c44b3fad0da219f46dd924393df8c1495957e0777d525f1a625b2a25dc295a47

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 14:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Size

192KB
MD5

0d9394ad5a802647767b7c37a5e4d70f
SHA1

2c6768acd0e75ab679da885f50eeaa0b5d83e0d4
SHA256

c44b3fad0da219f46dd924393df8c1495957e0777d525f1a625b2a25dc295a47
SHA512

587db6453da23c85db83f2c4cba05e10e356c63275b5a046e97156339b573a4cf7ae5a83f764ec45c47ce879cdcecaa83c798f6f0d535b20631be3acba385a21
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oAl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023155-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023234-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322e-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023234-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322e-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023234-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000073d-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072f-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}\stubpath = "C:\\Windows\\{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe"	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB36B7D-7FFA-4334-854C-853165683B83}\stubpath = "C:\\Windows\\{7EB36B7D-7FFA-4334-854C-853165683B83}.exe"	{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51376CC6-6B42-4302-A252-85F511F9F67D}\stubpath = "C:\\Windows\\{51376CC6-6B42-4302-A252-85F511F9F67D}.exe"	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}\stubpath = "C:\\Windows\\{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe"	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}\stubpath = "C:\\Windows\\{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe"	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}\stubpath = "C:\\Windows\\{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe"	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB36B7D-7FFA-4334-854C-853165683B83}	{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}\stubpath = "C:\\Windows\\{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe"	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}\stubpath = "C:\\Windows\\{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe"	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C923F51-A017-458d-8262-C0FBC425928A}	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}	{2C923F51-A017-458d-8262-C0FBC425928A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}\stubpath = "C:\\Windows\\{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe"	{2C923F51-A017-458d-8262-C0FBC425928A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51376CC6-6B42-4302-A252-85F511F9F67D}	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}\stubpath = "C:\\Windows\\{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe"	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}\stubpath = "C:\\Windows\\{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe"	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C923F51-A017-458d-8262-C0FBC425928A}\stubpath = "C:\\Windows\\{2C923F51-A017-458d-8262-C0FBC425928A}.exe"	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe
2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe
3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe
3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe
2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe
3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe
3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe
2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe
4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe
3068	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe
4348	{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe
2368	{7EB36B7D-7FFA-4334-854C-853165683B83}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
File created	C:\Windows\{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe
File created	C:\Windows\{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe
File created	C:\Windows\{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe
File created	C:\Windows\{2C923F51-A017-458d-8262-C0FBC425928A}.exe	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe
File created	C:\Windows\{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe	{2C923F51-A017-458d-8262-C0FBC425928A}.exe
File created	C:\Windows\{7EB36B7D-7FFA-4334-854C-853165683B83}.exe	{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe
File created	C:\Windows\{51376CC6-6B42-4302-A252-85F511F9F67D}.exe	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe
File created	C:\Windows\{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe
File created	C:\Windows\{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe
File created	C:\Windows\{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe
File created	C:\Windows\{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4352	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe
Token: SeIncBasePriorityPrivilege	2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe
Token: SeIncBasePriorityPrivilege	3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe
Token: SeIncBasePriorityPrivilege	3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe
Token: SeIncBasePriorityPrivilege	2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe
Token: SeIncBasePriorityPrivilege	3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe
Token: SeIncBasePriorityPrivilege	3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe
Token: SeIncBasePriorityPrivilege	2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe
Token: SeIncBasePriorityPrivilege	4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe
Token: SeIncBasePriorityPrivilege	3068	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe
Token: SeIncBasePriorityPrivilege	4348	{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 3740	4352	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	95
PID 4352 wrote to memory of 3740	4352	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	95
PID 4352 wrote to memory of 3740	4352	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	95
PID 4352 wrote to memory of 1520	4352	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	96
PID 4352 wrote to memory of 1520	4352	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	96
PID 4352 wrote to memory of 1520	4352	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	96
PID 3740 wrote to memory of 2244	3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe	97
PID 3740 wrote to memory of 2244	3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe	97
PID 3740 wrote to memory of 2244	3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe	97
PID 3740 wrote to memory of 4020	3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe	98
PID 3740 wrote to memory of 4020	3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe	98
PID 3740 wrote to memory of 4020	3740	{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe	98
PID 2244 wrote to memory of 3140	2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe	100
PID 2244 wrote to memory of 3140	2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe	100
PID 2244 wrote to memory of 3140	2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe	100
PID 2244 wrote to memory of 3240	2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe	101
PID 2244 wrote to memory of 3240	2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe	101
PID 2244 wrote to memory of 3240	2244	{51376CC6-6B42-4302-A252-85F511F9F67D}.exe	101
PID 3140 wrote to memory of 3852	3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe	102
PID 3140 wrote to memory of 3852	3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe	102
PID 3140 wrote to memory of 3852	3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe	102
PID 3140 wrote to memory of 3416	3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe	103
PID 3140 wrote to memory of 3416	3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe	103
PID 3140 wrote to memory of 3416	3140	{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe	103
PID 3852 wrote to memory of 2388	3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe	104
PID 3852 wrote to memory of 2388	3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe	104
PID 3852 wrote to memory of 2388	3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe	104
PID 3852 wrote to memory of 960	3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe	105
PID 3852 wrote to memory of 960	3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe	105
PID 3852 wrote to memory of 960	3852	{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe	105
PID 2388 wrote to memory of 3160	2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe	106
PID 2388 wrote to memory of 3160	2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe	106
PID 2388 wrote to memory of 3160	2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe	106
PID 2388 wrote to memory of 3148	2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe	107
PID 2388 wrote to memory of 3148	2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe	107
PID 2388 wrote to memory of 3148	2388	{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe	107
PID 3160 wrote to memory of 3828	3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe	108
PID 3160 wrote to memory of 3828	3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe	108
PID 3160 wrote to memory of 3828	3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe	108
PID 3160 wrote to memory of 4968	3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe	109
PID 3160 wrote to memory of 4968	3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe	109
PID 3160 wrote to memory of 4968	3160	{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe	109
PID 3828 wrote to memory of 2852	3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe	110
PID 3828 wrote to memory of 2852	3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe	110
PID 3828 wrote to memory of 2852	3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe	110
PID 3828 wrote to memory of 1516	3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe	111
PID 3828 wrote to memory of 1516	3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe	111
PID 3828 wrote to memory of 1516	3828	{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe	111
PID 2852 wrote to memory of 4840	2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe	112
PID 2852 wrote to memory of 4840	2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe	112
PID 2852 wrote to memory of 4840	2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe	112
PID 2852 wrote to memory of 4972	2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe	113
PID 2852 wrote to memory of 4972	2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe	113
PID 2852 wrote to memory of 4972	2852	{2C923F51-A017-458d-8262-C0FBC425928A}.exe	113
PID 4840 wrote to memory of 3068	4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe	114
PID 4840 wrote to memory of 3068	4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe	114
PID 4840 wrote to memory of 3068	4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe	114
PID 4840 wrote to memory of 1328	4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe	115
PID 4840 wrote to memory of 1328	4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe	115
PID 4840 wrote to memory of 1328	4840	{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe	115
PID 3068 wrote to memory of 4348	3068	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe	116
PID 3068 wrote to memory of 4348	3068	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe	116
PID 3068 wrote to memory of 4348	3068	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe	116
PID 3068 wrote to memory of 4936	3068	{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe
  C:\Windows\{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\{51376CC6-6B42-4302-A252-85F511F9F67D}.exe
    C:\Windows\{51376CC6-6B42-4302-A252-85F511F9F67D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe
      C:\Windows\{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Windows\{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe
        
        C:\Windows\{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
      - C:\Windows\{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe
        
        C:\Windows\{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe
        
        C:\Windows\{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe
        
        C:\Windows\{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{2C923F51-A017-458d-8262-C0FBC425928A}.exe
        
        C:\Windows\{2C923F51-A017-458d-8262-C0FBC425928A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe
        
        C:\Windows\{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe
        
        C:\Windows\{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe
        
        C:\Windows\{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\{7EB36B7D-7FFA-4334-854C-853165683B83}.exe
        
        C:\Windows\{7EB36B7D-7FFA-4334-854C-853165683B83}.exe
        13⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE82C~1.EXE > nul
        13⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60FC5~1.EXE > nul
        12⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EADB~1.EXE > nul
        11⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C923~1.EXE > nul
        10⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1C0C~1.EXE > nul
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F7DD~1.EXE > nul
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0107E~1.EXE > nul
        7⤵
        
        PID:3148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{542AE~1.EXE > nul
        6⤵
        
        PID:960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3EF5~1.EXE > nul
        5⤵
        
        PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51376~1.EXE > nul
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3E28B~1.EXE > nul
    3⤵
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0107E238-71C4-49fc-8BB9-8B4B18AC70D3}.exe

Filesize
192KB

MD5
d8f64f744b26db710ec2343e2ea701a6

SHA1
e11c43b5f78cc97b68de615f2f7370a1f60b3a31

SHA256
c6d19482cc3bcb4dbd1a846472c1b2af3a1d34d5d85473b1605f04b306b17569

SHA512
436a221825bec1c368e9246dabceca222c2079e86fd65d59d083da772ca73c65c88f3f4fc46d5e29c277fbd4210604568f4a66ce20fc0f12eba4f7427923c336

Download Submit
C:\Windows\{1EADBD6B-CB41-4ec3-B874-9B6597B336D8}.exe

Filesize
192KB

MD5
b65aa473c90fce9bd48db8d553dc72ac

SHA1
de5cdb3f690584f2386879bbdad609850f68d2c6

SHA256
28a6318e88d4308516da5e209422c6c67de7c72283cf1043a613c2a9ee923524

SHA512
95e72f6704b656bc5dd327acded2da3b4112b792b89d680dce3f87570090b04d19513a12a8874ad643003984d76dc473829d4ea8a75f03d8bf333c540b5bc329

Download Submit
C:\Windows\{1F7DD312-97CB-42ad-A409-A1C9F0C72BDD}.exe

Filesize
192KB

MD5
24ef4aed0b244291795737c1daee07f8

SHA1
a7c3c7d7edc8f0f7f71e049429b2b2c9ebeb598b

SHA256
681e7e622019c24b227785faa90cdf133ed5660ccaa684830a7826d95cccff39

SHA512
d57771a8b6910447efbe6fdaf14ac08293e3c7e44a651e70432515c73343d9cc18660b82db3eabd0d1ef74473acc5d70c3cf4258c767121d0350b403a1b6c0e6

Download Submit
C:\Windows\{2C923F51-A017-458d-8262-C0FBC425928A}.exe

Filesize
192KB

MD5
3dcb327a062d360661845f24c48bfa77

SHA1
a8352ec55fb9c45c5976ad7a37d4950384f66bd6

SHA256
6816caae8469a846f64c8f93b488582da954b76fac80ccf894f0992e1e7b261f

SHA512
84596e98d25716907923a23385ebdd860087b0e46c158565e06bcd29b07a7c3c4e1b4c0198b757e62b50197fb12de5d1b1ea67d5f33b606f7a3ffaa507436db6

Download Submit
C:\Windows\{3E28B1AD-BBF8-48bd-A5AE-6AEFF2E18BEC}.exe

Filesize
192KB

MD5
597e3f32f4a0c39716eb7c74f15f585b

SHA1
54006b37f67bedc17290330932f1ae6fd564e90a

SHA256
765ebce937c90197fccf49d14765ab3231baf1947693370d213fd6b4a10664f6

SHA512
feff694cb770008b0be57fdfaa7e59982dddc6abcccc9bed3339e90b394ae7d13abd337d2f134f0ceb1e1752131a8c36e8a487e813b40bba7cd8248dbc3b9e03

Download Submit
C:\Windows\{51376CC6-6B42-4302-A252-85F511F9F67D}.exe

Filesize
192KB

MD5
58981fe3a01762b8270d126b2c78da4e

SHA1
b1f5e6e0c9cf10e5fecd1c8ceb146a6260cfe398

SHA256
9560c0f03173141e9b1c4efa949d99ace6f03abcefb7acc1b98a0c9f777c2f9d

SHA512
c2ef8c55bd76519c673df7b2f6a71a137ed1513b4bd5495874c55886ab71008a4863c239c47186622b2be89e2eebda7d1e10a5b3ebd9208542bcee4da45ef0a3

Download Submit
C:\Windows\{542AEB96-DA58-40ff-AEF3-6AC03D2AA3EF}.exe

Filesize
192KB

MD5
fa14cc83927d59025d800e60c4246606

SHA1
4d25b61b804f2510cbea4dd71c46fb331ad482ac

SHA256
80e8728c0574649e36c8515bb55eac16958d442d6690711897e105e91beb9964

SHA512
b6003ebc80ca38089a062400ecee02c645afd9a2ab6be95beece0846879716dc942cec8cddb351ea5690ad0421d88e7a0029464b93db70db57ee6942a47d9758

Download Submit
C:\Windows\{60FC5449-BC40-47a8-B8E1-7B0AD41F4626}.exe

Filesize
192KB

MD5
dc532960318d38a0b68baddd935dc4e7

SHA1
c8f9f0b4fdb02f5e315ec423c08762aa57b72691

SHA256
7457a9b921e7df32fdc215ff393a371adc96a67b735627e7ef44c9e752ca5eac

SHA512
c7973991610faa8711657e79f2373fae2107247d1bc1e2216efea02cee29f8dabd7ba1c5d507a6d41f0b29d4cc5c0e0e5793e513b5443bc098382ba432614064

Download Submit
C:\Windows\{7EB36B7D-7FFA-4334-854C-853165683B83}.exe

Filesize
192KB

MD5
137bfa906855b7af4d40ca637f8fb02c

SHA1
abc326eacf0094cc7f61fd34d323d56811bf6896

SHA256
40711ce6913f654499b04a76cf6d4a9fb19c286c1210eb9263397800aa7aef97

SHA512
465d6b852f34910cc912bddcfad39e15732789ce060f74a8789f705c836b8eae825bc316aa83452b3c29d9b4fc5ed589f0a3e726f8284ddbc5747c5f0f7aa3a1

Download Submit
C:\Windows\{E3EF563A-0FFA-4193-BB13-C6A6BA8EE247}.exe

Filesize
192KB

MD5
ac3d7afd49461a0baa4da33dce1d1d46

SHA1
778037305706429f6b94f01442e36d2146e251b9

SHA256
cd145d03102cd0d4e1f45ef8db342080ca20a6fffdd15692b1dd98be431de040

SHA512
0a60000dc2d5847cbd64a4fab6e3fb7e1d396b069dfed915cc09700b5218991eff08961ca9cd6ac6effe5e243040e003c7a4a600a7028449c8c502d2392e8344

Download Submit
C:\Windows\{F1C0CBAC-ABAE-41de-A71B-11D4F43C710C}.exe

Filesize
192KB

MD5
5a2d954ef5504918cefde4ae911e9633

SHA1
53db05f915af3dbbe759c1cbb0a804456fb4fc1b

SHA256
efbbcfe60f4a2765e5e8ba58f3e42553598ea02fda53e4f9c2bce0486ee885c3

SHA512
f552a738f4e2fc36b1c4eff14f61e0a3f1f2190e04f6ce24abfe7abd47158fc0c896aac72cae8a15c7b8a93ad6a50c682bdec4c7c76b80d47f2bc436ae016ac0

Download Submit
C:\Windows\{FE82C92C-EE41-4b35-B1DB-F5C65BA6EB86}.exe

Filesize
192KB

MD5
9538710d37f8302d91e8c61bbbd06523

SHA1
618608a3ade99c15ca092cf5bf2b562576ab9af7

SHA256
e566892e3d3cd40f2df076a531a7a01c9b27f617d45318d474903699fdf949e7

SHA512
422907f7852cd9b7cf9f819afa09f8b61c708a06adb3dc21c30a0a782d38deff637f4c19c9d6f4df9bc435d1055d65c28f76329849aa19a1407009a18d8c8089

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads