6b238ee962bd094a56c0571dcf1dda8574ac5ac8d9dadb7f2036912fd8c62fbf

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Size

192KB
MD5

41d2feb21daa69e9d4fc37619c2259e2
SHA1

01d78a0551acd1075afe8d28dad837a626a1fe03
SHA256

6b238ee962bd094a56c0571dcf1dda8574ac5ac8d9dadb7f2036912fd8c62fbf
SHA512

a0a9a0bcd956fa350306823ce8c710ffd8d2a265104bf052e6b399eb20b79fccb8ed99d631af5ed60834093a937711ccbcd2356ff8d484fd409b125c4d35fbf2
SSDEEP

1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ocl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023207-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002320e-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023215-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002320e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021c86-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}\stubpath = "C:\\Windows\\{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe"	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}\stubpath = "C:\\Windows\\{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe"	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3517274E-6B28-4089-A0D9-850B480E7FCC}	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC726E6-66DB-4bc2-AF81-4775A83139A6}\stubpath = "C:\\Windows\\{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe"	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6909702-27DB-4763-9684-60B7C3B91EA1}	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}\stubpath = "C:\\Windows\\{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe"	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3517274E-6B28-4089-A0D9-850B480E7FCC}\stubpath = "C:\\Windows\\{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe"	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040BF9B8-F13D-4997-AF10-A13FABE11CA6}	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E67D403D-0626-46f0-B3BF-5F553C4BC90B}	{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E67D403D-0626-46f0-B3BF-5F553C4BC90B}\stubpath = "C:\\Windows\\{E67D403D-0626-46f0-B3BF-5F553C4BC90B}.exe"	{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{073ED87C-BC02-4a32-9B7C-DF2E4103A575}\stubpath = "C:\\Windows\\{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe"	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65188F99-C213-48a7-8B21-13C4D15DFFA2}	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040BF9B8-F13D-4997-AF10-A13FABE11CA6}\stubpath = "C:\\Windows\\{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe"	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6909702-27DB-4763-9684-60B7C3B91EA1}\stubpath = "C:\\Windows\\{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe"	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{073ED87C-BC02-4a32-9B7C-DF2E4103A575}	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}\stubpath = "C:\\Windows\\{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe"	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}\stubpath = "C:\\Windows\\{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe"	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65188F99-C213-48a7-8B21-13C4D15DFFA2}\stubpath = "C:\\Windows\\{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe"	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC726E6-66DB-4bc2-AF81-4775A83139A6}	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe

Executes dropped EXE 12 IoCs

pid	Process
3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe
4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe
3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe
3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe
2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe
2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe
4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe
940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe
2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe
2912	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe
1352	{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe
4528	{E67D403D-0626-46f0-B3BF-5F553C4BC90B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe
File created	C:\Windows\{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe
File created	C:\Windows\{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe
File created	C:\Windows\{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe
File created	C:\Windows\{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe
File created	C:\Windows\{E67D403D-0626-46f0-B3BF-5F553C4BC90B}.exe	{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe
File created	C:\Windows\{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
File created	C:\Windows\{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe
File created	C:\Windows\{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe
File created	C:\Windows\{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe
File created	C:\Windows\{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe
File created	C:\Windows\{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2268	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe
Token: SeIncBasePriorityPrivilege	4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe
Token: SeIncBasePriorityPrivilege	3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe
Token: SeIncBasePriorityPrivilege	3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe
Token: SeIncBasePriorityPrivilege	2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe
Token: SeIncBasePriorityPrivilege	2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe
Token: SeIncBasePriorityPrivilege	4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe
Token: SeIncBasePriorityPrivilege	940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe
Token: SeIncBasePriorityPrivilege	2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe
Token: SeIncBasePriorityPrivilege	2912	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe
Token: SeIncBasePriorityPrivilege	1352	{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3240	2268	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	95
PID 2268 wrote to memory of 3240	2268	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	95
PID 2268 wrote to memory of 3240	2268	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	95
PID 2268 wrote to memory of 2692	2268	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	96
PID 2268 wrote to memory of 2692	2268	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	96
PID 2268 wrote to memory of 2692	2268	2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe	96
PID 3240 wrote to memory of 4848	3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe	97
PID 3240 wrote to memory of 4848	3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe	97
PID 3240 wrote to memory of 4848	3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe	97
PID 3240 wrote to memory of 4808	3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe	98
PID 3240 wrote to memory of 4808	3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe	98
PID 3240 wrote to memory of 4808	3240	{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe	98
PID 4848 wrote to memory of 3536	4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe	100
PID 4848 wrote to memory of 3536	4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe	100
PID 4848 wrote to memory of 3536	4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe	100
PID 4848 wrote to memory of 364	4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe	101
PID 4848 wrote to memory of 364	4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe	101
PID 4848 wrote to memory of 364	4848	{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe	101
PID 3536 wrote to memory of 3256	3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe	102
PID 3536 wrote to memory of 3256	3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe	102
PID 3536 wrote to memory of 3256	3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe	102
PID 3536 wrote to memory of 856	3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe	103
PID 3536 wrote to memory of 856	3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe	103
PID 3536 wrote to memory of 856	3536	{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe	103
PID 3256 wrote to memory of 2508	3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe	104
PID 3256 wrote to memory of 2508	3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe	104
PID 3256 wrote to memory of 2508	3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe	104
PID 3256 wrote to memory of 1688	3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe	105
PID 3256 wrote to memory of 1688	3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe	105
PID 3256 wrote to memory of 1688	3256	{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe	105
PID 2508 wrote to memory of 2280	2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe	106
PID 2508 wrote to memory of 2280	2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe	106
PID 2508 wrote to memory of 2280	2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe	106
PID 2508 wrote to memory of 4496	2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe	107
PID 2508 wrote to memory of 4496	2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe	107
PID 2508 wrote to memory of 4496	2508	{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe	107
PID 2280 wrote to memory of 4760	2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe	108
PID 2280 wrote to memory of 4760	2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe	108
PID 2280 wrote to memory of 4760	2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe	108
PID 2280 wrote to memory of 5024	2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe	109
PID 2280 wrote to memory of 5024	2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe	109
PID 2280 wrote to memory of 5024	2280	{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe	109
PID 4760 wrote to memory of 940	4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe	110
PID 4760 wrote to memory of 940	4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe	110
PID 4760 wrote to memory of 940	4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe	110
PID 4760 wrote to memory of 1440	4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe	111
PID 4760 wrote to memory of 1440	4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe	111
PID 4760 wrote to memory of 1440	4760	{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe	111
PID 940 wrote to memory of 2768	940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe	112
PID 940 wrote to memory of 2768	940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe	112
PID 940 wrote to memory of 2768	940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe	112
PID 940 wrote to memory of 4672	940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe	113
PID 940 wrote to memory of 4672	940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe	113
PID 940 wrote to memory of 4672	940	{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe	113
PID 2768 wrote to memory of 2912	2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe	114
PID 2768 wrote to memory of 2912	2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe	114
PID 2768 wrote to memory of 2912	2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe	114
PID 2768 wrote to memory of 2036	2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe	115
PID 2768 wrote to memory of 2036	2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe	115
PID 2768 wrote to memory of 2036	2768	{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe	115
PID 2912 wrote to memory of 1352	2912	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe	116
PID 2912 wrote to memory of 1352	2912	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe	116
PID 2912 wrote to memory of 1352	2912	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe	116
PID 2912 wrote to memory of 1628	2912	{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_41d2feb21daa69e9d4fc37619c2259e2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe
  C:\Windows\{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe
    C:\Windows\{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe
      C:\Windows\{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3536
    - - C:\Windows\{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe
        
        C:\Windows\{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Windows\{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe
        
        C:\Windows\{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe
        
        C:\Windows\{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe
        
        C:\Windows\{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe
        
        C:\Windows\{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe
        
        C:\Windows\{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe
        
        C:\Windows\{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe
        
        C:\Windows\{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\{E67D403D-0626-46f0-B3BF-5F553C4BC90B}.exe
        
        C:\Windows\{E67D403D-0626-46f0-B3BF-5F553C4BC90B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{073ED~1.EXE > nul
        13⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6909~1.EXE > nul
        12⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC72~1.EXE > nul
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{040BF~1.EXE > nul
        10⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65188~1.EXE > nul
        9⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDE62~1.EXE > nul
        8⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35172~1.EXE > nul
        7⤵
        
        PID:4496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D91~1.EXE > nul
        6⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BCB1~1.EXE > nul
        5⤵
        
        PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B771F~1.EXE > nul
      4⤵
      PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC409~1.EXE > nul
    3⤵
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{040BF9B8-F13D-4997-AF10-A13FABE11CA6}.exe

Filesize
192KB

MD5
4e5415b8a76be442b4f5f289a47bf3d5

SHA1
45fc61ee7d41e4aa8b8c866a7bf2c88dd433a815

SHA256
bbc6f2b0e6b8575e91f1624bbc95a44c0abdf7f827e88572f4cf9b14f8a62569

SHA512
693e493f3fedbd5b7b3ab8cf9c0d99709be852e3e8b41272860cd5238c98c9d779f1f43c37d394f61f4796001e4801273335ac266fdd4c76984d754284308b78

Download Submit
C:\Windows\{073ED87C-BC02-4a32-9B7C-DF2E4103A575}.exe

Filesize
192KB

MD5
3fc3ea28b00d88a74a948265182f3b60

SHA1
92346c9369930a3943d4ea8b5bdaf33548f1a4cb

SHA256
01af8c6dc578cf081908771a4f49b610591ad4a78b88698373c4bf672cdbd6d8

SHA512
e3076174e41f3f85c85c36d95075fea34f292e4fa68f29adc7131709e368374fa0a092e2fd080773bf7132cd0d84cc71bf065fa2e6b9b2507bfb3491f5bb108d

Download Submit
C:\Windows\{1BCB1EFE-7FA6-430a-90C7-9998A40D7A76}.exe

Filesize
192KB

MD5
68f159a47de8f73cc9cd49e13de2f74d

SHA1
49fc68b893530f4cedeefb4d6e5711e091492604

SHA256
cfa490859dfc09b67b29c87f823b8b2e1f91619c3f67d1c138c869d3a1dd407f

SHA512
ced8f417984329f231c17663c25a41bf6913df60e1f82a50aaff5c6f5bb5da635388480952b1512cc9da12187783e589cac160031d32c0a79dfaa03e4e2ae8aa

Download Submit
C:\Windows\{3517274E-6B28-4089-A0D9-850B480E7FCC}.exe

Filesize
192KB

MD5
86ba253de0dd5babcc47e539333fa32c

SHA1
387f3c056dbfc0e4e984b1442610953407f9729f

SHA256
e2b81261b02a22a3c5cb32a56ca4e6efaa405e07e3af76f418e47e3b210cc1e6

SHA512
758b92cca069f0cc108b2b678b465c178afbdfd859104f134681d9ddf03262cbd441c8431d7bef4281a8098f1515338955bd781b61d5d62bebd97c42c6490473

Download Submit
C:\Windows\{5CC726E6-66DB-4bc2-AF81-4775A83139A6}.exe

Filesize
192KB

MD5
d209f31bf3d9a51a22ac793748d84f44

SHA1
e63ba7efc7d8d50eef1a351bffcea4caf74b05b6

SHA256
923a35402a8f173cde154f132b0a79db8a3089e5e5a9bd63fb66e10a58711d99

SHA512
dfecee89dc0c32e71ca1db7d9c5044c66bca5f8e323fc67e4cea19906ceda6d574729821be1bc28d6378116d0e23f9e297043dc54560c324595338e54f2d7a18

Download Submit
C:\Windows\{65188F99-C213-48a7-8B21-13C4D15DFFA2}.exe

Filesize
192KB

MD5
4e0816a4ceb02e1c727c7674ede614bc

SHA1
312d39639358204eedf6efb22fa1b002d49a2586

SHA256
964280fd8120270bac3ef2d7369b19906349c062e9a3d9c51be1bb505f4c57fc

SHA512
d82d32daa55efedf6a5b95577e9c1c37a3c38029b6485f9e5914b0f808508b956dd988207a95f6255f4d4af2c05641b6ac39fb5e4c53d4515303a445ba2654d6

Download Submit
C:\Windows\{AC40963C-3FDC-45f0-9AAC-AE0C0603F89A}.exe

Filesize
192KB

MD5
784c6c5c45c57dcf1063c607a5de1e84

SHA1
86444745a06800b6a17a14b8e24734d41cf98a52

SHA256
922805af63e94b86d446aa0aa96d0af7b93c2a41d8a988572b9e61ff09125761

SHA512
7ac7e491197c9a3b20c20493071b26410500378a91f21041bc46b81738bc5d7b3c8111e7a47311d4f1b33b08e47283b943c20ecc85743a689b7d47dd24af70a3

Download Submit
C:\Windows\{B771F39D-7479-4324-AFC2-8F81D4B3FE5B}.exe

Filesize
192KB

MD5
b731b4b6606828eb79ef078b9e8829ba

SHA1
56c5b751713f9db86b55a651fde645e4b712cf78

SHA256
f618e5740b6399a7aaaad194bcba2708e92a83b829088a745519d9e02adff726

SHA512
12480ede3c5442954e7f572727eecd08517085bf6aa3158a6ea5d2d6cdad7e39255d3033dbbe348be44bb033c1e57fc5eebed4cbf01d72e0ff7e87368fd23f98

Download Submit
C:\Windows\{DDE62B82-C186-43a5-8B1B-2BA8BC950C4B}.exe

Filesize
192KB

MD5
438f89887ff0d5ffbb300a6d1f8c6598

SHA1
979e4829b19e82c5182c760338989013154e838f

SHA256
a0591dd39cf0b19a85fc3125b13e9696ef76cfb7dee0514e2123069fa0aaa9d1

SHA512
5a4e705c84aaac6676ed53ad14be2a2521eed978e03d37e2c8082be6cb98b0e6ce539768de91dfc1d86f906d68113662623eec80c059678fa91528999a69bff5

Download Submit
C:\Windows\{E4D91496-E1B4-46c6-AFA7-27B7B6E82912}.exe

Filesize
192KB

MD5
5b9dbe7d33eee6bb1510b4085e641b01

SHA1
6a7042aeb1a0fb6df406aca54c3f10bda0abc0c5

SHA256
83f88eacb0d44770250c14cd5addf60a5b37d01748ab217ad8fa5a03102ff294

SHA512
19d1a4372a02c753bb3ac497ea6498402d396f91b89929a7832bc0f0db6655167bcf3764e2728ed3d3e4c9d77d41eb5aa57c98fd1f87d4cca1a9ef988d122cff

Download Submit
C:\Windows\{E67D403D-0626-46f0-B3BF-5F553C4BC90B}.exe

Filesize
192KB

MD5
16b14d659fd75f45c5154ef6260acd09

SHA1
a102bba76d15f530ecfb5b79f22b120fd50f5541

SHA256
4a0d61e990f3e5cd41d469a4481d074df07d69ee9116cfd631ccf1287ef574d4

SHA512
ddc1333be0cddcfce5279dc4eb88f2e648c24130781dbf8d4464afaaae7245e1b549f8968f83cf7365dd1d2836181f0b4973ba758838b57dd9db52f037fe9b15

Download Submit
C:\Windows\{E6909702-27DB-4763-9684-60B7C3B91EA1}.exe

Filesize
192KB

MD5
50deb08eb319346d9e029f29a14c063d

SHA1
0064b93e597f98db70c175c3357aa6c02a378ce5

SHA256
08d88fe9407c97edcafcf999460b5fa43a0a14116f7ebd9806f2b324e96e2928

SHA512
1e6719bdfcb71818304691420523c238b2c856a594c838c60ee0ffdce598be5d56f9a9e191893c178e3011c61521bbccddf10e308e1ba749e1d35bdbd134d81b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads