3A-4ce4-9577-22A1B5AB5D3E}.exe

Filesize
168KB

MD5
2968e0bf827aed4237453a16ad4fb67f

SHA1
425469e0ead5d85ded7e2a7b50fb960a2edad9c8

SHA256
ac09337b2b158283a926fa68a7170bb5c99eb762206f92bb2809d87d2ac9444d

SHA512
dc1026ba1f0b9fffb98a7e51ed94230d25f3f828979d6be0f2103fa7ad5def2fe40de47a26e7d4d7e6ecb8f34c79b6a30e265589b837fb22bd57de353d3b6940

Download Submit
C:\Windows\{6C1D8ED7-605A-4b31-8CFE-A346E741CFD4}.exe

Filesize
168KB

MD5
7181b6645d2a86ea3a9bfe84bc45275f

SHA1
5cc40130923169bce8a374fde673b3820b1cb7e5

SHA256
52d6f8604548ce37e69c157564bb9d43f5799ed34588b5847a5264db8cecc6d9

SHA512
f5fc5f1fc060e8e6ee426f4c2d4f90fc01078a1f7336b96c4efaf2c593463cb3562d3d770a28318e84a32d7cc98e54a806ddb0123c0fc879e5e57ee7cb71f146

Download Submit
C:\Windows\{92279C5C-FDAF-4f62-A1D0-677D128616A7}.exe

Filesize
168KB

MD5
d09f175940a8188f2874627bb8d2fe6a

SHA1
e939e4dcabffb4a9b7b3e08005fbb31ab2a9a2fc

SHA256
cda1edda64bfae57ab8d7f262995e366d3912fe03e02d09469bc2c6819ef572e

SHA512
46b33f7281781afcbc234e423c5d913b1a4272673db0d30bf48dc070c9a5f3393a47af301018746f75be1b253e1f7020fd0c7a39c8756503769e5734635a6ecb

Download Submit
C:\Windows\{942DA72F-12CC-4b78-86D0-95F322DE84DB}.exe

Filesize
168KB

MD5
6daa2a8577e8fa76531e8c6ba8e0e8f5

SHA1
51c3e5c6e1b4220b1e068fc3a0c119a25f19b08b

SHA256
e3c919fafa083bb0a1f77dd77b784da454e09922366d9fbe2a8083382247fd2e

SHA512
935b10e5982da8078df68c3b7ac12948ad8550cc37ae0e9ddd3414bb05398438a52639b533f4b6a89551fe176b53379a820c47d607b5c48fdaec05f57b4ca9cb

Download Submit
C:\Windows\{9B5416F6-D27B-45a7-9A25-DFF414E7808E}.exe

Filesize
168KB

MD5
867f7e435342698b255188c3a4b94e08

SHA1
81d17487908debaaec73e6c8f2e20ec65849b1c2

SHA256
e7b1b2dec47994de1e124cc0da28804e33d68fd29c03cd045dd26f0c74e41c5f

SHA512
0c3998703f27656aad72134299c91e4a36176392c21692c6436521398416d58f2038cec533a7d5b911c673d3117b114c6d0214f61bbc4c15a611720b15baedc0

Download Submit
C:\Windows\{CFAB043B-8F05-4c48-8C0F-59DEF69C8F96}.exe

Filesize
168KB

MD5
94f3cca89ae5e1c216dc0cd0c8ade927

SHA1
60360b18990b583d51c71db724a61758f1cff5e4

SHA256
fb5d3af3d004879db612b1dc56c82bc849425dc8eb74b2dc006755b599baf580

SHA512
370cd0918500f2d8e310eb3c871d4341197e615db13d2bad5259da9e0e666be96729b5a8527161d9967024dc1d7507b2e22903df774855faefa87bf7aa46a514

Download Submit
C:\Windows\{F72FDBF7-4C5B-4c5f-AF4C-E6D58ADDCAEF}.exe

Filesize
168KB

MD5
ec64f9e255bb51f2c506b0323205978b

SHA1
8ff6f33da97a3c0984b959ca2ea64fb26092b4db

SHA256
86e8067f234bafc882a76d36fb9e965ebd367cd85602333485591c3ec469bd05

SHA512
a148a39abf98cb6e20dc3e36824d70504a78a9eea480422c0473995386cddf6e994888a1a4ec5650556e182c211fac6ab1f042ee1e19d9b6619ad848ce5a78bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads