712ab9efdc8c1230b388f5b4490bb41db65fed7ae7c69a97b65aaf7abd5c9d28

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Size

372KB
MD5

337779f6852849e54d48d95649d09d25
SHA1

0f0f8538a1fd9070d7624ca4c11f19214cef9e40
SHA256

712ab9efdc8c1230b388f5b4490bb41db65fed7ae7c69a97b65aaf7abd5c9d28
SHA512

b7b67c0015b51726dbda78eece9b24ffbef01bf0471c91298c1c6fbf795b402923dfa0c0ad4b9aa036f2156d7ef4d427ac7fb17fd604e31a18426f95b19bd70f
SSDEEP

3072:CEGh0oQlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG+lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e809-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023209-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023215-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023209-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023215-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021838-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021841-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000037-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000000037-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000000037-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D138F6F-A299-4fb1-B7AD-13396884E398}\stubpath = "C:\\Windows\\{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe"	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F11402A4-7FEE-4f66-BE66-A8B182B5887E}\stubpath = "C:\\Windows\\{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe"	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E744861D-4FB0-4d43-B04D-3E555152D72E}	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E744861D-4FB0-4d43-B04D-3E555152D72E}\stubpath = "C:\\Windows\\{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe"	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}\stubpath = "C:\\Windows\\{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe"	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3076648-219A-4c7b-898A-45A30E9F3707}	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3076648-219A-4c7b-898A-45A30E9F3707}\stubpath = "C:\\Windows\\{A3076648-219A-4c7b-898A-45A30E9F3707}.exe"	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D138F6F-A299-4fb1-B7AD-13396884E398}	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}\stubpath = "C:\\Windows\\{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe"	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}\stubpath = "C:\\Windows\\{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}.exe"	{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}	{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}\stubpath = "C:\\Windows\\{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe"	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1638C04-997C-4c90-A072-FCC2637645C6}	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1638C04-997C-4c90-A072-FCC2637645C6}\stubpath = "C:\\Windows\\{F1638C04-997C-4c90-A072-FCC2637645C6}.exe"	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}\stubpath = "C:\\Windows\\{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe"	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F11402A4-7FEE-4f66-BE66-A8B182B5887E}	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}\stubpath = "C:\\Windows\\{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe"	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735A9D84-ED0A-4578-ABED-CC5EDC66E239}	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{735A9D84-ED0A-4578-ABED-CC5EDC66E239}\stubpath = "C:\\Windows\\{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe"	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe

Executes dropped EXE 12 IoCs

pid	Process
4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe
4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe
4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe
3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe
4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe
1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe
2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe
4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe
4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe
3288	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe
3636	{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe
4624	{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}.exe	{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe
File created	C:\Windows\{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe
File created	C:\Windows\{A3076648-219A-4c7b-898A-45A30E9F3707}.exe	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe
File created	C:\Windows\{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe
File created	C:\Windows\{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe
File created	C:\Windows\{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe
File created	C:\Windows\{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe
File created	C:\Windows\{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
File created	C:\Windows\{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe
File created	C:\Windows\{F1638C04-997C-4c90-A072-FCC2637645C6}.exe	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe
File created	C:\Windows\{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe
File created	C:\Windows\{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2784	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe
Token: SeIncBasePriorityPrivilege	4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe
Token: SeIncBasePriorityPrivilege	4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe
Token: SeIncBasePriorityPrivilege	3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe
Token: SeIncBasePriorityPrivilege	4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe
Token: SeIncBasePriorityPrivilege	1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe
Token: SeIncBasePriorityPrivilege	2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe
Token: SeIncBasePriorityPrivilege	4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe
Token: SeIncBasePriorityPrivilege	4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe
Token: SeIncBasePriorityPrivilege	3288	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe
Token: SeIncBasePriorityPrivilege	3636	{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 4952	2784	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	92
PID 2784 wrote to memory of 4952	2784	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	92
PID 2784 wrote to memory of 4952	2784	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	92
PID 2784 wrote to memory of 716	2784	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	93
PID 2784 wrote to memory of 716	2784	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	93
PID 2784 wrote to memory of 716	2784	2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe	93
PID 4952 wrote to memory of 4396	4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe	97
PID 4952 wrote to memory of 4396	4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe	97
PID 4952 wrote to memory of 4396	4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe	97
PID 4952 wrote to memory of 976	4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe	98
PID 4952 wrote to memory of 976	4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe	98
PID 4952 wrote to memory of 976	4952	{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe	98
PID 4396 wrote to memory of 4240	4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe	100
PID 4396 wrote to memory of 4240	4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe	100
PID 4396 wrote to memory of 4240	4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe	100
PID 4396 wrote to memory of 1196	4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe	101
PID 4396 wrote to memory of 1196	4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe	101
PID 4396 wrote to memory of 1196	4396	{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe	101
PID 4240 wrote to memory of 3680	4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe	102
PID 4240 wrote to memory of 3680	4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe	102
PID 4240 wrote to memory of 3680	4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe	102
PID 4240 wrote to memory of 4688	4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe	103
PID 4240 wrote to memory of 4688	4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe	103
PID 4240 wrote to memory of 4688	4240	{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe	103
PID 3680 wrote to memory of 4360	3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe	104
PID 3680 wrote to memory of 4360	3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe	104
PID 3680 wrote to memory of 4360	3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe	104
PID 3680 wrote to memory of 2356	3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe	105
PID 3680 wrote to memory of 2356	3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe	105
PID 3680 wrote to memory of 2356	3680	{A3076648-219A-4c7b-898A-45A30E9F3707}.exe	105
PID 4360 wrote to memory of 1268	4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe	106
PID 4360 wrote to memory of 1268	4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe	106
PID 4360 wrote to memory of 1268	4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe	106
PID 4360 wrote to memory of 1376	4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe	107
PID 4360 wrote to memory of 1376	4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe	107
PID 4360 wrote to memory of 1376	4360	{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe	107
PID 1268 wrote to memory of 2772	1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe	108
PID 1268 wrote to memory of 2772	1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe	108
PID 1268 wrote to memory of 2772	1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe	108
PID 1268 wrote to memory of 860	1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe	109
PID 1268 wrote to memory of 860	1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe	109
PID 1268 wrote to memory of 860	1268	{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe	109
PID 2772 wrote to memory of 4476	2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe	110
PID 2772 wrote to memory of 4476	2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe	110
PID 2772 wrote to memory of 4476	2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe	110
PID 2772 wrote to memory of 4424	2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe	111
PID 2772 wrote to memory of 4424	2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe	111
PID 2772 wrote to memory of 4424	2772	{F1638C04-997C-4c90-A072-FCC2637645C6}.exe	111
PID 4476 wrote to memory of 4808	4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe	112
PID 4476 wrote to memory of 4808	4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe	112
PID 4476 wrote to memory of 4808	4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe	112
PID 4476 wrote to memory of 4508	4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe	113
PID 4476 wrote to memory of 4508	4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe	113
PID 4476 wrote to memory of 4508	4476	{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe	113
PID 4808 wrote to memory of 3288	4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe	114
PID 4808 wrote to memory of 3288	4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe	114
PID 4808 wrote to memory of 3288	4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe	114
PID 4808 wrote to memory of 4024	4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe	115
PID 4808 wrote to memory of 4024	4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe	115
PID 4808 wrote to memory of 4024	4808	{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe	115
PID 3288 wrote to memory of 3636	3288	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe	116
PID 3288 wrote to memory of 3636	3288	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe	116
PID 3288 wrote to memory of 3636	3288	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe	116
PID 3288 wrote to memory of 736	3288	{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_337779f6852849e54d48d95649d09d25_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe
  C:\Windows\{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe
    C:\Windows\{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe
      C:\Windows\{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\{A3076648-219A-4c7b-898A-45A30E9F3707}.exe
        
        C:\Windows\{A3076648-219A-4c7b-898A-45A30E9F3707}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
      - C:\Windows\{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe
        
        C:\Windows\{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe
        
        C:\Windows\{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{F1638C04-997C-4c90-A072-FCC2637645C6}.exe
        
        C:\Windows\{F1638C04-997C-4c90-A072-FCC2637645C6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe
        
        C:\Windows\{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe
        
        C:\Windows\{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe
        
        C:\Windows\{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe
        
        C:\Windows\{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}.exe
        
        C:\Windows\{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48F1D~1.EXE > nul
        13⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A72DA~1.EXE > nul
        12⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{735A9~1.EXE > nul
        11⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D138~1.EXE > nul
        10⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1638~1.EXE > nul
        9⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F43A8~1.EXE > nul
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82A32~1.EXE > nul
        7⤵
        
        PID:1376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3076~1.EXE > nul
        6⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7448~1.EXE > nul
        5⤵
        
        PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DE02F~1.EXE > nul
      4⤵
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1140~1.EXE > nul
    3⤵
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C71A1C5-8E85-404d-AE60-75D0F96B9BFC}.exe

Filesize
372KB

MD5
2134360c37bf50118e396578780c945f

SHA1
b28078f19d65ef23d9d17bd16cbbc73a2dfb0eb4

SHA256
f1d588d0386b7e39d553818fccb0c25b41eff163bf92eabe1989ae85fc67d298

SHA512
9bd5d876d85b24169056e06f394dd2a040f67236f08a0f6eb792698360aee66f9dca0746320b155e5d98c82f291c9ce0110062b4361274d3343359afdc4769eb

Download Submit
C:\Windows\{48F1D5BC-9403-49f7-8CE7-BE0150E88EFB}.exe

Filesize
372KB

MD5
d596ed513987e5ddc97a2c333d847eb0

SHA1
97fad1a90e16bfc5b98b82149472b7a4904815c1

SHA256
c3facb88cfdf25bfe59e9730458da5e34703ef92f1de52326556c281389d95e8

SHA512
4bd62597aac04c5d832ede38f3f632ab447ff19fd41501cc0188047c4eb9128fcebf79e091cb4063512f8692e28b1add1dde71a0e8cf6968b981df853dc75dc4

Download Submit
C:\Windows\{6D138F6F-A299-4fb1-B7AD-13396884E398}.exe

Filesize
372KB

MD5
b4c24888b1380ad621bcd590dccef853

SHA1
7b8a9ae45a6d1cd809971fd5846121035cf893ce

SHA256
6d0a3a41a8ba032cefb77aabda6f7587c4551bb670ca23c9e6032e35a28aa855

SHA512
75b728e7dc2b557f79eedd44eab6923a82a56f74eb53b56b2d5f7a281e5e867c400043403ca96e70faeae42e288695237e155b4308e22c221e1377923a8e6c5c

Download Submit
C:\Windows\{735A9D84-ED0A-4578-ABED-CC5EDC66E239}.exe

Filesize
372KB

MD5
d068eb8b22c11ee62c2057445bc034f2

SHA1
1bd2c698be8f576df6737d6d307b558e4ba18bac

SHA256
9515fd52cb5a24935dc2f3db95d2b182c068da2ba953f8bff457ce5c3481c5c7

SHA512
e3c4fb54eab22cf6d604da6386820e25b1f8bf36a6edf409c43ece0fa7444e9e3cb94d2a250786ff500b26f2f50c3de13241706254f281de0c80f4fe982c0524

Download Submit
C:\Windows\{82A3240E-4DE0-43ca-8DB3-8A50BB0128BC}.exe

Filesize
372KB

MD5
3a253fb071de8a990742dc5b64c5dfca

SHA1
be535bfa3a117984c0eebc6a81feb2af37198f5b

SHA256
95f6c9395ba271a1fc1ce8072d2adf2f45bf33f3abab2ad2d0730df8d803efde

SHA512
487d7607dcfa2fa16ae32ade7589a57c0614fda28bb07939584d5c544340683d4edebcac390372fc758bddb393f825f725100d9cfe53fa2bae5675ed0d23cdd8

Download Submit
C:\Windows\{A3076648-219A-4c7b-898A-45A30E9F3707}.exe

Filesize
372KB

MD5
4db6a63410d9ea5adf8043f389873faa

SHA1
39855a77eb4e6de37e19c68c803cc039c2ee2d96

SHA256
988675db92639b6912371241eb0a2aeb0c4b9e00c6c2440d3044e6670fa5ab3c

SHA512
d4eb8c66a691ad6ed7a8f649ea5c8889c8a51a8a1b79ea9541e5f89f0206df4e28514d03eda12ded8cc873115b72e061617eb16695be23a36b1f6d4040ebe7f5

Download Submit
C:\Windows\{A72DA4FC-4B34-45cf-8AF3-9EA6AD3B6583}.exe

Filesize
372KB

MD5
7ea8fd6ee9eb9160db9ced4bf81e4b18

SHA1
9b73e63a6f2321e4f5fe1ed3c3b78f27cb59db1d

SHA256
c6a7c1d01a34a13819d91a77137e800e32fa62b62b5549925decfab52fc3aaf8

SHA512
bbb83e4b9a05250571720b9fbd44acf48ebbfdb662ec59898b57065e57a49391e99fd0fc17d0fa5b5908904cfaad0325b0442c8a89638a4671fce830fe2d6316

Download Submit
C:\Windows\{DE02FA0A-1DE1-4ee3-A40A-E8AD053F64D0}.exe

Filesize
372KB

MD5
c5a210a626609967228d0d7f1c4758e1

SHA1
aa3964ef5721e3ab4bbdacc18ad2f11c8e9d5168

SHA256
32abe52876d7f2dbf8076ca8bd8dde816229e96e7cca1dd2f85d4332e347fec5

SHA512
65c3a950a64ac150523126b7483bfb7f3f11b689b9305cd2db4008d6cc49a3fcf135a420a8aa02fcc34d020ce5601cd3ffa4ee4021529d9f703efbc4adac47d8

Download Submit
C:\Windows\{E744861D-4FB0-4d43-B04D-3E555152D72E}.exe

Filesize
372KB

MD5
0c4e7914392b3e62a276e1b873b873a7

SHA1
a760f34d98859614351b575432767b9a0fa9cb03

SHA256
1444a39dcfa4e69805b782f918274b17ea901d3d1720308fb84fdb22321674f7

SHA512
0ef28bbcac9d20aae40bde2977f5addfc0f429b3ddeea9f17b7885ec5573e12eac7e4f4e3dbc2db128e25b897616fca56dc591f09110f4e02da39975463c73ce

Download Submit
C:\Windows\{F11402A4-7FEE-4f66-BE66-A8B182B5887E}.exe

Filesize
372KB

MD5
3a9756a305e65fa21f4a5f2b05fbc270

SHA1
c65fbaa7ee332d766b5ae3c1ce1b55b074a22f7a

SHA256
0f8a358e804ba018e4abd12c5318af5a5dc316b4a9d14b0dea6975e50747babb

SHA512
acb6eb40abd562ff6556f409abb13894a511394609850f271695f251ae1e2953e1da277bee06bfb69874314449b6596a08fc4efd2d27caa7923e936c947aeebc

Download Submit
C:\Windows\{F1638C04-997C-4c90-A072-FCC2637645C6}.exe

Filesize
372KB

MD5
f76b7a0a2a909db3939fc1d43112cbe5

SHA1
915eb11fa4919147bbe8ebedd314f8db846193ac

SHA256
d6ea524bdbd33d190b0dc71c7457c8e386a185987c42ea40ecb0c91d3952e62c

SHA512
5783508ed0a357715cbd65db2b36930ff22335b8de13efb63b833515e613c37147a54b9d264a99a8c243046d61bd13323e22227dbb5a7aab015f7e38b3e83313

Download Submit
C:\Windows\{F43A8F59-AAFA-42fb-BE3C-C22B5FB5B7AD}.exe

Filesize
372KB

MD5
1f4bd22311b03d912819a882521fe146

SHA1
5429401ac1956853b8103d9e11d233c991544bff

SHA256
2e0f6b8553d7003b97b75815004ef6df1da7b5d4df65facd86c1faeace0f86d8

SHA512
02ab26554cee64a3c5b906b88b291a0d992bbe71d92884d81d14a850eca41abbe49b7b06d5bf6cb8c2258f51f7f54ec374d75d946d376918dc7be67cb9688f99

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads