541e80f3404e2463c32d1f70ce674b7a6b18538e86f2e19e3c84de8c317e6b09

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Size

168KB
MD5

21b267991b6bdae6c8c135b96bbf717c
SHA1

a0de5c63f2eca243da4cc4867b03866b1c6af4a1
SHA256

541e80f3404e2463c32d1f70ce674b7a6b18538e86f2e19e3c84de8c317e6b09
SHA512

5b47290570525273f0e49a0ed7ecf75fe55a156c2704e37bbbbe04fe15919b1f4309f5ec64dcd40a1bb0eeeb3a820178536c02ebbd0993872d32c17451520d84
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e809-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023238-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002323f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023238-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002323f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023238-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002323f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000731-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}\stubpath = "C:\\Windows\\{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe"	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{895BDA96-191F-4a8c-AF27-7559AF68F8C4}\stubpath = "C:\\Windows\\{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe"	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C595-843B-4221-B023-C9642DDDDAC9}	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}\stubpath = "C:\\Windows\\{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe"	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A5C9C2B-1365-4709-9436-017F94637602}	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DFEA239-DEFB-4898-B979-C1907E00FC61}	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}\stubpath = "C:\\Windows\\{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe"	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468309A4-7D91-459f-B810-C1AA6FA4FC86}	{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C595-843B-4221-B023-C9642DDDDAC9}\stubpath = "C:\\Windows\\{D840C595-843B-4221-B023-C9642DDDDAC9}.exe"	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0269359E-71B8-477f-AFD3-DF77191EBE64}\stubpath = "C:\\Windows\\{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe"	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}\stubpath = "C:\\Windows\\{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe"	{2A5C9C2B-1365-4709-9436-017F94637602}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}\stubpath = "C:\\Windows\\{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe"	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{895BDA96-191F-4a8c-AF27-7559AF68F8C4}	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}\stubpath = "C:\\Windows\\{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe"	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DFEA239-DEFB-4898-B979-C1907E00FC61}\stubpath = "C:\\Windows\\{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe"	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A5C9C2B-1365-4709-9436-017F94637602}\stubpath = "C:\\Windows\\{2A5C9C2B-1365-4709-9436-017F94637602}.exe"	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}	{2A5C9C2B-1365-4709-9436-017F94637602}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468309A4-7D91-459f-B810-C1AA6FA4FC86}\stubpath = "C:\\Windows\\{468309A4-7D91-459f-B810-C1AA6FA4FC86}.exe"	{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0269359E-71B8-477f-AFD3-DF77191EBE64}	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe

Executes dropped EXE 12 IoCs

pid	Process
3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe
4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe
3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe
3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe
1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe
3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe
5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe
5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe
4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe
1348	{2A5C9C2B-1365-4709-9436-017F94637602}.exe
3552	{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe
1636	{468309A4-7D91-459f-B810-C1AA6FA4FC86}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
File created	C:\Windows\{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe
File created	C:\Windows\{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe
File created	C:\Windows\{D840C595-843B-4221-B023-C9642DDDDAC9}.exe	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe
File created	C:\Windows\{2A5C9C2B-1365-4709-9436-017F94637602}.exe	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe
File created	C:\Windows\{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe	{2A5C9C2B-1365-4709-9436-017F94637602}.exe
File created	C:\Windows\{468309A4-7D91-459f-B810-C1AA6FA4FC86}.exe	{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe
File created	C:\Windows\{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe
File created	C:\Windows\{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe
File created	C:\Windows\{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe
File created	C:\Windows\{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe
File created	C:\Windows\{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4728	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe
Token: SeIncBasePriorityPrivilege	4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe
Token: SeIncBasePriorityPrivilege	3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe
Token: SeIncBasePriorityPrivilege	3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe
Token: SeIncBasePriorityPrivilege	1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe
Token: SeIncBasePriorityPrivilege	3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe
Token: SeIncBasePriorityPrivilege	5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe
Token: SeIncBasePriorityPrivilege	5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe
Token: SeIncBasePriorityPrivilege	4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe
Token: SeIncBasePriorityPrivilege	1348	{2A5C9C2B-1365-4709-9436-017F94637602}.exe
Token: SeIncBasePriorityPrivilege	3552	{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3372	4728	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	91
PID 4728 wrote to memory of 3372	4728	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	91
PID 4728 wrote to memory of 3372	4728	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	91
PID 4728 wrote to memory of 2944	4728	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	92
PID 4728 wrote to memory of 2944	4728	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	92
PID 4728 wrote to memory of 2944	4728	2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe	92
PID 3372 wrote to memory of 4752	3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe	96
PID 3372 wrote to memory of 4752	3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe	96
PID 3372 wrote to memory of 4752	3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe	96
PID 3372 wrote to memory of 3732	3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe	97
PID 3372 wrote to memory of 3732	3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe	97
PID 3372 wrote to memory of 3732	3372	{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe	97
PID 4752 wrote to memory of 3628	4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe	99
PID 4752 wrote to memory of 3628	4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe	99
PID 4752 wrote to memory of 3628	4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe	99
PID 4752 wrote to memory of 1356	4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe	100
PID 4752 wrote to memory of 1356	4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe	100
PID 4752 wrote to memory of 1356	4752	{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe	100
PID 3628 wrote to memory of 3616	3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe	101
PID 3628 wrote to memory of 3616	3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe	101
PID 3628 wrote to memory of 3616	3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe	101
PID 3628 wrote to memory of 1104	3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe	102
PID 3628 wrote to memory of 1104	3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe	102
PID 3628 wrote to memory of 1104	3628	{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe	102
PID 3616 wrote to memory of 1580	3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe	103
PID 3616 wrote to memory of 1580	3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe	103
PID 3616 wrote to memory of 1580	3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe	103
PID 3616 wrote to memory of 3080	3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe	104
PID 3616 wrote to memory of 3080	3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe	104
PID 3616 wrote to memory of 3080	3616	{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe	104
PID 1580 wrote to memory of 3952	1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe	105
PID 1580 wrote to memory of 3952	1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe	105
PID 1580 wrote to memory of 3952	1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe	105
PID 1580 wrote to memory of 3936	1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe	106
PID 1580 wrote to memory of 3936	1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe	106
PID 1580 wrote to memory of 3936	1580	{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe	106
PID 3952 wrote to memory of 5040	3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe	107
PID 3952 wrote to memory of 5040	3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe	107
PID 3952 wrote to memory of 5040	3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe	107
PID 3952 wrote to memory of 716	3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe	108
PID 3952 wrote to memory of 716	3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe	108
PID 3952 wrote to memory of 716	3952	{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe	108
PID 5040 wrote to memory of 5036	5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe	109
PID 5040 wrote to memory of 5036	5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe	109
PID 5040 wrote to memory of 5036	5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe	109
PID 5040 wrote to memory of 536	5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe	110
PID 5040 wrote to memory of 536	5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe	110
PID 5040 wrote to memory of 536	5040	{D840C595-843B-4221-B023-C9642DDDDAC9}.exe	110
PID 5036 wrote to memory of 4436	5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe	111
PID 5036 wrote to memory of 4436	5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe	111
PID 5036 wrote to memory of 4436	5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe	111
PID 5036 wrote to memory of 4468	5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe	112
PID 5036 wrote to memory of 4468	5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe	112
PID 5036 wrote to memory of 4468	5036	{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe	112
PID 4436 wrote to memory of 1348	4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe	113
PID 4436 wrote to memory of 1348	4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe	113
PID 4436 wrote to memory of 1348	4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe	113
PID 4436 wrote to memory of 1252	4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe	114
PID 4436 wrote to memory of 1252	4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe	114
PID 4436 wrote to memory of 1252	4436	{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe	114
PID 1348 wrote to memory of 3552	1348	{2A5C9C2B-1365-4709-9436-017F94637602}.exe	115
PID 1348 wrote to memory of 3552	1348	{2A5C9C2B-1365-4709-9436-017F94637602}.exe	115
PID 1348 wrote to memory of 3552	1348	{2A5C9C2B-1365-4709-9436-017F94637602}.exe	115
PID 1348 wrote to memory of 1980	1348	{2A5C9C2B-1365-4709-9436-017F94637602}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_21b267991b6bdae6c8c135b96bbf717c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe
  C:\Windows\{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe
    C:\Windows\{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe
      C:\Windows\{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe
        
        C:\Windows\{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Windows\{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe
        
        C:\Windows\{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe
        
        C:\Windows\{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{D840C595-843B-4221-B023-C9642DDDDAC9}.exe
        
        C:\Windows\{D840C595-843B-4221-B023-C9642DDDDAC9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe
        
        C:\Windows\{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe
        
        C:\Windows\{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{2A5C9C2B-1365-4709-9436-017F94637602}.exe
        
        C:\Windows\{2A5C9C2B-1365-4709-9436-017F94637602}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe
        
        C:\Windows\{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\{468309A4-7D91-459f-B810-C1AA6FA4FC86}.exe
        
        C:\Windows\{468309A4-7D91-459f-B810-C1AA6FA4FC86}.exe
        13⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8AB4~1.EXE > nul
        13⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A5C9~1.EXE > nul
        12⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CE20~1.EXE > nul
        11⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02693~1.EXE > nul
        10⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D840C~1.EXE > nul
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A2CA~1.EXE > nul
        8⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{895BD~1.EXE > nul
        7⤵
        
        PID:3936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ECEF~1.EXE > nul
        6⤵
        
        PID:3080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CDD5~1.EXE > nul
        5⤵
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1EB26~1.EXE > nul
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2DFEA~1.EXE > nul
    3⤵
    PID:3732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0269359E-71B8-477f-AFD3-DF77191EBE64}.exe

Filesize
168KB

MD5
2e7fe92ca89f73404bf16d2d8d1984f8

SHA1
3b602794cfbef4116816e48b34ae44cdbf9e2e24

SHA256
882180c76b0e9467f78c538455deb3a0aa5c4c01d02cf8c17eea722998df1ebc

SHA512
72a5e445bcaaf2845d562d0e5cae30190aae8a8234934f6a83af6ea8cfdb3b0353eef1d9d99e0349faec6598a46c3d0be16cd0d25b22aaf89dfd6d17f739112c

Download Submit
C:\Windows\{1EB26B2C-C4C1-48c2-AC6E-766D102B8FA4}.exe

Filesize
168KB

MD5
46801d686747a73697402be4ebb5a0ec

SHA1
5cc4f92af4f6a830095ef6103ba63a10ec37a005

SHA256
bc08c09c8ebd98d099020973a79ffcde3516d5e5e9e40138e079ce70f8b0c298

SHA512
8ae0dbe699d73f6046f8e5979e2b897f370b167746c7d941b6123159f329d84a1dbe40cd63b4708cde28338a129b0441869147f00daf82d3bc2ff9b4261f34e7

Download Submit
C:\Windows\{2A5C9C2B-1365-4709-9436-017F94637602}.exe

Filesize
168KB

MD5
e58dcde87e67840fd322c8ebf23970c7

SHA1
a0bb3328e21228c6193bfab5eee9a69cfa86c9cf

SHA256
733ddaa8a9437d2890ef7c9c78a1a4b0832e9a16793bb723ae733f99ef4dbdbe

SHA512
e97ee1d5336ee93827ec87e822bb8371958341f78c9846d09aeb11cfbe1384534fa94f71185514da06d7909316b546928a23f09cb8837f4bb0fb6c8df7b61b7b

Download Submit
C:\Windows\{2DFEA239-DEFB-4898-B979-C1907E00FC61}.exe

Filesize
168KB

MD5
778a9484d89578753192c3519a36c870

SHA1
16168af8543268b89d52a18ab0db8862a18e2712

SHA256
50c1d0911ba47e56da60c57288e05bb72d228519c221bcedc327744b283fef71

SHA512
6bd6deb9dbdbf6ce03fdd2bd5fb256231c9d6976d30e40fa8980ee145ab035c99c42728a8ddef98104a775ac7349342c5cdb3ad366d8d94f056f21eaafec9830

Download Submit
C:\Windows\{468309A4-7D91-459f-B810-C1AA6FA4FC86}.exe

Filesize
168KB

MD5
a79d45bd04a6015aebaa3237bb1e5f90

SHA1
f2eebc987bde3cf9c5526b248bfff66e54e30a06

SHA256
2cbb2e5d1f9586b863889ec5bd9fd323f1576c18a115cf43868fd11bc37b4192

SHA512
72641b7f7bd4ab45a6655392b9f60f5bd98a3694076030b8029da40774d75424c01595fd6e57ab056077d0e7fc0c5eb670b9b00ad952aa9bcdfed1cb72454051

Download Submit
C:\Windows\{4CE2078F-37D9-4d1d-85BE-4BDB8857518E}.exe

Filesize
168KB

MD5
66ee0c96deb9597bfa7aff8966922ea8

SHA1
b7351074cfc49dc5f8e40c7229f08c4fa75c6d63

SHA256
6ff92b583bbcd39d976ce3cd6ac99298bcd6dd4e7f0bfd92830de33c78476abb

SHA512
f3353c6e3f8a9a1fc370aed94780cbe1ef6a9307216ae3ea0122374d7bd917699ec58459800dc2860e9f8055a19a8f4f4e26ff69b2e4addcec80c46e2dac3177

Download Submit
C:\Windows\{7A2CA33B-5E50-4244-AE9A-648F43ED42BF}.exe

Filesize
168KB

MD5
a30db3e5246e8cf18ed1d2cf38190fd4

SHA1
f1858a4df062f97e6b9fdad62e401693b2003d97

SHA256
479a1696248ec5ca17fa374427cddec8b47d53f26fe330d6acd325fac9bdfeae

SHA512
1281aa0700d478fb4f12bd6ecfbb301a07b97027e5cf3cf33a0f4bd005a30a0d9f2c23f4bc8751d4e511ee7a7fa0f2f46e8a5e160ac1cc6c24db1f7235c0c807

Download Submit
C:\Windows\{7CDD512A-F335-4fe1-AF14-8B291B2A8ED0}.exe

Filesize
168KB

MD5
f7060d7d9ef7b91bcbe5267dc2dc6536

SHA1
71a21ca4d48a8afe7c3ce91ceb75f492fe842fc3

SHA256
bda0c0e93b87a7bba8e65499bd17ca2ff2c3d2481fb1a39f8606b4a2198f26e2

SHA512
c41f1d5667a7bd80323d77dffac6c86fe9f94a857b1f08334b5e9398f2bd649dae5629922c4db7b4ab4cc69940199cd560a16eef4f83238d09b17f87fe0ec157

Download Submit
C:\Windows\{7ECEFDC5-6F40-49c2-803E-7F76AD0277FF}.exe

Filesize
168KB

MD5
f5949263d7bec1a67925da40e7715c05

SHA1
2285230240f386c748752b1ade3c799208450994

SHA256
c38d6eb80dcf3330fbf9c6e14a3dd70e8f66d44c9563580bb04b3dbe193cda4b

SHA512
9b7838c15ea4cb6a2a80a2105185109ee6fbbaf31d1713008ea5c18cde908680a79696e89f94d2a3c4fd2c809defbda037914e6a946d1f225b0e52ed15fae087

Download Submit
C:\Windows\{895BDA96-191F-4a8c-AF27-7559AF68F8C4}.exe

Filesize
168KB

MD5
afdd544b909aa5f18d653cb19b14e3cd

SHA1
d4547775b1a2ec1ce716bbdeef0d4c9a20bfd612

SHA256
e2d0263f6a7409f01acdc05533bdbd745c62903de7df17edfa88a2fce7a23aee

SHA512
6345ec208305cb0ed78b2c1cec7f66fee396fd7088dcb90febff3f3bd85d2afd6277a2348fee7063bcf491ff3cac75154a049984a8703d49409a45ca9213126a

Download Submit
C:\Windows\{D840C595-843B-4221-B023-C9642DDDDAC9}.exe

Filesize
168KB

MD5
6c60b7bacbab7509edf83abffea60df0

SHA1
e40765aa8915431c828c84f67d6e8f5948722fac

SHA256
f244650154c8648afc033f67c9982816a25d031fa74142320b4ca21a09617191

SHA512
812b3426a4485c3b17e34e2e0f49636ba9806a6f28587efe1ca83750f67dd148995b47a6953473dc34f5b4070b1df62af84051a25e94deac993949cf1ddbe6d3

Download Submit
C:\Windows\{E8AB444F-E4A9-41e7-8ACE-AE24DE8E08E3}.exe

Filesize
168KB

MD5
288cb2b61cdf978c51920cac48299265

SHA1
2820a09fe917188cd4e375fa3bc6637a47589c1d

SHA256
f42c4c0599c3d0cf90a2cd74603fd3d84e091a5e9a1c93a7869604dd2e6a9138

SHA512
6d7a96907b9f5a081d448c8bb68d69b375d3475376346e79d345a0fa2919545f42226d3d1ce49f9c0ffaa30481591ac9b101dc71ec62a52779bea91b1281208e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads