4ca03702b65c2a6b55cd64a3f129c5276769b5c7c183bdb31b03078a2c3d6663

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Size

192KB
MD5

f797d23d54142b2ee88b93e80052a1cf
SHA1

ca7f796eaf8834a23feb7439af89f40f320ba1ed
SHA256

4ca03702b65c2a6b55cd64a3f129c5276769b5c7c183bdb31b03078a2c3d6663
SHA512

16f56c62f801be76cc025866e6c825b084252f0c94ddeb7e1b7d990ace51dc62f057d1cd984495a6534623e9e36a3dd2cf56021d67d8e5041383851c547f52bf
SSDEEP

1536:1EGh0oql15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oql1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023218-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002323d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023243-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002323d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c5-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}\stubpath = "C:\\Windows\\{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe"	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}\stubpath = "C:\\Windows\\{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe"	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}\stubpath = "C:\\Windows\\{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe"	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE0C7762-6D9B-4fdf-A353-5411BA727878}	{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE0C7762-6D9B-4fdf-A353-5411BA727878}\stubpath = "C:\\Windows\\{BE0C7762-6D9B-4fdf-A353-5411BA727878}.exe"	{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}\stubpath = "C:\\Windows\\{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe"	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{569EAC49-E6FC-4455-890F-48022F1FEEEB}\stubpath = "C:\\Windows\\{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe"	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}\stubpath = "C:\\Windows\\{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe"	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB3590C0-841F-472f-B51D-9F5928EC2F93}	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB3590C0-841F-472f-B51D-9F5928EC2F93}\stubpath = "C:\\Windows\\{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe"	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}\stubpath = "C:\\Windows\\{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe"	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{569EAC49-E6FC-4455-890F-48022F1FEEEB}	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F94AFA2-4AE7-437e-9035-F36A566A655E}	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20271D4-47BB-4e7c-B274-A49B1F9B494E}	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20271D4-47BB-4e7c-B274-A49B1F9B494E}\stubpath = "C:\\Windows\\{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe"	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F94AFA2-4AE7-437e-9035-F36A566A655E}\stubpath = "C:\\Windows\\{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe"	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}\stubpath = "C:\\Windows\\{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe"	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe
772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe
2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe
3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe
1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe
4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe
4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe
2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe
1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe
4032	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe
1440	{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe
4500	{BE0C7762-6D9B-4fdf-A353-5411BA727878}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BE0C7762-6D9B-4fdf-A353-5411BA727878}.exe	{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe
File created	C:\Windows\{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe
File created	C:\Windows\{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe
File created	C:\Windows\{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe
File created	C:\Windows\{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe
File created	C:\Windows\{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe
File created	C:\Windows\{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe
File created	C:\Windows\{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
File created	C:\Windows\{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe
File created	C:\Windows\{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe
File created	C:\Windows\{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe
File created	C:\Windows\{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2432	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe
Token: SeIncBasePriorityPrivilege	772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe
Token: SeIncBasePriorityPrivilege	2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe
Token: SeIncBasePriorityPrivilege	3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe
Token: SeIncBasePriorityPrivilege	1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe
Token: SeIncBasePriorityPrivilege	4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe
Token: SeIncBasePriorityPrivilege	4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe
Token: SeIncBasePriorityPrivilege	2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe
Token: SeIncBasePriorityPrivilege	1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe
Token: SeIncBasePriorityPrivilege	4032	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe
Token: SeIncBasePriorityPrivilege	1440	{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1880	2432	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	85
PID 2432 wrote to memory of 1880	2432	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	85
PID 2432 wrote to memory of 1880	2432	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	85
PID 2432 wrote to memory of 1840	2432	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	86
PID 2432 wrote to memory of 1840	2432	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	86
PID 2432 wrote to memory of 1840	2432	2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe	86
PID 1880 wrote to memory of 772	1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe	94
PID 1880 wrote to memory of 772	1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe	94
PID 1880 wrote to memory of 772	1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe	94
PID 1880 wrote to memory of 228	1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe	95
PID 1880 wrote to memory of 228	1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe	95
PID 1880 wrote to memory of 228	1880	{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe	95
PID 772 wrote to memory of 2740	772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe	97
PID 772 wrote to memory of 2740	772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe	97
PID 772 wrote to memory of 2740	772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe	97
PID 772 wrote to memory of 3368	772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe	98
PID 772 wrote to memory of 3368	772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe	98
PID 772 wrote to memory of 3368	772	{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe	98
PID 2740 wrote to memory of 3288	2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe	99
PID 2740 wrote to memory of 3288	2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe	99
PID 2740 wrote to memory of 3288	2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe	99
PID 2740 wrote to memory of 3164	2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe	100
PID 2740 wrote to memory of 3164	2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe	100
PID 2740 wrote to memory of 3164	2740	{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe	100
PID 3288 wrote to memory of 1464	3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe	101
PID 3288 wrote to memory of 1464	3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe	101
PID 3288 wrote to memory of 1464	3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe	101
PID 3288 wrote to memory of 912	3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe	102
PID 3288 wrote to memory of 912	3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe	102
PID 3288 wrote to memory of 912	3288	{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe	102
PID 1464 wrote to memory of 4532	1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe	103
PID 1464 wrote to memory of 4532	1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe	103
PID 1464 wrote to memory of 4532	1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe	103
PID 1464 wrote to memory of 4732	1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe	104
PID 1464 wrote to memory of 4732	1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe	104
PID 1464 wrote to memory of 4732	1464	{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe	104
PID 4532 wrote to memory of 4392	4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe	105
PID 4532 wrote to memory of 4392	4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe	105
PID 4532 wrote to memory of 4392	4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe	105
PID 4532 wrote to memory of 4812	4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe	106
PID 4532 wrote to memory of 4812	4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe	106
PID 4532 wrote to memory of 4812	4532	{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe	106
PID 4392 wrote to memory of 2092	4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe	107
PID 4392 wrote to memory of 2092	4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe	107
PID 4392 wrote to memory of 2092	4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe	107
PID 4392 wrote to memory of 4996	4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe	108
PID 4392 wrote to memory of 4996	4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe	108
PID 4392 wrote to memory of 4996	4392	{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe	108
PID 2092 wrote to memory of 1152	2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe	109
PID 2092 wrote to memory of 1152	2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe	109
PID 2092 wrote to memory of 1152	2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe	109
PID 2092 wrote to memory of 3344	2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe	110
PID 2092 wrote to memory of 3344	2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe	110
PID 2092 wrote to memory of 3344	2092	{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe	110
PID 1152 wrote to memory of 4032	1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe	111
PID 1152 wrote to memory of 4032	1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe	111
PID 1152 wrote to memory of 4032	1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe	111
PID 1152 wrote to memory of 640	1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe	112
PID 1152 wrote to memory of 640	1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe	112
PID 1152 wrote to memory of 640	1152	{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe	112
PID 4032 wrote to memory of 1440	4032	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe	113
PID 4032 wrote to memory of 1440	4032	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe	113
PID 4032 wrote to memory of 1440	4032	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe	113
PID 4032 wrote to memory of 4180	4032	{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_f797d23d54142b2ee88b93e80052a1cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe
  C:\Windows\{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe
    C:\Windows\{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe
      C:\Windows\{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe
        
        C:\Windows\{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe
        
        C:\Windows\{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe
        
        C:\Windows\{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe
        
        C:\Windows\{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe
        
        C:\Windows\{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe
        
        C:\Windows\{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe
        
        C:\Windows\{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe
        
        C:\Windows\{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\{BE0C7762-6D9B-4fdf-A353-5411BA727878}.exe
        
        C:\Windows\{BE0C7762-6D9B-4fdf-A353-5411BA727878}.exe
        13⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B15A~1.EXE > nul
        13⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF3B9~1.EXE > nul
        12⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F94A~1.EXE > nul
        11⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{569EA~1.EXE > nul
        10⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EFDF~1.EXE > nul
        9⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE2CD~1.EXE > nul
        8⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7729~1.EXE > nul
        7⤵
        
        PID:4732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69336~1.EXE > nul
        6⤵
        
        PID:912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB359~1.EXE > nul
        5⤵
        
        PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2027~1.EXE > nul
      4⤵
      PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{200A6~1.EXE > nul
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EFDF75D-8D96-4f9a-9783-D66B6C14EC76}.exe

Filesize
192KB

MD5
85f6e85d7743f39d387430106c5307d5

SHA1
448ba694a4bd2353ac86394b5ebf0abd9490ae02

SHA256
dacbb9f5483447628ef815343df2d0a8df10cad0935673ad87bac60a9db0bdfc

SHA512
2aac2f7a881370802982778948fb67f5ae09a5021523fb702c0b4c3a8bec8ac908120144d34c6d1c7dd975f02aff6443efaebe56757534fabd188f745ccc1a65

Download Submit
C:\Windows\{200A6FD7-9C54-4296-AD5E-EF440F75FCCF}.exe

Filesize
192KB

MD5
51d5e1d88a140c091d1ed8131f762060

SHA1
9b319040ad517b9a57a8fb2187f21827a143e3f4

SHA256
287dbb5663f0f55dcd8f04b1386f2d4357c79ec2d8d9fe8d4b7e0d0be9267fd7

SHA512
c1bcb0d7eec5174b0a4214530949b2bac3fb6984681c2a1b7fc5a1d96813941216e68d6c1c9f06292c6509fef24ac8ef30a423820fdb3d556cee1baf1a8827c2

Download Submit
C:\Windows\{2F94AFA2-4AE7-437e-9035-F36A566A655E}.exe

Filesize
192KB

MD5
0e53e7f94cee4aea6eaeac9e831649fd

SHA1
1ec4434d4db342a501ca0f4bf8dd81db9b75329b

SHA256
43179afe8027d719270f59ad2f090660a5fbc01e38db3985c63eddaa0cf3bbfb

SHA512
feee71babe1a3c9505ddbcb8ff1d4fd28dd9820ff20faffb1ef52fef1e68be52f12669607b36ecc7d60903a83821620c9c5816092d680be0e47d7887f8a6c10d

Download Submit
C:\Windows\{569EAC49-E6FC-4455-890F-48022F1FEEEB}.exe

Filesize
192KB

MD5
b5300cadc6f0b47608c5293ee480a040

SHA1
2df8dc1c28ffbac8203bbc9123f5e3d24ee414e7

SHA256
f25715827b7586b445a612bf00ba721a81a6b0131c4729a7d7b2f42106e5efb3

SHA512
096b189cf1921504ece88898019005195df7c5ae6606704e591a58c80a6ddbef678ece317e5540aabac931c2f0e8aac5db6e475946f285a3e4c5a52cdf81cb0f

Download Submit
C:\Windows\{5B15A568-B8F5-4cd7-B849-A69C0196A3DD}.exe

Filesize
192KB

MD5
5e2ce6c7d6f3148b1872f778d87badc0

SHA1
9f599694c542ef4455e8863425776e41678b646c

SHA256
76314ad858929f8449244ba201272272a9e88bb6b1d5e905776b0581ae82967e

SHA512
8ed453c691dfc599200d01bf4757c25789c162881b41e925aedc65253518840c0949346e73fe5cdd75ee86d62bec8eb72006826933acdd95981d1789019bf4dc

Download Submit
C:\Windows\{69336A47-4FF4-40a8-9FB2-A7B9E3F95459}.exe

Filesize
192KB

MD5
690596b1b6b6da1bce9095a1eb30feff

SHA1
3d58d4c5b56482726bd10cf408f699084ae91f07

SHA256
61f2aa9a8bf718a33cab0c1cb54ebedfcc68c2366afec490dfc8ac86d46fbaca

SHA512
b47a57bf5866a0c37de12ca70e16e702d57ef26eef4da6afed0c9878035438b26e3494f9d081a86adeca8ecc7cb12d989417c798ac53729888f0617348288084

Download Submit
C:\Windows\{A20271D4-47BB-4e7c-B274-A49B1F9B494E}.exe

Filesize
192KB

MD5
477de91bf4f2bc301c464f8b1fba8b23

SHA1
26b1952de07716bac8cc47f24e2c11f56104ae33

SHA256
8112d6b089f9c1380bddcf4e8a1ed44bc5651b5f75b99b3a6d411a7815fd9234

SHA512
156529e54c73afd4cdcdd3064de80f2a0e5d22821594e623a86d46c3f6d9873380ea6736e028ff9ccbbb1c3f512c6e8ee2225d8eb7ada36cc7014853a5261ed2

Download Submit
C:\Windows\{AE2CD98B-5CB2-4cc7-8ACB-9BF2A3292492}.exe

Filesize
192KB

MD5
76685abde4f00659b25f30c39548b75a

SHA1
4116f79dab3ba786b83adb1c251181463138cb3e

SHA256
b5aec0e09f8590a93130e3225c944e0885369c77bdddded61e849d6936d7d388

SHA512
8d643e060b6d66e0a8e6d0bfeb37df812a0c93ce797bcba9a4f85d18131f4ccb8b707b7c2a3acbdb2dde2ecf84a0fbc02b828322ded3c9a14be980cfbf8b6fa3

Download Submit
C:\Windows\{BE0C7762-6D9B-4fdf-A353-5411BA727878}.exe

Filesize
192KB

MD5
d5a87331386d696e88951c3c545637ee

SHA1
726fc065229bc4d21ab238b5d176e0a52481a0e4

SHA256
916baa5e28c5dc7e834c3d41e71adbbe74854feb665b16139044d415550c2667

SHA512
ef7aed83a2c483f1814bcc777f8fc7899788cdc8bdfc373b092963b6987a619d88df5df11d43f6fad4fab9d0a650b02212a9b90e1271e996df20fb4ecc397762

Download Submit
C:\Windows\{DB3590C0-841F-472f-B51D-9F5928EC2F93}.exe

Filesize
192KB

MD5
690761c8a3d39e9c42fa0bff0cc0ae53

SHA1
5fd9b96843940ea29b431e8ba2c7f3a521ce7649

SHA256
cb2cdab2feb655623191f7254db20f8c0f9035186ee15ddd1e4cc1709e562957

SHA512
1a4cc2298eb85a105774d4683e8cdf5c3e445c9107fb19f919991430cdfb9e3486c605645021c50a8d1575253b302e2d1651e66cbbeca99d05bbf1e2cf413fc6

Download Submit
C:\Windows\{E7729411-E11C-4b9b-81EA-E9BDBF4CB42B}.exe

Filesize
192KB

MD5
6d08df5aff42fe1b7ce2fc6a2d765806

SHA1
5fb6375a36451164d201f71eec6586997976ccb4

SHA256
9f8d42429f5d0439462d687233b015fc831bf72db48340557c04f46dcd0880db

SHA512
13b8e25b025e0ad1f25233fb339caf7d21c04ff471e7f29f02160ce0c3a3ae831a320819aaf40def806a5816959a722bd83d4b44a190636177f8b633c5167b11

Download Submit
C:\Windows\{FF3B9C2E-80F0-42fa-A480-CE4237732BBE}.exe

Filesize
192KB

MD5
2f9244051d052d3de6a8f2cf162011c1

SHA1
4b1f3723b7d093e75d663492bd3b366becd0d933

SHA256
d8f9924f2d86ae62486621c8d5519090f6c53d908fb36120f1b3b3dee7fd36ea

SHA512
5f4b67216855a836c682745608838c5c6b7fda30f735d5eb3dee1249a922886d76a2a176151e8602783b31529786c9a8f5bcb6f1c58b79bdc55c574688d0b146

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads